Tailscale MCP Server
The Tailscale MCP Server provides a standardized interface for automating Tailscale network management through CLI and REST API integration. With this server, you can:
Device Management: List, authorize, deauthorize, and delete devices; manage routes and tags
Network Operations: Connect/disconnect networks, check status, and ping peers
Security Controls: Manage ACLs, policy files, device tags, and network lock settings
DNS Management: Configure nameservers, search paths, and MagicDNS preferences
Key Management: Create, list, and delete authentication keys with specific capabilities
Additional Features: Configure exit nodes, manage file sharing, set up webhooks, and retrieve version information
Built on Node.js runtime (requires v18+) with ES module support for executing Tailscale CLI commands and interacting with the Tailscale REST API.
Provides tools for managing Tailscale networks, including device management (listing, authorizing/deauthorizing devices), subnet route control, network connectivity operations (connect/disconnect), and peer monitoring via ping functionality.
Leverages TypeScript for type safety throughout the implementation, with Zod validation for schema validation and type checking of inputs and outputs.
Uses Zod for runtime validation of data schemas, ensuring type safety and providing descriptive error messages for invalid parameters.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Tailscale MCP Server list all authorized devices in my network"
That's it! The server will respond to your query, and you can continue using it as needed.
Tailscale MCP Server
A Bun-first Model Context Protocol server for operating Tailscale through a private, least-privilege interface.
The default transport is stdio for local MCP clients. Optional HTTP transport
binds to 127.0.0.1 by default and is designed to be exposed privately with
Tailscale Serve or another tailnet-only proxy.
Install
bun install
bun run build
Local MCP Usage
{
  "mcpServers": {
    "tailscale": {
      "command": "bunx",
      "args": ["@hexsleeves/tailscale-mcp-server"],
      "env": {
        "TAILSCALE_OAUTH_CLIENT_ID": "your-client-id",
        "TAILSCALE_OAUTH_CLIENT_SECRET": "your-client-secret",
        "TAILSCALE_TAILNET": "-"
      }
    }
  }
}
OAuth clients are preferred for automation because they use scoped access and short-lived tokens. API keys remain supported for compatibility:
TAILSCALE_API_KEY=tskey-... bun run src/index.ts
HTTP Mode
HTTP mode requires a bearer token and only accepts localhost or tailnet host headers by default.
export MCP_TRANSPORT=http
export MCP_HTTP_BEARER_TOKEN="$(openssl rand -base64 32)"
export TAILSCALE_OAUTH_CLIENT_ID="your-client-id"
export TAILSCALE_OAUTH_CLIENT_SECRET="your-client-secret"
bun run src/index.ts --http --port 3000 --host 127.0.0.1
Expose it privately through Tailscale Serve:
tailscale serve --bg 443 localhost:3000
Do not use Funnel for normal MCP operation. Funnel makes the service publicly reachable and should require a separate threat review.
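The two checks that HTTP mode describes (a required bearer token and a Host header allowlist), as an added TypeScript example. It is not the project's code; the function names and the rule that a tailnet host is any name ending in .ts.net are assumptions made for illustration.

```typescript
// Added example; hypothetical names, not the project's implementation.
type GateResult = { ok: true } | { ok: false; status: 401 | 403; reason: string };

// Compare without early exit so timing does not reveal how much of the token matched.
// (On Node or Bun, crypto.timingSafeEqual over fixed-length digests is the usual choice.)
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Strip the port from a Host header value; keeps bracketed IPv6 literals intact.
function hostnameOf(hostHeader: string): string {
  const h = hostHeader.trim().toLowerCase();
  if (h.charAt(0) === "[") return h.slice(0, h.indexOf("]") + 1);
  const colon = h.lastIndexOf(":");
  return colon === -1 ? h : h.slice(0, colon);
}

// Allow loopback names, tailnet names (assumed here: any name under .ts.net),
// and operator-supplied extras. Anything else is refused, which also keeps a
// browser page on another origin from reaching the listener via DNS rebinding.
function isAllowedHost(hostHeader: string | undefined, extraHosts: string[] = []): boolean {
  if (!hostHeader) return false;
  const name = hostnameOf(hostHeader);
  if (["localhost", "127.0.0.1", "[::1]"].indexOf(name) !== -1) return true;
  if (name.length > 7 && name.slice(-7) === ".ts.net") return true;
  return extraHosts.map((h) => h.trim().toLowerCase()).indexOf(name) !== -1;
}

// Gate a request: Host first (403), then the bearer token (401).
function checkRequest(
  headers: Record<string, string | undefined>,
  expectedToken: string,
  extraHosts: string[] = []
): GateResult {
  if (!isAllowedHost(headers["host"], extraHosts)) {
    return { ok: false, status: 403, reason: "host not allowed" };
  }
  const m = /^Bearer ([A-Za-z0-9+\/=._~-]+)$/i.exec(headers["authorization"] || "");
  // An empty configured token must never authenticate anything.
  if (!m || expectedToken.length === 0 || !constantTimeEqual(m[1], expectedToken)) {
    return { ok: false, status: 401, reason: "missing or invalid bearer token" };
  }
  return { ok: true };
}
```

A deployment would normally pin the suffix to its own tailnet's DNS name rather than accepting every name under .ts.net.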
Configuration
Variable | Default | Description |
|
|
|
|
| HTTP bind host |
|
| HTTP bind port |
| Required in HTTP mode | |
| Comma-separated extra allowed HTTP hosts | |
|
| Tailnet name or |
|
| Tailscale API base URL |
| Preferred auth method | |
| Preferred auth method | |
| Compatibility auth method | |
|
|
|
|
| Local CLI path |
|
|
|
| Optional file log path |
Risk levels:
read: read-only tools and resources.
write: write operations such as ACL/DNS/route updates.
admin: destructive or host-affecting actions such as delete, deauthorize, connect, disconnect, and auth key mutation.
Tools
Stable tool names:
list_devices
device_action
manage_routes
get_network_status
connect_network
disconnect_network
ping_peer
get_version
get_tailnet_info
manage_acl
manage_dns
manage_keys
manage_policy_file
manage_file_sharing
manage_exit_nodes
manage_webhooks
manage_device_tags
Resources
tailscale://tailnet/summary
tailscale://devices
tailscale://devices/{deviceId}
tailscale://acl/current
Prompts
diagnose_tailnet_connectivity
review_acl_change
Development
bun install
bun test
bun run typecheck
bun run lint
bun run build
Full local gate:
bun run qa
Docker
docker build -t tailscale-mcp-server .
docker run --rm \
  -e MCP_HTTP_BEARER_TOKEN="$MCP_HTTP_BEARER_TOKEN" \
  -e TAILSCALE_OAUTH_CLIENT_ID="$TAILSCALE_OAUTH_CLIENT_ID" \
  -e TAILSCALE_OAUTH_CLIENT_SECRET="$TAILSCALE_OAUTH_CLIENT_SECRET" \
  -p 127.0.0.1:3000:3000 \
  tailscale-mcp-server
Keep the published port bound to localhost and expose it to other devices with Tailscale Serve.
For a sidecar deployment that runs the MCP server behind a private Tailscale
Serve endpoint, see deploy/README.md.