type FallbackTCPHandler func(src, dstnetip.AddrPort) (handler func(net.Conn), interceptbool)

type FunnelOption interface {// contains filtered or unexported methods}

funcFunnelOnly¶added inv1.38.0

func FunnelOnly()FunnelOption

FunnelOnly configures the listener to only respond to connections from Tailscale Funnel.The local tailnet will not be able to connect to the listener.

funcFunnelTLSConfig¶added inv1.84.0

func FunnelTLSConfig(conf *tls.Config)FunnelOption

FunnelTLSConfig configures the TLS configuration forServer.ListenFunnel

This is rarely needed but can permit requiring client certificates, specificciphers suites, etc.

The provided conf should at least be able to get a certificate, settingGetCertificate, Certificates or GetConfigForClient appropriately.The most common configuration is to set GetCertificate toServer.LocalClient's GetCertificate method.

UnlessFunnelOnly is also used, the configuration is also used forin-tailnet connections that don't arrive over Funnel.

type Server struct {// Dir specifies the name of the directory to use for// state. If empty, a directory is selected automatically// under os.UserConfigDir (https://golang.org/pkg/os/#UserConfigDir).// based on the name of the binary.//// If you want to use multiple tsnet services in the same// binary, you will need to make sure that Dir is set uniquely// for each service. A good pattern for this is to have a// "base" directory (such as your mutable storage folder) and// then append the hostname on the end of it.Dirstring// Store specifies the state store to use.//// If nil, a new FileStore is initialized at `Dir/tailscaled.state`.// See tailscale.com/ipn/store for supported stores.//// Logs will automatically be uploaded to log.tailscale.com,// where the configuration file for logging will be saved at// `Dir/tailscaled.log.conf`.Storeipn.StateStore// Hostname is the hostname to present to the control server.// If empty, the binary name is used.Hostnamestring// UserLogf, if non-nil, specifies the logger to use for logs generated by// the Server itself intended to be seen by the user such as the AuthURL for// login and status updates. If unset, log.Printf is used.UserLogflogger.Logf// Logf, if set is used for logs generated by the backend such as the// LocalBackend and MagicSock. It is verbose and intended for debugging.// If unset, logs are discarded.Logflogger.Logf// Ephemeral, if true, specifies that the instance should register// as an Ephemeral node (https://tailscale.com/s/ephemeral-nodes).Ephemeralbool// AuthKey, if non-empty, is the auth key to create the node// and will be preferred over the TS_AUTHKEY environment// variable. If the node is already created (from state// previously stored in Store), then this field is not// used.AuthKeystring// ControlURL optionally specifies the coordination server URL.// If empty, the Tailscale default is used.ControlURLstring// RunWebClient, if true, runs a client for managing this node over// its Tailscale interface on port 5252.RunWebClientbool// Port is the UDP port to listen on for WireGuard and peer-to-peer// traffic. If zero, a port is automatically selected. Leave this// field at zero unless you know what you are doing.Portuint16// AdvertiseTags specifies tags that should be applied to this node, for// purposes of ACL enforcement. These can be referenced from the ACL policy// document. Note that advertising a tag on the client doesn't guarantee// that the control server will allow the node to adopt that tag.AdvertiseTags []string// contains filtered or unexported fields}

func (*Server)CapturePcap¶added inv1.56.0

func (s *Server) CapturePcap(ctxcontext.Context, pcapFilestring)error

CapturePcap can be called by the application code compiled with tsnet to save a pcapof packets which the netstack within tsnet sees. This is expected to be useful duringdebugging, probably not useful for production.

Packets will be written to the pcap until the process exits. The pcap needs a Lua dissectorto be installed in WireShark in order to decode properly: wgengine/capture/ts-dissector.luain this repository.https://tailscale.com/kb/1023/troubleshooting/#can-i-examine-network-traffic-inside-the-encrypted-tunnel

func (*Server)CertDomains¶added inv1.38.0

func (s *Server) CertDomains() []string

CertDomains returns the list of domains for which the server canprovide TLS certificates. These are also the DNS names for theServer.If the server is not running, it returns nil.

func (*Server)Close¶added inv1.24.0

func (s *Server) Close()error

Close stops the server.

It must not be called before or concurrently with Start.

func (*Server)Dial¶added inv1.20.0

func (s *Server) Dial(ctxcontext.Context, network, addressstring) (net.Conn,error)

Dial connects to the address on the tailnet.It will start the server if it has not been started yet.

func (*Server)GetRootPath¶added inv1.88.0

func (s *Server) GetRootPath()string

GetRootPath returns the root path of the tsnet server.This is where the state file and other data is stored.

func (*Server)HTTPClient¶added inv1.36.0

func (s *Server) HTTPClient() *http.Client

HTTPClient returns an HTTP client that is configured to connect over Tailscale.

This is useful if you need to have your tsnet services connect to other devices onyour tailnet.

package mainimport ("log""tailscale.com/tsnet")func main() {srv := &tsnet.Server{}cli := srv.HTTPClient()resp, err := cli.Get("https://hello.ts.net")if resp == nil {log.Fatal(err)}// do something with resp_ = resp}

func (*Server)Listen¶

func (s *Server) Listen(network, addrstring) (net.Listener,error)

Listen announces only on the Tailscale network.It will start the server if it has not been started yet.

Listeners which do not specify an IP address will match for trafficfor the local node (that is, a destination address of the IPv4 orIPv6 address of this node) only. To listen for traffic on other addressessuch as those routed inbound via subnet routes, explicitly specifythe listening address or use RegisterFallbackTCPHandler.

package mainimport ("fmt""log""net/http""tailscale.com/tsnet")func main() {srv := &tsnet.Server{Hostname: "tadaima",}ln, err := srv.Listen("tcp", ":80")if err != nil {log.Fatal(err)}log.Fatal(http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {fmt.Fprintln(w, "Hi there! Welcome to the tailnet!")})))}

func (*Server)ListenFunnel¶added inv1.38.0

func (s *Server) ListenFunnel(network, addrstring, opts ...FunnelOption) (net.Listener,error)

ListenFunnel announces on the public internet using Tailscale Funnel.

It also by default listens on your local tailnet, so connections cancome from either inside or outside your network. To restrict connectionsto be just from the internet, use the FunnelOnly option.

Currently (2023-03-10), Funnel only supports TCP on ports 443, 8443, and 10000.The supported host name is limited to that configured for the tsnet.Server.As such, the standard way to create funnel is:

s.ListenFunnel("tcp", ":443")

and the only other supported addrs currently are ":8443" and ":10000".

It will start the server if it has not been started yet.

package mainimport ("fmt""log""net/http""tailscale.com/tsnet")func main() {srv := &tsnet.Server{Hostname: "ophion",}ln, err := srv.ListenFunnel("tcp", ":443")if err != nil {log.Fatal(err)}log.Fatal(http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {fmt.Fprintln(w, "Hi there! Welcome to the tailnet!")})))}

package mainimport ("fmt""log""net/http""tailscale.com/tsnet")func main() {srv := new(tsnet.Server)srv.Hostname = "ophion"ln, err := srv.ListenFunnel("tcp", ":443", tsnet.FunnelOnly())if err != nil {log.Fatal(err)}log.Fatal(http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {fmt.Fprintln(w, "Hi there! Welcome to the tailnet!")})))}

func (*Server)ListenPacket¶added inv1.68.0

func (s *Server) ListenPacket(network, addrstring) (net.PacketConn,error)

ListenPacket announces on the Tailscale network.

The network must be "udp", "udp4" or "udp6". The addr must be of the form"ip:port" (or "[ip]:port") where ip is a valid IPv4 or IPv6 addresscorresponding to "udp4" or "udp6" respectively. IP must be specified.

If s has not been started yet, it will be started.

func (*Server)ListenTLS¶added inv1.38.0

func (s *Server) ListenTLS(network, addrstring) (net.Listener,error)

ListenTLS announces only on the Tailscale network.It returns a TLS listener wrapping the tsnet listener.It will start the server if it has not been started yet.

package mainimport ("fmt""log""net/http""tailscale.com/tsnet")func main() {srv := &tsnet.Server{Hostname: "aegis",}ln, err := srv.ListenTLS("tcp", ":443")if err != nil {log.Fatal(err)}log.Fatal(http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {fmt.Fprintln(w, "Hi there! Welcome to the tailnet!")})))}

func (*Server)LocalClient¶added inv1.26.0

func (s *Server) LocalClient() (*local.Client,error)

LocalClient returns a LocalClient that speaks to s.

It will start the server if it has not been started yet. If the server'salready been started successfully, it doesn't return an error.

func (*Server)LogtailWriter¶added inv1.90.0

func (s *Server) LogtailWriter()io.Writer

LogtailWriter returns anio.Writer that writes to Tailscale's logging service and will be only visible to Tailscale'ssupport team. Logs written there cannot be retrieved by the user. This method always returns a non-nil value.

func (*Server)Loopback¶added inv1.38.0

func (s *Server) Loopback() (addrstring, proxyCred, localAPICredstring, errerror)

Loopback starts a routing server on a loopback address.

The server has multiple functions.

It can be used as a SOCKS5 proxy onto the tailnet.Authentication is required with the username "tsnet" andthe value of proxyCred used as the password.

The HTTP server also serves out the "LocalAPI" on /localapi.As the LocalAPI is powerful, access to endpoints requires BOTH passing a"Sec-Tailscale: localapi" HTTP header and passing localAPICred as basic auth.

If you only need to use the LocalAPI from Go, then prefer LocalClientas it does not require communication via TCP.

func (*Server)RegisterFallbackTCPHandler¶added inv1.52.0

func (s *Server) RegisterFallbackTCPHandler(cbFallbackTCPHandler) func()

RegisterFallbackTCPHandler registers a callback which will be calledto handle a TCP flow to this tsnet node, for which no listeners will handle.

If multiple fallback handlers are registered, they will be called in anundefined order. See FallbackTCPHandler for details on handling a flow.

The returned function can be used to deregister this callback.

func (*Server)Start¶added inv1.20.0

func (s *Server) Start()error

Start connects the server to the tailnet.Optional: any calls to Dial/Listen will also call Start.

package mainimport ("log""tailscale.com/tsnet")func main() {srv := new(tsnet.Server)if err := srv.Start(); err != nil {log.Fatal(err)}// Be sure to close the server instance at some point. It will stay open until// either the OS process ends or the server is explicitly closed.defer srv.Close()}

func (*Server)Sys¶added inv1.78.0

func (s *Server) Sys() *tsd.System

Sys returns a handle to the Tailscale subsystems of this node.

This is not a stable API, nor are the APIs of the returned subsystems.

func (*Server)TailscaleIPs¶added inv1.38.0

func (s *Server) TailscaleIPs() (ip4, ip6netip.Addr)

TailscaleIPs returns IPv4 and IPv6 addresses for this node. If the nodehas not yet joined a tailnet or is otherwise unaware of its own IP addresses,the returned ip4, ip6 will be !netip.IsValid().

func (*Server)Up¶added inv1.38.0

func (s *Server) Up(ctxcontext.Context) (*ipnstate.Status,error)

Up connects the server to the tailnet and waits until it is running.On success it returns the current status, including a Tailscale IP address.