Tailscale MCP Server

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.
1. Set the server up locally

Run this once to clone and prepare the server before adding it to Claude Code.

Run in terminal
npm install -g tailscale-mcp
2. Register it in Claude Code

After the local setup is done, run this command to point Claude Code at the built server.

Run in terminal
claude mcp add -e "TAILSCALE_TAILNET=${TAILSCALE_TAILNET}" mcp-tailscale -- node "<FULL_PATH_TO_MCP_TAILSCALE>/dist/index.js"

Replace <FULL_PATH_TO_MCP_TAILSCALE>/dist/index.js with the actual folder you prepared in step 1.

Required: TAILSCALE_TAILNET (+ 3 optional)
README.md

Secure MCP access for private infrastructure over Tailscale

mcp-tailscale

The Problem

AI agents need access to internal tools, services, and infrastructure — but exposing private systems to the internet creates unacceptable security risks. VPNs are complex, SSH tunnels are fragile, and API gateways add latency and maintenance overhead.

mcp-tailscale bridges this gap: a lightweight MCP server that gives AI agents secure, authenticated access to your Tailscale-connected infrastructure — without exposing anything to the public internet.

What It Does

mcp-tailscale is an MCP Gateway Runtime that connects AI agents (Claude, GPT, custom) to your private infrastructure through Tailscale's zero-trust network. It provides 48 tools across 9 domains for managing devices, DNS, ACL policies, auth keys, users, webhooks, posture integrations, and tailnet settings — all through the Tailscale API v2.

No SSH. No shell execution. API-only. 4 runtime dependencies.

Use Cases

  • DevOps Automation — Let AI agents manage device authorization, subnet routes, and ACL policies across your tailnet
  • DNS Management — Configure split DNS, global nameservers, and MagicDNS through natural language
  • Security Auditing — Automated ACL policy validation, posture compliance checks, and key rotation
  • Fleet Management — Monitor device status, manage tags, and onboard new devices at scale
  • Infrastructure as Conversation — Query and modify your private network configuration through AI-driven workflows

Quick Start

Install from npm

npm install -g tailscale-mcp

Or clone and build from source

git clone https://github.com/itunified-io/mcp-tailscale.git
cd mcp-tailscale
npm install
cp .env.example .env   # Edit with your Tailscale API key and tailnet name
npm run build
node dist/index.js     # stdio transport for MCP

Claude Code Integration

Add to .mcp.json in your project root:

{
  "mcpServers": {
    "tailscale": {
      "command": "node",
      "args": ["/path/to/mcp-tailscale/dist/index.js"],
      "env": {
        "TAILSCALE_API_KEY": "your-api-key-here",
        "TAILSCALE_TAILNET": "your-tailnet-name"
      },
      "comment": "Or use OAuth: TAILSCALE_OAUTH_CLIENT_ID + TAILSCALE_OAUTH_CLIENT_SECRET instead of TAILSCALE_API_KEY"
    }
  }
}
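A project-root .mcp.json with the key written inline, as in the snippet above, puts the credential in a file that is easy to commit. The check below is an added example, not code from mcp-tailscale: it flags literal values for the credential variables named on this page, assuming the MCP client expands `${VAR}` and `${VAR:-default}` references in `env` values; `findInlineSecrets` and the sample configs are hypothetical names and constructed inputs.

```javascript
// Added example, not part of mcp-tailscale: lint an .mcp.json for inline secrets.
// Credential variables named on this page:
const SECRET_VARS = ["TAILSCALE_API_KEY", "TAILSCALE_OAUTH_CLIENT_SECRET"];
// Assumption: the MCP client expands ${VAR} and ${VAR:-default} in env values.
const ENV_REF = /^\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-(.*))?\}$/;

// Returns one finding per secret variable whose value is stored in the file.
// Findings name the server and variable only; the value is never echoed.
function findInlineSecrets(configText) {
  const config = JSON.parse(configText);
  const findings = [];
  for (const [server, def] of Object.entries(config.mcpServers ?? {})) {
    for (const [key, value] of Object.entries(def.env ?? {})) {
      if (!SECRET_VARS.includes(key) || value === "") continue;
      const ref = ENV_REF.exec(String(value));
      if (!ref) {
        findings.push({ server, key, reason: "literal value in file" });
      } else if (ref[2]) {
        findings.push({ server, key, reason: "literal fallback in ${VAR:-...}" });
      }
    }
  }
  return findings;
}

// Constructed sample configs (placeholder values, not real credentials).
const makeConfig = (env) => JSON.stringify({
  mcpServers: {
    tailscale: {
      command: "node",
      args: ["/path/to/mcp-tailscale/dist/index.js"],
      env: { TAILSCALE_TAILNET: "your-tailnet-name", ...env },
    },
  },
});
const INLINE = makeConfig({ TAILSCALE_API_KEY: "constructed-placeholder-key" });
const REFERENCED = makeConfig({ TAILSCALE_API_KEY: "${TAILSCALE_API_KEY}" });
const FALLBACK = makeConfig({
  TAILSCALE_OAUTH_CLIENT_SECRET: "${TS_SECRET:-constructed-placeholder}",
});

console.log(findInlineSecrets(INLINE));
console.log(findInlineSecrets(REFERENCED));
console.log(findInlineSecrets(FALLBACK));
```

To use it on a real file, pass the file's text to `findInlineSecrets` and fail the commit hook or CI job when the returned list is non-empty.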

Features

48 tools across 9 domains:

  • Devices — List, get, delete, authorize, expire, rename devices; manage routes, tags, and posture attributes
  • DNS — Global nameservers, search paths, split DNS configuration, MagicDNS preferences
  • ACL — Get, set, preview, validate, and test ACL policies
  • Keys — List, get, create, and revoke auth keys
  • Tailnet — Settings (read/write), contacts, Tailnet Lock status
  • Users — List and get tailnet users with role/type filtering
  • Webhooks — Create, list, get, and delete webhook endpoints
  • Posture Integrations — List, get, create, and delete third-party posture provider integrations
  • Diagnostics — Tailnet status summary, API connectivity check, log streaming, DERP map

Authentication: API key or OAuth client credentials (auto-refresh)

Skills

Claude Code skills compose MCP tools into higher-level workflows. See `.claude/skills/README.md` for detailed documentation.

| Skill | Slash Command | Description |
|---|---|---|
| tailscale-health | /ts-health | Tailnet health dashboard — devices, DNS, ACL, keys, connectivity |
| tailscale-live-test | /ts-test | Live integration test — read + safe writes with cleanup |
| tailscale-acl-management | | ACL policy management — view, edit, validate, test, drift detection |
| tailscale-device-management | | Device management — list, authorize, routes, tags, posture |
| tailscale-dns-management | | DNS management — split DNS, nameservers, search paths, MagicDNS |
| tailscale-key-management | | Auth key management — create, list, rotate, revoke |
| tailscale-onboarding | | New device onboarding — auth key, authorize, tags, routes, verify |

SSE

Tools (4)

  • device_management — Manage devices including listing, authorizing, renaming, and managing routes or tags.
  • dns_management — Configure global nameservers, search paths, split DNS, and MagicDNS settings.
  • acl_management — Get, set, preview, validate, and test ACL policies.
  • key_management — List, create, and revoke authentication keys.

Environment Variables

  • TAILSCALE_API_KEY — Tailscale API key for authentication
  • TAILSCALE_TAILNET (required) — The name of your tailnet
  • TAILSCALE_OAUTH_CLIENT_ID — OAuth client ID for authentication
  • TAILSCALE_OAUTH_CLIENT_SECRET — OAuth client secret for authentication

Configuration

claude_desktop_config.json
{
  "mcpServers": {
    "tailscale": {
      "command": "node",
      "args": ["/path/to/mcp-tailscale/dist/index.js"],
      "env": {
        "TAILSCALE_API_KEY": "your-api-key-here",
        "TAILSCALE_TAILNET": "your-tailnet-name"
      }
    }
  }
}

Try it

List all devices currently connected to my tailnet and identify any that are unauthorized.
Validate the current ACL policy for any potential security misconfigurations.
Configure split DNS to route traffic for internal.example.com to my private nameserver.
Create a new auth key for onboarding a new server and set its tags.
Check the health status of my tailnet and report any connectivity issues.

Frequently Asked Questions

What are the key features of Tailscale MCP?

48 tools across 9 domains including Devices, DNS, ACL, and Keys. Secure API-only access without shell execution or SSH. Supports both API key and OAuth client credential authentication. Real-time diagnostics including log streaming and DERP map status. Automated ACL policy validation and drift detection.

What can I use Tailscale MCP for?

DevOps teams automating device authorization and subnet route management. Network administrators configuring global nameservers and MagicDNS via natural language. Security engineers performing automated ACL policy audits and posture compliance checks. Fleet managers monitoring device status and managing tags at scale.

How do I install Tailscale MCP?

Install Tailscale MCP by running: npm install -g tailscale-mcp

What MCP clients work with Tailscale MCP?

Tailscale MCP works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
