5 things you didn't know you could do with Tailscale | Recorded for PlatformCon NYC 2025

One Sentence Summary

Tailscale unlocks versatile, cross-platform networking—mesh VPN, SSH-less access, CI/CD integration, and NAT traversal with practical demos for developers everywhere today.

Main Points

• Supports many OS, including Mac, iOS, Windows, Linux, Android, plus TV OS.
• App on almost anything: Apple TV, Android TV, robots, etc.
• Tailscale is a WireGuard-backed mesh VPN with direct device-to-device communication.
• Uses NAT traversal to connect through firewalls without port forwarding.
• ACLs and grants control access and firewall-like permissions across the TailNet.
• The MCP server lets you query TailNet status and automate tasks programmatically.
• Example: integrate TailNet into CI/CD pipelines (GitHub Actions) for deployments.
• Tailscale SSH eliminates keys, certs, and passwords with tag-based access control.
• Exit nodes allow routing all traffic through a chosen node (e.g., Digital Ocean).
• Browser-based SSH and Let's Encrypt TLS via TailScale Serve enable remote web hosting.

Takeaways

• Explore MCP-powered automation to manage TailNet state and devices programmatically.
• Leverage TailScale SSH to remove SSH key management and simplify access control.
• Use exit nodes to centralize and secure outbound traffic from your TailNet.
• Integrate TailScale with CI/CD to securely deploy apps from GitHub actions.
• Use DNS/TLS features (TailScale Serve) to expose local services safely from anywhere.

---

Extended Summary

This transcript is a practical showcase of five advanced but approachable things you can do with Tailscale beyond basic VPN usage. The speaker positions Tailscale as a mesh VPN built on WireGuard that can connect devices and services across different networks without opening inbound ports, using NAT traversal, MagicDNS, ACLs/grants, Tailscale SSH, Serve, Funnel, and API-driven automation.

The five main capabilities demonstrated are:

1. Run Tailscale on nearly any device/OS and use it to connect almost anything to anything.
2. Use a community MCP server to query and operate on a Tailnet through an AI client.
3. Add Tailscale to CI/CD workflows, specifically a GitHub Actions deployment pipeline.
4. Use Tailscale SSH for passwordless/keyless SSH, including browser-based SSH and exit nodes.
5. Use Tailscale Serve to expose a local service over HTTPS with automatic TLS certificates.

Primary tools, software, and platforms explicitly mentioned in the transcript include Tailscale, WireGuard, GitHub Actions, Docker Compose, MKDocs, DigitalOcean, Claude Desktop, Let’s Encrypt, Python, MacBook, Apple TV, Android TV, tvOS, Go, IP Chicken, and 5G/mobile access.

The transcript is strongly implementation-oriented and shows how Tailscale becomes an infrastructure glue layer for remote access, automation, deployment, SSH identity, and secure service publishing.

Detailed Step-by-Step Breakdown

1. Install Tailscale on Supported Devices and Understand the Core Network Model

The speaker begins by highlighting that Tailscale can be installed across major operating systems and device classes.

Platforms explicitly mentioned

• macOS
• iOS
• Windows
• Linux
• Android
• tvOS
• Android TV
• Apple TV

Conceptual implementation point

The transcript explains that Tailscale is written in Go, which is why it is portable across many modern systems.

Practical workflow

1. Open the download page:

   • tailscale.com/download

2. Select your platform.

3. Install the Tailscale client.

4. Authenticate the device into your Tailnet.

5. Once joined, the device becomes part of the mesh network and can communicate with other enrolled devices.

Important technical takeaway

The speaker contrasts Tailscale with traditional point-to-point VPNs such as Cisco AnyConnect or Surfshark. The implementation detail emphasized is:

• Tailscale uses WireGuard for packet transport
• Tailscale builds a mesh VPN
• devices talk directly to each other
• NAT traversal reduces or eliminates the need for manual port forwarding

Example use cases explicitly mentioned

• Connect a GitHub Actions runner to a cloud VPS
• Connect a cloud VPS to a system behind a residential firewall
• Access self-hosted home lab services from a phone over 5G
• Use Tailscale Serve and Tailscale Funnel for automatic HTTPS publishing

Assumption: Standard/Typical Setup

The transcript does not show the actual login/authentication command or exact install command for each OS. A typical Linux bootstrap flow would involve:

• installing the package
• running tailscale up
• authenticating via browser or auth key

That exact command was not shown in this transcript, so it should not be treated as transcript-confirmed.

2. Query and Operate on a Tailnet with a Community MCP Server

The first concrete “didn’t know you could do this” tip is using a Model Context Protocol (MCP) server for Tailscale.

What is being demonstrated

A community-built Tailscale MCP server from GitHub is connected to the speaker’s Claude desktop application. This lets the AI client query the Tailscale API and return readable information about the Tailnet.

Implementation flow shown

1. Install or configure a Tailscale-compatible MCP server from GitHub.
2. Configure an AI client, in this case Claude Desktop, to talk to that MCP server.
3. Provide an API token so the MCP server can call the Tailscale API.
4. Use commands inside the AI client to query the Tailnet.

Actions explicitly mentioned

• list devices
• ping peers
• get tailnet info

Example shown in transcript

The speaker uses a short command to invoke the MCP tool and asks it to retrieve Tailnet info. The MCP server:

1. sends a request over the API connection
2. uses the configured API token
3. retrieves Tailnet information
4. returns parsed output into the AI client

Output/data types mentioned

• Tailnet name
• owner identity
• device list
• route configuration
• active/offline status
• “last active” data

Why this matters technically

This is not just a read-only reporting setup. The speaker explicitly frames it as an automation pattern:

• “when this happens, do this”
• “if this condition is met, do that”

That means the MCP server can be used as a programmable control plane wrapper over the Tailscale API.

Important warning from transcript

The speaker explicitly says this MCP server is not an official Tailscale project. It is a third-party GitHub project that he found interesting.

Assumption: Standard/Typical Setup

The transcript does not provide:

• the GitHub repository URL
• the MCP config file format
• the exact Claude Desktop MCP configuration block
• the exact environment variable names for the API token

A typical setup would likely involve a local JSON/YAML config plus an API key stored as an environment variable, but those details were not explicitly provided.

3. Use Tailscale Inside a CI/CD Pipeline with GitHub Actions

The next concrete feature is integrating Tailscale into a deployment workflow.

Demonstrated use case

The speaker deploys perfectmediaserver.com using GitHub Actions, with the runner joining the Tailnet as an ephemeral node so it can securely access deployment infrastructure.

High-level architecture shown

• Source code is stored in a GitHub repo
• A GitHub Actions workflow runs on push
• The runner uses OAuth client credentials to join the Tailnet
• The runner performs deployment commands against a remote target reachable over Tailscale

Workflow steps shown

1. Open the GitHub repository backing the website.

2. Open the GitHub Actions workflow.

3. Locate a job that:

   • connects the runner to the Tailnet
   • runs deployment commands

4. Configure:

   • OAuth client
   • OAuth secret

5. When the action runs, the runner joins the Tailnet as an ephemeral node.

6. The workflow then runs deployment steps.

Deployment mechanism explicitly mentioned

The actual deployment is done through Docker Compose commands. The speaker emphasizes that the workflow is doing the same thing he would do manually on the host.

Technologies explicitly referenced

• GitHub Actions
• Docker Compose
• MKDocs
• Tailscale GitHub Action
• ephemeral node
• Tailscale SSH
• OAuth client
• OAuth secret

What the demo proves

The speaker makes a commit by appending 123 to a file, pushes the change, and watches:

1. GitHub Actions start
2. runner connect to the Tailnet
3. temporary GitHub node appear in the Tailscale admin console
4. the site rebuild
5. the content become visible on the deployed website

Security-relevant implementation detail

The speaker notes that this approach uses Tailscale SSH behind the scenes, which avoids:

• manual SSH key management
• extra deployment secrets specifically for SSH access

Assumption: Standard/Typical Setup

The exact YAML was not read line-by-line in the transcript. Missing specifics include:

• workflow file path, likely something like .github/workflows/*.yml
• exact action reference such as uses:
• exact names of the Tailscale-related GitHub secrets
• remote hostnames and compose file paths

A typical implementation would have these as:

• GitHub repository secrets
• workflow steps invoking the Tailscale action before deployment commands
• remote commands over Tailscale SSH

Those are reasonable patterns, but not transcript-confirmed specifics.

4. Use Tailscale SSH for Passwordless/Keyless Access, Add an Exit Node, and SSH from the Browser

This is one of the most implementation-rich sections in the transcript.

Provision a fresh remote host

The speaker creates a fresh DigitalOcean droplet and then uses the Tailscale admin console to generate an install script.

Installation flow shown

1. In the Tailscale admin console, click:

   • Add device
   • Linux server

2. Optionally configure:

   • tags
   • ephemeral behavior
   • exit node

3. Click Generate install script

4. Tailscale generates:

   • an auth key
   • the full install/bootstrap command with arguments

5. SSH into the new droplet using its original access method (initially password-based in the demo)

6. Paste the generated Tailscale install command into the droplet shell

What that install script does

According to the transcript, it:

• downloads and installs Tailscale
• adds the machine to the Tailnet
• uses the generated auth key automatically

Enable Tailscale SSH on the host

After installation, the speaker runs:

• tailscale set --ssh

This enables the host to accept Tailscale SSH connections.

Rename the machine

The machine initially has a generated name; the speaker changes it in the admin console to:

• Bob

SSH using Tailscale identity, not keys

Once enabled, the speaker connects using:

• ssh root@Bob

The critical implementation point is that there are:

• no manually managed SSH keys
• no password entered for this Tailscale-mediated SSH session

Tags and access control

The speaker briefly explains tags as a way to segment the Tailnet. Example logic described:

• servers tagged dev can only be accessed by identities/devices that meet matching policy conditions
• a ci tag can limit what CI/CD nodes can reach

This is enforced through ACLs and/or grants.

Configure the host as an Exit Node

The same droplet is then enabled as an exit node.

Steps shown

1. In the admin console, open the machine settings

2. Go to route settings

3. enable:

   • Use as exit node

4. Manually approve the exit node because exit nodes are considered sensitive/risky

Verify exit node behavior

The speaker:

1. opens IP Chicken
2. notes the current public IP
3. chooses Bob as the active exit node in the Tailscale client
4. sees public traffic now egress through DigitalOcean

That proves that internet traffic is now routed through the selected Tailscale node.

Browser-based SSH

The transcript also shows that you can click the SSH button in the admin console and open a browser shell.

The explanation given:

• the browser creates an ephemeral node
• JavaScript is used to establish that temporary Tailscale connectivity
• after authentication, the browser session can SSH into the node

This is useful when:

• you are on a host where the Tailscale client is unavailable
• you do not want to install local software
• you need fast emergency/admin access

Assumption: Standard/Typical Setup

The transcript does not provide:

• the exact generated install command
• exact ACL/grant JSON or HuJSON policy examples
• any SSH policy configuration entries
• the exact browser-side implementation details

The only transcript-confirmed SSH-enabling command is tailscale set --ssh.

5. Publish a Local Service Over HTTPS with Tailscale Serve

The final major tip demonstrates exposing a local service with automatic TLS.

Local service being served

The speaker runs a simple Python web server on port 8000 that serves the contents of the home directory.

This implies a command similar to Python’s built-in HTTP server, though the exact command is not spoken in full. The speaker only says he is “listing the contents of my home directory using Python on port 8000.”

Tailscale Serve command shown

He then runs a Tailscale Serve command that maps a Tailnet HTTPS endpoint to that local service. The transcript’s OCR/transcription of the exact command is garbled, but the intended pattern is clearly:

• tailscale serve
• mapping HTTPS port 443 to localhost:8000

The visible transcription appears approximately like:

• tailscale serve ... 8000

but not reliably enough to quote as exact syntax.

What happens next

1. Tailscale provisions a TLS certificate
2. It uses Let’s Encrypt in the background
3. The local service becomes available via a Tailscale HTTPS URL
4. No manual certificate setup is required

Additional features involved

• MagicDNS is mentioned as part of the addressing experience
• the speaker copies the node’s MagicDNS name to access it remotely
• the service is then accessible from another device, including a phone, even when not on the same physical network

Important networking point

The transcript emphasizes that this is still made possible by:

• direct device-to-device connectivity
• NAT traversal
• no complex firewall or inbound port configuration

Assumption: Standard/Typical Setup

The exact tailscale serve syntax is not cleanly preserved in the transcript. A typical form would look like one of the documented Serve patterns that map HTTPS requests to a local TCP/HTTP backend on localhost:8000, but the precise CLI flags used in this demo are not transcript-confirmed.

Key Technical Details

Core technologies explicitly mentioned

• Tailscale
• WireGuard
• Go
• GitHub Actions
• Docker Compose
• MKDocs
• DigitalOcean
• Claude Desktop
• Model Context Protocol (MCP)
• Let’s Encrypt
• Python
• MagicDNS
• ACLs
• grants
• exit nodes
• ephemeral nodes
• Tailscale SSH
• Tailscale Serve
• Tailscale Funnel

Important Tailscale concepts extracted from the transcript

• Mesh VPN rather than traditional point-to-point VPN
• Direct device-to-device communication
• NAT traversal
• No inbound port opening required
• Tailnet as the logical network boundary
• Tags for grouping and access scoping
• ACLs/grants for policy control
• MagicDNS for discoverable internal naming
• Ephemeral nodes for temporary CI/browser sessions
• Exit nodes for routing internet traffic through a chosen machine

Commands and CLI terms explicitly or effectively shown

• tailscale set --ssh
• ssh root@Bob
• tailscale serve ... localhost:8000 (exact flags not fully legible in transcript)
• installation via generated Linux server install script
• GitHub workflow that connects the runner to the Tailnet with OAuth client and OAuth secret

Infrastructure and device examples mentioned

• Apple TV
• Android TV
• robot vacuum
• GitHub Action runner
• cloud VPS
• residential firewall
• home lab services
• phone over 5G
• DigitalOcean droplet
• MacBook

Security and identity implementation details

• Tailscale SSH removes the need to manage traditional SSH keys manually
• exit nodes require approval because of their routing implications
• tags and grants/ACLs are used to constrain access and reduce blast radius
• browser SSH creates an ephemeral node for secure temporary access

Pro Tips

First, use tags early. Even though the transcript does not configure them in full, the speaker clearly treats tags like dev and ci as essential for controlling what machines and workflows can access. For any real deployment, do not leave everything in one flat trust domain.

Second, use ephemeral nodes for automation. The GitHub Actions example is important because it avoids leaving long-lived machines or credentials attached to your Tailnet. Temporary membership is a strong pattern for CI/CD.

Third, combine Tailscale SSH with infrastructure provisioning. The workflow shown with DigitalOcean is especially useful for bootstrapping fresh hosts: install Tailscale, enable --ssh, rename the node, then use Tailnet identity instead of distributing SSH keys.

Fourth, use exit nodes as controlled egress points. The demo uses a droplet named Bob as an exit node to send all traffic through DigitalOcean. This is useful for geographic egress, centralized inspection, or accessing resources that only trust specific source IPs.

Fifth, use Tailscale Serve for internal service publication before reaching for reverse proxies, public DNS, and certificate tooling. For quick demos, admin tools, test dashboards, and internal apps, the transcript shows that Serve dramatically reduces setup complexity.

Potential Limitations/Warnings

The MCP server demonstrated is explicitly not an official Tailscale project. That means maintainability, API compatibility, and security posture depend on the third-party repository. Treat it as an interesting integration, not a guaranteed supported product.

The transcript references ACLs and grants but does not actually show the policy file. That means the most security-sensitive part of a production deployment is discussed conceptually, not implemented step-by-step here. Anyone reproducing these workflows should define policy before broad rollout.

The exact tailscale serve command syntax is not fully preserved in the transcript. The intent is obvious, but the precise flags should be verified against official docs before direct copy/paste.

The GitHub Actions deployment section does not include the full workflow YAML. You can reproduce the architecture, but not every implementation detail is present in the transcript, especially:

• action version
• secret names
• target host addressing
• deployment command structure

Using an exit node changes where traffic leaves the network. That can affect:

• latency
• source IP reputation
• compliance expectations
• logging/visibility
• cost on the node hosting the egress

Finally, browser-based SSH and automatic certificate provisioning are very convenient, but they still depend on correct identity, policy, and network approval settings. The transcript focuses on the happy path, not the failure/debug path.

Recommended Follow-Up Resources

The most useful next resource is the Tailscale “How It Works” blog post, which the speaker explicitly recommends. That appears to be the conceptual foundation for understanding the mesh model, NAT traversal, and the way Tailscale differs from conventional VPN products.

After that, the strongest follow-up areas are:

• official Tailscale SSH documentation
• official Tailscale Serve and Funnel documentation
• official GitHub Actions integration docs for Tailscale
• ACL/grants policy documentation
• official API documentation for automating Tailnet operations

Because this transcript repeatedly uses ephemeral nodes, tags, and Tailnet policy, those areas are the most important if you want to reproduce the workflows safely rather than just functionally.

Suggested Books (5)

1. WireGuard From Scratch — Jason A. Donenfeld

This book is directly relevant because the transcript repeatedly positions Tailscale as being built on WireGuard. A deeper understanding of WireGuard helps clarify what Tailscale is abstracting away, especially around peer connectivity, key exchange, and efficient VPN transport. It is especially useful for understanding the network layer underneath the Tailscale experience.

2. How Linux Works, 3rd Edition — Brian Ward

This is one of the best practical books for understanding the kinds of systems shown in the transcript: Linux hosts, SSH access, background services, network routing, and remote administration. It helps bridge the gap between “this command works” and “I know what the system is doing when I run it,” which is essential for using Tailscale SSH, Serve, and remote deployment effectively.

3. Docker Deep Dive — Nigel Poulton

The CI/CD section uses Docker Compose as the deployment mechanism, so a solid grounding in containers and deployment workflows is highly relevant. This book supports the transcript by helping you understand how application packaging, service definitions, and remote deployments fit together when Tailscale is used as the secure network overlay.

4. SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys — Michael W. Lucas

Even though the transcript emphasizes that Tailscale SSH reduces the need for manual SSH key management, understanding classic SSH is still crucial. This book provides the baseline mental model for remote access, tunnels, authentication, and host trust, making it much easier to appreciate what Tailscale SSH simplifies or replaces.

5. Computer Networking: A Top-Down Approach — James F. Kurose and Keith W. Ross

This is the best broad technical companion to the transcript’s repeated references to mesh VPNs, NAT traversal, direct peer communication, and secure remote access. It gives the networking foundation needed to understand why Tailscale’s architecture works, what problems it solves, and how features like exit nodes and secure overlays fit into the larger networking stack.