Tailscale Services Setup (Davros)

This guide documents the exact Tailscale service-host setup that worked on the davros laptop for exposing local ports through Tailscale Services.

Prerequisites

  • You are logged into the correct tailnet.
  • Your local apps are running on the ports you want to expose.
  • Your node can advertise an approved ACL tag (in this setup: tag:local).

1) Configure Node Tag + Network Flags

The node already had non-default Tailscale preferences set, so running tailscale up without restating the full set of desired settings failed.

The working command was:

tailscale up --reset --accept-routes --advertise-exit-node --advertise-tags=tag:local

Verify:

tailscale debug prefs | head -n 40

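Expected values include the following (RouteAll comes from --accept-routes; the two default routes in AdvertiseRoutes come from --advertise-exit-node):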

  • LoggedOut: false
  • AdvertiseTags: ["tag:local"]
  • RouteAll: true
  • AdvertiseRoutes: ["0.0.0.0/0", "::/0"]

2) Create Service Mappings

Create each service mapping on this node:

tailscale serve --service=svc:davros-3000 --bg 3000
tailscale serve --service=svc:davros-3001 --bg 3001
tailscale serve --service=svc:davros-8081 --bg 8081
tailscale serve --service=svc:davros-8055 --bg 8055

These map to:

  • https://davros-3000.blowfish-pentatonic.ts.net -> http://127.0.0.1:3000
  • https://davros-3001.blowfish-pentatonic.ts.net -> http://127.0.0.1:3001
  • https://davros-8081.blowfish-pentatonic.ts.net -> http://127.0.0.1:8081
  • https://davros-8055.blowfish-pentatonic.ts.net -> http://127.0.0.1:8055

3) Admin Approval Requirement

Even after successful tailscale serve commands, traffic will time out until an admin approves the node as a host for each service.

Typical message:

This machine is configured as a service proxy for svc:..., but approval from an admin is required.

4) Verify Local Port Health

Service URLs only work if local ports are listening.

curl -I --max-time 5 http://127.0.0.1:3000
curl -I --max-time 5 http://127.0.0.1:3001
curl -I --max-time 5 http://127.0.0.1:8081
curl -I --max-time 5 http://127.0.0.1:8055

Observed during setup:

  • 3000: connection refused (app not running)
  • 3001: responding (403, but alive)
  • 8081: responding (200)
  • 8055: connection refused (app not running)

5) Verify Service Reachability

After admin approval and local app readiness:

for s in 3000 3001 8081 8055; do
  echo "== $s =="
  curl -I --max-time 10 "https://davros-$s.blowfish-pentatonic.ts.net" || true
done
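
The script below is an added example, not part of the original guide. It combines the local probe from step 4 with the service probe from step 5 and reports which of the failure modes described above applies to each port. The function names and the --run switch are hypothetical; the ports, hostnames and commands are the ones on this page.

```sh
#!/bin/sh
# Added example (not from the original guide). Ports and tailnet name are the page's.
PORTS="3000 3001 8081 8055"
DOMAIN="blowfish-pentatonic.ts.net"

# classify <curl_exit> <http_status>: curl exits 0 on any HTTP reply (even 403),
# 7 when it could not connect (e.g. connection refused), 28 when --max-time expires.
classify() {
  case "$1" in
    0)  echo "alive($2)" ;;
    7)  echo "refused" ;;
    28) echo "timeout" ;;
    *)  echo "error($1)" ;;
  esac
}

# probe <url> <max_seconds>: HEAD request, prints the classified state.
probe() {
  rc=0
  code=$(curl -s -o /dev/null -I --max-time "$2" -w '%{http_code}' "$1") || rc=$?
  classify "$rc" "$code"
}

# diagnose <port> <local_state> <service_state>: one line saying what to fix.
diagnose() {
  case "$2" in
    alive*)  ;;
    refused) echo "$1: local app not running"; return 0 ;;
    *)       echo "$1: local probe $2"; return 0 ;;
  esac
  case "$3" in
    alive*)  echo "$1: ok" ;;
    timeout) echo "$1: check admin approval for svc:davros-$1" ;;
    *)       echo "$1: service probe $3, see tailscale serve status --json" ;;
  esac
}

# Run the probes only when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then
  for p in $PORTS; do
    l=$(probe "http://127.0.0.1:$p" 5)
    s=$(probe "https://davros-$p.$DOMAIN" 10)
    diagnose "$p" "$l" "$s"
  done
fi
```

Run it with --run as the first argument. A 403 from the local app counts as alive, matching the observation for port 3001 above.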

Troubleshooting

Error: service hosts must be tagged nodes

Cause: the node does not advertise an allowed tag.

Fix:

  1. Ensure the ACL policy allows tag ownership.
  2. Run tailscale up --reset ... --advertise-tags=tag:local.

Error: requested tags are invalid or not permitted

Cause: the tailnet ACL's tagOwners section does not permit your user/group/node to advertise that tag.

Fix: ask an admin to allow that tag, then rerun the tailscale up command.

Error: changing settings via tailscale up requires mentioning all non-default flags

Cause: non-default prefs were already set on the node.

Fix: use --reset and explicitly set the desired flags in one command.

Useful Commands

Show current config:

tailscale serve status --json

Clear one service mapping:

tailscale serve clear svc:davros-3001

Turn off one service HTTPS endpoint:

tailscale serve --service=svc:davros-3001 --https=443 off