tailscale

This MCP server provides a comprehensive interface for managing Tailscale resources through the MCP protocol. It exposes 42 tools organized into logical categories: Device Management, Key Management, User Management, DNS Management, and Advanced Features. Each tool corresponds to a specific Tailscale API operation, such as listing devices, creating authentication keys, updating ACL policies, configuring DNS settings, and managing webhooks and posture integrations. You can invoke these tools via an MCP client by selecting the desired tool under the tailscale server and passing the required parameters. The server supports both API key and OAuth-based authentication, so choose the method that best fits your environment and security requirements. When integrating with clients (such as Claude Code or generic MCP clients), you can point the client to the tailscale MCP server and provide environment credentials through either Docker environment variables or a local binary deployment as demonstrated in the configuration examples.

Prerequisites: a valid Tailscale account with API access, and either an API key or OAuth client credentials. Choose a deployment method: Docker (recommended), Binary (Go 1.24+), or Source.

Docker (Recommended):

1. Ensure Docker is installed.
2. Pull and run the image with your credentials:

# Using API key authentication
docker run -d \
  --name tailscale-mcp-server \
  --restart unless-stopped \
  -e TAILSCALE_API_KEY="tskey-api-..." \
  -e TAILSCALE_TAILNET="your-tailnet" \
  tailscale-mcp-server:latest

# Using OAuth authentication
docker run -d \
  --name tailscale-mcp-server \
  --restart unless-stopped \
  -e TAILSCALE_CLIENT_ID="your-client-id" \
  -e TAILSCALE_CLIENT_SECRET="your-client-secret" \
  -e TAILSCALE_TAILNET="your-tailnet" \
  tailscale-mcp-server:latest

Docker Compose (Recommended):

1. Clone the repository and navigate to the mcp directory.

git clone <repository-url>
cd mcp

2. Create and configure a .env file with your credentials (refer to .env.example).
3. Start the server with Docker Compose:

docker-compose up -d
docker-compose logs -f

Building locally from source:

# Build the binary
go mod tidy
go build -o tailscale-mcp-server ./cmd

Binary installation (Go install):

go install github.com/pnocera/tailscale-mcp-server/cmd@latest

Note: Ensure you expose the appropriate environment variables and maintain secure handling of API keys or OAuth credentials.

Environment variables can be provided either via Docker envs or a local .env file. If both API key and OAuth credentials are present, OAuth will be used. The server supports both API key and OAuth authentication methods for flexibility. When using Docker, you may want to opt for docker-compose to manage environment files and startup/shutdown. If you encounter connectivity issues, verify that the Tailscale tailnet name matches between your credentials and the server configuration, and ensure the API key or OAuth scope includes the required permissions for device, user, DNS, and policy operations. For debugging, consult the MCP client logs (e.g., docker-compose logs or container logs) to inspect tool invocations and any API errors returned by Tailscale.