From 79ac0af7198750ba42f613c8cf506eac4001672b Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Thu, 8 Jan 2026 07:15:45 +0100 Subject: [PATCH] docs: clarify tailscale serve/funnel prerequisites --- docs/gateway/tailscale.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/docs/gateway/tailscale.md b/docs/gateway/tailscale.md index a5cb069b4..d7f4f8ff0 100644 --- a/docs/gateway/tailscale.md +++ b/docs/gateway/tailscale.md @@ -12,8 +12,8 @@ Tailscale provides HTTPS, routing, and (for Serve) identity headers. ## Modes -- `serve`: Tailnet-only HTTPS via `tailscale serve`. The gateway stays on `127.0.0.1`. -- `funnel`: Public HTTPS via `tailscale funnel`. Requires a shared password. +- `serve`: Tailnet-only Serve via `tailscale serve`. The gateway stays on `127.0.0.1`. +- `funnel`: Public HTTPS via `tailscale funnel`. Clawdbot requires a shared password. - `off`: Default (no Tailscale automation). ## Auth @@ -69,3 +69,18 @@ clawdbot gateway --tailscale funnel --auth password - `tailscale.mode: "funnel"` refuses to start unless auth mode is `password` to avoid public exposure. - Set `gateway.tailscale.resetOnExit` if you want Clawdbot to undo `tailscale serve` or `tailscale funnel` configuration on shutdown. + +## Tailscale prerequisites + limits + +- Serve requires HTTPS enabled for your tailnet; the CLI prompts if it is missing. +- Serve injects Tailscale identity headers; Funnel does not. +- Funnel requires Tailscale v1.38.3+, MagicDNS, HTTPS enabled, and a funnel node attribute. +- Funnel only supports ports `443`, `8443`, and `10000` over TLS. +- Funnel on macOS requires the open-source Tailscale app variant. + +## Learn more + +- Tailscale Serve overview: https://tailscale.com/kb/1312/serve +- `tailscale serve` command: https://tailscale.com/kb/1242/tailscale-serve +- Tailscale Funnel overview: https://tailscale.com/kb/1223/tailscale-funnel +- `tailscale funnel` command: https://tailscale.com/kb/1311/tailscale-funnel
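Review bot: In the Modes hunk (`@@ -12,8 +12,8 @@`), the new `serve` bullet reads "Tailnet-only Serve via `tailscale serve`", which defines the mode by its own name and drops the word HTTPS. The `funnel` bullet next to it still says "Public HTTPS", and the section added later in this patch says Serve requires HTTPS enabled for the tailnet. Suggest keeping the transport explicit, for example "Tailnet-only HTTPS via `tailscale serve`", so the two modes stay directly comparable. The `funnel` change to "Clawdbot requires a shared password" reads well, since it attributes the requirement to Clawdbot rather than to Tailscale.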
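Review bot: In the second hunk (`@@ -69,3 +69,18 @@`), the added bullet "Serve injects Tailscale identity headers; Funnel does not." states a security-relevant difference without its consequence, although the unchanged bullet just above it says `tailscale.mode: "funnel"` refuses to start unless auth mode is `password`. If the missing identity headers are the reason funnel mode insists on `password` auth, say so in this bullet or link it to the Auth section, so readers do not treat the two modes as equivalent for authentication. Two smaller points in the same hunk: "Funnel only supports ports `443`, `8443`, and `10000` over TLS" does not say whether this limits the public Funnel listener or the gateway's own local port, and "a funnel node attribute" gives no pointer to where that attribute is set.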