Tailscale Funnel exposes a service running on a Tailscale device to the public internet. It gives you a URL under your tailnet domain and routes public traffic through Tailscale’s relay path to the local resource.
That makes Funnel a strong option when you already use Tailscale and want public access tied to a tailnet. It can also be overkill when the job is a 30 minute client review of a local dev server.
Tailscale Funnel setup and requirements
Tailscale’s official docs list several requirements for Funnel. You need Tailscale v1.38.3 or later, MagicDNS enabled, HTTPS enabled for the tailnet, valid HTTPS certificates, and a Funnel node attribute in the tailnet policy file. Funnel is also listed as beta in the docs validated in January 2026.
The basic command can look small:
tailscale funnel 3000The setup behind it has more context. The command can open an approval flow, create HTTPS certificates, and update the tailnet policy file. Admin roles and access controls matter because Funnel makes a local service reachable from the broader internet, not only from devices inside the tailnet.
Funnel also has limits. Tailscale documents that Funnel can only use DNS names in your tailnet domain, only listens on ports 443, 8443, and 10000, only works over TLS-encrypted connections, and has non-configurable bandwidth limits. On macOS, some file and directory sharing paths depend on the Tailscale client variant.
None of that makes Funnel bad. It means Funnel belongs to the Tailscale network model. If that model fits your team, Funnel gives you a controlled way to publish a service from a node.
How Tailscale Funnel works
Funnel starts with a device in your tailnet. When you expose a local resource, Tailscale creates a unique Funnel URL under the tailnet domain. A public requester opens that URL. Tailscale relay infrastructure receives the request and establishes a TCP proxy to the device.
The important product decision: Funnel connects public access to your Tailscale identity, device, DNS, and policy setup. That creates a sensible model for teams that already use Tailscale for secure networking.
Use cases include:
- Sharing a local web service from a trusted machine.
- Exposing a personal tool from a tailnet node.
- Testing public access to a service before a longer-term deployment.
- Giving external users access to something that lives behind your network.
Funnel fits better when the service and device identity matter. If you want a throwaway browser link for a reviewer, you may want a tool whose default unit is a review session, not a device on a mesh network.
Where Tailscale Funnel is a strong fit
Choose Tailscale Funnel when your team already uses Tailscale and the public URL should connect to a known tailnet device.
Funnel has clear strengths:
- It builds on an existing Tailscale account and tailnet.
- It keeps device identity and tailnet DNS in the workflow.
- It supports public access without making the reviewer join the tailnet.
- It uses TLS and hides the local device IP behind the relay path.
The admin and policy pieces help organizations. They also add ceremony for quick developer previews. A one-off client review often has different needs: no account setup for the developer, no policy edit, no persistent tailnet context, and a clear link expiry.
When to use a Tailscale Funnel alternative
Use a Tailscale Funnel alternative when your job starts with a local dev server and a reviewer, not with a tailnet.
wiremaven creates temporary encrypted public links for local dev servers. Your machine connects to an outbound-only WebSocket relay. The reviewer gets a browser link. You see viewer joins, request status, failures, and the remaining TTL.
npx wiremaven-cli 3000 --expires 30m --name client-reviewDuring beta, wiremaven does not require an account. You can choose 15, 30, or 60 minute review windows. That works well for agencies, founders, and product teams that need to show a local build without configuring a persistent network service.
| Workflow | Better fit | Why |
|---|---|---|
| Tailnet-based public service | Tailscale Funnel | Uses Tailscale identity, DNS, and policy controls |
| Client review of localhost | wiremaven | Short TTL, no account during beta, session signals |
| Webhook development | ngrok or a webhook tool | Broad provider docs and callback examples |
| Durable private service access | Tailscale Serve or VPN | Keeps access inside a trusted network |
Pricing and limits change across vendors. Check current vendor pricing before you standardize on a tunnel workflow.
Review workflow checklist
Before you pick Funnel or an alternative, name the review constraints.
- Does the reviewer need a public browser link or private network access?
- Do you need the link to expire after the call?
- Do you need to see request failures during the session?
- Does your team already run Tailscale with MagicDNS and tailnet policies?
- Will this service stay available after the review?
If the answer centers on device access, Funnel may fit. If the answer centers on a short feedback loop for a local build, a review-focused tunnel will feel lighter.
For wiremaven setup, use the docs. For the outbound relay flow, see how wiremaven works.
FAQ
What is Tailscale Funnel?
Tailscale Funnel exposes a local service on a Tailscale device to the public internet through a URL under your tailnet domain.
Does Tailscale Funnel require a Tailscale account?
Yes. Funnel builds on Tailscale’s account, tailnet, device, DNS, and policy model.
Is Tailscale Funnel good for client demos?
It can work, especially if your team already uses Tailscale. For a short local review link with viewer and request signals, use a review-focused tunnel such as wiremaven.
What ports can Tailscale Funnel listen on?
Tailscale’s docs list 443, 8443, and 10000. Check the official docs before relying on those limits in production planning.
Try a short review link
For a local app on port 3000, create a 30 minute link:
npx wiremaven-cli 3000 --expires 30m --name tailscale-alternativeRelated: 7 ngrok Alternatives for Developers in 2026 | What Is a Localhost Tunnel? | ngrok vs. localtunnel vs. wiremaven