1. Overview
Tailscale is a zero-configuration VPN built on the WireGuard protocol. It creates a private mesh network (called a tailnet) between devices, enabling direct peer-to-peer communication with end-to-end encryption, without requiring any open ports or complex firewall rules.
By default, each Tailscale account (identified by a login provider such as Google, Microsoft, or GitHub) forms its own isolated tailnet. Devices from different accounts cannot see each other without explicit configuration.
This document explains the method to connect two computers that belong to different Tailscale users, so that each machine appears on the other’s network:
Key concepts
| Term | Description |
|---|---|
| tailnet | The private network formed by all devices on a single Tailscale account. |
| Tailscale IP | A stable 100.x.x.x address assigned to each device, permanent across sessions. |
| MagicDNS | Tailscale’s built-in DNS; lets you reach devices by hostname (e.g. pc-name.tail…). |
| Node sharing | Feature that adds a specific device from one tailnet into another user’s tailnet. |
| ACL / Policy | Access Control List: JSON rules that define which devices can talk to which. |
2. Prerequisites
Both users must complete the following steps independently before proceeding with any sharing configuration.
2.1 Create a Tailscale Account
Each user navigates to https://tailscale.com and signs up using one of the supported identity providers (Google, Microsoft, GitHub, Apple, or custom OIDC). A free Personal plan supports up to 3 users and 100 devices, which is sufficient for this scenario.
2.2 Install the Tailscale Client
Install the client appropriate for each computer’s operating system:
| OS | Installation method | Notes |
|---|---|---|
| Windows | Download installer from tailscale.com/download | Runs as a system service |
| macOS | App Store or tailscale.com/download | Requires system extension approval |
| Linux (deb) | curl -fsSL https://pkgs.tailscale.com/stable/ ubuntu/focal.gpg │ sudo apt-key add – | Official repo available |
| Linux (rpm) | sudo yum install tailscale (after adding repo) | RHEL/Fedora/CentOS |
Note: The computer to run Maemuki Bridge must use Windows
2.3 Authenticate and Connect
After installation, each user authenticates their device:
- Windows / macOS: click the Tailscale icon in the system tray or menu bar and select Log in.
- Linux: run the following command in a terminal and open the displayed URL in a browser:
sudo tailscale up
Once authenticated, the device appears in the user’s admin console at https://login.tailscale.com/admin/machines and receives a stable 100.x.x.x Tailscale IP address.
Tip: Verify connectivity within each tailnet before proceeding. Run tailscale status in a terminal to see the assigned IP and confirm the device is online.
3. Tailscale Node Sharing
Node sharing is the simplest and most targeted approach. User A shares their computer with User B’s tailnet. The shared device appears in User B’s device list with a special badge, and User B can reach it by its Tailscale IP or MagicDNS hostname. No VPN exit node or routing changes are required.
This method is asymmetric by default: User A shares with User B. To make the connection bidirectional (each user can reach the other’s computer), both users must share their respective devices.
3.1 User A: Share a Device
User A performs the following steps in the Tailscale admin console:
- Open the admin console: https://login.tailscale.com/admin/machines
- Locate the device to be shared in the Machines list.
- Click the three-dot menu (⋮) on that device row and select Share.
- In the Share dialog, enter User B’s email address (the one associated with their Tailscale account).
- Click Send invite. Tailscale sends an email to User B with an acceptance link.
**Note: **The invitation expires after 7 days if not accepted. A new invite can be sent at any time.
3.2 User B: Accept the Shared Device
User B performs the following steps:
- Open the invitation email from Tailscale and click the acceptance link.
- Log in to the Tailscale console if prompted.
- The shared device now appears in User B’s Machines list, marked with a Shared badge.
- Run tailscale status on User B’s machine to confirm the shared device is visible:
tailscale status
The output lists all reachable devices including the newly shared one. User B can now reach User A’s machine using its Tailscale IP (100.x.x.x) or its MagicDNS name.
3.3 Verify Connectivity
From User B’s terminal, test reachability of User A’s shared device:
# Replace 100.x.x.x with User A's device Tailscale IP
ping 100.x.x.x
# Or using MagicDNS hostname (if MagicDNS is enabled)
ping hostname-of-user-a-machineA successful ping confirms the cross-account connection is established. Application-level connectivity (RDP, SSH, HTTP, etc.) can be tested on the specific ports used by those services.
Bidirectional sharing: For User A to also reach User B’s computer, User B must perform the same sharing procedure (steps 3.1–3.2) in reverse, sharing their own device with User A.
4. Troubleshooting
The following table lists common problems encountered when connecting devices across different Tailscale accounts, along with their causes and solutions.
| Symptom | Likely cause | Solution |
|---|---|---|
| Shared device not visible after accepting invite | Tailscale daemon not running on the shared device | Ensure tailscale up is running. Check systemctl status tailscaled on Linux. |
| ping succeeds but application connection fails | OS-level firewall blocking the port | Open the specific port in Windows Firewall, macOS Application Firewall, or iptables/ufw on Linux. |
| tailscale status shows device as offline | Authentication expired or key rotation required | Run tailscale up again on the affected device to re-authenticate. |
| MagicDNS name does not resolve | MagicDNS not enabled in the tailnet settings | Enable MagicDNS in the admin console under DNS settings. |
| Double-NAT or CGNAT preventing direct connection | ISP uses carrier-grade NAT | Tailscale automatically uses DERP relay servers as fallback. Performance may be reduced but connectivity is maintained. |
4.1 Useful Diagnostic Commands
| Command | Purpose |
|---|---|
| tailscale status | List all reachable nodes and their online/offline state. |
| tailscale ping 100.x.x.x | Test latency and path to a specific Tailscale peer. |
| tailscale netcheck | Diagnose NAT type, DERP latency, and UDP availability. |
| tailscale ip -4 | Display the local device’s Tailscale IPv4 address. |
| tailscale bugreport | Generate a diagnostic report to share with Tailscale support. |
5. Summary
The following checklist summarizes all the steps required to establish a bidirectional connection between two computers belonging to different Tailscale users.
5.1 Quick-Reference Checklist
| # | Who | Step |
|---|---|---|
| 1 | Both users | Create a Tailscale account at tailscale.com. |
| 2 | Both users | Install the Tailscale client on their computer. |
| 3 | Both users | Authenticate with tailscale up and verify the device appears in the admin console. |
| 4 | User A | Go to admin console → Machines → Share → enter User B’s email → Send invite. |
| 5 | User B | Accept the invitation from the email link. |
| 6 | User B | Verify the shared device appears in tailscale status. |
| 7 | User B | To share reciprocally: repeat steps 4–6 with roles reversed. |
| 8 | Optional | Enable subnet routes if full LAN access is needed (Section 4). |
| 9 | Optional | Restrict access with ACL rules in the admin console (Section 5). |
| 10 | Both users | Test application connectivity (SSH, RDP, HTTP) using Tailscale IPs. |
5.2 Additional Resources
- Official documentation: https://tailscale.com/kb
- Node sharing guide: https://tailscale.com/kb/1084/sharing
- MagicDNS: https://tailscale.com/kb/1081/magicdns
For enterprise deployments with more than two users, consider Tailscale’s Business or Enterprise plans.