Tailscale + SSH on mobile, the short version
Tailscale puts your phone and your servers on one private network (a "tailnet"), each with a stable private IP, so you can SSH to a box from anywhere without forwarding ports or exposing SSH to the internet. There are two related things people mean by "Tailscale SSH":
- SSH over Tailscale — you reach the server's private tailnet IP and log in with your normal SSH key. This is what you do from a mobile SSH client, and it's the common case.
- Tailscale SSH (the feature) — a server-side option (tailscale up --ssh) where Tailscale itself authenticates SSH between your tailnet nodes using your identity and ACLs, so you don't manage keys for those connections.
This guide sets up both from a phone.
Step 1 — Get your phone and servers on the tailnet
- Install Tailscale on each server and sign in (tailscale up). Each gets a 100.x private IP and a MagicDNS name.
- Put your phone on the tailnet. Either install the Tailscale app, or use a client with it built in — TermAI has Tailscale embedded, so the phone joins the tailnet without a second app. See Tailscale on iPhone.
Step 2 — SSH over the tailnet
Now add a connection in your SSH client that uses the server's tailnet IP (or MagicDNS name) instead of a public address, along with port 22, your username, and your key. Because the tailnet is private and always-on, the box is reachable from cellular or any Wi-Fi — and nothing is exposed to the public internet.
Step 3 (optional) — Turn on Tailscale SSH on the server
If you want Tailscale to handle SSH auth between your own devices, enable the feature on the server:
sudo tailscale up --ssh
Now connections from your tailnet (governed by your ACLs) are authenticated by Tailscale identity rather than a key you manage. You control who can SSH to what in the tailnet policy file — for example, allow your user to reach the prod tag:
// tailnet policy (ACL) — example
{
  "ssh": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["tag:prod"],
      "users": ["root", "autogroup:nonroot"]
    }
  ]
}
Note: Tailscale SSH authenticates by tailnet identity. A third-party mobile SSH client still presents your SSH key over the tunnel; the Tailscale SSH feature shines for keyless access between Tailscale-aware endpoints and for centralizing access rules in ACLs.
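A small audit of the ssh section of a policy like the one above, as an added example (not Tailscale's or TermAI's code): it flags rules that accept root without re-authentication or that open tagged hosts to every tailnet member. The second rule, group:sre and the deploy account are constructed for contrast, and the loader only handles whole-line // comments and trailing commas.

```python
import json
import re

# Constructed sample: the rule from this guide, plus a tighter rule for contrast.
SAMPLE_POLICY = """
// tailnet policy (ACL), constructed sample
{
  "ssh": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["tag:prod"],
      "users": ["root", "autogroup:nonroot"]
    },
    {"action": "check", "src": ["group:sre"], "dst": ["tag:prod"], "users": ["deploy"],},
  ]
}
"""

def load_policy(text):
    """Parse a policy file, tolerating whole-line // comments and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)  # naive: assumes no ',}' inside strings
    return json.loads(text)

def audit_ssh_rules(policy):
    """Return (rule_index, finding) pairs for SSH rules that deserve a second look."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        action = rule.get("action")
        src = set(rule.get("src", []))
        dst = rule.get("dst", [])
        users = set(rule.get("users", []))
        # "accept" never re-prompts; "check" forces periodic re-authentication.
        if "root" in users and action == "accept":
            findings.append((i, "root accepted without re-authentication; consider action 'check'"))
        if "autogroup:member" in src and any(d.startswith("tag:") for d in dst):
            findings.append((i, "every tailnet member can reach tagged hosts; narrow src to a group"))
        if "autogroup:nonroot" in users:
            findings.append((i, "any non-root local account is allowed; list accounts explicitly"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit_ssh_rules(load_policy(SAMPLE_POLICY)):
        print(f"ssh rule {idx}: {msg}")
```

Run it against an exported copy of the policy before saving changes; the guide's example rule produces all three findings, the contrast rule none.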
Doing it from a phone with less typing
Setting tailscale up --ssh or editing ACLs is easy to fat-finger on a phone. Describe what you want to TermAI's assistant — "enable Tailscale SSH on this host" — and review the command before running it. It's grounded in the box you're connected to, so it gives the right command for that distro.
FAQ
What's the difference between Tailscale SSH and SSH over Tailscale?
SSH over Tailscale means reaching a server's private IP and logging in with your normal SSH key. Tailscale SSH (--ssh) is a feature where Tailscale authenticates SSH between your tailnet nodes via identity and ACLs, so you don't manage keys for those connections.
Do I need to open port 22 to use SSH with Tailscale?
No — that's the point. The server is reachable on its private tailnet address, so you can keep port 22 closed to the public internet.
Can I use Tailscale SSH from an iPhone or Android?
You can SSH over the tailnet from any mobile client (TermAI has Tailscale built in). For the --ssh identity feature itself, the strongest experience is between Tailscale-aware endpoints; from a third-party client you still present your key over the tunnel.
Quick Facts
- SSH over Tailscale: reach the private tailnet IP + your key — no port forwarding (the mobile default)
- Tailscale SSH (tailscale up --ssh): Tailscale authenticates SSH between tailnet nodes via ACLs
- Phone setup: join the tailnet (Tailscale app or TermAI's built-in), then SSH to the private IP
- Security win: keep port 22 closed to the public internet
Free on iOS and Android. 5 AI requests/day on the free tier, plus unlimited SSH/SFTP and built-in Tailscale.