beaconDocs
Networking & Access

Tailscale

Reach the dashboard privately over your tailnet — the default ingress, with no open ports.

Tailscale is Beacon's default way to reach the operator dashboard. It puts the dashboard on your private Tailscale network (tailnet) at https://mc.<tailnet>.ts.net, with TLS handled for you and no extra ports opened on the host. The Minecraft game port stays public for players; only the dashboard is private.

Why Tailscale is the default

  • Nothing to expose. The dashboard never gets a public port — only devices on your tailnet can reach it.
  • No TLS to manage. Tailscale provisions the ts.net certificate.
  • No domain required. You get a working HTTPS hostname immediately.
  • Multi-beacon friendly. Each beacon gets its own tailnet hostname and isolated sidecar, so several beacons coexist on one host with zero ingress config.

It's the right choice when the dashboard is for you and a few trusted admins. If admins need browser access without joining your tailnet, use a custom domain instead.

Set it up

Create a tailnet and an auth key

Sign up at tailscale.com (the free tier is plenty), then generate an auth key — follow Tailscale's auth keys guide. A reusable, pre-authorized key is the easiest fit for a server.

Choose Tailscale mode during setup

In the beacon wizard, pick Tailscale at the Mode step and paste the auth key. Or scripted:

beacon create --yes \
  --mode tailscale \
  --app-url https://mc.<tailnet>.ts.net \
  --tailscale-auth-key tskey-... \
  --mc-image itzg/minecraft-server:java25 \
  --mc-version 26.1.2

The CLI brings up a Tailscale sidecar that joins your tailnet and serves the dashboard.

Reach the dashboard

Install Tailscale on your own devices and sign into the same tailnet. Then open https://mc.<tailnet>.ts.net — or just run beacon open. Anyone you want in the dashboard installs Tailscale and joins the tailnet; share access with their Tailscale account.

Serve vs Funnel

Beacon serves the dashboard with Tailscale Serve by default and can optionally expose it publicly with Funnel:

  • Serve (default) — the dashboard is reachable only by devices on your tailnet. This is the private, recommended posture.
  • Funnel — optionally exposes the dashboard to the public internet over the same ts.net hostname. Only enable this if you specifically want public browser access without a custom domain; for a public domain with TLS, the custom-domain path is cleaner.

Troubleshooting

beacon logs tailscale      # sidecar join / serve status
beacon status              # overall stack health
  • Dashboard unreachable — confirm your own device is signed into the same tailnet and the node appears in the Tailscale admin console.
  • Auth key rejected — keys can expire or be single-use; generate a fresh reusable key and beacon restart.
  • Players can't connect — that's the Minecraft port, not Tailscale. Players use the public host:25565; check the firewall in Ports & Access.

Ports & Access

What a beacon exposes, how players and admins reach it, and how to open the firewall safely.

Custom Domain & TLS

Serve the dashboard at your own domain with automatic HTTPS, and give players a friendly address.

On this page

Why Tailscale is the defaultSet it upCreate a tailnet and an auth keyChoose Tailscale mode during setupReach the dashboardServe vs FunnelTroubleshooting