
Tailscale on Windows Host (Recommended Approach)

Overview

Tailscale is already installed as a Windows app on the remote PC. This is the officially recommended configuration. WSL2's SSH port is exposed through the Windows Tailscale IP via port forwarding or mirrored networking.

How It Works

  1. Windows Tailscale assigns the PC a Tailscale IP (e.g., 100.64.x.x).
  2. SSH traffic from your home machine reaches port 22 on that Tailscale IP.
  3. The traffic is routed into WSL2 where sshd is listening.

The routing from Windows to WSL2 depends on the networking mode:

With Mirrored Networking

In mirrored networking mode, WSL2 shares the host's network interfaces. Ports bound inside WSL2 are automatically accessible on all host IPs, including the Tailscale IP.

No netsh portproxy needed. Just configure the Hyper-V firewall.

See networking.md for setup.

With NAT Networking (Default)

WSL2 gets its own private IP (172.x.x.x). You need netsh interface portproxy to forward traffic from the Windows Tailscale IP to WSL2's internal IP.

See port-forwarding.md for setup.

Tailscale SSH Feature

Tailscale offers a "Tailscale SSH" feature that replaces OpenSSH entirely, but it is not supported on Windows (as of early 2026). You must use traditional OpenSSH inside WSL2.

Connecting from Home

ssh -i ~/.ssh/wsl_ubuntu admin@<tailscale-ip-of-windows-pc>

Or with the SSH config from key-auth.md:

ssh wsl-dev

Verifying Tailscale IP

On the Windows PC (PowerShell):

tailscale ip -4

Or check the Tailscale admin console at https://login.tailscale.com/admin/machines.

Firewall

Restrict the Windows Firewall inbound rule for port 22 to Tailscale's CGNAT range:

New-NetFirewallRule -DisplayName "WSL2 SSH via Tailscale" `
    -Direction Inbound -Protocol TCP -LocalPort 22 `
    -Action Allow -RemoteAddress 100.64.0.0/10

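This limits the rule to source addresses in Tailscale's range, so only tailnet machines can reach SSH through it. Any other enabled inbound rule that allows port 22 still applies. See firewall.md.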
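
To confirm that the rule above is the only way in, the following audit lists every enabled inbound allow rule in Windows Firewall that covers TCP port 22 and marks whether it is limited to the Tailscale range. It is an added example, not part of the original guide; the helper name Test-PortMatch and the output column names are assumptions made for illustration, and it does not inspect Hyper-V firewall rules used in mirrored mode.

```powershell
# Added example: audit inbound allow rules that cover TCP 22.
# Run in an elevated PowerShell session on the Windows host.
$port = 22
# The same range in CIDR and in subnet-mask notation, since the stored
# form of RemoteAddress can differ from what was typed.
$tailnetForms = '100.64.0.0/10', '100.64.0.0/255.192.0.0'

# Hypothetical helper: does a rule's LocalPort list include $Port?
function Test-PortMatch {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -eq "$Port") {
            return $true
        }
    }
    return $false
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin 'TCP', '6', 'Any') { continue }
    if (-not (Test-PortMatch -LocalPort $portFilter.LocalPort -Port $port)) { continue }

    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    # A rule is tailnet-only when every remote entry is the Tailscale range.
    $outside = @($remote | Where-Object { $_ -notin $tailnetForms })

    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = $remote -join ','
        TailnetOnly   = ($outside.Count -eq 0)
    }
}

$findings | Sort-Object TailnetOnly | Format-Table -AutoSize
```

Rows with TailnetOnly set to False are rules that admit port 22 traffic from outside 100.64.0.0/10 and should be reviewed, narrowed, or disabled.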