Access Local Web Apps Securely with Tailscale

You’re deep in a feature build. Your designer needs to review it on their machine. Your options: push a half-finished branch to a staging server, wrestle with port forwarding, or fire up ngrok and hope the tunnel stays alive. None of these feel right.

Tailscale offers a cleaner path. This article covers how to use Tailscale Serve to securely access local web apps across devices and teammates — without opening firewall ports or configuring reverse proxies.

Key Takeaways

  • A tailnet gives every device a stable, encrypted connection over WireGuard — no static IPs, VPN configs, or firewall rules needed.
  • Tailscale Serve exposes a local dev server to your tailnet with automatic HTTPS, stable hostnames, and zero open ports.
  • Tailscale Funnel extends that access to the public internet when you need to share with people outside your tailnet.
  • The entire workflow replaces staging deploys, port forwarding, and tunnel tools for most internal review scenarios.

What Is a Tailnet and Why It Matters for Local Development

When you install Tailscale on your devices, they join a private encrypted network called a tailnet. Every device gets a stable IP address and a DNS hostname that works consistently regardless of which Wi-Fi network you’re on.

This is the foundation. Your laptop at a coffee shop and your desktop at home are on the same tailnet — and they can reach each other directly over an encrypted WireGuard tunnel. No static IPs, no VPN configuration, no firewall rules.

Tailscale Serve: The Right Tool for Secure Local Development Servers

Tailscale Serve exposes a local service — say, a dev server running on localhost:3000 — to other devices inside your tailnet. It’s the right tool when your audience is your team, not the public internet.

To share a local web app with your teammates, run:

tailscale serve 3000

That’s it. Tailscale automatically provisions an HTTPS certificate via MagicDNS and makes your app available at a stable URL like:

https://your-device-name.your-tailnet.ts.net

Any teammate with Tailscale installed and the right access permissions can open that URL from anywhere — a different city, a different network — and reach your local dev server directly.

What Serve Handles for You

  • Automatic HTTPS — Tailscale manages TLS certificates. No self-signed cert warnings.
  • Stable hostname — The URL doesn’t change between sessions.
  • No open ports — Your local service binds to localhost. Nothing is exposed to the public internet.
  • Identity propagation — Tailscale can forward the authenticated user’s identity to your backend via request headers (Tailscale-User-Login, Tailscale-User-Name), which is useful for lightweight access control in dev environments.

For security, keep your dev server bound to localhost (the default for most frameworks). Tailscale Serve acts as the secure proxy layer — your app never needs to listen on a public interface.
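An added example (not from the original article or from Tailscale): a minimal Python backend that binds to loopback and gates access on the Tailscale-User-Login header described above. The allowlist, the port and the function names are assumptions made for illustration.

```python
"""Added example: dev backend gated on Tailscale Serve identity headers."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: constructed allowlist of tailnet logins allowed to see the preview.
ALLOWED_LOGINS = {"designer@example.com", "dev@example.com"}
LOOPBACK = {"127.0.0.1", "::1"}


def authorize(peer_ip, headers):
    """Return (status, message) for a request, given its TCP peer and headers."""
    # The Serve proxy connects over loopback. A request from any other peer
    # could carry a forged Tailscale-User-Login header, so refuse it outright.
    # Note: other local processes can also reach loopback, so this is
    # lightweight access control for dev use, not a hard boundary.
    if peer_ip not in LOOPBACK:
        return 403, "not via local proxy"
    login = (headers.get("Tailscale-User-Login") or "").strip().lower()
    if not login:
        # Header missing: nothing vouches for the caller, so fail closed.
        return 401, "no tailnet identity"
    if login not in ALLOWED_LOGINS:
        return 403, f"{login} not allowed"
    name = headers.get("Tailscale-User-Name") or login
    return 200, f"hello {name}"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, message = authorize(self.client_address[0], self.headers)
        body = (message + "\n").encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only, then run `tailscale serve 3000` alongside it.
    HTTPServer(("127.0.0.1", 3000), Handler).serve_forever()
```

Opening http://localhost:3000 directly on the host returns 401, because no proxy has attached an identity to that request.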

Tailscale Serve vs Funnel: Knowing the Difference

This distinction matters and is worth being explicit about.

| | Tailscale Serve | Tailscale Funnel |
| --- | --- | --- |
| Who can access it | Tailnet members only | Anyone on the public internet |
| Use case | Team collaboration, internal review | Client demos, webhook testing |
| HTTPS | Yes (MagicDNS) | Yes |
| Requires Tailscale on viewer’s device | Yes | No |

Use Serve when sharing with teammates who already have Tailscale. Use Tailscale Funnel when you need someone outside your tailnet — a client, a stakeholder, a webhook provider — to reach your local service.

To expose your app publicly with Funnel:

tailscale funnel 3000

The URL format is the same, but traffic is now routable from the open internet. Use this deliberately and only when necessary.

Real-World Scenarios Where This Workflow Shines

  • Responsive design review — Share a Next.js dev server with a designer on a different network without deploying anything.
  • Remote pair programming — A teammate opens your local app in their browser while you code.
  • Stakeholder previews — Use Funnel for a time-limited demo link without spinning up a staging environment.
  • Mobile testing — Access your localhost dev server from your phone, which is also on your tailnet.

Getting Started

  1. Download and install Tailscale on each device.
  2. Sign in and ensure MagicDNS is enabled in your admin console.
  3. Start your dev server on localhost:3000 (or any port).
  4. Run tailscale serve 3000 on the host machine.
  5. Open the provided https:// URL on any other tailnet device.

To stop serving, run:

tailscale serve reset

Conclusion

Tailscale Serve removes the friction from sharing local development work. Your team gets a stable, encrypted HTTPS link. Your service stays on localhost. You skip the staging server entirely for internal reviews. When you genuinely need public access, Funnel is one command away. The entire setup takes minutes and requires no infrastructure changes — just install Tailscale, run a single command, and share the URL.

FAQs

Yes. Tailscale Serve only exposes your local service to authenticated members of your tailnet over an encrypted WireGuard connection. Your dev server stays bound to localhost and is never reachable from the public internet. Access is governed by your tailnet's access controls (such as grants or ACL policies), so only authorized teammates can connect.

Absolutely. Tailscale Serve works with any local service that listens on a TCP port. Whether you are running a React dev server, a Django app, a Rails server, or a plain static file server, you just point Tailscale Serve at the correct port number and it handles the rest.

The served URL becomes unreachable because the underlying dev server and Tailscale process are no longer active. Tailscale Serve does not keep your app running independently. When you reopen your laptop and restart your dev server, running tailscale serve again restores access at the same stable URL.

Availability depends on the plan used by your tailnet. Tailscale offers a free Personal plan with limited users and devices, while teams and organizations may require a different plan depending on how the tailnet is configured.
