Reach your Mac from any network in the world. Control its desktop, use its terminal, and hit any service on it, all over a private encrypted connection. No router config, no port forwarding.
This guide uses a headless Mac Mini (no monitor attached) as the running example, since that's the trickiest case. Everything applies equally to any Mac, MacBook, iMac, or Studio.
Three layers that stack on top of each other:
| Layer | Tool | What it gives you |
|---|---|---|
| Network | Tailscale | Makes your Mac reachable from anywhere, privately, without touching your router |
| Terminal | SSH | Command-line access (built into macOS) |
| Desktop | Screen Sharing | See and control the screen with mouse and keyboard (built into macOS) |
Those relay apps route your screen through a third party's servers. Tailscale builds a direct, encrypted tunnel between your own devices. The company can't see your traffic. It's also not limited to screen sharing: once your Mac is on the Tailscale network, every service on it (SSH, file transfer, a local web server, a database, a local AI model) becomes reachable as if you were sitting at home. One setup, everything works.
The honest tradeoff: relay apps need zero setup but give you less and route through someone else. Tailscale needs ~20 minutes once, then it's invisible.
You'll need:
Replace these with your real values:
<TAILSCALE_IP> → your Mac's Tailscale address, looks like 100.x.x.x
<MACHINE_NAME> → your Mac's Tailscale name, looks like your-mac-mini
<USERNAME> → your macOS short username (e.g. john, not "John Smith")
Pick one install method:
App Store (simplest): Search "Tailscale", install, open it from Applications.
Homebrew (if you use it):
brew install --cask tailscale
A small Tailscale icon appears in the menu bar (top-right of the screen).
100.x.x.x address.
That 100.x.x.x is your <TAILSCALE_IP>. Note it down (it's always visible in the Tailscale menu).
<USERNAME>.
macOS has two similar features: Screen Sharing (simple, what you want) and Remote Management (the older Apple Remote Desktop service). They conflict. If Remote Management is on, Screen Sharing misbehaves and you'll get "wrong password" or guest-approval prompts. Use Screen Sharing only. If you've already enabled Remote Management, see Troubleshooting.
A sleeping Mac won't answer. While you're here:
For a headless Mac, also consider the caffeinate command or the Amphetamine app as a backup.
If your Mac reboots and sits at the login screen, Screen Sharing can fall back to a "guest approval" prompt that nobody's there to approve. Prevent it:
💡 If this option is greyed out, it's because FileVault disk encryption is on (FileVault blocks auto-login by design). Either disable FileVault, or always reconnect after reboots manually.
On the laptop/phone you'll connect from:
100.x.x.x address.
Seeing the host in this list means the two devices can reach each other. Now we test.
This is the fastest test and proves the whole link works.
<TAILSCALE_IP> from the Tailscale menu.
ssh <USERNAME>@<TAILSCALE_IP>
yes, Enter.
⌨️ The password shows nothing as you type, no dots or stars. That's normal Terminal behavior. Type it and press Enter.
If the prompt changes to show the host's name, you're in. Confirm with:
hostname
Tip: You can use the machine name instead of the number: ssh <USERNAME>@<MACHINE_NAME>
vnc://<TAILSCALE_IP>
<USERNAME> + login password).
The host's desktop opens in a window. You're controlling it remotely.
From a phone or tablet: install a VNC client (or a polished app like Jump Desktop or Screens) and point it at <TAILSCALE_IP>.
This is where Tailscale pays off. Anything listening on the Mac is now reachable from your devices.
A service already listening on all interfaces (bound to 0.0.0.0 or *) works immediately:
http://<TAILSCALE_IP>:<PORT>
A service bound to localhost only (127.0.0.1) works on the Mac but refuses
remote connections. Two fixes:
0.0.0.0 (check its docs). Less secure: it's then open to everything on your tailnet.
tailscale serve --bg <PORT>
If tailscale isn't found (common with the App Store version), use the full path:
/Applications/Tailscale.app/Contents/MacOS/Tailscale serve --bg <PORT>
Check the resulting URL:
tailscale serve status
You'll get a clean https://<MACHINE_NAME>.<your-tailnet>.ts.net/ address that proxies to
your local port. The app stays locked to localhost (more secure), and only your tailnet can reach it.
This survives reboots thanks to --bg. To turn it off:
tailscale serve --https=443 off
🔍 Find what's listening on your Mac (run on the host):
sudo lsof -iTCP -sTCP:LISTEN -n -P
Look at the address column: 127.0.0.1:PORT = localhost only;
*:PORT or 0.0.0.0:PORT = reachable on the network.
Once set up, from any network:
| To do this | Run / open |
|---|---|
| Terminal | ssh <USERNAME>@<TAILSCALE_IP> |
| Desktop | vnc://<TAILSCALE_IP> in Finder (Cmd+K) |
| A web service | http://<TAILSCALE_IP>:<PORT> |
| Via Tailscale Serve | https://<MACHINE_NAME>.<your-tailnet>.ts.net/ |
You can swap <TAILSCALE_IP> for <MACHINE_NAME> anywhere; both work.
Yes. The Personal plan is free and supports up to 6 users with unlimited devices, far more than a personal setup needs. Tailscale Serve is included.
No. That's the entire point of Tailscale. It handles connectivity without any port forwarding or firewall changes.
Almost always. When a direct connection can't be made, Tailscale falls back to its encrypted relays automatically. You won't notice beyond slightly higher latency.
Traffic is end-to-end encrypted between your own devices. Tailscale's servers only help your devices find each other; they don't see your data, screen, or keystrokes.
Only devices logged into your Tailscale account can reach it. If you ever add family/teammates to your tailnet (up to 6 users), they could reach shared services unless you restrict access with Tailscale ACLs. For a solo setup, only your devices have access.
SSH (terminal) is lighter and faster; use it for anything command-line. Screen Sharing is for when you need the graphical desktop. Most power users live in SSH and use Screen Sharing as a fallback.
No, if you set up auto-login and used tailscale serve --bg. Tailscale reconnects on boot, Screen Sharing and SSH come back automatically, and auto-login ensures the desktop session is ready for VNC.
You can, but a company domain email may auto-enroll you in a 14-day business trial instead of the free Personal plan. Use a personal Google/email account to stay cleanly on the free tier. Check Tailscale admin console → Billing if unsure.
Tailscale runs on all of them. The networking layer is identical; only the "remote desktop" tool differs (RDP on Windows, VNC/RDP on Linux). SSH works everywhere.
The most common issue, and it usually has nothing to do with your password.
Cause 1 — Remote Management is on instead of Screen Sharing, with a separate VNC password. Remote Management often has its own short "VNC password" that overrides your account login, so your real password gets rejected.
Fix:
<USERNAME> + normal login password.
Cause 2 — Wrong username format. Screen Sharing wants your short username (e.g. john), not your display name. Confirm it on the host:
id -un
Cause 3 — Verify the password is actually correct. Run on the host (you can be SSH'd in):
dscl . -authonly <USERNAME>
Enter the password at the prompt. Silence = correct. An error means it's wrong; reset with sudo passwd <USERNAME>.
VNC falls back to a guest session needing someone physically at the Mac to approve. On a headless machine, nobody's there.
Cause: usually no active desktop session exists (Mac is at the login window), or Remote Management is interfering.
Fix:
tailscale: command not found
The App Store version doesn't always put tailscale on your PATH. Use the full path:
/Applications/Tailscale.app/Contents/MacOS/Tailscale <command>
Or add an alias to your shell profile:
alias tailscale="/Applications/Tailscale.app/Contents/MacOS/Tailscale"
The service is probably bound to 127.0.0.1 (localhost only). Check on the host:
sudo lsof -iTCP -sTCP:LISTEN -n -P | grep <PORT>
If you see 127.0.0.1:<PORT>, either reconfigure the app to bind to 0.0.0.0, or use Tailscale Serve (Part 6) to proxy it.
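The listener check used here, and in the earlier "Find what's listening on your Mac" step, can be scripted. This is an added example, not part of the original guide: it classifies each listening port by bind address from `lsof` output. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify TCP listeners by the address they are bound to.
# Input: output of `sudo lsof -iTCP -sTCP:LISTEN -n -P`. Output: PORT SCOPE COMMAND.

classify_listeners() {
  awk '
    $NF == "(LISTEN)" {
      addr = $(NF-1)                          # e.g. *:22, 127.0.0.1:3000, [::1]:8000
      port = addr; sub(/.*:/, "", port)       # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
      if (host == "*" || host == "0.0.0.0" || host == "[::]")
        scope = "all-interfaces"              # reachable at <TAILSCALE_IP>:<PORT>
      else if (host ~ /^127\./ || host == "[::1]")
        scope = "localhost-only"              # remote access needs tailscale serve
      else
        scope = "specific-address"            # bound to one particular interface
      print port, scope, $1
    }' | sort -u | sort -n
}

# Ports that refuse remote connections until proxied with Serve or rebound.
localhost_only_ports() {
  classify_listeners | awk '$2 == "localhost-only" { print $1 }'
}

# Constructed sample (hypothetical processes), shaped like macOS lsof output.
sample_lsof() {
  cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root    7u  IPv6 0xa1        0t0  TCP *:22 (LISTEN)
launchd     1 root    8u  IPv4 0xa2        0t0  TCP *:22 (LISTEN)
launchd     1 root   11u  IPv4 0xa3        0t0  TCP *:5900 (LISTEN)
node      900 john   23u  IPv4 0xa4        0t0  TCP 127.0.0.1:3000 (LISTEN)
python3   950 john    4u  IPv6 0xa5        0t0  TCP [::1]:8000 (LISTEN)
EOF
}

# Demo on the sample; IPv4/IPv6 duplicates of the same port collapse to one row.
sample_lsof | classify_listeners
```

On the Mac itself, pipe real data in with `sudo lsof -iTCP -sTCP:LISTEN -n -P | classify_listeners`.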
Serve needs MagicDNS and HTTPS certificates enabled. In the Tailscale admin console (login.tailscale.com) → DNS, enable MagicDNS, then enable HTTPS Certificates. Re-run the serve command.
caffeinate -dimsu & over SSH, or install Amphetamine.
With no monitor attached, macOS sometimes renders at a low resolution or won't fully enable the GPU.
Fix: buy a cheap HDMI dummy plug (~$5). It tricks the Mac into thinking a 4K display is connected, restoring proper resolution and performance. Worth it for any headless Mac doing graphical work.
Your setup is private to your own devices by default. As you grow it, keep these in mind:
0.0.0.0. Serve keeps the app on localhost and only exposes it through Tailscale's authenticated layer.
Install Tailscale everywhere (same account) → enable Screen Sharing + Remote Login on the host
(never Remote Management) → prevent sleep + auto-login → connect with ssh
and vnc:// to the Tailscale IP.
Optionally expose services with tailscale serve.