Remote Access to Your Mac From Anywhere (Tailscale + SSH + Screen Sharing)
A complete, no-router-config guide to reaching your Mac (Mini, Studio, iMac, or laptop) from any network in the world. You'll be able to control its desktop, use its terminal, and reach any service running on it, all over a private encrypted connection.
This guide is written for a headless Mac Mini (no monitor attached) as the main example, since that's the trickiest case. Everything applies equally to any Mac.
Skill level: Comfortable copying and pasting Terminal commands. No networking expertise required.
Time: ~20 minutes for first-time setup.
Cost: Free (Tailscale's Personal plan covers this).
What you're building
Three layers that stack on top of each other:
| Layer | Tool | What it gives you |
|---|---|---|
| Network | Tailscale | Makes your Mac reachable from anywhere, privately, without touching your router |
| Terminal | SSH (built into macOS) | Command-line access to the Mac |
| Desktop | Screen Sharing (built into macOS) | See and control the Mac's screen with mouse and keyboard |
Why Tailscale instead of TeamViewer / AnyDesk / Chrome Remote Desktop?
Those relay apps route your screen through a third party's servers. Tailscale builds a direct, encrypted tunnel between your own devices. The company can't see your traffic. It's also not limited to screen sharing: once your Mac is on the Tailscale network, every service on it (SSH, file transfer, a local web server, a database, a local AI model) becomes reachable as if you were sitting at home. One setup, everything works.
The honest tradeoff: relay apps need zero setup but give you less and route through someone else. Tailscale needs ~20 minutes once, then it's invisible.
Before you start
You'll need:
- The Mac you want to reach remotely (the "host").
- A second device you'll connect from (laptop, another Mac, phone, tablet).
- An account to log into Tailscale with (Google, Microsoft, GitHub, or email). You'll use the same account on every device.
Placeholders used in this guide (replace with your real values):
- <TAILSCALE_IP> → your Mac's Tailscale address, looks like 100.x.x.x
- <MACHINE_NAME> → your Mac's Tailscale name, looks like your-mac-mini
- <USERNAME> → your macOS short username (e.g. john, not "John Smith")
Part 1 — Install Tailscale on the Mac (host)
Pick one install method:
App Store (simplest): Search "Tailscale", install, open it from Applications.
Homebrew (if you use it):
brew install --cask tailscale
Then open Tailscale from Applications.
A small Tailscale icon appears in the menu bar (top-right of the screen).
Log in
- Click the Tailscale menu bar icon → Log in.
- Your browser opens. Choose a sign-in method. Remember which one — you'll use the same on every device.
- Authorize when prompted.
- The icon goes solid. Click it: your Mac should show as Connected with a 100.x.x.x address.
That 100.x.x.x is your <TAILSCALE_IP>. Note it down (it's also always visible in the Tailscale menu).
Part 2 — Turn on remote access on the Mac (host)
Enable Screen Sharing and Remote Login
- System Settings → General → Sharing.
- Turn ON:
- Screen Sharing — for desktop control.
- Remote Login — for SSH / terminal access.
- Click the ⓘ next to Remote Login and confirm your user is allowed (usually "All users" or your name). Note the username shown; that's your <USERNAME>.
⚠️ Critical gotcha — do NOT turn on "Remote Management." macOS has two similar features: Screen Sharing (simple, what you want) and Remote Management (the older Apple Remote Desktop service). They conflict. If Remote Management is on, Screen Sharing misbehaves and you'll get "wrong password" or guest-approval prompts. Use Screen Sharing only. See Troubleshooting if you've already got Remote Management on.
Stop the Mac from sleeping
A sleeping Mac won't answer. While you're here:
- System Settings → Battery (or Energy Saver / Lock Screen, depending on macOS version).
- Turn ON "Prevent automatic sleeping when the display is off."
For a headless Mac, also consider the caffeinate command or the Amphetamine app as a backup.
Set up auto-login (headless Macs especially)
If your Mac reboots and sits at the login screen, Screen Sharing can fall back to a "guest approval" prompt that nobody's there to approve. Prevent it:
- System Settings → Users & Groups → Automatically log in as → your user.
If this option is greyed out, it's because FileVault disk encryption is on (FileVault blocks auto-login by design). You'll either disable FileVault or always reconnect after reboots manually.
Part 3 — Install Tailscale on your other device(s)
On the laptop/phone you'll connect from:
- Install Tailscale (App Store, Homebrew, or the iOS/Android app).
- Open it → Log in → use the exact same account as the host.
- Wait for Connected.
- Click the Tailscale icon: you should now see both devices listed, each with a 100.x.x.x address.
Seeing the host in this list means the two devices can reach each other. Now we test.
Part 4 — Connect via SSH (terminal)
This is the fastest test and proves the whole link works.
- Grab the host's <TAILSCALE_IP> from the Tailscale menu.
- Open Terminal and run:
ssh <USERNAME>@<TAILSCALE_IP>
- First time only: it asks "Are you sure you want to continue connecting?" → type yes, Enter.
- Enter the host's login password.
The password shows nothing as you type, no dots or stars. That's normal. Type it and press Enter.
If the prompt changes to show the host's name, you're in. Confirm with:
hostname
Tip: You can use the machine name instead of the number:
ssh <USERNAME>@<MACHINE_NAME>
Part 5 — Connect to the desktop (Screen Sharing)
- On your Mac, open Finder.
- Press Cmd + K (or Finder → Go → Connect to Server).
- Type:
vnc://<TAILSCALE_IP>
- Click Connect.
- Enter the host's username and password (your <USERNAME> + login password).
The host's desktop opens in a window. You're controlling it remotely.
From a phone or tablet: install a VNC client (or a polished app like Jump Desktop or Screens), and point it at <TAILSCALE_IP>.
Part 6 (Optional) — Reach other services on the Mac
This is where Tailscale pays off. Anything listening on the Mac is now reachable from your devices.
A service already listening on all interfaces (bound to 0.0.0.0 or *) works immediately:
http://<TAILSCALE_IP>:<PORT>
A service bound to localhost only (127.0.0.1) works on the Mac but refuses remote connections. Two fixes:
- Reconfigure the app to bind to 0.0.0.0 (check its docs/config). Less secure: it's then open to everything on your tailnet.
- Use Tailscale Serve (recommended): leave the app on localhost and let Tailscale proxy it over HTTPS:
tailscale serve --bg <PORT>
If tailscale isn't found (common with the App Store version), use the full path:
/Applications/Tailscale.app/Contents/MacOS/Tailscale serve --bg <PORT>
Check the resulting URL:
tailscale serve status
You'll get a clean https://<MACHINE_NAME>.<your-tailnet>.ts.net/ address that proxies to your local port. The app stays locked to localhost (more secure), and only your tailnet can reach it. This survives reboots thanks to --bg.
To turn it off:
tailscale serve --https=443 off
Find what's listening on your Mac (run on the host):
sudo lsof -iTCP -sTCP:LISTEN -n -P
Look at the address column: 127.0.0.1:PORT = localhost only; *:PORT or 0.0.0.0:PORT = reachable on the network.
Quick reference
Once set up, from any network:
| To do this | Run / open |
|---|---|
| Terminal | ssh <USERNAME>@<TAILSCALE_IP> |
| Desktop | vnc://<TAILSCALE_IP> in Finder (Cmd+K) |
| A web service | http://<TAILSCALE_IP>:<PORT> |
| Via Tailscale Serve | https://<MACHINE_NAME>.<your-tailnet>.ts.net/ |
You can swap <TAILSCALE_IP> for <MACHINE_NAME> anywhere; both work.
FAQ
Is Tailscale really free for this? Yes. The Personal plan is free and supports up to 6 users with unlimited devices, which is far more than a personal setup needs. Tailscale Serve is included.
Do I need to open ports or configure my router? No. That's the entire point of Tailscale. It handles connectivity without any port forwarding or firewall changes.
Does this work behind strict networks (corporate WiFi, mobile data, hotel WiFi)? Almost always. When a direct connection can't be made, Tailscale falls back to its encrypted relays automatically. You won't notice the difference beyond slightly higher latency.
Is it secure? Can Tailscale see my screen? Traffic is end-to-end encrypted between your own devices. Tailscale's servers only help your devices find each other; they don't see your data, screen, or keystrokes.
Can other people see my Mac? Only devices logged into your Tailscale account can reach it. The Personal plan allows up to 6 users, so if you ever add family/teammates to your tailnet, they could reach shared services unless you restrict access with Tailscale ACLs. For a solo setup, only your devices have access.
SSH vs Screen Sharing, which should I use? SSH (terminal) is lighter and faster; use it for anything command-line. Screen Sharing is for when you need the actual graphical desktop. Most power users live in SSH and use Screen Sharing as a fallback.
Do I have to re-run anything after a reboot? No, if you set up auto-login and used tailscale serve --bg. Tailscale reconnects on boot, Screen Sharing and SSH come back automatically, and auto-login ensures the desktop session is ready for VNC.
Can I use a custom domain / company email to sign up? You can, but signing up with a company domain email may auto-enroll you in a 14-day business trial instead of the free Personal plan. Use a personal Google/email account to stay cleanly on the free tier. Check Tailscale admin console → Billing if unsure.
What about Windows or Linux machines? Tailscale runs on all of them. The networking layer is identical; only the "remote desktop" tool differs (RDP on Windows, VNC/RDP on Linux). SSH works everywhere.
Troubleshooting
"Wrong password" when connecting via Screen Sharing (but SSH works fine)
This is the most common issue and it usually has nothing to do with your password.
Cause 1 — Remote Management is on instead of Screen Sharing, with a separate VNC password. When Remote Management is enabled, it often has its own short "VNC password" that overrides your account login. Your real password gets rejected no matter what.
Fix:
- System Settings → General → Sharing.
- Turn Remote Management OFF.
- Turn Screen Sharing ON (it appears as a separate row once Remote Management is off).
- In Screen Sharing's options, leave any "VNC viewers may control screen with password" option OFF so it uses your normal account login.
- Reconnect with your <USERNAME> + normal login password.
Cause 2 — Wrong username format.
Screen Sharing wants your short username (e.g. john), not your full display name ("John Smith"). It's the same name SSH uses. Confirm it by running this on the host:
id -un
Cause 3 — Verify the password is actually correct. Run on the host (you can be SSH'd in):
dscl . -authonly <USERNAME>
Enter the password at the prompt. Silence = correct. An error means the password is wrong; reset it with:
sudo passwd <USERNAME>
Connecting only as a "guest" / it asks for approval at the Mac
VNC falls back to a guest session that needs someone physically at the Mac to approve. On a headless machine, nobody's there to click it.
Cause: Usually no active desktop session exists (the Mac is sitting at the login window), or Remote Management is interfering.
Fix:
- Make sure Remote Management is off and Screen Sharing is on (see above).
- Set up auto-login (Part 2) so the Mac always boots into a logged-in desktop that VNC can attach to.
- Reboot, then reconnect.
tailscale: command not found
The App Store version doesn't always put tailscale on your PATH. Use the full path:
/Applications/Tailscale.app/Contents/MacOS/Tailscale <command>
Or add an alias to your shell profile:
alias tailscale="/Applications/Tailscale.app/Contents/MacOS/Tailscale"
Can't reach a service even though Tailscale is connected
The service is probably bound to 127.0.0.1 (localhost only). Check on the host:
sudo lsof -iTCP -sTCP:LISTEN -n -P | grep <PORT>
If you see 127.0.0.1:<PORT>, either reconfigure the app to bind to 0.0.0.0, or use Tailscale Serve (Part 6) to proxy it.
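The lsof check from Part 6 and from this troubleshooting entry, as an added example that is not part of the original guide: a shell function that reads the lsof output and labels each listener by who can reach it. A wildcard bind (*:PORT) listens on every interface, so it is reachable from any local network the Mac is on as well as from the tailnet. The function name, the four labels and the sample rows are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets by who can reach them.
# Input:  output of `sudo lsof -iTCP -sTCP:LISTEN -n -P` on stdin.
# Output: one "<exposure> <port> <command>" line per unique listener.
classify_listeners() {
  awk '
    $NF != "(LISTEN)" { next }            # skip the header and non-listening rows
    {
      name = $(NF - 1)                    # e.g. 127.0.0.1:3000, *:22, [::1]:5432
      port = name; sub(/.*:/, "", port)   # text after the last colon
      addr = name; sub(/:[0-9]+$/, "", addr)
      gsub(/^\[|\]$/, "", addr)           # drop IPv6 brackets

      n = split(addr, o, ".")
      if (addr ~ /^127\./ || addr == "::1")
        class = "loopback"                # this Mac only; proxy it with tailscale serve
      else if (addr == "*" || addr == "0.0.0.0" || addr == "::")
        class = "all-interfaces"          # tailnet and any local network the Mac is on
      else if ((n == 4 && o[1] + 0 == 100 && o[2] + 0 >= 64 && o[2] + 0 <= 127) ||
               addr ~ /^fd7a:115c:a1e0:/)
        class = "tailscale-only"          # bound to a Tailscale address (100.64.0.0/10)
      else
        class = "other-interface"         # one specific non-Tailscale address

      key = class " " port " " $1         # IPv4 and IPv6 rows of one service collapse
      if (!seen[key]++) printf "%-16s %-6s %s\n", class, port, $1
    }'
}

# Constructed sample in lsof layout (not captured from a real machine).
SAMPLE='COMMAND  PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     101 root 4u  IPv4 0x01   0t0      TCP  *:22 (LISTEN)
sshd     101 root 5u  IPv6 0x02   0t0      TCP  *:22 (LISTEN)
node     202 john 23u IPv4 0x03   0t0      TCP  127.0.0.1:3000 (LISTEN)
postgres 303 john 7u  IPv6 0x04   0t0      TCP  [::1]:5432 (LISTEN)
python3  404 john 3u  IPv4 0x05   0t0      TCP  100.101.102.103:8000 (LISTEN)
nginx    505 root 6u  IPv4 0x06   0t0      TCP  192.168.1.20:8080 (LISTEN)'

# On the host, feed it live data instead of the sample:
#   sudo lsof -iTCP -sTCP:LISTEN -n -P | classify_listeners
printf '%s\n' "$SAMPLE" | classify_listeners
```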
Tailscale Serve URL shows HTTPS / MagicDNS error
Serve needs MagicDNS and HTTPS certificates enabled for your tailnet. In the Tailscale admin console (login.tailscale.com), go to DNS settings and enable MagicDNS, then enable HTTPS Certificates. Re-run the serve command.
The Mac keeps going to sleep / becomes unreachable
- Confirm "Prevent automatic sleeping when the display is off" is ON (Part 2).
- For stubborn cases on a headless Mac, run caffeinate -dimsu & over SSH, or install Amphetamine.
Headless Mac has a tiny resolution or laggy graphics
With no monitor attached, macOS sometimes renders at a low resolution or won't fully enable the GPU.
Fix: Buy a cheap HDMI dummy plug (~$5). It tricks the Mac into thinking a 4K display is connected, restoring proper resolution and performance. Worth it for any headless Mac doing graphical work.
Connection works at home but not when away
- Confirm both devices show Connected in their Tailscale menus.
- Confirm the device you're connecting from is logged into the same Tailscale account.
- Try the machine name instead of the IP (or vice versa).
- Restart Tailscale on both ends if a device recently changed networks.
A note on security
Your setup is private to your own devices by default. As you grow it, keep these in mind:
- Services on your Mac are reachable by every device on your tailnet. Solo, that's just you. If you add other people (up to 6 on the free plan), use Tailscale ACLs to limit who reaches what.
- Prefer Tailscale Serve over binding services to 0.0.0.0. Serve keeps the app on localhost and only exposes it through Tailscale's authenticated layer.
- Tailscale Funnel exposes a service to the public internet. You almost never need it for personal remote access; don't enable it unless you specifically want a public endpoint (e.g. a webhook).
Setup recap: install Tailscale everywhere (same account) → enable Screen Sharing + Remote Login on the host (never Remote Management) → prevent sleep + auto-login → connect with ssh and vnc:// to the Tailscale IP. Optionally expose services with tailscale serve.