# Remote Access to Your Mac From Anywhere (Tailscale + SSH + Screen Sharing)

A complete, no-router-config guide to reaching your Mac (Mini, Studio, iMac, or laptop) from any network in the world. You'll be able to control its desktop, use its terminal, and reach any service running on it, all over a private encrypted connection.

This guide is written for a **headless Mac Mini** (no monitor attached) as the main example, since that's the trickiest case. Everything applies equally to any Mac.

> **Skill level:** Comfortable copying and pasting Terminal commands. No networking expertise required.
> **Time:** ~20 minutes for first-time setup.
> **Cost:** Free (Tailscale's Personal plan covers this).

---

## What you're building

Three layers that stack on top of each other:

| Layer | Tool | What it gives you |
|-------|------|-------------------|
| **Network** | Tailscale | Makes your Mac reachable from anywhere, privately, without touching your router |
| **Terminal** | SSH (built into macOS) | Command-line access to the Mac |
| **Desktop** | Screen Sharing (built into macOS) | See and control the Mac's screen with mouse and keyboard |

**Why Tailscale instead of TeamViewer / AnyDesk / Chrome Remote Desktop?**

Those relay apps route your screen through a third party's servers. Tailscale builds a direct, encrypted tunnel between *your own devices*. The company can't see your traffic. It's also not limited to screen sharing: once your Mac is on the Tailscale network, *every* service on it (SSH, file transfer, a local web server, a database, a local AI model) becomes reachable as if you were sitting at home. One setup, everything works.

The honest tradeoff: relay apps need zero setup but give you less and route through someone else. Tailscale needs ~20 minutes once, then it's invisible.

---

## Before you start

You'll need:

- The **Mac** you want to reach remotely (the "host").
- A **second device** you'll connect *from* (laptop, another Mac, phone, tablet).
- An **account** to log into Tailscale with (Google, Microsoft, GitHub, or email). You'll use the **same account** on every device.

**Placeholders used in this guide** (replace with your real values):

- `<TAILSCALE_IP>` → your Mac's Tailscale address, looks like `100.x.x.x`
- `<MACHINE_NAME>` → your Mac's Tailscale name, looks like `your-mac-mini`
- `<USERNAME>` → your macOS short username (e.g. `john`, not "John Smith")

---

## Part 1 — Install Tailscale on the Mac (host)

Pick one install method:

**App Store (simplest):** Search "Tailscale", install, open it from Applications.

**Homebrew (if you use it):**
```bash
brew install --cask tailscale
```
Then open Tailscale from Applications.

A small Tailscale icon appears in the menu bar (top-right of the screen).

### Log in

1. Click the **Tailscale menu bar icon** → **Log in**.
2. Your browser opens. Choose a sign-in method. **Remember which one** — you'll use the same on every device.
3. Authorize when prompted.
4. The icon goes solid. Click it: your Mac should show as **Connected** with a `100.x.x.x` address.

That `100.x.x.x` is your `<TAILSCALE_IP>`. Note it down (it's also always visible in the Tailscale menu).

---

## Part 2 — Turn on remote access on the Mac (host)

### Enable Screen Sharing and Remote Login

1. **System Settings** → **General** → **Sharing**.
2. Turn **ON**:
   - **Screen Sharing** — for desktop control.
   - **Remote Login** — for SSH / terminal access.
3. Click the **ⓘ** next to **Remote Login** and confirm your user is allowed (usually "All users" or your name). Note the **username** shown; that's your `<USERNAME>`.

> ⚠️ **Critical gotcha — do NOT turn on "Remote Management."**
> macOS has *two* similar features: **Screen Sharing** (simple, what you want) and **Remote Management** (the older Apple Remote Desktop service). They conflict. If Remote Management is on, Screen Sharing misbehaves and you'll get "wrong password" or guest-approval prompts. **Use Screen Sharing only.** See Troubleshooting if you've already got Remote Management on.

### Stop the Mac from sleeping

A sleeping Mac won't answer. While you're here:

- **System Settings** → **Battery** (or **Energy Saver** / **Lock Screen**, depending on macOS version).
- Turn ON **"Prevent automatic sleeping when the display is off."**

For a headless Mac, also consider the `caffeinate` command or the Amphetamine app as a backup.

### Set up auto-login (headless Macs especially)

If your Mac reboots and sits at the login screen, Screen Sharing can fall back to a "guest approval" prompt that nobody's there to approve. Prevent it:

- **System Settings** → **Users & Groups** → **Automatically log in as** → your user.

> If this option is greyed out, it's because **FileVault** disk encryption is on (FileVault blocks auto-login by design). You'll either disable FileVault or always reconnect after reboots manually.

---

## Part 3 — Install Tailscale on your other device(s)

On the laptop/phone you'll connect *from*:

1. Install Tailscale (App Store, Homebrew, or the iOS/Android app).
2. Open it → **Log in** → **use the exact same account** as the host.
3. Wait for **Connected**.
4. Click the Tailscale icon: you should now see **both devices** listed, each with a `100.x.x.x` address.

Seeing the host in this list means the two devices can reach each other. Now we test.

---

## Part 4 — Connect via SSH (terminal)

This is the fastest test and proves the whole link works.

1. Grab the host's `<TAILSCALE_IP>` from the Tailscale menu.
2. Open **Terminal** and run:
   ```bash
   ssh <USERNAME>@<TAILSCALE_IP>
   ```
3. First time only: it asks *"Are you sure you want to continue connecting?"* → type `yes`, Enter.
4. Enter the host's **login password**.
   > The password shows **nothing** as you type, no dots or stars. That's normal. Type it and press Enter.

If the prompt changes to show the host's name, you're in. Confirm with:
```bash
hostname
```

**Tip:** You can use the machine name instead of the number:
```bash
ssh <USERNAME>@<MACHINE_NAME>
```

---

## Part 5 — Connect to the desktop (Screen Sharing)

1. On your Mac, open **Finder**.
2. Press **Cmd + K** (or Finder → Go → Connect to Server).
3. Type:
   ```
   vnc://<TAILSCALE_IP>
   ```
4. Click **Connect**.
5. Enter the host's **username and password** (your `<USERNAME>` + login password).

The host's desktop opens in a window. You're controlling it remotely.

**From a phone or tablet:** install a VNC client (or a polished app like Jump Desktop or Screens), and point it at `<TAILSCALE_IP>`.

---

## Part 6 (Optional) — Reach other services on the Mac

This is where Tailscale pays off. Anything listening on the Mac is now reachable from your devices.

**A service already listening on all interfaces** (bound to `0.0.0.0` or `*`) works immediately:
```
http://<TAILSCALE_IP>:<PORT>
```

**A service bound to localhost only** (`127.0.0.1`) works *on* the Mac but refuses remote connections. Two fixes:

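1. **Reconfigure the app** to bind to `0.0.0.0` (check its docs/config). Less secure: the app then accepts connections on every network interface, so it's open to everything on your tailnet and to the local network the Mac is connected to.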
2. **Use Tailscale Serve** (recommended): leave the app on localhost and let Tailscale proxy it over HTTPS:
   ```bash
   tailscale serve --bg <PORT>
   ```
   If `tailscale` isn't found (common with the App Store version), use the full path:
   ```bash
   /Applications/Tailscale.app/Contents/MacOS/Tailscale serve --bg <PORT>
   ```
   Check the resulting URL:
   ```bash
   tailscale serve status
   ```
   You'll get a clean `https://<MACHINE_NAME>.<your-tailnet>.ts.net/` address that proxies to your local port. The app stays locked to localhost (more secure), and only your tailnet can reach it. This survives reboots thanks to `--bg`.

   To turn it off:
   ```bash
   tailscale serve --https=443 off
   ```

> **Find what's listening on your Mac** (run on the host):
> ```bash
> sudo lsof -iTCP -sTCP:LISTEN -n -P
> ```
> Look at the address column: `127.0.0.1:PORT` = localhost only; `*:PORT` or `0.0.0.0:PORT` = reachable on the network.

---

## Quick reference

Once set up, from any network:

| To do this | Run / open |
|------------|-----------|
| Terminal | `ssh <USERNAME>@<TAILSCALE_IP>` |
| Desktop | `vnc://<TAILSCALE_IP>` in Finder (Cmd+K) |
| A web service | `http://<TAILSCALE_IP>:<PORT>` |
| Via Tailscale Serve | `https://<MACHINE_NAME>.<your-tailnet>.ts.net/` |

You can swap `<TAILSCALE_IP>` for `<MACHINE_NAME>` anywhere; both work.

---

## FAQ

**Is Tailscale really free for this?**
Yes. The Personal plan is free and supports up to 6 users with unlimited devices, which is far more than a personal setup needs. Tailscale Serve is included.

**Do I need to open ports or configure my router?**
No. That's the entire point of Tailscale. It handles connectivity without any port forwarding or firewall changes.

**Does this work behind strict networks (corporate WiFi, mobile data, hotel WiFi)?**
Almost always. When a direct connection can't be made, Tailscale falls back to its encrypted relays automatically. You won't notice the difference beyond slightly higher latency.

**Is it secure? Can Tailscale see my screen?**
Traffic is end-to-end encrypted between your own devices. Tailscale's servers only help your devices find each other; they don't see your data, screen, or keystrokes.

**Can other people see my Mac?**
Only devices logged into *your* Tailscale account can reach it. The Personal plan allows up to 6 users, so if you ever add family/teammates to your tailnet, they could reach shared services unless you restrict access with Tailscale ACLs. For a solo setup, only your devices have access.

**SSH vs Screen Sharing, which should I use?**
SSH (terminal) is lighter and faster; use it for anything command-line. Screen Sharing is for when you need the actual graphical desktop. Most power users live in SSH and use Screen Sharing as a fallback.

**Do I have to re-run anything after a reboot?**
No, if you set up auto-login and used `tailscale serve --bg`. Tailscale reconnects on boot, Screen Sharing and SSH come back automatically, and auto-login ensures the desktop session is ready for VNC.

**Can I use a custom domain / company email to sign up?**
You can, but signing up with a company domain email may auto-enroll you in a 14-day business trial instead of the free Personal plan. Use a personal Google/email account to stay cleanly on the free tier. Check Tailscale admin console → Billing if unsure.

**What about Windows or Linux machines?**
Tailscale runs on all of them. The networking layer is identical; only the "remote desktop" tool differs (RDP on Windows, VNC/RDP on Linux). SSH works everywhere.

---

## Troubleshooting

### "Wrong password" when connecting via Screen Sharing (but SSH works fine)

This is the most common issue and it usually has nothing to do with your password.

**Cause 1 — Remote Management is on instead of Screen Sharing, with a separate VNC password.**
When **Remote Management** is enabled, it often has its own short "VNC password" that *overrides* your account login. Your real password gets rejected no matter what.

**Fix:**
1. **System Settings** → **General** → **Sharing**.
2. Turn **Remote Management OFF**.
3. Turn **Screen Sharing ON** (it appears as a separate row once Remote Management is off).
4. In Screen Sharing's options, leave any "VNC viewers may control screen with password" option **OFF** so it uses your normal account login.
5. Reconnect with your `<USERNAME>` + normal login password.

**Cause 2 — Wrong username format.**
Screen Sharing wants your **short username** (e.g. `john`), not your full display name ("John Smith"). It's the same name SSH uses. Confirm it by running this on the host:
```bash
id -un
```

**Cause 3 — Verify the password is actually correct.**
Run on the host (you can be SSH'd in):
```bash
dscl . -authonly <USERNAME>
```
Enter the password at the prompt. **Silence = correct.** An error means the password is wrong; reset it with:
```bash
sudo passwd <USERNAME>
```

### Connecting only as a "guest" / it asks for approval at the Mac

VNC falls back to a guest session that needs someone physically at the Mac to approve. On a headless machine, nobody's there to click it.

**Cause:** Usually no active desktop session exists (the Mac is sitting at the login window), or Remote Management is interfering.

**Fix:**
1. Make sure **Remote Management is off and Screen Sharing is on** (see above).
2. Set up **auto-login** (Part 2) so the Mac always boots into a logged-in desktop that VNC can attach to.
3. Reboot, then reconnect.

### `tailscale: command not found`

The App Store version doesn't always put `tailscale` on your PATH. Use the full path:
```bash
/Applications/Tailscale.app/Contents/MacOS/Tailscale <command>
```
Or add an alias to your shell profile:
```bash
alias tailscale="/Applications/Tailscale.app/Contents/MacOS/Tailscale"
```

### Can't reach a service even though Tailscale is connected

The service is probably bound to `127.0.0.1` (localhost only). Check on the host:
```bash
sudo lsof -iTCP -sTCP:LISTEN -n -P | grep <PORT>
```
If you see `127.0.0.1:<PORT>`, either reconfigure the app to bind to `0.0.0.0`, or use **Tailscale Serve** (Part 6) to proxy it.
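
The address-column check from Part 6 and from this troubleshooting step, automated over a whole `lsof` listing. This is an added example, not part of the original guide: the function names are illustrative and the sample `lsof` output is constructed. It goes slightly beyond the text by also recognising IPv6 loopback (`[::1]`) and sockets bound specifically to an address in `100.64.0.0/10`, the range Tailscale's `100.x.x.x` addresses come from.

```bash
#!/usr/bin/env bash
# Added example: classify listening TCP sockets by who can reach them.
# On the host:  sudo lsof -iTCP -sTCP:LISTEN -n -P | classify_listeners

# Reads lsof output on stdin, prints "PORT<TAB>SCOPE<TAB>COMMAND" per listener.
classify_listeners() {
  awk '
    $NF == "(LISTEN)" {
      name = $(NF - 1)                 # e.g. 127.0.0.1:3000, *:22, [::1]:5432
      n = split(name, parts, ":")
      port = parts[n]                  # text after the last colon
      addr = substr(name, 1, length(name) - length(port) - 1)
      if (addr == "*" || addr == "0.0.0.0" || addr == "[::]")
        scope = "all-interfaces"       # LAN, Wi-Fi and tailnet alike
      else if (addr ~ /^127\./ || addr == "[::1]")
        scope = "localhost"            # remote access needs tailscale serve
      else if (addr ~ /^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\./)
        scope = "tailscale"            # 100.64.0.0/10, where 100.x.x.x lives
      else
        scope = "other-address"        # a specific LAN or other interface IP
      printf "%s\t%s\t%s\n", port, scope, $1
    }' | sort -u | sort -n
}

# Prints the ports that have the given scope, space-separated on one line.
ports_with_scope() {
  classify_listeners | awk -F '\t' -v want="$1" '$2 == want { print $1 }' |
    sort -nu | paste -sd ' ' -
}

# Constructed sample of lsof output (not captured from a real machine).
sample_lsof() {
  cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root    7u  IPv4   0xa1      0t0  TCP *:22 (LISTEN)
launchd     1 root    8u  IPv6   0xa2      0t0  TCP *:22 (LISTEN)
launchd     1 root   11u  IPv4   0xa3      0t0  TCP *:5900 (LISTEN)
node      812 john   23u  IPv4   0xa4      0t0  TCP 127.0.0.1:3000 (LISTEN)
postgres  640 john    5u  IPv6   0xa5      0t0  TCP [::1]:5432 (LISTEN)
python3   977 john    4u  IPv4   0xa6      0t0  TCP 100.101.102.103:8080 (LISTEN)
EOF
}

sample_lsof | classify_listeners
echo "localhost only (tailscale serve candidates): $(sample_lsof | ports_with_scope localhost)"
echo "bound to every interface: $(sample_lsof | ports_with_scope all-interfaces)"
```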

### Tailscale Serve URL shows HTTPS / MagicDNS error

Serve needs **MagicDNS** and **HTTPS certificates** enabled for your tailnet. In the Tailscale admin console (login.tailscale.com), go to **DNS** settings and enable **MagicDNS**, then enable **HTTPS Certificates**. Re-run the serve command.

### The Mac keeps going to sleep / becomes unreachable

- Confirm **"Prevent automatic sleeping when the display is off"** is ON (Part 2).
- For stubborn cases on a headless Mac, run `caffeinate -dimsu &` over SSH, or install Amphetamine.

### Headless Mac has a tiny resolution or laggy graphics

With no monitor attached, macOS sometimes renders at a low resolution or won't fully enable the GPU.

**Fix:** Buy a cheap **HDMI dummy plug** (~$5). It tricks the Mac into thinking a 4K display is connected, restoring proper resolution and performance. Worth it for any headless Mac doing graphical work.

### Connection works at home but not when away

- Confirm both devices show **Connected** in their Tailscale menus.
- Confirm the device you're connecting *from* is logged into the **same Tailscale account**.
- Try the machine name instead of the IP (or vice versa).
- Restart Tailscale on both ends if a device recently changed networks.

---

## A note on security

Your setup is private to your own devices by default. As you grow it, keep these in mind:

- **Services on your Mac are reachable by every device on your tailnet.** Solo, that's just you. If you add other people (up to 6 on the free plan), use **Tailscale ACLs** to limit who reaches what.
- **Prefer Tailscale Serve over binding services to `0.0.0.0`.** Serve keeps the app on localhost and only exposes it through Tailscale's authenticated layer.
- **Tailscale Funnel** exposes a service to the *public internet*. You almost never need it for personal remote access; don't enable it unless you specifically want a public endpoint (e.g. a webhook).

---

*Setup recap: install Tailscale everywhere (same account) → enable Screen Sharing + Remote Login on the host (never Remote Management) → prevent sleep + auto-login → connect with `ssh` and `vnc://` to the Tailscale IP. Optionally expose services with `tailscale serve`.*
