If you cannot access a Tailscale service from a Linux machine, you likely need to run this command:

sudo tailscale set --accept-routes

Here’s why:

Unlike a standard device (a “node”), a Tailscale Service is a virtual entity. It doesn’t represent a single physical network interface.

  • Standard Node: Your Mac or Linux box has a direct “Peer” entry in the internal WireGuard table. Linux sees these 100.x.y.z addresses and knows they belong to the tailscale0 interface by default.
  • Service IP: A Service IP is essentially a Shared Anycast IP. It is “advertised” by one or more nodes in your network. Because it is being advertised rather than being a direct peer-to-peer connection, Linux treats the traffic to that IP as a route rather than a simple local interface destination.

Linux is often used as a router or server. To prevent Tailscale from accidentally hijacking existing routes or creating “routing loops”, Tailscale on Linux ignores all advertised routes until you explicitly opt in with --accept-routes.
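
One way to confirm this diagnosis before and after running the command, as an added example (not Tailscale's own tooling): it reads the `RouteAll` preference that `--accept-routes` sets, as printed by `tailscale debug prefs`, and the interface that `ip route get` picks for the Service IP. The sample inputs and addresses are constructed, and the function and verdict names are hypothetical.

```shell
#!/bin/sh
# Added example. Inputs: text of `tailscale debug prefs` and `ip route get <ip>`.

# Print true/false for RouteAll, the pref that --accept-routes sets.
accept_routes_enabled() {
  printf '%s\n' "$1" |
    sed -nE 's/.*"RouteAll"[[:space:]]*:[[:space:]]*(true|false).*/\1/p' | head -n 1
}

# Print the egress interface named after "dev" in `ip route get` output.
route_dev() {
  printf '%s\n' "$1" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Verdict for one Service IP. $1 = prefs JSON, $2 = `ip route get` line.
diagnose() {
  d_accept=$(accept_routes_enabled "$1")
  d_dev=$(route_dev "$2")
  if [ "$d_dev" = "tailscale0" ]; then
    echo "ok"                    # traffic already enters the tailnet
  elif [ "$d_accept" = "false" ]; then
    echo "accept-routes-off"     # the case this page describes
  elif [ "$d_accept" = "true" ]; then
    echo "route-not-installed"   # opted in, so the cause lies elsewhere
  else
    echo "unknown"               # prefs text did not contain RouteAll
  fi
}

# Constructed sample inputs (addresses are made up for illustration).
SAMPLE_PREFS_OFF='{ "RouteAll": false, "CorpDNS": true }'
SAMPLE_PREFS_ON='{ "RouteAll": true, "CorpDNS": true }'
SAMPLE_ROUTE_LAN='100.100.50.7 via 192.168.1.1 dev eth0 src 192.168.1.20 uid 1000'
SAMPLE_ROUTE_TS='100.100.50.7 dev tailscale0 table 52 src 100.64.0.5 uid 1000'

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  # Live check: ./check.sh --live <service-ip>
  diagnose "$(tailscale debug prefs)" "$(ip route get "$2")"
else
  echo "before: $(diagnose "$SAMPLE_PREFS_OFF" "$SAMPLE_ROUTE_LAN")"
  echo "after:  $(diagnose "$SAMPLE_PREFS_ON" "$SAMPLE_ROUTE_TS")"
fi
```

On a router or server, running `ip route show table 52` after opting in lists every route Tailscale installed, which is the place to look for overlap with existing routes.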