
Tailscale Expose SOCKS5 Port for Proxy Software

Neurocoda

💡 I have been using Clash or Quantumult X for a long time. After setting up internal network services via Tailscale, I need to switch apps every time I access the intranet (Tailscale client and the proxy software cannot run at the same time), which is very inconvenient. Therefore, I considered adding an intranet proxy node to the proxy software and configuring routing rules so that frequent app switching is no longer necessary.

Deploy Tailscale Container

Following Tailscale's "Userspace networking mode (for containers)" documentation, deploy a Tailscale container and expose the SOCKS5 port.

Terminal window
docker run -d \
--name tailscale-socks5 \
--restart=unless-stopped \
--cap-add=NET_ADMIN \
-e TS_USERSPACE=true \
-e TS_SOCKS5_SERVER=0.0.0.0:1055 \
-p 127.0.0.1:1055:1055 \
-v /var/www/tailscale-socks5:/var/lib/tailscale \
tailscale/tailscale:latest tailscaled --tun=userspace-networking --socks5-server=0.0.0.0:1055

Check if it is listening on port :1055:

Terminal window
docker exec -it tailscale-socks5 ss -tuln

Start Tailscale and complete login:

Terminal window
docker exec -it tailscale-socks5 tailscale up --accept-dns=false --accept-routes

After successful login, test whether the SOCKS5 port exposed by the Tailscale container works properly:

Terminal window
curl --socks5 127.0.0.1:1055 http://<tailscale-intranet-service>

However, this SOCKS5 proxy has no authentication (username/password). To expose it to the public network with a bit more security, deploy a second SOCKS5 proxy that requires username/password authentication and forwards its outbound traffic to the unauthenticated SOCKS5 service provided by Tailscale.

Deploy kechangdev/s2s Container

Project address: https://github.com/kechangdev/s2s

The following example starts this container, listening on port 45675 of the local machine, with username/password set to username / password, and forwards traffic to the local unauthenticated SOCKS5 proxy 127.0.0.1:1055.

Terminal window
docker run -d --network host \
--name tailscale-s2s \
-e SOCKS5_USERNAME="username" \
-e SOCKS5_PASSWORD="password" \
-e TS_SOCKS5_HOST="127.0.0.1" \
-e TS_SOCKS5_PORT="1055" \
-e INBOUND_PORT="45675" \
kechangdev/s2s:latest

| Variable | Default | Description |
| --- | --- | --- |
| SOCKS5_USERNAME | username | Username for inbound SOCKS5 authentication |
| SOCKS5_PASSWORD | password | Password for inbound SOCKS5 authentication |
| TS_SOCKS5_HOST | 127.0.0.1 | Address of outbound SOCKS5 (e.g., the SOCKS5 provided by Tailscale) |
| TS_SOCKS5_PORT | 1055 | Port of outbound SOCKS5 |
| INBOUND_PORT | 45675 | SOCKS5 port exposed by this container (with username/password authentication) |

Note:

  • --network host is typically used to share the network namespace with the host, making it easy to connect to the local Tailscale SOCKS5. Other network modes can be used as long as the container can reach TS_SOCKS5_HOST:TS_SOCKS5_PORT.
  • To change the listening port, simply modify INBOUND_PORT when starting and map the port accordingly.

Test:

Terminal window
curl -v --socks5 127.0.0.1:45675 -U username:password http://<tailscale-intranet-service>

If the target page content is correctly returned, the entire proxy chain is working.
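Before opening the inbound port to the public network, it is worth confirming that it really enforces authentication. The script below is an added example, not code from the s2s project: it speaks the SOCKS5 greeting (RFC 1928) and the username/password exchange (RFC 1929) directly and reports whether unauthenticated clients are refused and whether the default username / password pair is rejected. The function names are this example's own, and 127.0.0.1:45675 is assumed from the command above.

```python
import socket

NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF  # RFC 1928 method codes

def recv_exact(sock, n):
    """Read exactly n bytes; EOFError if the proxy hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("proxy closed the connection")
        buf += chunk
    return buf

def select_method(sock, methods):
    """Send the SOCKS5 greeting; return the auth method the server selects."""
    sock.sendall(bytes([0x05, len(methods), *methods]))
    ver, method = recv_exact(sock, 2)
    if ver != 0x05:
        raise ValueError("peer is not a SOCKS5 server")
    return method

def requires_auth(host, port, timeout=5):
    """True if a client offering only 'no authentication' is turned away."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return select_method(s, [NO_AUTH]) == NO_ACCEPTABLE
        except EOFError:  # hanging up without a reply is also a refusal
            return True

def accepts_credentials(host, port, user, password, timeout=5):
    """Run the RFC 1929 username/password exchange; True if it succeeds."""
    u, p = user.encode(), password.encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            if select_method(s, [USERPASS]) != USERPASS:
                return False
            s.sendall(bytes([0x01, len(u)]) + u + bytes([len(p)]) + p)
            return recv_exact(s, 2)[1] == 0x00
        except EOFError:
            return False

def audit(host="127.0.0.1", port=45675):
    """Check the authenticated inbound port (45675 in the example above)."""
    return {"auth_required": requires_auth(host, port),
            "default_creds_rejected":
                not accepts_credentials(host, port, "username", "password")}

if __name__ == "__main__":
    print(audit())
```

Run it on the host once both containers are up. With the example values above it reports `default_creds_rejected: False` until SOCKS5_USERNAME and SOCKS5_PASSWORD are changed, and pointing `audit` at port 1055 shows `auth_required: False`, which is why that port stays bound to 127.0.0.1.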

Software Configuration

Taking Quantumult X as an example:

  • Configure the SOCKS5 node:
Terminal window
socks5=IP:Port, username=XXX, password=XXX, fast-open=false, udp-relay=false, server_check_url=http://<tailscale-intranet-service>, tag=tailscale
  • Configure the policy group:
Terminal window
static=Tailscale, tailscale
  • Configure routing rules:
Terminal window
; Tailscale
ip-cidr, 100.64.0.0/10, Tailscale

There you go, you can now access your Tailscale intranet seamlessly.

Reminder

It is highly recommended to reinforce security with TLS/SSH tunnels, Fail2Ban, or other measures. Exposing only SOCKS5 with username/password authentication to the public network still carries potential risks (brute force, packet capture, etc.).

Title: Tailscale Expose SOCKS5 Port for Proxy Software
Author: Neurocoda
Created at: 2026-07-03 12:46:33
Link: https://neurocoda.com/en/posts/tailscale-expose-socks5-port-for-proxy-software-en/
License: This work is licensed under CC BY-ND 4.0.
