Tailscale Expose SOCKS5 Port for Proxy Software
💡 I have been using Clash or Quantumult X for a long time. After setting up internal network services via Tailscale, I had to switch apps every time I accessed the intranet (the Tailscale client and the proxy software cannot run at the same time), which is very inconvenient. So I considered adding an intranet proxy node to the proxy software and configuring routing rules so that frequent app switching is no longer necessary.
Deploy Tailscale Container
Following Tailscale's "Userspace networking mode (for containers)" documentation, deploy a Tailscale container and expose its SOCKS5 port.
```bash
docker run -d \
  --name tailscale-socks5 \
  --restart=unless-stopped \
  --cap-add=NET_ADMIN \
  -e TS_USERSPACE=true \
  -e TS_SOCKS5_SERVER=0.0.0.0:1055 \
  -p 127.0.0.1:1055:1055 \
  -v /var/www/tailscale-socks5:/var/lib/tailscale \
  tailscale/tailscale:latest tailscaled --tun=userspace-networking --socks5-server=0.0.0.0:1055
```

The `-p 127.0.0.1:1055:1055` mapping publishes the SOCKS5 port on the host's loopback interface only. Keep it that way: this listener has no authentication of its own. (In userspace-networking mode tailscaled does not create a TUN device, so `--cap-add=NET_ADMIN` is not strictly required and can be dropped for least privilege.)

Check that it is listening on port :1055:

```bash
docker exec -it tailscale-socks5 ss -tuln
```

Start Tailscale and complete the login (the command prints a login URL to open in a browser):

```bash
docker exec -it tailscale-socks5 tailscale up --accept-dns=false --accept-routes
```

After a successful login, test whether the SOCKS5 port exposed by the Tailscale container works properly:

```bash
curl --socks5 127.0.0.1:1055 http://<tailscale intranet service>
```

Note that with `--socks5`, curl resolves the hostname on the local machine, which only works for Tailscale 100.x addresses or names your host can resolve; use `--socks5-hostname` if you want the proxy (and thus Tailscale's resolver inside the container) to resolve the name instead.

This SOCKS5 proxy has no authentication (no username/password). To expose it to the public network with a bit more security, deploy a SOCKS5 proxy with username/password authentication in front of it, which forwards its outbound traffic to the unauthenticated SOCKS5 service provided by Tailscale.
Deploy kechangdev/s2s Container
Project address: https://github.com/kechangdev/s2s
The following example starts this container listening on port 45675 of the local machine, with the username/password set to `username` / `password`, and forwards traffic to the local unauthenticated SOCKS5 proxy at 127.0.0.1:1055.
```bash
docker run -d --network host \
  --name tailscale-s2s \
  -e SOCKS5_USERNAME="username" \
  -e SOCKS5_PASSWORD="password" \
  -e TS_SOCKS5_HOST="127.0.0.1" \
  -e TS_SOCKS5_PORT="1055" \
  -e INBOUND_PORT="45675" \
  kechangdev/s2s:latest
```

| Variable | Default | Description |
|---|---|---|
| SOCKS5_USERNAME | username | Username for inbound SOCKS5 authentication |
| SOCKS5_PASSWORD | password | Password for inbound SOCKS5 authentication |
| TS_SOCKS5_HOST | 127.0.0.1 | Address of the outbound SOCKS5 (e.g. the SOCKS5 provided by Tailscale) |
| TS_SOCKS5_PORT | 1055 | Port of the outbound SOCKS5 |
| INBOUND_PORT | 45675 | SOCKS5 port exposed by this container (with username/password authentication) |
Note:
- `--network host` is used here to share the network namespace with the host, so the container can reach the Tailscale SOCKS5 bound to the host's 127.0.0.1. Other network modes work as long as the container can reach `TS_SOCKS5_HOST:TS_SOCKS5_PORT`. Be aware that with host networking the inbound port is opened directly on every host interface, so restrict it with a host firewall if it should not be reachable from everywhere.
- To change the listening port, modify `INBOUND_PORT` when starting and map the port accordingly.
Test:
```bash
curl -v --socks5 127.0.0.1:45675 -U username:password http://<tailscale intranet service>
```

If the target page content is returned correctly, the entire proxy chain is working. Also repeat the request with a wrong password and with `-U` omitted, and confirm that both attempts fail instead of returning the page; otherwise the authenticating front-end is not actually in the path.
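A single successful `curl -U` does not tell you whether the authentication layer is doing its job. The probe below, an added example that is not code from this article or from the s2s project, checks the two listeners' SOCKS5 method negotiation directly: the Tailscale listener on 127.0.0.1:1055 should accept the NO AUTHENTICATION method, while the s2s front-end should refuse it (reply 0xFF), select username/password even when the client also offers no-auth, and reject a wrong password. It implements RFC 1928 method negotiation and the RFC 1929 username/password sub-negotiation with the standard library only, and includes a constructed in-process mock (`MockSocks5`, which speaks only the authentication phase) so it can be exercised offline. The host, ports and credentials are assumptions taken from the configuration above.

```python
"""Probe the authentication policy of a SOCKS5 endpoint.

RFC 1928 greeting: client sends VER=0x05, NMETHODS, METHODS...;
server replies VER, METHOD (0xFF = no acceptable method).
RFC 1929 sub-negotiation: client sends VER=0x01, ULEN, UNAME, PLEN, PASSWD;
server replies VER=0x01, STATUS (0x00 = success).
"""
import socket
import sys
import threading

NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF


def recv_exact(sock, n):
    """Read exactly n bytes; recv() alone may return a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 handshake")
        buf += chunk
    return buf


def negotiate(host, port, methods, username="", password="", timeout=3.0):
    """Offer `methods`; return (method chosen by server, credentials accepted).

    The flag is True for NO_AUTH (nothing to verify) or when the server
    selected USERPASS and answered STATUS 0x00 for the given pair.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bytes([0x05, len(methods)]) + bytes(methods))
        ver, chosen = recv_exact(s, 2)
        if ver != 0x05:
            raise ValueError(f"not a SOCKS5 server (VER={ver:#x})")
        if chosen != USERPASS:
            return chosen, chosen == NO_AUTH
        u, p = username.encode(), password.encode()
        s.sendall(bytes([0x01, len(u)]) + u + bytes([len(p)]) + p)
        _, status = recv_exact(s, 2)
        return chosen, status == 0x00


def audit(host, port, username, password):
    """Summarise what the endpoint lets through. Expected: the bare Tailscale
    SOCKS5 has accepts_no_auth=True; the s2s front-end has
    accepts_no_auth=False and the other three flags True."""
    open_choice, _ = negotiate(host, port, [NO_AUTH])
    both_choice, good_ok = negotiate(host, port, [NO_AUTH, USERPASS], username, password)
    bad_choice, bad_ok = negotiate(host, port, [USERPASS], username, password + "-wrong")
    return {
        "accepts_no_auth": open_choice == NO_AUTH,
        # A hardened server must insist on 0x02 even when 0x00 is on offer.
        "requires_userpass": both_choice == USERPASS,
        "creds_accepted": both_choice == USERPASS and good_ok,
        # None when the server does not speak username/password at all.
        "wrong_password_rejected": None if bad_choice != USERPASS else not bad_ok,
    }


class MockSocks5(threading.Thread):
    """Constructed test double: only the authentication phase of a SOCKS5
    server, so the probe can run offline. It is not a usable proxy."""

    def __init__(self, require_userpass, username="username", password="password"):
        super().__init__(daemon=True)
        self.require_userpass = require_userpass
        self.creds = (username.encode(), password.encode())
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen()
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            with conn:
                try:
                    self.handshake(conn)
                except (OSError, ValueError):
                    pass

    def handshake(self, conn):
        _, nmethods = recv_exact(conn, 2)
        methods = recv_exact(conn, nmethods)
        if not self.require_userpass:  # behaves like the Tailscale listener
            conn.sendall(bytes([0x05, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE]))
            return
        if USERPASS not in methods:    # behaves like an authenticating front-end
            conn.sendall(bytes([0x05, NO_ACCEPTABLE]))
            return
        conn.sendall(bytes([0x05, USERPASS]))
        _, ulen = recv_exact(conn, 2)
        user = recv_exact(conn, ulen)
        (plen,) = recv_exact(conn, 1)
        pw = recv_exact(conn, plen)
        conn.sendall(bytes([0x01, 0x00 if (user, pw) == self.creds else 0x01]))


if __name__ == "__main__":
    # Usage: python socks5_auth_probe.py HOST PORT USERNAME PASSWORD
    host, port, user, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    for key, value in audit(host, port, user, pw).items():
        print(f"{key:24} {value}")
```

Run it against both listeners, e.g. `python socks5_auth_probe.py 127.0.0.1 1055 username password` and then the same against port 45675. If the public-facing port reports `requires_userpass False`, the authentication layer is not actually in front of the Tailscale proxy and it must not be exposed.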
Software Configuration
Taking Quantumult X as an example:
- Configure the SOCKS5 node (IP:Port is the public address and `INBOUND_PORT` of the s2s container, and the credentials are the ones set in `SOCKS5_USERNAME` / `SOCKS5_PASSWORD`):

```
socks5=IP:Port, username=XXX, password=XXX, fast-open=false, udp-relay=false, server_check_url=http://<tailscale intranet service>, tag=tailscale
```

- Configure the policy group:

```
static=Tailscale, tailscale
```

- Configure the routing rule. 100.64.0.0/10 is the CGNAT range from which Tailscale assigns node addresses, so this rule matches by destination IP and sends anything aimed at a Tailscale node through the proxy:

```
; Tailscale
ip-cidr, 100.64.0.0/10, Tailscale
```

There you go, you can now access your Tailscale intranet seamlessly:

Reminder
It is highly recommended to reinforce this setup with a TLS or SSH tunnel, Fail2Ban, a firewall allowlist, or similar measures. Exposing a bare SOCKS5 service protected only by username/password to the public network still carries real risk: the port can be brute-forced, and because SOCKS5 username/password authentication (RFC 1929) sends the credentials in plaintext, anyone who can capture the traffic can read them and anything else the proxied protocol does not encrypt itself.