Three ways to run Tailscale on macOS

There are three ways to run Tailscale on macOS:

  1. The Mac App Store version, from https://apps.apple.com/ca/app/tailscale/id1475387142
  2. A standalone Mac application, available from Tailscale packages
  3. The open source tailscale + tailscaled CLI version, from https://github.com/tailscale/tailscale/wiki/Tailscaled-on-macOS

The three variants share the same core packet processing code; they differ primarily in how they’re packaged and how they interact with the system.

Why are there three ways?

To be in the Mac App Store, applications run in the macOS App Sandbox, isolating the app from the rest of the system. In that sandbox, applications can be a Network Extension to implement VPNs or VPN-like functionality. The Network Extension system does not work for applications distributed outside of the Mac App Store.

In later versions of macOS, Apple added the similar but slightly different System Extension method of implementing VPNs.

Tailscale also has a version of the Tailscale macOS application that uses a System Extension instead, which can be distributed outside of the App Store (as a DMG or zip).

The final method is running the open source Tailscale code. It uses the kernel utun interface rather than the Network Extension or System Extension frameworks. It has no GUI and thus some functionality, such as Taildrop, does not have the same user experience as the macOS GUI versions.

Do not run with both the Mac App Store version and the standalone Mac application version installed on the same machine. Having both installed can result in the Tailscale extension failing to launch. To safely switch between macOS variants, delete the Tailscale.app currently installed, empty the Trash, and reboot your Mac before attempting to install the new variant.

In summary:

App Store
Network Extension
Standalone
System Extension
tailscaled
utun interface
Available yes yes yes
GUI yes yes no
CLI yes yes yes
Minimum macOS macOS 10.15 macOS 10.15 macOS 10.13
Requires Apple ID yes no no
Run before login no; sandboxed possible; not done yes
Keychain used user none; files on disk none; files on disk
Sandboxed yes yes no
Auto-updates yes; App Store yes; Sparkle no
Open Source no no yes
MagicDNS yes yes yes
Taildrop yes yes incomplete
Exit nodes yes yes partial; can advertise as exit node but cannot use them
MDM support yes yes no

Automating App Store installs

To automate installs of the Mac App Store version of Tailscale, the mas-cli tool lets you run:

mas install 1475387142