Built-in Tailscale
ServerCC has built-in Tailscale networking support. You can connect to servers on your Tailscale network directly from the app — without installing the system-wide Tailscale VPN on your device.
Why Built-in Tailscale?
Traditionally, connecting to servers on a Tailscale network from iOS requires the Tailscale app running as a system-wide VPN. This means:
- All device traffic is routed through Tailscale
- Only one VPN can be active at a time on iOS
- Conflicts with other VPN apps you may need
ServerCC solves this by embedding Tailscale networking directly into the app. The Tailscale connection is app-level only — it does not affect any other network traffic on your device.
Setting Up
Tailscale is configured per-server. You enable it when adding or editing a server.
Get an Auth Key from Tailscale
Go to the Tailscale admin console and generate an auth key. You can choose a reusable key or a one-time key depending on your needs.
Enable Tailscale in the server form
When adding or editing a server, scroll to the Tailscale section and toggle Connect via Tailscale. Paste your auth key in the Auth Key field that appears.
Set the host to a Tailscale address
In the Host field, use the Tailscale IP address (e.g., 100.x.y.z) or MagicDNS hostname of your server. ServerCC will route the SSH connection through its built-in Tailscale network.
If MagicDNS is enabled on your Tailscale network, you can use the machine name directly (e.g., my-server) instead of the IP address.
Connection Flow
When you open a Tailscale-enabled server, ServerCC shows the connection progress in real time:
- Starting Tailscale network — The app joins your Tailscale network as an ephemeral node
- Connecting via Tailscale — Dialing the target server through the Tailscale tunnel
- Setting up connection — A local TCP proxy bridges the Tailscale tunnel to the SSH client
- Establishing SSH connection — SSH authentication proceeds as normal over the tunnel
The server detail page also gives you the option to bypass Tailscale and connect directly if needed.
When Connection Fails
ServerCC classifies Tailscale failures based on the backend state reported by the local Tailscale client, so the error message points at the actual cause:
- Auth key invalid / expired — the stored auth key needs to be rotated in the Tailscale admin console, then updated on the server in ServerCC
- Still authenticating — give the node a moment to come up; retry usually succeeds
- No route to host — the target machine is offline or not in your tailnet
ServerCC no longer wipes the local Tailscale state directory on a transient startup failure, so a reusable auth key is not "burned" by a flaky network or a brief backend hiccup. You only need to regenerate a key when Tailscale itself reports that the key is invalid or expired.
How It Works
When Tailscale is configured, ServerCC joins your Tailscale network as an ephemeral node using the provided auth key. This happens entirely within the app:
- The app establishes a userspace Tailscale connection — no system VPN slot is used
- Tailscale nodes are shared across servers with the same auth key (reference-counted)
- SSH connections are routed through a local TCP proxy that bridges the Tailscale tunnel
- All other traffic (non-Tailscale servers, web browsing, other apps) is unaffected
- You can connect to both Tailscale and non-Tailscale servers simultaneously
Coexistence with Tailscale App
Since ServerCC uses an app-level Tailscale connection, it works independently from the official Tailscale app. You can:
- Use ServerCC with Tailscale while another VPN is active on your device
- Run the official Tailscale app and ServerCC side by side without conflicts
- Keep the Tailscale app disconnected and only use Tailscale networking within ServerCC
The auth key is stored securely in the iOS Keychain (per-server). If the key expires, you will need to generate a new one from the Tailscale admin console and update it by editing the server in ServerCC.