Skip to main content
This tutorial shows how to run Tailscale inside a Blaxel sandbox. Once set up, your sandbox is reachable via SSH from any device on your Tailscale network.

Prerequisites

Before starting, ensure you have: To generate a Tailscale authentication key:
  1. Log in to your Tailscale account and navigate to the administration section.
  2. Click Generate auth key
  3. Configure the key:
    • Reusable — enable if you want to use the same key across multiple sandboxes
    • Ephemeral — recommended for sandboxes: the node is automatically removed from your Tailscale network when it disconnects
    • Expiry — set an appropriate duration (e.g. 90 days)
  4. Click Generate key and copy the value, typically starting with tskey-auth-...
Then set it as an environment variable:

Create a sandbox

Tailscale requires iptables, which is not enabled in sandboxes by default. You enable it by passing extraArgs at creation time.

Install and configure Tailscale in the sandbox

Connect to the sandbox terminal:
Next, install the tailscale and iptables packages and start the tailscaled daemon as a background process.
You can then run tailscale up --ssh to authenticate and enable Tailscale SSH.
Retrieve the Tailscale IP.

Connect to the sandbox using Tailscale

Once authenticated, the sandbox is reachable via SSH from any device on your Tailscale network:

Appendix: Using the SDK

It’s also possible to create a sandbox and configure Tailscale using the Blaxel SDKs instead of the sandbox terminal:
Last modified on May 23, 2026