The default desktop shape keeps your dashboard on localhost. That is fine when you are sitting at the machine running it, but not when you want to approve an agent from your phone on the couch. Tailscale solves this in about five minutes without touching a firewall, a certificate authority, or a public DNS record. This guide assumes you already have Tailscale installed on the machine running Company Agents and at least one other device. If you do not, start at tailscale.com/download and come back.

What you get

  • The dashboard reachable at http://company-agents:3101 (or whatever your machine’s Tailscale name is) from any device on your tailnet
  • HTTPS on your MagicDNS hostname, using a Let’s Encrypt certificate issued through Tailscale, without running your own CA
  • Nothing exposed to the public internet
  • Same auth model as localhost (no extra login layer needed)

Step 1: Bind the dashboard to 0.0.0.0

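By default the dashboard listens on 127.0.0.1:3101. To accept connections from other devices on the tailnet, it needs to bind to 0.0.0.0:3101 (or the specific Tailscale interface address). Binding to 0.0.0.0 listens on every interface the host has, including the LAN and any public-facing one, so the Tailscale interface address is the tighter choice when only tailnet devices should reach the dashboard. In .env.local (or your system env):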
DASHBOARD_HOST=0.0.0.0
DASHBOARD_PORT=3101
Restart the orchestrator. Confirm with:
curl http://<your-tailnet-name>:3101/healthz
# => { "ok": true }
If that works from another device on the tailnet, the hard part is done.

Step 2: Get a real HTTPS cert via Tailscale

Tailscale can issue real Let’s Encrypt certs for your tailnet hostname. Enable it once on your tailnet at login.tailscale.com/admin/dns by turning on HTTPS Certificates. Then, on the host running Company Agents:
sudo tailscale cert company-agents.tail12345.ts.net
This writes two files:
  • company-agents.tail12345.ts.net.crt
  • company-agents.tail12345.ts.net.key
Point Company Agents at them:
TLS_CERT_PATH=/path/to/company-agents.tail12345.ts.net.crt
TLS_KEY_PATH=/path/to/company-agents.tail12345.ts.net.key
DASHBOARD_SCHEME=https
DASHBOARD_PORT=443
Restart. You now have HTTPS at https://company-agents.tail12345.ts.net from any device on your tailnet.
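A quick way to check the settings from Steps 1 and 2 before restarting, as an added example that is not part of Company Agents: it classifies what DASHBOARD_HOST actually exposes and flags a mismatched TLS setup or a loosely permissioned key file. The function names are hypothetical, .env.local is assumed to hold plain KEY=VALUE lines, and the sample input is constructed.

```python
import ipaddress
import os
import stat

# Ranges Tailscale assigns to tailnet nodes (IPv4 CGNAT block and IPv6 ULA).
TAILNET_NETS = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "fd7a:115c:a1e0::/48")]
SAMPLE_ENV = "DASHBOARD_HOST=0.0.0.0\nDASHBOARD_PORT=3101\n"  # constructed, as in Step 1

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def bind_scope(host):
    """Classify which networks can reach a listener bound to host."""
    try:
        addr = ipaddress.ip_address("127.0.0.1" if host == "localhost" else host)
    except ValueError:
        return "unknown"  # some other hostname: resolve it before trusting it
    if addr.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 or :: also covers LAN and public NICs
    if addr.is_loopback:
        return "loopback"
    return "tailnet" if any(addr in n for n in TAILNET_NETS) else "other-interface"

def audit(env):
    """Return findings for the network and TLS settings this guide changes."""
    findings = []
    scope = bind_scope(env.get("DASHBOARD_HOST", "127.0.0.1"))
    https = env.get("DASHBOARD_SCHEME", "http") == "https"
    key = env.get("TLS_KEY_PATH")
    if scope == "all-interfaces":
        findings.append("DASHBOARD_HOST listens on every interface, not only the tailnet")
    elif scope in ("other-interface", "unknown"):
        findings.append("DASHBOARD_HOST is neither loopback nor a Tailscale address")
    if scope not in ("loopback", "tailnet") and not https:
        findings.append("plain HTTP may be reachable from outside the tailnet")
    if https and not (env.get("TLS_CERT_PATH") and key):
        findings.append("DASHBOARD_SCHEME=https without TLS_CERT_PATH and TLS_KEY_PATH")
    if key and os.path.exists(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        findings.append("TLS_KEY_PATH is readable by group or others")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_env(SAMPLE_ENV))))
```

An empty result means the listener is loopback- or tailnet-only and the TLS settings are consistent; pass the contents of your own .env.local to parse_env to check a real configuration.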

Step 3: Mobile access

Tailscale works on iOS and Android. Install the Tailscale app, sign in with the same account, enable the VPN profile, and browse to https://company-agents.tail12345.ts.net in Safari or Chrome. The dashboard is mobile-responsive and renders the approvals inbox cleanly on a phone.

Optional: auth on top of Tailscale

Tailscale itself authenticates devices, so if you trust every device on your tailnet, you can treat the dashboard as an open service behind the tunnel. If you want a belt-and-suspenders setup:
  • Turn on the dashboard’s built-in login (under Settings → Access → Require login), which adds a password layer
  • Or put Tailscale Serve in front of it and let Tailscale handle the auth layer (tailscale serve --bg --https=443 localhost:3101)
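The serve approach is cleaner for multi-device setups because the cert management stays inside Tailscale. Because Serve forwards to localhost:3101, the dashboard can keep its default 127.0.0.1 binding in that setup.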

Gotchas

  • Tailscale cert refresh: Tailscale-issued certs are valid for 90 days. You will want a cron job or systemd timer to re-run tailscale cert monthly and restart the orchestrator.
  • MagicDNS required: MagicDNS has to be on for the hostname to resolve. It is on by default in new tailnets.
  • Mobile VPN battery: keeping Tailscale on all day costs a small amount of battery. Use Tailscale’s on-demand rules to flip the VPN on only when you are opening the dashboard.
  • Mixing with a local reverse proxy: if you are running Caddy, Nginx, or Traefik on the same host for other services, terminate TLS for the Tailscale hostname in that proxy and forward to 127.0.0.1:3101. Do not run two TLS terminators on the same port.

Next

  • Docker if you want the same setup in a container
  • Secrets because a network-accessible dashboard means your master key becomes a more interesting target
  • Environment variables for the full list of TLS and network options