Skip to main content
This tutorial shows how to run Tailscale inside a Blaxel sandbox. Once set up, your sandbox is reachable via SSH from any device on your Tailscale network.

Prerequisites

Before starting, ensure you have: To generate a Tailscale authentication key:
  1. Log in to your Tailscale account and navigate to the administration section.
  2. Click Generate auth key
  3. Configure the key:
    • Reusable — enable if you want to use the same key across multiple sandboxes
    • Ephemeral — recommended for sandboxes: the node is automatically removed from your Tailscale network when it disconnects
    • Expiry — set an appropriate duration (e.g. 90 days)
  4. Click Generate key and copy the value, typically starting with tskey-auth-...
Then set it as an environment variable: 
export TS_AUTHKEY=tskey-auth-...

Create a sandbox

Tailscale requires iptables, which is not enabled in sandboxes by default. You enable it by passing extraArgs at creation time. 
import { SandboxInstance } from "@blaxel/core";

const sandbox = await SandboxInstance.create({
  name: "tailscale-sandbox",
  extraArgs: { iptables: "enabled" },
});

Install and configure Tailscale in the sandbox

Connect to the sandbox terminal: 
bl connect tailscale-sandbox
Next, install the tailscale and iptables packages and start the tailscaled daemon as a background process. 
# Install dependencies
apk add tailscale iptables

# Start the daemon
tailscaled &
You can then run tailscale up --ssh to authenticate and enable Tailscale SSH. 
# Authenticate and enable Tailscale SSH
# Prints an auth URL if no key is provided, or authenticates silently with a key
tailscale up --hostname=my-sandbox --ssh
# or: tailscale up --authkey=$TS_AUTHKEY --hostname=my-sandbox --ssh
Retrieve the Tailscale IP. 
# Get your Tailscale IP
tailscale ip

Connect to the sandbox using Tailscale

Once authenticated, the sandbox is reachable via SSH from any device on your Tailscale network: 
ssh root@<tailscale-ip>
# or using the hostname directly:
ssh root@my-sandbox

Appendix: Using the SDK

It’s also possible to create a sandbox and configure Tailscale using the Blaxel SDKs instead of the sandbox terminal: 
import { SandboxInstance } from "@blaxel/core";

const TS_AUTHKEY = process.env.TS_AUTHKEY!;
const SANDBOX_NAME = "tailscale-sandbox";

// 1. Create sandbox with iptables enabled
const sandbox = await SandboxInstance.create({
  name: SANDBOX_NAME,
  extraArgs: { iptables: "enabled" },
});

// 2. Install dependencies
await sandbox.process.exec({
  name: "install-deps",
  command: "apk add --no-cache tailscale iptables",
  waitForCompletion: true,
  timeout: 60, // 60 seconds
});

// 3. Start the tailscaled daemon in the background
await sandbox.process.exec({
  name: "tailscaled",
  command: "tailscaled",
  keepAlive: true,
  timeout: 0, // run indefinitely
});

// Give the daemon a moment to initialize
await new Promise((r) => setTimeout(r, 2000));

// 4. Authenticate and bring up the interface
const up = await sandbox.process.exec({
  name: "tailscale-up",
  command: `tailscale up --authkey=$TS_AUTHKEY --hostname=${SANDBOX_NAME} --ssh`,
  env: { TS_AUTHKEY },
  waitForCompletion: true,
  timeout: 30, // 30 seconds
});
console.log("tailscale up:", up.logs);

// 5. Get the Tailscale IP
const ip = await sandbox.process.exec({
  name: "tailscale-ip",
  command: "tailscale ip",
  waitForCompletion: true,
  timeout: 10, // 10 seconds
});
console.log("Tailscale IP:", ip.logs?.trim());
Last modified on May 28, 2026