Set up Tailscale on iOS without a separate app

Walk through configuring the built-in Tailscale client in TermAI. From OAuth to first SSH connection in under 5 minutes.

Chen Chen · Founder · May 28, 2026 · 6 min read

Why we built Tailscale in

If you run anything self-hosted — a homelab, a few VPS instances behind your own Tailscale network, a small office — you've probably hit the same friction we did on iOS: open the Tailscale app to bring up the tunnel, switch to your SSH app, hope the tunnel hasn't dropped, switch back if it has. On mobile that context switch is heavier than it sounds. iOS suspends apps aggressively; Tailscale needs to stay alive for SSH to reach a private hostname.

So we embedded the Tailscale SDK directly. There's no second app. When you open TermAI, the tunnel is part of the app's lifecycle. Your tailnet devices appear in the SSH list as if they were on the public internet, and the WireGuard-encrypted path is handled invisibly.

Prerequisites

  • A Tailscale account (free for up to 100 devices)
  • At least one device already on your tailnet that runs sshd — a Mac, a Linux server, a Raspberry Pi, anything
  • TermAI installed on iOS 16 or newer

If you don't have a tailnet yet, sign up at tailscale.com first and install Tailscale on one Mac or Linux box. Five minutes — we'll wait.

Enable Tailscale in TermAI

  1. Open TermAI → Settings → Network
  2. Toggle Tailscale on
  3. The first time, iOS will ask permission to add a VPN configuration. This is how WireGuard works on iOS — the OS handles the tunnel, TermAI talks to it. Tap Allow.

The configuration prompt is one-time. After that, the tunnel comes up automatically whenever TermAI opens.

Sign in with OAuth

With the toggle on, TermAI prompts you to sign in. Tap Sign in with Tailscale. You'll bounce to Safari, hit the Tailscale OAuth flow (Google / GitHub / Microsoft / Okta, whichever your account uses), and come back to TermAI.

We use the official Tailscale OAuth API. No password is ever entered into TermAI, and we don't store your Tailscale credentials.

Sign-in is per-device. If you sign in on iPhone and iPad, both devices appear separately on your Tailscale admin console — useful for ACLs if you want different access rights for mobile.

Your first tailnet SSH

Back in the SSH list, tap + to add a new connection. Instead of typing a hostname, tap the Tailnet tab at the top of the form. You'll see a list of every device on your tailnet that's currently online.

Tap one — say, a homelab box named nas. TermAI auto-fills:

  • Host: the device's tailnet IP (100.x.y.z)
  • Username: blank — you fill this in
  • Port: 22 (override if your sshd runs elsewhere)

Add your username, pick a private key from TermAI's key manager (or generate a new one), and save. Tap the connection. You're in.

Use MagicDNS hostnames

Numeric tailnet IPs work, but MagicDNS makes life better. If you've enabled MagicDNS on your tailnet, you can connect by hostname — ssh nas instead of ssh 100.96.4.21.

Enable MagicDNS in the Tailscale admin console under DNS. TermAI picks it up automatically — restart the Tailscale toggle once after enabling so it refreshes the resolver. From then on, the SSH form's Host field accepts nas directly.

Troubleshooting

Tailscale devices don't appear in the picker. Make sure the tunnel actually came up: Settings → Network → Tailscale → status. If it says "connecting" indefinitely, your iOS device hasn't accepted the VPN configuration — re-toggle and re-accept the iOS prompt.

Connection works on Wi-Fi but not cellular. Some carriers block UDP that Tailscale prefers; the client falls back to DERP relays automatically but the fallback is slower. If you're consistently slow on cellular, force DERP in advanced settings.

"Permission denied (publickey)" after a successful tailnet connect. The tunnel is up; SSH auth failed. Re-check the username and verify your TermAI public key is in ~/.ssh/authorized_keys on the server. The tailnet part is irrelevant at that point.
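For the publickey failure above, a server-side check, added here as an example (not TermAI's or Tailscale's own code). It assumes the public key from TermAI's key manager has been copied to a file on the server and that sshd uses the default ~/.ssh/authorized_keys location; the function names are made up for this example. It matches on the key blob rather than the whole line, so a differing comment or a leading options field does not hide a match, and it flags the group/world-writable permissions that make sshd ignore the file.

```sh
#!/bin/sh
# Added example (not TermAI code). Run on the SSH server:
#   sh check_key.sh /tmp/termai.pub        (file name and path are assumptions)

# Print the base64 key blob of every key line in file $1. authorized_keys
# lines may start with options, so locate the key-type field first.
# Limitation: an option value containing a bare key-type word would confuse it.
key_blobs() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print $(i + 1); next
                }
        }' "$1"
}

# 0 if the first key in public-key file $1 is listed in authorized_keys $2.
key_is_authorized() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(key_blobs "$1" | head -n 1)
    [ -n "$want" ] || return 2
    key_blobs "$2" | grep -qxF -- "$want"
}

# 0 if $1 exists and is not group- or world-writable. With StrictModes (the
# sshd default), a writable home, ~/.ssh or authorized_keys gets the key ignored.
mode_ok() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

check_termai_key() {
    pub=$1
    ak=${2:-$HOME/.ssh/authorized_keys}
    rc=0
    if key_is_authorized "$pub" "$ak"; then
        echo "ok: key is listed in $ak"
    else
        echo "FAIL: key not found in $ak"; rc=1
    fi
    for p in "$ak" "$(dirname "$ak")" "$(dirname "$(dirname "$ak")")"; do
        mode_ok "$p" || { echo "FAIL: $p missing or group/world-writable"; rc=1; }
    done
    return "$rc"
}

[ $# -eq 0 ] || check_termai_key "$@"
```

If both checks pass and login still fails, the username is the remaining suspect from the list above.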

One more thing: Tailscale is disabled on the mainland China build per local regulations. If you're shipping to that region, see /docs/china for the alternative networking path.

