A modern, real-time web application for visualizing and analyzing network traffic flows within Tailscale networks.
brew install rajsinghtech/tap/tsflowdocker pull ghcr.io/rajsinghtech/tsflow:latestDownload the latest release from GitHub Releases.
Important: TSFlow requires the Tailscale Network Flow Logs feature. This is available on Premium and Enterprise plans and must be enabled in your Tailscale admin console. The application will not show any flow data otherwise.
# Set your credentials
export TAILSCALE_OAUTH_CLIENT_ID=your-client-id
export TAILSCALE_OAUTH_CLIENT_SECRET=your-client-secret
# Run TSFlow
tsflowNavigate to http://localhost:8080 to access the dashboard.
Using OAuth (Recommended):
docker run -d \
--name tsflow \
-p 8080:8080 \
-e TAILSCALE_OAUTH_CLIENT_ID=your-client-id \
-e TAILSCALE_OAUTH_CLIENT_SECRET=your-client-secret \
--restart unless-stopped \
ghcr.io/rajsinghtech/tsflow:latestUsing API Key:
docker run -d \
--name tsflow \
-p 8080:8080 \
-e TAILSCALE_API_KEY=your-api-key \
--restart unless-stopped \
ghcr.io/rajsinghtech/tsflow:latestGo to the Logs tab in your Tailscale Admin Console and ensure that Network Flow Logs are enabled. Note: This requires a Premium or Enterprise plan.
TSFlow supports two authentication methods with Tailscale. You only need to configure one method.
OAuth provides better security through automatic token refresh and fine-grained permissions.
- Go to the OAuth clients page in your Tailscale Admin Console
- Create a new OAuth client
- Copy the Client ID and Client Secret
- Set the following environment variables:
TAILSCALE_OAUTH_CLIENT_ID=your-client-idTAILSCALE_OAUTH_CLIENT_SECRET=your-client-secret
- Go to the API keys page in your Tailscale Admin Console
- Create a new API key
- Copy the generated API key (starts with
tskey-api-) - Set
TAILSCALE_API_KEY=your-api-key
- Go to the Settings page in your Tailscale Admin Console
- Your organization name is displayed in the Organization section (used by the Tailscale API)
- Use this exact organization name for the
TAILSCALE_TAILNETvariable
For most users, the default API URL works fine. However, some users may need to use region-specific endpoints:
- Default:
https://api.tailscale.com - US-specific:
https://api.us.tailscale.com
Set TAILSCALE_API_URL=https://api.us.tailscale.com if you need the US-specific endpoint.
| Variable | Description | Required | Default |
|---|---|---|---|
TAILSCALE_TAILNET |
Your organization name (use - for auto-detect) |
No | - |
TAILSCALE_API_URL |
Tailscale API endpoint URL | No | https://api.tailscale.com |
| OAuth Method | |||
TAILSCALE_OAUTH_CLIENT_ID |
OAuth client ID | Yes* | - |
TAILSCALE_OAUTH_CLIENT_SECRET |
OAuth client secret | Yes* | - |
TAILSCALE_OAUTH_SCOPES |
OAuth scopes (comma-separated) | No | all:read |
| API Key Method | |||
TAILSCALE_API_KEY |
Your Tailscale API key | Yes* | - |
| Other | |||
PORT |
Backend server port | No | 8080 |
ENVIRONMENT |
Runtime mode (development or production) |
No | development |
*Either OAuth credentials OR API key must be provided
Create a docker-compose.yml file:
Using OAuth (Recommended):
services:
tsflow:
image: ghcr.io/rajsinghtech/tsflow:latest
container_name: tsflow
ports:
- "8080:8080"
environment:
- TAILSCALE_OAUTH_CLIENT_ID=your-client-id
- TAILSCALE_OAUTH_CLIENT_SECRET=your-client-secret
restart: unless-stoppedUsing API Key:
services:
tsflow:
image: ghcr.io/rajsinghtech/tsflow:latest
container_name: tsflow
ports:
- "8080:8080"
environment:
- TAILSCALE_API_KEY=your-api-key
restart: unless-stoppedCommands:
# Start the application
docker-compose up -d
# View logs
docker-compose logs -f tsflow
# Update to latest version
docker-compose pull && docker-compose up -d
# Stop the application
docker-compose downDeploy TSFlow on Kubernetes using the provided manifests:
git clone https://github.com/rajsinghtech/tsflow.git
cd tsflow/k8s
# Edit kustomization.yaml with your credentials
kubectl apply -k .Built with ❤️ for the Tailscale community