Go owns Tailscale state
Authentication, WireGuard, ACLs, MagicDNS, DERP, TLS certs, and socket establishment stay inside upstream tsnet.
Dart package over Go tsnet
Use a Tailscale node from Dart.
package:tailscale embeds upstream Go
tsnet and exposes Dart APIs for lifecycle, nodes,
HTTP, TCP, UDP, TLS, Serve, Funnel, routing controls, and
diagnostics.
ts.http.bind()private HTTP listenerts.tcp.bind()raw streamsts.serve.forward()existing local serverts.prefs.updateMasked()routing controls
- Control plane
- Auth, prefs, nodes, whois, diagnostics via tsnet and LocalAPI.
- Data plane
- Owned listeners use fd-backed streams/datagrams, not localhost proxying.
- Platforms
- macOS, iOS, Android, Linux. Windows is intentionally not supported yet.
Feature support
What is implemented today.
This is intentionally explicit. Implemented means there is a typed Dart API and coverage in unit, integration, Headscale, or live Tailscale tests depending on what the feature requires.
Current package surface. Features marked implemented have typed Dart APIs and automated coverage at the tier listed in the repository test docs.
| Area | Dart API | Status | Upstream / notes |
|---|---|---|---|
| Node lifecycle | init, up(ephemeral), down, logout, status |
Implemented | Backed by embedded tsnet.Server lifecycle, including disposable nodes for CI and tests. |
| Nodes and identity | nodes(), nodeByIp(), whois() |
Implemented | Stable node IDs and LocalAPI identity data for authorization checks. |
| Outbound HTTP | http.client |
Implemented | Standard package:http.Client routed through tsnet.HTTPClient. |
| Inbound HTTP | http.bind(port) |
Implemented | fd-backed request and response bodies; no loopback reverse proxy. |
| Raw transports | tcp, udp, tls.bind |
Implemented | Package-native connections/datagrams over Go-owned tailnet sockets. |
| Serve and Funnel | serve.forward, funnel.forward |
Implemented | Forward an existing loopback HTTP server. Serve includes tailnet identity headers; Funnel is public and does not. |
| Tailscale Services | N/A | Not yet | Upstream ListenService is newer than the current tailscale.com v1.92.2 pin. |
| Routing controls | prefs, exitNode |
Implemented | LocalAPI prefs wrappers; live Tailscale coverage for hosted-only behavior. |
| Diagnostics | diag.ping, metrics, derpMap, checkUpdate |
Implemented | Typed diagnostic wrappers with structured error codes. |
| Taildrop | taildrop.* |
Not yet | Public types exist; transfer implementation is deferred. |
| Profiles | profiles.* |
Not yet | Multi-profile/account management is demand-gated. |
| Windows | All data-plane APIs | Unsupported | Needs a Windows-native backend; POSIX fd reactor is not portable. |
API examples
Common flows in code.
These snippets use the public package API. The full generated Dart reference is published at /api/.
Examples assume Tailscale.init has already run and
await ts.up(...) reached a stable state.
Architecture
Upstream semantics, Dart-shaped surface.
Control calls cross a worker isolate into Go. High-volume transport I/O uses fd capabilities and a shared POSIX reactor. Forwarding APIs are different by design: they publish a local HTTP server the app already owns.
Dart owns application shape
Callers work with package-native clients, listeners, datagrams, streams, node objects, prefs, and diagnostics.
Owned transports use fds
http.bind, tcp.bind, udp.bind, and tls.bind move data through private fd capabilities and the shared reactor.
Forwarding is intentionally loopback
serve.forward and funnel.forward are for existing local HTTP servers. Shelf handlers can also run directly on http.bind with the tested adapter example.
Install
Package metadata and docs.
Requires Dart 3.10.4+, Go 1.25+, and the native toolchain for the target platform. Supported today: Android, iOS, macOS, Linux.
dependencies:
tailscale: ^0.3.1