Skip to main content
Mesh Agent connects your on-premise infrastructure to ShiftLabs through an encrypted WireGuard-based mesh network. No inbound ports or complex firewall rules required.

Prerequisites

  • Linux server (Ubuntu 22.04 or 24.04 recommended)
  • Root or sudo access
  • Outbound internet access (no inbound ports required)
  • Subnets you want to expose (e.g., 10.150.50.0/24)

How to Create an Agent

1

Open Mesh Agent Page

Go to Mesh Networking → Mesh Agent and click Create Agent.
2

Enter Agent Details

  • Name: Descriptive name (e.g., production-dc-istanbul)
  • Location: Physical location (e.g., Istanbul Data Center)
  • Customer Subnets: Network ranges to expose (e.g., 10.150.50.0/24)
3

Save

Click Create. You’ll receive installation instructions with your authentication key.

How to Install the Agent

After creating the agent, run the installation script on your server: 
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up \
  --login-server=https://headscale.shiftlabs.dev \
  --authkey=YOUR_AUTH_KEY \
  --advertise-routes=10.150.50.0/24
The actual script with your authentication key is displayed after agent creation.

How to Approve Routes

1

Open Agent Details

Go to Mesh Networking → Mesh Agent and click on your agent.
2

Go to Routes Tab

Click the Routes tab.
3

Enable Routes

Toggle the switch to enable each pending route.
Your infrastructure is now connected to ShiftLabs.

How to Add New Subnets

1

Update Agent Configuration

On your agent’s detail page, click Edit Subnets and add the new subnet.
2

Update Server

On your server, re-run with all subnets:
sudo tailscale up --advertise-routes=10.150.50.0/24,172.16.0.0/24
3

Approve Route

Approve the new route in the Routes tab.

How to Set Up High Availability

For redundancy, install the agent on multiple servers using the same authentication key.
1

Create One Agent

Create a single agent in ShiftLabs.
2

Install on Multiple Servers

Run the installation script on 2+ servers using the same key.
3

Verify

All nodes appear under the same agent in the Nodes tab.
If one node goes offline, traffic automatically routes through available nodes.

How to Rotate Authentication Keys

1

Open Agent

Go to your agent’s detail page.
2

Rotate

Click Rotate Key and confirm.
Existing connections are not affected. Only new node registrations use the new key.

How to Delete an Agent or Node

Delete a node:
  1. Go to agent detail → Nodes tab
  2. Click delete icon on the node
  3. The node disconnects immediately
Delete an agent:
  1. Go to agent detail page
  2. Click Delete and confirm
Deleting an agent disconnects all nodes immediately and cannot be undone.

Network Requirements

Mesh Agent requires only outbound connectivity:
ProtocolPortPurpose
UDP41641WireGuard tunnel
HTTPS443Coordination server
No inbound ports need to be opened on your firewall.

Troubleshooting

  1. Check server has internet connectivity
  2. Verify Tailscale service is running: 
    sudo systemctl status tailscaled
  3. Restart if needed: 
    sudo systemctl restart tailscaled
  1. Verify routes are enabled (not “Pending”) in Routes tab
  2. Enable IP forwarding: 
    sudo sysctl net.ipv4.ip_forward=1
  3. Check advertised routes: 
    tailscale status
  1. Verify you copied the complete installation script
  2. Check if authentication key expired
  3. Generate new key with Rotate Key and reinstall
  1. Check network stability on agent server
  2. Verify firewall isn’t blocking UDP port 41641
  3. Check for IP conflicts in your network

FAQ

No limit. Create as many as needed for different locations.
Yes. ShiftLabs handles IP translation automatically to prevent conflicts.
It shows as “Inactive”. Operations targeting that infrastructure will fail until reconnected. The agent reconnects automatically when network is available.
No. Works with dynamic IPs and behind NAT.
  1. Install on new server using the same authentication key
  2. Verify new node appears in Nodes tab
  3. Delete the old node