Using Tailscale with Parsec for Secure Remote Desktop Access

tailscale-parsec-guide.md

🛡️ Using Tailscale with Parsec for Secure Remote Desktop Access

📌 Overview

This guide shows how to use Tailscale (a mesh VPN) together with Parsec (a high-performance remote desktop tool) to:

• Securely access your machine from anywhere
• Avoid port forwarding or exposing public IPs
• Improve peer-to-peer connection reliability

---

🔧 Requirements

Tool	Version/Notes
Tailscale	Free or paid plan, installed on both client and host
Parsec	Installed and configured on both client and host
OS	Windows, Linux, or macOS supported by both tools

---

📥 Step-by-Step Instructions

1. Install Tailscale on Both Machines

🖥 Host (e.g., Gaming PC or Workstation)

• Go to https://tailscale.com/download
• Install Tailscale for your OS
• Log in using your preferred identity provider (e.g., Google, GitHub)

💻 Client (e.g., Laptop or Tablet)

• Repeat the same steps to install and log in to Tailscale

✅ After login, both devices should appear in your Tailscale admin panel

---

2. Confirm Tailscale Connection

• Open a terminal or command prompt
• Run:

tailscale status

You should see your host and client listed with 100.x.x.x IP addresses (Tailscale's private network).

Try pinging the host from the client:

ping 100.x.x.x

🟢 If ping works, you have a successful Tailscale connection.

---

3. Install and Configure Parsec

On the Host

• Download Parsec: https://parsec.app/downloads
• Sign in or create an account
• Enable Host Mode in settings
• Add your PC to your Approved Devices list

On the Client

• Install and log in using the same Parsec account
• You should see the host listed if Parsec detects it via LAN

---

4. Force Parsec to Use Tailscale IP (Optional)

If Parsec fails to establish a direct connection (due to NAT/firewall), you can:

1. Get the Host’s Tailscale IP from the tailscale status output
2. On the client, manually connect by running (Parsec CLI, advanced):

parsecd --peer 100.x.x.x

Or in the Parsec UI (when supported), edit the host config to use the Tailscale IP.

---

5. Optimize and Secure

✔ Use Tailscale ACLs

Restrict access to the host device from certain clients via ACL rules:

{
  "ACLs": [
    {
      "Action": "accept",
      "Users": ["user@example.com"],
      "Ports": ["100.x.x.x:443", "100.x.x.x:3389"]
    }
  ]
}

✔ Enable Tailscale SSH (Optional)

This allows you to SSH into your host via Tailscale:

ssh user@100.x.x.x

Enable it from the admin panel and in your Tailscale config.

---

6. Test Your Setup

• Start Parsec on the host
• On the client, connect to the host
• Confirm smooth, low-latency remote desktop session

You should now have Parsec running over Tailscale, with no need for public IPs or port forwarding 🎉

---

🧠 Additional Notes

Feature	Supported
NAT Traversal	✅
Cross-platform support	✅
Works behind CGNAT/NAT	✅
Secure (end-to-end)	✅ via WireGuard
Gamepad input + low-latency	✅ via Parsec

---

✅ Summary

Tool	Purpose
Tailscale	Creates a secure private network for your devices
Parsec	Provides low-latency remote desktop access
Combined	Gives you fast, secure, and private access to your workstation from anywhere

❯ parsecd --peer 100.84.165.115
[D 2026-02-25 15:23:44] log: Parsec release17 (150-101, Service: -1, Loader: 12)
[D 2026-02-25 15:23:44] log: Parsec getting initial user data.
[D 2026-02-25 15:23:44] log: Parsec got initial user data.
[2 2026-02-25 15:23:44] Force Relay Mode: Off
[2 2026-02-25 15:23:44] Force Relay Mode: Off
[2 2026-02-25 15:23:44] UPNP: upnp_create
[D 2026-02-25 15:23:44] Client status changed to: -3
[D 2026-02-25 15:23:47] Client status changed to: 20
[3 2026-02-25 15:23:48] CANDEX: LAN 192.168.1.2:22929
[2 2026-02-25 15:23:48] Adding LAN Candidate from peer (1); 192.168.1.2:22929
[3 2026-02-25 15:23:48] CANDEX: LAN 172.19.80.1:22929
[2 2026-02-25 15:23:48] Adding LAN Candidate from peer (1); 172.19.80.1:22929
[3 2026-02-25 15:23:48] CANDEX: LAN 192.168.1.3:22929
[2 2026-02-25 15:23:48] Adding LAN Candidate from peer (1); 192.168.1.3:22929
[3 2026-02-25 15:23:48] Sent candidate.
[3 2026-02-25 15:23:48] sent: {"action":"candex","version":1,"payload":{"attempt_id":"e433885a-328d14b6-d352c96a-018c523b-ec4bb932-e70a22ce","data":{"lan":true,"port":31859,"ver_data":1,"versions":{"bud":1,"control":1,"p2p":1,"audio":1,"init":1,"video":1},"from_stun":false,"sync":false,"ip":"192.168.1.5"},"to":"3A7ZO2GHErZ4hXPzrGHHtbV2rD4"}}
[3 2026-02-25 15:23:49] CANDEX: WAN ::ffff:182.50.241.86:22929
[2 2026-02-25 15:23:49] Adding WAN Candidate from peer (1); ::ffff:182.50.241.86:22929
[3 2026-02-25 15:23:49] Sent candidate.
[3 2026-02-25 15:23:49] sent: {"action":"candex","version":1,"payload":{"attempt_id":"e433885a-328d14b6-d352c96a-018c523b-ec4bb932-e70a22ce","data":{"lan":false,"port":22929,"ver_data":1,"versions":{"bud":1,"control":1,"p2p":1,"audio":1,"init":1,"video":1},"from_stun":false,"sync":true,"ip":"::ffff:182.50.241.86"},"to":"3A7ZO2GHErZ4hXPzrGHHtbV2rD4"}}
[I 2026-02-25 15:23:49] STUN reply from ::ffff:3.228.228.84:3478
[2 2026-02-25 15:23:49] Sending Candidate; ::ffff:182.50.241.166:31859
[3 2026-02-25 15:23:49] Sent candidate.
[3 2026-02-25 15:23:49] sent: {"action":"candex","version":1,"payload":{"attempt_id":"e433885a-328d14b6-d352c96a-018c523b-ec4bb932-e70a22ce","data":{"lan":false,"port":31859,"ver_data":1,"versions":{"bud":1,"control":1,"p2p":1,"audio":1,"init":1,"video":1},"from_stun":true,"sync":false,"ip":"::ffff:182.50.241.166"},"to":"3A7ZO2GHErZ4hXPzrGHHtbV2rD4"}}
[3 2026-02-25 15:23:49] CANDEX: WAN ::ffff:182.50.241.166:31859
[D 2026-02-25 15:23:52] UPNP: No devlist
[I 2026-02-25 15:23:57] Client disconnected with status code: -6023 / -11010
[D 2026-02-25 15:23:57] Client status changed to: -3

why it not connecting to the targeted peer?

app_custom_address = tailscaletargetip
app_lan_address = tailscaletargetip

if any1 wondering to fix this issue you can use this config, and put it in your device that you want to connect, in the parsec config.txt