Keep Tailscale Windows Service up 24/7 with Service Protector

How to Keep the Tailscale Windows Service Up 24/7 with Service Protector

Monitor and automatically restart Tailscale if stops for any reason. Ensure that your VPN always running.

Tailscale is a WireGuard-based software package that connects devices securely over a VPN.

By default, the Tailscale server installs itself as a Windows Service. That way, it starts automatically whenever your computer boots and runs unattended in the background:

But running as a service may not be enough. What happens if Tailscale crashes? Or if someone accidentally stops the service? That's where Service Protector come in. It will keeps a close eye on Tailscale and quickly jump in to help if it detects a problem.

To set up Tailscale with Service Protector:

  1. Download and install Service Protector, if necessary.

  2. Start Service Protector.

  3. Select Protector > Add to open the Add Protector window:

    Add Protector

  4. On the General tab, in the Service to protect drop-down, select the Tailscale service.

    You can leave all other settings at their defaults, which should work well for Tailscale:

    Tailscale Windows Service: General Tab

  5. Tailscale is a network service that must always be connected. If it's not online, something is wrong.

    To protect against that failure, let's set up a "sanity check". It will monitor Tailscale's TCP/IP stack and restart the service if it has no open connections.

    1. Switch to the Monitor tab. Check the Whenever it fails a periodic sanity check box and click the Set button:

      Tailscale Windows Service: Monitor Tab

    2. In the Add Sanity Check window, select the Check that your service has open network connections option and click Next to proceed:

      Add a network connections check

    3. The next page allows you to specify what kind of network connections to look for.

      When we examined tailscaled.exe — the executable run by the service — we noticed a single outbound TCP/IP connection. Indeed, here's what we saw in Microsoft's TCPView:

      tailscaled.exe network connections

      Because of that, we recommend activating the Fail if there are no outbound/remote connections option in your sanity check:

      Tailscale network connections sanity check: Options

      Click Next to continue.

    4. At this point, specify how often Service Protector should check that Tailscale has an outbound network connection. Every 5 minutes should be good enough but feel free to adjust as you see fit:

      Tailscale network connections sanity check: Frequency

      After you're done, click Next to move on.

    5. And finally, confirm your settings:

      Confirm your Tailscale sanity check settings

      If everything looks good, click Add to record your new sanity check and return to the Monitor tab.

  6. We're done configuring Tailscale so click the Save button. In a few seconds, a new entry named "Tailscale" will appear in the Service Protector window.

    The green shield indicates that Service Protector is already actively monitoring the Tailscale Windows Service — to quickly detect and respond to failures:

    Tailscale Windows Service: Protected

    You can click the green "Running" circle to see how the Tailscale service/executable is doing:

    Tailscale Windows Service: Running status

  7. That's it! Next time your computer boots, Tailscale will start automatically and Service Protector will babysit the service and promptly restart it if it stops for any reason.

    We encourage you to edit your Tailscale entry in Service Protector and check out the many other settings that may be appropriate for your environment. For example, send an email if the service fails, restart Tailscale once a week to keep it "fresh", and much more.

Trouble protecting the Tailscale Windows Service?