TL;DR

• WebDAV server that runs exclusively on your Tailscale network
• Secure file access without public internet exposure
• Zero-config setup with ephemeral Tailscale nodes
• Works with any standard file manager or WebDAV client

Links

• GitHub: https://github.com/zmaas/tsdav
• Installation
• Usage Examples

Why

Need to grab files from a remote machine but don't want to mess with SSH, VPNs, or expose services publicly? tsdav gives you secure WebDAV access through Tailscale's encrypted mesh network in seconds.

Highlights

• Zero trust by design: Only accessible through your Tailscale network
• Standard protocol: Works with Finder, Windows Explorer, curl, etc.
• Ephemeral: Auto-cleanup when you're done - no lingering network nodes
• Optional auth: Add HTTP Basic Auth when you need it

How it works

1. Spins up a WebDAV server serving your chosen directory
2. Registers as an ephemeral Tailscale node (auto-cleanup on exit)
3. Accessible via http://tsdav:8080 from any device on your tailnet
4. Standard WebDAV protocol - mount as network drive or use any client

Installation

go build -o tsdav main.go

Usage

Quick start

# Serve current directory
./tsdav

# Serve specific path
./tsdav --dir /home/user/documents

With authentication

export WEBDAV_USER=myuser
export WEBDAV_PASS=mypass
./tsdav --dir /path/to/files --authenticate

Client examples

# macOS Finder: Cmd+K → http://tsdav:8080
# Windows: Map network drive to \\tsdav@8080\DavWWWRoot
# Command line
curl -u user:pass http://tsdav:8080/somefile.txt

Security

• All traffic encrypted through Tailscale's WireGuard mesh
• No public internet exposure (not even localhost)
• Ephemeral nodes prevent network pollution
• Optional HTTP Basic Auth for additional access control

Tech

• Go with net/http and WebDAV handlers
• Tailscale SDK for mesh networking
• Ephemeral node registration with auto-cleanup
• Standard WebDAV protocol implementation

What I learned

• Tailscale's ephemeral nodes are perfect for temporary services
• WebDAV client compatibility varies wildly (Windows is... special)
• Sometimes the simplest solution (WebDAV) beats complex file sync setups
• Mesh networking makes "secure by default" actually achievable

Environment Variables

• TS_AUTHKEY: Tailscale auth key for headless setup
• WEBDAV_USER: Username for HTTP Basic Auth
• WEBDAV_PASS: Password for HTTP Basic Auth