This repository provides an ACAP package that installs the Tailscale VPN client on Axis cameras.
- Secure remote access to cameras
- Easy to install via EAP package
- Works on Axis OS 11.11+ (non-root version)
- Works on legacy Axis OS 9.x / 10.x via the ACAP 3 variant
- Based on WireGuard VPN technology
Disclaimer: This is an independent, community-developed ACAP package and is not an official Axis Communications product. It is not affiliated with, endorsed by, or supported by Axis Communications AB. Use it at your own risk. For official Axis software, visit axis.com
Tailscale Notice: Tailscale is a product of Tailscale Inc. This package independently redistributes the Tailscale binaries under the BSD 3-Clause License and is not affiliated with, endorsed by, or supported by Tailscale Inc. For the official Tailscale client, visit tailscale.com.
- Installation
- Usage
- Settings
- Proxy Support
- Updating Tailscale
- Purpose
- Useful Links
- Compatibility
- Star History
- Support
Get the prebuilt .eap file from the Releases page.
- Log into your Axis camera.
- Go to Apps → Add App.
- Upload the
.eapfile.
Once installed:
- Start the app.
- Click Open to view logs and get your Tailscale authentication URL.
- On uninstall, all changes/files are removed.
You'll need a Tailscale account to authenticate.
- Runs a C-based parameter bridge (compiled via ACAP SDK 1.15.1) that reads settings from the ACAP parameter store and launches Tailscale.
- View logs and connection status via the Open button in the app.
- Authenticate using the provided URL, or pre-enter an auth key in Settings.
- Change the Custom Server URL in Settings to use a self-hosted Headscale control server.
- Parameter changes (ports, server URL, auth key) are applied automatically without needing to reinstall the app.
All parameters are configurable via the web UI (Open → Settings card) and take effect immediately without reinstalling:
| Parameter | Default | Description |
|---|---|---|
| Custom Server URL | (empty) | Control server URL for Headscale or other self-hosted servers. Leave blank to use Tailscale's official servers. |
| Auth Key | (empty) | Pre-authentication key (tskey-auth-...). Cleared automatically after first successful connection. Leave blank to authenticate via browser. |
| HTTP Proxy Port | 8080 |
Port for the outbound HTTP/HTTPS proxy. |
| SOCKS5 Proxy Port | 1080 |
Port for the outbound SOCKS5 proxy. |
All non-ROOT variants expose two local proxy endpoints that route outbound traffic through the Tailscale tunnel. The ports are configurable via Settings → HTTP Proxy Port / SOCKS5 Proxy Port in the web UI.
Routes HTTP and HTTPS traffic. Set this wherever an HTTP/HTTPS proxy field is available on the camera:
| Location | Field | Value |
|---|---|---|
| System → Network → Global proxies | HTTP proxy | http://127.0.0.1:<port> |
| System → Network → Global proxies | HTTPS proxy | http://127.0.0.1:<port> |
| System → MQTT → Broker | HTTP proxy | http://127.0.0.1:<port> |
| System → MQTT → Broker | HTTPS proxy | http://127.0.0.1:<port> |
For ACAP apps or services that support SOCKS5, set their proxy to 127.0.0.1:<port>.
The active proxy addresses are always shown in the Proxy Configuration card of the web UI.
If you change a port that is already in use by another process, the app will log an error and exit rather than silently falling back to a different port.
- New
.eapfiles are auto-built and released weekly (if a new Tailscale version is available). - To update, simply install the new
.eapover the existing one.
Replace the binaries in the lib/ folder:
tailscaletailscaled
Download the latest versions: Tailscale static builds
From the main directory of the version you want (arm / aarch64):
docker build --tag <package_name> .
docker cp $(docker create <package_name>):/opt/app ./buildTailscale ACAP can now run without root privileges, making it compatible with Axis OS 11.11+.
- Runs in user space networking mode.
For full kernel networking, use the ROOT version. Note: ROOT mode requires Axis OS 11.11–11.x — Axis OS 12 and later removed root access for third-party applications.
An ACAP 3 variant (armv7hf_acap3) is available for older cameras that do not support ACAP 4 / Axis OS 11+. It uses the same userspace networking mode and web UI, built against the ACAP SDK 3.5 toolchain.
Adding a VPN client directly to the camera enables:
- Secure remote access without additional hardware or complex network configuration.
- Easy setup through Tailscale’s lightweight WireGuard-based tunnel.
Learn more: How Tailscale Works
The Tailscale ACAP is compatible with Axis cameras with ARM and AARCH64-based SoCs.
| Variant | Architecture | Axis OS | Notes |
|---|---|---|---|
aarch64 |
AArch64 | 11.11+ (ACAP 4) | Standard, userspace networking, configurable proxy ports |
armv7hf |
ARMv7 | 11.11+ (ACAP 4) | Standard, userspace networking, configurable proxy ports |
aarch64_root |
AArch64 | 11.11 – 11.x (ACAP 4) | Full kernel networking (root) — not supported on OS 12+ |
armv7hf_root |
ARMv7 | 11.11 – 11.x (ACAP 4) | Full kernel networking (root) — not supported on OS 12+ |
armv7hf_acap3 |
ARMv7 | 9.x – 10.x | Legacy cameras, ACAP SDK 3 |
Not sure which variant to use? Check System → Properties → Firmware version on your camera. Axis OS 12+ → use the standard variant (
aarch64orarmv7hf). Axis OS 11.11–11.x → standard variant, or ROOT if you need kernel networking. Axis OS 9.x/10.x on ARMv7 → usearmv7hf_acap3.
You can verify your device details using the following command:
curl --anyauth "*" -u <username>:<password> <device_ip>/axis-cgi/basicdeviceinfo.cgi --data '{"apiVersion":"1.0","context":"Client defined request ID","method":"getAllProperties"}'Replace
<device_ip>,<username>, and<password>with your device credentials.
Enclose your password in quotes' 'if it contains special characters.
If you like this project and want to support my work:
Sponsor Me