Userspace Networking mode allows running Tailscale on environments where you don’t have access to create a VPN tunnel device.
Tailscale works on Linux systems using a device driver called /dev/net/tun, which allows us to instantiate the VPN tunnel as though it were any other network interface like Ethernet or Wi-Fi. This lets any Linux application — from a web browser to the ping CLI command — send its traffic through the Tailscale interface.
However, not all Linux systems support /dev/net/tun. For example, some container-based app platforms such as Heroku or Google Cloud Run do not. For those environments, userspace networking mode offers a different way of running, where tailscaled functions as a SOCKS5 proxy which other processes in the container can connect through.
You can enable userspace networking from the Tailscale CLI by passing the --tun=userspace-networking flag to tailscaled before calling tailscale up