How to Move a Remote Server Between Tailnets (Without Losing SSH Access)

Moving a remote machine between two Tailscale networks (tailnets) is a high-stakes operation. Because Tailscale is a single-session service, logging out usually means cutting the very branch you’re sitting on.

If you’re restructuring your organization or—as in our case—migrating because an old admin left the building, here is how to perform the “Hot Swap” without getting locked out.

The Problem: The “Suicide” Command

Normally, if you SSH into a machine via Tailscale and run tailscale logout, your connection dies instantly. You can’t run the subsequent tailscale up command because you no longer have a route to the box. You’ve just effectively bricked your remote access.

The Solution: Run the Handoff in the Background

We run the logout/login as a background script that survives the SSH session dropping. One small thing to watch: sudo won’t be able to prompt for a password once you lose the terminal, so cache the credential first.

Step 1: Generate the “New Passport” (Auth Key)

You need the machine to join the new network automatically.

  • Log into your new Tailscale Admin Console.
  • Go to Settings > Keys and click Generate auth key.
  • Crucial Settings: Toggle Reusable (if moving many nodes) and Pre-authorized to ON.
  • Copy the key (tskey-auth-xxxx...).

Step 2: Prepare the “Hot-Swap” Script

On your remote machine, create a small bash script. This script acts as your “automated agent.”

cat << 'EOF' > switch_tailscale.sh
#!/bin/bash
# A brief pause to ensure the background handoff is clean
sleep 2

# 1. Disconnect from the old network
tailscale logout

# 2. Immediately join the new network using the Auth Key
tailscale up --authkey=tskey-auth-your-new-key-here --accept-routes
EOF

chmod +x switch_tailscale.sh

Step 3: Pull the Trigger

Run a throwaway sudo first so the timestamp is cached, then launch the script under nohup:

sudo true && sudo nohup ./switch_tailscale.sh &

Your SSH session will freeze — that’s expected. Within ~30 seconds the machine should appear in the new tailnet’s admin console with a fresh IP.

Step 4: Maintaining Access via Node Sharing

What if you need to access this machine from your old network without constantly switching accounts? Use Node Sharing.

  • In the new tailnet console, click the “…” menu next to your machine and select Share.
  • Generate an invite link.
  • Open that link while logged into your old tailnet account.
  • The machine will now appear in your old network as a “Shared” node, complete with its own dedicated IP.

Summary Checklist

  • Auth Key: Pre-authorized so the node joins without manual approval.
  • Sudo timestamp: cached before nohup, since you’ll have no terminal to prompt against.
  • Patience: give it ~60 seconds for routes to propagate.

Success! You’ve migrated your infrastructure without a single trip to the data center or a frantic call to cloud support.