The only way to allow them access to one of your services behind the tailscale VPN that I can think of is via tailscale funnel.
With that you can expose one of your tailscale nodes to the internet.
But that means everyone has access to it, so you’d need to employ some extra security measure to secure access.
See details about funnel here: Tailscale Funnel · Tailscale
Basically it consists of two base commands: tailscale serve and tailscale funnel.
With the first you set up what you want to serve. At the moment I believe that can be raw text, HTTP, HTTPS or TCP (all of which currently can only point to a service running on the local host 127.0.0.1).
This automatically creates valid certificates (from “Let’s Encrypt”) and serves your server within the tailnet.
Then you can use tailscale funnel to extend that into the internet, making it available under the fully qualified domain name of your particular tailnet node, e.g. https://HOSTNAME.TAILNET-NAME.ts.net.
More details under the tailscale serve --help and tailscale funnel --help commands (or the link above).
If you don’t want to expose a service to the internet and want to keep it all within the tailnet, then I’m afraid the only way you can share access would be to have the contractor either have their own tailnet, into which you share your node, OR you give them a user account under your domain, so that they can log in with that and you limit what they can access via tailscale’s ACLs.
But either way they’d need to install the tailscale client.
If you want to get creative, then you could create a VPS for the sole purpose of connecting the contractor to your tailnet.
Install tailscale on the VPS, but give a tag to that node. Having a tag strips it from all access and you have to explicitly define what it can access in your tailnet.
Then provide some other means for the contractor to access that VPN (i.e. not via tailscale), be that VNC, RDP, or what have you.
So then your contractor would login to that VPS via some method (VNC, RDP, some other remote tool, etc.). The VPS is also connected to your tailnet, but only has limited access to the machines/services you explicitly defined.
Technically, instead of a VPS you could probably also do this on a VM. The VPS or VM would basically act as a limited gateway into your tailnet.
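As an added illustration (not part of the post above), here is what the "tagged VPS as limited gateway" idea looks like as a Tailscale ACL policy (HuJSON). The tag name tag:contractor-gw, the host name app-server, the tailnet IP 100.64.0.10 and port 443 are all assumed values constructed for this example.

```jsonc
// Tailscale ACL policy (HuJSON) for a tagged VPS acting as a limited gateway.
// Assumed/constructed values: tag:contractor-gw, app-server, 100.64.0.10, port 443.
{
  // Who is allowed to apply the tag. A tagged node has no user identity,
  // so it gets no access at all until an "acls" rule explicitly grants some.
  "tagOwners": {
    "tag:contractor-gw": ["autogroup:admin"],
  },

  // Readable alias for the internal machine that the contractor may reach.
  "hosts": {
    "app-server": "100.64.0.10",
  },

  "acls": [
    // Regular tailnet users keep full access to user-owned devices.
    // (Tagged nodes are not user-owned, so this does not include the VPS.)
    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:member:*"] },

    // The gateway VPS may reach ONLY app-server on port 443.
    // Tailscale ACLs are default-deny and have no "deny" action, so everything
    // not listed here is blocked; avoid broad rules such as dst ["*:*"] for the tag.
    { "action": "accept", "src": ["tag:contractor-gw"], "dst": ["app-server:443"] },
  ],

  // Only for the Funnel variant from the first part of the post: the node that
  // runs "tailscale funnel" must carry the "funnel" attribute. Omit this block
  // when using the VPS-gateway approach, so nothing is reachable from the internet.
  "nodeAttrs": [
    { "target": ["100.64.0.10"], "attr": ["funnel"] },
  ],
}
```

After applying the policy, running tailscale status on the VPS should show only app-server as reachable, which is a quick way to confirm the gateway really is limited to what you defined.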