If you've installed Tailscale on Windows 10/11 and, when it starts, it just says:
"Starting…"
…you're at the right place.
This issue commonly shows up on machines running Docker Desktop, Hyper-V, WSL2, or other virtual networking components. The service appears to be running, but the Tailscale VPN never actually connects.
This post walks through:
- The exact symptoms
- Why it happens
- The full fix that worked
- Why Docker and Hyper-V systems are more prone to it
What is Tailscale?
Tailscale is a VPN service that creates a secure private network between your devices using WireGuard. Unlike traditional VPNs, Tailscale provides zero-config networking that just works - that is, when it starts properly.
The Tailscale VPN allows you to access your devices from anywhere, set up exit nodes for secure browsing, and connect your entire infrastructure without complex firewall configurations.
The Symptoms
On the affected Windows 10 machine after you install Tailscale:
- The Tailscale tray icon says "Starting…" indefinitely
- Get-Service Tailscale shows Running
- tailscale up in PowerShell hangs with no output
- No "Tailscale Tunnel" adapter appears in Network Connections
- Restarting the service does nothing
- Stopping Docker Desktop doesn't fix it
Meanwhile, Tailscale works perfectly on other machines.
What's Actually Broken?
Tailscale on Windows relies on a virtual network adapter (Wintun driver).
In this failure state:
- The Windows service starts
- The CLI runs
- But the tunnel adapter never gets created
Without that adapter, Tailscale has nothing to bind to - so it just sits there.
This is usually caused by a corrupted Windows NDIS/network binding stack. Machines that run:
- Docker Desktop
- Hyper-V
- WSL2
- Old VPN clients
- Virtual switches
…are more likely to hit this issue.
The Fix
This fully resets Windows networking and forces the virtual driver stack to rebuild.
Important Note
This temporarily removes and reinstalls network adapters. That's expected behavior and part of the fix.
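Because the reset removes adapters, it helps to record the current configuration first so you can compare after the reboot. The following is an added example, not part of the original post; the output folder name is an assumption, and the Hyper-V section only runs if the Hyper-V PowerShell module is installed. Run it in PowerShell as Administrator before Step 2:

```powershell
# Added example: snapshot network configuration before running netcfg -d.
# The folder name below is an assumption; change it as needed.
$dir = Join-Path $env:USERPROFILE ("net-snapshot-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $dir | Out-Null

# Every adapter, including hidden virtual ones (Hyper-V, WSL2, old VPN clients)
Get-NetAdapter -IncludeHidden |
    Select-Object Name, InterfaceDescription, Status, MacAddress, ifIndex |
    Export-Csv (Join-Path $dir 'adapters.csv') -NoTypeInformation

# IP addresses; PrefixOrigin shows whether each one came from DHCP or was set manually
Get-NetIPAddress |
    Select-Object InterfaceAlias, AddressFamily, IPAddress, PrefixLength, PrefixOrigin |
    Export-Csv (Join-Path $dir 'ip-addresses.csv') -NoTypeInformation

# DNS servers per interface
Get-DnsClientServerAddress |
    Select-Object InterfaceAlias, AddressFamily,
        @{ Name = 'Servers'; Expression = { $_.ServerAddresses -join ';' } } |
    Export-Csv (Join-Path $dir 'dns-servers.csv') -NoTypeInformation

# Default routes (gateway per interface)
Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop, RouteMetric |
    Export-Csv (Join-Path $dir 'default-routes.csv') -NoTypeInformation

# Hyper-V virtual switches, only if the Hyper-V module is available
if (Get-Command Get-VMSwitch -ErrorAction SilentlyContinue) {
    Get-VMSwitch |
        Select-Object Name, SwitchType, NetAdapterInterfaceDescription |
        Export-Csv (Join-Path $dir 'vmswitches.csv') -NoTypeInformation
}

# Plain-text copy for quick reading
ipconfig /all | Out-File (Join-Path $dir 'ipconfig-all.txt')

Write-Host "Snapshot written to $dir"
```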
Step 1 – Uninstall Tailscale
Go to:
Settings → Apps → Tailscale → Uninstall
Reboot.
Step 2 – Deep Reset the Windows Network Stack
Open PowerShell as Administrator and run:
netsh winsock reset
netsh int ip reset
netcfg -d
You may see an "Access is denied" during netsh int ip reset; that's fine.
The important command is:
netcfg -d
This does the heavy lifting:
- Removes WAN miniports
- Removes network adapters
- Clears binding corruption
- Rebuilds the NDIS stack
- Resets Hyper-V switch bindings
You will see adapters being removed in the output; that's normal.
When it finishes, reboot immediately.
Step 3 – Confirm Network Is Working
After reboot:
ipconfig
Make sure:
- You get a valid LAN IP (e.g., 192.168.x.x)
- Internet access works
If networking is normal, continue.
Step 4 – Download Tailscale and Reinstall Properly
Now it's time to reinstall Tailscale. Download Tailscale from the official website and follow these steps:
- Download the latest Tailscale installer from tailscale.com/download
- Right-click the installer → Run as Administrator
- Let the Tailscale installation complete
- Reboot again
Do not start Docker Desktop yet.
Step 5 – Verify the Tunnel Adapter Exists
Before opening the tray app, go to:
Control Panel → Network and Sharing Center → Change Adapter Settings
You should now see:
Tailscale/Tailscale Tunnel
If you see it, the driver installed correctly.
Step 6 – Bring Tailscale Up
Open PowerShell (Admin):
tailscale up
The tailscale up command initializes your connection. You should now:
- See browser login open
- Successfully authenticate
- Get a 100.x.x.x IP address
You can confirm with:
tailscale ip
At this point, Tailscale should work normally.
Now you can start Docker Desktop again.
Why This Works
netcfg -d forces Windows to completely rebuild the network binding stack.
On Docker / Hyper-V systems, it's common for:
- Old virtual adapters
- VPN remnants
- Corrupted bindings
- Incomplete driver registrations
…to prevent new virtual drivers from attaching properly.
The Tailscale service starts, but the Wintun adapter never registers.
Resetting the stack clears the corruption and allows the driver to install cleanly.
What You Do NOT Need
You do not need:
- The Docker Desktop Tailscale extension
- A Tailscale container
- Host networking mode
- Special Docker configuration
- Hyper-V changes
Tailscale should run on Windows itself — not inside Docker.
Configuring Tailscale Exit Nodes
Once your Tailscale install is working properly, you can configure a Tailscale exit node to route all your internet traffic through another device on your network. This is useful for secure browsing from public WiFi or accessing region-specific content.
To set up an exit node, use:
tailscale up --advertise-exit-node
Then enable it in the Tailscale admin console. Other devices can then route through this machine as their exit node.
If It Still Doesn't Work
After you reinstall Tailscale, check if the Wintun driver exists:
pnputil /enum-drivers | findstr /i wintun
If nothing appears, Windows may be blocking the driver from installing.
At that point, you're likely dealing with Group Policy restrictions, antivirus interference, or other system-level blocks that prevent unsigned or third-party drivers from loading.
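To see which link in the chain is failing (service, driver, adapter, address), the checks from the symptoms list and from Steps 5 and 6 can be combined into one pass. This is an added example, not part of the original post; Test-TailscaleStack is a hypothetical helper name, and matching the adapter on the text "Tailscale" is an assumption based on the adapter name shown in Step 5.

```powershell
# Added example: report which link in the
# service -> driver -> adapter -> address chain is broken.
function Test-TailscaleStack {
    $r = [ordered]@{}

    # 1. Windows service state (the post's Get-Service Tailscale check)
    $svc = Get-Service -Name Tailscale -ErrorAction SilentlyContinue
    $r.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Driver store lookup, same as: pnputil /enum-drivers | findstr /i wintun
    $r.WintunInDriverStore = [bool](pnputil /enum-drivers |
        Select-String -Pattern 'wintun' -Quiet)

    # 3. Tunnel adapter, including hidden or disabled instances
    #    (assumption: its name or description contains "Tailscale")
    $nic = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.InterfaceDescription)" -like '*Tailscale*' }
    $r.TunnelAdapterPresent = [bool]$nic

    # 4. 100.x.x.x address, read from the adapter so the check does not
    #    depend on the tailscale CLI responding
    $ip = $null
    if ($nic) {
        $ip = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -like '100.*' }
    }
    $r.TailscaleIPv4 = ($ip.IPAddress -join ', ')

    # Map the findings back to the steps in this post
    $r.Verdict = if (-not $r.ServiceRunning) {
        'Service not running: start or reinstall Tailscale first.'
    } elseif (-not $r.TunnelAdapterPresent -and -not $r.WintunInDriverStore) {
        'No adapter, no Wintun package: run Steps 1-4; if it persists, the driver is being blocked.'
    } elseif (-not $r.TunnelAdapterPresent) {
        'Service up but no tunnel adapter: the "Starting..." state; run Steps 1-4.'
    } elseif (-not $ip) {
        'Adapter exists but has no 100.x.x.x address: run tailscale up (Step 6).'
    } else {
        'Tunnel adapter is present and addressed.'
    }
    [pscustomobject]$r
}

Test-TailscaleStack | Format-List
```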
Frequently Asked Questions
Why does Tailscale get stuck on "Starting…" on Windows?
Tailscale relies on a virtual network adapter called the Wintun driver. When the Windows NDIS network stack becomes corrupted—often from Docker Desktop, Hyper-V, WSL2, or old VPN clients—the adapter fails to initialize. The service runs, but with no tunnel adapter to bind to, Tailscale never actually connects.
Will netcfg -d break my network connection?
Temporarily, yes. The netcfg -d command removes all network adapters and rebuilds the network stack. After rebooting, Windows automatically reinstalls your network drivers and restores connectivity. This is a clean reset, not permanent damage.
Do I need to uninstall Docker Desktop to fix Tailscale?
No. You can keep Docker Desktop installed. The issue isn't Docker itself—it's the corrupted network stack that accumulated over time. After resetting the stack and reinstalling Tailscale, both will work normally together.
Can I run Tailscale inside Docker instead of on Windows?
You can, but it's not recommended for most users. Running Tailscale in a container requires host networking mode or complex routing configurations. It's simpler and more reliable to run Tailscale natively on Windows, where it integrates properly with the system network stack.
What does the Wintun driver do?
Wintun is a high-performance virtual network driver for Windows. Tailscale uses it to create the "Tailscale Tunnel" adapter that routes traffic through the Tailscale VPN network. If Wintun doesn't load, Tailscale has no way to send or receive packets.
Why does this issue affect Docker and Hyper-V systems more?
Docker Desktop and Hyper-V create their own virtual network adapters and switches. Over time, repeated installs/uninstalls, driver updates, and binding changes can corrupt the Windows network stack. Systems that only run standard network hardware rarely encounter this corruption.
What if the Tailscale Tunnel adapter still doesn't appear after reinstalling?
If the tunnel adapter doesn't show up in Network Connections after you install Tailscale, check if the Wintun driver loaded with pnputil /enum-drivers | findstr /i wintun. If it's missing, Windows may be blocking unsigned or third-party drivers due to Group Policy, Secure Boot settings, or antivirus software.
How do I download Tailscale for Windows?
To download Tailscale, visit tailscale.com/download and select the Windows installer. Always download Tailscale from the official website to ensure you get the latest stable version.
Is this fix safe to run on a production machine?
It's safe, but disruptive. The netcfg -d command rebuilds the network stack, which temporarily disconnects all network access and requires multiple reboots. On a production machine, schedule this during maintenance windows. Test on a development or staging machine first if possible.







