diff --git a/docs/configuration/endpoint/tailscale.md b/docs/configuration/endpoint/tailscale.md
index 5ea89a0e..6cf10e2b 100644
--- a/docs/configuration/endpoint/tailscale.md
+++ b/docs/configuration/endpoint/tailscale.md
@@ -8,7 +8,8 @@ icon: material/new-box
     :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
     :material-plus: [system_interface](#system_interface)  
     :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)  
+    :material-plus: [advertise_tags](#advertise_tags)
 
 !!! question "Since sing-box 1.12.0"
 
@@ -28,6 +29,7 @@ icon: material/new-box
   "exit_node_allow_lan_access": false,
   "advertise_routes": [],
   "advertise_exit_node": false,
+  "advertise_tags": [],
   "relay_server_port": 0,
   "relay_server_static_endpoints": [],
   "system_interface": false,
@@ -102,6 +104,14 @@ Example: `["192.168.1.1/24"]`
 
 Indicates whether the node should advertise itself as an exit node.
 
+#### advertise_tags
+
+!!! question "Since sing-box 1.13.0"
+
+Tags to advertise for this node, for ACL enforcement purposes.
+
+Example: `["tag:server"]`
+
 #### relay_server_port
 
 !!! question "Since sing-box 1.13.0"
diff --git a/docs/configuration/endpoint/tailscale.zh.md b/docs/configuration/endpoint/tailscale.zh.md
index 1bd65878..f881dd67 100644
--- a/docs/configuration/endpoint/tailscale.zh.md
+++ b/docs/configuration/endpoint/tailscale.zh.md
@@ -8,7 +8,8 @@ icon: material/new-box
     :material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)  
     :material-plus: [system_interface](#system_interface)  
     :material-plus: [system_interface_name](#system_interface_name)  
-    :material-plus: [system_interface_mtu](#system_interface_mtu)
+    :material-plus: [system_interface_mtu](#system_interface_mtu)  
+    :material-plus: [advertise_tags](#advertise_tags)
 
 !!! question "自 sing-box 1.12.0 起"
 
@@ -28,6 +29,7 @@ icon: material/new-box
   "exit_node_allow_lan_access": false,
   "advertise_routes": [],
   "advertise_exit_node": false,
+  "advertise_tags": [],
   "relay_server_port": 0,
   "relay_server_static_endpoints": [],
   "system_interface": false,
@@ -101,6 +103,14 @@ icon: material/new-box
 
 指示节点是否应将自己通告为出口节点。
 
+#### advertise_tags
+
+!!! question "自 sing-box 1.13.0 起"
+
+为此节点通告的标签，用于 ACL 执行。
+
+示例：`["tag:server"]`
+
 #### relay_server_port
 
 !!! question "自 sing-box 1.13.0 起"
diff --git a/option/tailscale.go b/option/tailscale.go
index 661d91a3..dac8e866 100644
--- a/option/tailscale.go
+++ b/option/tailscale.go
@@ -12,22 +12,23 @@ import (
 
 type TailscaleEndpointOptions struct {
 	DialerOptions
-	StateDirectory             string           `json:"state_directory,omitempty"`
-	AuthKey                    string           `json:"auth_key,omitempty"`
-	ControlURL                 string           `json:"control_url,omitempty"`
-	Ephemeral                  bool             `json:"ephemeral,omitempty"`
-	Hostname                   string           `json:"hostname,omitempty"`
-	AcceptRoutes               bool             `json:"accept_routes,omitempty"`
-	ExitNode                   string           `json:"exit_node,omitempty"`
-	ExitNodeAllowLANAccess     bool             `json:"exit_node_allow_lan_access,omitempty"`
-	AdvertiseRoutes            []netip.Prefix   `json:"advertise_routes,omitempty"`
-	AdvertiseExitNode          bool             `json:"advertise_exit_node,omitempty"`
-	RelayServerPort            *uint16          `json:"relay_server_port,omitempty"`
-	RelayServerStaticEndpoints []netip.AddrPort `json:"relay_server_static_endpoints,omitempty"`
-	SystemInterface            bool             `json:"system_interface,omitempty"`
-	SystemInterfaceName        string           `json:"system_interface_name,omitempty"`
-	SystemInterfaceMTU         uint32           `json:"system_interface_mtu,omitempty"`
-	UDPTimeout                 UDPTimeoutCompat `json:"udp_timeout,omitempty"`
+	StateDirectory             string                     `json:"state_directory,omitempty"`
+	AuthKey                    string                     `json:"auth_key,omitempty"`
+	ControlURL                 string                     `json:"control_url,omitempty"`
+	Ephemeral                  bool                       `json:"ephemeral,omitempty"`
+	Hostname                   string                     `json:"hostname,omitempty"`
+	AcceptRoutes               bool                       `json:"accept_routes,omitempty"`
+	ExitNode                   string                     `json:"exit_node,omitempty"`
+	ExitNodeAllowLANAccess     bool                       `json:"exit_node_allow_lan_access,omitempty"`
+	AdvertiseRoutes            []netip.Prefix             `json:"advertise_routes,omitempty"`
+	AdvertiseExitNode          bool                       `json:"advertise_exit_node,omitempty"`
+	AdvertiseTags              badoption.Listable[string] `json:"advertise_tags,omitempty"`
+	RelayServerPort            *uint16                    `json:"relay_server_port,omitempty"`
+	RelayServerStaticEndpoints []netip.AddrPort           `json:"relay_server_static_endpoints,omitempty"`
+	SystemInterface            bool                       `json:"system_interface,omitempty"`
+	SystemInterfaceName        string                     `json:"system_interface_name,omitempty"`
+	SystemInterfaceMTU         uint32                     `json:"system_interface_mtu,omitempty"`
+	UDPTimeout                 UDPTimeoutCompat           `json:"udp_timeout,omitempty"`
 }
 
 type TailscaleDNSServerOptions struct {
diff --git a/protocol/tailscale/endpoint.go b/protocol/tailscale/endpoint.go
index 1bd63e71..40bc4bc6 100644
--- a/protocol/tailscale/endpoint.go
+++ b/protocol/tailscale/endpoint.go
@@ -97,6 +97,7 @@ type Endpoint struct {
 	exitNodeAllowLANAccess     bool
 	advertiseRoutes            []netip.Prefix
 	advertiseExitNode          bool
+	advertiseTags              []string
 	relayServerPort            *uint16
 	relayServerStaticEndpoints []netip.AddrPort
 
@@ -244,6 +245,7 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		exitNodeAllowLANAccess:     options.ExitNodeAllowLANAccess,
 		advertiseRoutes:            options.AdvertiseRoutes,
 		advertiseExitNode:          options.AdvertiseExitNode,
+		advertiseTags:              options.AdvertiseTags,
 		relayServerPort:            options.RelayServerPort,
 		relayServerStaticEndpoints: options.RelayServerStaticEndpoints,
 		udpTimeout:                 udpTimeout,
@@ -359,25 +361,25 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 	localBackend := t.server.ExportLocalBackend()
 	perfs := &ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
-			RouteAll: t.acceptRoutes,
+			RouteAll:        t.acceptRoutes,
+			AdvertiseRoutes: t.advertiseRoutes,
+			AdvertiseTags:   t.advertiseTags,
 		},
-		RouteAllSet:        true,
-		ExitNodeIPSet:      true,
-		AdvertiseRoutesSet: true,
-	}
-	if len(t.advertiseRoutes) > 0 {
-		perfs.AdvertiseRoutes = t.advertiseRoutes
+		RouteAllSet:                   true,
+		ExitNodeIPSet:                 true,
+		AdvertiseRoutesSet:            true,
+		AdvertiseTagsSet:              true,
+		RelayServerPortSet:            true,
+		RelayServerStaticEndpointsSet: true,
 	}
 	if t.advertiseExitNode {
 		perfs.AdvertiseRoutes = append(perfs.AdvertiseRoutes, tsaddr.ExitRoutes()...)
 	}
 	if t.relayServerPort != nil {
 		perfs.RelayServerPort = t.relayServerPort
-		perfs.RelayServerPortSet = true
 	}
 	if len(t.relayServerStaticEndpoints) > 0 {
 		perfs.RelayServerStaticEndpoints = t.relayServerStaticEndpoints
-		perfs.RelayServerStaticEndpointsSet = true
 	}
 	_, err = localBackend.EditPrefs(perfs)
 	if err != nil {