Fixing Transmission’s “403 Forbidden” Over Tailscale
Software engineer transitioning into ML/AI Engineering
I recently set up Transmission on my Mac mini and wanted to access it remotely through Tailscale. In theory, it should’ve been easy: install Tailscale on both devices, open:
http://mac-mini:9091/transmission/web
…and call it a day.
Instead, Transmission greeted me with:
403: Forbidden
And because Transmission is Transmission, it gives you zero hints about why your own machine is blocking you.
So here’s the exact set of steps I took to fix this — written for anyone who hits the same problem (you probably will).
🧠 Why Transmission Throws 403 in the First Place
Transmission.app on macOS stores its configuration in a macOS plist:
~/Library/Preferences/org.m0k.transmission.plist
Not the usual settings.json that Linux tutorials refer to.
Inside that plist, Transmission has multiple RPC whitelist settings. And the fun part is:
Even if the UI says the whitelist is disabled, Transmission will still enforce it internally.
Tailscale uses the 100.x.x.x subnet.
Transmission only whitelists:
127.0.0.1your LAN range (e.g.,
192.168.x.x)your Bonjour hostname (
macmini.local)
So when you try to access Transmission through Tailscale, Transmission looks at the IP, does not recognize it, and throws a 403.
🪛 Step 1 — Confirm RPC Is Enabled
Just to make sure Transmission is actually listening on the network, check these keys:
defaults read org.m0k.transmission RPCEnabled
defaults read org.m0k.transmission RPCBindAddress
defaults read org.m0k.transmission RPCPort
You want:
RPCEnabled = 1RPCBindAddress = "0.0.0.0"RPCPort = 9091
If all that’s fine and you still get 403, keep reading.
🕵️ Step 2 — Check the RPC Whitelist
Dump the full config:
defaults read org.m0k.transmission
In my case, I saw:
RPCUseWhitelist = 1;
RPCWhitelist = "127.0.0.1,192.168.68.*,macmini.local";
Visually, Transmission looked like it had whitelist disabled elsewhere, but the truth is:
RPCUseWhitelist = 1is the real master switch.
And it was still on.
No wonder it blocked my Tailscale IP.
🔧 Step 3 — Disable the Whitelist (for real)
There are three flags you must disable.
If you miss even one, Transmission will still enforce whitelisting.
Run:
defaults write org.m0k.transmission RPCUseWhitelist -bool false
defaults write org.m0k.transmission RPCWhitelistEnabled -bool false
defaults write org.m0k.transmission RPCHostWhitelistEnabled -bool false
Verify with:
defaults read org.m0k.transmission | grep RPC
Now, the whitelist is actually off.
🔄 Step 4 — Restart Transmission Properly
This part matters.
Transmission only saves plist changes when you fully quit the app:
Right-click Transmission in the Dock → Quit
Or press
Cmd+Q
Then reopen it.
If you edit the plist while Transmission is open, it will overwrite your changes on exit.
🌐 Step 5 — Test Over Tailscale
Once the whitelist is actually disabled, visiting:
http://100.xxx.xxx.xxx:9091/transmission/web/
from your other device should show the login page immediately.
And because MagicDNS handles everything nicely, you can also use:
http://mac-mini:9091/transmission/web/
from anywhere — your laptop, mobile, work Wi-Fi, 4G, whatever — as long as Tailscale is running.
No open ports, no VPN configuration, no exposure to the public internet.
🎉 Final Thoughts
Now I can access Transmission from my MacBook, my iPhone, outside home, inside home — all privately and securely over Tailscale.
If you hit this same problem: I hope this saves you the hour of plist archaeology I had to go through.
