# Fixing Transmission’s “403 Forbidden” Over Tailscale I recently set up Transmission on my Mac mini and wanted to access it remotely through Tailscale. In theory, it should’ve been easy: install Tailscale on both devices, open: ```markdown http://mac-mini:9091/transmission/web ``` …and call it a day. Instead, Transmission greeted me with: > **403: Forbidden** And because Transmission is Transmission, it gives you zero hints about *why* your own machine is blocking you. So here’s the exact set of steps I took to fix this — written for anyone who hits the same problem (you probably will). --- ## 🧠 Why Transmission Throws 403 in the First Place [Transmission.app](http://Transmission.app) on macOS stores its configuration in a macOS plist: ```markdown ~/Library/Preferences/org.m0k.transmission.plist ``` Not the usual `settings.json` that Linux tutorials refer to. Inside that plist, Transmission has multiple RPC whitelist settings. And the fun part is: > **Even if the UI says the whitelist is disabled, Transmission will still enforce it internally.** Tailscale uses the `100.x.x.x` subnet. Transmission only whitelists: * `127.0.0.1` * your LAN range (e.g., `192.168.x.x`) * your Bonjour hostname (`macmini.local`) So when you try to access Transmission through Tailscale, Transmission looks at the IP, does not recognize it, and throws a 403. --- ## 🪛 Step 1 — Confirm RPC Is Enabled Just to make sure Transmission is actually listening on the network, check these keys: ```markdown defaults read org.m0k.transmission RPCEnabled defaults read org.m0k.transmission RPCBindAddress defaults read org.m0k.transmission RPCPort ``` You want: * `RPCEnabled = 1` * `RPCBindAddress = "0.0.0.0"` * `RPCPort = 9091` If all that’s fine and you still get 403, keep reading. --- ## 🕵️ Step 2 — Check the RPC Whitelist Dump the full config: ```markdown defaults read org.m0k.transmission ``` In my case, I saw: ```markdown RPCUseWhitelist = 1; RPCWhitelist = "127.0.0.1,192.168.68.*,macmini.local"; ``` Visually, Transmission *looked like* it had whitelist disabled elsewhere, but the truth is: > `RPCUseWhitelist = 1` is the real master switch. And it was still on. No wonder it blocked my Tailscale IP. --- ## 🔧 Step 3 — Disable the Whitelist (for real) There are three flags you must disable. If you miss even one, Transmission will still enforce whitelisting. Run: ```markdown defaults write org.m0k.transmission RPCUseWhitelist -bool false defaults write org.m0k.transmission RPCWhitelistEnabled -bool false defaults write org.m0k.transmission RPCHostWhitelistEnabled -bool false ``` Verify with: ```markdown defaults read org.m0k.transmission | grep RPC ``` Now, the whitelist is **actually** off. --- ## 🔄 Step 4 — Restart Transmission Properly This part matters. Transmission only saves plist changes when you **fully quit** the app: * Right-click Transmission in the Dock → Quit * Or press `Cmd+Q` Then reopen it. If you edit the plist while Transmission is open, it will overwrite your changes on exit. --- ## 🌐 Step 5 — Test Over Tailscale Once the whitelist is actually disabled, visiting: ```markdown http://100.xxx.xxx.xxx:9091/transmission/web/ ``` from your other device should show the login page immediately. And because MagicDNS handles everything nicely, you can also use: ```markdown http://mac-mini:9091/transmission/web/ ``` from anywhere — your laptop, mobile, work Wi-Fi, 4G, whatever — as long as Tailscale is running. No open ports, no VPN configuration, no exposure to the public internet. --- ## 🎉 Final Thoughts Now I can access Transmission from my MacBook, my iPhone, outside home, inside home — all privately and securely over Tailscale. If you hit this same problem: I hope this saves you the hour of plist archaeology I had to go through.