← d3dev

Research: Tailscale

Tailscale Inc. (founded by Avery Pennarun, Brad Fitzpatrick, David Crawshaw, David Carney) · tailscale.com · Ongoing (company founded 2019, "How Tailscale Works" post: March 2020)
https://tailscale.com

vpnwireguardmesh-networkingzero-trustnat-traversalhomelabdevops

At a Glance

Tailscale is a mesh VPN that creates peer-to-peer encrypted connections between your devices using WireGuard, without

routing traffic through a central gateway. You install it, log in with your existing SSO, and your devices can talk to

each other from anywhere — no port forwarding, no firewall rules, no server setup. Free tier gives you 3 users and 100

devices.

Research: Tailscale

Metadata

Field	Value
Title	Tailscale — Mesh VPN Built on WireGuard
Author	Tailscale Inc. (founded by Avery Pennarun, Brad Fitzpatrick, David Crawshaw, David Carney)
Source	tailscale.com
Link	https://tailscale.com
Date Published	Ongoing (company founded 2019, "How Tailscale Works" post: March 2020)
Date Downloaded	2026-03-02
Tags	vpn, wireguard, mesh-networking, zero-trust, nat-traversal, homelab, devops

At a Glance

Tailscale is a mesh VPN that creates peer-to-peer encrypted connections between your devices using WireGuard, without

routing traffic through a central gateway. You install it, log in with your existing SSO, and your devices can talk to

each other from anywhere — no port forwarding, no firewall rules, no server setup. Free tier gives you 3 users and 100

devices.

Quotes

"Unlike traditional VPNs, which tunnel all network traffic through a central gateway server, Tailscale creates a peer-to-peer mesh network (known as a tailnet)."
— Tailscale Docs [1]

"The so-called 'control plane' is hub and spoke, but that doesn't matter because it carries virtually no traffic. It just exchanges a few tiny encryption keys and sets policies. The data plane is a mesh."
— Avery Pennarun [2]

"The private key never, ever leaves its node. This is important because the private key is the only thing that could potentially be used to impersonate that node."
— Avery Pennarun [2]

"With this information, you should be able to build your own Tailscale replacement… except you don't have to, since our node software is open source."
— Avery Pennarun [2]

Sam's TLDR

Tailscale takes WireGuard (already the best VPN protocol) and makes it actually usable. Traditional VPNs are

hub-and-spoke — all traffic flows through one gateway, which creates latency and a single point of failure. Tailscale

flips that: every device connects directly to every other device in a mesh. The clever part is the architecture split —

a centralized coordination server handles key exchange and ACL policy (lightweight, no bottleneck), while the actual

data flows peer-to-peer with zero intermediaries. NAT traversal is handled automatically using STUN/ICE, and for the

worst-case networks that block UDP entirely, DERP relay servers forward already-encrypted packets. The free tier is

generous enough for personal use and homelabs. For a developer like Richard, the killer use cases are: accessing home

machines from anywhere, connecting dev environments across networks, and exposing local services without ngrok. The node

software is open source (Go), which is a trust signal.

Key Points

Mesh, not hub-and-spoke. Devices connect directly to each other, avoiding the latency and bottleneck of routing

through a central VPN gateway [1][2].

Built on WireGuard. Uses wireguard-go (userspace Go implementation) for the data plane. End-to-end encrypted,

private keys never leave the device [2].

Coordination server handles control plane only. Key exchange, ACL policies, and device discovery go through

Tailscale's servers. Actual traffic is peer-to-peer [2].

Automatic NAT traversal. Uses STUN and ICE standards to punch through firewalls and NATs without port forwarding.

No open ports needed [2].

DERP relays for worst-case networks. When direct connections fail (UDP blocked, etc.), traffic is relayed through

encrypted DERP servers. The relay can't decrypt traffic — it just forwards already-encrypted WireGuard packets [2].

Zero-config setup. Install the client, log in with existing SSO (Google, Microsoft, Okta, GitHub), and devices are

connected. No server provisioning, no certificate management [1][2].

ACLs enforced at every node. Security policies are defined centrally but enforced at each endpoint at decryption

time. Unauthorized machines can't even attempt a connection [2].

MagicDNS. Devices get human-readable DNS names automatically — access machines by name instead of IP [3].
Exit nodes. Can route all internet traffic through a designated device, functioning like a traditional VPN when

needed [1].

Subnet routers. Bridge your tailnet to physical LANs or cloud VPCs without installing Tailscale on every machine

in the subnet [2].

Open source node software. The client is open source at github.com/tailscale/tailscale (Go). DERP relay server

code is also open source [2].

Tailscale SSH. Authenticate SSH connections using Tailscale identity instead of managing SSH keys [3].
Tailscale Funnel. Expose a local service to the public internet through Tailscale — like ngrok but integrated into

your mesh [3].

Pricing

Plan	Price	Users	Devices	Key Features
Personal	Free	3	100	Nearly all features, free forever
Personal Plus	$5/mo	6	100	Share with family/friends
Starter	$6/user/mo	Unlimited	100 + 10/user	ACLs (autogroups), MagicDNS, Kubernetes operator
Premium	$18/user/mo	Unlimited	100 + 20/user	Full ACLs, Tailscale SSH, Funnel, audit logging, MDM
Enterprise	Custom	Unlimited	Custom	Tailnet Lock, posture management, log streaming, dedicated support

50% discount for non-profits and educational institutions [3].

Full Summary

What It Is

Tailscale is a mesh VPN service that creates a private network (called a "tailnet") across all your devices using

WireGuard encryption. Unlike traditional VPNs that funnel traffic through a central gateway, Tailscale establishes

direct peer-to-peer connections between devices, resulting in lower latency and higher throughput [1].

The architecture has two layers. The control plane is centralized — Tailscale runs a coordination server that acts

as a "key drop box" where devices exchange WireGuard public keys and download ACL policies. The data plane is fully

decentralized — actual network traffic flows directly between devices, end-to-end encrypted, with no intermediary able

to inspect it [2].

How It Works

Each device runs the Tailscale client (open source, written in Go). On first launch, the client generates a WireGuard

keypair and registers its public key with the coordination server, authenticating via your existing identity provider (

Google, Microsoft, Okta, etc.). The coordination server distributes public keys to authorized peers based on ACL

policies [2].

The hard problem Tailscale solves is NAT traversal. Most devices sit behind firewalls and NATs with no public IP or open

ports. Tailscale uses STUN and ICE protocols to establish direct connections through NATs — a technique that works in

the vast majority of cases. For the remaining cases where direct connections are impossible (networks that block UDP

entirely), Tailscale operates DERP (Designated Encrypted Relay for Packets) servers globally. DERP relays forward

already-encrypted WireGuard packets — they cannot decrypt or inspect the traffic [2].

Use Cases for Developers

Homelab access. Connect to home servers, NAS, Raspberry Pi, etc. from anywhere without exposing ports to the

internet.

Dev environment bridging. Access databases, services, and machines across different networks (home, office, cloud)

as if they're on the same LAN.

Tailscale Funnel. Share a local dev server with teammates or clients without ngrok or similar tunnel services.
Tailscale SSH. SSH into any device on your tailnet using Tailscale identity — no SSH key management.
CI/CD. Connect CI runners to private infrastructure without VPN gateways.
Exit nodes. Route traffic through a specific machine when you need a traditional VPN experience (coffee shop,

travel).

Architecture Highlights

The design is elegant in its separation of concerns. The coordination server (login.tailscale.com) is a single point of

control but not a single point of failure for data — if it goes down, existing connections keep working, you just can't

add new devices. Each node enforces ACLs locally at decryption time, meaning there's no central firewall to configure or

bottleneck [2].

Audit logging works by having each node stream connection metadata to a central logging service in real time. Every

connection is logged twice (source and destination), making log tampering detectable. The window for local tampering is

milliseconds [2].

Deployment is incremental. You can start with two devices, add subnet routers to bridge to existing LANs, and gradually

move toward full zero-trust networking one device at a time [2].

Open Source and Trust

The Tailscale node client is fully open source (github.com/tailscale/tailscale). The DERP relay server code is also open

source. The coordination server is proprietary, but the open source

alternative Headscale exists for self-hosting the control plane. Tailscale has

contributed fixes back to wireguard-go [2].

References

[1]Tailscale — What is Tailscale? https://tailscale.com/kb/1151/what-is-tailscale
[2]Avery Pennarun — How Tailscale Works. https://tailscale.com/blog/how-tailscale-works/
[3]Tailscale — Pricing. https://tailscale.com/pricing