What is Tailscale?
Tailscale creates a private network (mesh VPN) across all your devices and servers using WireGuard under the hood. No port forwarding, no firewall rules, no VPN servers to manage. Every device gets a stable IP and can reach every other device securely.
Why Tailscale?
- Free tier — 3 users, 100 devices
- Zero config — install, login, connected. No server setup.
- WireGuard-based — fastest VPN protocol, kernel-level performance
- MagicDNS — access devices by name: ssh pi@raspberry.tailnet
- ACLs — control who can access what with JSON policies
- Exit nodes — route internet traffic through any device
Quick Start
```bash
# Install on any device
curl -fsSL https://tailscale.com/install.sh | sh

# Connect
sudo tailscale up

# Check your devices
tailscale status
# laptop       100.64.0.1  linux
# server-prod  100.64.0.2  linux
# macbook      100.64.0.3  macOS
```
SSH Without Port Forwarding
```bash
# Before Tailscale: complex SSH tunnel
ssh -J bastion user@10.0.1.50 -p 2222

# With Tailscale: direct connection
ssh user@server-prod  # MagicDNS resolves to Tailscale IP

# Or use Tailscale SSH (no SSH keys needed!)
tailscale ssh server-prod
```
Access Control Lists
```json
{
  "acls": [
    {"action": "accept", "src": ["group:devs"], "dst": ["tag:staging:*"]},
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:production:*"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]}
  ],
  "groups": {
    "group:devs": ["alice@example.com", "bob@example.com"],
    "group:ops": ["charlie@example.com"]
  },
  "tagOwners": {
    "tag:staging": ["group:devs"],
    "tag:production": ["group:ops"]
  }
}
```
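To see what the policy above permits before applying it, the following added example (not part of the original post, and not Tailscale's own evaluator) models its default-deny rule matching in Python. The function names `src_matches` and `can_reach` are hypothetical, every caller is assumed to be a tailnet member, and port ranges are not handled.

```python
import json

# The policy from this section, embedded so the check runs offline.
POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["group:devs"], "dst": ["tag:staging:*"]},
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:production:*"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]}
  ],
  "groups": {
    "group:devs": ["alice@example.com", "bob@example.com"],
    "group:ops": ["charlie@example.com"]
  },
  "tagOwners": {"tag:staging": ["group:devs"], "tag:production": ["group:ops"]}
}
""")


def src_matches(policy, src, user):
    """True if the ACL source selector covers this user (assumed a member)."""
    if src in ("*", "autogroup:member"):
        return True
    if src.startswith("group:"):
        return user in policy.get("groups", {}).get(src, [])
    return src == user


def can_reach(policy, user, port, tag=None, owner=None):
    """Simplified model: deny unless some accept rule matches.

    Pass tag for a tagged device, or owner (a login) for an untagged one.
    """
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(src_matches(policy, s, user) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")  # "tag:staging:*" -> host, ports
            port_ok = ports == "*" or str(port) in ports.split(",")
            if host == "autogroup:self":
                host_ok = tag is None and owner == user  # own untagged devices only
            else:
                host_ok = host in ("*", tag)
            if host_ok and port_ok:
                return True
    return False  # no rule matched: default deny
```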
Tailscale API
```bash
# List devices
curl -s 'https://api.tailscale.com/api/v2/tailnet/your-tailnet/devices' \
  -H "Authorization: Bearer tskey-api-your-key" | jq '.devices[] | {name, addresses, os}'

# Authorize a device
curl -X POST 'https://api.tailscale.com/api/v2/device/DEVICE_ID/authorized' \
  -H "Authorization: Bearer tskey-api-your-key" \
  -d '{"authorized": true}'
```
Funnel (Expose Services Publicly)
```bash
# Expose a local service to the internet
tailscale funnel 3000
# Your service is now at https://macbook.tail12345.ts.net/

# Expose with custom path
tailscale funnel --set-path /api 8080
```
Tailscale vs Alternatives
| Feature | Tailscale | WireGuard | OpenVPN | Cloudflare Tunnel |
|---|---|---|---|---|
| Setup time | 2 min | 30 min | 1 hour | 15 min |
| Free tier | 100 devices | Self-host | Self-host | Unlimited |
| Mesh topology | Yes | Manual | Hub-spoke | Hub only |
| MagicDNS | Yes | Manual | Manual | No |
| ACLs | JSON policy | iptables | OpenVPN config | Cloudflare rules |
| NAT traversal | Automatic | Manual | Manual | Tunnel-based |
Real-World Impact
A remote team of 8 developers needed to access staging servers, databases, and internal tools. With OpenVPN: 2 days to set up, constant connection drops, one person maintained the VPN server. With Tailscale: 10 minutes for the entire team, zero maintenance, every device can reach every other device. The developer who maintained the VPN got 2 days/month back.