Most VPN setups fail at the same place: you get WireGuard or OpenVPN running on one machine, and then you spend an afternoon poking holes in firewalls, forwarding ports on a router you may not control, and hand-editing config files every time a device joins or leaves. Tailscale's pitch is that you skip all of that. You install a client, log in with an identity provider you already use, and your machines can reach each other over an encrypted connection as if they were on the same LAN — even when they sit behind separate NATs in different cities.
We ran Tailscale across a mix of a Linux server, a MacBook, an iPhone, and a Raspberry Pi to see how close it gets to that promise. The short version: for getting a private network between your own devices, it removes almost all of the manual work. The longer version has some edges worth knowing before you build anything important on it.
How the mesh actually works
Tailscale is built on WireGuard for the data plane, so the encryption and the in-kernel performance come from a protocol that already has a strong reputation. What Tailscale adds is the part WireGuard deliberately leaves out: coordination. Plain WireGuard expects you to manually exchange public keys and tell each peer where to find the others. Tailscale runs a coordination server that distributes keys and endpoint information for you, so every node learns how to reach every other node automatically.
The connections themselves are peer-to-peer. When two of your devices talk, traffic flows directly between them rather than through Tailscale's servers — the coordination server only brokers the introduction. To get a direct path through restrictive NATs, Tailscale uses STUN-style hole punching. When that fails (some corporate or carrier-grade NATs are genuinely hostile), traffic falls back to a relay called DERP. Relayed connections are slower and add latency, but they keep the link working instead of dropping it. In our testing, home-to-cloud and phone-to-server links negotiated direct paths within a few seconds; one connection over a locked-down guest network stayed on DERP the whole time.
Each device gets a stable 100.x.y.z address on the tailnet and a name through MagicDNS, so you can ssh pi instead of memorizing IPs. That naming layer is a bigger quality-of-life win than it sounds — it survives reboots, IP changes, and network switches.
Tailscale is open source on the client side, but the coordination server it points at by default is Tailscale's hosted service. If you want to avoid depending on that, Headscale is a community-built, self-hostable implementation of the control server that the official clients can connect to. It's a real option, but it's maintained separately and you take on the operational burden yourself.
The features that justify the install
Beyond basic device-to-device connectivity, a few capabilities are what make people keep Tailscale around instead of treating it as a one-off tunnel.
Subnet routers let one device advertise a whole local network to the tailnet. Install Tailscale on a single box at home or in a VPC, enable subnet routing, and every other node can reach printers, NAS boxes, or internal services on that subnet without running a client on each one. This is the realistic path for hardware you can't install software on.
Exit nodes route all of a device's internet traffic through another node, which is the closer-to-traditional-VPN use case — tunneling your phone's traffic through your home connection, for example.
Tailscale SSH is the feature that surprised us most. It lets the tailnet handle SSH authentication based on your access-control policy, so you can drop the dance of distributing public keys to authorized_keys files. Access is governed centrally, and you can require re-authentication through your identity provider. For small teams this removes a recurring chore.
All of this is gated by ACLs — a JSON policy file that defines which users and devices can reach which others, and on which ports. The default policy is wide open within your own tailnet, which is convenient for a solo setup and a trap for a team. The ACL system is expressive, but it's also the part you most need to get right.
The default ACL allows every device on a tailnet to reach every other device on all ports. That is fine for your personal machines and dangerous the moment you add coworkers, contractors, or a server you'd rather keep isolated. Before you invite anyone, write an explicit ACL that scopes access to what each group actually needs — don't ship the default into a shared tailnet.
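As an added illustration (not from the original review and not Tailscale's own sample), here is the shape of an explicit policy that replaces the wide-open default with per-group scopes, covers the subnet-router and Tailscale SSH features discussed above, and uses the policy's built-in tests to catch drift back toward "everyone reaches everything". The users, tag names and the 192.168.1.0/24 home subnet are constructed placeholders.

```jsonc
// Tailscale policy files are HuJSON, so // comments are permitted.
{
  // Map identity-provider logins to roles. Constructed placeholder addresses.
  "groups": {
    "group:admins":      ["alice@example.com"],
    "group:contractors": ["bob@example.com"]
  },

  // Who may apply each tag to a device, and therefore who controls that device.
  "tagOwners": {
    "tag:prod":   ["group:admins"],
    "tag:router": ["group:admins"]
  },

  // Let a box tagged as the home subnet router advertise its LAN without
  // a manual approval step in the admin console.
  "autoApprovers": {
    "routes": { "192.168.1.0/24": ["tag:router"] }
  },

  "acls": [
    // The default a new tailnet ships with, kept here only for contrast:
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},

    // Every member can still reach all of their own devices.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},

    // Admins reach everything, including the advertised home subnet.
    {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},

    // Contractors get only the web ports on prod and the NAS share on the LAN.
    {"action": "accept", "src": ["group:contractors"],
     "dst": ["tag:prod:80,443", "192.168.1.0/24:445"]}
  ],

  // Tailscale SSH: admins may log in as non-root users, but "check" forces a
  // fresh identity-provider authentication every 12 hours. No rule exists for
  // contractors, so they get no SSH access through the tailnet at all.
  "ssh": [
    {"action": "check", "checkPeriod": "12h",
     "src": ["group:admins"], "dst": ["tag:prod"], "users": ["autogroup:nonroot"]}
  ],

  // Policy tests are evaluated when the file is saved; a failing test rejects
  // the change, so a later edit cannot quietly reopen port 22 to contractors.
  "tests": [
    {"src": "bob@example.com", "accept": ["tag:prod:443"], "deny": ["tag:prod:22"]}
  ]
}
```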
How it compares to the alternatives
It helps to be precise about what Tailscale replaces. It is not really competing with a commercial "hide my traffic" VPN; it competes with the effort of wiring up your own private network.
The trade-off is dependency. Plain WireGuard answers to no one; Tailscale's default setup relies on Tailscale's coordination server and your identity provider being reachable. Existing connections keep working if the control plane has a brief outage, but you can't authenticate new devices or push ACL changes during one. For a lot of people that's an acceptable trade for never touching a firewall rule again. For others it's the reason to run Headscale.
Pricing and where it bites
Tailscale's free Personal plan is genuinely usable: it covers up to 100 devices and a small number of users, which is more than enough for an individual managing a homelab and a few personal machines. Tailscale SSH, MagicDNS, subnet routing, and exit nodes are all available without paying.
The cost shows up when you grow into a team. Paid plans are priced per user and unlock the features teams actually need — more users, finer-grained controls, and longer log retention. The pricing has been revised more than once over Tailscale's life, so check the current plan page rather than trusting a number you read in an article. The pattern to expect is that solo and hobby use is free, and you start paying when multiple people share a tailnet.
If your only goal is reaching your own machines from anywhere, set up a single subnet router on your home network and an exit node, then stop. You'll get most of Tailscale's value on the free plan without installing a client on every device or touching the paid tiers.
Tailscale is the rare infrastructure tool where the demo and the daily reality match. It does one job — making private networking between your machines stop being a project — and it does it with very little ceremony. The honest caveats are the control-plane dependency and the wide-open default ACL, both of which matter more as you add people. For a solo developer or a small team that wants WireGuard's performance without WireGuard's bookkeeping, it's an easy thing to recommend.
Originally published at pickuma.com. Subscribe to the RSS or follow @pickuma.bsky.social for new reviews.