Tailscale
Mesh VPN based on WireGuard

Quick Take: Tailscale
Tailscale is the best way to connect your devices into a private network. The mesh architecture, WireGuard encryption, and zero-infrastructure approach solve real problems for developers, self-hosters, and teams. The free plan is generous (100 devices), the setup is trivial (install and sign in), and the performance is excellent (direct peer-to-peer). The only concerns are dependency on Tailscale's coordination server (mitigated by Headscale) and potential conflicts with other VPN software on macOS.
Best For
- Developers who SSH between machines and are tired of port forwarding
- Self-hosters who want secure remote access without exposing ports
- Remote teams replacing slow corporate VPNs
- Anyone who wants their devices connected into a private network
What is Tailscale?
Tailscale is a mesh VPN built on WireGuard that connects your devices into a private network without port forwarding, firewall rules, or VPN server management. Install it on your Mac, your phone, your Raspberry Pi, and your cloud server—they can all reach each other by hostname as if they were on the same LAN. No infrastructure to maintain.
The traditional VPN model requires a central server: all traffic flows through a single point, the server needs to be provisioned and maintained, and if the server goes down, your VPN goes down. Tailscale uses a mesh architecture where devices connect directly to each other (peer-to-peer) using WireGuard tunnels. The Tailscale coordination server handles authentication and key exchange, but actual data flows directly between your devices. This means lower latency, no single point of failure, and no server to maintain.
For individual developers, the killer feature is SSH access to remote machines without exposing port 22 to the internet. Install Tailscale on your home Mac and your cloud server, and you can SSH from one to the other using Tailscale IPs—no public IP, no port forwarding, no Dynamic DNS. For teams, Tailscale creates a private network where developers can access staging servers, databases, and internal services without VPN concentrators or bastion hosts.
Tailscale uses WireGuard as its underlying protocol, which means connections are fast, encrypted, and battery-efficient. WireGuard establishes connections in milliseconds (compared to seconds for OpenVPN/IPSec) and has minimal CPU overhead. Tailscale wraps WireGuard with identity-based authentication (Google, Microsoft, GitHub, Okta), ACLs (access control lists), and a web admin console.
The free plan supports up to 100 devices for personal use. Paid plans add team features, ACL policies, and more devices. For a single developer connecting a few personal devices, the free plan is more than enough.
Install with Homebrew
`brew install --cask tailscale-app`
Deep Dive: How Tailscale's Mesh Architecture Works
Understanding Tailscale's architecture explains why it's faster and simpler than traditional VPNs.
History & Background
Tailscale was founded in 2019 by Brad Fitzpatrick (who also created LiveJournal and memcached) and Avery Pennarun. The insight was that WireGuard solved the encryption problem but left key management, NAT traversal, and access control unsolved. Tailscale wraps WireGuard with identity-based networking—your devices authenticate with your identity provider and Tailscale handles the rest.
How It Works
Tailscale's architecture has three components: (1) The coordination server handles authentication, key distribution, and peer discovery. It never sees your data. (2) The DERP relay network provides fallback connectivity when direct connections fail. Traffic is end-to-end encrypted even through DERP. (3) The client software on each device establishes WireGuard tunnels to other devices and implements ACL enforcement. Most traffic flows directly peer-to-peer.
Ecosystem & Integrations
Tailscale integrates with identity providers (Google Workspace, Microsoft Entra, GitHub, Okta), infrastructure (AWS VPC, GCP, Azure), and container platforms (Docker, Kubernetes). It can replace VPN concentrators, bastion hosts, and VPC peering with a single tool. The open-source client and Headscale provide escape hatches from vendor lock-in.
Future Development
Tailscale continues to expand its feature set: Funnel for public access, app connectors for SaaS integration, and improved multi-user coordination. The platform is evolving from 'connect your devices' toward 'secure access to everything' for teams and enterprises.
Key Features
Mesh VPN with WireGuard
Tailscale creates direct peer-to-peer WireGuard tunnels between your devices. Traffic flows directly from device to device—not through a central server. This means lower latency than traditional hub-and-spoke VPNs. WireGuard handles encryption (ChaCha20 + Poly1305) and establishes connections in milliseconds.
MagicDNS
Every device on your Tailscale network gets a DNS name based on its hostname. If your MacBook is named 'work-mac', you can SSH to it from any other device using `ssh work-mac` instead of remembering IP addresses. MagicDNS resolves these names automatically across your mesh network.
Tailscale SSH
Tailscale can handle SSH authentication without managing SSH keys. Enable Tailscale SSH and you can connect to any machine on your network using Tailscale identity—no SSH keys to distribute, no authorized_keys to manage. Access is controlled by Tailscale ACLs. This eliminates the entire SSH key management problem for teams.
Access Control Lists (ACLs)
Define who can access what using JSON-based ACL policies. Allow the engineering team to reach staging servers but not production. Let the CEO access the analytics dashboard but nothing else. ACLs are version-controlled in a Git repository and applied instantly across the network.
Exit Nodes
Designate any Tailscale device as an exit node to route all internet traffic through it. Use your home Mac as an exit node and your phone's internet traffic goes through your home connection—useful for accessing region-locked content or securing traffic on public WiFi.
Subnet Routing
A Tailscale device can act as a subnet router, exposing an entire local network to your Tailscale mesh. Install Tailscale on one device in your office network and every Tailscale-connected device can access printers, NAS drives, and internal services on that network without installing Tailscale on each device.
Funnel (Public Access)
Tailscale Funnel exposes a service running on your device to the public internet through Tailscale's infrastructure. Run a web server on localhost:3000, enable Funnel, and get a public HTTPS URL that routes to your machine. It's like ngrok but built into your VPN.
NAT Traversal (DERP)
Most devices are behind NAT (routers, firewalls). Tailscale uses STUN/TURN-like techniques and its own DERP (Designated Encrypted Relay for Packets) relay servers to establish direct connections even through double NAT, carrier-grade NAT, and restrictive firewalls. When direct connection fails, DERP relays encrypted traffic—slower, but it always works.
Who Should Use Tailscale?
1. The Developer with a Home Lab
You have a Mac at home, a Linux server in the closet, and a cloud VM on DigitalOcean. Install Tailscale on all three. Now you can SSH between them using hostnames, access the Linux server's web interfaces, and transfer files—all without public IPs or port forwarding. When you're at a coffee shop, it works identically.
2. The Remote Team Member
Your company has staging servers behind a VPN. The traditional VPN is slow and drops connections. Replace it with Tailscale: each developer installs the client, logs in with their work Google account, and gets direct access to staging servers. ACLs control who can access what. No VPN concentrator, no split tunneling headaches.
3. The Privacy-Conscious Traveler
You're at a hotel and don't trust the WiFi. Set your home Mac as an exit node and route all your phone's traffic through it. Your internet activity goes through your home connection instead of the hotel network. Tailscale's WireGuard tunnel handles the encryption.
4. The Self-Hoster
You run Plex, Home Assistant, and Nextcloud on a home server. Instead of exposing ports to the internet (security risk), install Tailscale. Access all your services from anywhere using Tailscale IPs. No Dynamic DNS, no reverse proxy, no Let's Encrypt certificates for local services.
5. The Contractor Working with Multiple Clients
You need access to three different clients' internal networks. Each client adds you to their Tailscale network with specific ACLs. You switch between client networks using Tailscale profiles. No client VPN software conflicts, no juggling multiple VPN connections.
How to Install Tailscale on Mac
Tailscale is available via the Mac App Store, Homebrew, or direct download.
Install via Homebrew
Run `brew install --cask tailscale-app` in Terminal to install the GUI app. For the CLI-only version, use `brew install tailscale`. Or download directly from the Mac App Store (free).
Sign In
Open Tailscale and sign in with your identity provider: Google, Microsoft, GitHub, Apple, or Okta. This creates your Tailscale network (tailnet).
Install on Other Devices
Install Tailscale on your other devices (phone, server, Raspberry Pi) and sign in with the same account. They automatically join your tailnet.
Connect
Each device appears in the Tailscale admin console with a 100.x.x.x IP and a MagicDNS hostname. Ping between devices to verify: `ping work-mac`.
Pro Tips
- Enable MagicDNS in the admin console to use hostnames instead of IP addresses.
- For headless servers, install via `curl -fsSL https://tailscale.com/install.sh | sh`.
- Set up an exit node on your home machine for secure browsing on public WiFi.
Configuration Tips
Enable MagicDNS Immediately
MagicDNS lets you use hostnames instead of 100.x.x.x IPs. Enable it in the admin console (admin.tailscale.com → DNS settings). After enabling, `ssh my-server` works instead of `ssh 100.64.1.5`.
Set Up an Exit Node at Home
On your home Mac or router, enable exit node (`tailscale up --advertise-exit-node`). When you're on untrusted WiFi, route all traffic through home. Toggle exit node on/off from the Tailscale menu bar icon.
Use ACLs from Day One
Even for personal use, set up basic ACLs. As your network grows, ACLs prevent accidental access. Lock down sensitive services and explicitly allow only the devices that need access.
Enable Tailscale SSH for Key-Free Access
Replace SSH key management with Tailscale SSH. Enable it in ACLs and your Tailscale identity handles authentication. No more copying SSH keys between machines.
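An added example, not code from the original page or from Tailscale, for the two ACL tips above and the engineering/staging scenario under Key Features: a small audit over a policy laid out like the Tailscale policy file. The users, groups, tags and the helper names (`audit`, `rules_reaching`, `split_dst`) are constructed for illustration; a real policy file is HuJSON rather than a Python dict.

```python
# Added example, not Tailscale's code. POLICY mirrors the policy-file layout
# (groups / tagOwners / acls / ssh); every user, group and tag is constructed.
POLICY = {
    "groups": {"group:engineering": ["alice@example.com", "bob@example.com"]},
    "tagOwners": {"tag:staging": ["autogroup:admin"],
                  "tag:production": ["autogroup:admin"]},
    "acls": [
        # Engineering may reach staging on SSH and HTTPS only.
        {"action": "accept", "src": ["group:engineering"],
         "dst": ["tag:staging:22,443"]},
        # Allow-all rule left in place: it also covers tag:production.
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    ],
    "ssh": [
        {"action": "accept", "src": ["group:engineering"],
         "dst": ["tag:staging"], "users": ["root"]},
    ],
}

# Corrected policy: wildcard rule removed, SSH re-checks identity, no root.
HARDENED = dict(POLICY, acls=POLICY["acls"][:1], ssh=[
    {"action": "check", "src": ["group:engineering"],
     "dst": ["tag:staging"], "users": ["autogroup:nonroot"]},
])


def split_dst(dst):
    """Split 'host:ports' on the last colon; hosts like tag:staging contain one."""
    host, _, ports = dst.rpartition(":")
    return host, ports


def rules_reaching(policy, host):
    """Indexes of acls rules whose dst names `host` or the '*' wildcard."""
    return [i for i, rule in enumerate(policy.get("acls", []))
            if any(split_dst(d)[0] in (host, "*") for d in rule.get("dst", []))]


def audit(policy):
    """Return (location, problem) pairs for grants broader than least privilege."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        for host, ports in map(split_dst, rule.get("dst", [])):
            if host == "*":
                findings.append((f"acls[{i}]", "reaches every device"))
            elif ports == "*":
                findings.append((f"acls[{i}]", f"all ports open on {host}"))
    for i, rule in enumerate(policy.get("ssh", [])):
        if "root" in rule.get("users", []):
            findings.append((f"ssh[{i}]", "root login allowed"))
    return findings


if __name__ == "__main__":
    for name, policy in (("POLICY", POLICY), ("HARDENED", HARDENED)):
        print(name, audit(policy), rules_reaching(policy, "tag:production"))
```

Because rules only ever grant access, the leftover wildcard rule in `POLICY` reaches `tag:production` even though no rule names it; `HARDENED` produces no findings.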
Alternatives to Tailscale
VPN and networking solutions vary by use case:
Headscale
Headscale is an open-source, self-hosted implementation of the Tailscale coordination server. It gives you the same mesh VPN without depending on Tailscale's infrastructure. Requires more setup and doesn't have feature parity with Tailscale's hosted service.
ZeroTier
ZeroTier is a similar mesh networking solution. It supports more complex network topologies (bridges, routes) but has a less polished user experience. Tailscale is simpler to set up; ZeroTier is more flexible for complex networking scenarios.
WireGuard (Manual Setup)
You can set up WireGuard manually without Tailscale, but you need to manage keys, peer configurations, and NAT traversal yourself. Tailscale automates all of this. Manual WireGuard makes sense if you have specific network requirements Tailscale doesn't support.
ngrok
ngrok exposes local services to the public internet, similar to Tailscale Funnel. But ngrok is purely for public access, while Tailscale is a private network with optional public access. Different tools for different needs.
Pricing
The free Personal plan includes up to 100 devices and 3 users—more than enough for individual developers. The Personal Plus plan ($5/month, $48/year) adds custom domain support and improved connectivity. Team plans start at $6/user/month (Starter) and $18/user/month (Premium) with advanced ACLs, SSO, and admin features. Enterprise plans add audit logs, auto-labeling, and dedicated support with custom pricing. All paid plans include a 7-day free trial of Premium features.
Pros
- ✓ No server to maintain—mesh VPN with zero infrastructure
- ✓ Direct peer-to-peer connections for low latency
- ✓ WireGuard underneath: fast, encrypted, battery-efficient
- ✓ MagicDNS gives hostname-based access across devices
- ✓ Tailscale SSH eliminates SSH key management
- ✓ Free plan supports 100 devices—more than enough for personal use
- ✓ Works through NAT, firewalls, and carrier-grade NAT
- ✓ ACLs for team access control
Cons
- ✗ Depends on Tailscale's coordination server (not fully self-hosted without Headscale)
- ✗ 100.x.x.x IP range can conflict with some corporate networks
- ✗ Exit node routing adds latency compared to direct internet
- ✗ Some features (Funnel, custom DERP) are confusing for new users
- ✗ macOS app requires a VPN configuration profile that may conflict with other VPNs
- ✗ Not a replacement for privacy VPNs (Mullvad, ProtonVPN)—different purpose
Community & Company
Tailscale is a venture-backed company founded in 2019 by Brad Fitzpatrick (creator of LiveJournal and memcached) and others. The product is partially open-source—the client is open-source (tailscale/tailscale on GitHub, 20,000+ stars), while the coordination server is proprietary (Headscale provides an open-source alternative). Tailscale has an active community on GitHub, Reddit (r/Tailscale), and their own community forum. The documentation is excellent—clear, practical, and well-maintained. Tailscale is widely adopted in the developer community and increasingly in enterprise settings.
Sources & References
Key Verified Facts
- Official documentation confirming that Tailscale is a zero-config VPN built on top of the WireGuard protocol, creating a private mesh network. [1]
- Detailed technical explanation of how Tailscale connects devices directly using NAT traversal without requiring users to open firewall ports or manage port forwarding. [2]
- Documentation for the macOS client, detailing how Tailscale integrates with Apple's Network Extension framework and is installable via the Mac App Store. [3]
- Explains the MagicDNS feature, which automatically registers DNS names for devices in the network, allowing connections by hostname instead of IP addresses. [4]
- The official open-source GitHub repository for the Tailscale client node code, demonstrating its foundation on WireGuard. [5]
References
1. What is Tailscale? · Tailscale Docs. Accessed May 6, 2026. "Official documentation confirming that Tailscale is a zero-config VPN built on top of the WireGuard protocol, creating a private mesh network."
2. How NAT traversal works · Tailscale. Accessed May 6, 2026. "Detailed technical explanation of how Tailscale connects devices directly using NAT traversal without requiring users to open firewall ports or manage port forwarding."
3. macOS · Tailscale Docs. Accessed May 6, 2026. "Documentation for the macOS client, detailing how Tailscale integrates with Apple's Network Extension framework and is installable via the Mac App Store."
4. MagicDNS · Tailscale Docs. Accessed May 6, 2026. "Explains the MagicDNS feature, which automatically registers DNS names for devices in the network, allowing connections by hostname instead of IP addresses."
5. tailscale/tailscale: The easiest, most secure way to use WireGuard and 2FA. Accessed May 6, 2026. "The official open-source GitHub repository for the Tailscale client node code, demonstrating its foundation on WireGuard."
6. juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server. Accessed May 6, 2026. "An open-source repository for Headscale, verifying that the Tailscale protocol ecosystem can be interacted with using self-hosted, alternative control planes."
7. How Tailscale Works. Accessed May 6, 2026. "Official Tailscale blog explaining how Tailscale replaces traditional hub-and-spoke VPNs with a peer-to-peer mesh network that requires zero firewall configuration."
8. Tailscale Pricing. Accessed May 6, 2026. "Official Tailscale pricing page detailing current plans including Personal (free), Personal Plus, Starter, Premium, and Enterprise tiers with up-to-date pricing."
9. Tailscale Changelog. Accessed May 6, 2026. "Official Tailscale changelog documenting the latest releases, security updates, and feature additions across all platforms."