Tailscale
Tailscale is a software-defined mesh virtual private network (VPN) service that enables secure, zero-configuration connectivity between devices, servers, and services across the internet using the WireGuard protocol for end-to-end encryption.[1] Built on open-source foundations, it facilitates point-to-point networking with automatic NAT traversal, eliminating the need for manual port forwarding or complex firewall rules, and supports granular access controls based on user identity and device posture.[1] The service is designed for both personal and enterprise use, allowing users to create private networks that span clouds, on-premises environments, and mobile devices without traditional VPN hardware.[1] Tailscale operates by leveraging a lightweight coordination server to manage authentication, key distribution, and network topology, while all data traffic flows directly between peers via WireGuard tunnels for optimal performance and security.[1] This architecture enforces zero-trust principles, where access is restricted to the minimum necessary privileges, and integrates with over 100 tools such as Docker, Kubernetes, and identity providers like Okta and Google Workspace.[1] Key features include subnet routing for site-to-site connections, MagicDNS for simplified device naming, and enterprise-grade tools like audit logs, SSH session recording, and automated device onboarding, all while maintaining SOC 2 compliance and regular security audits.[1] Founded in 2019 in Toronto, Canada, by software engineers Avery Pennarun, David Carney, and David Crawshaw—former contributors to projects at Google and other tech firms—Tailscale Inc. emerged from a desire to revive the decentralized, user-centric networking ideals of the early internet.[2][3] The company, which operates fully remotely with a diverse team, has raised significant funding, including a $14.5 million CAD Series A in 2020 and subsequent rounds from investors like Accel and Insight Partners, reaching Series C status by 2025.[2][4] Tailscale has gained widespread adoption, serving over 10,000 organizations, including notable companies like Duolingo, Instacart, and Hugging Face, for use cases ranging from remote team access to secure IoT deployments and homelab setups.[5] Its free tier for personal use has made it popular among developers and hobbyists, while enterprise offerings emphasize scalability and compliance for production environments.[1] The platform's open-source components, hosted on GitHub, encourage community contributions and transparency in its core implementation.[6]
History
Founding and Early Development
Tailscale was founded in 2019 in Toronto, Canada, by former Google engineers Avery Pennarun, David Carney, David Crawshaw, and Brad Fitzpatrick.[7][3][8] The company emerged from the founders' shared experiences at Google, where they worked on large-scale distributed systems, aiming to recreate the simplicity of internal networking for external use.[9] The name "Tailscale" draws inspiration from Google's 2013 research paper "The Tail at Scale," which discusses handling latency variability in massive distributed systems.[10][11] This reference reflects the founders' intent to address the "tail" of networking challenges—those rare but problematic edge cases in connectivity—that traditional solutions often overlook.[10] From its inception, Tailscale focused on resolving zero-config VPN difficulties faced by developers, leveraging the WireGuard protocol to enable seamless mesh networking without manual port forwarding or complex setups.[9][12] The goal was to provide secure, peer-to-peer connections that mimicked the ease of internal corporate networks, eliminating the hassles of legacy VPNs like firewall rules and hardware dependencies.[9][12] Early development proceeded as an open-source project hosted on GitHub, with the initial code release for the Linux client occurring in February 2020.[13] This was followed by the product's general availability announcement in April 2020, highlighting its emphasis on rapid deployment and user-friendly authentication over the intricacies of conventional VPN configurations.[9][7]
Funding and Growth
Tailscale secured $12 million in Series A funding in November 2020, led by Accel with participation from Heavybit and Uncork Capital, to accelerate development of its distributed networking platform.[14] In May 2022, the company raised $100 million in a Series B round co-led by CRV and Insight Partners, with additional investment from Accel, Heavybit, and Uncork Capital, valuing Tailscale at $1 billion and supporting expansion into enterprise markets.[15] In April 2025, Tailscale raised $160 million in a Series C round led by Accel, with participation from CRV, Insight Partners, Heavybit, and Uncork Capital.[16] By 2025, Tailscale's user base had grown to millions of connected devices worldwide, with over 10,000 paid business customers, highlighting strong enterprise adoption among organizations seeking secure, zero-trust networking solutions.[17] This expansion was driven by the platform's scalability and integration capabilities, enabling widespread use in both small teams and large-scale deployments. Key milestones included the launch of paid tiers in June 2021, with Team and Business plans starting at $5 and $15 per user per month, respectively, to monetize enterprise features.[18] By 2023, Tailscale had deepened integrations with major cloud providers like AWS, Azure, and Google Cloud Platform, facilitating seamless connectivity across hybrid environments.[19] The project is licensed under the BSD-3-Clause license.[6]
Technical Overview
Core Architecture
Tailscale employs a mesh VPN architecture that enables direct, peer-to-peer connections between devices, forming a secure virtual network known as a "tailnet." At its core, this model leverages WireGuard as the data plane, which establishes lightweight, encrypted tunnels for all communication between nodes. WireGuard handles the encryption, decryption, and routing of traffic in a cryptographically secure manner, ensuring end-to-end protection without relying on intermediary proxies for the primary data flow. This design prioritizes efficiency and simplicity, allowing devices to communicate as if on a local network while maintaining high performance for applications like file sharing or remote access.[20][21] The control plane, managed by Tailscale's centralized coordination server, oversees key management, authentication, and network coordination to facilitate these peer connections. It generates and distributes WireGuard public-private key pairs to authenticated devices, enabling secure tunnel establishment without manual configuration. Authentication occurs through OAuth 2.0 and OpenID Connect protocols, integrating with identity providers such as Google, GitHub, or enterprise SSO systems, while device provisioning can use ephemeral auth keys—essentially shared secrets—for automated or headless setups. The control plane also enforces access policies and handles topology updates, ensuring nodes receive only the necessary information to connect to authorized peers.[20][22][23] To prevent address conflicts with existing private networks, Tailscale assigns IPv4 addresses from the Carrier-Grade NAT (CGNAT) range of 100.64.0.0/10, as specified in RFC 6598. This range, reserved for shared address space in ISP environments (spanning 100.64.0.0 to 100.127.255.255), is unlikely to overlap with standard RFC 1918 private subnets like 192.168.0.0/16 or 10.0.0.0/8 used in home or enterprise LANs. Additionally, Tailscale assigns IPv6 addresses from the Unique Local Address (ULA) range fc00::/8, as defined in RFC 4193, enabling dual-stack networking. By operating within this space, Tailscale ensures stable, unique identifiers for nodes across diverse network environments, including those behind multiple NAT layers, without exposing addresses to the public internet.[24][25][26] Tailscale's design adopts a client-server hybrid model, where lightweight client software runs on each node to manage local WireGuard operations and periodic check-ins with the coordination server. Nodes register upon joining the tailnet, receiving their IP assignment, keys, and peer maps from the server, which acts solely as a discovery and management hub rather than a data relay. This separation allows for scalable, decentralized traffic flow while centralizing administrative functions, making the system resilient to individual node failures and easy to deploy on endpoints like laptops, servers, or IoT devices.[20][27]
Networking Mechanisms
Tailscale employs several techniques to traverse Network Address Translation (NAT) devices and establish direct peer-to-peer (P2P) connections between nodes. The primary method involves STUN (Session Traversal Utilities for NAT), where clients query DERP servers acting as STUN servers to discover their public IP addresses and ports from an external perspective.[28] This enables UDP hole punching, allowing peers to simultaneously send packets to each other's discovered endpoints, thereby creating a direct path through symmetric or restrictive NATs without requiring port forwarding.[29] To enhance connectivity in environments with port-restricted NATs, Tailscale supports port mapping protocols such as UPnP (Universal Plug and Play), NAT-PMP (NAT Port Mapping Protocol), and PCP (Port Control Protocol). These protocols allow clients to request the NAT device to open specific public ports and forward traffic to the internal endpoint, effectively making the NAT "friendlier" by bypassing firewall rules for those ports.[29] When direct P2P connections fail due to complex NAT configurations or firewalls blocking UDP, Tailscale falls back to DERP (Detoured Encrypted Routing Protocol) relays, which forward encrypted WireGuard packets over HTTPS streams, ensuring connectivity even in restrictive networks.[27] For accessing local subnets behind a Tailscale node, particularly on Linux, Source NAT (SNAT) can be disabled on the VPN interface using the --snat-subnet-routes=false flag to route traffic directly to devices on the local network without address translation.[27][30] This subnet routing capability allows users to expose entire local networks—such as office or datacenter subnets—to the Tailscale mesh, enabling seamless access to resources like printers or servers that are not individually enrolled.[30] DERP relay servers play a crucial role in maintaining reliable connections by not only serving as a fallback but also selecting low-latency paths among a global network of regionally distributed relays.[31] These servers forward end-to-end encrypted traffic using WireGuard keys, preserving privacy while minimizing overhead in scenarios where direct UDP paths are unavailable.[27] To support dynamic network topologies, Tailscale implements automatic key rotation and endpoint discovery through its coordination server. Nodes periodically generate new WireGuard keypairs, share updated public keys via the server, and use STUN-derived endpoint information to rediscover peers without manual reconfiguration.[27] This process ensures ongoing connectivity as devices move between networks or IP addresses change.[29]
Features
Security and Access Controls
Tailscale implements a zero-trust networking model, where no implicit trust is granted based on network location or perimeter, requiring verification of every access request through identity and policy enforcement.[32] This approach eliminates default access, mandating explicit approvals for device joins to the tailnet and for sharing subnets, ensuring that only authorized entities can participate in the network.[32] Access controls are enforced via Access Control Lists (ACLs), which adhere to the principle of least privilege by defining granular permissions for traffic between nodes, users, and groups on a deny-by-default basis.[33] ACLs specify sources (such as users, groups, or tagged devices) and destinations (including IP addresses, ports, and protocols), allowing administrators to restrict lateral movement and limit exposure within the tailnet.[33] Tailscale Services, in public beta as of October 2025, allows defining services on the tailnet with virtual IP addresses (TailVIPs) and DNS names, enabling load balancing and more granular access controls via policies on these resources.[34] All communications in Tailscale are secured with end-to-end encryption using the WireGuard protocol, which employs the Noise IK handshake for key exchange based on Curve25519 elliptic curve cryptography.[35] Mutual authentication occurs through public-private key pairs, where each node's public key is verified before establishing a connection, preventing unauthorized access without relying on central decryption.[27] Tailscale's mesh networking supports direct peer-to-peer connections secured by this encryption model.[27] Tailscale also supports state encryption for the state file at rest on disk, using platform-specific mechanisms such as TPM 2.0 on Windows and Linux or Keychain on macOS, to protect private keys from cloning attacks (introduced in version 1.86, July 2025).[36] Tailscale provides audit logging for connection events, authentication attempts, and configuration changes, including key management actions, to enable monitoring and compliance.[37] These logs can be streamed to external systems for analysis, and Tailscale integrates with identity providers such as Google Workspace and Okta for single sign-on (SSO) and multi-factor authentication (MFA), enhancing access verification without compromising log integrity.[38][39]
Management Tools
Tailscale provides a web-based admin console as the primary interface for managing a tailnet, which is the private network created by the service. Accessible via login.tailscale.com/admin, the console allows administrators to oversee users, devices, DNS settings, and permissions centrally. Device approvals are handled through this interface, where administrators can review and authorize new devices joining the network to ensure only trusted hardware connects. Additionally, the Access Controls page enables direct editing of access control lists (ACLs), which define granular permissions for users and devices within the tailnet. A visual policy editor, available in beta since August 2025, offers a web-based interface for editing ACLs with forms, previews, and switchable JSON views.[40][41][33][42] The Tailscale CLI, invoked via the tailscale command, offers local command-line operations for device-level management and troubleshooting. Administrators can use tailscale status to check connection details, including IP addresses, machine names, and online status of peers in the tailnet. For IP assignments, the tailscale ip command retrieves a device's Tailscale IPv4 or IPv6 address, supporting queries for remote devices by hostname. Exit node setup is facilitated through the tailscale up command with flags like --advertise-exit-node to designate a device as an exit node or --exit-node=<IP|name> to route traffic via one.[43]
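To make the deny-by-default ACL semantics described under Security and Access Controls concrete before they are edited in the admin console or pushed through the API, here is an added, simplified evaluator; it is not Tailscale's policy engine or its exact file format. The device inventory, the group membership, the rules and the helper names are all constructed for this illustration, and destination hosts are limited to IPv4 addresses, CIDRs, tags or "*".

```python
import ipaddress

# Constructed inventory of tailnet nodes (addresses drawn from the 100.64.0.0/10 CGNAT range).
# A node is either user-owned ("user" set) or tagged ("tags" set), as in a tailnet.
DEVICES = {
    "laptop-alice": {"ip": "100.64.0.10", "user": "alice@example.com", "tags": []},
    "laptop-bob":   {"ip": "100.64.0.11", "user": "bob@example.com",   "tags": []},
    "prod-db":      {"ip": "100.64.0.20", "user": None, "tags": ["tag:prod"]},
}

# Constructed policy in the shape of a Tailscale ACL: rules only ever "accept",
# so a flow that matches no rule is denied (deny-by-default, least privilege).
POLICY = {
    "groups": {"group:eng": ["alice@example.com"]},
    "acls": [
        {"action": "accept", "src": ["group:eng"], "dst": ["tag:prod:22,5432"]},
        {"action": "accept", "src": ["*"], "dst": ["tag:prod:443"], "proto": "tcp"},
    ],
}

def _src_matches(selector, dev, policy):
    """Source selectors: '*', 'group:<name>', 'tag:<name>' or a user login."""
    if selector == "*":
        return True
    if selector.startswith("group:"):
        return dev["user"] in policy["groups"].get(selector, [])
    if selector.startswith("tag:"):
        return selector in dev["tags"]
    return dev["user"] == selector

def _ports_match(spec, port):
    """Port spec: '*', a single port, a range 'lo-hi', or a comma-separated list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _dst_matches(selector, dev, port):
    """Destination selectors are '<host>:<ports>'; host is '*', a tag, or an IPv4/CIDR."""
    host, _, ports = selector.rpartition(":")   # simplification: IPv4 hosts only
    if host == "*":
        host_ok = True
    elif host.startswith("tag:"):
        host_ok = host in dev["tags"]
    else:
        host_ok = ipaddress.ip_address(dev["ip"]) in ipaddress.ip_network(host, strict=False)
    return host_ok and _ports_match(ports, port)

def is_allowed(policy, devices, src, dst, port, proto="tcp"):
    """Return True only if some accept rule covers the flow; anything else is denied."""
    s, d = devices[src], devices[dst]
    for rule in policy["acls"]:
        if rule.get("proto", proto) != proto:          # absent proto means any protocol
            continue
        if not any(_src_matches(x, s, policy) for x in rule["src"]):
            continue
        if any(_dst_matches(x, d, port) for x in rule["dst"]):
            return True
    return False
```

Running a candidate policy through a check like this before committing it shows which flows between user-owned and tagged nodes become reachable, which is the lateral-movement exposure the ACL is meant to bound.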
Tailscale's API supports programmatic automation of tailnet operations, available to all plans and authenticated via access tokens generated in the admin console. These tokens, with expiration periods from 1 to 90 days, enable scripting for tasks such as dynamic ACL policy updates and device management. The API also facilitates monitoring by allowing queries for network state and events, integrating with external tools for automated workflows. Detailed endpoints are documented interactively at tailscale.com/api.[44]
For oversight, Tailscale includes a monitoring dashboard integrated into the admin console, providing real-time visibility into tailnet health. The dashboard displays device online status, last-seen timestamps for node health assessment, and service discovery for running applications. Traffic statistics and anomaly detection are supported through network flow logging, which captures node-to-node interactions and can stream to SIEM systems for alerting on unusual patterns. Client metrics, exportable to Prometheus-compatible systems, further enhance monitoring of connection performance and uptime.[45][46][47]
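As an added example (not Tailscale's own tooling), the following script runs a node-hygiene check over a constructed snapshot in the shape of tailscale status --json: it flags peers that are offline, not seen within a retention window, or running on an expired node key, and verifies that every tailnet IPv4 address falls inside the 100.64.0.0/10 range described under Core Architecture. The field names used (Peer, HostName, TailscaleIPs, Online, LastSeen, Expired) are assumed from the CLI's JSON output and should be confirmed against your client version; the snapshot and the reference time are constructed.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")   # CGNAT range used for tailnet IPv4 addresses

# Constructed snapshot in the shape of `tailscale status --json` (field names assumed from the CLI).
STATUS_JSON = """
{
  "Self": {"HostName": "admin-laptop", "TailscaleIPs": ["100.64.0.1"], "Online": true},
  "Peer": {
    "nodekey:aaaa": {"HostName": "prod-db", "TailscaleIPs": ["100.64.0.20"], "Online": true,
                     "LastSeen": "2025-10-01T12:00:00Z", "Expired": false, "Tags": ["tag:prod"]},
    "nodekey:bbbb": {"HostName": "old-nas", "TailscaleIPs": ["100.64.0.30"], "Online": false,
                     "LastSeen": "2025-06-01T08:30:00Z", "Expired": true},
    "nodekey:cccc": {"HostName": "odd-box", "TailscaleIPs": ["10.0.0.5"], "Online": true,
                     "LastSeen": "2025-10-01T11:59:00Z", "Expired": false}
  }
}
"""

def _parse_ts(value):
    # The CLI emits RFC 3339 timestamps; fromisoformat on older Pythons needs "+00:00", not "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_status(status_json, now, stale_after=timedelta(days=30)):
    """Return {hostname: [findings]} for peers needing attention; an empty dict means all clear."""
    status = json.loads(status_json)
    findings = {}
    for peer in status.get("Peer", {}).values():
        issues = []
        if not peer.get("Online", False):
            issues.append("offline")
        last_seen = peer.get("LastSeen")
        if last_seen and now - _parse_ts(last_seen) > stale_after:
            issues.append("stale")          # candidate for removal from the tailnet
        if peer.get("Expired"):
            issues.append("key-expired")    # node key past expiry; device must re-authenticate
        for ip in peer.get("TailscaleIPs", []):
            addr = ipaddress.ip_address(ip)
            if addr.version == 4 and addr not in TAILNET_V4:
                issues.append(f"unexpected-address:{ip}")  # outside the CGNAT range
        if issues:
            findings[peer["HostName"]] = issues
    return findings

def audit_sample():
    """Run the audit against the constructed snapshot at a fixed, constructed reference time."""
    now = datetime(2025, 10, 1, 12, 30, tzinfo=timezone.utc)
    return audit_status(STATUS_JSON, now)

if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

On a live tailnet the same function can be fed the real output of tailscale status --json with the current time, and the findings forwarded to whatever alerting the flow logs already stream into.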
Supported Platforms
Client Operating Systems
Tailscale provides client software for a variety of end-user operating systems, enabling secure networking on desktops, mobiles, and select legacy systems. The client implementations are designed to integrate seamlessly with each platform's native networking stack, supporting both graphical user interfaces (GUIs) for ease of use and command-line interfaces (CLIs) for advanced configuration.[43][48] For desktop environments, Tailscale supports Microsoft Windows versions 10 and later, as well as Windows Server 2016 and later, through a native application that includes both GUI and CLI components. Installation on Windows is typically performed via an MSI installer or executable download from the official package server, with the client running as a system service for persistent connectivity.[49] On macOS (version 12 Monterey or later), the client utilizes a system extension for VPN integration, available via the Mac App Store for GUI-based setup or as a standalone package from Tailscale's repository for CLI-focused users; this approach ensures compatibility with macOS's security model without kernel extensions.[50][51] Linux support covers major distributions including Ubuntu (via APT), Debian, Fedora, CentOS/RHEL (via YUM/DNF), and openSUSE, with pre-built packages hosted on Tailscale's stable repository; users can install via package managers followed by the tailscale up command to authenticate and connect.[52][53] Auto-updates are handled through built-in mechanisms on these platforms, such as the tailscale update CLI command where available, or via distribution-specific tools.[54]
Mobile device support includes dedicated apps for Android (version 8 or later) and iOS (version 15 or later), distributed through the Google Play Store and Apple App Store, respectively. The Android client operates with a background service to maintain VPN tunnels even when the app is not in the foreground, installing a system VPN configuration upon first launch.[48][55][56] On iOS, the app leverages Apple's Network Extension framework to establish per-app or full-device VPN profiles, allowing split-tunnel or full-tunnel modes with automatic handling of background connectivity restrictions.[57][58] For Apple TV devices running tvOS 17 or later (version 18 or later recommended), a limited-purpose app enables media streaming and basic networking, installed via the App Store and configured similarly to iOS with VPN profile approval; it supports features like exit node functionality but lacks full CLI access.[59][60]
Additionally, a client exists for Plan 9 operating systems, ported to support both minimal forks like 9legacy and modified variants like 9front, allowing legacy systems to join Tailscale networks for file sharing and namespace interactions.[61] Tailscale clients can also extend to containerized environments via lightweight integrations, such as running the client within Docker containers.[30]