
Tailscale

Tailscale is a mesh VPN built on WireGuard that connects devices and services directly over an encrypted peer-to-peer network and coordinates key distribution through a central control plane.


Direct encrypted connections without a central tunnel bottleneck

Classic VPNs route all traffic through a central concentrator. Tailscale takes a different approach: it builds an overlay network in which the nodes talk to each other directly. The actual data plane is based on WireGuard, a lean and fast VPN protocol whose core components are licensed under the GPLv2. Traffic is end-to-end encrypted and flows, wherever possible, directly between the devices involved rather than through the provider's servers. Tailscale thereby connects distributed sites, cloud resources, and individual work devices as if they were all on the same local network.

Control plane and data plane are separate

Tailscale separates control from data traffic. A central control plane, the coordination server, distributes the public keys of the nodes and brokers their reachability. It carries almost no payload traffic itself: the private keys never leave the respective device, so only the two communicating nodes can encrypt and decrypt the traffic. To establish connections behind firewalls and NAT, Tailscale uses NAT traversal techniques. When no direct connection succeeds, so-called DERP relays forward the encrypted packets without being able to decrypt them.
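The split described above can be made concrete in a small model. The following Go program is an added example, not Tailscale's or WireGuard's code: a `Coordination` type stands in for the control plane and stores only registered public keys, two `Node`s keep their X25519 private keys locally, and a `Relay` stands in for a DERP server that forwards the encrypted packet unchanged. For brevity it substitutes SHA-256 of the raw X25519 shared secret and AES-GCM for WireGuard's Noise handshake and ChaCha20-Poly1305; those substitutions, the node names, and the message are assumptions of the example. The relay's `TryRead` shows why a DERP server cannot read the payload even with every public key from the control plane: without a node's private key it derives a different shared secret and authentication fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Coordination models the control plane: it holds each node's public key and
// hands it to peers, but never a private key and never a payload.
type Coordination struct{ pubKeys map[string]*ecdh.PublicKey }

func NewCoordination() *Coordination {
	return &Coordination{pubKeys: map[string]*ecdh.PublicKey{}}
}

func (c *Coordination) Lookup(name string) (*ecdh.PublicKey, error) {
	pub, ok := c.pubKeys[name]
	if !ok {
		return nil, fmt.Errorf("unknown node %q", name)
	}
	return pub, nil
}

// Node keeps its X25519 private key locally; only the public half is registered.
type Node struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewNode(name string, coord *Coordination) (*Node, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	coord.pubKeys[name] = priv.PublicKey()
	return &Node{Name: name, priv: priv}, nil
}

// sessionAEAD derives a symmetric key from the X25519 shared secret with peer.
// Simplification (assumption of this example): SHA-256 of the shared secret
// and AES-GCM replace WireGuard's Noise handshake and ChaCha20-Poly1305.
func sessionAEAD(priv *ecdh.PrivateKey, coord *Coordination, peer string) (cipher.AEAD, error) {
	pub, err := coord.Lookup(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// openPacket splits the prepended nonce from the ciphertext and authenticates it.
func openPacket(g cipher.AEAD, packet []byte) ([]byte, error) {
	if len(packet) < g.NonceSize() {
		return nil, errors.New("packet too short")
	}
	return g.Open(nil, packet[:g.NonceSize()], packet[g.NonceSize():], nil)
}

// Seal encrypts plaintext for peer; a fresh random nonce is prepended.
func (n *Node) Seal(coord *Coordination, peer string, plaintext []byte) ([]byte, error) {
	g, err := sessionAEAD(n.priv, coord, peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(plaintext)+g.Overhead())
	return g.Seal(append(out, nonce...), nonce, plaintext, nil), nil
}

// Open decrypts a packet that peer sealed for this node.
func (n *Node) Open(coord *Coordination, peer string, packet []byte) ([]byte, error) {
	g, err := sessionAEAD(n.priv, coord, peer)
	if err != nil {
		return nil, err
	}
	return openPacket(g, packet)
}

// Relay models a DERP server: it sees the control plane's public keys and the
// ciphertext, but holds no node private key.
type Relay struct{ coord *Coordination }

// Forward passes the packet on byte-for-byte.
func (r Relay) Forward(packet []byte) []byte { return append([]byte(nil), packet...) }

// TryRead is the relay's attempt to decrypt with a key of its own plus the
// sender's public key; the derived secret differs, so AES-GCM rejects the tag.
func (r Relay) TryRead(sender string, packet []byte) ([]byte, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	g, err := sessionAEAD(priv, r.coord, sender)
	if err != nil {
		return nil, err
	}
	return openPacket(g, packet)
}

// Demo runs one exchange: alice seals for bob, the relay forwards, bob opens.
// It returns bob's recovered text and whether the relay's own attempt failed.
func Demo() (string, bool, error) {
	coord := NewCoordination()
	alice, err := NewNode("alice", coord) // constructed node names
	if err != nil {
		return "", false, err
	}
	bob, err := NewNode("bob", coord)
	if err != nil {
		return "", false, err
	}
	pkt, err := alice.Seal(coord, "bob", []byte("hello from alice"))
	if err != nil {
		return "", false, err
	}
	relay := Relay{coord: coord}
	forwarded := relay.Forward(pkt)
	_, relayErr := relay.TryRead("alice", forwarded)
	got, err := bob.Open(coord, "alice", forwarded)
	if err != nil {
		return "", false, err
	}
	return string(got), relayErr != nil, nil
}

func main() {
	msg, relayFailed, err := Demo()
	fmt.Printf("bob read: %q; relay failed to decrypt: %v; err: %v\n", msg, relayFailed, err)
}
```

Note what the model leaves out: the real control plane also brokers endpoints for NAT traversal and enforces access policy, and WireGuard rotates session keys through its handshake rather than deriving a static key as here. The property the example isolates is the one that matters for trust in the hosted service: compromise of the coordination server or a relay yields public keys and ciphertext, not plaintext.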

Open and proprietary components working together

Tailscale is not an end-to-end open-source product but combines open and proprietary building blocks. The client, meaning the daemon and the command-line tool, is open source and licensed under BSD-3-Clause; the DERP relay servers are open as well. The coordination server, by contrast, is proprietary and operated by the provider as a hosted service. Those who want to run the control plane themselves can turn to Headscale, an open-source, self-hostable implementation of the coordination server under the BSD-3-Clause licence. Headscale is a community project and is not affiliated with Tailscale Inc., even though one maintainer is employed by the provider.

Where it sits in the network

Tailscale belongs to the class of identity-based overlay networks and can be deployed as a building block of a zero-trust architecture, in which every access is explicitly authorised rather than granted on the basis of network position. In the market the service sits alongside alternatives such as NetBird, which likewise build a WireGuard-based mesh. Those who need a fully self-operated control plane combine the open Tailscale client with Headscale or choose a solution with an open-source server.
