Tailscale
Tailscale is a mesh VPN built on WireGuard that connects devices and services directly over an encrypted peer-to-peer network and coordinates key distribution through a central control plane.
Direct encrypted connections without a central tunnel bottleneck
Classic VPNs route all traffic through a central concentrator. Tailscale takes a different approach: it builds an overlay network in which the nodes talk to each other directly. The actual data plane is based on WireGuard, a lean and fast VPN protocol whose core components are licensed under the GPLv2. Traffic is end-to-end encrypted and flows, wherever possible, directly between the devices involved rather than through the provider's servers. Tailscale thereby connects distributed sites, cloud resources, and individual work devices as if they were all on the same local network.
Control plane and data plane are separate
Tailscale separates control traffic from data traffic. A central control plane, the coordination server, distributes the public keys of the nodes and brokers their reachability. It carries almost no payload traffic itself, and the private keys never leave the respective device, so only the two communicating nodes can encrypt and decrypt the traffic. To establish connections behind firewalls and NAT, Tailscale uses NAT traversal techniques. When no direct connection succeeds, so-called DERP relays forward the encrypted packets without being able to decrypt them.
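The key separation described above, as an added Go example that is not Tailscale's or WireGuard's code: a directory of public keys plays the coordination server, and a keyless relay forwards a packet it cannot read. Assumptions: X25519 with SHA-256 and AES-GCM stands in for WireGuard's actual handshake and ciphers, and the names Node, Relay and dir are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Node struct{ priv *ecdh.PrivateKey } // a device; priv is generated locally and never leaves it

func NewNode() *Node { return &Node{must(ecdh.X25519().GenerateKey(rand.Reader))} }

func (n *Node) aead(peer *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(must(n.priv.ECDH(peer))) // own private key + peer's public key
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

func (n *Node) Seal(peer *ecdh.PublicKey, msg []byte) []byte {
	g := n.aead(peer)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, msg, nil) // packet = nonce || ciphertext || tag
}

func (n *Node) Open(peer *ecdh.PublicKey, pkt []byte) ([]byte, error) {
	g := n.aead(peer)
	if len(pkt) < g.NonceSize() {
		return nil, fmt.Errorf("short packet: %d bytes", len(pkt))
	}
	return g.Open(nil, pkt[:g.NonceSize()], pkt[g.NonceSize():], nil)
}

func Relay(pkt []byte) []byte { return append([]byte(nil), pkt...) } // DERP stand-in: copies bytes, holds no key

func main() {
	a, b := NewNode(), NewNode()
	dir := map[string]*ecdh.PublicKey{"a": a.priv.PublicKey(), "b": b.priv.PublicKey()} // control plane: public keys only
	pkt := Relay(a.Seal(dir["b"], []byte("constructed sample payload")))
	fmt.Println(string(must(b.Open(dir["a"], pkt))))
}
```

Because the packet is authenticated as well as encrypted, a relay that alters even one byte causes Open to return an error at the receiving node.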
Open and proprietary components working together
Tailscale is not a fully open-source product but combines open and proprietary building blocks. The client, meaning the daemon and the command-line tool, is open source and licensed under BSD-3-Clause; the DERP relay servers are open as well. The coordination server, by contrast, is proprietary and operated by the provider as a hosted service. Those who want to run the control plane themselves can turn to Headscale, an open-source, self-hostable implementation of the coordination server under the BSD-3-Clause licence. Headscale is a community project and is not affiliated with Tailscale Inc., even though one maintainer is employed by the provider.
Where it sits in the network
Tailscale belongs to the class of identity-based overlay networks and can be deployed as a building block of a zero-trust architecture, in which every access is explicitly authorised rather than granted on the basis of network position. In the market the service sits alongside alternatives such as NetBird, which likewise build a WireGuard-based mesh. Those who need a fully self-operated control plane combine the open Tailscale client with Headscale or choose a solution with an open-source server.
Related topics
- Zero Trust, the access context for Tailscale.
- Security Strategy, the security frame for Tailscale.
- Compliance, the control frame for Tailscale.