Tailscale

A zero-configuration mesh VPN built on WireGuard that creates a secure private network between your devices — no firewall rules, no static IPs, no port forwarding required.

Tailscale takes the cryptographic strength of WireGuard and wraps it in a coordination layer that eliminates the manual configuration that makes WireGuard hard to operate at scale. Install the client, log in with your identity provider, and your device joins the mesh. Every other device on your tailnet (subject to your ACL policy) is immediately reachable via a stable 100.x.x.x IP — through NAT, firewalls, and across cloud providers.

How Tailscale Works

Tailscale separates the data plane from the control plane:

  • Control plane — Tailscale's servers handle key distribution, authentication, and peer discovery. They never see your traffic — only public keys and network topology.
  • Data plane — Direct WireGuard tunnels between peers. Traffic goes peer-to-peer when possible, falling back to DERP relay servers only when a direct connection fails (for example, behind symmetric NAT); relayed traffic remains end-to-end encrypted, so the relay forwards ciphertext it cannot read.

Key Features

  • MagicDNS — hostname resolution across the tailnet (laptop.tailscale.ts.net)
  • ACLs — fine-grained access control (user A can reach SSH on server B, but not port 5432)
  • Exit nodes — route all traffic through a device (like a traditional VPN for internet privacy)
  • Subnet routing — expose an entire subnet (e.g., an AWS VPC) to tailnet members via one router node
  • Funnel — expose a local service to the public internet via Tailscale's infrastructure
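
The ACL, subnet-routing and exit-node features above are all governed by the tailnet policy file. The policy below is an added example written for this page, not configuration from Tailscale or from the original article; the users, group names, tags and the 10.20.0.0/16 subnet are constructed placeholders. It encodes the case from the ACLs bullet (developers may reach SSH on servers but not the Postgres port), delegates who may approve advertised routes and exit nodes, and includes policy tests so a misconfiguration is caught before the policy is saved:

```jsonc
{
  // Constructed example identities; replace with your own identity-provider users.
  "groups": {
    "group:devs":  ["alice@example.com"],
    "group:infra": ["bob@example.com"]
  },

  // Only the infra group may apply these tags to nodes.
  "tagOwners": {
    "tag:server": ["group:infra"]
  },

  // Default is deny: anything not listed here is blocked.
  "acls": [
    // Developers can SSH to tagged servers (port 22 only).
    {"action": "accept", "src": ["group:devs"],  "dst": ["tag:server:22"]},
    // Only infra can reach Postgres on the same servers.
    {"action": "accept", "src": ["group:infra"], "dst": ["tag:server:5432"]}
  ],

  // Routes and exit nodes advertised by tag:server nodes are approved
  // automatically, so no admin-console click is needed per node.
  "autoApprovers": {
    "routes":   {"10.20.0.0/16": ["tag:server"]},
    "exitNode": ["tag:server"]
  },

  // Policy tests: saving the policy fails if these expectations do not hold.
  "tests": [
    {"src": "alice@example.com", "accept": ["tag:server:22"],   "deny": ["tag:server:5432"]},
    {"src": "bob@example.com",   "accept": ["tag:server:5432"]}
  ]
}
```

The `tests` section is the check worth keeping: it turns the intended access model into assertions that the policy editor evaluates on every change, so a later edit that accidentally widens developer access to port 5432 is rejected rather than silently deployed.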

Tailscale vs Cloudflare Tunnel

Cloudflare Tunnel is optimized for exposing a specific HTTP service publicly; Tailscale is optimized for private mesh networking between trusted devices. Use Tailscale when you want to SSH into machines or connect services across environments privately. Use Cloudflare Tunnel when you want to expose a service to the public internet without opening firewall ports.

Use Cases

  • SSH access to cloud VMs without a bastion host or public IP
  • Secure access to home lab from anywhere
  • Connecting dev machines to staging databases without VPC peering complexity
  • Remote access to IoT/edge devices behind carrier NAT
  • Zero-trust access for small teams (replace corporate VPN)

Self-Hosted: Headscale

Headscale is an open-source implementation of the Tailscale control plane, for organizations that need full control over the coordination server. It's compatible with Tailscale clients.

Related Tools

  • WireGuard — the VPN protocol that powers Tailscale's data plane
  • Cloudflare Tunnel — complementary tool for public service exposure
  • Traefik — reverse proxy often used alongside Tailscale for internal service routing
  • HashiCorp Vault — secrets management that pairs well with Tailscale for zero-trust access control