Tailscale
Tailscale is a zero-config mesh VPN built on WireGuard that creates secure networks between your devices without complex firewall rules or port forwarding.
Why Tailscale?
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│                         Traditional VPN vs Tailscale                         │
│                                                                              │
│  Traditional VPN (Hub-and-Spoke)           Tailscale (Mesh)                  │
│                                                                              │
│          ┌─────────┐                       ┌─────────┐   ┌─────────┐         │
│          │   VPN   │                       │ Device  │───│ Device  │         │
│          │ Server  │                       │    A    │   │    B    │         │
│          └────┬────┘                       └────┬────┘   └────┬────┘         │
│               │                                 │             │              │
│      ┌────────┼────────┐                        └──────┬──────┘              │
│      │        │        │                               │                     │
│   ┌──┴──┐  ┌──┴──┐  ┌──┴──┐                       ┌────┴────┐                │
│   │  A  │  │  B  │  │  C  │                       │ Device  │                │
│   └─────┘  └─────┘  └─────┘                       │    C    │                │
│                                                   └─────────┘                │
│  All traffic through server                Direct peer-to-peer               │
│  Single point of failure                   No central bottleneck             │
│  Complex setup                             Zero configuration                │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
```
Key Features
| Feature | Description |
|---|---|
| Zero Config | No firewall rules, port forwarding, or complex setup |
| WireGuard | Built on modern, fast, secure WireGuard protocol |
| NAT Traversal | Works behind any NAT, even carrier-grade NAT |
| MagicDNS | Automatic DNS for all devices on your network |
| ACLs | Fine-grained access control policies |
| SSO | Integrate with existing identity providers |
| Taildrop | Easy file sharing between devices |
| Exit Nodes | Route internet traffic through any device |
| Subnet Routers | Access entire subnets without installing Tailscale |
Quick Start
1. Install Tailscale
```bash
# Ubuntu/Debian: convenience install script
curl -fsSL https://tailscale.com/install.sh | sh

# Or via the package manager (these URLs are for Ubuntu 22.04 "jammy")
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg | \
  sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.tailscale-keyring.list | \
  sudo tee /etc/apt/sources.list.d/tailscale.list
sudo apt update && sudo apt install tailscale
```
2. Authenticate
Run `sudo tailscale up`, then follow the URL it prints to authenticate with your identity provider.
3. Connect
```bash
# Check status
tailscale status

# Ping another device
tailscale ping my-laptop

# Access services
ssh user@my-server  # Using MagicDNS name
```
How It Works
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│                            Tailscale Architecture                            │
│                                                                              │
│                           ┌─────────────────────┐                            │
│                           │    Coordination     │                            │
│                           │       Server        │                            │
│                           │   (control plane)   │                            │
│                           └──────────┬──────────┘                            │
│                                      │                                       │
│                 ┌────────────────────┼────────────────────┐                  │
│                 │ Key exchange       │ ACL distribution   │                  │
│                 │ NAT traversal      │ Device registration│                  │
│                 ▼                    ▼                    ▼                  │
│             ┌──────────┐        ┌──────────┐        ┌──────────┐             │
│             │ Device A │◄──────►│ Device B │◄──────►│ Device C │             │
│             │ 100.x.x.1│        │ 100.x.x.2│        │ 100.x.x.3│             │
│             └──────────┘        └──────────┘        └──────────┘             │
│                 ▲                    ▲                    ▲                  │
│                 └────────────────────┴────────────────────┘                  │
│                        Direct WireGuard connections                          │
│                         (data plane - peer to peer)                          │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
```
- Control Plane: Tailscale's coordination servers handle key exchange, device registration, and ACL distribution
- Data Plane: Actual traffic flows directly between devices using WireGuard
- NAT Traversal: DERP relays help establish connections when direct paths fail
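Whether a peer is currently reached over a direct path or through a DERP relay can be read from the client's status output. The following is an added example, not code from the original page or from Tailscale: it classifies peers in a constructed sample shaped like `tailscale status --json` and flags addresses outside Tailscale's 100.64.0.0/10 and fd7a:115c:a1e0::/48 ranges. The field names (`Peer`, `Online`, `CurAddr`, `Relay`, `TailscaleIPs`) are assumed to match that output, and the hostnames, addresses and relay code are made up.

```python
import ipaddress
import json

# Constructed sample, trimmed to the fields used below. Field names are assumed
# to match `tailscale status --json`; check them against your client version.
SAMPLE_STATUS = json.loads("""
{
  "Peer": {
    "nodekey:aaaa": {"HostName": "my-server", "TailscaleIPs": ["100.101.102.2"],
                     "Online": true, "CurAddr": "203.0.113.10:41641", "Relay": "fra"},
    "nodekey:bbbb": {"HostName": "my-phone", "TailscaleIPs": ["100.101.102.3"],
                     "Online": true, "CurAddr": "", "Relay": "fra"},
    "nodekey:cccc": {"HostName": "old-box", "TailscaleIPs": ["192.168.1.50"],
                     "Online": false, "CurAddr": "", "Relay": ""}
  }
}
""")

# Ranges Tailscale assigns node addresses from (CGNAT block and its IPv6 ULA).
TAILNET_RANGES = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]


def in_tailnet_range(addr):
    """True if addr falls inside one of the Tailscale address ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in TAILNET_RANGES)


def classify_peers(status):
    """Map each peer hostname to its data-plane path and any unexpected addresses."""
    report = {}
    for peer in (status.get("Peer") or {}).values():
        if not peer.get("Online"):
            path = "offline"
        elif peer.get("CurAddr"):   # a direct WireGuard endpoint is in use
            path = "direct"
        elif peer.get("Relay"):     # no direct endpoint: traffic, if any, goes via DERP
            path = "relayed"
        else:
            path = "unknown"
        odd = [a for a in peer.get("TailscaleIPs", []) if not in_tailnet_range(a)]
        report[peer["HostName"]] = {"path": path, "unexpected_ips": odd}
    return report


if __name__ == "__main__":
    for host, info in classify_peers(SAMPLE_STATUS).items():
        print(f"{host:10} {info['path']:8} {info['unexpected_ips']}")
```

An idle peer can also show no direct endpoint, so treat `relayed` as "no direct path right now" and compare it against the troubleshooting and network port sections listed below.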
Documentation Sections
Fundamentals
- How Tailscale Works - Architecture and concepts
- WireGuard Basics - Underlying protocol
- Networking Concepts - IPs, NAT traversal, DERP
Installation
- Linux - Ubuntu, Debian, RHEL, Arch
- Containers - Docker, Kubernetes
- Other Platforms - macOS, Windows, mobile
Configuration
- Basic Setup - First-time configuration
- CLI Reference - Command line interface
- Environment Variables - Advanced configuration
Features
- MagicDNS - Automatic DNS
- Taildrop - File sharing
- Exit Nodes - Route internet traffic
- Subnet Routers - Access entire networks
- Funnel & Serve - Expose services to internet
Integration
- Docker - Container networking
- Kubernetes - K8s operator
- SSH - Tailscale SSH
- VS Code - Remote development
Administration
- Access Controls - Policy configuration
- User Management - Identity and teams
- Key Management - Auth keys and API
- Logging & Monitoring - Observability
Troubleshooting
- Connection Issues - Debugging connectivity
- Performance - Speed optimization
- Common Problems - FAQ
Reference
- Quick Reference - Command cheat sheet
- Network Ports - Firewall requirements