Article Issue #5232

Tailscale



Tailscale is a commercial VPN product that uses WireGuard as its cryptographic transport layer and adds a coordination plane (operated by Tailscale Inc.) to automate key distribution, NAT traversal, and device authentication. It creates a virtual private mesh network (called a tailnet) where every enrolled device can communicate directly with every other enrolled device using stable private IP addresses (100.x.x.x range), regardless of the underlying network topology. For self-hosters and remote builders, Tailscale is the fastest path to securely accessing home or VPS-hosted services from anywhere.

How it works

When a device joins a tailnet, it generates a WireGuard key pair and registers the public key with Tailscale’s coordination server. Tailscale uses a modified STUN/ICE approach to establish direct peer-to-peer WireGuard tunnels between devices, falling back to DERP (Designated Encrypted Relay for Packets) relay servers when direct connections are not possible due to symmetric NAT. MagicDNS assigns stable human-readable hostnames (device-name.tailnet.ts.net) to each device, eliminating the need to track IP addresses.

Key facts

  • Free tier: The personal free plan supports up to 3 users and 100 devices, which covers most individual and small-team self-hosting use cases
  • Subnet routing: A Tailscale subnet router can expose an entire home network CIDR to the tailnet, giving remote access to devices without Tailscale installed
  • Exit nodes: Any tailnet device can be designated as an exit node, routing all internet traffic through it, effectively acting as a VPN in the traditional sense

For builders

Tailscale is the fastest way for builders to set up secure remote access to self-hosted services without exposing anything to the public internet. The typical workflow is to install Tailscale on the home server and the travel laptop; all self-hosted services then become accessible via their Tailscale hostname from anywhere, with no port forwarding, no dynamic DNS, and no public-facing attack surface. It is also how many small engineering teams share access to common development infrastructure.
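The "no public-facing attack surface" claim only holds if services on the server are not also listening on other interfaces. The following is an added example, not Tailscale's own tooling: it classifies listening sockets by bind address so that anything not restricted to the tailnet or loopback can be reviewed. It assumes output in the shape of `ss -Htln`; the sample lines and the function names are constructed for illustration.

```python
import ipaddress

# Tailscale node address ranges: the IPv4 CGNAT block and Tailscale's IPv6 ULA prefix.
TAILNET = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample in the shape of `ss -Htln` output (not from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 100.101.102.103:8096 0.0.0.0:*
LISTEN 0 128  0.0.0.0:22           0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432       0.0.0.0:*
LISTEN 0 511  192.168.1.20:8080    0.0.0.0:*
LISTEN 0 4096 [::]:443             [::]:*
"""

def split_hostport(local):
    """Split ss's 'addr:port' column, handling [v6], %zone and '*'."""
    host, _, port = local.rpartition(":")
    host = host.split("%")[0].strip("[]")
    if host == "*":            # ss prints '*' for a dual-stack wildcard bind
        host = "::"
    return ipaddress.ip_address(host), int(port)

def classify(addr):
    if addr.is_unspecified:
        return "wildcard"      # listens on every interface, not just the tailnet
    if addr.is_loopback:
        return "loopback"
    if any(addr.version == n.version and addr in n for n in TAILNET):
        return "tailnet"
    return "other"             # LAN or public address

def audit(ss_output):
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_hostport(fields[3])
        findings.append((str(addr), port, classify(addr)))
    return findings

def not_tailnet_only(findings):
    return [(a, p) for a, p, kind in findings if kind in ("wildcard", "other")]

if __name__ == "__main__":
    for addr, port in not_tailnet_only(audit(SAMPLE_SS)):
        print(f"review bind: {addr}:{port}")
```

A wildcard or LAN bind is not necessarily reachable from the internet, but it means the service's exposure depends on the firewall and router rather than on the tailnet alone.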
