Tailscale is not a VPN in the consumer sense. It does not encrypt your traffic to the public internet through a remote server. It does something different: it builds a private mesh network between your devices, so they can reach each other as if they were on the same local network, regardless of where they actually are.
For self-hosters, remote workers, and anyone who has services they want to access from multiple locations without exposing them to the public internet, Tailscale has become the default answer. I have used it as my primary mesh networking layer for over two years across personal and work setups.
What Tailscale is
Tailscale is a commercial mesh networking service built on top of WireGuard. The free tier is generous (up to 100 devices, basic features). Paid tiers add team features, advanced ACLs, and enterprise functionality.
You install the Tailscale client on each device you want to connect. Each device authenticates to your Tailscale account and joins your “tailnet.” Devices on the same tailnet can reach each other directly using their tailnet hostname or IP, with all traffic between them encrypted via WireGuard.
The architecture is hub-and-spoke logically (your devices coordinate through Tailscale’s coordination servers) but peer-to-peer in actual data transfer (the WireGuard tunnels go directly between devices when network conditions allow).
What Tailscale does well
The setup is genuinely friction-free. Install the client, sign in with your account, the device is on your tailnet. No port forwarding. No DNS configuration. No certificate management. Done.
NAT traversal works. Tailscale automatically establishes peer-to-peer connections between devices behind different NAT layers using a combination of techniques (STUN, TURN, hole punching). The result is direct connections in most cases, which means low latency and high throughput.
MagicDNS gives every device on your tailnet a hostname. Instead of remembering tailnet IPs, you use names like “homeserver” or “laptop” that resolve correctly across all your devices.
Subnet routing lets you expose entire local networks through a tailnet device. If your home server is on a tailnet, you can configure it to route traffic for your home subnet, making any device on your home network accessible from your tailnet.
Exit nodes turn any tailnet device into a VPN exit. You can route all your traffic from one device through another device on your tailnet, useful for accessing region-locked services from your home country while traveling.
The cross-platform support is comprehensive. Native clients for Windows, macOS, Linux, iOS, Android. Containers can run as Tailscale-connected services. Even some embedded platforms (Raspberry Pi, OpenWrt routers) have native support.
The audit history is good. Tailscale’s protocols and code have been independently reviewed. The underlying WireGuard protocol has been formally verified.
What Tailscale does less well
The free tier limits some advanced features. Subnet routing, ACLs beyond the basics, and the SSH integration require paid plans for many users.
The dependence on Tailscale’s coordination servers is a real consideration. Your devices need to talk to Tailscale’s servers to discover each other and establish initial connections. If Tailscale the company has an outage, new connections cannot be established until it returns. Existing connections continue to work; new device discovery does not.
The corporate dependency is real. Tailscale is a commercial company with venture funding and enterprise customers. If the company fails or is acquired by an unfriendly buyer, your tailnet depends on infrastructure you do not control.
The encryption keys for your tailnet are generated client-side and Tailscale never sees them, but the metadata (which devices are on your tailnet, what their IPs are, who is connecting to what) is visible to Tailscale’s coordination servers.
When Tailscale is the right tool
- You have multiple devices you want to connect privately without exposing services to the public internet.
- You self-host services and want to access them from your phone, laptop, or other devices when you are not at home.
- You work remotely and want to reach work resources behind a firewall through a network-level mesh rather than per-app VPNs.
- You want a no-port-forwarding way to access a home network from anywhere.
- You need to share specific services with specific other people (a friend, a colleague) without granting them access to your entire network.
When Tailscale is not the right tool
- You want a public-internet VPN for privacy from your ISP. Tailscale does not do this in the way Mullvad or NordVPN do (although you can approximate it via exit nodes, the use case is different).
- You need to be invisible to a corporate network. Tailscale runs over the network you are on; it does not hide the fact that you are running it.
- You require the ability to operate without any cloud dependency at all. Tailscale’s coordination servers are required for normal operation.
- You are managing a network with strict regulatory requirements that prohibit dependency on commercial cloud services for connectivity infrastructure.
Headscale as the self-hosted alternative
For users who specifically want the Tailscale experience without the dependency on Tailscale’s coordination servers, Headscale is an open-source self-hosted implementation of the Tailscale control plane. Your devices use the standard Tailscale client but coordinate through your own Headscale server.
Trade-offs:
- Headscale requires you to run and maintain the coordination server.
- Some Tailscale features are not yet supported in Headscale.
- The setup is more complex than Tailscale’s commercial product.
- The benefit: you fully control the coordination layer.
For most users, Tailscale’s commercial offering is the right call. For users who specifically want self-hosting, Headscale is mature enough to be a serious option.
Pricing
Free tier: 100 devices, 3 users, basic ACLs. Sufficient for most personal use cases.
Personal Pro: $5 per user per month, removes some limits, adds basic team features.
Premium and Enterprise tiers: progressively more features for business use.
For an individual using Tailscale across personal devices: free tier is sufficient indefinitely.
How I use it
My primary Vaultwarden instance is on a small VPS, accessible only via Tailscale. It cannot be reached from the public internet; it can be reached from any of my devices that are on my tailnet.
My home network has a Raspberry Pi running Tailscale as a subnet router. When I am traveling, I can SSH into devices on my home network as if I were home.
My partner has Tailscale on their phone. When we are both on the tailnet, we can share files between phones using a simple HTTP file server we run on demand, without exposing anything to the internet.
The kids’ tablet has restricted access to a parental-control filtering DNS that runs on a tailnet device. The DNS is invisible to the public internet but accessible from the tablet via tailnet routing.
These use cases would all be possible without Tailscale (using port forwarding, dynamic DNS, traditional VPN setups, etc.) but would all be much more complicated. Tailscale removed enough friction that I actually deploy these patterns where I would not have bothered before.
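The “share a specific service with a specific person” case and the household setup above both come down to the tailnet policy file (Tailscale’s ACL, written in HuJSON). The policy below is an added example, not from this post or from Tailscale’s documentation: it expresses those use cases as least-privilege rules. The user emails, tag names, the 192.168.1.0/24 home subnet and the service ports are all assumptions; devices must be authenticated with the matching tag (for example via an auth key) for the tag-based rules to apply.

```jsonc
// Added example tailnet policy file (HuJSON). All identities, tags, the
// subnet and the ports are assumed values, not from the original post.
{
  // Who may assign each tag. A tagged node is identified by its role,
  // not by the user who installed the client, which is what you want
  // for servers and for a device that should be restricted (the tablet).
  "tagOwners": {
    "tag:vaultwarden":   ["autogroup:admin"],
    "tag:subnet-router": ["autogroup:admin"],
    "tag:dns-filter":    ["autogroup:admin"],
    "tag:fileshare":     ["autogroup:admin"],
    "tag:kids-tablet":   ["autogroup:admin"]
  },

  "groups": {
    // Assumed tailnet users; replace with real identities.
    "group:household": ["me@example.com", "partner@example.com"],
    "group:friends":   ["friend@example.com"]
  },

  // The Raspberry Pi advertises the home subnet; approve that route
  // automatically only when the advertising node carries the router tag.
  "autoApprovers": {
    "routes": { "192.168.1.0/24": ["tag:subnet-router"] }
  },

  // No catch-all {"src": ["*"], "dst": ["*:*"]} rule here, so every
  // connection not matched below is denied.
  "acls": [
    // Vaultwarden: household members only, HTTPS only.
    { "action": "accept", "src": ["group:household"], "dst": ["tag:vaultwarden:443"] },

    // Home LAN through the subnet router (SSH to home devices while away).
    { "action": "accept", "src": ["group:household"], "dst": ["192.168.1.0/24:*"] },

    // Household members may route through any approved exit node.
    { "action": "accept", "src": ["group:household"], "dst": ["autogroup:internet:*"] },

    // On-demand file server between the phones, on its single port.
    { "action": "accept", "src": ["group:household"], "dst": ["tag:fileshare:8080"] },

    // A friend gets exactly this one service on this one port and nothing else.
    { "action": "accept", "src": ["group:friends"], "dst": ["tag:fileshare:8080"] },

    // The kids' tablet can only reach the filtering resolver, only on DNS ports.
    { "action": "accept", "src": ["tag:kids-tablet"], "dst": ["tag:dns-filter:53"] }
  ]
}
```

The policy is applied from the admin console’s Access Controls page, where the editor validates it before saving. The important design choice is the absence of the default allow-all rule that a new tailnet ships with: once it is gone, adding a new device or inviting a new user grants nothing until a rule names them, so the “share one service with one friend” case is a single explicit line rather than a hole in an otherwise open network. Note that the coordination server enforces the ACL by what it hands out to clients, so the metadata caveat above still applies: Tailscale sees who is allowed to reach what even though it never sees the traffic.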
A specific recommendation
For most users wanting mesh networking: Tailscale free tier. Sign up, install on your devices, the value is apparent within the first hour.
For users with specific self-hosting requirements: Headscale on a small VPS, with Tailscale clients on devices.
For users who do not have a clear use case: do not use either yet. Mesh networking is a tool that solves specific problems; if you do not have those problems, the tool adds complexity without benefit.