unsubbed.co

Tailscale

WireGuard mesh VPN that sets up in under 2 minutes — MagicDNS, exit nodes, subnet routers, and SSH all included, free for 100 devices.

Best for: Homelab operators who want secure remote access to home servers without port forwarding, and remote development teams who need to connect to internal services across NATs and firewalls.

TL;DR

  • What it is: A mesh VPN built on WireGuard that creates encrypted peer-to-peer tunnels between your devices with zero configuration — no port forwarding, no certificates, no firewall rules.
  • Who it’s for: Developers, homelab operators, and small teams who need secure access to internal services across NATs and firewalls without managing VPN infrastructure.
  • Cost savings: Free tier covers 100 devices and 3 users — enough for most personal and small team use. Paid plans start at $6/user/month. Compare to traditional VPN appliances ($500-5000+) or dedicated VPN servers requiring ongoing maintenance.
  • Key strength: Setup that actually takes under 2 minutes. Install the client, authenticate via SSO, and your device joins the mesh. MagicDNS gives every device a hostname. Exit nodes, subnet routers, and SSH — all one-click.
  • Key weakness: The coordination server is proprietary and hosted by Tailscale. Your traffic doesn’t flow through their servers (it’s peer-to-peer), but the control plane that manages keys, ACLs, and device registration is theirs. Headscale exists as an open-source alternative but lacks feature parity.

What is Tailscale

Tailscale creates a WireGuard mesh network between your devices. Instead of configuring WireGuard tunnels manually — generating keys, exchanging configs, setting up port forwarding — you install Tailscale, log in with Google/Microsoft/GitHub, and every authenticated device can reach every other device by hostname. That’s it.

The technical architecture: each device runs the Tailscale client (open-source, BSD-3-Clause, 29,500+ GitHub stars), which establishes WireGuard tunnels directly between peers. Tailscale’s coordination server handles key exchange, NAT traversal (via DERP relay servers when direct connections fail), and access control. Traffic flows peer-to-peer, and when a direct connection fails and it falls back to a DERP relay it is still WireGuard-encrypted between the two devices, so Tailscale never sees your data. But the coordination server that orchestrates the mesh is proprietary and hosted by Tailscale Inc., a Canada-based company.

Key capabilities beyond basic mesh connectivity: MagicDNS gives every device a resolvable hostname. Exit nodes route your internet traffic through any device on your tailnet. Subnet routers expose local network ranges without installing Tailscale on every device. Tailscale SSH eliminates SSH key management entirely. Funnel exposes local services to the public internet. ACLs define who can access what using JSON policy files.


Why people choose it over ZeroTier, NetBird, and traditional VPNs

Versus traditional VPNs (OpenVPN, IPSec). Traditional VPNs require a central server, certificate management, NAT configuration, and ongoing maintenance. Users report “setting up a mesh VPN on all my devices was so damn easy” and “after installing Tailscale on a bunch of machines, I’ve just ventured out — holy moly, just SSH’ed into my boxes like I’m home. Amazing. Converted.” The technical advantage: mesh topology means traffic goes directly between peers instead of hair-pinning through a central server, reducing latency for most use cases.

Versus ZeroTier. ZeroTier operates at Layer 2 (Ethernet switching) with its own encryption. Practical implications: ZeroTier supports multicast/broadcast (useful for service discovery and IoT), Tailscale doesn’t. ZeroTier’s free tier covers only 10 devices vs Tailscale’s 100. Tailscale has MagicDNS, one-click exit nodes, and SSO integration that ZeroTier lacks. Choose ZeroTier when you need Layer 2 bridging, physical network bridging, or IoT multicast.

Versus NetBird. NetBird offers a fully self-hosted option with integrated identity management. The trade-off: NetBird requires more setup, has a smaller community, and lacks Tailscale’s polish. Since NetBird v0.65 (February 2026), it includes a built-in reverse proxy competing with Tailscale Funnel. “For home lab operators prioritizing ownership, NetBird’s self-hosted model delivers comparable functionality while maintaining complete infrastructure autonomy.”

The Headscale option. Headscale is a community-built open-source coordination server. In theory, this gives you a fully self-hosted Tailscale. In practice, Headscale trails the official server on features — MagicDNS works but Funnel, SSH, and some ACL features are limited or missing.


Features: what it actually does

Networking:

  • WireGuard mesh VPN with automatic NAT traversal
  • Direct peer-to-peer connections with DERP relay fallback
  • MagicDNS — automatic hostname resolution for all devices
  • Subnet routers — expose local networks without per-device install
  • Exit nodes — route internet traffic through any device
  • Funnel — expose local services to the public internet
  • Split DNS — route specific domains through specific resolvers

Security and access control:

  • WireGuard encryption (ChaCha20-Poly1305) on all traffic
  • SSO authentication via Google, Microsoft, GitHub, Okta, Azure AD
  • JSON-based ACL policies for fine-grained access control
  • Tailscale SSH — keyless SSH authentication via identity
  • Device posture checks and compliance gates (enterprise)
  • Tailnet Lock — prevent unauthorized devices from joining

Developer tools:

  • Taildrop — file sharing between devices
  • tailscale serve — reverse proxy for local development
  • API for programmatic device management
  • GitHub Actions integration for CI/CD pipelines
  • Kubernetes operator

Platform support:

  • Linux, macOS, Windows, iOS, Android
  • Synology NAS, QNAP NAS packages
  • Docker container sidecar mode
  • GL.iNet FlashRouter integration

Pricing math

Plan        Price            Devices       Users
Personal    Free             100           3
Starter     $6/user/month    Configurable  Configurable
Premium     $18/user/month   Configurable  Configurable
Enterprise  Custom           Custom        Custom

The free tier is genuinely useful. 100 devices and 3 users covers most homelab setups, solo developers, and even small teams who share a single tailnet. You get MagicDNS, exit nodes, subnet routers, ACLs — the core product, not a crippled trial.

The $18/user/month value play: Tailscale SSH eliminates SSH key management entirely — one reviewer notes this “eliminates the need to manage PKI at scale, or go through the nightmare of changing keys out when someone leaves.” For a 40-person dev team, this was “a win — developers up and running in an afternoon and nearly 100% team adoption within a week.”


Deployment reality

The setup is as fast as everyone claims:

# Linux
curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up

# macOS
brew install tailscale

# Docker
docker run -d --name=tailscale tailscale/tailscale

Authenticate via browser (SSO), and your device joins the mesh. Adding a new device takes under 2 minutes.

Subnet router setup: Install Tailscale on one machine in the local network, enable IP forwarding, run tailscale up --advertise-routes=192.168.1.0/24, and approve the route in the admin console. Every device on your tailnet can now reach that subnet — no per-device install needed.
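Which devices can actually reach an approved subnet route is decided by the tailnet's JSON ACL policy. The following is an added example, not code from the original review or from Tailscale: it audits a policy for accept rules that open 192.168.1.0/24 and compares an allow-all rule with a scoped one. The sample policies, the group, the host alias and the function names are constructed for illustration.

```python
import ipaddress
import json

SUBNET = "192.168.1.0/24"  # the route advertised in the text above
BROAD_SOURCES = {"*", "autogroup:member"}  # any device / any tailnet member

# Constructed sample policies (plain JSON; names and addresses are assumptions).
ALLOW_ALL = json.loads('{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}')
SCOPED = json.loads("""
{
  "groups": {"group:admins": ["alice@example.com"]},
  "hosts": {"home-lan": "192.168.1.0/24"},
  "acls": [
    {"action": "accept", "src": ["group:admins"], "dst": ["home-lan:22,443"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]}
  ]
}
""")

def dst_covers(dst, subnet, hosts):
    """True if an ACL destination such as '10.0.0.0/8:443' overlaps the subnet."""
    host, _, _ports = dst.rpartition(":")   # ports follow the last colon
    host = hosts.get(host, host)            # expand aliases from the "hosts" section
    if host == "*":
        return True
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False  # tag, group, autogroup or device name: not a routed range
    return net.overlaps(ipaddress.ip_network(subnet))

def subnet_access(policy, subnet=SUBNET):
    """List (rule index, sources, is_broad) for accept rules that reach the subnet."""
    hosts = policy.get("hosts", {})
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        if any(dst_covers(d, subnet, hosts) for d in rule.get("dst", [])):
            src = rule.get("src", [])
            findings.append((i, src, bool(BROAD_SOURCES & set(src))))
    return findings

if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL), ("scoped", SCOPED)):
        for idx, src, broad in subnet_access(policy):
            print(f"{name}: rule {idx} lets {src} reach {SUBNET} (broad={broad})")
```

A rule flagged as broad means every member device can reach the LAN behind the subnet router; the scoped policy limits that to one group and two ports.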

The NAT traversal magic: Connecting to home servers while behind hotel WiFi, double NAT, and restrictive networks — this is where Tailscale’s engineering shines. WireGuard alone can’t traverse these situations. Tailscale’s STUN/DERP infrastructure handles it automatically, falling back to relay servers when direct connections fail.


Who should use this

Use Tailscale if:

  • You’re a homelab operator who wants secure remote access to home servers without port forwarding or dynamic DNS
  • You’re a remote development team that needs to connect to internal services across NATs and firewalls
  • You’re a small-to-medium company replacing legacy VPN appliances with zero-trust networking
  • You need CI/CD pipelines that reach private infrastructure without exposing endpoints

Not the right tool if:

  • You need full infrastructure sovereignty with no third-party dependencies — use NetBird or raw WireGuard
  • You need Layer 2 bridging, multicast, or IoT device discovery — use ZeroTier
  • You want a privacy VPN for streaming geo-locked content — use a traditional VPN provider
  • You’re at 250+ users and ACL complexity is a concern — evaluate the enterprise tier carefully

Sources

This review synthesizes 5 independent third-party articles along with primary sources from the project itself. Inline references throughout the review map to the numbered list below.

  [1] medium.com (2024-12-11) — “Setting Up a Mesh VPN with Tailscale: My Journey” — praise
  [2] cloudingenium.com (2026-03-23) — “Tailscale: Zero-Config WireGuard Mesh VPN for Teams and Home Labs” — deployment
  [3] flashrouters.com (2025-10-01) — “How to Install Tailscale VPN: Set Up Tailscale on a VPN Router” — deployment
  [4] xda-developers.com (2026) — “I switched from Tailscale to this fully self-hosted alternative, and I’m loving it so far” — critical
  [5] dev.to (2026) — “ZeroTier vs Tailscale: Which Mesh VPN to Use?” — comparison
  [6] GitHub repository — official source code, README, releases, and issue tracker (https://github.com/tailscale/tailscale)
  [7] Official website — Tailscale project homepage and docs (https://tailscale.com)

References [1]–[7] above were used to cross-check claims about features, pricing, deployment, and limitations in this review.
