What Tailscale is (and isn't)

Tailscale's data plane is WireGuard: the same Noise handshake and ChaCha20-Poly1305 transport as the kernel module, implemented in the wireguard-go userspace library that Tailscale ships. What it adds is a control plane: a coordination server (controlplane.tailscale.com) that distributes public keys and ACLs to your nodes so they can build direct peer-to-peer tunnels through NAT. Each node generates its own private key and never sends it anywhere; the control plane only brokers introductions. When two nodes cannot reach each other directly, packets fall back to Tailscale's DERP relays, which forward the still-WireGuard-encrypted traffic without being able to read it.

If you only need two known hosts on known ports, plain WireGuard is fewer moving parts. Tailscale starts paying off the moment you have a third device, a roaming laptop, or anything behind double NAT.

Install on Linux

curl -fsSL https://tailscale.com/install.sh | sh

The script detects your distro, adds the official APT/YUM repo and its signing key, installs tailscale and tailscaled, and enables the systemd unit. It escalates to root through sudo, so treat it like any curl | sh: fetch it to a file and read it first, or add the repo by hand from the Tailscale docs and install the package with your distro's package manager. Then bring the interface up:

sudo tailscale up

You'll get a one-time URL. Open it in any browser, authenticate (Google/GitHub/Microsoft/passkey/etc.), and the node is added to your "tailnet" — Tailscale's word for the private network of all your devices.

tailscale status
tailscale ip -4

The first command lists every device in your tailnet, whether it is online, and for peers with active traffic whether the path is direct or relayed through a DERP server. The second prints your assigned IP from the 100.64.0.0/10 CGNAT range (RFC 6598 shared address space), chosen because it is unlikely to collide with an existing home or office LAN.

Install on Windows

Download the MSI from tailscale.com/download/windows. It installs as a service, runs in the system tray, and signs in through the same browser flow as Linux. No config files; the tray icon shows your tailnet devices and lets you pick an exit node.

MagicDNS

Turn on MagicDNS in the DNS settings of the admin console. Every device gets a hostname like laptop.tail-scale.ts.net (tail-scale.ts.net stands in for your tailnet's own name, shown on that same settings page) that resolves on every other device in the tailnet, with no /etc/hosts juggling and no DNS server to run:

ssh laptop                       # short form (MagicDNS adds the search domain)
ssh server.tail-scale.ts.net     # fully qualified
ping db

Subnet router: expose an existing LAN

If you want roaming devices to reach your home LAN (printer, NAS, IoT) without installing Tailscale on each one, designate one always-on machine on that LAN as a subnet router:

# On the home server: enable IP forwarding (required for any node that routes for others)
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv6.conf.all.forwarding=1
# Make it persist across reboots
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf

sudo tailscale up --advertise-routes=192.168.1.0/24

Then in the admin console under Machines → (this machine) → Edit route settings, approve the advertised route; a subnet router carries nothing until an admin approves it. Two things trip people up here. First, tailscale up refuses to change settings on a node that already has other non-default flags unless you repeat all of them (or pass --reset); on recent releases, tailscale set --advertise-routes=192.168.1.0/24 changes just that one setting. Second, Linux clients ignore advertised subnets unless they were brought up with --accept-routes (Windows, macOS and the mobile clients accept approved routes by default). After that, other tailnet devices can reach 192.168.1.x through the router.

Exit node: route all traffic through one device

Same idea but for the default route. On the device you want to use as an exit (typically a VPS), with IP forwarding enabled exactly as for the subnet router:

sudo tailscale up --advertise-exit-node

Approve it in the admin console (Machines → (this machine) → Edit route settings, the same place as subnet routes). On any client:

sudo tailscale up --exit-node=my-vps --exit-node-allow-lan-access

--exit-node takes the MagicDNS name or the 100.x address. That last flag keeps your local LAN reachable (printer, etc.) while everything else routes through the exit. The Windows tray icon has the same toggle under Exit node. Remember that the exit node sees all of that traffic once it leaves the tunnel, so it should be a host you trust as much as your own router.

Tailscale SSH

Replace SSH key management with Tailscale's identity. On any server:

sudo tailscale up --ssh

Then from any client in your tailnet: ssh server. tailscaled answers port 22 on the Tailscale interface itself (sshd on your public interface is untouched), checks the connecting user's identity against the policy, and never consults authorized_keys. The policy can say "only admins can SSH to tagged prod hosts as root, and must re-authenticate in the browser first" (an ssh rule with "action": "check"). What the policy language cannot express is a time window such as 9-to-5; if you need that, you will have to enforce it elsewhere.

The default ACL is permissive (all your devices can talk to each other). Tighten it before adding shared devices or other users.

One ACL example

Open the Access controls page; the policy is HuJSON (JSON with comments and trailing commas). A small "tag your servers, only admins can SSH" policy looks like:

{
  // Only admins may apply tag:server to a node (tagged nodes have no owning user).
  "tagOwners": {
    "tag:server": ["autogroup:admin"]
  },
  // Network layer. Rules are accept-only and the default is deny, so anything
  // not listed here is blocked. An "ssh" rule below still needs a network rule
  // that allows port 22 to the same destination.
  "acls": [
    { "action": "accept", "src": ["autogroup:admin"],  "dst": ["*:*"] },
    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:443"] }
  ],
  // Tailscale SSH layer. "check" forces a fresh browser re-authentication
  // before a root session; "accept" lets the non-root sessions through directly.
  "ssh": [
    {
      "action":      "check",
      "checkPeriod": "12h",
      "src":         ["autogroup:admin"],
      "dst":         ["tag:server"],
      "users":       ["root"]
    },
    {
      "action": "accept",
      "src":    ["autogroup:admin"],
      "dst":    ["tag:server"],
      "users":  ["ubuntu", "autogroup:nonroot"]
    }
  ]
}

Then bring the server up with sudo tailscale up --ssh --advertise-tags=tag:server. Only a tag owner (here, an admin) can advertise the tag, and once a node is tagged it no longer belongs to the user who enrolled it: it is matched by tag:server, not by that user's login or by autogroup:member.
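Reading a policy is not the same as knowing what it permits, and the admin console's preview only answers one question at a time. The script below is an added example, not Tailscale's policy engine: it implements the documented semantics for the selectors used on this page (accept-only rules, default deny, tagged nodes have no owner, an ssh rule only matters once a network rule allows port 22) and runs the page's default accept-all policy and the tightened one above against a constructed inventory of two users and a tagged server. The users, node names and both policies are test data; the evaluator supports only "*", tag:, autogroup:admin, autogroup:member, autogroup:nonroot, autogroup:self and literal logins.

```python
"""Offline evaluator for the "acls" and "ssh" sections of a Tailscale policy.

Added example, not Tailscale's own policy engine. It implements the documented
semantics for the selectors used on this page; USERS, NODES and the two
policies below are constructed test data.
"""

# Constructed inventory: two users (one admin), two laptops, one tagged server.
USERS = {
    "alice@example.com": "admin",
    "bob@example.com": "member",
}
NODES = {
    "alice-laptop": {"owner": "alice@example.com", "tags": []},
    "bob-laptop": {"owner": "bob@example.com", "tags": []},
    "prod-1": {"owner": None, "tags": ["tag:server"]},   # tagged: no owning user
}

SSH_RULES = [
    {"action": "check", "checkPeriod": "12h", "src": ["autogroup:admin"],
     "dst": ["tag:server"], "users": ["root"]},
    {"action": "accept", "src": ["autogroup:admin"],
     "dst": ["tag:server"], "users": ["ubuntu", "autogroup:nonroot"]},
]
# The tailnet default: every node may reach every node on every port.
POLICY_OPEN = {
    "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
    "ssh": SSH_RULES,
}
# Tightened: admins reach everything, members only get HTTPS to servers.
POLICY_TIGHT = {
    "acls": [
        {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
        {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:443"]},
    ],
    "ssh": SSH_RULES,
}


def node_matches(selector, node, src=None):
    """True if a src/dst selector (without a port) covers `node`."""
    owner = NODES[node]["owner"]
    if selector == "*":
        return True
    if selector.startswith("tag:"):
        return selector in NODES[node]["tags"]
    if selector == "autogroup:member":      # any user-owned node; admins are members too
        return owner is not None
    if selector == "autogroup:admin":
        return owner is not None and USERS[owner] == "admin"
    if selector == "autogroup:self":        # ssh dst: nodes owned by the connecting user
        return owner is not None and src is not None and owner == NODES[src]["owner"]
    return selector == owner                # literal login such as "alice@example.com"


def port_matches(spec, port):
    """Port specs are "*", a single port, or a range like "8000-8999"."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def network_allowed(policy, src, dst, port):
    """Can `src` open a connection to `dst` on `port`? Default deny, accept-only rules."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue                        # there is no deny rule to evaluate
        if not any(node_matches(s, src) for s in rule["src"]):
            continue
        for target in rule["dst"]:
            host, _, ports = target.rpartition(":")   # "tag:server:443" -> ("tag:server", "443")
            if node_matches(host, dst) and any(port_matches(p, port) for p in ports.split(",")):
                return True
    return False


def ssh_allowed(policy, src, dst, user):
    """Outcome of a Tailscale SSH attempt from `src` to `dst` as local `user`:
    "accept", "check" (browser re-authentication first) or "deny"."""
    if not network_allowed(policy, src, dst, 22):
        return "deny"                       # the network layer is consulted first
    for rule in policy.get("ssh", []):
        if rule["action"] not in ("accept", "check"):
            continue
        if not any(node_matches(s, src) for s in rule["src"]):
            continue
        if not any(node_matches(d, dst, src=src) for d in rule["dst"]):
            continue
        if any(u == user or (u == "autogroup:nonroot" and user != "root") for u in rule["users"]):
            return rule["action"]
    return "deny"


def audit(policy):
    """Per client node: (can reach prod-1:22, SSH as root, SSH as ubuntu)."""
    return {
        node: (network_allowed(policy, node, "prod-1", 22),
               ssh_allowed(policy, node, "prod-1", "root"),
               ssh_allowed(policy, node, "prod-1", "ubuntu"))
        for node in NODES if node != "prod-1"
    }


if __name__ == "__main__":
    for name, policy in (("open", POLICY_OPEN), ("tight", POLICY_TIGHT)):
        print(name, audit(policy))
```

The interesting row is bob-laptop under the open policy: the ssh section already denies Bob, yet the network layer still lets him reach port 22 (and every other port) on prod-1, which matters the moment a plain sshd or any other listener is bound there. The tightened policy closes that, and also shows that prod-1 itself, being tagged and therefore ownerless, can no longer initiate connections to user devices.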

Tailscale Funnel: expose a single port publicly

If you want to share something with someone who isn't in your tailnet, Funnel lets one device serve on the public internet through Tailscale's edge:

# Funnel must be allowed for this node by a "nodeAttrs" entry in the policy
# ({"target": ["autogroup:member"], "attr": ["funnel"]}) and HTTPS certificates
# must be enabled in the DNS settings; the CLI prints a link to fix both if not.
tailscale funnel 8080

This proxies local port 8080 to https://<hostname>.tail-scale.ts.net on port 443 (Funnel only listens on 443, 8443 and 10000) with a publicly trusted TLS cert that is issued to and terminated on your device; Tailscale's edge forwards TLS bytes it cannot read. On current releases the command runs in the foreground and stops when you exit; add --bg to make it persist. Drop the funnel with tailscale funnel reset. Tailnet ACLs do not apply to Funnel traffic: whatever listens on 8080 is reachable by anyone on the internet, so it needs its own authentication.

Troubleshooting

  • relay "fra" instead of direct in tailscale status. Traffic to that peer is going through Tailscale's DERP relay: still end-to-end encrypted, but with extra latency. Usually symmetric ("hard") NAT on both ends, or a firewall dropping UDP. Run tailscale netcheck on both sides: "UDP: false" means nothing but DERP can work until outbound UDP is allowed, and "MappingVariesByDestIP: true" is the symmetric-NAT case, where a direct path needs the other side to be easier. On a host with a fixed address, allow inbound UDP/41641 (tailscaled's default port) so peers can dial it; one reachable side is enough for a direct connection.
  • Subnet router approved, route not working. Did you enable IP forwarding? sudo sysctl net.ipv4.ip_forward should print 1. On Linux clients, did you run with --accept-routes? Advertised subnets are ignored there by default. Return traffic works because the router masquerades by default (--snat-subnet-routes=true), so LAN devices see the router's own LAN IP; if you turned that off, the LAN's default gateway needs a static route for 100.64.0.0/10 pointing back at the router.
  • MagicDNS not resolving on a Linux host. Make sure /etc/resolv.conf isn't being clobbered by NetworkManager or a DHCP client. Tailscale prefers systemd-resolved; resolvectl status should list the tailscale0 link with 100.100.100.100 as its DNS server and your tailnet domain as a search domain.
  • Two local accounts, one machine. Use sudo tailscale up --operator=$USER so that account can run tailscale commands (and the GUI) without sudo. This grants control of the daemon, not a separate tailnet identity: the machine is still one node with one login.
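Eyeballing tailscale status across a fleet does not scale, so here is an added example (not part of the Tailscale CLI) that classifies peers from tailscale status --json the way the status table does and reads the local NAT situation from tailscale netcheck --format=json. The field names used (Peer, HostName, Online, Active, CurAddr, Relay, UDP, MappingVariesByDestIP) are those of the CLI's JSON output at the time of writing, so check them against your version; the two JSON documents below are constructed, abbreviated samples, not real captures. Note that netcheck encodes some fields as opt.Bool strings ("true"/"false"/""), which the helper tolerates alongside real booleans.

```python
"""Triage relayed peers and local NAT type from Tailscale's JSON output.

Added example, not part of the Tailscale CLI. The status and netcheck documents
below are constructed samples standing in for
`tailscale status --json` and `tailscale netcheck --format=json`.
"""
import json

STATUS_JSON = """
{
  "BackendState": "Running",
  "MagicDNSSuffix": "tail-scale.ts.net",
  "Self": {"HostName": "laptop", "TailscaleIPs": ["100.101.102.103"], "Online": true},
  "Peer": {
    "nodekey:aaaa": {"HostName": "home-server", "TailscaleIPs": ["100.64.0.2"],
                     "Online": true, "Active": true, "CurAddr": "203.0.113.10:41641", "Relay": "fra"},
    "nodekey:bbbb": {"HostName": "office-nas", "TailscaleIPs": ["100.64.0.3"],
                     "Online": true, "Active": true, "CurAddr": "", "Relay": "nyc"},
    "nodekey:cccc": {"HostName": "old-phone", "TailscaleIPs": ["100.64.0.4"],
                     "Online": false, "Active": false, "CurAddr": "", "Relay": ""},
    "nodekey:dddd": {"HostName": "vps", "TailscaleIPs": ["100.64.0.5"],
                     "Online": true, "Active": false, "CurAddr": "", "Relay": "lhr"}
  }
}
"""

# Constructed netcheck result: UDP works, but the NAT is symmetric
# (mapping varies by destination), which forces DERP when the peer is too.
NETCHECK_JSON = """
{"UDP": true, "IPv4": true, "IPv6": false,
 "MappingVariesByDestIP": "true", "HairPinning": "false", "PreferredDERP": 4}
"""


def _is_true(value):
    """Accept a JSON bool or an opt.Bool string ("true"/"false"/"")."""
    return value is True or str(value).lower() == "true"


def classify_peers(status_text):
    """Map hostname -> "direct", "relay:<region>", "idle" or "offline"."""
    status = json.loads(status_text)
    result = {}
    for peer in status.get("Peer", {}).values():
        if not peer.get("Online"):
            state = "offline"
        elif not peer.get("Active"):
            state = "idle"          # no recent traffic, so no path has been chosen yet
        elif peer.get("CurAddr"):
            state = "direct"        # CurAddr is the peer endpoint we currently send to
        else:
            state = "relay:" + (peer.get("Relay") or "?")   # Relay is the DERP region code
        result[peer["HostName"]] = state
    return result


def relayed_peers(status_text):
    """Hostnames whose active path is a DERP relay rather than a direct UDP flow."""
    return sorted(h for h, s in classify_peers(status_text).items() if s.startswith("relay:"))


def nat_diagnosis(netcheck_text):
    """Why direct paths might be failing on this side, from a netcheck report."""
    report = json.loads(netcheck_text)
    if not _is_true(report.get("UDP")):
        return "udp-blocked"        # only DERP can work until outbound UDP is allowed
    if _is_true(report.get("MappingVariesByDestIP")):
        return "hard-nat"           # symmetric NAT: direct only if the peer side is easy
    return "easy-nat"               # direct connections should normally succeed


def triage(status_text, netcheck_text):
    """Combine both views into one report for the host the commands were run on."""
    return {"relayed": relayed_peers(status_text), "local_nat": nat_diagnosis(netcheck_text)}


if __name__ == "__main__":
    print(json.dumps(triage(STATUS_JSON, NETCHECK_JSON), indent=2))
```

Feed it live data with something like tailscale status --json > status.json && tailscale netcheck --format=json > netcheck.json and pass the file contents to triage(). A "hard-nat" result together with a relayed peer that is itself behind symmetric NAT is the case where opening inbound UDP/41641 on whichever side has a fixed address fixes the path; "udp-blocked" means no amount of port opening on the other side will help until this side's firewall allows outbound UDP.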