Nonchalant Guidance

About Me·RSS·My Projects·LinkedIn

Added on: Thursday, 28 July, 2022 | Updated on: Thursday, 02 March, 2023

Tech Highlight: Tailscale Overview/Review

A love letter to some pretty cool tech and a good way of conducting business


The Internet today is flawed. We possess smartphones, tablets and laptops that surpass the performance capabilities of servers from 20-30 years ago, yet we can’t talk to them without the use of some intermediary: a server to connect to. This approach is flawed and inefficient since it will be a single choke point for everyone’s traffic, not to mention the privacy-related drawbacks (one entity seeing who everyone is talking to….).

Examples of this centralization hurting everyone:

We can’t even access resources on our local network without some corporations’ servers acting as a middleman.

Tailscale is a clever solution to this problem. It uses WireGuard as it’s base to build a mesh network for your devices, essentially making it appear as if they are all connected to the same network. Each device gets a static IP on this network, which is in the Carrier-grade NAT address space to avoid any collisions with your own networks. Tailscale by default only ever routes connections to machines on this mesh network through the WireGuard VPN, but you can make a machine advertise itself as an exit node to route all your Internet traffic through that device, effectively making a traditional consumer VPN typically used to mask IP addresses.

I have been using Tailscale for a couple weeks now and in the process, have become profoundly enamoured with the tech.

Here’s what I like:

As for the latter, I really appreciate them addressing how it is that they have such a good free plan. They clearly outline the fact that since their software makes direct connections, it doesn’t really matter how many devices you have, the amount of traffic the company itself has to deal with is minuscule (an IP address, port, pubkey and maybe some authentication info). Having a free plan allows developers and hobbyists to try out the software, and later be encouraged by the experience to nudge their companies to try it out as well, getting some valuable enterprise customers over the long run as well as getting the word out and gaining free publicity (ahem). They also try to keep the DERP (relays used when no direct connections can be made) costs low through some manner of rate limiting.

However, in most cases, it makes direct connections to your devices for maximum efficiency and privacy, and if it can’t, it just uses relays located around the world, combined with some careful management and rate limiting to make sure their hosting bill on AWS doesn’t skyrocket. What this means is that you can almost always access your device no matter what kind of connection you have, and that connection is completely private.

Private keys never leave the device, and Tailscale doesn’t really ever have the ability to read your traffic info. The only real info they have is the fact that you connected from one device to another at this time.

If you still think this is too much info, you can self-host the Tailscale control plane using headscale on an Internet-facing device. This creates 1 Tailnet you can connect your devices to. The Tailscale devs are fairly friendly towards this project, and the CLI and desktop apps come with options to change the control plane to whatever URL you wish. - MagicDNS is extremely convenient. The Tailscale client already (kinda sorta) hijacks DNS on the installed devices, so having it resolve your devices on the mesh network is fairly trivial. So, you don’t even need to remember the static IP addresses of your devices.

Tailscale helps automate tedious parts of networking so that we can all enjoy the Internet in its original, collaborative spirit.

Here’s what can be improved:

I imagine for Tailscale the company, it is not a huge issue as their main customers are enterprises, who already use some identity provider. This could be a gripe for individuals using Tailscale. If this is an issue for you, consider self-hosting headscale.

The only time (at the time of writing) Tailscale does use the kernel implementation is when a Linux device advertises itself as an exit node. Even then, the exit node is the only one that ever uses the kernel WireGuard.

I’ll keep my eye on this and related issues because if this does end up being done. Tailscale will be much faster for it.


In spite of the gripes I have with their product, I really like Tailscale. It is cliché, but it just works. I use it to access my home network from afar for right now, even using a Raspberry Pi as a homemade VPN, and it has worked nicely so far. The security is pretty good, even if the third party authentication requirement means that both Tailscale and that identity provider can add devices to the Tailnet without your knowledge (though, again, it can’t exactly do a whole bunch of damage since the bulk of the business logic is still contained in the open source client, and also headscale exists if you really want to minimize this risk).

If you don’t want to bother opening ports or using dynamic DNS services or really doing a whole lot of work related to NAT traversal, Tailscale is a good place to start (and hopefully end).

That’s all for today. Bye for now!

Note: “WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.

This website was made using Markdown, Pandoc, and a custom program to automatically add headers and footers (including this one) to any document that’s published here.

Copyright © 2023 Saksham Mittal. All rights reserved. Unless otherwise stated, all content on this website is licensed under the CC BY-SA 4.0 International License