Blog

A combination of our newsletter and other posts, where we talk about Tailscale, WireGuard®, 2-factor auth, and other networking-related topics.

Subscribe via email, RSS or follow our Twitter.

Tailscale: A modern replacement for Hamachi

Photo of Xe Iaso
Xe Iaso on

When I was in college almost a decade ago, I lived on the computer science floor of my dorm. It was quite possibly one of the most interesting places I’ve ever lived. It was full of nerds, and we had file shares and LAN parties every weekend. While I was there, I got introduced to a tool called Hamachi that we used in order to keep playing games like Minecraft, StarCraft (Brood War), and Age of Mythology together over winter and summer breaks. We shared our photos, code creations, and more; all over that shared network. This allowed us to be together even on breaks, when we were on opposite sides of the state.

Making heads or tails of open source

David Crawshaw on
Photo of David Crawshaw

Open source is in Tailscale’s bones. After our seed round, when we were only five people making our initial open source plans, we each already had decades of experience writing and using community software. Personally, I’m a Unix programmer only because of a Slackware CD I picked up in Hong Kong in 1995. I owe my livelihood and a big part of my identity to open source. So it was natural to me that we would open source anything where the trouble involved in doing so was worth the value of releasing the code.

Beyond our instincts to build open source software, we also couldn’t have built Tailscale without it. Tailscale is heavily dependent on open source: WireGuard®, a tunneling protocol for establishing encrypted connections between peers, is at the core of Tailscale. And, like every other company these days, the vast majority of the code we use wasn’t written by us — we have dependencies on code written by thousands of other developers, and we want to give back.

Now with more DERP

David Crawshaw and Denton Gentry on
Photo of David Crawshaw
Photo of Denton Gentry

Tailscale clients make direct connections to each other, almost all the time. To do that, they need reliable communication infrastructure to determine how to connect (using DISCO packets), and a communication path of last resort to use when the local network on one or both ends is hostile enough that direct connections are not feasible. Tailscale runs a global network of DERP relay servers to cover both of these needs.

This week, we added nine additional DERP locations to complement our existing relay network. By operating in more locations globally, your devices are more likely to be closer to a server. That means you can more quickly and easily establish network connections. And, if your connection goes through a closer relay, it’ll likely be faster.

The case of the spiky file descriptors

Mihai Parparita on
Photo of Mihai Parparita

Not all engineering work at Tailscale requires changing Go internals or deep insights into how to leverage the birthday paradox for NAT traversal. There are countless small bugs and edge cases that we investigate in our quest to meet an unreasonably high percentile of our users’ expectations. This is the story of one such investigation.

What we learned (and can share) from passing our SOC 2 Type II audit

David Anderson, Rachel Lubman, Denton Gentry and Maya Kaczorowski on
Photo of David Anderson
Photo of Rachel Lubman
Photo of Denton Gentry
Photo of Maya Kaczorowski

Good news everyone: Tailscale is SOC 2 compliant! Wait… weren’t we already compliant? Yes, but now we’re SOC 2 Type II compliant… which is kind of a big deal.

As part of our ongoing commitment to security and privacy at Tailscale, we’ve completed a SOC 2 Type II audit. Our Type I audit validated that we had policies and procedures in place to keep your information safe. Now, our Type II audit validates that our security controls were effective over the period of time evaluated and that we’re actually implementing the policies and procedures we committed to.

GitOps for Tailscale ACLs

Xe Iaso on
Photo of Xe Iaso

Tailscale lets you manage access permissions within a tailnet, including which users are allowed to connect to which machines, using powerful Access Control Lists (ACLs). ACLs are controlled by a HuJSON tailnet policy file that you can edit directly in the admin console. This makes managing permissions simple, but unlike other controls defined in code, there is no way to require approval or review before accepting changes made to ACLs directly in Tailscale’s admin console. In the industry, there’s a pattern called GitOps that suggests you should maintain anything that defines your infrastructure, like this policy file, in a Git repository and use CI to validate, test, and automatically deploy changes.

In this post, I’m going to cover how you can set up a GitOps workflow for your tailnet policy file with GitHub Actions so you can maintain ACLs in a central repository, apply the same controls for changes to your configuration file as you do for code (“config as code”)— such as requiring review, and how to automatically apply these configuration changes to your network.

To make this easier, we’ve released a Sync Tailscale ACLs GitHub Action you can use for automatically updating your tailnet policy file from GitHub. If you’re using this action, or another GitOps workflow you’ve built yourself, you can surface it in the Access Controls page of the admin console to prevent colleagues from accidentally making unapproved changes.

Screenshot of Access controls in the admin console with a linked Git repository.

When using GitOps, a warning is shown in the admin console.

August Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
Summer has come to an end in the northern hemisphere, and as we sharpen our pencils and compare Lisa Frank Trapper Keepers, we have some exciting updates to share. The team worked alongside some wonderful partners to extend on-demand access to your Tailscale resources with OpalIndentSym, and ConductorOneBrad Fitzpatrick did some moonlighting on the 9to5 Apple @ Work podcast talking about Tailscale SSH. Microsoft’s Paul Yu detailed how to access your Linux machine on Azure with Tailscale SSH.

Manage your Tailscale resources with Terraform

Denton Gentry and Andrew Dunham on
Photo of Denton Gentry
Photo of Andrew Dunham

When deploying infrastructure, you might need to frequently redeploy an environment for testing, or spin up servers in response to an increase in demand. A common tool to automate the provisioning of your infrastructure is Terraform — with Terraform, you can define infrastructure as code, then script deployments of that infrastructure. If you’re deploying servers that you want to access over Tailscale, you can already simplify setup by using a tagged auth key to automatically connect devices to your tailnet with the right permissions. But what if you’re trying to manage your deployment of Tailscale?

You can also use Terraform to manage your use of Tailscale to define and deploy your ACLs, DNS settings, auth keys, and more. Tailscale is adopting the Tailscale Terraform provider and taking responsibility for ongoing support and development. The community, notably David Bond, originally created the Tailscale Terraform provider, and we are very thankful for the work they’ve done to provide this valuable tool to others.

Ephemeral nodes… now more ephemeral!

Maisem Ali on
Photo of Maisem Ali

If you’re using Tailscale with short-lived devices such as containers or frequently redeployed infrastructure, you are probably already using ephemeral nodes. Ephemeral nodes are meant for automated, frequently redeployed workloads because they’re automatically removed from your network once they are no longer active. However, this automatic process could potentially take an hour or longer while the coordination server waits to see if the ephemeral node will come back online. This clutters your network with containers or functions that are no longer running.

Tailscale for DevOps: On-demand access to your Tailscale resources with Opal

Maya Kaczorowski on
Photo of Maya Kaczorowski

When you’re working in an environment with strict compliance needs, you want to make sure you’re following the principle of least privilege and granting employees access only to the resources they need to do their job. Tailscale ACLs already make that possible by letting you define what someone can access — and restricting their access to everything else — with “default deny” rules.

In many organizations, access to resources needs to be granted temporarily, such as when someone needs additional information in order to debug a customer issue. This is why we’re partnering with Opal: to provide short-lived, granular, on-demand access to resources in your tailnet. With Opal, your team can generate self-serve access requests and get automatic approvals for faster access to the resources they need, rather than waiting for their help desk ticket to be manually reviewed and provisioned.

Tailscale logo connecting to Opal logo

Tailscale for DevOps: On-demand access to your Tailscale resources with Sym

Maya Kaczorowski on
Photo of Maya Kaczorowski

Managing privileged access can help improve security by reducing unnecessary access to sensitive resources and customer data. With Tailscale ACLs, you can already manage access to company resources and restrict access with “default deny” rules.

But what if there’s an emergency, and the person on call needs to access your production environment? Solving this is why we’re excited to partner with Sym! Now, users can easily request temporary access to sensitive resources in Tailscale via Slack. These requests can then be approved by team members directly in Slack, or even be automatically approved for certain people — such as on-call engineers.

Tailscale logo connecting to Sym logo

Tailscale for DevOps: On-demand access to your Tailscale resources with ConductorOne

Maya Kaczorowski on
Photo of Maya Kaczorowski

Modern governance and access control policies for sensitive resources like production nodes, databases, and SSH access to servers on Tailscale can sometimes lead to extra work when requesting and approving on-demand access. Fortunately, Tailscale ACLs already let you manage access to company resources and restrict access with “default deny” rules.

But what if you want to automate Tailscale access requests and approvals so that on-call employees and engineers can get access to sensitive resources where and when they need it? That’s why we’re really excited to partner with ConductorOne, which pulls your Tailscale identities and ACLs into a centralized, automated identity security control center that gives you greater control over who has access to what and — crucially — when.

Tailscale logo connecting to ConductorOne logo

July Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
It has been an eventful July for the team here — and we’ve been busy with new features (we have a status page), a new version (Tailscale v.1.28), and a growing learning library. Here’s all that, plus some of the meaningful contributions from our community that help make our vision of a more human internet possible.

Tailscale for DevOps: On-demand access to your Tailscale resources with Indent

Maya Kaczorowski on
Photo of Maya Kaczorowski

As your teams grow and become more distributed, it makes sense to limit an employee’s access based on their job function rather than to give everyone persistent access to your production environment. This not only lets you manage sensitive resources such as customer data more effectively, but it also reduces the risk of accidentally impacting production — for example, by running a query meant for your staging environment. This doesn’t mean you want to prevent the legitimate use of these resources, such as when someone’s on call, but simply to ensure they only have access when they’re on call.

Following the principle of least privilege, teams should limit access to sensitive production resources to only those who need it, and only when they need it. Tailscale ACLs already let you manage access to company resources and restrict access by default with “default deny” rules. But what if someone needs access to a server they don’t normally use? That’s why we’re excited to partner with Indent — so members of your team can easily request, and reviewers can easily approve, time-bounded access to these resources without ever leaving Slack.

Tailscale logo connecting to Indent logo

Putting Tailscale on the Steam Deck

Photo of Xe Iaso
Xe Iaso on

Tailscale lets you connect your computers to each other so that you can use them together securely. As technology continues to advance, we’ll be carrying around more and more devices that, for convenience, we’ll call “computers.” Some of them are more limited than others, but today I want to talk about one device in particular: the Steam Deck by Valve.

The Steam Deck is a handheld Linux computer that is used for playing desktop-grade PC games. Its portability allows you to take your Steam library on the go with you anywhere, just like a Nintendo Switch. The Deck is also notable because it runs a variant of Arch Linux called SteamOS. Valve’s philosophy is that the Steam Deck is just a PC. It is open and hackable for anyone to modify to fit their needs. Valve even gives you the drivers to install Windows on the Deck, in case you want to.

June Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
In June, we launched Tailscale SSH into beta. Featured community contributions include Pat Reagan documenting their experience with Tailscale SSH, and Kris Nova recording a Twitch tutorial on how to use Tailscale.

Introducing Tailscale SSH

Today we’re delighted to introduce Tailscale SSH, to more easily manage SSH connections in your tailnet. Tailscale SSH allows you to establish SSH connections between devices in your Tailscale network, as authorized by your access controls, without managing SSH keys, and authenticates your SSH connection using WireGuard®.

Many organizations already use Tailscale to protect their SSH sessions — for example, to allow users to connect from their work laptop to their work desktop. Since Tailscale allows you to connect your devices in a virtual private network, and use access controls to restrict communications between them, we thought, “Why do we need SSH keys? Let’s just make SSH use your Tailscale identity.” And so we did.

For sensitive high-risk connections, such as those connecting as root, you can also enable check mode. Check mode requires a user to re-authenticate with your SSO (or to have recently re-authenticated) before being able to establish a Tailscale SSH connection.

Animation of re-authenticaitng in the browser when using SSH to connect as a root user on the host demo.

When using check mode, if you haven’t recently authenticated, you need to re-authenticate before establishing a Tailscale SSH connection.

Read on to learn more about what Tailscale SSH is, how it compares to other SSH solutions, and how to start using it in your tailnet.

Roll out Tailscale as a standalone macOS app

Nick O'Neill on
Photo of Nick O'Neill

Tailscale runs on many platforms, including macOS, and has a macOS version available in the App Store. If you’re using macOS at work, however, your team might not be able to roll out Tailscale to your entire organization if not everyone has an Apple ID. In this case, it’s common to use a mobile device management (MDM) solution that allows you to distribute applications that are not available in the App Store.

Starting with Tailscale v1.26, you can install Tailscale as a standalone macOS application. The standalone macOS application has all the same functionality as the version distributed in the App Store.

May Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
It was another busy month for our growing team! We saw many of you virtually at Gitpod’s DevX conference, DockerCon, or in-person at BSidesSF. As a fully remote company, we’re looking for motivated individuals who can think on their feet, enjoy collaborating with highly technical teams, and are comfortable working asynchronously. See our open roles in this month’s newsletter, and learn more about our company vision.

Tailscale is officially SOC 2 compliant

David Anderson, Rachel Lubman, Denton Gentry and Maya Kaczorowski on
Photo of David Anderson
Photo of Rachel Lubman
Photo of Denton Gentry
Photo of Maya Kaczorowski

At Tailscale, we are ridiculously passionate about security and privacy—so much so that we built a product that, by design, can’t see your data. We don’t even want to see your data. Behind the scenes, we’ve been completing security audits, working with expert cryptographers to validate our key management, and ensuring we lock down access to our production environment.

We’re excited to announce that we’ve received our SOC 2 Type I report, reaffirming our commitment to security. Let’s dig into how Tailscale applies security controls to protect your information.

Latacora and Tailscale: A conversation on compliance

When Tailscale started working toward SOC 2, we started to ask some fundamental questions about growing and continually improving our security posture. This led us to partner with Latacora, a security firm that specializes in building information security practices for startups.

Tailscale extension for Docker Desktop launches at DockerCon

Ross Zurowski and Aaron Klotz on
Photo of Ross Zurowski
Photo of Aaron Klotz

You can use Tailscale to securely connect to the resources you need for development, including internal tools and databases, no matter where you are or where your development environment lives.

Today, as part of DockerCon, we’re excited to launch our Tailscale Docker Desktop extension. The Tailscale extension for Docker Desktop makes it easy to share exposed container ports from your local machine with other users and devices on your tailnet.

Use Tailscale in Docker Desktop to share a staged copy of your work with a colleague as part of a code review, or share in-progress feedback with teammates. Or access production resources from your development environment, such a database, a package registry, or a licensing server. Because Tailscale works with SSO from your identity provider, Tailscale makes it easier to safely share what you’re working on with anyone in your organization, based on access controls.

Tailscale raises $100M… to fix the Internet

Photo of Avery Pennarun
Avery Pennarun on
We’ve raised $100M in a Series B financing led by CRV and Insight Partners, with participation from our existing major investors: Accel, Heavybit, and Uncork Capital, along with a cast of many prominent angels and smaller investors.

April Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
We are happy (Canadian-level happy) to share that Tailscale has raised a US$100M Series B! We could not have achieved this investment without you, reader. This community sharing and using Tailscale has been our springboard to the success of our product. So, thank you! If you’d like to learn more about what we’re doing with the money, our name origin story, and other musings then read Avery’s blog post. Even with all the funding news, the world hasn’t stopped — we have a handful of community contributions and Tailscale improvements to walk through.

We all have to do a better job managing our infrastructure

Laura Franzese on
Photo of Laura Franzese

This is an interview with Tailscale co-founder and CTO David Crawshaw from CyberNews, reprinted with permission.

The impressive technological progress led to a variety of exciting developments, such as the emergence of the cloud and wireless technology. With our lives being so interconnected with the digital realm, can we still have the same level of privacy as a few decades ago?

Tailscale Authentication for NGINX

Photo of Xe Iaso
Xe Iaso on

Previously on the Tailscale blog, I walked through how authentication works with Tailscale for Grafana and even for Minecraft. Today we’re going to take that basic concept and show how to extend it to services that you have proxied behind NGINX.

Android TV remote control

Photo of Elias Naur
Elias Naur on

In this guest post, Elias Naur walks us through running Tailscale on Android TV.

Running Tailscale on an Android TV device is useful for the situations where you’re trying to connect to a big screen, but can’t use a desktop or mobile device. For example, you might want to access your home media server to watch your favorite TV shows when you’re on the go in a hotel room or Airbnb, and only have an Android TV stick to connect to the provided TV.

The Tailscale Android app now includes support for Android TV, and is available in the Google Play Store for compatible TV devices.

Read on for technical details on how we made this possible.

Sync Okta groups to use in your Tailscale ACLs

Onboarding and offboarding are some of the biggest operational challenges that face organizations today. When an employee switches teams, goes on leave, or exits, an admin typically deactivates them in their identity provider—and unfortunately, in 2022, that’s a recurring management burden. Tailscale already allows you to use your organization’s existing identity provider to manage access to devices and services in your network, including authentication settings such as multi-factor authentication. Then, to manage access to devices on your Tailscale network, you can define access control lists (ACLs) that specify which sources, such as users, groups, hosts, or tags, can access which destinations and on which ports. Access rules can include groups, which allow you to easily grant access to many users for the same resources, such as those on the same team or in the same role. However, instead of defining groups in Tailscale, you might prefer to refer to groups you already have defined in your identity provider.

Tailscale Authentication For Minecraft

Xe Iaso and TJ Horner on
Photo of Xe Iaso
Photo of TJ Horner
You can do many things with computers. Some of them are more productive than others. My recent blog post shows how to authenticate to any service, such as Grafana. Some people took the idea of using Tailscale for authenticating to any service as a neat fact. Others took this as a challenge to come up with even more creative applications of Tailscale for authentication. This is the story of one of the latter cases. This is how you can make your Minecraft server join your tailnet and authenticate to it with Tailscale. One big question you may be asking is, “Why on earth would you want to do this?” I would like to counter this with another question: “Why not?” As a great man has said, “Science isn’t about ‘why?’ it’s about ‘why not?’” We take this philosophy seriously at Tailscale. Putting your Minecraft server into your tailnet with Tailscale for authentication gives you these advantages:

Tailscale logo on NASDAQ tower v1

Photo of Jessica Webb Kennedy
Jessica Webb Kennedy on

Tailscale was included in Wing Venture Capital’s 2022 Enterprise Tech 30 List. While it’s an honor to be included, what we are most excited about is what inclusion in the list signifies.

Tailscale highlighted on the New York NASDAQ

March Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
We took a brief break from your inbox at the end of February. But we are back to making the Internet a bit more human and sharing some of the meaningful contributions from our community that help make that possible.

How To Seamlessly Authenticate to Grafana using Tailscale

Xe Iaso on
Photo of Xe Iaso
In a DevOps environment, you have to deal with a lot of different internal services that have their own authentication systems. This can take a lot of time and work to provision correctly, especially as part of user onboarding and offboarding. Tailscale already knows who you are, so for tools that you only make internally accessible in your tailnet, such as Grafana (a popular observability/statistics graphing service), we can take advantage of that to lighten the load. Instead of relying on each application to have its own authentication, by putting the application available in your tailnet, you can control access based on the existing identities and authentication you have in your identity provider. You can then manage access to that service with the authorization controls you define in Tailscale ACLs. This post will assume the following things: You have administrative (sudo) access to the target machine You have HTTPS enabled for your tailnet (your-tailscale-https-domain.

A database for 2022

Photo of David Crawshaw
David Crawshaw on
Hi, it’s us again, the ones who used to store our database in a single JSON file on disk, and then moved to etcd. Time for another change! We’re going to put everything in a single file on disk again. As you might expect from our previous choice (and as many on the internet already predicted), we ran into some limits with etcd. Database size, write transaction frequency, of particular note: generating indexes. All of these were surmountable limits, but we were quickly running into the biggest limit: me. Until now, I have been allowed to choose just about anything for a database as long as I do all the work. But at a certain point, that doesn’t scale. The way to solve the issues with etcd was bespoke code. Every time someone else had to touch it, I had to explain it. Especially the indexing code. (Sorry.) What we need is something easier to dive into and get back out of quickly, a database similar enough to common development systems that other engineers, working hard to solve other problems, don’t have to get distracted by database internals to solve their problem.

How our free plan stays free

Photo of Avery Pennarun
Avery Pennarun on

TL;DR: Tailscale’s free plan is free because we keep our scaling costs low relative to typical SaaS companies. We care about privacy, so unlike some other freemium models, you and your data are not the product. Rather, increased word-of-mouth from free plans sells the more valuable corporate plans. I know, it sounds too good to be true. Let’s see some details.

Use Caddy to manage Tailscale HTTPS certificates

Photo of Brad Fitzpatrick
Brad Fitzpatrick on

When you connect to a web application on your tailnet over plain HTTP, you might get a security warning in your browser. Although your tailnet’s connections use WireGuard, which provides end-to-end encryption at the network layer, your browser isn’t aware of that encryption—so it looks for a valid TLS certificate for that domain. For internal web apps, this can be confusing to your users, so Tailscale already allows you to provision HTTPS certificates from Let’s Encrypt for your internal web applications, with tailscale cert.

If you’re running a public web server, though, it will need to get the certificate from Tailscale to serve your sites over HTTPS on your tailnet. Caddy is an open source web server—and unlike most web servers, it provisions and manages HTTPS certificates for you. (We love it because it uses HTTPS by default!) Caddy also manages renewing these certificates automatically.

With the beta release of Caddy 2.5, Caddy automatically recognizes and uses certificates for your Tailscale network (*.ts.net), and can use Tailscale’s HTTPS certificate provisioning when spinning up a new service.

Tagged nodes no longer need key renewal, which means it's easier than ever to manage servers

Photo of Maisem Ali
Maisem Ali on

Devices you add to your Tailscale network will periodically expire their node keys and force users to reauthenticate, to ensure the devices are still meant to be on your network.

In Tailscale, ACL tags provide a way to assign an identity to a device, which replaces the prior user authentication on that device. So, node key expiry might be surprising behavior for tagged devices, such as servers, which do not have a user associated with them.

Starting today, tagged devices will have key expiry disabled by default.

Introducing auto approvers for routes and exit nodes

Photo of Maisem Ali
Maisem Ali on

You can use subnet routers in Tailscale to easily connect an existing network you have to your tailnet—for example, a virtual private cloud, or an on-premises legacy network. To set up a subnet router, you advertise routes from the device, and then approve these from the admin console. But what if you’re spinning up multiple subnet routers in high-availability mode? Or multiple exit nodes?

We’re introducing the concepts of autoApprovers for routes and exit nodes. This lets you specify in your ACL file which users can self-approve routes and exit nodes. This means that you can set up a subnet router or an exit node with just one CLI command on the device.

ACL tags are generally available

ACL tags can be applied to a Tailscale device in order to manage access permissions based on its tag. Tailscale already allows you to manage access to devices based on their names, rather than IP addresses; and tags take this a step further, so you can manage access to devices based on their purpose. For example, you might tag a production server prod and a production database prod, and allow all prod devices to communicate with each other in your network, rather than specifying each device individually.

We’re excited to announce ACL tags are now generally available! What does this mean for you? You can include tags as part of an authentication key, you can tag devices from the admin console, and tags can be owners of other tags. And we’ve further locked down ACL tags, so that authentication is required when re-tagging a device. ACL tags are a free feature, available in all pricing tiers.

December Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
December brought fascinating community contributions, including How To Get Tailscale Working With a Fire TV Stick and how to use Tailscale for SSH access to ‘LAN’ locked machines.

Tailscale Rhyme Time crossword

This is our inaugural Tailscale crossword puzzle. The answer key will be published in our December newsletter, and on our blog.

Subscribe for monthly updates

Product updates, blog posts, company news, and more.

Too much email? RSS Twitter