Can I use Tailscale alongside other VPNs?

It depends. In most cases, you can’t use Tailscale alongside other VPNs.

In theory, it should work. Tailscale only routes a small subset of your internet traffic (100.x.y.z addresses and subnets), by default, leaving the rest for other VPNs to manage.

In practice, most VPNs set aggressive firewall rules to ensure all network traffic goes through them. They then drop all Tailscale traffic, which only Tailscale knows how to route. VPNs that don’t use aggressive firewall rules may be able to run alongside Tailscale.

On iOS, the system also enforces a limit of running one VPN at a time. Until this policy changes, running more than one VPN at a time on iOS is not possible.

We’re exploring ways we could work with other VPN providers to allow using Tailscale alongside other VPNs, but have no expected timeline to fix this.

Workaround: Userspace Networking

Tailscale can run in either kernel networking mode or userspace networking mode. In the default kernel networking mode, Tailscale will create a network interface, change firewall rules, and assign your machine a Tailscale IP address. This is the part that fights with other VPNs.

Tailscale also offers a userspace networking mode where Tailscale will expose a SOCKS5 proxy to allow you to connect out to your tailnet. Any incoming connections will be proxied to the same port on 127.0.0.1.

ping will not work for tailnet destinations when Tailscale is running in userspace networking mode. In order to ping things on your tailnet, use tailscale ping.

Workaround: Split Tunnels

Some VPN providers, such as PIA, allow a “split-tunnel” configuration to bypass traffic for specific applications or addresses ranges. If your other VPN supports this, add the following IP address ranges for compatibility with Tailscale:

100.64.0.0/10
fd7a:115c:a1e0::/48

If you use subnet routes, be sure to add those routes to your split-tunnel configuration too.

When using exit nodes, the split-tunnel workarounds will not work, as Tailscale sets its own aggressive firewall rules to route all traffic to your exit node. Exit nodes only support one VPN at a time.