Get started
© 2024

Terminology and concepts

Access control lists

Tailscale uses network access control lists (ACLs), to precisely define what a particular user or device is permitted to access on your tailnet. ACLs are stored in the tailnet policy file.

ACL tags

Lets you assign an identity to devices and use it as part of your access rules to restrict access. See ACL tags for more information.

Admin console

The admin console is where you find detailed information about your tailnet. You can manage nodes on your network, users and their permissions, and settings such as key expiry. The admin console also informs you if an update to the Tailscale client is available for your device. Changes to your tailnet are immediately published to all relevant machines by the coordination server.

The admin console is located at


Application programming interface. Tailscale's API is in development. The tailscale status --json output from the CLI is sufficient for most user needs.


Command line interface. On Linux, macOS, and Windows, Tailscale comes with a CLI interface to control Tailscale that offers a few more options than are available with the GUI (Graphical User Interface) clients.

Coordination server

All machines in a tailnet maintain a connection with a centralized coordination server in order to exchange metadata such as encryption keys, network topology changes, and access policy changes. The coordination server is part of the control plane only, not the data plane — it is not responsible for relaying traffic between machines and so avoids being a performance bottleneck.


A specific physical device, regardless of who uses it.

Device key

A public/private key-pair per device. Multiple users can use a single device (for example, different logins on that Mac/Windows/Linux desktop) but they'll all have the same device key. Each user on that device is then a unique node.


Also referred to as tailnet. A Tailscale domain is a network. Each email domain is its own domain. So users and are both in the domain and can potentially access each others' nodes (subject to the domain's ACL). Shared email providers like are treated specially and each email address is considered its own isolated domain.

See SSO Providers for supported identity providers.


A firewall limits what network traffic can pass between two points. Firewalls can be hardware-based or software-based. Tailscale includes a built-in firewall, defined by the domain's access rules.

Identity Provider

A method of proving who you say you are, including Google, Okta, and Microsoft. Tailscale is not an identity provider as there are no Tailscale passwords. Tailscale is a relying party of other identity providers.

See SSO Providers for supported identity providers.

Key expiry

Tailscale uses WireGuard to enable encrypted connections between machines. With Tailscale, private encryption keys are fully managed by clients, and the coordination server is only used to distribute public encryption keys.

Using Tailscale means you never have to manage encryption keys directly. Keys are set to automatically expire and must be regenerated at regular intervals. For long-lived cloud servers and other IoT devices, you may disable key expiry from the admin console.


While a Tailscale IP address uniquely identifies a machine in the tailnet, it is neither easy for humans to remember or type. Tailscale's MagicDNS service provides the ability to map a memorable hostname to the Tailscale IP address.

NAT traversal

Most machines on the Internet are unable to naively communicate due to the presence of firewalls and devices that perform network address translation. NAT traversal works around these barriers through a number of techniques. See How NAT traversal works for more information.

Network topology

A computer network is a set of machines that can communicate with one another either directly or indirectly through another machine. Traditional VPN technologies operate as a "hub-and-spoke" network where each machine communicates with another by having all traffic routed through a central gateway machine. Tailscale operates as a mesh network, where each machine is able to communicate directly with one another using NAT traversal.


A combination of a user and a device.


Another node that your node is trying to talk to. They might be part of your domain or not.


When a direct connection between two machines cannot be established, then the only way to communicate is through an intermediate relay that both machines are able to communicate with. Tailscale's relay servers are known as Designated Encrypted Relay for Packets, or DERP. In a vast majority of cases, machines can establish a direct connection, and only a small amount of traffic must instead be routed through DERP.

Relays are distributed globally — New York City, Dallas, Seattle, London, San Francisco, Frankfurt, Tokyo, Sydney, Bangalore, Singapore… and more.


Single sign-on. A way to log in to site B using the identity of site A. See Identity Provider for more information.


The set of machines in a Tailscale network is referred to as a tailnet. Each machine in the tailnet is considered a node and is assigned a unique Tailscale IP address by the coordination server. Nodes can directly communicate with one another unless the traffic is restricted by the tailnet's access rules (ACLs).

A "personal tailnet" refers to a shared domain single-user tailnet (for example,, and an "organization tailnet" refers to a custom domain tailnet.

Tailnet policy file

The object that stores a tailnet's access rules is referred to as the tailnet policy file. The tailnet policy file is a human JSON (HuJSON) file that conforms to the Tailscale policy syntax.


A Tailscale employee.

Tailscale IP address

Each machine in a tailnet is assigned a unique IP address that never changes for your device, even when the machine device switches between home Ethernet, cellular hotspot, or coffee shop Wi-Fi networks. The address is assigned by the coordination server and always of the form 100.x.y.z (for example, Use MagicDNS to automatically register memorable hostnames for machines in the network.


In VPNs, the term tunnel usually refers to a virtual tunnel between the your machine and a peer you're trying to talk to.


WireGuard is the underlying cryptographic protocol that Tailscale speaks.