Get started
© 2024

Terminology and concepts

Access control lists

An access control list (ACL) manages system access using rules in the tailnet policy file. You can use ACLs to filter traffic and enhance security by managing who and what can use which resources.

ACL tags

A tag lets you assign an identity (that's separate from human users) to devices. You can use tags in your access rules to restrict access.

Admin console

The admin console is the central location to view and manage your Tailscale network. You can manage nodes on your network, users and their permissions, and settings such as key expiry. The admin console also informs you if an update to the Tailscale client is available for your device. When you make changes from the admin console, the coordination server updates the changes to your tailnet immediately.

You can access your admin console at


API is an acronym for application programming interface. APIs define a set of rules to interact with an application or service programmatically. The Tailscale API lets you manage your Tailscale account and tailnet.


CLI is an acronym for command line interface. The Tailscale CLI includes a robust set of commands with functionality that GUI applications might not have. The Tailscale CLI is installed automatically when you install Tailscale on Linux, macOS, or Windows.

Coordination server

A coordination server is a central server that maintains a connection to all machines in your Tailscale network. It manages encryption keys, network changes, access policy changes, and maintains a connection to all machines in your Tailscale network. The coordination server is part of the control plane, not the data plane. It avoids being a performance bottleneck by not relaying traffic between machines.


A device is anything other than a user. It can be physical or virtual and sends, receives, or processes data on your Tailscale network.

Device key

A device key is a unique public and private key pair for a specific device. More than one user can use a device key, but each device can only have one device key. The combination of a specific user with a device key represents a unique node.


A firewall limits what network traffic can pass between two points. Firewalls can be hardware-based or software-based. Tailscale includes a built-in firewall, defined by the domain's access rules.

Identity Provider

An identity provider is a method for users to authenticate to a tailnet. Examples of identity providers include Google, Okta, and Microsoft. Tailscale is not an identity provider but relies other identity providers for authentication.

Key expiry

Key expiry is the end of the validity period for a cryptographic key. An expired key can no longer encrypt or decrypt data, nor authenticate a device to a Tailscale network.

Using Tailscale means you never have to manage encryption keys directly. Tailscale automatically expires keys and requires them to be regenerated at regular intervals. You can disable key expiry for long-lived devices from the admin console.


MagicDNS automatically registers memorable hostnames for devices in your Tailscale network. It also extends and improves DNS functionality.

NAT traversal

NAT is an acronym for network address translation. NAT traversal is a way to connect nodes across the internet through barriers such as firewalls. Most internet devices can't talk to each other because of firewalls and devices that do network address translation. NAT traversal works around these barriers, allowing data to traverse the network.

Network topology

A network topology is an arrangement of nodes in a network. It shows the connections between them. Examples of network topologies include star, bus, hub-and-spoke, mesh, and hybrid.

Traditional virtual private networks (VPNs) use a hub-and-spoke topology. Each machine communicates with another in this setup by sending all traffic through a central gateway machine. Tailscale operates as a mesh topology where each machine can talk directly to others using NAT traversal.


A node is a combination of a user and a device.


A peer is another node that your node is trying to talk to. A peer might or might not be in the same domain.


A relay is an intermediary server that passes data between two or more nodes in a network. Tailscale uses a special type of globally distributed relay server called Designated Encrypted Relay for Packets (DERP). DERP relay servers function as a fallback to connect nodes when NAT traversal fails.


SSO is an acronym for single sign-on. Single sign-on lets users log in to one site using the identity of another.


A tailnet is another term for a Tailscale network, which is an interconnected collection of users, machines, and resources. The network has a control plane and a data plane that work in unison to manage access and send data between nodes.

There are personal and organization tailnets. A personal tailnet is a shared domain single-user tailnet (like An organization tailnet is a custom domain tailnet (like,

Tailnet policy file

The tailnet policy file stores your Tailscale network's access rules, along with other tailnet configuration items. It uses human JSON (HuJSON) and conforms to the Tailscale policy syntax.


A Tailscalar is a Tailscale employee.

Tailscale IP address

A Tailscale IP address is a unique IP address assigned to each machine in your Tailscale network. It's always in the form 100.x.y.z (for example, It stays the same even when switching between your home internet connection, cellular networks, or coffee shop Wi-Fi networks.


In networking, a tunnel is an encapsulated connection between one or more points in a network. It lets users, nodes, or resources communicate securely over a public data network.


WireGuard is the underlying cryptographic protocol that Tailscale uses.