Terminology and concepts

Tailnet

The set of machines in a Tailscale network is referred to as a tailnet. Each machine in the tailnet is considered a node and is assigned a unique Tailscale IP address by the coordination server. Nodes can directly communicate with one another unless the traffic is restricted by the tailnet’s access control lists (ACLs).

Coordination server

All machines in a tailnet maintain a connection with a centralized coordination server in order to exchange metadata such as encryption keys, network topology changes, and access policy changes. The coordination server is part of the control plane only, not the data plane - it is not responsible for relaying traffic between machines and so avoids being a performance bottleneck.

Network topology

A computer network is a set of machines that can communicate with one another either directly or indirectly through another machine. Traditional VPN technologies operate as a “hub-and-spoke” network where each machine communicates with another by having all traffic routed through a central gateway machine. Tailscale operates as a mesh network, where each machine is able to communicate directly with one another using NAT traversal.

NAT traversal

Most machines on the Internet are unable to naively communicate due to the presence of firewalls and devices that perform Network Address Translation. NAT traversal works around these barriers through a number of techniques. See “How NAT traversal works” for more details.

Relay

When a direct connection between two machines cannot be established, then the only way to communicate is through an intermediate relay that both machines are able to communicate with. Tailscale’s relay servers are known as Designated Encrypted Relay for Packets, or DERP. In a vast majority of cases, machines can establish a direct connection, and only a small amount of traffic must instead be routed through DERP.

Relays are distributed globally — New York City, Dallas, Seattle, London, San Francisco, Frankfurt, Tokyo, Sydney, Bangalore, Singapore… and we keep adding more relays as we go along.

Tailscale IP address

Each machine in a tailnet is assigned a unique IP address that never changes for your device, even when the machine device switches between home Ethernet, cellular hotspot, or coffee shop Wi-Fi networks. The address is assigned by the coordination server and always of the form 100.x.y.z (for example, 100.101.102.103). Use MagicDNS to automatically register memorable hostnames for machines in the network.

Admin console

The admin console is where you find detailed information about your tailnet. You can manage nodes on your network, users and their permissions, and settings such as key expiry. The admin console also informs you if an update to the Tailscale client is available for your device. Changes to your tailnet are immediately published to all relevant machines by the coordination server.

The admin console is located at https://login.tailscale.com/admin/.

Key expiry

Tailscale uses WireGuard to enable encrypted connections between machines. With Tailscale, private encryption keys are fully managed by clients, and the coordination server is only used to distribute public encryption keys.

Using Tailscale means you never have to manage encryption keys directly. Keys are set to automatically expire and must be regenerated at regular intervals. For long-lived cloud servers and other IoT devices, you may disable key expiry from the admin console.

Access control lists

Tailscale uses network access control lists (ACLs), to precisely define what a particular user or device is permitted to access on your tailnet. ACLs are stored in the tailnet policy file.

Tailnet policy file

The object that stores a tailnet’s access control lists is referred to as the tailnet policy file. The tailnet policy file is a human JSON (HuJSON) file that conforms to the Tailscale policy syntax.

MagicDNS

While a Tailscale IP address uniquely identifies a machine in the tailnet, it is neither easy for humans to remember or type. Tailscale’s MagicDNS service provides the ability to map a memorable hostname to the Tailscale IP address.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms