Terminology and concepts
ACL tags allow you to assign an identity to a device itself, independent of whichever user is logged in to it, and to use that identity as part of your access rules to restrict access. See ACL tags for more information.
The admin console is where you find detailed information about your tailnet. You can manage nodes on your network, users and their permissions, and settings such as key expiry. The admin console also informs you if an update to the Tailscale client is available for your device. Changes to your tailnet are immediately published to all relevant machines by the coordination server.
The admin console is located at https://login.tailscale.com/admin/.
Application programming interface. Tailscale’s API is in development. For most user needs, the JSON output of tailscale status --json from the CLI is sufficient.
Command line interface. On Linux, macOS, and Windows, Tailscale ships with a CLI for controlling Tailscale that offers a few more options than the GUI (graphical user interface) clients.
All machines in a tailnet maintain a connection with a centralized coordination server in order to exchange metadata such as encryption keys, network topology changes, and access policy changes. The coordination server is part of the control plane only, not the data plane - it is not responsible for relaying traffic between machines and so avoids being a performance bottleneck.
A specific physical device, regardless of who uses it.
A public/private key-pair per device. Multiple users can use a single device (e.g. different logins on that Mac/Windows/Linux desktop) but they’ll all have the same device key. Each user on that device is then a unique node.
Also referred to as tailnet. A Tailscale domain is a network. Each email domain is its own domain. So users alice@example.com and bob@example.com are both in the example.com domain and can potentially access each other’s nodes (subject to the domain’s ACL). Shared email providers like @gmail.com are treated specially: each email address is considered its own isolated domain.
See SSO Providers for supported identity providers.
A firewall limits what network traffic can pass between two points. Firewalls can be hardware-based or software-based. Tailscale includes a built-in, per-node firewall: each node enforces the tailnet’s access rules (ACLs) on the traffic it accepts, so a rule that is not in the policy is not merely advisory.
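To make the ACL tags entry and the built-in firewall concrete, here is an added example, not Tailscale’s policy engine, that models how a tailnet policy decides whether one node may reach another. The POLICY dict is constructed and uses the real policy-file keys (groups, tagOwners, acls with action/src/dst, each dst written as "target:ports"), but the matcher only understands users, groups, tags, "*" and IPv4 addresses or CIDRs; real policies also support hosts, autogroups and other selectors. The evaluator is allow-only, as Tailscale ACLs are: a flow is permitted when some rule accepts it and denied otherwise.

```python
"""Simplified model of tailnet access rules (ACLs) and ACL tags.

Added example, not Tailscale's code.  Only users, groups, tags, "*" and
IPv4 address/CIDR selectors are modelled (an assumption; the real format
supports more).  Rules are allow-only: anything no rule accepts is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Node:
    """A node as the policy sees it: owned by a user, or tagged instead."""
    ip: str
    user: Optional[str] = None    # login of the owning user; None once tagged
    tags: Tuple[str, ...] = ()    # ACL tags give the device its own identity


# Constructed policy: ops staff may SSH/HTTPS to servers, CI may only HTTPS.
POLICY = {
    "groups": {"group:ops": ["alice@example.com", "bob@example.com"]},
    "tagOwners": {"tag:server": ["group:ops"], "tag:ci": ["group:ops"]},
    "acls": [
        {"action": "accept", "src": ["group:ops"],
         "dst": ["tag:server:22", "tag:server:443"]},
        {"action": "accept", "src": ["tag:ci"], "dst": ["tag:server:443"]},
    ],
}

# The permissive rule a brand-new tailnet ships with: everyone reaches everything.
ALLOW_ALL_POLICY = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}


def selector_matches(sel: str, node: Node, policy: dict) -> bool:
    """Does a src or dst target (without the :ports part) select this node?"""
    if sel == "*":
        return True
    if sel.startswith("group:"):
        members = policy.get("groups", {}).get(sel, [])
        return node.user is not None and node.user in members
    if sel.startswith("tag:"):
        return sel in node.tags
    if "@" in sel:
        return node.user == sel
    try:  # bare IPv4 address or CIDR
        return ipaddress.ip_address(node.ip) in ipaddress.ip_network(sel, strict=False)
    except ValueError:
        return False


def port_matches(spec: str, port: int) -> bool:
    """Port spec is "*", a single port, a range "lo-hi", or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def can_apply_tag(policy: dict, user: str, tag: str) -> bool:
    """Only a user listed in tagOwners (directly or via a group) may tag a device."""
    for owner in policy.get("tagOwners", {}).get(tag, []):
        if owner == user:
            return True
        if owner.startswith("group:") and user in policy.get("groups", {}).get(owner, []):
            return True
    return False


def is_allowed(policy: dict, src: Node, dst: Node, port: int) -> bool:
    """True when some accept rule covers src -> dst:port.  Rules are one-directional."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(selector_matches(s, src, policy) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            target, _, ports = entry.rpartition(":")
            if selector_matches(target, dst, policy) and port_matches(ports, port):
                return True
    return False


if __name__ == "__main__":
    alice = Node("100.64.0.1", user="alice@example.com")
    carol = Node("100.64.0.2", user="carol@example.com")
    server = Node("100.64.0.10", tags=("tag:server",))
    for who in (alice, carol):
        print(who.user, "-> server:22", is_allowed(POLICY, who, server, 22))
```

Two details worth noticing in the model match the real behaviour: a tagged node has no user, so a rule whose src is a group never matches the server node itself, and rules are directional, so the server being reachable from ops does not let the server initiate connections back to an ops laptop.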
A service that verifies you are who you say you are, such as Google, Okta, or Microsoft. Tailscale is not an identity provider, as there are no Tailscale passwords; Tailscale is a relying party of other identity providers.
See SSO Providers for supported identity providers.
Tailscale uses WireGuard to enable encrypted connections between machines. With Tailscale, private encryption keys are fully managed by clients, and the coordination server is only used to distribute public encryption keys.
Using Tailscale means you never have to manage encryption keys directly. Node keys are set to expire automatically, after which the device must re-authenticate with your identity provider to obtain a fresh key. For long-lived cloud servers, IoT devices and other machines that cannot conveniently re-authenticate, you may disable key expiry for that machine from the admin console.
While a Tailscale IP address uniquely identifies a machine in the tailnet, it is neither easy for humans to remember nor to type. Tailscale’s MagicDNS service maps a memorable hostname to the Tailscale IP address.
Most machines on the Internet are unable to communicate directly with one another because of firewalls and devices that perform network address translation. NAT traversal works around these barriers through a number of techniques. See How NAT traversal works for more information.
A computer network is a set of machines that can communicate with one another, either directly or indirectly through another machine. Traditional VPN technologies operate as a “hub-and-spoke” network, where all traffic between two machines is routed through a central gateway. Tailscale operates as a mesh network, where machines communicate directly with one another using NAT traversal.
A combination of a user and a device.
When a direct connection between two machines cannot be established, the only way to communicate is through an intermediate relay that both machines are able to reach. Tailscale’s relay servers are known as Designated Encrypted Relay for Packets, or DERP. A relay only forwards WireGuard packets that are already encrypted end to end between the two machines, so it cannot read the traffic it carries. In the vast majority of cases, machines can establish a direct connection, and only a small amount of traffic must instead be routed through DERP.
Relays are distributed globally — New York City, Dallas, Seattle, London, San Francisco, Frankfurt, Tokyo, Sydney, Bangalore, Singapore… and more.
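The API/CLI entry above points to tailscale status --json as the practical way to inspect a tailnet, and the key expiry and relay entries describe what that output lets you see. The following is an added example, not code from the Tailscale project, that reads such output and reports each peer’s Tailscale address, whether it is reached directly or through a DERP relay, and which nodes need re-authentication because their keys are expiring. SAMPLE_STATUS is constructed to mimic the shape of the CLI’s JSON (Self, Peer, TailscaleIPs, CurAddr, Relay, Online, KeyExpiry); the real output carries many more fields. Two assumptions are made: an online peer with an empty CurAddr is currently reached through the relay named in Relay (or has no path yet if Relay is empty), and a node without a KeyExpiry field has key expiry disabled. The 100.64.0.0/10 check reflects that Tailscale draws its 100.x.y.z addresses from that CGNAT range.

```python
"""Reading `tailscale status --json` from a script.

Added example, not Tailscale's code.  SAMPLE_STATUS is a constructed document
mimicking the CLI's JSON shape.  Assumptions: Online + empty CurAddr means the
peer is relayed through DERP region `Relay`; a missing KeyExpiry means expiry
is disabled for that node.
"""
import ipaddress
import json
from datetime import datetime
from typing import Dict, List, Optional

# Tailscale hands out its 100.x.y.z addresses from the CGNAT range 100.64.0.0/10.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")

SAMPLE_STATUS = r"""
{
  "BackendState": "Running",
  "MagicDNSSuffix": "tail1234.ts.net",
  "Self": {
    "HostName": "laptop", "DNSName": "laptop.tail1234.ts.net.",
    "TailscaleIPs": ["100.101.102.103", "fd7a:115c:a1e0::1"],
    "Online": true, "Relay": "nyc", "CurAddr": "",
    "KeyExpiry": "2024-12-01T00:00:00Z"
  },
  "Peer": {
    "nodekey:aaaa": {"HostName": "nas", "DNSName": "nas.tail1234.ts.net.",
                     "TailscaleIPs": ["100.64.0.10"], "Online": true,
                     "Relay": "nyc", "CurAddr": "203.0.113.5:41641"},
    "nodekey:bbbb": {"HostName": "build-ci", "DNSName": "build-ci.tail1234.ts.net.",
                     "TailscaleIPs": ["100.64.0.20"], "Tags": ["tag:ci"],
                     "Online": true, "Relay": "fra", "CurAddr": "",
                     "KeyExpiry": "2024-06-01T00:00:00Z"},
    "nodekey:cccc": {"HostName": "old-phone", "DNSName": "old-phone.tail1234.ts.net.",
                     "TailscaleIPs": ["100.64.0.30"], "Online": false,
                     "Relay": "", "CurAddr": "", "KeyExpiry": "2024-05-01T00:00:00Z"}
  }
}
"""


def load_status(text: str) -> dict:
    """Parse the JSON document; live use would feed it subprocess output of
    `tailscale status --json` instead of the constructed sample."""
    return json.loads(text)


def parse_time(stamp: str) -> datetime:
    """RFC 3339 timestamps as the CLI prints them, with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def tailscale_ipv4(node: dict) -> Optional[str]:
    """The node's 100.x.y.z address, ignoring its IPv6 Tailscale address."""
    for addr in node.get("TailscaleIPs", []):
        ip = ipaddress.ip_address(addr)
        if ip.version == 4 and ip in TAILSCALE_V4:
            return str(ip)
    return None


def connection_kind(peer: dict) -> str:
    """offline / direct (NAT traversal succeeded) / relayed via DERP <region>."""
    if not peer.get("Online", False):
        return "offline"
    if peer.get("CurAddr"):
        return "direct"
    relay = peer.get("Relay")
    return f"relayed via DERP {relay}" if relay else "no path yet"


def key_expiry_days(status: dict, now: datetime) -> Dict[str, Optional[int]]:
    """Days until each node's key expires; negative = already expired,
    None = key expiry disabled (no KeyExpiry field, per the stated assumption)."""
    nodes = [status["Self"], *status.get("Peer", {}).values()]
    return {n["HostName"]: None if n.get("KeyExpiry") is None
            else (parse_time(n["KeyExpiry"]) - now).days for n in nodes}


def nodes_needing_reauth(status: dict, now: datetime, within_days: int = 7) -> List[str]:
    """Nodes whose key expires within the window, or has expired already."""
    return sorted(name for name, days in key_expiry_days(status, now).items()
                  if days is not None and days <= within_days)


if __name__ == "__main__":
    st = load_status(SAMPLE_STATUS)
    now = parse_time("2024-05-29T00:00:00Z")
    for peer in st["Peer"].values():
        print(f'{peer["HostName"]:10} {tailscale_ipv4(peer):16} {connection_kind(peer)}')
    print("re-auth soon:", nodes_needing_reauth(st, now))
```

The relay column is the quickest way to tell whether NAT traversal is working between two particular machines; a peer that stays on DERP under sustained traffic is a sign that both sides sit behind NATs the traversal techniques cannot get through.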
Single sign-on. A way to log in to site B using the identity of site A. See Identity Provider for more information.
The set of machines in a Tailscale network is referred to as a tailnet. Each machine in the tailnet is considered a node and is assigned a unique Tailscale IP address by the coordination server. Nodes can directly communicate with one another unless the traffic is restricted by the tailnet’s access rules (ACLs).
A “personal tailnet” refers to a shared domain single-user tailnet (e.g. gmail.com), and an “organization tailnet” refers to a custom domain tailnet.
A Tailscale employee.
Each machine in a tailnet is assigned a unique IP address that never changes for your device, even when the device switches between home Ethernet, a cellular hotspot, or coffee shop Wi-Fi. The address is assigned by the coordination server and is always of the form 100.x.y.z (for example, 100.101.102.103), drawn from the 100.64.0.0/10 range. Use MagicDNS to automatically register memorable hostnames for machines in the network.
In VPNs, the term tunnel usually refers to a virtual tunnel between your machine and a peer you’re trying to talk to.
WireGuard is the underlying cryptographic protocol that Tailscale speaks.