Technical overviews
About WireGuard and 2FA/MFA login
WireGuard® is a modern and fast encrypted networking protocol that offers a number of performance benefits over traditional VPNs and TLS. Among …
How Tailscale assigns IP addresses
Tailscale makes it easy to connect to your network by providing you with a stable IP address for each node (a device or a server). These …
Smaller binaries for embedded devices
Learn how to build an extra-small Tailscale binary for deployment in disk space constrained environments.
Kernel vs. netstack subnet routing & exit nodes
Tailscale can act as a subnet router or exit node in one of two different modes: kernel mode (root on Linux); userspace mode (all non-Linux …
Userspace networking mode (for containers)
Userspace Networking mode allows running Tailscale where you don’t have access to create a VPN tunnel device. This often happens in …
Machine certificates
The mechanism by which nodes can join a domain is enforced by machine certificates. When a new device tries to join the Tailscale network, we …
Protect your SSH servers using Tailscale
What is Secure Shell (SSH)? The secure shell protocol, or SSH, has been around now for over 25 years. It was designed to securely connect to a …
Tailnet lock white paper
This white paper on tailnet lock is a draft. It is shared to solicit feedback on the design and implementation of tailnet lock. Abstract …
DERP Servers
Learn how DERP relay servers link your nodes peer-to-peer as a side channel during NAT traversal, and as a fallback if NAT traversal fails.
"Zero Trust Networking" definition
Zero Trust Networking (ZTN) is an architecture descended from Google’s BeyondCorp design. Although many products now advertise “zero …