Plans that work for everyone
Tailscale at Work
Starter
For teams or organizations looking for an easy-to-use, secure, legacy VPN replacement.
Users and devices
- Unlimited Users
- 100 devices + 10 devices per user Need more?
Features
- Limited ACLs
- Standard user roles
- ACL tags
- Auth Keys
- SSO with any IdP
- Configuration Audit Logging
- Webhooks
Premium
For companies who need service and resource level authentication and access control.
Users and devices
- Unlimited Users
- 100 devices + 20 devices per user Need more?
Features
- ACLs
- SSO with any IdP
- Network flow logging
- Tailscale SSH
- Tailscale Funnel
- GitOps for ACLs
- Advanced user roles
- MDM Policies
- Priority support
Enterprise
For companies who need advanced integrations, compliance and support for access control at scale.
Users and devices
- Unlimited Users
- 100 devices + 20 devices per user Need more?
Features
- User & Group provisioning (SCIM)
- Network flow logging with log streaming
- Tailscale SSH session recording
- Annual Billing
- Pay By Invoice
- Tailnet Lock
- Advanced Device Posture Management
- MDM Policies
- Priority support
- Additional Support Options
For any plan
Add-ons
Get more out of Tailscale with optional add-ons. Available on all plans. Head to the settings page to configure your add-ons.
Securely and privately browse the web with Tailscale + Mullvad. Learn more
Additional devices
Add devices without adding more users to your plan. Learn more
Tailscale at Home
Personal
For individuals who want to securely connect personal devices, for free.
Users and devices
- Up to 3 users w/ public domain
- Up to 100 devices. Need more?
Features
- Peer-To-Peer Connections
- MagicDNS
- Network, Resource-level, and Attribute-based Access Policies (ACLs)
- User Approval
- SSO with any IdP
Have any questions? Check out our product FAQ, licensing FAQ, or contact our sales team.
Compare plans and features
Compare plans | Personal | Starter | Premium | Enterprise |
---|---|---|---|---|
Pricing per active user/month | $0 | $6 | $18 | Custom |
Users & Devices | ||||
UsersA user is any distinct email address in your account. Personal includes 3 free users. Starter and Premium offer unlimited users; you pay for the number of active users at the end of your billing cycle. | 3 | Unlimited | Unlimited | Unlimited |
DevicesA device is any computer, phone, or server with Tailscale installed that's connected to your network. Device limits are pooled across your network. | 100 | 100 + 10/user | 100 + 20/user | 100 + 20/user |
Add-on devices | $0.50 each | $0.50 each | $0.50 each | $0.50 each |
Desktop & mobile apps | ||||
Virtual Private Networking | ||||
Peer-to-peer connectionsEstablish direct connections between nodes in your tailnet, to minimize latency. | ||||
End-to-end encryptionEncrypt all traffic end-to-end with WireGuard®. | ||||
IPv4 and IPv6Route both IPv4 and IPv6 traffic. | ||||
Split tunnellingSplit DNS traffic so only traffic to your internal network goes over Tailscale, and everything else goes directly to the internet. | ||||
Short DNS host names (MagicDNS)Automatically register human readable DNS names with MagicDNS to make it even easier to access devices and services on your network. | ||||
Exit nodesRoute Internet traffic through a designated egress point on your tailnet, like a traditional VPN. | ||||
Subnet routersRelay traffic from your tailnet through a gateway to a subnet of VPCs, corporate LANs, physical networks, and more. | ||||
App connectorsControl access to software as a service (SaaS) applications available over your tailnet. | ||||
HA failoverExpose the same subnet routers and app connectors on multiple routers to ensure availability even if one router goes offline. | ||||
IP space collision resolution (4via6 subnet routers)Route traffic to overlapping IPv4 subnets without renumbering with 4via6 subnet routers, by assigning unique IPv6 addresses for each subnet. | ||||
Regional routingRoute your traffic across distributed HA subnet routers or app connectors based on region. | ||||
Access control | ||||
Network-level access policies (ACLs)Precisely define access in your tailnet based on IP address, subnet, or port. | ||||
ACL testsTest ACLs to make sure they're properly scoped to avoid unnecessary exposure of critical systems on your network. | ||||
GitOps for ACLsUse a GitOps workflow to centralize management and version-control of your ACLs. | ||||
On-demand accessUse partner integrations to grant elevated privileges (e.g. on-call), including temporary access, using an approval workflow. | ||||
Resource-level access policiesUse ACL tags to assign identity to a device in order to enforce access based on roles and groups. | ||||
Restrict based on purpose (ACL tags)Assign an identity to a device that is separate from human users, and use that identity as part of an ACL to restrict access. | ||||
Restrict based on groupAllow specific ACL-defined groups to access tagged nodes. | autogroups only | |||
Restrict based on individual userAllow specific ACL-defined users to access tagged nodes. | ||||
Application Networking | ||||
Service accountsPre-authenticate services or nodes (e.g., servers and ephemeral containers) added to your network. | ||||
Service provisioningAssign an identity to a service or node and restrict access on your tailnet, using ACL tags. | ||||
Tailscale Kubernetes operatorProvide full ingress and egress connectivity from Kubernetes clusters to non-Kubernetes resources, as well as cross-cluster peering, via Tailscale. | ||||
Tailscale SSHAuthenticate and encrypt SSH connections between devices in your tailnet, using Tailscale instead of SSH basic auth, keys, certs, or a bastion. | ||||
Tailscale FunnelRoute traffic from the Internet to a node in your tailnet to publicly share it with anyone, even if they aren’t using Tailscale. | ||||
User Management | ||||
User approvalPrevent new users in your organization from joining a tailnet until they’ve been approved by an admin | ||||
Standard user rolesStandard user roles include owner, admin, and member | ||||
Advanced user rolesAdvanced user roles include billing admin, IT admin, network admin, and auditor | ||||
SSO with any IdPLog in to Tailscale and manage users with any OIDC identity provider. | ||||
Custom authentication periodsEnforce that users re-authenticate with your identity provider at an interval you choose. By default, this is every 6 months | ||||
User & group provisioning (Azure AD + SCIM)Sync group membership and new or deactivated users from Azure AD. | ||||
User & group provisioning (Okta + SCIM)Sync group membership and new or deactivated users from Okta. | ||||
Endpoint & Posture Management | ||||
Device approvalReview and approve new devices and nodes before adding them to your tailnet. | ||||
Tailnet lockPrevent new, and potentially malicious, nodes from joining your tailnet without first being signed by an already trusted node. | ||||
Device posture managementUse posture conditions to more granularly control access in your network policies. | ||||
Postures based on custom attributesAttach custom posture attributes to your devices and use them as part of posture conditions. | up to 2 | |||
Device posture integrationsAutomatically synchronize device trust information from third-party posture checking tools and use it as part of posture conditions. | ||||
Mobile Device Management Policies | ||||
Customize UI VisibilityChange the visibility of UI elements in Tailscale Client menu | ||||
Runtime configurationsConfigure Tailscale behavior in end user devices eg. Automatically start Tailscale when user logs in, force tailscale to be always on, route all traffic via a specific exit node, and more | ||||
Configure MDM ToolsConfigure and deploy Tailscale using MDM solutions like SimpleMDM, Kandji, Microsoft Intune, Jamf | ||||
Monitoring & Compliance | ||||
WebhooksSubscribe to events on your tailnet, and forward those events to any integration or app — like Slack or Microsoft Teams. | ||||
Configuration audit loggingRecord actions that modify a tailnet's configuration, including type of action, actor, target resource, and time. | ||||
Network flow loggingRecord network traffic between nodes on your tailnet. | ||||
Tailscale SSH session recordingCapture and stream terminal sessions over Tailscale SSH for analysis or storage. | ||||
Log streamingSend real-time network traffic information to any SIEM or observability tool for analysis, or to a bucket for long-term storage. | configuration logs only | |||
Interfaces | ||||
UILog in to the tailscale.com admin console to manage users, nodes, and their permissions, on your tailnet. | ||||
CLIQuickly access information, manage devices or troubleshoot issues with a built-in command-line interface. | ||||
APIUse the API to manage your network's devices, ACLs, DNS settings, and more. | ||||
IaCConfigure your tailnet using Terraform or Pulumi. | ||||
Support | ||||
Customer supportUse the knowledge base or email us to get help with using Tailscale. | ||||
Priority supportIssue is prioritized based on severity. | ||||
Additional support optionsContact our sales team for information. | ||||
Payment Options | ||||
Pay by credit card | ||||
Pay by invoice | ||||
Annual billing |
Pricing FAQs
Does Tailscale have a free trial?
Yes! Customers who want to use Tailscale for commercial use will get a 14-day trial* of the product with no user limit. Customers who use Tailscale for personal use cases (e.g., homelabs, home VPN etc.) will continue to have access to the free tier plan.
Please see here for how we separate personal vs business use cases.
How does monthly active user billing work?
Tailscale will charge you at the end of each month for all active users on your account during that time period.
How do we determine who gets access to trials and who stays on the Personal plan?
We assume customers who sign up for Tailscale using a public domain (e.g., Gmail, Apple, personal GitHub etc.) fall under personal use. These use cases include playing games with friends, or securely connecting to anything from a DigitalOcean droplet to a Raspberry Pi, home security camera, or even a Steam Deck. These customers will automatically get access to the Personal (i.e., free tier) plan upon sign up.
We assume customers who sign up with a custom domain (e.g., @acme.com) will fall under the commercial use category. These use cases include securely connecting critical infrastructure - from production clusters, Kubernetes clusters, on-premise databases and more. These customers will get auto-enrolled into a 14-day trial* of the product. Personal users with custom domains can opt-out of the trial (see here for details).
What differentiates commercial vs personal use?
If you sign up for Tailscale with your personal email domain (e.g., a Gmail or Apple email account) or if you explicitly opt-out of the trial, then we will assume you are using Tailscale for personal use. In this scenario, your Tailscale account is owned by you solely for your own personal use. These use cases include playing games with friends, or securely connecting to anything from a DigitalOcean droplet to a Raspberry Pi, home security camera, or even a Steam Deck.
If you sign up for Tailscale with your work email or other custom domains (e.g., @acme.com), then we will assume you are using Tailscale for commercial use. In this scenario, the Tailscale account is owned by the company or organization that owns and controls that email domain. Your use of Tailscale with this account is presumed to be for commercial purposes. These use cases include securely connecting critical infrastructure - from production clusters, Kubernetes clusters, on-premise databases and more.
I am a user with a custom domain (e.g., @myname.com ) who plans to use Tailscale for personal use. Can I opt out of the trial?
Yes, you can opt out of the trial in the admin console. Once you end the trial, you will be on the Personal plan.
Please note, however, that the Personal plan is limited and is not intended for commercial use. If you sign up for Tailscale with your work email or other custom domains (e.g., @acme.com), then the Tailscale account is owned by the company or organization that owns and controls that email domain, regardless of which plan you are on.
How do device limits work?
Our Free plan offers the ability to add a maximum of 100 devices. However for our Starter, Premium, and Enterprise plans the total number of allowed devices increases as the number of provisioned users on the network increases. Device limits are pooled across the account.
For example: if you have 5 users on the Starter plan, you are entitled to 100 devices + (5 users x 10 devices each) = 150 devices. One user can have 30 provisioned devices and the remaining four users can each have 5 provisioned devices, leaving a pool of 100 devices for shared company resources (e.g. servers or file shares). Devices shared with you as a user don’t count towards your limit.
What if I need more devices than are available with the number of users I have in my plan? How does add-on device pricing work?
For example, if you sign up for the Starter plan and have 2 users, you are entitled to 120 devices. If you have 200 devices you want to add to your tailnet, you can purchase 80 more devices for your plan at $0.50 each, without needing to add more users.
What's the benefit of Access Control Lists (ACLs)?
ACLs allow your organization to adopt one of the core tenets of Zero Trust networking: least privileged access. Before joining your tailnet every user is authenticated using an identity provider (IdP) such as Okta, Azure AD, or Github. Organizations on certain plans can choose to segment their users into roles and groups (e.g. developer and engineering org) to apply policies at scale. ACL tags, the last piece to this puzzle, allow you to assign an identity to your devices. Once these pieces are in place, your teams can enforce least privilege access across your organization’s private network.
What is the difference between ACLs in Starter and Premium?
Customers on the Premium (and above) plan will get full ACL functionality. This includes having the ability to name individual users directly in ACL rules, the ability to create custom groups in the ACL file and the ability to name those custom groups in ACL rules. Customers in the Starter plans are are limited to the autogroups "admin" and "member" only. These are predefined roles created by Tailscale. Please see our ACL documentation for a more comprehensive explanation on ACLs and the Starter Plan ACL example for more information.
Do you offer discounts for non-profits or educational institutions?
Not-for-profit organizations and educational institutions are eligible for a 50% discount. In order to receive the discount, you will need to provide documentation of your registered entity. Choose your plan on the Billing page of the admin console, then contact us to have the discount applied.
Have more questions about our pricing?
Visit our knowledge base article for more details.