Legacy Pricing
These are pricing plans are no longer available.
This page is kept online as a reference for customers on legacy plans. See our current pricing plans.
Free
For individuals or small teams who want all that Tailscale has to offer, for free.
$0
Per active user/month
Get started for free
Users and devices
- Up to 3 users w/Custom Domain
- Up to 100 devices. Need more?
Features
- Peer-To-Peer Connections
- MagicDNS
- Network, Resource-level, and Attribute-based Access Policies (ACLs)
- User Approval
- SSO with standard IdP
Starter
For teams or organizations looking for an easy-to-use, secure, legacy VPN replacement.
$6
Per active user/month
Get started for free
Users and devices
- First 3 users free
- Unlimited Users
- 100 devices + 10 devices per user Need more?
Features
- Limited ACLs
- ACL tags
- Auth Keys
- SSO with standard IdP
- Configuration Audit Logging
- Webhooks
Premium
For companies who need service and resource level authentication and access control.
$18
Per active user/month
Get started for free
Users and devices
- First 3 users free
- Unlimited Users
- 100 devices + 20 devices per user Need more?
Features
- ACLs
- SSO with advanced IdP
- Network flow logging
- Tailscale SSH
- Tailscale Funnel
- GitOps for ACLs
- Admin user roles
- MDM Policies
- Priority support
Enterprise
For companies who need advanced integrations, compliance and support for access control at scale.
Custom
Purpose-built for business
Contact Sales
Users and devices
- Unlimited Users
- 100 devices + 20 devices per user Need more?
Features
- User & Group provisioning (SCIM)
- Network flow logging with log streaming
- Tailscale SSH session recording
- Annual Billing
- Pay By Invoice
- Tailnet Lock
- Advanced Device Posture Management
- MDM Policies
- Additional Support Options
Add-ons
Get more out of Tailscale with optional add-ons. Available on all plans. Head to the settings page to configure your add-ons.
Securely and privately browse the web with Tailscale + Mullvad.
Learn more
Additional devices
You can always add devices without adding more users to your plan.
Learn more
Have any questions? Check out our product FAQ, licensing FAQ, or contact our sales team.
Compare plans and features
| Compare plans | Free | Starter | Premium | Enterprise |
|---|---|---|---|---|
| Pricing per active user/month | $0 | $6 | $18 | Custom |
| Users & Devices | ||||
UsersA user is any distinct email address in your account. You get 3 users for free in Starter and Premium. | 3 | Unlimited | Unlimited | Unlimited |
DevicesA device is any computer, phone, or server with Tailscale installed that's connected to your network. Device limits are pooled across your network. | 100 | 100 + 10/user | 100 + 20/user | 100 + 20/user |
| Add-on devices | $0.50 each | $0.50 each | $0.50 each | $0.50 each |
| Desktop & mobile apps | ||||
| Virtual Private Networking | ||||
Peer-to-peer connectionsEstablish direct connections between nodes in your tailnet, to minimize latency. | ||||
End-to-end encryptionEncrypt all traffic end-to-end with WireGuard®. | ||||
IPv4 and IPv6Route both IPv4 and IPv6 traffic. | ||||
Split tunnellingSplit DNS traffic so only traffic to your internal network goes over Tailscale, and everything else goes directly to the internet. | ||||
Short DNS host names (MagicDNS)Automatically register human readable DNS names with MagicDNS to make it even easier to access devices and services on your network. | ||||
Exit nodesRoute Internet traffic through a designated egress point on your tailnet, like a traditional VPN. | ||||
Subnet routersRelay traffic from your tailnet through a gateway to a subnet of VPCs, corporate LANs, physical networks, and more. | ||||
App connectorsControl access to software as a service (SaaS) applications available over your tailnet. | ||||
HA failoverExpose the same subnet routers and app connectors on multiple routers to ensure availability even if one router goes offline. | ||||
IP space collision resolution (4via6 subnet routers)Route traffic to overlapping IPv4 subnets without renumbering with 4via6 subnet routers, by assigning unique IPv6 addresses for each subnet. | ||||
Regional routingRoute your traffic across distributed HA subnet routers or app connectors based on region. | ||||
| Access control | ||||
Network-level access policies (ACLs)Precisely define access in your tailnet based on IP address, subnet, or port. | ||||
ACL testsTest ACLs to make sure they're properly scoped to avoid unnecessary exposure of critical systems on your network. | ||||
GitOps for ACLsUse a GitOps workflow to centralize management and version-control of your ACLs. | ||||
On-demand accessUse partner integrations to grant elevated privileges (e.g. on-call), including temporary access, using an approval workflow. | ||||
Resource-level access policiesUse ACL tags to assign identity to a device in order to enforce access based on roles and groups. | ||||
Restrict based on purpose (ACL tags)Assign an identity to a device that is separate from human users, and use that identity as part of an ACL to restrict access. | ||||
Restrict based on groupAllow specific ACL-defined groups to access tagged nodes. | autogroups only | |||
Restrict based on individual userAllow specific ACL-defined users to access tagged nodes. | ||||
Separation of administrative duties (User roles)Assign admin roles to appropriately manage permissions, including IT admin, Network admin, Billing admin, and Auditor roles. | ||||
| Application Networking | ||||
Service accountsPre-authenticate services or nodes (e.g., servers and ephemeral containers) added to your network. | ||||
Service provisioningAssign an identity to a service or node and restrict access on your tailnet, using ACL tags. | ||||
Tailscale Kubernetes operatorProvide full ingress and egress connectivity from Kubernetes clusters to non-Kubernetes resources, as well as cross-cluster peering, via Tailscale. | ||||
Tailscale SSHAuthenticate and encrypt SSH connections between devices in your tailnet, using Tailscale instead of SSH basic auth, keys, certs, or a bastion. | ||||
Tailscale FunnelRoute traffic from the Internet to a node in your tailnet to publicly share it with anyone, even if they aren’t using Tailscale. | ||||
| User Management | ||||
User approvalPrevent new users in your organization from joining a tailnet until they’ve been approved by an admin | ||||
Standard user rolesStandard user roles include owner, admin, and member | ||||
Advanced user rolesAdvanced user roles include billing admin, IT admin, network admin, and auditor | ||||
SSO with standard IdP (e.g., Google, Microsoft, GitHub, Keycloak, custom)Log in to Tailscale and manage users with any free native and/or custom OIDC identity provider. | ||||
SSO with advanced IdP (e.g., Okta, OneLogin, JumpCloud, custom)Log in to Tailscale and manage users with any paid and/or custom OIDC identity provider. | ||||
Custom authentication periodsEnforce that users re-authenticate with your identity provider at an interval you choose. By default, this is every 6 months | ||||
User & group provisioning (Azure AD + SCIM)Sync group membership and new or deactivated users from Azure AD. | ||||
User & group provisioning (Okta + SCIM)Sync group membership and new or deactivated users from Okta. | ||||
| Endpoint & Posture Management | ||||
Device approvalReview and approve new devices and nodes before adding them to your tailnet. | ||||
Tailnet lockPrevent new, and potentially malicious, nodes from joining your tailnet without first being signed by an already trusted node. | ||||
Device posture managementUse posture conditions to more granularly control access in your network policies. | ||||
Postures based on custom attributesAttach custom posture attributes to your devices and use them as part of posture conditions. | up to 2 | |||
Device posture integrationsAutomatically synchronize device trust information from third-party posture checking tools and use it as part of posture conditions. | ||||
| Mobile Device Management Policies | ||||
Customize UI VisibilityChange the visibility of UI elements in Tailscale Client menu | ||||
Configure auto-updates settingsConfigure checking and installing Tailscale latest version automatically | ||||
Runtime configurationsConfigure Tailscale behavior in end user devices eg. Automatically start Tailscale when user logs in, force tailscale to be always on, route all traffic via a specific exit node, and more | ||||
Configure MDM ToolsConfigure and deploy Tailscale using MDM solutions like SimpleMDM, Kandji, Microsoft Intune, Jamf | ||||
| Monitoring & Compliance | ||||
WebhooksSubscribe to events on your tailnet, and forward those events to any integration or app — like Slack or Microsoft Teams. | ||||
Configuration audit loggingRecord actions that modify a tailnet's configuration, including type of action, actor, target resource, and time. | ||||
Network flow loggingRecord network traffic between nodes on your tailnet. | ||||
Tailscale SSH session recordingCapture and stream terminal sessions over Tailscale SSH for analysis or storage. | ||||
Log streamingSend real-time network traffic information to any SIEM or observability tool for analysis, or to a bucket for long-term storage. | configuration logs only | |||
| Interfaces | ||||
UILog in to the tailscale.com admin console to manage users, nodes, and their permissions, on your tailnet. | ||||
CLIQuickly access information, manage devices or troubleshoot issues with a built-in command-line interface. | ||||
APIUse the API to manage your network's devices, ACLs, DNS settings, and more. | ||||
IaCConfigure your tailnet using Terraform or Pulumi. | ||||
| Support | ||||
Customer supportUse the documentation or email us to get help with using Tailscale. | ||||
Priority supportGet support with a response SLA. | ||||
| Additional support options | ||||
| Payment Options | ||||
| Pay by credit card | ||||
| Pay by invoice | ||||
| Annual billing | ||||
