Legacy Pricing
These are pricing plans are no longer available.
This page is kept online as a reference for customers on legacy plans. See our current pricing plans.
Free
For individuals or small teams who want all that Tailscale has to offer, for free.
$0
Per active user/month
Users and devices
- Up to 3 users w/Custom Domain
- Up to 100 devices. Need more?
Features
- Peer-To-Peer Connections
- MagicDNS
- Network, Resource-level, and Attribute-based Access Policies (ACLs)
- User Approval
- SSO with standard IdP
Starter
For teams or organizations looking for an easy-to-use, secure, legacy VPN replacement.
$6
Per active user/month
Users and devices
- First 3 users free
- Unlimited Users
- 100 devices + 10 devices per user Need more?
Features
- Limited ACLs
- ACL tags
- Auth Keys
- SSO with standard IdP
- Configuration Audit Logging
- Webhooks
Premium
For companies who need service and resource level authentication and access control.
$18
Per active user/month
Users and devices
- First 3 users free
- Unlimited Users
- 100 devices + 20 devices per user Need more?
Features
- ACLs
- SSO with advanced IdP
- Network flow logging
- Tailscale SSH
- Tailscale Funnel
- GitOps for ACLs
- Admin user roles
- MDM Policies
- Priority support
Enterprise
For companies who need advanced integrations, compliance and support for access control at scale.
Custom
Purpose-built for business
Users and devices
- Unlimited Users
- 100 devices + 20 devices per user Need more?
Features
- User & Group provisioning (SCIM)
- Network flow logging with log streaming
- Tailscale SSH session recording
- Annual Billing
- Pay By Invoice
- Tailnet Lock
- Advanced Device Posture Management
- MDM Policies
- Additional Support Options
Add-ons
Get more out of Tailscale with optional add-ons. Available on all plans. Head to the settings page to configure your add-ons.
Securely and privately browse the web with Tailscale + Mullvad.
Learn more
Additional devices
You can always add devices without adding more users to your plan.
Learn more
Have any questions? Check out our product FAQ, licensing FAQ, or contact our sales team.
Compare plans and features
| Compare plans | Free | Starter | Premium | Enterprise |
|---|---|---|---|---|
| Pricing per active user/month | $0 | $6 | $18 | Custom |
| Users & Devices | ||||
UsersA user is any distinct email address in your account. You get 3 users for free in Starter and Premium. | 3 | Unlimited | Unlimited | Unlimited |
DevicesA device is any computer, phone, or server with Tailscale installed that's connected to your network. Device limits are pooled across your network. | 100 | 100 + 10/user | 100 + 20/user | 100 + 20/user |
| Add-on devices | $0.50 each | $0.50 each | $0.50 each | $0.50 each |
| Desktop & mobile apps | ||||
| Virtual Private Networking | ||||
Peer-to-peer connectionsEstablish direct connections between nodes in your tailnet, to minimize latency. | ||||
End-to-end encryptionEncrypt all traffic end-to-end with WireGuard®. | ||||
IPv4 and IPv6Route both IPv4 and IPv6 traffic. | ||||
Split tunnellingSplit DNS traffic so only traffic to your internal network goes over Tailscale, and everything else goes directly to the internet. | ||||
Short DNS host names (MagicDNS)Automatically register human readable DNS names with MagicDNS to make it even easier to access devices and services on your network. | ||||
Exit nodesRoute Internet traffic through a designated egress point on your tailnet, like a traditional VPN. | ||||
Subnet routersRelay traffic from your tailnet through a gateway to a subnet of VPCs, corporate LANs, physical networks, and more. | ||||
App connectorsControl access to software as a service (SaaS) applications available over your tailnet. | ||||
HA failoverExpose the same subnet routers and app connectors on multiple routers to ensure availability even if one router goes offline. | ||||
IP space collision resolution (4via6 subnet routers)Route traffic to overlapping IPv4 subnets without renumbering with 4via6 subnet routers, by assigning unique IPv6 addresses for each subnet. | ||||
Regional routingRoute your traffic across distributed HA subnet routers or app connectors based on region. | ||||
| Access control | ||||
Network-level access policies (ACLs)Precisely define access in your tailnet based on IP address, subnet, or port. | ||||
ACL testsTest ACLs to make sure they're properly scoped to avoid unnecessary exposure of critical systems on your network. | ||||
GitOps for ACLsUse a GitOps workflow to centralize management and version-control of your ACLs. | ||||
On-demand accessUse partner integrations to grant elevated privileges (e.g. on-call), including temporary access, using an approval workflow. | ||||
Resource-level access policiesUse ACL tags to assign identity to a device in order to enforce access based on roles and groups. | ||||
Restrict based on purpose (ACL tags)Assign an identity to a device that is separate from human users, and use that identity as part of an ACL to restrict access. | ||||
Restrict based on groupAllow specific ACL-defined groups to access tagged nodes. | autogroups only | |||
Restrict based on individual userAllow specific ACL-defined users to access tagged nodes. | ||||
Separation of administrative duties (User roles)Assign admin roles to appropriately manage permissions, including IT admin, Network admin, Billing admin, and Auditor roles. | ||||
| Application Networking | ||||
Service accountsPre-authenticate services or nodes (e.g., servers and ephemeral containers) added to your network. | ||||
Service provisioningAssign an identity to a service or node and restrict access on your tailnet, using ACL tags. | ||||
Tailscale Kubernetes operatorProvide full ingress and egress connectivity from Kubernetes clusters to non-Kubernetes resources, as well as cross-cluster peering, via Tailscale. | ||||
Tailscale SSHAuthenticate and encrypt SSH connections between devices in your tailnet, using Tailscale instead of SSH basic auth, keys, certs, or a bastion. | ||||
Tailscale FunnelRoute traffic from the Internet to a node in your tailnet to publicly share it with anyone, even if they aren’t using Tailscale. | ||||
| User Management | ||||
User approvalPrevent new users in your organization from joining a tailnet until they’ve been approved by an admin | ||||
Standard user rolesStandard user roles include owner, admin, and member | ||||
Advanced user rolesAdvanced user roles include billing admin, IT admin, network admin, and auditor | ||||
SSO with standard IdP (e.g., Google, Microsoft, GitHub, Keycloak, custom)Log in to Tailscale and manage users with any free native and/or custom OIDC identity provider. | ||||
SSO with advanced IdP (e.g., Okta, OneLogin, JumpCloud, custom)Log in to Tailscale and manage users with any paid and/or custom OIDC identity provider. | ||||
Custom authentication periodsEnforce that users re-authenticate with your identity provider at an interval you choose. By default, this is every 6 months | ||||
User & group provisioning (Azure AD + SCIM)Sync group membership and new or deactivated users from Azure AD. | ||||
User & group provisioning (Okta + SCIM)Sync group membership and new or deactivated users from Okta. | ||||
| Endpoint & Posture Management | ||||
Device approvalReview and approve new devices and nodes before adding them to your tailnet. | ||||
Tailnet lockPrevent new, and potentially malicious, nodes from joining your tailnet without first being signed by an already trusted node. | ||||
Device posture managementUse posture conditions to more granularly control access in your network policies. | ||||
Postures based on custom attributesAttach custom posture attributes to your devices and use them as part of posture conditions. | up to 2 | |||
Device posture integrationsAutomatically synchronize device trust information from third-party posture checking tools and use it as part of posture conditions. | ||||
| Mobile Device Management Policies | ||||
Customize UI VisibilityChange the visibility of UI elements in Tailscale Client menu | ||||
Configure auto-updates settingsConfigure checking and installing Tailscale latest version automatically | ||||
Runtime configurationsConfigure Tailscale behavior in end user devices eg. Automatically start Tailscale when user logs in, force tailscale to be always on, route all traffic via a specific exit node, and more | ||||
Configure MDM ToolsConfigure and deploy Tailscale using MDM solutions like SimpleMDM, Kandji, Microsoft Intune, Jamf | ||||
| Monitoring & Compliance | ||||
WebhooksSubscribe to events on your tailnet, and forward those events to any integration or app — like Slack or Microsoft Teams. | ||||
Configuration audit loggingRecord actions that modify a tailnet's configuration, including type of action, actor, target resource, and time. | ||||
Network flow loggingRecord network traffic between nodes on your tailnet. | ||||
Tailscale SSH session recordingCapture and stream terminal sessions over Tailscale SSH for analysis or storage. | ||||
Log streamingSend real-time network traffic information to any SIEM or observability tool for analysis, or to a bucket for long-term storage. | configuration logs only | |||
| Interfaces | ||||
UILog in to the tailscale.com admin console to manage users, nodes, and their permissions, on your tailnet. | ||||
CLIQuickly access information, manage devices or troubleshoot issues with a built-in command-line interface. | ||||
APIUse the API to manage your network's devices, ACLs, DNS settings, and more. | ||||
IaCConfigure your tailnet using Terraform or Pulumi. | ||||
| Support | ||||
Customer supportUse the knowledge base or email us to get help with using Tailscale. | ||||
Priority supportGet support with a response SLA. | ||||
| Additional support options | ||||
| Payment Options | ||||
| Pay by credit card | ||||
| Pay by invoice | ||||
| Annual billing | ||||
Pricing FAQs
Does Tailscale have a free trial?
Tailscale has a Free plan that includes nearly everything Tailscale has to offer for up to 100 devices, and up to 3 provisioned users.
How does monthly active user billing work?
Tailscale will charge you at the end of each month for all active users on your account during that time period. Tailscale will automatically apply a credit for 3 monthly active users to the Starter and Premium plan. For example, if you have 10 active users in a month then you will only be billed for 7 of them.
How do device limits work?
Our Free plan offers the ability to add a maximum of 100 devices. However for our Starter, Premium, and Enterprise plans the total number of allowed devices increases as the number of provisioned users on the network increases. Device limits are pooled across the account.
For example: if you have 5 users on the Starter plan, you are entitled to 100 devices + (5 users x 10 devices each) = 150 devices. One user can have 30 provisioned devices and the remaining four users can each have 5 provisioned devices, leaving a pool of 100 devices for shared company resources (e.g. servers or file shares). Devices shared with you as a user don’t count towards your limit.
How does add-on device pricing work?
For example, if you sign up for the Starter plan and have 2 users, you are entitled to 120 devices. If you have 200 devices you want to add to your tailnet, you can purchase 80 more devices for your plan at $0.50 each, without needing to add more users.
What's the benefit of Access Control Lists (ACLs)?
ACLs allow your organization to adopt one of the core tenets of Zero Trust networking: least privileged access. Before joining your tailnet every user is authenticated using an identity provider (IdP) such as Okta, Azure AD, or Github. Organizations on certain plans can choose to segment their users into roles and groups (e.g. developer and engineering org) to apply policies at scale. ACL tags, the last piece to this puzzle, allow you to assign an identity to your devices. Once these pieces are in place, your teams can enforce least privilege access across your organization’s private network.
What is the difference between ACLs in Starter and Premium?
Customers on the Premium (and above) plan will get full ACL functionality. This includes having the ability to name individual users directly in ACL rules, the ability to create custom groups in the ACL file and the ability to name those custom groups in ACL rules. Customers in the Starter plans are are limited to the autogroups "admin" and "member" only. These are predefined roles created by Tailscale. Please see our ACL documentation for a more comprehensive explanation on ACLs and the Starter Plan ACL example for more information.
Do you offer discounts for non-profits or educational institutions?
Not-for-profit organizations and educational institutions are eligible for a 50% discount. In order to receive the discount, you will need to provide documentation of your registered entity. Choose your plan on the Billing page of the admin console, then contact us to have the discount applied.
