Legacy Pricing
These are pricing plans are no longer available.
This page is kept online as a reference for customers on legacy plans. See our current pricing plans.
Free
For individuals or small teams who want all that Tailscale has to offer, for free.
$0
Per active user/month
Get started for free
Users and devices
- Up to 3 users w/Custom Domain
- Up to 100 devices.
Features
- Peer-To-Peer Connections
- MagicDNS
- Network, Resource-level, and Attribute-based Access Policies (ACLs)
- User Approval
- SSO with standard IdP
Starter
For teams or organizations looking for an easy-to-use, secure, legacy VPN replacement.
$6
Per active user/month
Get started for free
Users and devices
- First 3 users free
- Unlimited Users
- 100 devices + 10 devices per user
Features
- Limited ACLs
- ACL tags
- Auth Keys
- SSO with standard IdP
- Configuration Audit Logging
- Webhooks
Premium
For companies who need service and resource level authentication and access control.
$18
Per active user/month
Get started for free
Users and devices
- First 3 users free
- Unlimited Users
- 100 devices + 20 devices per user
Features
- ACLs
- SSO with advanced IdP
- Network flow logging
- Tailscale SSH
- Tailscale Funnel
- GitOps for ACLs
- Admin user roles
- MDM Policies
- Priority support
Enterprise
For companies who need advanced integrations, compliance and support for access control at scale.
Custom
Purpose-built for business
Contact Sales
Users and devices
- Unlimited Users
- 100 devices + 20 devices per user
Features
- User & Group provisioning (SCIM)
- Network flow logging with log streaming
- Tailscale SSH session recording
- Annual Billing
- Pay By Invoice
- Tailnet Lock
- Advanced Device Posture Management
- MDM Policies
- Additional Support Options
Add-ons
Get more out of Tailscale with optional add-ons. Available on all plans. Head to the settings page to configure your add-ons.
Securely and privately browse the web with Tailscale + Mullvad.
Learn more
Have any questions? Check out our product FAQ, licensing FAQ, or contact our sales team.
Compare plans and features
| Compare plans | Free | Starter | Premium | Enterprise |
|---|---|---|---|---|
| Pricing per active user/month | $0 | $6 | $18 | Custom |
| Users & Devices | ||||
UsersA user is any distinct email address in your account. You get 3 users for free in Starter and Premium. | 3 | Unlimited | Unlimited | Unlimited |
DevicesA device is any computer, phone, or server with Tailscale installed that's connected to your network. Device limits are pooled across your network. | 100 | 100 + 10/user | 100 + 20/user | 100 + 20/user |
| Desktop & mobile apps | ||||
| Virtual Private Networking | ||||
Peer-to-peer connectionsEstablish direct connections between nodes in your tailnet, to minimize latency. | ||||
End-to-end encryptionEncrypt all traffic end-to-end with WireGuard®. | ||||
IPv4 and IPv6Route both IPv4 and IPv6 traffic. | ||||
Split tunnellingSplit DNS traffic so only traffic to your internal network goes over Tailscale, and everything else goes directly to the internet. | ||||
Short DNS host names (MagicDNS)Automatically register human readable DNS names with MagicDNS to make it even easier to access devices and services on your network. | ||||
Exit nodesRoute Internet traffic through a designated egress point on your tailnet, like a traditional VPN. | ||||
Subnet routersRelay traffic from your tailnet through a gateway to a subnet of VPCs, corporate LANs, physical networks, and more. | ||||
App connectorsControl access to software as a service (SaaS) applications available over your tailnet. | ||||
HA failoverExpose the same subnet routers and app connectors on multiple routers to ensure availability even if one router goes offline. | ||||
IP space collision resolution (4via6 subnet routers)Route traffic to overlapping IPv4 subnets without renumbering with 4via6 subnet routers, by assigning unique IPv6 addresses for each subnet. | ||||
Regional routingRoute your traffic across distributed HA subnet routers or app connectors based on region. | ||||
| Access control | ||||
Network-level access policies (ACLs)Precisely define access in your tailnet based on IP address, subnet, or port. | ||||
ACL testsTest ACLs to make sure they're properly scoped to avoid unnecessary exposure of critical systems on your network. | ||||
GitOps for ACLsUse a GitOps workflow to centralize management and version-control of your ACLs. | ||||
On-demand accessUse partner integrations to grant elevated privileges (e.g. on-call), including temporary access, using an approval workflow. | ||||
Resource-level access policiesUse ACL tags to assign identity to a device in order to enforce access based on roles and groups. | ||||
Restrict based on purpose (ACL tags)Assign an identity to a device that is separate from human users, and use that identity as part of an ACL to restrict access. | ||||
Restrict based on groupAllow specific ACL-defined groups to access tagged nodes. | autogroups only | |||
Restrict based on individual userAllow specific ACL-defined users to access tagged nodes. | ||||
Separation of administrative duties (User roles)Assign admin roles to appropriately manage permissions, including IT admin, Network admin, Billing admin, and Auditor roles. | ||||
| Application Networking | ||||
Service accountsPre-authenticate services or nodes (e.g., servers and ephemeral containers) added to your network. | ||||
Service provisioningAssign an identity to a service or node and restrict access on your tailnet, using ACL tags. | ||||
Tailscale Kubernetes operatorProvide full ingress and egress connectivity from Kubernetes clusters to non-Kubernetes resources, as well as cross-cluster peering, via Tailscale. | ||||
Tailscale SSHAuthenticate and encrypt SSH connections between devices in your tailnet, using Tailscale instead of SSH basic auth, keys, certs, or a bastion. | ||||
Tailscale FunnelRoute traffic from the Internet to a node in your tailnet to publicly share it with anyone, even if they aren’t using Tailscale. | ||||
| User Management | ||||
User approvalPrevent new users in your organization from joining a tailnet until they’ve been approved by an admin | ||||
Standard user rolesStandard user roles include owner, admin, and member | ||||
Advanced user rolesAdvanced user roles include billing admin, IT admin, network admin, and auditor | ||||
SSO with standard IdP (e.g., Google, Microsoft, GitHub, Keycloak, custom)Log in to Tailscale and manage users with any free native and/or custom OIDC identity provider. | ||||
SSO with advanced IdP (e.g., Okta, OneLogin, JumpCloud, custom)Log in to Tailscale and manage users with any paid and/or custom OIDC identity provider. | ||||
Custom authentication periodsEnforce that users re-authenticate with your identity provider at an interval you choose. By default, this is every 6 months | ||||
User & group provisioning (Azure AD + SCIM)Sync group membership and new or deactivated users from Azure AD. | ||||
User & group provisioning (Okta + SCIM)Sync group membership and new or deactivated users from Okta. | ||||
| Endpoint & Posture Management | ||||
Device approvalReview and approve new devices and nodes before adding them to your tailnet. | ||||
Tailnet LockPrevent new, and potentially malicious, nodes from joining your tailnet without first being signed by an already trusted node. | ||||
Device posture managementUse posture conditions to more granularly control access in your network policies. | ||||
Postures based on custom attributesAttach custom posture attributes to your devices and use them as part of posture conditions. | up to 2 | |||
Device posture integrationsAutomatically synchronize device trust information from third-party posture checking tools and use it as part of posture conditions. | ||||
| Mobile Device Management Policies | ||||
Customize UI VisibilityChange the visibility of UI elements in Tailscale Client menu | ||||
Configure auto-updates settingsConfigure checking and installing Tailscale latest version automatically | ||||
Runtime configurationsConfigure Tailscale behavior in end user devices eg. Automatically start Tailscale when user logs in, force tailscale to be always on, route all traffic via a specific exit node, and more | ||||
Configure MDM ToolsConfigure and deploy Tailscale using MDM solutions like SimpleMDM, Iru, Microsoft Intune, Jamf | ||||
| Monitoring & Compliance | ||||
WebhooksSubscribe to events on your tailnet, and forward those events to any integration or app — like Slack or Microsoft Teams. | ||||
Configuration audit loggingRecord actions that modify a tailnet's configuration, including type of action, actor, target resource, and time. | ||||
Network flow loggingRecord network traffic between nodes on your tailnet. | ||||
Tailscale SSH session recordingCapture and stream terminal sessions over Tailscale SSH for analysis or storage. | ||||
Log streamingSend real-time network traffic information to any SIEM or observability tool for analysis, or to a bucket for long-term storage. | configuration logs only | |||
| Interfaces | ||||
UILog in to the tailscale.com admin console to manage users, nodes, and their permissions, on your tailnet. | ||||
CLIQuickly access information, manage devices or troubleshoot issues with a built-in command-line interface. | ||||
APIUse the API to manage your network's devices, ACLs, DNS settings, and more. | ||||
IaCConfigure your tailnet using Terraform or Pulumi. | ||||
| Support | ||||
Customer supportUse the documentation or email us to get help with using Tailscale. | ||||
Priority supportGet support with a response SLA. | ||||
| Additional support options | ||||
| Payment Options | ||||
| Pay by credit card | ||||
| Pay by invoice | ||||
| Annual billing | ||||
