SSO and MFA
Tailscale relies on your existing identity provider to authenticate users, and automatically uses authentication settings like MFA.
Access Controls Lists
ACLs allow you to define which users can connect to which devices in your network.
Tailscale is built on top of WireGuard®, a modern VPN that provides end-to-end encryption between devices. Tailscale cannot read your traffic.
Tailscale has implemented procedures and policies in line with AICPA's trust services criteria.
Tailscale works with Latacora, a security firm that specializes in information security, to conduct security audits.
Tailscale publishes security bulletins to disclose security issues in our product.
Security by design
Tailscale connections are end-to-end encrypted with WireGuard®
Tailscale is built on top of WireGuard.
WireGuard is a modern VPN designed for usability, performance, and security. WireGuard uses state-of-the-art cryptography and provides end-to-end encryption for connection between devices. WireGuard’s protocol has been reviewed by cryptographers and the code audited, with only minor issues discovered and fixed.
We designed Tailscale to make it even easier to use WireGuard to secure your network connections.
Tailscale sees your metadata, not your data
Tailscale does not (and cannot) inspect your traffic. Privacy is a fundamental human right, and we designed Tailscale accordingly. We don’t want your data.
Your data is end-to-end encrypted and transmitted point-to-point. Your devices’ private encryption keys never leave their respective nodes, and our coordination server only collects and exchanges public keys. DERP relay servers do not log your data — you can confirm this yourself as the code is open-source. Even when your connection uses a DERP relay server, the only data Tailscale could see and capture is encrypted.
We never see information about your public Internet traffic. If you use an exit node, they’re your exit nodes, not ours, so we still can’t see your public Internet traffic. If you use MagicDNS or Split DNS, your public DNS queries may end up passing through your device’s local Tailscale DNS proxy, but they are not logged. Again, you can verify this yourself because the code is open-source.
We do receive metadata about which of your private nodes connect to which other private nodes, including public IP addresses. This is required to provide the service, as the purpose of Tailscale’s coordination server is to help your nodes find each other.
Your network remains available even if Tailscale is not
Tailscale connects devices point-to-point. Even if Tailscale's coordination server is down, you can still access your network.
Tailscale’s coordination server is used to help your nodes find each other. Once this information is exchanged, however, your nodes have all the information they need to connect. Though the coordination server needs to be available for you to make administrative changes, removing this dependency means you don’t have a single point of failure for your users to connect to your services.
Although Tailscale tries to connect devices point-to-point, that’s not always possible, so we have globally distributed DERP relay servers to help devices connect to each other when connections are hard to establish. The DERP servers run in multiple regions and have no shared state between regions, which means a DERP region can have an outage and your Tailscale clients will fail over to a different one.
Tailscale is written in Go
Tailscale uses wireguard-go. Tailscale’s core functionality, including the coordination server, logging infrastructure, DERP relay servers, and clients, are written in Go. Go is a language that provides automatic memory management, and so doesn’t rely on the developer to allocate and free up memory — which prevents a whole class of memory safety vulnerabilities.
Tailscale security features
SSO and MFA
Tailscale relies on your existing identity provider to authenticate users. Any authentication settings from your identity provider are automatically used by Tailscale, including MFA and context-aware access. Authenticate to Tailscale with identity providers including Google, Microsoft AD, GitHub, Okta, and OneLogin.
Access Controls Lists (ACLs)
Tailscale provides multiple user roles that restrict who can modify your tailnet’s configurations. These allow for separation of duties between admins who can modify users and devices, such as IT administrators, and those who can modify network configurations, such as the networking team.
To take advantage of all of Tailscale’s security features and best protect your network, we recommend following our hardening guide.
Tailscale publishes security bulletins to disclose security issues in our product.
If you’re directly affected by a security issue in Tailscale, and we have your contact information, we will contact you.
Securing a virtual private network requires both the provider and the user to share in the burden of responsibility. To understand how responsibilities are shared between you and Tailscale, see the shared responbility model.
Compliance & Certifications
Tailscale has completed a SOC 2 Type II certification.
Achieving SOC 2 compliance means that Tailscale has implemented procedures, policies and controls necessary to meet AICPA's trust services criteria for security, availability, and confidentiality, and that these processes and controls have been tested to ensure that they are operating effectively.
Obtain a copy of the report from our compliance page.
Tailscale publishes the security policies we use publicly, so you can transparently see where we are in terms of security maturity.
To track how these change over time, or to use these policies yourself, see the policies on GitHub.
Tailscale has many security controls in place to ensure the security of the service.
|Network & infrastructure security||
Tailscale works with Latacora to conduct security audits and ongoing analysis of our application security, network security, and corporate security. Latacora also provides feedback and guidance on new product features and Tailscale’s architecture.
In addition to securing your information, we keep it private. Tailscale values and respects your privacy. You are not the product.
Can Tailscale decrypt my traffic and see my data?
No. Devices running Tailscale only exchange their public keys. Private keys never leave the device. All traffic is end-to-end encrypted, always.
Is my traffic routed through your servers?
No. Tailscale routes traffic over the shortest path possible. In most cases, this is a direct, peer-to-peer connection.
In cases where a direct connection cannot be established, devices will communicate by bouncing traffic off one or more geographically distributed DERP relay servers. Your traffic remains end-to-end encrypted when it passes through a relay server, and Tailscale can’t decrypt it.
Will others be able to access my computer?
Tailscale allows you to connect your computer to other devices logged in to the same Tailscale network. Only devices that are permitted to access your computer as defined in ACLs can initiate connections to your computer. You can also locally block incoming connections to your device.
Does Tailscale encrypt my data?
Yes. Tailscale encrypts customer metadata in the coordination server at rest using 256-bit AES and in transit using TLS. Customer data is encrypted in transit using WireGuard.
Does Tailscale back up my data?
Tailscale backs up customer metadata in the coordination server hourly and tests backups at least annually.
Does Tailscale conduct security audits?
Yes. We work with Latacora to conduct regular security audits. These include traditional assessments, but also monitoring, maturity model review, design review and advisory services. On top of that, we also have peer code reviews, automated static analysis checks, and dependency vulnerability scans.
What infrastructure does Tailscale use?
Tailscale’s infrastructure includes the following:
- A client, run on each of a user’s devices. This is available for many platforms including macOS, Windows, Linux, iOS, and Android.
- A coordination server, which distributes public keys and controls settings for the service. Tailscale’s control plane runs on Linux servers in Amazon Web Service (AWS), in AWS Virtual Private Clouds (VPCs). Coordination server data is stored in SQLite, with analytics stored in Snowflake.
- Designated Encrypted Relay for Packets (DERP) relay servers, which help clients establish end-to-end encrypted connections where they have trouble connecting directly. Tailscale’s DERP relay servers run on Linux servers in multiple regions on multiple infrastructure providers. Learn more about How Tailscale works.
Is Tailscale’s infrastructure multi-tenant?
Yes. Tailscale’s coordination server, which distributes public keys and controls settings, is multi-tenant. This only stores customer metadata and public keys, not data or private keys.
Tailscale’s DERP relay servers, which help establish point-to-point connections, are multi-tenant. These only route encrypted customer data, never unencrypted data.
What data does Tailscale collect?
In order to provide the service, Tailscale collects device information, including OS, hardware, public IP addresses, network routing information, information on the installed Tailscale client, and other device settings. Tailscale also uses user account information, such as email addresses, to authenticate users to their accounts.
Does Tailscale have a DPA? Who are your subprocessors?
Yes. Tailscale provides a Data Privacy Addendum to all customers, and publishes a list of subprocessors.
Can I opt out of logging?
Tailscale collects customer metadata related to connection attempts, authentication, and routing to help us to monitor and debug networks.
If you opt out of logging, Tailscale may not be able to provide technical support. To learn how to opt out, see Opting out of client logging.
You cannot limit coordination server logs.
Is Tailscale SOC 2 compliant?
Yes. Tailscale has completed a SOC 2 Type II audit covering AICPA’s trust services criteria for security, availability, and confidentiality. Obtain a copy of the report from our compliance page. Note that the report is confidential, and prospective customers will need to contact support and sign an NDA to access the report.
Is Tailscale HIPAA compliant?
HIPAA defines controls for securing health information.
As Tailscale does not store customer data, only metadata, Tailscale doesn’t have any services in scope for HIPAA. US-based healthcare customers do not need and Tailscale does not execute business associate agreements (BAAs) with our US-based healthcare clients.
Tailscale can be a supporting safeguard for your HIPAA-compliant system to provide integrity and encryption for electronic protected health information transmitted over an electronic communications network (HIPAA 45 CFR § 164.312(e)(1)).
Is Tailscale PCI compliant?
PCI DSS defines controls for securing credit card information.
Tailscale does not store credit card information, and instead uses Stripe to securely process transactions. Stripe is certified to PCI DSS Service Provider Level 1, which is the highest level of security certification available in the payments industry.
As Tailscale does not store customer data, only metadata, Tailscale doesn’t have any services in scope for PCI DSS.
Tailscale can be a supporting safeguard for PCI compliance in your cardholder data environment, to encrypt transmission of cardholder data across open, public networks (PCI requirement 4).
Have a security concern about Tailscale?
Get in touch with our security team at firstname.lastname@example.org to disclose any security vulnerabilities.
Upon discovering a vulnerability, we ask that you act in a way to protect our users' information:
- Inform us as soon as possible.
- Test against fake data and accounts, not our users' information.
- Work with us to close the vulnerability before disclosing it to others.
Tailscale does not have a bounty program.