Secure and private
Tailscale is end-to-end encrypted, so we can’t see your traffic.
Tailscale does not, and cannot, inspect your traffic. Tailscale uses WireGuard® for end-to-end encryption of your traffic. Your private keys stay on your device — and the code is open source so you can verify this independently. While Tailscale can’t observe the data transiting your tailnet, network flow logs still give you visibility into what’s going on in your network, with metadata about the connections being made. To introspect traffic leaving your network, you can use an exit node to route all traffic through a particular egress point.
We are transparent about our company’s security practices: we publish our internal security policies publicly, our SOC 2 report is available self-serve to all of our customers, and we publish security bulletins about security vulnerabilities in Tailscale. We believe in building trust through transparency — by seeing where we are in terms of security, you can better evaluate our product and make an informed choice about whether Tailscale meets your needs.
You don’t need to trust us to use Tailscale. Although we are responsible for managing the coordination server that distributes public keys and settings for your tailnet, with tailnet lock, your nodes can verify the public keys distributed by the coordination server before trusting them for network connectivity.
Tailscale is architected with strong privacy in mind. Many features in Tailscale are built ‘the hard way’ so that we don’t collect unnecessary data — which means if we get compromised, your data isn’t breached. Tailscale runs a DNS server on every machine in your tailnet, Tailscale Funnel terminates TLS connections on your node, and SSH session recording streams your sensitive data over your tailnet to another node in your network.
Tailscale brings identity to the network layer, so that you can control access based on user identity, not only IP address.
With Tailscale, rather than managing access controls based only on IP addresses, you can intuitively and flexibly define which users should have access to which services based on existing user identities, as well as groups, services, and subnet ranges. You can still detect anomalous behavior based on unusual access patterns in your connection logs, with more context than you would have using just IP addresses.
You sign in to Tailscale with your identity provider, such as Google, Microsoft Entra ID, Okta, or any OIDC provider. By using your existing identity provider, it’s one fewer password to remember (or lose) — but it also means you can require multi-factor authentication to access resources on your network. You can sync membership information to automatically grant or revoke access to users as part of onboarding or offboarding, and grant groups from your identity provider access to specific resources.
Tailscale isn’t just used for managing user access to services — it can also be used to manage service-to-service access. You can control what an application can access based on its ACL tag, which acts as its service account identity.
Since every Tailscale node has a user or service identity, every packet in your network is authenticated. That means you can use Tailscale to add multi-factor authentication to any legacy service, use a Tailscale identity to authenticate users to your service, or use Tailscale as an auth proxy for a third-party service.
Tailscale works where you need it. Any platform, any runtime, anywhere.
Tailscale is hardware-agnostic — so you can make decisions about your hardware independently from decisions about your network. Tailscale creates an overlay network, using your existing network, which means it can be incrementally deployed. You don’t need to buy new network switches to use Tailscale, or to change your network architecture.
Tailscale allows you to connect from on-prem to cloud, site to site, cloud to cloud, and cluster to cluster. By allowing you to peer directly between infrastructure, Tailscale enables you to define your network as you wish and use whatever infrastructure is best for you.
Tailscale is available on a wide range of operating systems, including Linux, Windows, macOS, iOS, Android, ARM and more. Tailscale runs everywhere you run, including VMs, containers, functions, and even inside your applications. Tailscale works with almost anything — it already runs on your Steam Deck, Tesla, and robot vacuum cleaner.
Tailscale lets you segment your network and migrate to a zero-trust architecture.
Tailscale connects users to services, and services to services, directly to each other — not through a concentrator — which means no choke point for your traffic, or single point of failure for your network. Configuration is managed centrally, but pushed to every device, so that access rules are enforced locally. Without a concentrator, traffic isn’t throttled, and isn’t routed halfway across the world, so connections are low latency. And split tunneling means that only traffic meant for the network even goes over the network.
Tailscale is mesh-capable, so although we recommend your devices connect peer-to-peer, you can also use subnet routers to more easily and quickly connect existing subnets, VPCs, or embedded devices to your network. You’re free to use whatever network topology works best for you.
Access rules in Tailscale are fine-grained, so you can specify access for users, groups, and services to specific nodes, even including allowed ports and protocols. By default, all access is denied, so you can write access rules that follow the principle of least privilege. This effectively micro-segments your network — so that each node is firewalled from and will not accept traffic from any other node unless explicitly allowed.
Tailscale helps you migrate to a zero-trust network architecture, where being on a particular network or having a particular IP address isn’t sufficient for access; instead, access is granted based on granular access controls. Even better, Tailscale lets you decouple the move to a new VPN from the move to a micro-segmented network, so that you can make the move gradually and incrementally, at your own pace. Compare this to compute in the early 2010s: instead of moving your application to the cloud and simultaneously rearchitecting it, you could lift and shift and then gradually adopt containers and functions for new greenfield applications. Similarly, you can move to Tailscale, and then gradually restrict your access rules to further segment your network and adopt principles of zero trust.
Tailscale connects your devices no matter where they are, across any infrastructure.
Tailscale uses NAT traversal and DERP relay servers to connect to devices, even when they’re behind firewalls or NATs. Nearly all of the time, you don’t need to open any firewall ports to use Tailscale, and you can keep your network ingress and egress points locked down.
Tailscale stays connected and seamlessly transitions between networks — so you don’t have to log back in when you lose network connectivity. WireGuard uses a keepalive protocol to keep connections open, even if there is no traffic to a node on your network.
Tailscale makes your services easily addressable. Tailscale assigns your devices static IP addresses, which they maintain even as they move around on your network. You can access services based on their IPv4 or IPv6 addresses, or DNS names. You can even connect multiple subnets with overlapping IP ranges, and have them all accessible on the same network.
Despite providing end-to-end encryption, Tailscale is performant, with 10Gb/s throughput on bare metal. With such high throughput, most connections aren’t degraded — which means you don’t need to make a tradeoff between security and usability.
Tailscale can be set up by users in minutes, and deployed to servers programmatically.
It’s frustratingly easy to set up Tailscale: download it and log in on any device, and you’re connected to your own private network. Invite your team to your network and get started with Tailscale, without needing to put down a credit card. Since it just works, your users don’t need to deal with it as often, and your IT team gets fewer support tickets.
Tailscale is built with developers in mind. Tailscale can be deployed to your network programmatically, with fine-grained API scopes — you can set up a server so that when it connects to the network, it already has access to only what it’s supposed to. Your network access rules are configured as code, so you can manage them in git or with IaC tools. You can even build Tailscale into your application.
Tailscale makes the secure way, the easy way. WireGuard uses opinionated, modern cryptography with no user configurations, and no way to downgrade security. In Tailscale, access rules are default deny, and API keys automatically expire. Making security hard to mess up means there’s less mess to clean up.
A constant for network infrastructure is change. Tailscale is designed to work regardless of the shifts occurring in your network infrastructure. You can validate that access rules don’t change your desired controls over time. We make significant efforts to maintain backward compatibility with prior versions, to ensure versioning does not act as a blocker for your teams to produce their best work.