Tailscale: just wow
Tuesday, September 9, 2025
An old (as in long-time) friend recommended Tailscale to me last week. I'd heard about it (something with VPN?) but hadn't used it. So I investigated.
Long story short: I had connected networks in three separate locations that same afternoon, without running into a single snag. Wow. Just wow. And for personal use, it's free!
"Zero-config"
Technically, Tailscale is based on WireGuard, an open-source VPN package that supports highly secured mesh networks in which each client is connected to all others. (It's all explained clearly in How Tailscale works. Don't you just love an organization that explains what it does in so much detail?) But what Tailscale offers is a whole range of services on top of that, collectively called a tailnet. Yes, it's zero-config. You install the client, log in with your Google account (or one of the other supported providers) using two-factor authentication or whatever you like, and all the other devices in your tailnet are suddenly and transparently available. This involves many tricks (also clearly explained on the web site) that you don't need to worry about.
MagicDNS
One of those tricks is called MagicDNS. It makes all of your devices available just by their host name. You can access them all using a fully qualified domain name (FQDN) unique to your tailnet, something like my-pi.tailxxx.ts.net, but you don't have to - you can just use the host name (in this case my-pi). That means when I'm home I can ssh into the Pi using ssh my-pi but when I'm on the road, I can do exactly the same when connected to Tailscale! None of the other VPNs I tried allow me to do that. I have OpenVPN running, but I have to change my behaviour when I leave the house. No longer.
Subnets
The second trick is called Subnet routing. It allows any Tailscale client to expose the local subnet it's running on (like 192.168.0.xxx) to the tailnet. Suppose you have a printer running in your home network at IP address 192.168.0.104. You cannot install Tailscale on it, so it's not a machine in your tailnet. But if you have a Raspberry Pi lying around (I do, it runs Pi-hole) you can add the Pi to the tailnet and "expose" the local network to the tailnet. Then, you can connect to the printer using its IP address from anywhere in the tailnet. The traffic to the printer goes through the Pi, but that's hardly noticeable.
Using subnet routing, I have connected three different local networks: two through Raspberry Pis and one through a Synology NAS! And - I can't stress this enough! - I can access every IP in all three networks from my laptop.
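When several sites are joined this way, two things are worth checking before advertising routes: that no two sites use the same address range (home routers often share a default like 192.168.0.x, so an address such as the printer's would match more than one router), and how many addresses the advertised prefixes make reachable from the tailnet. The sketch below is an added example, not code from Tailscale or from this post; the router names and all prefixes other than 192.168.0.x are constructed assumptions.

```python
import ipaddress

# Constructed sample: one advertised prefix per subnet router. The router names
# and the prefixes are assumptions; only 192.168.0.x appears in the post.
ADVERTISED = {
    "home-pi": "192.168.0.0/24",
    "second-pi": "192.168.0.0/24",  # second site left on the same default range
    "nas": "10.0.10.0/24",
}


def parse(routes):
    # strict=True rejects prefixes with host bits set, e.g. 192.168.0.104/24
    return {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in routes.items()}


def overlaps(routes):
    """Pairs of routers whose advertised prefixes share addresses."""
    nets = parse(routes)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def routers_for(routes, ip):
    """Routers whose prefix contains ip, most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in parse(routes).items()
            if addr in net]
    return [name for _, name in sorted(hits, key=lambda h: (-h[0], h[1]))]


def exposed_addresses(routes):
    """Count of distinct addresses the advertised prefixes make reachable."""
    merged = ipaddress.collapse_addresses(parse(routes).values())
    return sum(net.num_addresses for net in merged)


if __name__ == "__main__":
    for a, b in overlaps(ADVERTISED):
        print(f"overlap: {a} and {b}")
    print("printer 192.168.0.104 matches:", routers_for(ADVERTISED, "192.168.0.104"))
    print("addresses exposed to the tailnet:", exposed_addresses(ADVERTISED))
```

Renumbering one of the overlapping sites (for example to 192.168.20.0/24) clears the overlap, and advertising a narrower prefix than the whole LAN shrinks the exposed address count.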
Free plan
At this point I'd already be sold, but for my sort of situation there is a free plan - 3 users, 100 devices (that's Tailscale clients - not the IPs reachable through subnet routing!), "Free forever". What's not to love?
Personal note
One of the things I noticed when starting to read up on Tailscale is the quality of the information on the web site. It's not often that you see an organization documenting its methods and technology, but also the reasoning behind technical decisions. Not only does Tailscale do this, it does it in extreme detail. It makes for some long blog posts (you can stop reading when it gets too technical - I know I do), but I find it confidence-inspiring. This is a company I'd like to work for ;-)