{"id":636,"date":"2025-10-21T11:03:46","date_gmt":"2025-10-21T11:03:46","guid":{"rendered":"https:\/\/devsecopsschool.com\/blog\/?p=636"},"modified":"2025-10-21T11:03:47","modified_gmt":"2025-10-21T11:03:47","slug":"what-is-tailscale","status":"publish","type":"post","link":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/","title":{"rendered":"What is Tailscale?"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"713\" src=\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1024x713.png\" alt=\"\" class=\"wp-image-637\" srcset=\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1024x713.png 1024w, https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-300x209.png 300w, https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-768x534.png 768w, https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1536x1069.png 1536w, https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-2048x1425.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">1. What is Tailscale?<\/h2>\n\n\n\n<p>Tailscale is a <strong>mesh VPN \/ software-defined network overlay<\/strong> service that makes it easy to connect devices, services, and networks securely, regardless of where they are located. (<a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<br>Key points:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It uses the open-source WireGuard protocol for encrypted point-to\u2010point tunnels. 
(<a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>It allows devices to join a private network (called a \u201ctailnet\u201d) and talk to each other directly, rather than routing all traffic through a central VPN gateway. (<a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>It is infrastructure\u2010agnostic: works in cloud, on-premises, IoT, mobile, etc. (<a href=\"https:\/\/tailscale.com\/why-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>It integrates identity and access control, meaning access is managed via user identity, device trust, and network policy rather than just IP addresses. (<a href=\"https:\/\/tailscale.com\/why-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>The company behind it, Tailscale Inc., was founded in 2019, and the product has grown significantly in the enterprise space. (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Tailscale?utm_source=chatgpt.com\">Wikipedia<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>In short: <strong>Tailscale = modern VPN\/mesh network service+overlay that uses WireGuard under the hood, with identity, access control, and ease-of-use.<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Use Cases of Tailscale<\/h2>\n\n\n\n<p>Tailscale supports a wide variety of use cases\u2014from personal to enterprise. Some of the most common are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Business VPN \/ Remote Access<\/strong>: Provide remote workers, traveling employees, or contractors secure access to internal corporate resources (file shares, internal dashboards, home-grown apps) without the complexity of traditional VPNs. 
(<a href=\"https:\/\/tailscale.com\/blog\/patterns-from-the-field-use-cases?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li><strong>Infrastructure Access<\/strong>: Access cloud VM instances, containers, on-premises servers, Kubernetes clusters, etc., securely from anywhere. (<a href=\"https:\/\/tailscale.com\/kb\/1377\/use-cases?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li><strong>Site-to-Site \/ Multi-Cloud Connectivity<\/strong>: Connect multiple offices, cloud VPCs, regions, or mixed infrastructure in a mesh or hybrid topology without major firewall re-architecture. (<a href=\"https:\/\/tailscale.com\/blog\/patterns-from-the-field-use-cases?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li><strong>Developer \/ Testing Environments<\/strong>: Allow devs to spin up machines\/tools anywhere, connect them into a private network, share resources, test services, etc. (<a href=\"https:\/\/tailscale.com\/blog\/patterns-from-the-field-use-cases?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li><strong>Zero-Trust Networking &amp; Micro-segmentation<\/strong>: Use identity\u2010based access controls, device posture, and network policy enforcement to implement least-privilege access to nodes\/services. (<a href=\"https:\/\/tailscale.com\/why-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li><strong>Homelab \/ Personal Use<\/strong>: For individual users wanting to connect devices (phones, laptops, NAS, IoT) across networks securely and simply. (<a href=\"https:\/\/tailscale.com\/use-cases\/homelab?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>These use cases show that Tailscale isn\u2019t simply a \u201cVPN for remote work\u201d\u2014it\u2019s a flexible overlay network that can be used for many connectivity &amp; security patterns.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
How Tailscale Works<\/h2>\n\n\n\n<p>Here\u2019s an explanation of how Tailscale operates, from the underlying technology up to how devices connect, with the latest details.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">a) Underlying Protocol &amp; Data Plane<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The data\u2010plane encryption is built on the WireGuard protocol: each node runs a WireGuard implementation (often wireguard-go) which establishes encrypted tunnels (peer-to-peer). (<a href=\"https:\/\/tailscale.com\/blog\/how-tailscale-works?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Tailscale intercepts routing on each device: each Tailscale node gets a private IP (e.g., in the 100.x.y.z range) and can connect directly to other nodes in the tailnet if possible. (<a href=\"https:\/\/www.caseyliss.com\/2024\/3\/27\/tailscale?utm_source=chatgpt.com\">Liss is More<\/a>)<\/li>\n\n\n\n<li>NAT traversal: Tailscale uses techniques to punch through NATs \/ firewalls; if direct peer\u2010to\u2010peer fails, it falls back to relay servers (called DERP \u2013 \u201cDesignated Encrypted Relay for Packets\u201d). (<a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">b) Control Plane &amp; Coordination<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tailscale uses a coordination server (control plane) to manage device registration, key distribution (public keys of peers), identity mapping, and policy enforcement. (<a href=\"https:\/\/tailscale.com\/blog\/how-tailscale-works?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Each device \u201cauthenticates\u201d via an identity provider (Google, Microsoft Entra, Okta, etc.) or other SSO\/OIDC flow. The identity is mapped to devices and used in ACLs. 
(<a href=\"https:\/\/tailscale.com\/why-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>After a device is approved and joins the tailnet, the coordination server provides it with the public keys, IP addresses and connectivity metadata of the other nodes it is allowed to talk to (according to policy).<\/li>\n\n\n\n<li>The coordination server does <strong>not<\/strong> sit in the data path for most traffic \u2014 once peers know about each other, they attempt direct connections. If a direct connection fails, a DERP relay may be used. This keeps latency low and avoids central bottlenecks. (<a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">c) Routing, Access Control &amp; Topologies<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Each node has a list of \u201cAllowedIPs\u201d (or equivalent) that defines which IP ranges\/peers it can send to via the Tailscale tunnel.<\/li>\n\n\n\n<li>Access control: Tailscale supports ACLs (Access Control Lists) that specify which users\/devices can access which nodes\/ports\/protocols. Both identity and device posture feed into these decisions. (<a href=\"https:\/\/tailscale.com\/features?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Topologies: Though a full mesh is the default, you can also set up subnet routers (so a node acts as a gateway to a subnet), exit nodes (so all traffic from certain devices routes via one node), and other hybrid patterns. 
(<a href=\"https:\/\/tailscale.com\/blog\/patterns-from-the-field-use-cases?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">d) Workflow Summary<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Install the Tailscale client on a device (desktop, server, phone, etc.).<\/li>\n\n\n\n<li>Authenticate via your identity provider \u2192 the device registers with the control plane.<\/li>\n\n\n\n<li>The device receives a unique Tailscale\u2010internal IP address and appears in the tailnet.<\/li>\n\n\n\n<li>The device learns of other nodes (public keys, IPs, endpoints) per access policy.<\/li>\n\n\n\n<li>When Device A wants to talk to Device B:\n<ul class=\"wp-block-list\">\n<li>It attempts a direct UDP (WireGuard) connection to B using the known endpoint and key.<\/li>\n\n\n\n<li>If NAT traversal fails, traffic relays via DERP.<\/li>\n\n\n\n<li>Traffic is end-to-end encrypted (WireGuard) between A and B either way; a DERP relay only forwards already-encrypted frames and cannot read them.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Access control: on B\u2019s side, the node checks its ACL\/policy: is A allowed to connect? If yes, the packet is accepted; if not, it is dropped.<\/li>\n\n\n\n<li>Optionally: use an exit node or subnet routing, restrict traffic, run device posture checks, etc.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">e) Security &amp; Trust Model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Every node has a keypair; the private key never leaves the device. The public key is shared with approved peers. (<a href=\"https:\/\/tailscale.com\/blog\/how-tailscale-works?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Identity is used to control access, not just network location (which makes this a zero-trust network overlay). (<a href=\"https:\/\/tailscale.com\/blog\/better-enterprise-security-with-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>No central decryption point: unless traffic is forced via a certain node (exit node), it\u2019s end-to-end encrypted between peers. 
(<a href=\"https:\/\/virtualizationreview.com\/articles\/2024\/03\/18\/hands-on-tailscale.aspx?utm_source=chatgpt.com\">Virtualization Review<\/a>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. How Tailscale and WireGuard are Related<\/h2>\n\n\n\n<p>The relationship between Tailscale and WireGuard is foundational:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WireGuard is the <strong>underlying VPN protocol<\/strong> used by Tailscale to provide encrypted tunnels. Tailscale relies on WireGuard (and likely the wireguard-go implementation) for its data plane. (<a href=\"https:\/\/tailscale.com\/blog\/how-tailscale-works?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Tailscale builds <strong>additional layers<\/strong> on top of WireGuard:\n<ul class=\"wp-block-list\">\n<li>A coordination\/control plane (device registration, key distribution, node discovery)<\/li>\n\n\n\n<li>A NAT traversal\/relay fallback mechanism (DERP)<\/li>\n\n\n\n<li>Identity &amp; ACL integration (so you can use users\/groups, not just IPs)<\/li>\n\n\n\n<li>Easy installer clients across platforms, management UI\/console, enterprise features<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>In other words:\n<ul class=\"wp-block-list\">\n<li>WireGuard = secure tunneling engine<\/li>\n\n\n\n<li>Tailscale = complete solution around WireGuard + management + policy + ease of use<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>This means you benefit from WireGuard\u2019s speed, simplicity, and security, while Tailscale gives you the user-friendly overlay, orchestration, and enterprise features.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Tailscale Architecture (Detailed)<\/h2>\n\n\n\n<p>Here is how Tailscale is architected, including major components, flows, and deployment options.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">a) Major Components<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Tailscale Client\/Agent<\/strong>: Runs on each node (desktop, server, phone, IoT).\n<ul class=\"wp-block-list\">\n<li>Installs the WireGuard interface (wg0 or equivalent)<\/li>\n\n\n\n<li>Manages configuration, keypair generation, authorization<\/li>\n\n\n\n<li>Connects to the control plane<\/li>\n\n\n\n<li>Handles peer discovery, NAT traversal, DERP fallback<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Control \/ Coordination Plane<\/strong>: (hosted by Tailscale, or run privately if self-hosted)\n<ul class=\"wp-block-list\">\n<li>Handles device registration and identity authentication<\/li>\n\n\n\n<li>Maintains the list of nodes, public keys, endpoints<\/li>\n\n\n\n<li>Distributes ACLs\/policies to nodes<\/li>\n\n\n\n<li>Acts as a \u201cdirectory\u201d, not as a router for user traffic<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>DERP Relay Network<\/strong>: Distributed relay servers around the world that devices use when a direct peer-to-peer connection fails (due to symmetric NAT, blocked UDP, etc.). (<a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li><strong>Tailnet<\/strong>: The logical network created by your devices. 
Nodes in your tailnet can talk (subject to ACLs).<\/li>\n\n\n\n<li><strong>Optional infrastructure components<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Subnet routers (to make entire subnets reachable)<\/li>\n\n\n\n<li>Exit nodes (to route internet traffic via a node)<\/li>\n\n\n\n<li>App connectors (to extend to SaaS or other resources)<\/li>\n\n\n\n<li>Integration with identity providers (IdPs), device posture, logging\/telemetry etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">b) Deployment Topologies<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Device to Device (Peer-to-Peer Mesh)<\/strong>: Default mode\u2014each device connects directly to others when possible.<\/li>\n\n\n\n<li><strong>Site-to-Site \/ Multi-Site<\/strong>: Use subnet routers on each network (office, cloud VPC) to connect entire subnets. (<a href=\"https:\/\/tailscale.com\/blog\/patterns-from-the-field-use-cases?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li><strong>Exit Node \/ Remote Access<\/strong>: A device acts as gateway for internet traffic. For example, home desktop becomes exit node for laptop.<\/li>\n\n\n\n<li><strong>Mixed Cloud + On-Premises<\/strong>: Nodes in different clouds and on-premises join the same tailnet; routing and policy applied uniformly. 
(<a href=\"https:\/\/tailscale.com\/kb\/1296\/aws-reference-architecture?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">c) Connectivity Flow<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Node starts the client \u2192 authenticates to the control plane via its identity provider.<\/li>\n\n\n\n<li>Control plane assigns the node a tailnet IP, registers its public key, and learns its endpoint info.<\/li>\n\n\n\n<li>Client receives the list of peers and policies (ACLs).<\/li>\n\n\n\n<li>When node A wants to reach node B:\n<ul class=\"wp-block-list\">\n<li>Look up B\u2019s endpoint (public IP:port) via the control information.<\/li>\n\n\n\n<li>Attempt a UDP connection (WireGuard handshake) to B.<\/li>\n\n\n\n<li>If the direct attempt fails, reach B via a DERP relay.<\/li>\n\n\n\n<li>Once the WireGuard tunnel is established, traffic flows encrypted end to end.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Node B checks that A\u2019s identity\/peer is allowed (via ACLs) before accepting traffic.<\/li>\n\n\n\n<li>If an exit node or subnet router is used, traffic from A may be routed via another node to reach the target.<\/li>\n\n\n\n<li>Logging, telemetry, and policy enforcement run as part of the overlay.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">d) Security \/ Telemetry \/ Policy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ACLs allow specifying <strong>who<\/strong> (user, group) can access <strong>what<\/strong> (node, port, protocol). (<a href=\"https:\/\/tailscale.com\/features?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Device posture checks, identity provider integration, and SCIM auto-provisioning are available for enterprises. (<a href=\"https:\/\/tailscale.com\/enterprise?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Audit logs, network flow logs, and telemetry feed into SIEM or analytics systems. 
(<a href=\"https:\/\/tailscale.com\/features?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Because each node enforces policy locally, the system avoids a central \u201cchoke point\u201d for traffic and avoids single point of failure. (<a href=\"https:\/\/virtualizationreview.com\/articles\/2024\/03\/18\/hands-on-tailscale.aspx?utm_source=chatgpt.com\">Virtualization Review<\/a>)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">e) Example Reference Architecture (AWS)<\/h3>\n\n\n\n<p>For example, deploying Tailscale in AWS may use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Agent-to-Agent connectivity: nodes (e.g., EC2) join tailnet directly.<\/li>\n\n\n\n<li>Subnet router: to expose AWS RDS\/private subnet to tailnet. (<a href=\"https:\/\/tailscale.com\/kb\/1296\/aws-reference-architecture?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Exit node: for remote users to route traffic through cloud or on-premises node.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Why Use Tailscale (Benefits)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rapid deployment: you can join devices to a private network in minutes without complex VPN infrastructure. (<a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Low latency \/ high performance: because of direct peer connectivity and minimal central routing. (<a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Identity-based access, zero-trust networking: you control access by user\/device identity, not just network address. (<a href=\"https:\/\/tailscale.com\/why-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Infrastructure\u2010agnostic: works across cloud, on-prem, mobile, IoT, etc. 
(<a href=\"https:\/\/tailscale.com\/why-tailscale?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n\n\n\n<li>Flexible network topology and segmentation: mesh, hubs, subnets, exit nodes\u2014all possible.<\/li>\n\n\n\n<li>Security features for enterprises: ACLs, device posture, audit logs, SIEM integration, etc.<\/li>\n\n\n\n<li>Open source at its core and built on WireGuard, so it benefits from modern cryptography and auditability. (<a href=\"https:\/\/tailscale.com\/company?utm_source=chatgpt.com\">Tailscale<\/a>)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u26a0\ufe0f Considerations &amp; Limitations<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>While traffic is peer-to-peer by default, certain environments (e.g., corporate NATs blocking UDP) may need relay fallback or extra setup.<\/li>\n\n\n\n<li>Some advanced enterprise needs (very large scale, custom routing, regulatory constraints) may still require additional design.<\/li>\n\n\n\n<li>Because the control plane is involved (though not in the data path), some organizations will want to evaluate the trust and governance of the service: it distributes peer public keys and policy, so its integrity matters even though it never sees traffic contents.<\/li>\n\n\n\n<li>Though free and paid tiers exist, enterprise features incur cost, and careful policy design is required.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div class=\"wp-block-merpress-mermaidjs diagram-source-mermaid\"><pre class=\"mermaid\">flowchart LR\n  %% ================================\n  %% TAILSCALE: ARCHITECTURE OVERVIEW\n  %% ================================\n\n  %% ------- Tailnet Devices (Data Plane) -------\n  subgraph DEV1[\"Device A\"]\n    A_App[\"Apps\\nTCP or UDP\"]\n    A_RT[\"OS Routing\"]\n    subgraph A_Agent[\"Tailscale Agent\"]\n      A_WG[\"WireGuard wg0\"]\n      A_ACL[\"Local ACL Enforcer\"]\n      A_KP[\"Keypair\\nprivate key stays local\"]\n      A_CFG[\"Peer and AllowedIPs\\nDERP map\"]\n    end\n    A_NIC[\"NIC over 
UDP\"]\n  end\n\n  subgraph DEV2[\"Device B\"]\n    B_App[\"Services\\nTCP or UDP\"]\n    B_RT[\"OS Routing\"]\n    subgraph B_Agent[\"Tailscale Agent\"]\n      B_WG[\"WireGuard wg0\"]\n      B_ACL[\"Local ACL Enforcer\"]\n      B_KP[\"Keypair\"]\n      B_CFG[\"Peer and AllowedIPs\\nDERP map\"]\n    end\n    B_NIC[\"NIC over UDP\"]\n  end\n\n  %% ------- Control Plane (Out of band) -------\n  subgraph CTRL[\"Tailscale Control Plane\"]\n    IdP[\"Identity Provider\\nSSO or OIDC\"]\n    Reg[\"Device Registration\\nand Node Directory\"]\n    Keys[\"Key and Node Metadata\\npubkeys and endpoints\"]\n    Policy[\"ACLs and Groups and Posture\"]\n  end\n\n  IdP --> Reg\n  Reg --> Keys\n  Policy --> Keys\n\n  %% ------- DERP Relay Fabric (fallback) -------\n  subgraph DERP[\"DERP Relay Network\"]\n    D1[\"DERP Region 1\"]\n    D2[\"DERP Region 2\"]\n    D3[\"DERP Region N\"]\n  end\n\n  %% ------- Enrollment \/ Updates (Control plane traffic) -------\n  A_Agent -. \"auth and updates\" .-> CTRL\n  B_Agent -. \"auth and updates\" .-> CTRL\n\n  %% ------- Data Plane: Direct P2P (preferred) -------\n  A_WG -- \"UDP WireGuard direct\\nNAT traversal STUN like\" --> B_WG\n\n  %% ------- Data Plane: Relay (when direct fails) -------\n  A_WG -. \"Encrypted frames via DERP\" .- D1\n  D1 -. \"Encrypted frames\" .- B_WG\n\n  %% ------- Local Enforcement &amp; Routing -------\n  A_App --> A_RT --> A_WG\n  A_Agent --> A_ACL\n  A_ACL -. \"allow or deny\" .- A_WG\n  A_WG --> A_NIC\n\n  B_NIC --> B_WG\n  B_WG -. 
\"allow or deny\" .- B_ACL\n  B_ACL --> B_Agent\n  B_WG --> B_RT --> B_App\n\n  %% ------- Optional Topologies -------\n  subgraph NETX[\"Optional Gateways\"]\n    SubnetR[\"Subnet Router\\nroute LAN prefixes\"]\n    ExitNode[\"Exit Node\\nroute Internet\"]\n  end\n\n  B_WG --- SubnetR\n  A_WG --- ExitNode\n\n  %% ------- Styling -------\n  classDef agent fill:#e8fff5,stroke:#10b981,color:#111;\n  classDef wg fill:#f0f9ff,stroke:#0ea5e9,color:#111;\n  classDef plane fill:#fff7ed,stroke:#f59e0b,color:#111;\n  classDef ctrl fill:#eef2ff,stroke:#6366f1,color:#111;\n  classDef note fill:#ffffff,stroke:#d1d5db,stroke-dasharray:3 3,color:#111;\n\n  class A_Agent,B_Agent agent\n  class A_WG,B_WG wg\n  class A_NIC,B_NIC plane\n  class CTRL,IdP,Reg,Keys,Policy ctrl\n  class D1,D2,D3 plane\n  class SubnetR,ExitNode note\n<\/pre><\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. What is Tailscale? Tailscale is a mesh VPN \/ software-defined network overlay service that makes it easy to connect devices, services, and networks securely, regardless of where they are located. (Tailscale)Key points: In short: Tailscale = modern VPN\/mesh network service+overlay that uses WireGuard under the hood, with identity, access control, and ease-of-use. 2. Use &#8230; <a title=\"What is Tailscale?\" class=\"read-more\" href=\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/\" aria-label=\"Read more about What is Tailscale?\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-636","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What is Tailscale? 
- DevSecOps School<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is Tailscale? - DevSecOps School\" \/>\n<meta property=\"og:description\" content=\"1. What is Tailscale? Tailscale is a mesh VPN \/ software-defined network overlay service that makes it easy to connect devices, services, and networks securely, regardless of where they are located. (Tailscale)Key points: In short: Tailscale = modern VPN\/mesh network service+overlay that uses WireGuard under the hood, with identity, access control, and ease-of-use. 2. Use ... Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/\" \/>\n<meta property=\"og:site_name\" content=\"DevSecOps School\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-21T11:03:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-21T11:03:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1024x713.png\" \/>\n<meta name=\"author\" content=\"Rajesh Kumar\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rajesh Kumar\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/\"},\"author\":{\"name\":\"Rajesh Kumar\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c\"},\"headline\":\"What is Tailscale?\",\"datePublished\":\"2025-10-21T11:03:46+00:00\",\"dateModified\":\"2025-10-21T11:03:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/\"},\"wordCount\":1658,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1024x713.png\",\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/\",\"url\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/\",\"name\":\"What is Tailscale? 
- DevSecOps School\",\"isPartOf\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1024x713.png\",\"datePublished\":\"2025-10-21T11:03:46+00:00\",\"dateModified\":\"2025-10-21T11:03:47+00:00\",\"author\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c\"},\"breadcrumb\":{\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#breadcrumb\"},\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#primaryimage\",\"url\":\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image.png\",\"contentUrl\":\"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image.png\",\"width\":2334,\"height\":1624},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/devsecopsschool.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What is Tailscale?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#website\",\"url\":\"https:\/\/devsecopsschool.com\/blog\/\",\"name\":\"DevSecOps School\",\"description\":\"DevSecOps 
Redefined\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/devsecopsschool.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c\",\"name\":\"Rajesh Kumar\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b02d9501846e698677d30ae5e3d8648980cdd60ebaab000d5001f4612c9f0ff7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b02d9501846e698677d30ae5e3d8648980cdd60ebaab000d5001f4612c9f0ff7?s=96&d=mm&r=g\",\"caption\":\"Rajesh Kumar\"},\"sameAs\":[\"http:\/\/devsecopsschool.com\/blog\"],\"url\":\"https:\/\/devsecopsschool.com\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is Tailscale? - DevSecOps School","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/","og_locale":"en_US","og_type":"article","og_title":"What is Tailscale? - DevSecOps School","og_description":"1. What is Tailscale? Tailscale is a mesh VPN \/ software-defined network overlay service that makes it easy to connect devices, services, and networks securely, regardless of where they are located. (Tailscale)Key points: In short: Tailscale = modern VPN\/mesh network service+overlay that uses WireGuard under the hood, with identity, access control, and ease-of-use. 2. Use ... 
Read more","og_url":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/","og_site_name":"DevSecOps School","article_published_time":"2025-10-21T11:03:46+00:00","article_modified_time":"2025-10-21T11:03:47+00:00","og_image":[{"url":"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1024x713.png","type":"","width":"","height":""}],"author":"Rajesh Kumar","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Rajesh Kumar","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#article","isPartOf":{"@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/"},"author":{"name":"Rajesh Kumar","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c"},"headline":"What is Tailscale?","datePublished":"2025-10-21T11:03:46+00:00","dateModified":"2025-10-21T11:03:47+00:00","mainEntityOfPage":{"@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/"},"wordCount":1658,"commentCount":0,"image":{"@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#primaryimage"},"thumbnailUrl":"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1024x713.png","inLanguage":"en","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/","url":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/","name":"What is Tailscale? 
- DevSecOps School","isPartOf":{"@id":"https:\/\/devsecopsschool.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#primaryimage"},"image":{"@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#primaryimage"},"thumbnailUrl":"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image-1024x713.png","datePublished":"2025-10-21T11:03:46+00:00","dateModified":"2025-10-21T11:03:47+00:00","author":{"@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c"},"breadcrumb":{"@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#breadcrumb"},"inLanguage":"en","potentialAction":[{"@type":"ReadAction","target":["https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/"]}]},{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#primaryimage","url":"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image.png","contentUrl":"https:\/\/devsecopsschool.com\/blog\/wp-content\/uploads\/2025\/10\/image.png","width":2334,"height":1624},{"@type":"BreadcrumbList","@id":"https:\/\/devsecopsschool.com\/blog\/what-is-tailscale\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/devsecopsschool.com\/blog\/"},{"@type":"ListItem","position":2,"name":"What is Tailscale?"}]},{"@type":"WebSite","@id":"https:\/\/devsecopsschool.com\/blog\/#website","url":"https:\/\/devsecopsschool.com\/blog\/","name":"DevSecOps School","description":"DevSecOps Redefined","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/devsecopsschool.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en"},{"@type":"Person","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/e414b640530af05905c2162ba4259f6c","name":"Rajesh 
Kumar","image":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/devsecopsschool.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/b02d9501846e698677d30ae5e3d8648980cdd60ebaab000d5001f4612c9f0ff7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b02d9501846e698677d30ae5e3d8648980cdd60ebaab000d5001f4612c9f0ff7?s=96&d=mm&r=g","caption":"Rajesh Kumar"},"sameAs":["http:\/\/devsecopsschool.com\/blog"],"url":"https:\/\/devsecopsschool.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=636"}],"version-history":[{"count":1,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/636\/revisions"}],"predecessor-version":[{"id":638,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/636\/revisions\/638"}],"wp:attachment":[{"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devsecopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
