Tailscale is set up in minutes — no ports to open, no static IPs to manage, no certificates to handle. Built on the WireGuard protocol, Tailscale creates a mesh VPN network where devices connect directly peer-to-peer. The coordination server (control plane) only handles key exchange and configuration; actual traffic never passes through Tailscale servers. For teams and small companies, it is the fastest path to secure remote access.
Installation
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
tailscale status
After installation, the device automatically registers in your network (tailnet). Each device gets a stable IP address from the 100.x.y.z range and a DNS name. MagicDNS lets you access devices by name — instead of an IP address, you type ssh server-name.
Subnet Routing
sudo tailscale up --advertise-routes=192.168.1.0/24
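Subnet routing exposes an entire local network through Tailscale without installing the client on every device. Typically, you install Tailscale on one server in the network and it serves as a gateway for accessing the rest — printers, NAS, IoT devices. On Linux the gateway needs IP forwarding enabled, and the advertised routes must be approved by a tailnet admin before other devices can use them.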
Exit Node
# Server
sudo tailscale up --advertise-exit-node
# Client
sudo tailscale up --exit-node=server-name
An exit node routes all internet traffic through a chosen server. This is useful for secure connections from public Wi-Fi or for accessing geo-restricted content. Unlike commercial VPN services, you use your own server.
ACL
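{
  // Placeholder membership; replace with your own users.
  "groups": {"group:dev": ["alice@example.com"]},
  // A tag needs an owner before a rule can reference it.
  "tagOwners": {"tag:server": ["autogroup:admin"]},
  "acls": [
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:server:*"]}
  ]
}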
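ACLs (access control lists) define who can communicate with what. The rule above lets members of group:dev reach every port on devices tagged tag:server; anything a rule does not explicitly accept is denied. User groups (group:dev, group:ops) and device tags (tag:server, tag:db) enable granular access control: developers see only development servers, while the ops team has access to production.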
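A pre-merge check for a policy like the one above, as an added example that is not part of the original article or of Tailscale's tooling: it flags groups and tags that rules reference but the policy never defines, and allow-all rules that undo the segmentation. The function name, the sample users and the sample rules are constructed, and the input is assumed to be strict JSON with IPv4 or named destinations.

```python
import json

# Constructed sample policy (strict JSON here; real tailnet policy files
# may also carry comments). Users and rules 1-2 are made up for the demo.
SAMPLE_POLICY = """
{
  "groups": {"group:dev": ["alice@example.com"]},
  "tagOwners": {"tag:server": ["autogroup:admin"]},
  "acls": [
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:server:*"]},
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:db:5432"]},
    {"action": "accept", "src": ["*"], "dst": ["*:*"]}
  ]
}
"""


def lint_policy(text):
    """Return a list of findings for a tailnet policy given as JSON text."""
    policy = json.loads(text)
    groups = policy.get("groups", {})
    tags = policy.get("tagOwners", {})
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        srcs = rule.get("src", [])
        # dst entries are "host:ports"; the port spec follows the last colon.
        dsts = [d.rpartition(":") for d in rule.get("dst", [])]
        for name in srcs + [host for host, _, _ in dsts]:
            if name.startswith("group:") and name not in groups:
                findings.append(f"rule {i}: undefined {name}")
            elif name.startswith("tag:") and name not in tags:
                findings.append(f"rule {i}: {name} has no tagOwners entry")
        # Any source to any host on any port is a flat network again.
        if "*" in srcs and any(h == "*" and p == "*" for h, _, p in dsts):
            findings.append(f"rule {i}: allow-all rule defeats segmentation")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```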
Painless VPN
Tailscale is the simplest path to a VPN for remote access, connecting offices and servers, or secure access to internal services. For a self-hosted alternative, consider Headscale.