You’ve got a laptop, a desktop, a NAS in the closet, and a Raspberry Pi running Home Assistant. How do they all talk to each other securely — without opening ports, fighting with firewall rules, or renting a cloud server just to route traffic?
Here’s the short answer: Tailscale makes this stupidly simple. It’s a zero-config mesh VPN built on WireGuard®, free for personal use (100 devices, 6 users), and it genuinely delivers on the “it just works” promise.
But wait — is this a VPN or isn’t it? That’s the first thing to get straight. But Tailscale isn’t a “hide my IP” VPN like NordVPN or Surfshark. Instead, it’s a mesh networking tool that connects your devices directly to each other. So think private network, not public internet shield. (The Premium plan adds Mullvad exit nodes for privacy routing, but that’s a separate feature, not what Tailscale is built for.)
How Tailscale Works (And Why It’s Different)
Traditional VPNs use a hub-and-spoke model — all traffic funnels through a single server. But Tailscale flips this architecture. Every device in your network (they call them “nodes”) gets a unique IP from Tailscale’s cloud coordination server, then establishes direct WireGuard connections peer-to-peer. When a direct connection isn’t possible — symmetric NAT, double NAT, that sort of thing — it automatically falls back to DERP relay servers. The key point: you never have to think about any of this.
| Dimension | Tailscale | Traditional VPN (OpenVPN/WireGuard) | ZeroTier |
|---|---|---|---|
| Architecture | Mesh (P2P) | Hub-and-Spoke | Mesh |
| Setup | Login and go | Generate keys + config files | Register network + configure |
| Control plane | Tailscale-hosted (closed-source) | Self-hosted | Self-hosted or cloud |
| Free tier | 100 devices, 6 users | Your own server hardware | 25 nodes |
| NAT traversal | Automatic (STUN + DERP) | Manual port forwarding | Automatic |
For a full comparison between mesh VPNs and traditional providers, check our ProtonVPN Review.
Hands-On: What Using Tailscale Actually Looks Like
I set up Tailscale on a Synology DS220+ NAS, a Windows 11 desktop, and a macOS laptop. Total time from downloading the first client to pinging the NAS by hostname: about 8 minutes. And that includes the download. No config files. No port forwarding on the router. Just authenticate with Google, click “Add device,” and it connects. Still, it felt almost too easy — I kept checking if I’d missed a step.
MagicDNS is the feature that sold me. Instead of typing 192.168.1.105 to reach your NAS, you type synology-nas.tailnet.net. It’s a small shift, but it changes how you think about device access. And your homelab starts to feel like a real private cloud.
And the ACL system deserves a mention too. Each device gets an identity certificate, and you can write simple policy rules: “allow my work laptop to reach the NAS, but block it from the Home Assistant Pi.” That kind of granularity normally requires a separate VLAN setup or firewall rule set. Here it’s a 10-line config file.
Tailscale Limitations: What to Watch Out For
Tailscale isn’t flawless, and here’s what gave me pause:
- The control plane is closed-source. The client software is open (tailscale/tailscale on GitHub), but the coordination server that manages your network is proprietary. If you’d rather self-host, there’s Headscale — an open-source community reimplementation. But it’s not official, and it requires a VPS to run.
- Premium features cost extra. Mullvad exit nodes, SCIM integration, and advanced ACL rules are locked behind the $18/user/month Premium tier.
- Free admin limit. Your network can have 6 users, but only 3 of them can manage settings. For a family homelab this rarely matters, but for a team it’s a hard cap.
- The admin UI is minimal. Compared to a full-featured commercial VPN dashboard, Tailscale’s web interface feels sparse. That’s by design — they keep it simple — but it can be disorienting if you’re used to graphs and analytics.
Bottom Line: Is Tailscale Worth Trying?
Tailscale rethinks what a VPN should be — not a tunnel to the internet, but a secure mesh connecting your devices. The free tier is generous enough for almost any homelab or small team, and the zero-config setup genuinely delivers. If you’ve ever spent an afternoon wrestling with WireGuard config files or port forwarding rules, Tailscale is worth every minute of the 8 it takes to get started.
So if you’re new to self-hosted networking and want to compare Tailscale with a traditional VPN provider, our ProtonVPN Review covers what a standard VPN offers for remote access and privacy.
Disclosure: Some links below are affiliate links. If you sign up through them, I may earn a commission at no extra cost to you.
Tailscale is free for personal use. But if you want to self-host Headscale (the open-source control server) for full control over your mesh network, you'll need a VPS. Here are two solid options:
- Vultr — starts at $6/mo, global datacenters in 32 locations (great for low-latency Tailscale nodes)
- DigitalOcean — $200 credit for new users, 15 global regions, one-click Docker deploys
A $6/mo VPS is more than enough to run Headscale + the Tailscale CLI — or even a full homelab jump box.