Tailscale and alternatives — private network between your devices
Tailscale creates an encrypted mesh network of all your devices without opening ports or managing a VPN server. We explain how it works and when to choose Headscale or WireGuard.
Tailscale is different from a normal VPN. It connects your own devices with each other in a private network — without managing a VPN server, without opening ports in your router, and without all your traffic running through a central point.
The problem Tailscale solves
Say you have a NAS, a server or a Raspberry Pi at home. You want access to it when you’re away. Traditional options:
- Port forwarding on your router: Works, but exposes your service to the internet. Every hour brings scanning attempts on port 22 (SSH) or 80 (HTTP).
- Running a VPN server (WireGuard/OpenVPN): Secure, but you need a stable IP address, you have to maintain the server yourself, and configuration is non-trivial.
- Tailscale: No open ports, no server of your own, works everywhere, including behind CG-NAT (most Dutch internet providers).
How Tailscale works
Tailscale builds a WireGuard mesh between your devices. Each device gets a fixed IP address in the 100.x.x.x range. Devices connect directly to each other — peer-to-peer — without a central server relaying traffic.
For coordination (which devices exist, who may connect to what) Tailscale uses its own control server. That server doesn’t see your traffic, only the metadata of your network (which devices are seeking connections).
Works behind CG-NAT too: Tailscale uses DERP relay servers when a direct connection is not possible. It works even behind the most difficult NAT configurations.
Specifications
| Property | Value |
|---|---|
| Technology | WireGuard mesh |
| IP range | 100.64.0.0/10 (Tailscale specific) |
| Free tier | Yes — unlimited devices for personal use |
| Paid | Teams and enterprise plans |
| Platforms | Windows, macOS, Linux, Android, iOS, FreeBSD |
| Router support | Yes (subnet routing) |
| Exit node | Yes — route traffic via a specific device |
| Open-source client | Yes |
| Control server | Tailscale cloud (or self-hosted via Headscale) |
Subnet routing — your entire home network accessible
If you set up Tailscale on a device at home (Raspberry Pi, NAS, server) and activate subnet routing, all devices on your home network become accessible via Tailscale — even devices without Tailscale installed.
Example: your NAS at 192.168.1.100 is reachable at that same address from your laptop at the office, via the Tailscale connection.
Exit node — VPN for all your traffic
You can set up a Tailscale device as an “exit node”. All your internet traffic then runs through that device. Useful when you have a secure home network and you’re on public Wi-Fi — you browse via your home connection.
This is comparable to a traditional VPN, but via your own hardware.
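To review what the subnet routing and exit node features described above actually expose, this added example (not from the original article or from Tailscale) audits the output of `tailscale status --json`. The embedded status document is constructed, and the field names (`Peer`, `HostName`, `PrimaryRoutes`, `ExitNodeOption`) and the 1024-address threshold are assumptions to check against your own client version.

```python
import ipaddress
import json

# Constructed sample in the shape of `tailscale status --json` (trimmed, assumed fields).
SAMPLE_STATUS = json.loads("""
{
  "Self": {"HostName": "laptop", "TailscaleIPs": ["100.101.102.103"]},
  "Peer": {
    "nodekey:aaa": {"HostName": "pi-home", "TailscaleIPs": ["100.64.0.5"],
                    "PrimaryRoutes": ["192.168.1.0/24"], "ExitNodeOption": true},
    "nodekey:bbb": {"HostName": "nas", "TailscaleIPs": ["100.64.0.9"]},
    "nodekey:ccc": {"HostName": "vps", "TailscaleIPs": ["100.64.0.12"],
                    "PrimaryRoutes": ["10.0.0.0/8"], "ExitNodeOption": false}
  }
}
""")

TAILNET_RANGE = ipaddress.ip_network("100.64.0.0/10")  # range Tailscale assigns from


def audit_peers(status, max_addresses=1024):
    """Return {hostname: [(kind, detail), ...]} for peers that widen tailnet reach."""
    report = {}
    for peer in (status.get("Peer") or {}).values():
        findings = []
        for route in peer.get("PrimaryRoutes") or []:
            net = ipaddress.ip_network(route, strict=False)
            if net.overlaps(TAILNET_RANGE):
                # A routed subnet inside 100.64.0.0/10 collides with device addresses.
                findings.append(("overlaps-tailnet-range", route))
            elif net.num_addresses > max_addresses:
                # Far wider than a home LAN: every host in it becomes reachable.
                findings.append(("broad-subnet-route", route))
            else:
                findings.append(("subnet-route", route))
        if peer.get("ExitNodeOption"):
            # Any device that selects this peer sends all internet traffic through it.
            findings.append(("exit-node-offered", "default route"))
        if findings:
            report[peer.get("HostName", "?")] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_peers(SAMPLE_STATUS).items():
        for kind, detail in findings:
            print(f"{host}: {kind} {detail}")
```

On a real machine, feed it `json.loads(subprocess.check_output(["tailscale", "status", "--json"]))` instead of the sample and compare the result with the routers and exit nodes you intended to set up.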
Alternatives
Headscale — self-hosted Tailscale control server
Tailscale’s control server coordinates the network. Headscale is an open-source, self-hosted implementation of that control server. You run it on your own VPS or server, and Tailscale clients connect to your server instead of Tailscale’s cloud.
Advantage: No dependency on Tailscale as a company. Full control over who has access. Disadvantage: You must manage, update and secure a server. More work.
When to choose Headscale: If privacy from Tailscale (the company) is a requirement, or if you want the control server under your own management.
ZeroTier — alternative mesh protocol
ZeroTier is a comparable mesh VPN technology with its own protocol. Works on more platforms (including some embedded systems) and has its own virtual network layer.
| | Tailscale | ZeroTier | Headscale |
|---|---|---|---|
| Protocol | WireGuard | ZeroTier own | WireGuard |
| Control server | Tailscale cloud | ZeroTier cloud | Self-hosted |
| Free tier | Unlimited devices | 25 devices | Self-hosted |
| Setup | Very easy | Easy | Complex |
| Open-source | Client | Client | Fully |
WireGuard manual — maximum control
WireGuard configured directly without Tailscale or ZeroTier. You manage the keys, configuration files and server yourself. No dependency on external services.
When: If you already have a VPS or home server, and are willing to manage configuration manually. More work than Tailscale, but fully open-source and fully self-managed.
When to use what?
| Situation | Recommendation |
|---|---|
| Make home network accessible, simple | Tailscale free tier |
| No dependency on external control server | Headscale on own VPS |
| Home network as VPN exit node | Tailscale exit node |
| Maximum control, no external services | WireGuard manual |
| Embedded devices or exotic platforms | ZeroTier |
Installation in 3 steps (Tailscale)
- Create an account at tailscale.com (Google, Microsoft or email)
- Install the Tailscale client on each device: `curl -fsSL https://tailscale.com/install.sh | sh` (Linux), or via app store
- Run `tailscale up` and authenticate — the device appears directly in your network
All devices with the same account are reachable at their 100.x.x.x address.
Caveats
Tailscale as a company: Tailscale’s control server coordinates your network. They see which devices exist and when they seek connections — not the content of traffic. If that is a concern: Headscale.
Free tier limitations: Tailscale’s free tier is generous for personal use. For teams and businesses there are paid plans.
See also:
- Which network setup fits your threat profile? — network overview per threat level
- Setting up a GL.iNet travel router — VPN at router level as alternative
- Network security for crypto users — network as part of a broader security strategy