Tailscale and alternatives — private network between your devices
Who this guide is for: Home users and IT professionals who want to reach their own devices securely from outside the home without opening ports or maintaining a traditional VPN server.
Tailscale and alternatives — private network between your devices
Who this guide is for: Home users and IT professionals who want to reach their own devices securely from outside the home without opening ports or maintaining a traditional VPN server.
Tailscale is different from a normal VPN. It connects your own devices with each other in a private network without you having to manage a VPN server, and usually without opening ports in your router. In most cases traffic runs directly between devices; if that fails, Tailscale falls back to a relay.
What you gain, and what it costs
You gain easy, secure access to your own devices from anywhere without port forwarding, dynamic DNS, or a self-managed VPN server. For many people, this is the fastest route to “I can reach my NAS or home server again” without becoming a network administrator.
The cost is reliance on a coordination service and one more trust layer in your network design. Tailscale cannot see your content, but it does see metadata about devices and connections, and more advanced setups still require you to understand routes, exit nodes, and ACLs.
When this is overkill
If you never need to reach your devices from outside home, you do not need this. And if you want maximum autonomy and are willing to maintain your own WireGuard or Headscale setup, Tailscale may be too convenience-oriented for your requirements. Its strongest fit is for people who do want remote access but do not want open ports and server maintenance.
The problem Tailscale solves
Say you have a NAS, a server or a Raspberry Pi at home. You want access to it when you’re away. Traditional options:
- Port forwarding on your router: Works, but exposes your service to the internet. Every hour brings scanning attempts on port 22 (SSH) or 80 (HTTP).
- Running a VPN server (WireGuard/OpenVPN): Secure, but you need a stable IP address, you have to maintain the server yourself, and configuration is non-trivial.
- Tailscale: No open ports, no own server, works everywhere — including behind CG-NAT (most Dutch internet providers).
How Tailscale works
Tailscale builds a WireGuard mesh between your devices. Each device gets a fixed IP address in the 100.x.x.x range. Devices try to connect directly to each other peer-to-peer. If that is not possible, Tailscale falls back to a relay connection.
For coordination (which devices exist, who may connect to what) Tailscale uses their own control server. That doesn’t see your traffic — only the metadata of your network (which devices are seeking connections).
Works behind CG-NAT too: Tailscale uses DERP relay servers when direct connection is not possible. Even behind the most difficult NAT configurations it works.
Specifications
| Property | Value |
|---|---|
| Technology | WireGuard mesh |
| IP range | 100.64.0.0/10 (Tailscale specific) |
| Free tier | Yes — personal plan with limits |
| Paid | Teams and enterprise plans |
| Platforms | Windows, macOS, Linux, Android, iOS, FreeBSD |
| Router support | Yes (subnet routing) |
| Exit node | Yes — route traffic via a specific device |
| Open-source client | Yes |
| Control server | Tailscale cloud (or self-hosted via Headscale) |
Subnet routing — your entire home network accessible
If you set up Tailscale on a device at home (Raspberry Pi, NAS, server) and activate subnet routing, all devices on your home network become accessible via Tailscale — even devices without Tailscale installed.
Example: your NAS at 192.168.1.100 is reachable at that same address from your laptop at the office, via the Tailscale connection.
Exit node — VPN for all your traffic
You can set up a Tailscale device as an “exit node”. All your internet traffic then runs through that device. Useful when you have a secure home network and you’re on public Wi-Fi — you browse via your home connection.
This is comparable to a traditional VPN, but via your own hardware.
Alternatives
Headscale — self-hosted Tailscale control server
Tailscale’s control server coordinates the network. Headscale is an open-source, self-hosted implementation of that control server. You run it on your own VPS or server, and Tailscale clients connect to your server instead of Tailscale’s cloud.
Advantage: No dependency on Tailscale as a company. Full control over who has access. Disadvantage: You must manage, update and secure a server. More work.
When to choose Headscale: If privacy from Tailscale (the company) is a requirement, or if you want the control server under your own management.
ZeroTier — alternative mesh protocol
ZeroTier is a comparable mesh VPN technology with its own protocol. Works on more platforms (including some embedded systems) and has its own virtual network layer.
| Tailscale | ZeroTier | Headscale | |
|---|---|---|---|
| Protocol | WireGuard | ZeroTier own | WireGuard |
| Control server | Tailscale cloud | ZeroTier cloud | Self-hosted |
| Free tier | Unlimited devices / up to 6 users on Personal | 25 devices | Self-hosted |
| Setup | Very easy | Easy | Complex |
| Open-source | Client | Client | Fully |
WireGuard manual — maximum control
WireGuard configured directly without Tailscale or ZeroTier. You manage the keys, configuration files and server yourself. No dependency on external services.
When: If you already have a VPS or home server, and are willing to manage configuration manually. More work than Tailscale, but fully open-source and fully self-managed.
When to use what?
| Situation | Recommendation |
|---|---|
| Make home network accessible, simple | Tailscale free tier |
| No dependency on external control server | Headscale on own VPS |
| Home network as VPN exit node | Tailscale exit node |
| Maximum control, no external services | WireGuard manual |
| Embedded devices or exotic platforms | ZeroTier |
Installation in 3 steps (Tailscale)
- Create an account at tailscale.com with a supported login method
- Install the Tailscale client on each device:
curl -fsSL https://tailscale.com/install.sh | sh(Linux), or via app store - Run
tailscale upand authenticate — the device appears directly in your network
All devices with the same account are reachable at their 100.x.x.x address.
Caveats
Tailscale as a company: Tailscale’s control server coordinates your network. They see which devices exist and when they seek connections — not the content of traffic. If that is a concern: Headscale.
Free tier limitations: Tailscale’s Personal plan is generous for home use: unlimited devices, up to 6 users (check current limits at tailscale.com/pricing). For teams and businesses there are paid plans.
Next step
Decide first
- Which network setup fits your profile? — decide whether Tailscale is enough or whether you need router or segmentation work
Alternatives
- Setting up a GL.iNet travel router — VPN at router level
- Network security for crypto users — network as part of a broader security strategy