Tailscale review — private mesh network for your own devices
Tailscale connects all your devices in an encrypted private network without opening ports or managing a VPN server. No anonymity — but a powerful tool for remote home network access.
Tailscale review
Tailscale is not a regular VPN. It doesn’t hide your IP address or encrypt your internet traffic. What it does do: connect your own devices in a private network, regardless of where they are — at home, at the office, on the road. It does this without opening ports, without managing your own server, and without NAT headaches.
How Tailscale works
Tailscale builds a WireGuard mesh between your devices. Each device in your network gets a fixed IP address in the 100.x.x.x range. Connections are peer-to-peer: your laptop connects directly to your NAS at home, not through a central server.
For coordination — which devices exist, who may connect — Tailscale uses its own cloud control server. That server doesn’t see your traffic itself, but does know which devices are in your network.
Works behind CG-NAT: Most ISPs use CG-NAT (you share an IP address with other customers). Regular VPN servers can’t break through this. Tailscale uses DERP relay servers when a direct connection fails.
Tailscale vs a regular VPN
| Tailscale | Mullvad / ProtonVPN | |
|---|---|---|
| Purpose | Connect your own devices | Anonymize internet traffic |
| Hides IP | ❌ | ✅ |
| Encrypts internet traffic | ❌ | ✅ |
| Own devices reachable | ✅ | ❌ |
| Requires open ports | ❌ | n/a |
| Control server | Tailscale cloud | VPN provider |
Tailscale and a VPN are not mutually exclusive — you can use both simultaneously for different purposes.
Practical use cases
Reach NAS or server at home: Activate subnet routing on a home device. All devices on your home network are then reachable from your Tailscale network — including devices without Tailscale installed.
Exit node: Set a home device as exit node. All your internet traffic then runs through your home connection. Useful on public Wi-Fi — comparable to a self-hosted VPN.
Remote device management: SSH to home without dynamic DNS, port forwarding, or firewall changes. Works even when the device is behind CG-NAT.
Pricing
| Plan | Price | Devices | Users |
|---|---|---|---|
| Personal (free) | €0 | 100 | 1 |
| Personal Pro | €18/year | 100 | 1 |
| Business | €6/user/month | Unlimited | Multiple |
The free Personal tier is sufficient for most home users.
Headscale — self-hosted control server
Tailscale’s control server coordinates the network but doesn’t see your traffic. For those who also don’t want that metadata knowledge at Tailscale, Headscale exists: an open-source, self-hosted implementation of the control server. Tailscale clients then connect to your own server.
Headscale requires a VPS or always-on server and some configuration. See the Tailscale guide for setup instructions.
Caveats
Control server trust: Tailscale’s cloud knows which devices are in your network and when they connect. It doesn’t see your traffic, but the metadata stays with Tailscale. Use Headscale if that’s a concern.
No anonymity: Tailscale doesn’t hide your IP address from websites you visit. It’s a connectivity tool, not an internet traffic privacy tool.
Always-on connection: To keep home devices reachable, one device must always be on. A Raspberry Pi or NAS is ideal for this.
Alternatives
| Tailscale | ZeroTier | Netbird | WireGuard manual | |
|---|---|---|---|---|
| Setup | Zero-config | Simple | Simple | Complex configuration |
| Control server | Tailscale cloud | ZeroTier cloud | Netbird cloud / self-host | Fully yours |
| Self-host option | Via Headscale | Via ZeroTier-one | Built-in | n/a |
| Open-source client | ✅ | ✅ | ✅ | ✅ |
| Free tier | 100 devices | 25 devices | 5 users | Always free |
ZeroTier is the closest alternative: similar mesh concept, control server can be self-hosted. Netbird is newer and fully self-hostable out of the box. WireGuard manually gives maximum control but requires your own server and per-device configuration.
For home use, Tailscale is the simplest choice. For full control without cloud dependency: Netbird or WireGuard directly.
Conclusion
Tailscale is the simplest way to connect your own devices over the internet. Zero-config, works behind CG-NAT, free for home use. If you’ve ever wished you could SSH home without port forwarding hassle — this is the solution.
Don’t confuse it with a VPN for anonymity. For that, use Mullvad or IVPN.
See also:
- Tailscale guide: setup and configuration — step-by-step installation and Headscale
- VPN: what it does and doesn’t do — difference between Tailscale and a real VPN
- Mullvad VPN review — VPN for anonymizing internet traffic
- Threat profile: IT professional — home network as attack surface