Tailscale review — private mesh network for your own devices
Who is this for? Home users and IT professionals who want to securely reach their own devices from outside — without open ports or managing a VPN server. See the [Tailscale guide](/en/guides/tailscale-mesh-vpn-guide/) for setup and alternatives.
Tailscale review
Who is this for? Home users and IT professionals who want to securely reach their own devices from outside — without open ports or managing a VPN server. See the Tailscale guide for setup and alternatives.
Tailscale is not a regular VPN. It is mainly designed to connect your own devices securely to each other. Tailnet traffic is encrypted, but Tailscale is not primarily built to anonymise your general web traffic the way Mullvad or IVPN are.
How Tailscale works
Tailscale builds a WireGuard mesh between your devices. Each device in your network gets a fixed IP address in the 100.x.x.x range. Connections are usually peer-to-peer: your laptop connects directly to your NAS at home and falls back to a relay if direct traffic does not work.
For coordination — which devices exist, who may connect — Tailscale uses its own cloud control server. That server doesn’t see your traffic itself, but does know which devices are in your network.
Works behind CG-NAT: Most ISPs use CG-NAT (you share an IP address with other customers). Regular VPN servers can’t break through this. Tailscale uses DERP relay servers when a direct connection fails.
Tailscale vs a regular VPN
| Tailscale | Mullvad / ProtonVPN | |
|---|---|---|
| Purpose | Connect your own devices | Anonymize internet traffic |
| Hides IP | No | Yes |
| Encrypts traffic | Yes, inside your tailnet / via exit node | Yes, via VPN provider |
| Own devices reachable | Yes | No |
| Requires open ports | No | n/a |
| Control server | Tailscale cloud | VPN provider |
Tailscale and a VPN are not mutually exclusive — you can use both simultaneously for different purposes.
Practical use cases
Reach NAS or server at home: Activate subnet routing on a home device. All devices on your home network are then reachable from your Tailscale network — including devices without Tailscale installed.
Exit node: Set a home device as exit node. All your internet traffic then runs through your home connection. Useful on public Wi-Fi — comparable to a self-hosted VPN.
Remote device management: SSH to home without dynamic DNS, port forwarding, or firewall changes. Works even when the device is behind CG-NAT.
Pricing
| Plan | Price | Devices | Users |
|---|---|---|---|
| Personal | Free | Unlimited | Up to 6 |
| Standard | Paid per user | Unlimited | Unlimited |
| Premium | Paid per user | Unlimited | Unlimited |
The free Personal tier is sufficient for most home users.
Headscale — self-hosted control server
Tailscale’s control server coordinates the network but doesn’t see your traffic. For those who also don’t want that metadata knowledge at Tailscale, Headscale exists: an open-source, self-hosted implementation of the control server. Tailscale clients then connect to your own server.
Headscale requires a VPS or always-on server and some configuration. See the Tailscale guide for setup instructions.
Caveats
Control server trust: Tailscale’s cloud knows which devices are in your network and when they connect. It doesn’t see your traffic, but the metadata stays with Tailscale. Use Headscale if that’s a concern.
No anonymity: Tailscale doesn’t hide your IP address from websites you visit. It’s a connectivity tool, not an internet traffic privacy tool.
Always-on connection: To keep home devices reachable, one device must always be on. A Raspberry Pi or NAS is ideal for this.
Alternatives
| Tailscale | ZeroTier | Netbird | WireGuard manual | |
|---|---|---|---|---|
| Setup | Zero-config | Simple | Simple | Complex configuration |
| Control server | Tailscale cloud | ZeroTier cloud | Netbird cloud / self-host | Fully yours |
| Self-host option | Via Headscale | Via ZeroTier-one | Built-in | n/a |
| Open-source client | Yes | Yes | Yes | Yes |
| Free tier | Unlimited devices | 25 devices | 5 users | Always free |
ZeroTier is the closest alternative: similar mesh concept, but with a different protocol. Netbird is newer and strong on self-hosting. WireGuard manually gives maximum control but requires your own server and per-device configuration.
For home use, Tailscale is the simplest choice. For full control without cloud dependency: Netbird or WireGuard directly.
Pros and cons
Pros
- Zero-config setup — devices join the network without port forwarding, firewall changes, or dynamic DNS
- Works behind CG-NAT — reaches home devices even when the ISP uses shared IP addresses
- Free Personal tier supports unlimited devices and up to 6 users — sufficient for home use indefinitely
- Exit node feature routes all traffic through a home device — acts as a self-hosted VPN on public Wi-Fi
- Headscale allows self-hosting the control server for users who don’t want Tailscale to see device metadata
Cons
- Does not hide your IP address from websites — not a replacement for Mullvad or ProtonVPN for anonymity
- Control server knows which devices are in your network and when they connect — metadata stays with Tailscale unless using Headscale
- Keeping home devices reachable requires one device to be always on
Conclusion
Tailscale is the simplest way to connect your own devices over the internet. Zero-config, works behind CG-NAT, free for home use. If you’ve ever wished you could SSH home without port forwarding hassle — this is the solution.
Don’t confuse it with a VPN for anonymity. For that, use Mullvad or IVPN.
See also:
- Tailscale guide: setup and configuration — step-by-step installation and Headscale
- VPN: what it does and doesn’t do — difference between Tailscale and a real VPN
- Mullvad VPN review — VPN for anonymizing internet traffic
- Profile: IT professional — home network as attack surface