
Tailscale — Trivia & Interesting Facts

Surprising, historical, and little-known facts about Tailscale and WireGuard-based networking.


Tailscale was founded by ex-Google engineers shaped by BeyondCorp

Avery Pennarun, David Crawshaw, and David Carney founded Tailscale in 2019. Brad Fitzpatrick, who created LiveJournal and memcached and later worked on the Go standard library at Google, joined shortly afterwards as one of the first engineers rather than as a co-founder. The team's experience with Google's BeyondCorp model (authenticate every user and device, trust no network segment) shaped Tailscale's design philosophy: every device should be able to connect securely to every other device without a VPN concentrator in the path or per-site firewall rules.


Tailscale uses WireGuard but adds the missing control plane

WireGuard is an excellent tunnel protocol, but it deliberately stops at the data plane: it has no mechanism for distributing public keys, assigning addresses, learning a peer's current endpoint, or traversing NAT. Tailscale wraps WireGuard in a coordination server (the control plane) that handles key exchange, peer discovery, NAT traversal, and IP assignment. The analogy is EVPN providing a control plane for VXLAN: the tunnel encapsulation is useful only with orchestration around it. One security-relevant detail: each node generates its WireGuard private key locally and sends only the public key to the coordination server, so the control plane decides who may talk to whom but never holds the material needed to decrypt the traffic.


DERP servers are Tailscale's fallback for the worst NAT scenarios

Tailscale does not wait for a direct path before sending traffic: a new connection starts over a DERP (Designated Encrypted Relay for Packets) server while the direct path is negotiated, and upgrades to peer-to-peer as soon as one is found. When no direct path can be found (typically hard or symmetric NAT, or a restrictive firewall, on both sides), the connection stays on DERP. DERP relays the WireGuard packets over HTTPS on port 443, so the traffic passes through Tailscale's infrastructure, but because the payload remains WireGuard-encrypted end-to-end between the two nodes, the relay cannot read it. What a relay does see is metadata: which node keys are exchanging traffic, when, and how much. Tailscale operates DERP servers in regions on every major continent, and a tailnet can add its own relays if that metadata should stay in-house.


Tailscale assigns addresses from the 100.64.0.0/10 CGNAT range

Tailscale allocates IPv4 addresses from 100.64.0.0/10, the Carrier-Grade NAT range defined in RFC 6598, and IPv6 addresses from fd7a:115c:a1e0::/48. The CGNAT choice was pragmatic: the range rarely collides with LANs (which mostly use 10.0.0.0/8 or 192.168.0.0/16), yet it is not routable on the public internet. It is not collision-free, though; some ISPs and some cloud or container setups use 100.64.0.0/10 internally, which is worth checking before a rollout. Each device gets a stable /32 (and /128) address that belongs to the node rather than to any network, so your laptop has the same Tailscale IP at home, at a coffee shop, and on cellular.


NAT traversal in Tailscale uses techniques from the VoIP era

Tailscale's NAT traversal uses STUN to learn a node's public endpoint, UDP hole punching, port-mapping protocols (UPnP, NAT-PMP, PCP) where the router offers them, and birthday-paradox probing against hard NATs that randomise ports. Most of these techniques were developed for VoIP (SIP/RTP) in the 2000s. Tailscale achieves direct connections in approximately 94% of cases according to statistics it has published; the remaining 6% stay on a DERP relay.
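The direct-versus-relayed split described in this section and the previous one is visible per peer in `tailscale status --json`. The following Python is an added example, not code from the page or from Tailscale: it reads that JSON shape and classifies each peer using the CurAddr, Relay, Active and Online fields that output carries (CurAddr is empty when there is no direct path; Relay is the DERP region). The embedded status document is constructed; its hostnames, keys and addresses are made up.

```python
import json
from collections import Counter

# Constructed sample in the shape of `tailscale status --json` (abridged).
# Field names follow the real output; hosts, node keys and addresses are invented.
SAMPLE_STATUS = r'''
{
  "BackendState": "Running",
  "Self": {"HostName": "laptop", "TailscaleIPs": ["100.101.102.103"], "Relay": "fra"},
  "Peer": {
    "nodekey:aaaa": {"HostName": "homeserver", "TailscaleIPs": ["100.64.1.10"],
                     "CurAddr": "203.0.113.7:41641", "Relay": "fra",
                     "Online": true, "Active": true},
    "nodekey:bbbb": {"HostName": "office-nas", "TailscaleIPs": ["100.64.1.11"],
                     "CurAddr": "", "Relay": "lhr",
                     "Online": true, "Active": true},
    "nodekey:cccc": {"HostName": "phone", "TailscaleIPs": ["100.64.1.12"],
                     "CurAddr": "", "Relay": "nyc",
                     "Online": true, "Active": false},
    "nodekey:dddd": {"HostName": "old-pi", "TailscaleIPs": ["100.64.1.13"],
                     "CurAddr": "", "Relay": "",
                     "Online": false, "Active": false}
  }
}
'''


def classify_peer(peer: dict) -> str:
    """Return 'direct', 'relayed', 'idle' or 'offline' for one peer entry.

    CurAddr is the peer's current public endpoint and is empty when no direct
    path exists.  Relay is the DERP region the peer is reached through (it is
    also filled in for direct peers, as the fallback).  Active means traffic
    has flowed recently; Tailscale only negotiates a path when there is
    traffic, so an inactive peer with no CurAddr has simply not been probed yet.
    """
    if not peer.get("Online", False):
        return "offline"
    if peer.get("CurAddr"):
        return "direct"
    if peer.get("Active", False):
        return "relayed"
    return "idle"


def summarize(status_json: str) -> dict:
    """Group peers by path type and count the DERP regions the relayed ones use."""
    status = json.loads(status_json)
    result = {"direct": [], "relayed": [], "idle": [], "offline": []}
    regions = Counter()
    for peer in status.get("Peer", {}).values():
        kind = classify_peer(peer)
        result[kind].append(peer.get("HostName", "?"))
        if kind == "relayed":
            regions[peer.get("Relay") or "unknown"] += 1
    result["relay_regions"] = dict(regions)
    # Direct-path ratio over the peers that actually have a path right now.
    with_path = len(result["direct"]) + len(result["relayed"])
    result["direct_ratio"] = len(result["direct"]) / with_path if with_path else None
    return result


if __name__ == "__main__":
    import sys
    # `tailscale status --json | python3 this_script.py -` reads live output.
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_STATUS
    summary = summarize(data)
    for kind in ("direct", "relayed", "idle", "offline"):
        print(f"{kind:8s} {', '.join(summary[kind]) or '-'}")
    print("relay regions:", summary["relay_regions"])
    print("direct ratio:", summary["direct_ratio"])
```

Running this periodically against live output gives a local version of the 94% figure: peers that remain "relayed" for a long time are the ones whose NATs or firewalls are worth looking at.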


MagicDNS gives every device a hostname that works everywhere

Tailscale's MagicDNS automatically registers a DNS name for every device in your tailnet (e.g., my-laptop.tailnet-name.ts.net) and resolves it to the device's Tailscale IP, so `ssh my-laptop` works whether you are on the same LAN or on another continent. The names are answered by the resolver built into tailscaled on each node, so they resolve only on machines that are part of the tailnet. This removes the need to remember IP addresses or run a separate internal DNS zone for services reachable over Tailscale.


Tailscale ACLs are defined in a single policy file, not scattered across devices

Unlike traditional firewalls where rules are spread across dozens of devices, Tailscale's access control lives in one centralized tailnet policy file, written in HuJSON (JSON with comments and trailing commas). The control plane pushes to each node the rules that concern it, and every node enforces the inbound rules for traffic addressed to itself, so a compromised node cannot widen its own reach by editing local state. A security team can therefore review the whole network's access policy in one place, something most enterprise networks cannot offer. One caveat: a new tailnet starts with an allow-all rule (src `*` to dst `*:*`), so the single file is only as good as the review it gets.


Headscale is an open-source alternative to Tailscale's coordination server

Headscale, created by Juan Font in 2021, is an open-source implementation of the Tailscale coordination server. It allows self-hosting the control plane while still using the Tailscale client software: tailscaled and the CLI are open source, while the macOS, iOS and Windows GUI apps are partly closed but can be pointed at a custom control server. Headscale is a community project without Tailscale's support, and it demonstrates that Tailscale's architecture is clean enough to reimplement: the control plane is key distribution, peer coordination and policy distribution, while WireGuard handles all the actual encryption and tunneling.


Tailscale SSH replaces SSH key management with tailnet identity

Tailscale SSH lets users SSH into machines using their Tailscale identity instead of SSH keys. With `tailscale up --ssh`, tailscaled itself listens for SSH on the node's Tailscale address and decides whether to accept a session from the `ssh` section of the tailnet policy file, which maps source users or tags to destination nodes and the local accounts they may log in as. Because the connection arrives over WireGuard from a node whose key the control plane has already tied to an SSO-authenticated user, no authorized_keys entry is needed, and a rule can demand `check` mode, which makes the user re-authenticate in the browser before the session opens. This removes the per-user SSH key lifecycle (generation, distribution, rotation, revocation) in favour of identity-based policy. The node still keeps its own host key, and access is only as strong as the policy file and the SSO accounts behind it.
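Reviewing the single policy file described two sections above, including its `ssh` rules, is a job worth automating. The following Python is an added example, not Tailscale's code: it strips HuJSON comments and trailing commas so the standard `json` module can parse the file, then flags the allow-all default rule, destinations that open every port, and SSH rules that grant root without `check` re-authentication. Both embedded policies are constructed; `acls`, `ssh`, `action`, `check` and `checkPeriod` are real policy-file fields, while the group and tag names are made up.

```python
import json
import re

# Constructed tailnet policy in HuJSON (JSON plus comments and trailing commas).
# It mirrors the allow-all default a new tailnet starts with and adds a
# deliberately weak SSH rule.  Groups and tags are invented for the example.
WEAK_POLICY = r'''
{
  "tagOwners": {"tag:prod": ["group:ops"]},
  // Default policy: everyone can reach everything on every port.
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
  ],
  "ssh": [
    // Any member may SSH to prod as root, with no re-authentication.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:prod"],
     "users": ["root", "autogroup:nonroot"]},
  ],
}
'''

# The same tailnet with least-privilege rules.
HARDENED_POLICY = r'''
{
  "tagOwners": {"tag:prod": ["group:ops"], "tag:dev": ["group:dev"]},
  "acls": [
    // Developers reach dev boxes only, on the ports they need.
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:dev:22,443"]},
    // Ops reach prod on SSH and HTTPS.
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod:22,443"]},
  ],
  "ssh": [
    // Members may SSH to their own devices as a non-root account.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"],
     "users": ["autogroup:nonroot"]},
    // Root on prod requires browser re-authentication, repeated every 12 hours.
    {"action": "check", "checkPeriod": "12h", "src": ["group:ops"], "dst": ["tag:prod"],
     "users": ["root"]},
  ],
}
'''

# Match string literals first so a "//" inside a quoted value survives, then
# line and block comments.  Only the comment matches are dropped.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)


def hujson_to_json(text: str) -> str:
    """Strip HuJSON comments and trailing commas so json.loads can parse the result."""
    without_comments = _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return re.sub(r",(\s*[}\]])", r"\1", without_comments)


def lint_policy(text: str) -> list:
    """Return human-readable findings for over-broad ACL and SSH rules."""
    policy = json.loads(hujson_to_json(text))
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        srcs, dsts = rule.get("src", []), rule.get("dst", [])
        if "*" in srcs and any(d in ("*:*", "*") for d in dsts):
            findings.append(f"acls[{i}]: allow-all rule (src * -> dst *:*), i.e. the unreviewed default")
        elif any(d.endswith(":*") for d in dsts):
            findings.append(f"acls[{i}]: every port open on {dsts}; restrict to the ports actually needed")
    for i, rule in enumerate(policy.get("ssh", [])):
        if "root" in rule.get("users", []) and rule.get("action") != "check":
            findings.append(f"ssh[{i}]: root login granted without 'check' re-authentication")
        if rule.get("action") == "check" and "checkPeriod" not in rule:
            findings.append(f"ssh[{i}]: check rule relies on the default checkPeriod; set it explicitly")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {lint_policy(text) or ['no findings']}")
```

The same parser can be pointed at the policy exported from the admin console; the checks are deliberately simple string matches so that the list of "things we never want to see" can grow as a team's own rules do.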


Subnet routers let Tailscale reach devices that can't run Tailscale

Not every device can run Tailscale (printers, IoT devices, appliances, legacy servers). A subnet router is a Tailscale node that advertises routes to local subnets (for example `tailscale up --advertise-routes=192.168.1.0/24`); once an admin approves the route, any tailnet device can reach those non-Tailscale hosts, and ACLs can name the subnet's CIDRs as destinations. This plays the role of a traditional VPN concentrator or site-to-site gateway, but as a single binary on any Linux box with IP forwarding enabled rather than dedicated hardware. By default the router source-NATs forwarded traffic to its own address, so the destination hosts see the router rather than the original tailnet IP unless you disable that and route the tailnet range back. Several subnet routers can advertise the same routes: Tailscale treats one as primary and fails over to another if it goes offline.
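Because a subnet router injects routes into the tailnet, it pays to lint the advertised prefixes before approving them. The Python below is an added example, not Tailscale's code: given a constructed inventory of routers and their routes, it reports identical prefixes (the intended failover pairs), different but overlapping prefixes (where longest-prefix match silently decides which router carries the traffic), and routes that collide with the tailnet's own 100.64.0.0/10 and fd7a:115c:a1e0::/48 ranges from the CGNAT section above, which would shadow tailnet peers. Router names and prefixes are made up.

```python
import ipaddress

# Tailnet address ranges: the IPv4 CGNAT block (RFC 6598) and Tailscale's IPv6 prefix.
TAILNET_RANGES = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed inventory of subnet routers and the routes each advertises.
# Hostnames and prefixes are invented for the example.
ADVERTISED = {
    "router-a": ["192.168.1.0/24", "10.20.0.0/16"],
    "router-b": ["192.168.1.0/24"],   # same prefix as router-a: a failover pair
    "router-c": ["10.20.5.0/24"],     # nested inside router-a's /16
    "router-d": ["100.64.0.0/24"],    # collides with the tailnet's own range
}


def is_tailnet_address(addr: str) -> bool:
    """True if addr falls inside a Tailscale-assigned range (v4 CGNAT or v6 prefix)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TAILNET_RANGES)


def lint_routes(advertised: dict) -> dict:
    """Classify advertised routes as failover duplicates, overlaps, or tailnet collisions."""
    findings = {"failover": [], "overlap": [], "tailnet_collision": []}
    by_prefix = {}  # network -> routers advertising exactly that prefix
    for host, prefixes in advertised.items():
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            # A route inside the tailnet range would shadow tailnet peers.
            if any(net.overlaps(t) for t in TAILNET_RANGES if t.version == net.version):
                findings["tailnet_collision"].append((host, str(net)))
            by_prefix.setdefault(net, []).append(host)
    # Identical prefixes from several routers are redundancy, worth confirming on purpose.
    for net, hosts in by_prefix.items():
        if len(hosts) > 1:
            findings["failover"].append((str(net), sorted(hosts)))
    # Different prefixes that overlap: the more specific one wins, which may surprise.
    nets = list(by_prefix)
    for i, n1 in enumerate(nets):
        for n2 in nets[i + 1:]:
            if n1.version == n2.version and n1.overlaps(n2):
                findings["overlap"].append((str(n1), str(n2)))
    return findings


if __name__ == "__main__":
    for kind, items in lint_routes(ADVERTISED).items():
        print(f"{kind}: {items or 'none'}")
```

The inventory could equally be built from the admin console's route list; the point is to make the implicit longest-prefix and address-range interactions explicit before a route is approved.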