Tailscale

1. What is Tailscale?

Tailscale is a secure, peer-to-peer networking tool built on top of WireGuard (a modern VPN protocol).
It creates a virtual private network (VPN-like) overlay, but unlike traditional VPNs, it forms a mesh network: every device can potentially connect directly to every other device.

Architecture: Client → VPN Server → Destination.
The client always connects to a central VPN server.
The VPN server forwards traffic to the target destination.
The destination sees traffic as coming from the VPN server, not the actual client.
This setup hides the client’s IP but introduces latency and a single point of failure.

Architecture: Peer-to-Peer mesh.
Each device runs a lightweight agent that authenticates via Tailscale’s coordination servers, but then talks directly to other peers whenever possible.
No single “choke point server” — connections are distributed and resilient.
Uses the same encryption protocol as a VPN (WireGuard), but connection paths differ.

Problem: Devices are often behind NAT (home routers, firewalls) that block unsolicited inbound traffic.
Solution in Tailscale:
- Both peers send simultaneous UDP packets toward each other (called UDP hole punching).
- This convinces NAT devices on both sides to “open a hole,” allowing traffic to flow directly.
This method works most of the time without requiring you to expose ports to the open internet.

When UDP hole punching doesn’t work (e.g., symmetric NATs, locked-down firewalls), Tailscale uses DERP relays:

What is DERP?
- Stands for Designated Encrypted Relay for Packets.
- A global fleet of relay servers run by Tailscale, placed in many geographic regions.
- They don’t terminate connections — they only forward encrypted WireGuard packets.
How DERP works:
1. Both peers connect outbound to the same DERP server (firewalls usually allow outbound HTTPS/UDP).
2. Each peer maintains a persistent connection to DERP.
3. DERP simply forwards packets from Peer A’s connection to Peer B’s connection.
4. Because the packets are still encrypted end-to-end with WireGuard, DERP cannot read the contents.
Why DERP enables hidden machines to connect:
- Machines behind restrictive NATs can always initiate outbound connections (to DERP).
- Since both peers make outbound connections to DERP, they don’t need to open inbound ports.
- DERP becomes a neutral mailbox in the cloud, shuttling encrypted packets between peers.
Performance tradeoff:
- Direct peer-to-peer is faster (LAN-like speeds).
- DERP adds extra latency (traffic takes a detour via relay).
- But DERP guarantees connectivity even in hostile networking environments.

No need to expose ports: services stay behind NAT/firewalls.
Cross-platform: works on Linux, macOS, Windows, iOS, Android, containers.
Easy setup: no need to run your own VPN server.
Scalability: great for teams, servers, IoT, or personal homelabs.
Performance: when hole punching succeeds, latency is similar to a direct LAN connection.
Resiliency: when hole punching fails, DERP ensures connectivity.

VPNs = centralized, client-server, mask client identity.
Tailscale = decentralized mesh, peer-to-peer first, fallback to encrypted relays.
Hole punching enables direct communication without exposing ports.
DERP relays provide a universal fallback by acting as a neutral packet forwarder.