TL;DR Summary
Tailscale builds a private mesh network between your devices using WireGuard. Once installed, every device on your network is reachable from any other, anywhere in the world, as if they were on the same LAN. No router ports opened, no dynamic DNS to maintain, no central server to manage. I’ve been using it for 6 months and haven’t touched my router settings since.
The Core Problem: Accessing Devices Across Networks
Say you’re at a coffee shop and need to SSH into your home server. Or you’re traveling and need a file from your NAS. Or you’re at work and want to access your Home Assistant instance.
Traditional solutions:
- Port forwarding — insecure, requires router access, breaks when ISP changes your IP
- Static IP — expensive, ISPs don’t reliably offer this for residential connections
- VPN (OpenVPN/WireGuard server) — one device acts as hub, all traffic flows through it, single point of failure
- SSH tunneling — works but fragile, requires knowing your public IP
None of these are easy to set up and maintain for a normal person. Tailscale is different.
What Tailscale Actually Is
Tailscale is a control plane built on top of WireGuard. It handles the hard parts of peer-to-peer networking:
- NAT traversal — devices behind firewalls and NAT find ways to connect directly to each other
- Key management — WireGuard keys are generated and distributed automatically
- Identity — devices authenticate via your SSO provider (Google, GitHub, Microsoft) instead of shared secrets
- Network topology — you define which devices can reach which, and Tailscale enforces it
Once installed, you have a virtual network where every device has a stable IP address (like 100.64.0.x) and can reach every other device directly.
Installing Tailscale
On Your Server (Linux)
```bash
# Install
curl -fsSL https://tailscale.com/install.sh | sh
# Connect with your SSO
sudo tailscale up
# This opens a browser window for authentication
```
That’s it. Once authenticated, your server joins your private network and gets an IP like 100.64.0.2.
On Your Phone/Desktop
Download the Tailscale app for iOS, Android, macOS, or Windows. Log in with the same SSO provider and your device joins the network immediately.
You’ll see all your devices listed with their Tailscale IPs.
What You Can Do Once Connected
SSH from Anywhere
```bash
# From your laptop at a coffee shop
ssh user@100.64.0.2
# That's it. No IP to remember, no VPN client to connect.
```
Your server is reachable by its Tailscale IP from any device on your network. It works on mobile data too.
Access Your NAS
Map a network drive on macOS/Windows to `\\100.64.0.2\shared`. No VPN client needed, no matter where you are.
VNC/Remote Desktop
Connect to your home computer via Tailscale IP: vnc://100.64.0.4 — feels like you’re on the same network.
Self-Hosted Services
Access your AdGuard at http://100.64.0.2:53, your Jellyfin at http://100.64.0.2:8096, your Home Assistant at http://100.64.0.2:8123 — all without exposing any ports.
Using Tailscale as an Exit Node
Tailscale’s free tier also lets you route all your traffic through a specific device — useful for using your home IP when you’re traveling, or routing through a server in a specific country.
On your home server, advertise as an exit node:
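```bash
# Advertise this machine as an exit node; it must then be approved in the admin console
sudo tailscale up --advertise-exit-node
```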
Then on your phone, enable exit node routing: Settings → Use exit node → select your home server.
Now all your phone’s internet traffic routes through your home server. Your ISP sees your home IP. This is useful on untrusted WiFi networks — you’re effectively on your own private VPN.
Sharing Access Without Sharing Credentials
The most powerful feature: you can invite others to your network without giving them SSO credentials.
In the Tailscale admin console (tailscale.com/admin), create a shareable link. Anyone who clicks it and authenticates gets added to your network — no admin credentials shared.
For a family member to access your home server, just send them an invite link. They install Tailscale, log in, and can reach your services. Revoke access anytime from the admin console — their device is immediately removed from the network.
This is incredibly useful for:
- Family tech support (remotely access a parent’s computer)
- Small team infrastructure (contractors can join your network temporarily)
- Client projects (give auditors read-only access to specific services)
ACLs: Control What Each Device Can Reach
Tailscale’s Access Control Lists let you define rules about which devices can reach which:
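```json
{
  // Placeholder member; list the accounts that belong to the group.
  "groups": { "group:family": ["parent@example.com"] },
  // Who is allowed to apply the tag to a device.
  "tagOwners": { "tag:homeserver": ["autogroup:admin"] },
  // Host alias, assumed here to be the iPhone at 100.64.0.3 from the device table.
  "hosts": { "jefferson-iphone": "100.64.0.3" },
  "acls": [
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["tag:homeserver:22,80,443,8080-8090"]
    },
    {
      "action": "accept",
      "src": ["jefferson-iphone"],
      "dst": ["tag:homeserver:22"]
    }
  ]
}
```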
Your phone can only SSH into your server. Family devices can reach web services. Contractors can only reach specific tagged resources. Revoke a device and all rules stop applying immediately.
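The policy above, checked against the service ports this page lists, as an added example that is not Tailscale's code or the author's: a simplified Python model of accept-rule matching with default deny. The group member `parent@example.com` and all function names are assumptions. It shows that Jellyfin (8096) and Home Assistant (8123) fall outside `8080-8090`, so family devices could not reach them under this policy.

```python
# Simplified model of Tailscale ACL matching; not Tailscale's implementation.
POLICY = {
    # Assumed group membership (constructed; the page does not list members).
    "groups": {"group:family": ["parent@example.com"]},
    "acls": [
        {"action": "accept", "src": ["group:family"],
         "dst": ["tag:homeserver:22,80,443,8080-8090"]},
        {"action": "accept", "src": ["jefferson-iphone"],
         "dst": ["tag:homeserver:22"]},
    ],
}
# Service ports taken from the page's self-hosted services section.
SERVICES = {"ssh": 22, "jellyfin": 8096, "home-assistant": 8123}

def parse_dst(dst):
    """Split 'target:ports' into (target, [(low, high), ...])."""
    target, _, ports = dst.rpartition(":")
    ranges = []
    for part in ports.split(","):
        low, _, high = ("0-65535" if part == "*" else part).partition("-")
        ranges.append((int(low), int(high or low)))
    return target, ranges

def src_matches(policy, selector, identities):
    """identities: names the connecting device answers to (user, host alias, tag)."""
    if selector.startswith("group:"):
        return bool(identities & set(policy["groups"].get(selector, [])))
    return selector == "*" or selector in identities

def allowed(policy, identities, target, port):
    """True only if some accept rule covers (source, target, port)."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(src_matches(policy, s, identities) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            dst_target, ranges = parse_dst(dst)
            if dst_target in ("*", target) and any(lo <= port <= hi for lo, hi in ranges):
                return True
    return False  # no rule matched: default deny

def audit(policy, identities, target, services):
    """Report, per service, whether this device may reach it on the target."""
    return {name: allowed(policy, identities, target, p) for name, p in services.items()}

if __name__ == "__main__":
    for who in ({"parent@example.com"}, {"jefferson-iphone"}):
        print(sorted(who), audit(POLICY, who, "tag:homeserver", SERVICES))
```

Running the same audit after every policy edit catches rules that are narrower or wider than the services actually in use.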
Combining with Cloudflare Tunnel
Tailscale and Cloudflare Tunnel solve different problems and work well together.
Use Tailscale for:
- SSH, SCP, rsync
- Database admin (direct port access)
- VNC / remote desktop
- Internal APIs between services
Use Cloudflare Tunnel for:
- Public-facing services (Home Assistant to family members)
- Services you want accessible without Tailscale installed
- Adding Cloudflare’s auth layer to services without built-in login
Both run on your server with no conflict. Tailscale for your personal access, Cloudflare Tunnel for public access.
What I Run
My Tailscale network (all on free tier):
| Device | Tailscale IP | Purpose |
|---|---|---|
| Home server | 100.64.0.2 | Primary homelab, SSH target |
| MacBook Pro | 100.64.0.4 | Daily driver |
| iPhone | 100.64.0.3 | Remote access, exit node client |
| Work laptop | 100.64.0.5 | SSH into home when traveling |
| Parents’ Pi | 100.64.0.6 | Remote support access |
All traffic between devices is encrypted via WireGuard. I haven’t touched my home router in 6 months — port forwarding is disabled entirely.
Limitations
NAT traversal isn’t perfect. Some corporate networks or heavily restricted firewalls prevent peer-to-peer connections. When this happens, Tailscale falls back to DERP relay servers (run by Tailscale). Traffic still goes through Tailscale’s servers in this case, although it remains WireGuard-encrypted between your devices. That is not ideal for latency, but it works.
Free tier has limits. 100 devices is plenty for personal use. But if you want subnet routing (having Tailscale route to an entire network segment, such as reaching 192.168.x.x via your home gateway), you need Tailscale’s paid tier.
You need the app installed. Tailscale requires a client on each device. This works great for phones and computers, but is harder for devices like smart TVs or IoT gadgets where you can’t install software.
Key Takeaways
- Set and forget — install on each device, authenticate, done. Network just works.
- Peer-to-peer — devices connect directly when possible, no VPN server bottleneck.
- SSO authentication — no shared secrets, revoke access from admin console.
- Free for personal use — 100 devices, all the core features.
- Works everywhere — cellular, coffee shop WiFi, corporate networks. Your server is always reachable.
If you’ve been fighting with VPN configs, Dynamic DNS, or router ACLs — Tailscale is the upgrade. Once you’re on it, you stop thinking about remote access entirely.