Tailscale is a modern VPN solution that builds secure, peer-to-peer mesh networks using the WireGuard protocol.
I use Tailscale primarily to access my homelab from outside, especially useful for Syncthing.
How it works
reference: https://tailscale.com/blog/how-tailscale-works
Data Plane: WireGuard Tunnels
Tailscale uses WireGuard to create encrypted tunnels between devices (“nodes”).
Unlike traditional VPNs that use a central hub (hub-and-spoke), Tailscale enables a mesh network where every node can connect directly to others, improving performance and reducing latency.
Control Plane: Key Exchange and Coordination
Tailscale nodes generate their own encryption keys and communicate with a central coordination server (login.tailscale.com).
This server acts as a “key drop box” to distribute public keys and connection info, but never handles private keys or actual data traffic.
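To make the "key drop box" idea concrete, here is a small added example (not code from Tailscale or from this page) that models the control plane described above in Go, the language Tailscale itself is written in. Each node generates an X25519 key pair locally using the standard library's crypto/ecdh, publishes only its public key and endpoint to a toy coordinator, and then derives a pairwise shared secret directly with each peer. The coordinator never holds a private key and never sees a shared secret, so it cannot read traffic. The Node, Coordinator and PeerInfo types are assumptions for illustration; a real WireGuard handshake (Noise IK) involves more than a single ECDH, but the trust boundary is the same.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
)

// Node models a mesh peer. Its private key is generated here and never leaves it.
// (Hypothetical type for illustration, not a Tailscale API.)
type Node struct {
	Name     string
	Endpoint string
	priv     *ecdh.PrivateKey
}

// NewNode generates a fresh X25519 key pair on the node itself.
func NewNode(name, endpoint string) (*Node, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{Name: name, Endpoint: endpoint, priv: priv}, nil
}

// PeerInfo is the only thing the coordinator is allowed to store:
// a public key plus connection info, nothing secret.
type PeerInfo struct {
	Name      string
	Endpoint  string
	PublicKey []byte
}

// Coordinator is a toy "key drop box" standing in for the coordination server.
type Coordinator struct {
	peers map[string]PeerInfo
}

func NewCoordinator() *Coordinator {
	return &Coordinator{peers: map[string]PeerInfo{}}
}

// Register publishes a node's public key and endpoint. The private key is not part of the record.
func (c *Coordinator) Register(n *Node) {
	c.peers[n.Name] = PeerInfo{
		Name:      n.Name,
		Endpoint:  n.Endpoint,
		PublicKey: n.priv.PublicKey().Bytes(),
	}
}

// Lookup returns what the coordinator knows about a peer.
func (c *Coordinator) Lookup(name string) (PeerInfo, bool) {
	p, ok := c.peers[name]
	return p, ok
}

// SharedSecret runs X25519 ECDH locally against a peer's published public key.
// Only the two endpoints can compute this value; the coordinator cannot.
func (n *Node) SharedSecret(peer PeerInfo) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer.PublicKey)
	if err != nil {
		return nil, err
	}
	return n.priv.ECDH(pub)
}

// PairAgrees checks that two nodes, using only coordinator-published data,
// derive the same secret for their direct (mesh) link.
func PairAgrees(c *Coordinator, a, b *Node) (bool, error) {
	infoA, okA := c.Lookup(a.Name)
	infoB, okB := c.Lookup(b.Name)
	if !okA || !okB {
		return false, fmt.Errorf("peer not registered")
	}
	sA, err := a.SharedSecret(infoB)
	if err != nil {
		return false, err
	}
	sB, err := b.SharedSecret(infoA)
	if err != nil {
		return false, err
	}
	return bytes.Equal(sA, sB), nil
}

func main() {
	// Constructed sample endpoints; in practice these come from NAT traversal.
	coord := NewCoordinator()
	laptop, _ := NewNode("laptop", "203.0.113.10:41641")
	homelab, _ := NewNode("homelab", "198.51.100.7:41641")
	coord.Register(laptop)
	coord.Register(homelab)
	ok, err := PairAgrees(coord, laptop, homelab)
	fmt.Println("laptop<->homelab shared secret agrees:", ok, err)
}
```

Every pair of nodes in the mesh repeats this with its own pair of keys, which is why traffic between any two devices never has to pass through the coordination server.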
NAT Traversal
Tailscale uses advanced NAT traversal techniques (STUN, ICE) to allow connections even when devices are behind firewalls or NATs, with no need for manual port forwarding.
DERP Relays
If direct connections aren’t possible, Tailscale relays encrypted traffic through global DERP (Designated Encrypted Relay for Packets) servers.
DERP servers only forward already-encrypted WireGuard packets; they hold no node keys, so they cannot decrypt the traffic they relay.