Tailscale is my favorite modern VPN because it feels like giving every machine a private, static IP address with zero manual routing, while still letting me lock the door based on identity. Under the hood it’s just WireGuard peers, but the control plane, ACL engine, and client experience remove all the toil that usually comes with DIY mesh VPNs.

Reasons it’s such a great tool

  • Zero-config mesh: each client establishes peer-to-peer WireGuard sessions using Tailscale’s NAT traversal and DERP relays, so you rarely touch firewall rules.
  • Identity-aware security: access rules are written against users, groups, devices, or tags instead of brittle IP ACLs.
  • Infrastructure agnostic: the same tailnet can span laptops, Kubernetes nodes, Hyper-V VMs, and subnets/VPCs via subnet routers.
  • Privacy-first: keys stay on your devices, traffic is end-to-end encrypted, and the control plane only sees metadata.

Hands-on: expose a dev service safely

  1. Install the client on macOS/Linux:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-dns=false

  2. Run your service locally (example Flask app, assuming a hello.py that defines the app):

pip install flask
python -m flask --app hello run --port 5000

  3. Share it with your tailnet using Tailscale Serve:

tailscale serve https / http://localhost:5000

Now every device on your tailnet can reach https://hello.your-tailnet.ts.net (hello being this machine's name on the tailnet) over WireGuard, without exposing localhost to the public internet.

  4. Optional: exit node or Funnel – promote that node to an exit node, or use Funnel to hand out a public URL when you really need to demo something to someone outside the tailnet.

Subnet routers and exit nodes

Can’t install the client on every box? Turn any Linux VM into a subnet router (enable IP forwarding on the host first, or nothing will be forwarded):

sudo tailscale up --advertise-routes=10.10.0.0/24 --accept-dns=false

Approve the route in the admin console and suddenly your NAS, printers, or prod VPC are reachable over the same identity-aware network. You can also declare per-user exit nodes (tailscale up --advertise-exit-node) for managed egress at coffee shops.

Sensible automation hooks

  • ACLs-as-code: keep the policy file you edit at tailscale.com/admin/acls in git and roll it out via CI.
  • API + Terraform: script device approvals, key rotation, or route management.
  • SSH over Tailscale: skip inbound port 22 entirely and let tailscale ssh enforce policy.

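The "API + Terraform" hook above is easiest to picture with a concrete audit job. The script below is an added example of mine, not Tailscale's own tooling: it reads a device list in the shape returned by the v2 devices endpoint and reports subnet routes that are advertised but not yet approved, keys about to expire, and devices still awaiting approval. The field names it relies on ("name", "authorized", "advertisedRoutes", "enabledRoutes", "expires", "keyExpiryDisabled") are what I believe that endpoint returns; the sample devices are constructed, and you should check the names against the current API reference before wiring this into CI.

```python
"""Audit a tailnet device list: pending subnet routes, expiring keys, unapproved devices.

Added example for this post, not Tailscale's own tooling. Field names are my
understanding of the v2 devices endpoint; verify against the current API docs.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

API_BASE = "https://api.tailscale.com/api/v2"


def fetch_devices(tailnet: str, api_key: str) -> list:
    """GET /tailnet/{tailnet}/devices, authenticating with an API key as a bearer token."""
    req = urllib.request.Request(f"{API_BASE}/tailnet/{tailnet}/devices?fields=all")
    req.add_header("Authorization", f"Bearer {api_key}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["devices"]


def parse_expiry(ts: Optional[str]) -> Optional[datetime]:
    """Devices with expiry disabled report a zero timestamp (assumption); treat it as None."""
    if not ts or ts.startswith("0001-"):
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_devices(devices: list, now: datetime, warn_days: int = 14) -> dict:
    """Return findings keyed by category; each entry is a human-readable string."""
    findings = {"pending_routes": [], "expiring_keys": [], "unauthorized": []}
    for dev in devices:
        name = dev.get("name", "<unnamed>")
        # Only meaningful when device approval is enabled for the tailnet.
        if not dev.get("authorized", True):
            findings["unauthorized"].append(name)
        # Routes the node advertises that nobody has approved in the admin console yet.
        advertised = set(dev.get("advertisedRoutes", []))
        enabled = set(dev.get("enabledRoutes", []))
        for route in sorted(advertised - enabled):
            findings["pending_routes"].append(f"{name}: {route}")
        # Key rotation: flag node keys that expire within the warning window.
        if not dev.get("keyExpiryDisabled", False):
            expires = parse_expiry(dev.get("expires"))
            if expires is not None:
                days_left = (expires - now).days
                if days_left <= warn_days:
                    findings["expiring_keys"].append(f"{name}: expires in {days_left} days")
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample in the shape the API returns; these are not real devices.
SAMPLE_DEVICES = [
    {
        "name": "nas-router.example.ts.net",
        "authorized": True,
        "tags": ["tag:subnet-router"],
        "advertisedRoutes": ["10.10.0.0/24", "10.20.0.0/24"],
        "enabledRoutes": ["10.10.0.0/24"],
        "expires": "0001-01-01T00:00:00Z",
        "keyExpiryDisabled": True,
    },
    {
        "name": "alice-laptop.example.ts.net",
        "authorized": True,
        "tags": [],
        "advertisedRoutes": [],
        "enabledRoutes": [],
        "expires": "2025-03-10T09:00:00Z",
        "keyExpiryDisabled": False,
    },
    {
        "name": "new-vm.example.ts.net",
        "authorized": False,
        "tags": [],
        "advertisedRoutes": [],
        "enabledRoutes": [],
        "expires": "2025-09-01T00:00:00Z",
        "keyExpiryDisabled": False,
    },
]

SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # For a live tailnet: audit_devices(fetch_devices("example.com", os.environ["TS_API_KEY"]),
    #                                   datetime.now(timezone.utc))
    print(json.dumps(audit_devices(SAMPLE_DEVICES, SAMPLE_NOW), indent=2))
```

Run against the sample it reports the second advertised route on nas-router as pending, alice-laptop's key as expiring in 9 days, and new-vm as unapproved; in CI, a non-empty "unauthorized" or "pending_routes" list is the signal to go look at the admin console rather than to auto-approve anything.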
Tips before rolling it out company-wide

  • Give every human their own tailnet account backed by SSO, then tag devices (e.g., tag:prod-db) for ACL clarity.
  • Use groups and device tags in ACLs so rules read like “group:devs can reach tag:staging-services on port 443”.
  • Deploy at least one subnet router per site and optionally a small exit-node stack for auditing/inspection.
  • Review tailnet logs; metadata still shows who accessed what without decrypting payloads.
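Here is what the ACLs-as-code hook and the group/tag tips above look like as an actual policy file. It is an added example of mine, not a policy from the post, written in the HuJSON format the admin console accepts: SSO users grouped, device tags owned by an ops group, the "group:devs can reach tag:staging-services on port 443" rule, auto-approval of the 10.10.0.0/24 route from the subnet-router step for nodes tagged as routers, a Tailscale SSH rule that replaces inbound port 22, and a built-in test so CI rejects a change that widens access. The user addresses, tag:subnet-router, and port 5432 are assumptions.

```hujson
// Added example policy; adjust groups, tags and ports to your own tailnet.
{
  // Humans come in via SSO and are grouped here, never listed per device.
  "groups": {
    "group:devs": ["alice@example.com", "bob@example.com"],
    "group:ops":  ["carol@example.com"],
  },

  // Only ops may apply these tags, so a dev cannot tag a laptop as prod.
  "tagOwners": {
    "tag:staging-services": ["group:ops"],
    "tag:prod-db":          ["group:ops"],
    "tag:subnet-router":    ["group:ops"],
  },

  // Routes advertised by a tagged router are approved without a console click.
  "autoApprovers": {
    "routes": {
      "10.10.0.0/24": ["tag:subnet-router"],
    },
  },

  // Default deny: anything not listed is dropped.
  "acls": [
    {"action": "accept", "src": ["group:devs"], "dst": ["tag:staging-services:443"]},
    {"action": "accept", "src": ["group:ops"],  "dst": ["tag:prod-db:5432"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
  ],

  // Tailscale SSH: ops can reach prod-db as a non-root user, re-authenticating each session.
  "ssh": [
    {"action": "check", "src": ["group:ops"], "dst": ["tag:prod-db"], "users": ["autogroup:nonroot"]},
  ],

  // Policy tests run on every save; CI fails if a change breaks them.
  "tests": [
    {"src": "alice@example.com", "accept": ["tag:staging-services:443"], "deny": ["tag:prod-db:5432"]},
    {"src": "carol@example.com", "accept": ["tag:prod-db:5432"]},
  ],
}
```

Keep this file in the repository and push it from CI (Tailscale publishes a GitOps GitHub Action for exactly this); the "tests" block is the part worth maintaining, because it turns "did this PR quietly grant devs access to prod?" into a failing check instead of a log review after the fact.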

Further reading