Concept

Tailscale

Tailscale is a WireGuard-based mesh VPN. Devices join a private **tailnet** and reach each other on stable `100.x` addresses, regardless of NAT/firewalls — connections are outbound-initiated, falling back to DERP relays when direct paths are blocked.

type: concept · status: active · tags: networking · vpn · wireguard · zero-trust

Key points

  • MagicDNS gives each node a name (<host>.<tailnet>.ts.net).
  • Works behind a deny-all-ingress firewall (no public inbound port needed).
  • Tailscale SSH (--ssh) makes tailscaled answer port 22 on the tailnet interface and authenticates by tailnet identity plus the policy's ssh rules, not by sshd's authorized_keys. That breaks key-based automation such as Ansible here, so --ssh stays off and plain sshd keeps port 22.
  • Tailscale Funnel can expose a node's service publicly at <host>.<tailnet>.ts.net with an automatically issued TLS certificate and no inbound port on the host. It has to be allowed for the node in the policy (the funnel nodeAttr) and is a real public ingress, so only services that can face the internet belong behind it.

Details

Auth keys let a node join unattended at boot, which is how the broker's startup script joins the tailnet. The key's attributes matter: reusable means one key can enrol more than one node; tagged means the node's identity is the tag (which must already be declared under tagOwners in the policy) rather than a user, so its node key does not expire; ephemeral means the node is deleted once it has been offline for a while, so address it by MagicDNS name rather than a pinned 100.x address. Auth keys themselves expire (90 days at most), so whatever provisions the key to the host has to rotate it.
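The unattended join described above, as an added example rather than the wiki's actual broker startup script. It assumes (hypothetically) that tailscaled is already running, that the tagged, reusable auth key has been provisioned to /etc/tailscale/authkey with mode 0600, that the node should be named "broker", and that the tailscale CLI is on PATH (or named via TAILSCALE, which exists only so the script can be exercised against a stand-in). The key is handed to the CLI as file:<path> so it never appears on a command line, and --ssh is left off on purpose, per the Key points.

```sh
#!/bin/sh
# Unattended tailnet join for a boot-time service (added example, not the wiki's script).
# Hypothetical assumptions: tailscaled is running, the auth key sits in /etc/tailscale/authkey
# (mode 0600), the node is to be named "broker".
set -eu

TS_KEY_FILE="${TS_KEY_FILE:-/etc/tailscale/authkey}"
TS_HOSTNAME="${TS_HOSTNAME:-broker}"

# Sanity-check the provisioned key before it is sent anywhere: keys generated in the
# admin console currently start with "tskey-auth-", contain no whitespace and are much
# longer than the bare prefix. A misprovisioned file should fail here, loudly.
valid_authkey() {
    key="$1"
    [ "$(printf '%s' "$key" | tr -d '[:space:]')" = "$key" ] || return 1
    case "$key" in
        tskey-auth-*) [ "${#key}" -gt 20 ] ;;
        *) return 1 ;;
    esac
}

# True when the JSON from `tailscale status --json` (fed on stdin) reports the node as
# already up, so a reusable key is not resent on every boot.
already_running() {
    grep -q '"BackendState": *"Running"'
}

join_tailnet() {
    ts="${TAILSCALE:-tailscale}"          # stand-in hook for testing; normally just "tailscale"
    key="$(cat "$TS_KEY_FILE")"
    if ! valid_authkey "$key"; then
        echo "refusing to join: $TS_KEY_FILE does not hold a tskey-auth-* key" >&2
        return 1
    fi
    if "$ts" status --json 2>/dev/null | already_running; then
        echo "node already in tailnet"
        return 0
    fi
    # file:<path> makes the CLI read the key itself, so the secret stays out of `ps`.
    # No --ssh: sshd and authorized_keys remain in charge of port 22 (see Key points).
    # The tag comes from the key, so no --advertise-tags is needed.
    "$ts" up "--auth-key=file:$TS_KEY_FILE" "--hostname=$TS_HOSTNAME" --timeout=60s
}

# Run only when invoked as a script with --run, e.g. from a systemd unit or rc script;
# sourcing the file just defines the functions.
case "${1:-}" in
    --run) join_tailnet ;;
esac
```

The `--run` guard keeps the join out of the import path, which is also what makes the functions checkable in isolation; in a real unit file the invocation is simply `join-tailnet.sh --run` after tailscaled.service.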

Sources

Compiled from wiki/concepts/Tailscale.md · git is the source of truth