Tailscale Personal Mesh VPN Cheat Sheet

Updated 2026-05-21

Next Topic: Unity Gaming Engine Cheat Sheet

Tailscale is a managed mesh VPN that wraps the WireGuard protocol in an automated key-exchange and identity layer, creating a private network — called a tailnet — that spans all your devices without manual VPN configuration. Because WireGuard tunnels are extremely lightweight, Tailscale builds a full point-to-point mesh rather than the hub-and-spoke topology of legacy VPNs: every device talks directly to every other device, with encrypted relays (DERP) kicking in only when NAT traversal cannot establish a direct path. The key insight for practitioners is that Tailscale separates the control plane (key coordination via login.tailscale.com) from the data plane (direct WireGuard tunnels), so the control plane carries almost no traffic while data flows peer-to-peer at near-native speeds.

What This Cheat Sheet Covers

This topic spans 19 focused tables and 158 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Architecture and Core ConceptsTable 2: Identity Providers and AuthenticationTable 3: Installing TailscaleTable 4: MagicDNS and DNS ConfigurationTable 5: Access Control Lists (ACL Policy File)Table 6: Exit NodesTable 7: Subnet RoutersTable 8: Tailscale SSHTable 9: Tailscale Funnel and ServeTable 10: Taildrop and Taildrive File SharingTable 11: Sharing Nodes and Managing UsersTable 12: NAS and Home Lab IntegrationsTable 13: Kubernetes and Cloud IntegrationTable 14: Plans, Pricing, and LimitsTable 15: Auth Keys and Device ProvisioningTable 16: Security Best PracticesTable 17: Troubleshooting and DiagnosticsTable 18: Comparing Tailscale and AlternativesTable 19: Common Everyday Use Cases

Table 1: Architecture and Core Concepts

Understanding Tailscale's layered design — WireGuard encryption, a coordination server for key exchange, NAT traversal via STUN/ICE, and DERP relays as a fallback — is the foundation for every feature and troubleshooting step that follows.

Concept	Example	Description
Tailnet	All your devices share the `yak-bebop.ts.net` domain	Your private network of all Tailscale-connected devices; every device on the tailnet can reach every other device according to your ACL policy.
WireGuard data plane	`wg show tailscale0` shows active peer tunnels	Tailscale uses WireGuard (specifically `wireguard-go`) for end-to-end encrypted tunnels; private keys never leave the local device.
Coordination server	`login.tailscale.com` exchanges public keys	A central key drop-box (control plane) that distributes public keys and policy to all nodes; it carries almost zero traffic — only metadata.
Mesh network	Node A connects directly to node B without a gateway	Every node gets WireGuard tunnels to every other permitted node; no central traffic bottleneck unlike hub-and-spoke VPNs.
NAT traversal (STUN/ICE)	Two nodes behind separate CGNAT routers connect directly	Tailscale uses STUN and ICE standards to punch through firewalls; works even when both nodes are behind NAT with no open ports.
DERP relay servers	`tailscale netcheck` shows relay latency to `nyc.relay.tailscale.com`	Designated Encrypted Relay for Packets — HTTPS-based fallback relay when direct connection is blocked; DERP servers cannot decrypt traffic since it is WireGuard-encrypted.

Table 1: Architecture and Core Concepts

Concept	Example	Description
Tailnet	All your devices share the `yak-bebop.ts.net` domain	Your private network of all Tailscale-connected devices; every device on the tailnet can reach every other device according to your ACL policy.
WireGuard data plane	`wg show tailscale0` shows active peer tunnels	Tailscale uses WireGuard (specifically `wireguard-go`) for end-to-end encrypted tunnels; private keys never leave the local device.
Coordination server	`login.tailscale.com` exchanges public keys	A central key drop-box (control plane) that distributes public keys and policy to all nodes; it carries almost zero traffic — only metadata.
Mesh network	Node A connects directly to node B without a gateway	Every node gets WireGuard tunnels to every other permitted node; no central traffic bottleneck unlike hub-and-spoke VPNs.
NAT traversal (STUN/ICE)	Two nodes behind separate CGNAT routers connect directly	Tailscale uses STUN and ICE standards to punch through firewalls; works even when both nodes are behind NAT with no open ports.
DERP relay servers	`tailscale netcheck` shows relay latency to `nyc.relay.tailscale.com`	Designated Encrypted Relay for Packets — HTTPS-based fallback relay when direct connection is blocked; DERP servers cannot decrypt traffic since it is WireGuard-encrypted.