Tailscale: The Mesh-VPN Market Leader for Private Cloud Access



Mesh VPNs are replacing the old concentrator model. Anyone stepping into this space cannot avoid one name: Tailscale.

The service has been the UX gold standard in the mesh VPN segment for years. More than 5 million monthly active users, BSD-3 licensed clients, MagicDNS, and one of the smoothest onboarding experiences on the market speak for themselves.

We evaluated Tailscale in the same lab environment we used to test NetBird. This time with two lenses: once as a pure product, and once along the EU sovereignty axis that runs through this series.

As of May 2026, evaluated on Tailscale Cloud with Standard and Premium features.

What Tailscale is

Tailscale is a WireGuard-based peer-to-peer mesh with a hosted control plane. The idea: WireGuard is great, but key distribution and authentication are painful, so Tailscale delivers exactly that layer as a managed service.

Three properties define the profile:

  • Made in Toronto: The company was founded in 2019 by Avery Pennarun, David Crawshaw, David Carney, and Brad Fitzpatrick, all with Google backgrounds. Headquartered in Toronto, Canada, with a remote-first team.
  • Market reach: Around 5 million monthly active users, roughly 20,000 paying customers, around 290 employees, and a 2026 Webby Award winner in "Developer Tools & APIs".
  • Hybrid license model: Clients are BSD-3 open source on GitHub, while the control plane (coordination server) is proprietary and not officially self-hostable.

This last property is the central difference from NetBird and also the reason why a community reimplementation of the control plane, Headscale, exists (covered in Post 3 of this series).

Architecture in one picture

Five points explain the setup without a diagram:

  • Clients connect directly peer-to-peer via WireGuard as soon as they can reach each other.
  • The coordination server (control plane) manages identities, ACLs, routes, and distributes public keys.
  • DERP relays serve as a TURN equivalent when a direct P2P path is not possible. Traffic that goes through a relay stays end-to-end encrypted with WireGuard; the relay only forwards ciphertext between the two node keys. Tailscale runs a global DERP network including locations in Europe.
  • MagicDNS distributes meaningful hostnames automatically across the tailnet, with no need to set up your own DNS.
  • Tailnet Lock can be enabled optionally and provides cryptographic protection against a compromised control plane (more on this under Features below).

Important: The coordination server runs on AWS Linux hosts in the United States, with metadata in SQLite and backups to S3. As of May 2026, no EU region is offered for the control plane.

Features that make the difference

What sets Tailscale apart from a bare WireGuard setup or a pure mesh implementation is the set of product-grade features around it:

  • MagicDNS: Hostnames like db.tailnet-name.ts.net are resolved automatically across your entire tailnet, with no need to run DNS or maintain a hosts file.
  • Tailscale SSH: SSH connections are authorized via tailnet ACLs, without separate SSH keys or bastion hosts. Authentication runs through your IdP, and in "check" mode the user has to re-authenticate with the IdP periodically, down to every single connection if you configure it that way. Note that the node must still be reachable on port 22 under the network ACLs for an SSH rule to apply.
  • Funnel: An internal service in the tailnet can be selectively exposed to the public internet, TLS-terminated, without a custom reverse proxy or public IP.
  • Serve: The counterpart for purely internal exposure, useful for making a dev server reachable to colleagues without exposing it publicly.
  • Subnet routers and exit nodes: The classic VPN use case still works. A node can route entire subnets into the tailnet or serve as an internet exit node.
  • Tailnet Lock: New nodes are only accepted if their node key is signed by one of the tailnet's trusted signing keys, which live on designated signing nodes (the Tailnet Key Authority, TKA). Because the clients verify these signatures themselves, even a compromised control plane cannot inject malicious nodes.
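As an added example, not taken from the original post or from Tailscale's documentation, here is one policy file in Tailscale's HuJSON ACL format that wires together several of the features listed above: tagged servers, Tailscale SSH in check mode, an auto-approved subnet router and exit node, and the Funnel node attribute. The group names, tags, e-mail addresses, and the 10.20.0.0/16 subnet are assumptions chosen for illustration.

```jsonc
{
  // Who is who. Groups are the only thing you should reference in rules.
  "groups": {
    "group:infra": ["alice@example.com", "bob@example.com"],
    "group:dev":   ["carol@example.com"]
  },

  // Only group:infra may bring up devices carrying these tags.
  "tagOwners": {
    "tag:server": ["group:infra"],
    "tag:router": ["group:infra"]
  },

  // Network-layer rules. Tailscale SSH is still gated by these: a node has
  // to be reachable on port 22 before any "ssh" rule below can apply.
  "acls": [
    { "action": "accept", "src": ["group:infra"], "dst": ["tag:server:*", "tag:router:*"] },
    { "action": "accept", "src": ["group:dev"],   "dst": ["tag:server:22", "tag:server:443"] }
  ],

  // Tailscale SSH. "check" forces a fresh IdP authentication every 12h;
  // set "checkPeriod" to "always" to require it on every connection.
  "ssh": [
    {
      "action": "check",
      "src":    ["group:infra"],
      "dst":    ["tag:server"],
      "users":  ["root", "autogroup:nonroot"],
      "checkPeriod": "12h"
    },
    {
      "action": "accept",
      "src":    ["group:dev"],
      "dst":    ["tag:server"],
      "users":  ["autogroup:nonroot"]
    }
  ],

  // Routes and exit-node offers from tag:router are accepted without an
  // admin clicking "approve" in the console.
  "autoApprovers": {
    "routes":   { "10.20.0.0/16": ["tag:router"] },
    "exitNode": ["tag:router"]
  },

  // Funnel has to be switched on per node via this attribute; Serve does not.
  "nodeAttrs": [
    { "target": ["tag:server"], "attr": ["funnel"] }
  ]
}
```

Two design choices worth noting: everything human-facing is expressed through groups and tags rather than individual users or IPs, so onboarding and offboarding happen in the IdP and in tagOwners, not in the rules; and the SSH rule for group:dev deliberately excludes root, which is the least-privilege default you want before you hand out "accept" without a re-auth.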

Tailnet Lock is the product's most honest security move: Tailscale puts itself into the threat model as a potential attacker.
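To make the "control plane in the threat model" property concrete, here is an added Go example that models the core idea of Tailnet Lock. It is not Tailscale's TKA implementation (the real one chains signed state updates and keeps signing keys on dedicated signing nodes); it keeps only the essential invariant: the set of trusted signing keys lives on the client, so a node record pushed by the control plane is accepted only if an enrolled signing key vouches for it. The node names, the use of ed25519, and the 32-byte placeholder node keys are assumptions of the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// NodeKey stands in for a device's public node key as distributed by the
// control plane; an opaque byte string is enough for this model.
type NodeKey []byte

// SignedNode is the record the control plane hands to peers: the node key
// plus the signature that is supposed to vouch for it.
type SignedNode struct {
	Name   string
	Key    NodeKey
	SigKey ed25519.PublicKey // signing key that claims to vouch for Key
	Sig    []byte            // ed25519 signature over Key
}

// TrustStore is the client-side set of enrolled signing public keys.
// The control plane has no write access to it.
type TrustStore struct {
	trusted map[string]ed25519.PublicKey
}

func NewTrustStore(keys ...ed25519.PublicKey) *TrustStore {
	ts := &TrustStore{trusted: make(map[string]ed25519.PublicKey)}
	for _, k := range keys {
		ts.trusted[string(k)] = k
	}
	return ts
}

var ErrUntrustedNode = errors.New("node key is not signed by an enrolled signing key")

// Verify is the check a peer runs before it will talk to a node. Only the
// local trust store decides; whatever the control plane asserts is irrelevant.
func (ts *TrustStore) Verify(n SignedNode) error {
	k, ok := ts.trusted[string(n.SigKey)]
	if !ok {
		return ErrUntrustedNode // signing key was never enrolled (e.g. attacker-generated)
	}
	if !ed25519.Verify(k, n.Key, n.Sig) {
		return ErrUntrustedNode // node key swapped after signing, or forged signature
	}
	return nil
}

// Sign is what an admin does on a signing node when enrolling a new device.
func Sign(priv ed25519.PrivateKey, name string, key NodeKey) SignedNode {
	return SignedNode{
		Name:   name,
		Key:    key,
		SigKey: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, key),
	}
}

// newNodeKey returns a random 32-byte placeholder for a node's public key.
func newNodeKey() NodeKey {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// Scenario builds a constructed tailnet with one enrolled signing key and
// reports whether each of three node records is accepted: a properly
// enrolled laptop, a rogue node vouched for by a signing key the attacker
// made up, and a genuine record whose node key the (compromised) control
// plane replaced after it was signed.
func Scenario() (legit, rogue, swapped bool) {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	store := NewTrustStore(adminPub)

	laptop := Sign(adminPriv, "laptop", newNodeKey())

	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rogueNode := Sign(attackerPriv, "rogue", newNodeKey())

	tampered := laptop
	tampered.Key = newNodeKey() // control plane substitutes a key it controls

	return store.Verify(laptop) == nil,
		store.Verify(rogueNode) == nil,
		store.Verify(tampered) == nil
}

func main() {
	legit, rogue, swapped := Scenario()
	fmt.Printf("enrolled laptop accepted:      %v\n", legit)
	fmt.Printf("attacker-signed node accepted: %v\n", rogue)
	fmt.Printf("key-swapped record accepted:   %v\n", swapped)
}
```

The point the model makes is that both attacks a compromised coordination server can mount, inventing a node and rewriting a real node's key, fail for the same reason: the verification key never passed through the control plane. What the model does not cover, and what the sovereignty section below comes back to, is that the control plane still sees which nodes exist and how they are addressed; Tailnet Lock protects membership, not metadata.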

Identity providers and SSO

Tailscale is consistently IdP-driven. There is no email-and-password sign-up. Every account hangs on an external identity provider. Supported natively:

Category      Providers
Native        Apple, Google/Workspace, GitHub, Microsoft (including Entra ID), Okta, OneLogin
Custom OIDC   Any OIDC-compliant provider (Keycloak, Zitadel, Authentik theoretically usable)
Additional    Passkey auth for authorized tailnets

For mature enterprise setups this is pleasant, because SSO and MFA run through your existing IdP. For very small hobbyist setups, the mandatory external IdP can be a hurdle, especially if you do not already have a Workspace or Microsoft license.

Self-hosting the control plane is not officially supported. If you need that, Headscale is the answer, which we will cover in the next post in this series.

Cloud tiers: What do you pay, and when?

Tailscale simplified its pricing model in 2025/2026. These tiers are active:

Tier         Price            User limit   Devices     Highlights
Personal     $0               up to 6      unlimited   Full feature set for individuals and homelabs
Standard     $8/user/month    unlimited    unlimited   SCIM, MDM integration, device posture, 10 ACL groups
Premium      $18/user/month   unlimited    unlimited   300 ACL groups, network flow logs, log streaming, just-in-time access, advanced Tailscale SSH, priority support
Enterprise   Custom           unlimited    unlimited   Solutions engineer, MSA/SLAs, premium support

Important: Existing customers on the older Personal+, Starter, or Business tiers stay on their current pricing for the time being. Anyone signing up new in 2026 starts on the current model with the tiers listed above.

Two observations for the practical comparison: Tailscale bills per user, not per active user like NetBird. Devices are unlimited, which can be cheaper in device-heavy scenarios (server fleets, IoT). Per user, Standard at $8 sits noticeably above NetBird Team at $5, which adds up on larger teams.

Clients and day-to-day comfort

Platform coverage is broad: Linux, Windows, macOS, iOS, Android, plus NixOS, Synology, FreeBSD, Docker, and router integrations (OPNsense, pfSense via add-on).

What we noted positively during the evaluation:

  • Setup time: Our first tailnet was up and running in under two minutes, from browser login to first connection. That is the bar for the whole genre.
  • Mobile apps: Both the iOS and Android client are polished, quick-connect works, and MagicDNS is active immediately.
  • Auto-updates: Available on all desktop platforms, reducing the classic VPN rollout effort to almost zero.
  • Admin UI: The web dashboard is the most mature admin surface we have seen in this segment, including a live tailnet view, an ACL editor with JSON schema, and audit logs.

If any one product has shaped this entire genre, it is this one. Tailscale is the bar that other vendors have to clear.

EU sovereignty: An honest read

EU sovereignty is the running thread in this series, and Tailscale deserves an honest assessment here. Without bashing, but without sugar-coating the gaps:

  • Headquartered in Toronto, Canada. Not the US, but Canada is a member of the Five Eyes alliance and not under EU jurisdiction.
  • Control plane on AWS in the United States. Connection metadata is processed there, and an EU region is not selectable as of May 2026.
  • Closed-source control plane. Auditing is only partially possible. Tailscale ships security updates regularly, and external audit reports are available to prospects under NDA.
  • Certifications: SOC 2 Type II yes. ISO 27001 and DORA are not actively advertised. GDPR processes are documented, but the architecture is not "EU-first".
  • Tailnet Lock softens the trust placed in the control plane cryptographically, but it does not solve the data residency question for metadata.

Important: For NIS2 and DORA contexts, we recommend not deploying Tailscale without an additional sourcing assessment. The product quality is excellent. The EU sovereignty story is not.

If you want Tailscale's feature set together with sovereignty, the path leads to Headscale, covered in the next post in this series.

Where Tailscale shines today, and where it does not

Strengths

  • The UX is, in our experience, unmatched. Onboarding, mobile apps, MagicDNS, and SSH integration set the standard.
  • The feature set (Funnel, Serve, subnet routers, exit nodes, Tailscale SSH) covers almost every mesh VPN use case.
  • BSD-3 clients on GitHub, with full client-side auditability.
  • A global DERP network including EU locations keeps fallback latency low.
  • Tailnet Lock is an honest security move that includes Tailscale itself in the threat model.

Limitations

  • The control plane is proprietary and not officially self-hostable.
  • Data residency for metadata is not available in the EU.
  • No official ISO 27001 or DORA certification, which adds vendor-assessment work in regulated contexts.
  • Standard tier costs $8/user/month, which adds up on larger teams compared to NetBird Team at $5/user.
  • Mandatory IdP is good for security but a hurdle for very small hobbyist setups.

When Tailscale is the right choice

Four scenarios where Tailscale clearly moves to the front of the field:

1) "We need the best UX and fast adoption."

Tailscale is the reference here. Employees install in minutes, MagicDNS and Tailscale SSH make internal services immediately reachable, and the mobile apps pick up field staff without friction.

2) "We are building a developer-tooling setup or a modern homelab."

Funnel, Serve, and Tailscale SSH fit perfectly into DevX stacks. You can make preview environments, local dev servers, and CI runners reachable without a public IP.

3) "We are not a NIS2 or DORA mandatory organization, and sovereignty is not the top criterion."

Then the trade-offs are acceptable. You get the most mature product in this market without sovereignty pulling you back.

4) "We want Tailscale features, but we want sovereignty."

Then the path leads to Headscale, an open-source community reimplementation of the Tailscale control plane that works with the official Tailscale clients. That is exactly where we pick up in the next post.

Conclusion

Tailscale is the most mature mesh VPN on the market in May 2026 and, in many contexts, the most productive choice. The UX is unmatched, the feature set is broad, and Tailnet Lock shows that the company takes security seriously. If EU sovereignty is a hard requirement, however, it is worth looking at NetBird or at Headscale, which the next post in this series introduces.

If you are currently making the mesh VPN choice for your company, setting up a NIS2 or DORA program, or building sovereign access into your private cloud, we at Infralovers are happy to support you. We would be glad to advise you on our Sovereign Cloud offering and combine that with our training portfolio on NIS2 Compliance and Cloud Native Essentials.
