Security · Tailscale (2024)

Security by design

Tailscale connections are end-to-end encrypted with WireGuard®

Tailscale is built on top of WireGuard.

WireGuard is a modern VPN designed for usability, performance, and security. WireGuard uses state-of-the-art cryptography and provides end-to-end encryption for connections between devices. WireGuard’s protocol has been reviewed by cryptographers and its code audited, with only minor issues discovered and fixed.

We designed Tailscale to make it even easier to use WireGuard to secure your network connections.

Tailscale sees your metadata, not your data

Tailscale does not (and cannot) inspect your traffic. Privacy is a fundamental human right, and we designed Tailscale accordingly. We don’t want your data.

Your data is end-to-end encrypted and transmitted point-to-point. Your devices’ private encryption keys never leave their respective nodes, and our coordination server only collects and exchanges public keys. DERP relay servers do not log your data — you can confirm this yourself as the code is open-source. Even when your connection uses a DERP relay server, the only data Tailscale could see and capture is encrypted.
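The key-handling property described above, as an added illustration rather than Tailscale's or WireGuard's own code: each node generates its X25519 key pair locally, a directory that stands in for the coordination server stores only public keys, and the two endpoints derive a matching shared secret that the directory, holding no private key, cannot compute. This simplifies WireGuard's Noise-based handshake down to the static-key Diffie-Hellman step; the node names and the `Coordinator` type are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
)

// Node models one peer. Its X25519 private key is generated locally and is
// never handed to anything outside the struct.
type Node struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewNode generates the node's key pair on the node itself.
func NewNode(name string) (*Node, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{Name: name, priv: priv}, nil
}

// PublicKey is the only key material a node ever publishes.
func (n *Node) PublicKey() []byte { return n.priv.PublicKey().Bytes() }

// SharedSecret runs X25519 with a peer's public key. Only the two endpoints
// can compute this value; it stands in for the WireGuard session secret.
func (n *Node) SharedSecret(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return n.priv.ECDH(pub)
}

// Coordinator models the coordination server: a directory of public keys and
// nothing else, so it holds nothing that would let it derive a session secret.
type Coordinator struct {
	pubs map[string][]byte
}

func NewCoordinator() *Coordinator { return &Coordinator{pubs: map[string][]byte{}} }

// Register stores a node's public key under its name.
func (c *Coordinator) Register(n *Node) { c.pubs[n.Name] = n.PublicKey() }

// Lookup returns the public key a peer needs to reach the named node.
func (c *Coordinator) Lookup(name string) ([]byte, bool) {
	pub, ok := c.pubs[name]
	return pub, ok
}

// Exchange registers two nodes, has each fetch the other's public key from
// the coordinator, and reports whether both sides derived the same secret.
func Exchange() (bool, error) {
	a, err := NewNode("laptop")
	if err != nil {
		return false, err
	}
	b, err := NewNode("server")
	if err != nil {
		return false, err
	}
	coord := NewCoordinator()
	coord.Register(a)
	coord.Register(b)

	bPub, _ := coord.Lookup("server")
	aPub, _ := coord.Lookup("laptop")
	sa, err := a.SharedSecret(bPub)
	if err != nil {
		return false, err
	}
	sb, err := b.SharedSecret(aPub)
	if err != nil {
		return false, err
	}
	return bytes.Equal(sa, sb), nil
}

func main() {
	ok, err := Exchange()
	fmt.Println("both endpoints agree on the secret:", ok, "err:", err)
}
```

The point to notice is the type of `Coordinator.pubs`: it can only ever hold 32-byte public keys, so even a full dump of the directory gives an observer nothing that `SharedSecret` needs.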

We never see information about your public Internet traffic. If you use an exit node, they’re your exit nodes, not ours, so we still can’t see your public Internet traffic. If you use MagicDNS or Split DNS, your public DNS queries may end up passing through your device’s local Tailscale DNS proxy, but they are not logged. Again, you can verify this yourself because the code is open-source.

We do receive metadata about which of your private nodes connect to which other private nodes, including public IP addresses. This is required to provide the service, as the purpose of Tailscale’s coordination server is to help your nodes find each other.

Your network remains available even if Tailscale is not

Tailscale connects devices point-to-point. Even if Tailscale's coordination server is down, you can still access your network.

Tailscale’s coordination server is used to help your nodes find each other. Once this information is exchanged, however, your nodes have all the information they need to connect. Though the coordination server needs to be available for you to make administrative changes, removing this dependency means you don’t have a single point of failure for your users to connect to your services.

Although Tailscale tries to connect devices point-to-point, that’s not always possible, so we have globally distributed DERP relay servers to help devices connect to each other when connections are hard to establish. The DERP servers run in multiple regions and have no shared state between regions, which means a DERP region can have an outage and your Tailscale clients will fail over to a different one.

Tailscale is written in Go

Tailscale uses wireguard-go. Tailscale’s core functionality, including the coordination server, logging infrastructure, DERP relay servers, and clients, is written in Go. Go provides automatic memory management, so it doesn’t rely on the developer to allocate and free memory — which prevents a whole class of memory safety vulnerabilities.

Security Features

SSO and MFA

Tailscale relies on your existing identity provider to authenticate users. Any authentication settings from your identity provider are automatically used by Tailscale, including MFA and context-aware access. Authenticate to Tailscale with identity providers including Google, Microsoft AD, GitHub, Okta, and OneLogin.

Access Control Lists (ACLs)

Tailscale’s ACLs allow you to define what users, groups, IP addresses, CIDRs, hosts, and tags can connect to each other in your network. Using ACLs, you can define role-based access controls for users accessing services in your network in terms of user identities, rather than in terms of IP addresses. ACLs are directional and default deny.
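To make the "directional and default deny" semantics concrete, here is an added evaluator, not Tailscale's own policy engine, that reads a policy in the same `groups` / `acls` shape as a Tailscale ACL file and answers whether a source identity may reach a destination on a port. It is deliberately narrower than the real engine: hosts, tagOwners, autogroups, port ranges and IP resolution are omitted, and the users and tags in `samplePolicy` are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Policy holds the two parts of a Tailscale-style ACL file this example
// evaluates: named groups and accept rules.
type Policy struct {
	Groups map[string][]string `json:"groups"`
	ACLs   []Rule              `json:"acls"`
}

// Rule is one ACL entry: src identities allowed to reach dst "target:port".
type Rule struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"`
}

// samplePolicy is constructed for this example; users and tags are made up.
const samplePolicy = `{
  "groups": {
    "group:eng": ["alice@example.com", "bob@example.com"],
    "group:ops": ["carol@example.com"]
  },
  "acls": [
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:prod:443"]},
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod:*", "tag:staging:22"]}
  ]
}`

// LoadPolicy parses a JSON policy document.
func LoadPolicy(raw string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(raw), &p)
	return p, err
}

// srcMatches reports whether a src entry covers the given identity (a user
// login or a tag); group entries are expanded via p.Groups.
func (p Policy) srcMatches(entry, identity string) bool {
	switch {
	case entry == "*":
		return true
	case strings.HasPrefix(entry, "group:"):
		for _, member := range p.Groups[entry] {
			if member == identity {
				return true
			}
		}
		return false
	default:
		return entry == identity
	}
}

// dstMatches splits "target:port" on the last colon; "*" matches any target
// or any port.
func dstMatches(entry, target string, port int) bool {
	i := strings.LastIndex(entry, ":")
	if i < 0 {
		return false
	}
	t, p := entry[:i], entry[i+1:]
	if t != "*" && t != target {
		return false
	}
	if p == "*" {
		return true
	}
	n, err := strconv.Atoi(p)
	return err == nil && n == port
}

// Allowed is default deny and directional: traffic from src to dst:port passes
// only if some accept rule lists src on its src side and dst:port on its dst
// side. Nothing is implied in the reverse direction.
func (p Policy) Allowed(src, dst string, port int) bool {
	for _, r := range p.ACLs {
		if r.Action != "accept" {
			continue
		}
		for _, s := range r.Src {
			if !p.srcMatches(s, src) {
				continue
			}
			for _, d := range r.Dst {
				if dstMatches(d, dst, port) {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	p, err := LoadPolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println("alice -> tag:prod:443", p.Allowed("alice@example.com", "tag:prod", 443)) // true
	fmt.Println("tag:prod -> alice:443", p.Allowed("tag:prod", "alice@example.com", 443)) // false
}
```

Two things the evaluator makes visible: there is no deny rule type, because anything not explicitly accepted is already denied, and an accept for eng → prod:443 says nothing about prod → eng, so a compromised production host gains no path back to engineers' machines from that rule alone.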

User roles

Tailscale provides multiple user roles that restrict who can modify your tailnet’s configurations. These allow for separation of duties between admins who can modify users and devices, such as IT administrators, and those who can modify network configurations, such as the networking team.

To take advantage of all of Tailscale’s security features and best protect your network, we recommend following our hardening guide.

Security disclosures

Tailscale publishes security bulletins to disclose security issues in our product.

If you’re directly affected by a security issue in Tailscale, and we have your contact information, we will contact you.

Securing a virtual private network requires both the provider and the user to share in the burden of responsibility. To understand how responsibilities are shared between you and Tailscale, see the shared responsibility model.

Tailnet lock

Tailnet lock lets you control which nodes are signed and verified by trusted nodes in your tailnet, meaning you don’t need to trust the Tailscale coordination server for distributing public node keys to peer nodes in your tailnet. You can control which nodes are trusted to sign another node’s public key.
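The trust shift tailnet lock describes, as an added example that is not Tailscale's implementation: a client keeps its own list of trusted signing keys and accepts a peer's node key only when the record carrying it is signed by one of them, so a key handed out by the coordination server without such a signature, or altered after signing, is rejected. Tailscale's real mechanism has its own key types, signature chains and rotation rules; this example reduces it to a single Ed25519 signature over the node key, and the `NodeRecord` and `TrustedSigners` types are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// NodeRecord is what a client receives for a peer: the peer's node public key
// plus a signature over it by one of the tailnet's signing keys.
type NodeRecord struct {
	NodeKey []byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

// TrustedSigners is the set of signing keys the tailnet lock policy trusts.
type TrustedSigners struct {
	keys []ed25519.PublicKey
}

// Add marks a signing key as trusted.
func (t *TrustedSigners) Add(k ed25519.PublicKey) { t.keys = append(t.keys, k) }

// Sign is what a trusted signing node does when it admits a new node.
func Sign(signPriv ed25519.PrivateKey, nodeKey []byte) NodeRecord {
	return NodeRecord{
		NodeKey: nodeKey,
		Signer:  signPriv.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(signPriv, nodeKey),
	}
}

// Verify is the check a client runs on every peer record it receives. The
// coordination server is outside the trust path: a record it forges or alters
// fails one of these two checks.
func (t *TrustedSigners) Verify(r NodeRecord) error {
	trusted := false
	for _, k := range t.keys {
		if k.Equal(r.Signer) {
			trusted = true
			break
		}
	}
	if !trusted {
		return errors.New("signer is not trusted by tailnet lock")
	}
	if !ed25519.Verify(r.Signer, r.NodeKey, r.Sig) {
		return errors.New("signature does not cover this node key")
	}
	return nil
}

// Scenario exercises a properly signed record, one signed by an untrusted key,
// and one whose node key was altered after signing, and reports whether each
// was handled as expected.
func Scenario() (validAccepted, rogueRejected, tamperedRejected bool, err error) {
	signerPub, signerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	lock := &TrustedSigners{}
	lock.Add(signerPub)

	nodeKey := make([]byte, 32) // constructed stand-in for a node's WireGuard public key
	if _, err = rand.Read(nodeKey); err != nil {
		return
	}
	good := Sign(signerPriv, nodeKey)
	rogue := Sign(roguePriv, nodeKey) // untrusted signer, e.g. a key the server made up
	tampered := good
	tampered.NodeKey = append([]byte(nil), nodeKey...)
	tampered.NodeKey[0] ^= 0xff // node key swapped after signing

	return lock.Verify(good) == nil, lock.Verify(rogue) != nil, lock.Verify(tampered) != nil, nil
}

func main() {
	ok, rogue, tampered, err := Scenario()
	fmt.Println("signed accepted:", ok, "untrusted rejected:", rogue, "tampered rejected:", tampered, "err:", err)
}
```

The order of the two checks matters: membership in the trusted set is tested before the signature, so a record signed by a perfectly valid but unauthorised key never reaches the cryptographic check.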

Compliance & Certifications

SOC 2

Tailscale has completed a SOC 2 Type II certification.

Achieving SOC 2 compliance means that Tailscale has implemented procedures, policies and controls necessary to meet AICPA's trust services criteria for security, availability, and confidentiality, and that these processes and controls have been tested to ensure that they are operating effectively.

Obtain a copy of the report from our legal page.

Security policies

Tailscale publishes the security policies we use, so you can see where we are in terms of security maturity.

To track how these change over time, or to use these policies yourself, see the policies on GitHub.

Security Controls

Tailscale has many security controls in place to ensure the security of the service.

Network & infrastructure security
  • Requires business need to access the production environment.
  • Requires SSO and MFA to manage the production environment.
  • Requires connections over Tailscale or using SSH keys to access the production environment.
  • Logs operations in the production environment, and audits these for unusual activity.
Data security
  • Encrypts data at rest and in transit.
  • Backs up data at least hourly, and tests recovery at least annually.
  • Retains data in line with our Privacy Policy.
Application security
  • Requires a peer review for source code changes.
  • Regularly conducts audits of our source code.
  • Regularly reviews potential vulnerabilities in our environment and applies relevant patches.
  • Reviews access permissions at least quarterly.
Incident response
  • Responds to security issues reported to security@tailscale.com promptly.
  • Discloses security issues in security bulletins.
Business practices
  • Checks references for all new employees.
  • Requires new and existing employees to regularly complete security awareness training.
  • Requires new employees to sign a non-disclosure agreement.
  • Reviews new vendors prior to using their services, and existing vendors at least annually.

Tailscale works with Latacora to conduct security audits and ongoing analysis of our application security, network security, and corporate security. Latacora also provides feedback and guidance on new product features and Tailscale’s architecture.

Privacy

In addition to securing your information, we keep it private. Tailscale values and respects your privacy. You are not the product.

To learn more about what data we collect, and how we use it, see our Privacy Policy.
