On this page
Tailscale Architecture
Build a zero-config mesh VPN on top of WireGuard—the coordination server exchanges public keys and ACLs, NAT traversal establishes direct tunnels, and it automatically falls back to DERP relays when direct connectivity is not possible. The control plane is centralized while the data plane is decentralized: traffic does not pass through the central server.
Overview
Tailscale (2019) builds a zero-config mesh VPN on top of WireGuard: the coordination server exchanges public keys and ACLs, and nodes establish direct WireGuard tunnels between each other via NAT traversal (STUN/UPnP/port prediction); when direct connectivity is not possible, it automatically falls back to DERP relays. The core innovation is transforming WireGuard's static configuration into an auto-managed mesh overlay, while keeping the data plane independent of the central server. The open-source alternative headscale allows for fully self-hosted deployments.
Separation of Control Plane and Data Plane
Tailscale is not peer-to-peer — it is a mesh overlay with centralized coordination:
Control Plane (Coordination Server):
- HTTPS (REST + long-poll): exchanges public keys, endpoints, and ACLs
- Does not transmit user data
- Open-source alternative: headscale
Data Plane:
- WireGuard tunnels (userspace: wireguard-go or kernel: wireguard.ko)
- Between peers: direct UDP (if NAT traversal succeeds) or via DERP relay
The coordination server provides the peer list, public keys, endpoint hints, and ACL rules. Once the connection is established, nodes communicate directly with each other using WireGuard.
DERP
DERP (Detoured Encrypted Routing Protocol) is Tailscale's relay network, used when direct connections fail:
[Node A] → TLS → DERP Server → TLS → [Node B]
DERP Protocol:
1. Node → DERP: HTTPS (TLS) connect to :443 or custom port
→ Authentication: the node signs with its own Tailscale private key — DERP does not require logging into the tailnet
2. DERP → Node: server info (region, version)
3. Subsequent:
- DERP forwards WireGuard-encrypted packets (cannot decrypt them)
- Peer discovery (Peer Present / Peer Gone messages)
- ping/pong keepalives
Self-hosted DERP: Requires TLS certificates + public ports. The verify-clients option relies on tailscaled connecting to the coordination server to verify client identity — if the coordination server is unreachable (e.g., blocked in China), this option is unavailable.
NAT Traversal
Before establishing a WireGuard tunnel, Tailscale performs traversal:
Strategy (in order of priority):
1. Both nodes on the same LAN → direct LAN IP (host firewall must allow)
2. One side has Full Cone NAT → STUN → get external IP:port → remote connects
3. Both sides have Symmetric NAT → port prediction + birthday attack:
Each peer simultaneously sends UDP to the guessed ports of the other (probing multiple ports)
→ If a pair matches → direct connection established
4. UPnP/NAT-PMP/PCP: if the router supports it → map ports → equivalent to public IP
5. If all above fail → DERP relay (fallback)
Port Prediction:
Observe the NAT's port allocation pattern (incremental, hash, random):
Incremental: port_N = base_port + N
Hash: port_N = f(proto, src_ip, src_port, dst_ip, dst_port)
Random: unpredictable → hole punching impossible → only DERP available
References
- Tailscale blog: "How NAT traversal works"
- headscale: github.com/juanfont/headscale
- DERP: tailscale.com/kb/1232/derp
Keywords: Tailscale, coordination server, DERP, NAT traversal, port prediction, wireguard-go, headscale, ACL