Tailscale
A zero-config mesh VPN that makes remote access to servers, containers, and NAS boxes feel like local networking
Tailscale is a mesh VPN built on WireGuard that replaces the classic “configure a server, generate certs, distribute client configs” workflow with a single install-and-authenticate step. Founded in 2019 by ex-Google engineers, the company has raised $272M and the client software is open-source (BSD-3 licensed; source).
The pitch most reviews lead with is “it’s stupid easy to set up.” That’s accurate, but it skips the practical question a solo operator actually asks: what does this unlock in my day-to-day workflow that wasn’t worth the hassle before?
The solopreneur workflow (the part most reviews skip)
In our research, the most compelling use of Tailscale for a small operator is not running a VPN in the traditional sense — it’s making your private infrastructure feel like localhost from anywhere.
VS Code Remote SSH — With Tailscale installed on your laptop and your VPS, the SSH host becomes a Tailscale IP or DNS name. You connect from a coffee shop, a coworking space, a cellular hotspot — the WireGuard tunnel handles it. No SSH gateway, no jump box, no public-facing SSH port. The latency penalty over direct WireGuard is negligible for editing (source).
Docker networking — For a private Docker registry or a multi-container setup split across machines, Tailscale lets containers communicate via your tailnet names instead of public IPs or reverse proxies. The tailscale serve command can expose a container internally by wrapping it with a Tailscale sidecar. A staging database lives on your home server; your VPS talks to it over the mesh. No firewall gymnastics.
CI/CD runners — Instead of exposing your CI runner to the public internet, install Tailscale on the runner and target your private VPS by tailnet name in your pipeline config. Build artifacts stay off the public wire.
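An added check for the "no public-facing SSH port" point above (example code, not from Tailscale or the original article): it parses `ss -H -tln` output and flags watched ports bound to a wildcard or non-tailnet address. The sample output is constructed and the function names are illustrative.

```python
import ipaddress

# Tailscale hands out tailnet addresses from the CGNAT IPv4 block and from
# its own IPv6 ULA prefix.
TAILNET_NETS = [ipaddress.ip_network("100.64.0.0/10"),
                ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 100.101.102.103:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*
LISTEN 0 128 [fd7a:115c:a1e0::1234]:22 [::]:*
LISTEN 0 128 203.0.113.10:2222 0.0.0.0:*
LISTEN 0 128 100.101.102.103%tailscale0:8080 0.0.0.0:*
"""

def parse_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return host, int(port)

def classify(host):
    """Label a bind address as wildcard, loopback, tailnet or other."""
    if host == "*":
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "tailnet" if any(ip in net for net in TAILNET_NETS) else "other"

def exposed_listeners(ss_output, ports=(22,)):
    """Return (address, port, kind) for watched ports bound off-tailnet."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = parse_local(cols[3])
        kind = classify(host)
        # A wildcard bind is only as private as the host or cloud firewall.
        if port in ports and kind in ("wildcard", "other"):
            findings.append((host, port, kind))
    return findings

if __name__ == "__main__":
    for host, port, kind in exposed_listeners(SAMPLE_SS, ports=(22, 2222)):
        print(f"port {port} bound to {host} ({kind}): not restricted to the tailnet")
```

On a real host, pass the output of `ss -H -tln` in place of the sample; a clean result for port 22 means sshd is bound only to loopback or tailnet addresses.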
Pricing
Tailscale’s freemium model works well until you hit a specific wall.
| Tier | Price | Key limits |
|---|---|---|
| Personal (Free) | $0 | Up to 6 users, 100 devices, basic ACLs, subnet routing |
| Standard | $8/user/month | SSO/SAML, ACL groups, audit logging, device posture |
| Premium | $18/user/month | SCIM, webhooks, user management APIs, advanced posture |
| Enterprise | Custom | All Premium + dedicated support, custom SLAs |
source — Free tier
source — Standard tier
source — Premium and Enterprise
Pricing was restructured in 2025–2026 (Pricing v4). The old Starter plan at $6/user/month was replaced by Standard at $8/user/month — a 33% uplift that drew criticism from small teams (source). Existing customers were grandfathered for 12 months (source).
Discounts: 50% off for non-profits and educational institutions. Annual billing saves ~10–20%. GitHub open-source organizations get a free plan (source).
When the free tier breaks
For a solo operator, the limit you hit first is not the 6-user cap, and it’s rarely the 100-device cap either. The real wall is feature gating. Funnel (public ingress through Tailscale), advanced SSH session recording, and webhooks require Standard or Premium (source). If your workflow depends on exposing a local service publicly via Tailscale Funnel, the free tier stops being viable at that moment.
Headscale: the escape hatch
Headscale is an open-source self-hosted implementation of Tailscale’s coordination server. It lets you run your own control plane so no traffic metadata touches Tailscale’s servers. The trade-off is that you now manage a coordination server — something Tailscale’s whole pitch was designed to eliminate (source). For most solopreneurs with a handful of devices, the free SaaS tier is less operational overhead.
Who this is for
- A solo developer running a SaaS on a VPS who wants to SSH in from unpredictable networks without exposing port 22.
- Someone with a home NAS (Synology, TrueNAS) they access from coffee shops and coworking spaces.
- A small team (2–6 people) that needs shared access to staging environments without paying for a dedicated VPN gateway.
- Anyone tired of managing WireGuard config files for more than a few devices.
Who it’s NOT for
- Organizations with strict compliance requirements that mandate full self-hosting of all networking infrastructure (those should evaluate Headscale or traditional WireGuard at a minimum).
- Teams that need per-session MFA on every SSH connection — Tailscale can integrate with your IdP, but the granularity is coarser than a dedicated SSH bastion.
- Anyone who wants a traditional “all traffic through the VPN” tunnel that anonymizes their internet browsing. Tailscale is a mesh for connecting devices, not a consumer privacy VPN.
How we researched this
We reviewed Tailscale’s documentation and pricing pages, user discussions on Reddit (r/Tailscale and r/selfhosted), comparison analyses covering Tailscale vs WireGuard vs Headscale, and third-party pricing trackers. Sources are linked inline in this piece. Pricing reflects Tailscale’s publicly available plans as of May 2026.