Tailscale Mesh VPN Architecture

Technical diagram showing Tailscale's mesh VPN architecture with control plane, data plane, and DERP relay servers

[Figure: Tailscale Mesh VPN Architecture. Labels recovered from the diagram:]

Tailscale Control Plane (control.tailscale.com)
  • Authentication
  • Key Exchange
  • Policy Distribution
  • DERP Selection

DERP relay servers
  • US-West (sfo)
  • EU-Central (fra)
  • Asia-Pacific (syd)

Tailnet nodes (yak-bebop.ts.net)
  • laptop, 100.64.1.5, alice.yak-bebop.ts.net, macOS, WireGuard
  • server (EXIT node), 100.64.2.10, exit.yak-bebop.ts.net, Linux, Routes: 0.0.0.0/0
  • phone, 100.64.3.8, bob.yak-bebop.ts.net, iOS, WireGuard
  • office-router (SUBNET router), 100.64.4.1, office.yak-bebop.ts.net, Routes: 192.168.1.0/24, fronting the Office Network 192.168.1.0/24 (Internal Resources)

Link labels between nodes: direct, direct, direct, attempting direct

NAT Traversal Process
  1. DISCO packets via DERP
  2. STUN-like endpoint discovery
  3. Direct WireGuard tunnel
  4. Fallback to DERP relay if needed

Connection Types (legend)
  • Direct WireGuard (encrypted P2P)
  • DERP Relay (encrypted relay)
  • Control Plane (auth, key exchange)
  • Online/Connected

Mesh VPN Features
  • True mesh topology (no hub)
  • WireGuard encryption
  • Automatic NAT traversal
  • MagicDNS resolution
  • ACL-based access control

This diagram illustrates the architecture of Tailscale’s mesh VPN, showing:

  • Hybrid control/data plane architecture
  • Peer-to-peer WireGuard connections between nodes
  • DERP relay servers for NAT traversal fallback
  • Centralized coordination server for key exchange and policy distribution
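The diagram's "ACL-based access control" and the advertised routes (the exit node's 0.0.0.0/0 and the office router's 192.168.1.0/24) are expressed in the tailnet policy file that the control plane distributes. The following policy is an added example written for this page, not the diagram's own configuration or a file published by Tailscale; the user identities (alice@example.com, bob@example.com), the tag names (tag:exit, tag:router) and the permitted ports are assumptions chosen to match the nodes shown. It replaces Tailscale's permissive default (accept any source to any destination) with a least-privilege policy, and comments are allowed because the policy file format is HuJSON.

```json
{
  // Tags a machine may carry, and who is allowed to apply them.
  // Assumed names: tag:exit for the exit node, tag:router for the subnet router.
  "tagOwners": {
    "tag:exit":   ["autogroup:admin"],
    "tag:router": ["autogroup:admin"]
  },

  // Auto-approve only the routes the diagram's infrastructure nodes advertise,
  // and only when the advertising machine carries the matching tag. An
  // untagged laptop that starts advertising 0.0.0.0/0 or the office prefix
  // stays unapproved and is visible to admins for review.
  "autoApprovers": {
    "routes":   { "192.168.1.0/24": ["tag:router"] },
    "exitNode": ["tag:exit"]
  },

  // The policy is default-deny: anything not matched by an accept rule below is dropped.
  "acls": [
    // alice's laptop and bob's phone may reach the office LAN through the
    // subnet router, but only on SSH and HTTPS rather than the whole /24 on every port.
    {
      "action": "accept",
      "src": ["alice@example.com", "bob@example.com"],
      "dst": ["192.168.1.0/24:22,443"]
    },

    // Any member may send internet-bound traffic through the exit node.
    // autogroup:internet matches only destinations outside the tailnet.
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:internet:*"]
    },

    // Admins manage the tagged infrastructure nodes over SSH only.
    {
      "action": "accept",
      "src": ["autogroup:admin"],
      "dst": ["tag:exit:22", "tag:router:22"]
    }
  ]
}
```

Two design choices matter here. Tying route approval to tags means the 0.0.0.0/0 and 192.168.1.0/24 routes in the diagram can only come from machines an admin has explicitly tagged, so a compromised end-user device cannot quietly become an exit node or a path into the office network. Scoping the office rule to specific ports rather than `*` keeps the subnet router from turning the mesh into a flat extension of the LAN.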