
Everyone loves Tailscale, but it's masking a critical gap in how most people think about networks

At a glance:

  • Tailscale provides easy-to-use peer-to-peer VPN tunnels for device connectivity but doesn't replace proper network infrastructure
  • The tool can mask underlying network issues rather than solving them, potentially hiding problems that could worsen over time
  • Tailscale has limitations including lack of mDNS support, inability to fix physical network problems, and potential issues with MTU sizes and overlapping routes

What Tailscale Does (And Doesn't Do)

Tailscale is a software-defined network (SDN) that utilizes peer-to-peer VPN tunnels to keep data secure while connecting devices across different networks. Its simplicity and ease of setup have made it popular among home lab enthusiasts and professionals alike. The service allows users to create robust networks of devices without requiring deep networking knowledge, as it abstracts away many of the complex configuration challenges traditionally associated with networking.

However, Tailscale is not a complete replacement for underlying network infrastructure. While it enables connections to services when outside your home network, it won't magically fix connection issues. At best, it masks or side-steps problems to make connections appear better for certain uses. This creates a potential blind spot for users who might assume their network is properly configured simply because Tailscale is working. The fundamental networking concepts that ensure hardware layers remain safe, solid, and secure still require attention, and jumping too quickly into SDN configuration for everything can lead to problems down the line.

Using Tailscale as a Management Plane

The author, who has been writing about technology since 2018 and currently works at XDA, emphasizes that Tailscale is most effective when used as a management plane rather than a replacement for the underlying network. This approach provides disaster recovery capabilities when networking issues arise, allowing administrators to reconnect to admin pages of appliances to fix problems. Additionally, using Tailscale for SSH connections keeps that traffic encrypted without exposing ports over the internet, enhancing security.

This usage pattern also illustrates a critical point about Tailscale's limitations. Because it maintains a persistent connection, it can hide underlying issues with device discovery, network paths to shared resources, or mismatched subnets. The author specifically mentions that they intentionally disconnect from their Tailnet at times to stay aware of these potential issues, which also keeps their management layer untouchable until they reconnect, enhancing overall network security. This deliberate disconnection strategy helps prevent the complacency that can arise when network problems are masked by the overlay.

How Tailscale Can Mask Network Problems

The ease with which Tailscale can be deployed creates a risk of masking multiple underlying network issues. According to Tailscale's own blog, the service allows administrators to create robust networks without needing to properly scope firewall rules, fine-tune DNS and network configurations, or set up certificate authorities. While this convenience is valuable, it can lead to a false sense of security where users assume their network is secure simply because Tailscale is running.

For example, when setting up a Minecraft server for friends, Tailscale eliminates the need to open ports directly to the internet. However, the server setup process might still prompt users to open a port or do so automatically, leaving an unnecessary open port in the underlying network configuration. Similarly, Tailscale hides NAT (and CG-NAT) complexity, which is fine when connecting only through the Tailnet but becomes problematic when normal internet traffic still flows through the underlying architecture, potentially exposing instabilities that wouldn't be apparent through the Tailscale interface.
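The "unnecessary open port" problem is easy to check for from the host itself: a service that is meant to be reached only over the Tailnet should be bound to the node's Tailscale address (Tailscale assigns these from the CGNAT range 100.64.0.0/10), not to 0.0.0.0 or [::], which also exposes it on the LAN and, with port forwarding, the WAN. The following script is an added example and not code from the original article; it parses the output of Linux `ss -tlnp` and flags listeners bound to every interface. The `ss` output embedded in it is constructed to stand in for a real capture.

```python
"""Audit TCP listeners on a Tailscale node: which are reachable only over the
tailnet, which are loopback-only, and which are bound to every interface?

Added example (not from the article). Assumes Linux `ss -tlnp`; the sample
output below is constructed, not captured from a real host."""
import ipaddress
import re
import subprocess

# Tailscale node addresses come from the CGNAT range.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")

# Constructed stand-in for `ss -tlnp` output.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:25565        0.0.0.0:*         users:(("java",pid=4242,fd=9))
LISTEN 0      128    100.101.102.103:22   0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      4096   127.0.0.1:5432       0.0.0.0:*         users:(("postgres",pid=900,fd=6))
LISTEN 0      511    [::]:8080            [::]:*            users:(("node",pid=1337,fd=20))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, optional process info.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")


def classify(addr: str) -> str:
    """Map a bound address to where the listener can be reached from."""
    addr = addr.strip("[]")
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"  # LAN, tailnet and (if forwarded) WAN
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and ip in TAILSCALE_V4:
        return "tailnet-only"
    return "specific-interface"


def parse_listeners(ss_output: str) -> list:
    """Turn `ss -tlnp` text into a list of dicts, one per listening socket."""
    rows = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-LISTEN row
        addr, port, proc = m.groups()
        pm = re.search(r'"([^"]+)"', proc)
        rows.append({
            "addr": addr,
            "port": int(port),
            "process": pm.group(1) if pm else "?",
            "scope": classify(addr),
        })
    return rows


def find_exposed(rows: list) -> list:
    """Listeners that are reachable from every interface, not just the tailnet."""
    return [r for r in rows if r["scope"] == "all-interfaces"]


def audit_live() -> list:
    """Run the check against the current host (Linux with iproute2 only)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return find_exposed(parse_listeners(out))


if __name__ == "__main__":
    for r in parse_listeners(SAMPLE_SS_OUTPUT):
        flag = "  <-- exposed beyond the tailnet" if r["scope"] == "all-interfaces" else ""
        print(f"{r['process']:>10} port {r['port']:<6} {r['addr']:<18} {r['scope']}{flag}")
```

On the constructed sample the game server on 25565 and the web app on 8080 are flagged, while SSH bound to the node's 100.x address is reachable only through the overlay; running `audit_live()` on a real node gives the same classification for its actual sockets.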

Limitations of Tailscale's Architecture

Despite its benefits, Tailscale has several architectural limitations that users should understand. The service relies on the underlying network paths to function, meaning it cannot magically repair packet loss, fix flaky Wi-Fi, replace crummy cables, or resolve ISP issues. Any disruption that would affect normal browsing will also impact the Tailnet connection.

One technical limitation involves MTU (Maximum Transmission Unit) settings. Tailscale's transport layer uses MTU 1280, which works well with physical networks that typically use 1500. However, cellular hotspots and other devices may not support this packet size, potentially leading to broken TCP sessions or partial connectivity when larger packets are pushed across links that cannot carry them. Additionally, overlapping routes can cause failover issues. If one router advertises only 10.0.0.0/24 while another advertises 10.0.0.0/16, network segments can go offline until the more specific subnet is properly configured to advertise both ranges.
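Overlapping subnet routes are worth catching before a failover exposes them. The script below is an added example, not code from the article or from Tailscale: it takes a constructed table of which node advertises which routes, reports overlaps between different nodes, and shows which advertiser a destination would be sent to under longest-prefix match (the usual routing rule, and the reason a /24 advertiser takes traffic away from a /16 advertiser that covers the same space). Whether the remaining advertiser can physically reach a segment once the more specific one drops out is exactly the underlying-network question the overlay cannot answer for you.

```python
"""Detect overlapping advertised subnet routes and show longest-prefix selection.

Added example (not from the article). The node names and routes are constructed."""
import ipaddress
from itertools import combinations

# Constructed advertisement table: node name -> routes it advertises.
ADVERTISED = {
    "router-a": ["10.0.0.0/24"],
    "router-b": ["10.0.0.0/16"],
    "nas": ["192.168.1.0/24"],
}


def parse_table(table: dict) -> list:
    """Flatten the table into (network, node) pairs; strict=True rejects host bits."""
    routes = []
    for node, cidrs in table.items():
        for cidr in cidrs:
            routes.append((ipaddress.ip_network(cidr, strict=True), node))
    return routes


def overlaps(table: dict) -> list:
    """Pairs of routes from different nodes where one prefix contains the other."""
    found = []
    for (n1, a), (n2, b) in combinations(parse_table(table), 2):
        if a == b or n1.version != n2.version:
            continue
        if n1.subnet_of(n2) or n2.subnet_of(n1):
            found.append(((str(n1), a), (str(n2), b)))
    return found


def select_route(table: dict, destination: str, offline=()):
    """Longest-prefix match over online advertisers; None when nothing covers dst."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, node in parse_table(table):
        if node in offline or net.version != dst.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, node)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    for (r1, a), (r2, b) in overlaps(ADVERTISED):
        print(f"overlap: {r1} via {a} is inside {r2} via {b}")
    for dst in ("10.0.0.7", "10.0.5.7"):
        print(dst, "->", select_route(ADVERTISED, dst))
    print("10.0.0.7 with router-a offline ->",
          select_route(ADVERTISED, "10.0.0.7", offline={"router-a"}))
```

With router-a online, 10.0.0.7 goes through it and 10.0.5.7 through router-b; with router-a offline, 10.0.0.7 falls to router-b's /16, which only helps if router-b really has a path into that /24.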

Network Feature Limitations

Tailscale doesn't support every networking feature that users might expect. One of the most requested features from the community is mDNS support, which would enable auto-configuration and discovery over the Tailnet. Other services like ZeroTier have implemented mDNS over SDN, but they use a different protocol that functions like a virtual network switch rather than Tailscale's peer-to-peer tunnels using WireGuard.

The fundamental architecture of VPN protocols, which don't naturally pass multicast and other types of network traffic, presents a challenge for implementing mDNS in Tailscale. Adding this feature would likely require significant architectural changes and could potentially overwhelm Tailscale's central servers with multicast traffic. While users can still access networked printers through Tailscale, features like AirPrint won't work without alternative configurations, such as printing directly via the printer's IP address or setting up a print service on an always-on device like a NAS.

The Balanced Approach to Tailscale

Tailscale's ability to work across various networking configurations is both a strength and a weakness. Its forgiving nature makes networking accessible to less experienced users but also creates the temptation to use it as the primary connectivity layer while ignoring underlying issues. The author advocates for a balanced approach: using Tailscale as a control plane management layer while learning proper networking construction. This strategy provides a "spare parachute" when configuring network elements, allowing for experimentation with the safety net of Tailscale's remote access capabilities.

Ultimately, Tailscale remains an excellent tool for remote access and network management, but it's not a solution for network instability, poor performance, or glitches originating from the underlying infrastructure. The most effective implementation combines Tailscale's convenience with proper network design principles, ensuring that the underlying infrastructure remains robust even as the overlay provides additional functionality and security.

Editorial: SiliconFeed is an automated feed: facts are checked against sources; copy is normalized and lightly edited for readers.

FAQ

What is Tailscale and how does it work?

Tailscale is a software-defined network (SDN) that uses peer-to-peer VPN tunnels to connect devices across different networks securely. It creates an overlay network called a Tailnet that allows devices to communicate as if they were on the same local network, without requiring complex firewall configurations or port forwarding. The service uses the WireGuard protocol for encrypted connections and operates through centralized coordination nodes while maintaining a peer-to-peer architecture for device-to-device communication.

Can Tailscale completely replace my existing network infrastructure?

No, Tailscale is not designed to be a complete replacement for underlying network infrastructure. While it provides an overlay for device connectivity and remote access, it doesn't fix physical network issues like poor Wi-Fi, packet loss, or cable problems. It can mask underlying configuration issues rather than solving them, potentially creating false confidence in network security. For optimal results, Tailscale should be used as a management plane or additional layer rather than as the primary network infrastructure.

What are the main limitations of Tailscale that users should be aware of?

Tailscale has several notable limitations including lack of mDNS support for device discovery, inability to pass multicast traffic, potential issues with MTU sizes (especially with cellular hotspots), and problems with overlapping network routes. It also requires UDP connectivity to its servers, which can be problematic in enterprise networks where UDP is often blocked. Additionally, while Tailscale encrypts traffic within the Tailnet, it doesn't inherently secure the underlying network infrastructure or fix configuration issues that might exist outside the overlay.
