Architecture
How Tailscale Works
Tailscale separates its control plane from its data plane for secure, efficient networking.
Architecture
Control Plane: Device authentication, key exchange, network configuration
Data Plane: P2P direct connections with DERP relay fallback
DERP Relay Servers
Designated Encrypted Relay for Packets - used when a direct P2P connection fails
- Global DERP nodes deployed for low latency
- Data remains encrypted; relays cannot decrypt it
- Automatic selection of nearest node
Connection Process
1. Device Registration: Register with the control server and get a virtual IP (100.x.x.x)
2. Address Discovery: Use the STUN protocol to discover the public address and NAT type
3. NAT Traversal: Attempt UDP hole punching for a direct P2P connection
4. DERP Fallback: Use relay servers when P2P fails
┌─────────────────────────────────────────────────────────────┐
│                   Tailscale Architecture                    │
│  ┌───────────────────────────────────────────────────────┐  │
│  │ Tailscale Control Plane: Device authentication,       │  │
│  │ key exchange, network configuration                   │  │
│  └───────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
┌─────────────────────────────────────────────────────────────┐
│ Tailscale Data Plane: P2P direct connections with DERP      │
│ relay fallback                                              │
│                                                             │
│      Device A  ──────P2P Direct─────▶  Device B             │
│     (100.x.x.x)                       (100.x.x.x)           │
│           \                              /                  │
│            \    DERP Relay (Backup)     /                   │
│             \__________________________/                    │
│                                                             │
└─────────────────────────────────────────────────────────────┘