
The Audit: Where Is the Leak in a Tailscale Mesh?

I’ve been running a Tailscale mesh between my Mac mini, my laptop, and my Android phone for a while now. It’s the connective tissue for the personal stack — the thing that lets my phone reach a service on the Mac mini without exposing a port to the internet.

The question I kept asking myself: where exactly is the leak? If I’m trusting Tailscale with this, what am I actually trusting them with?

This is the audit.

The Data Path: peer-to-peer, end-to-end encrypted

The good news first.

Tailscale is a wrapper around WireGuard. When my phone talks to my Mac mini, the two devices negotiate WireGuard keys directly and the traffic flows peer-to-peer. The encryption keys live on the devices, not on Tailscale’s servers.

That means Tailscale the company cannot see the contents of my traffic. Even if they wanted to. Even if they were compelled to. They don’t have the keys, and the data doesn’t pass through them in the first place — it goes device-to-device, with their relay (DERP) used only as a fallback when NAT traversal fails, and the relayed traffic is still encrypted end-to-end.

For the data path, the threat model is clean.

The Control Plane: this is the weak point

The control plane is a different story.

Tailscale runs a coordination server. Its job is the bookkeeping that makes the mesh work:

  • Node identity — who is who, which public key belongs to which device, which devices belong to which account.
  • NAT traversal — helping devices behind firewalls find each other so they can establish a direct WireGuard tunnel.
  • ACLs — the rules for who can talk to whom on which ports.

None of this gives Tailscale your data. But all of it gives Tailscale a switch.

Concretely, the risks:

  • If Tailscale’s coordination servers go down, new connections can’t be established and existing ones eventually fall over. My phone and my Mac mini “lose” each other.
  • If Tailscale changes their terms, raises prices, or bans the account, the mesh stops working. The devices are fine; the wiring between them is gone.
  • The metadata — which devices exist, when they’re online, which ones are trying to reach which — lives on their server.

So the audit verdict on Tailscale-the-SaaS: data privacy is absolute, but availability and identity are leased.

The fully self-hosted path: Headscale

If the goal is to remove the leased dependency, the answer is Headscale.

Headscale is an open-source reimplementation of the Tailscale coordination server. The data plane stays the same — it’s still WireGuard, still peer-to-peer, still the official Tailscale clients on each device. The only thing that changes is who runs the coordinator.

The setup:

  1. Run Headscale on a VPS or a small box. A $5 Hetzner or DigitalOcean instance is plenty. A Raspberry Pi at a friend’s house works too — the coordinator is a control-plane service, not a high-throughput one, so the box can be tiny.
  2. Point your Tailscale clients at it. The official iOS, Android, macOS, Windows, and Linux clients all support pointing at a custom coordination server. You log in with whatever auth Headscale is configured for (it supports OIDC, so you can plug it into your own identity provider) instead of login.tailscale.com.
  3. You own the coordinator. No one outside your infrastructure can disable the mesh. Identity, ACLs, and node registration all live on hardware you control.

The data plane is unchanged because the data plane was never the problem. What changes is the switch — there’s no longer a third party who can flip it.
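The ACL rules are the part of that switch you take over with Headscale, so it is worth being able to check a policy before committing it to your own coordinator. The following is an added example, not code from Tailscale or Headscale: a simplified evaluator for the shared policy format, with constructed addresses and aliases for the phone, laptop and Mac mini, confirming that the phone reaches one service port on the Mac mini and nothing else.

```python
"""Simplified evaluator for the ACL policy format Tailscale and Headscale share.
Handles default deny, "hosts" aliases, "*" wildcards and "host:port" targets whose
port part is "*", one port, a range like "8000-8100" or a comma list of those.
Groups, tags, user logins and CIDR matching are left out of this model."""
import json

# Constructed sample policy: the phone reaches one service on the Mac mini and
# the laptop additionally gets SSH; everything else is denied by default.
POLICY = json.loads("""
{
  "hosts": {"macmini": "100.64.0.1", "laptop": "100.64.0.2", "phone": "100.64.0.3"},
  "acls": [
    {"action": "accept", "src": ["phone"],  "dst": ["macmini:8080"]},
    {"action": "accept", "src": ["laptop"], "dst": ["macmini:22,8080"]}
  ]
}
""")


def _resolve(policy, name):
    """Turn a hosts alias into its address; '*' and bare addresses pass through."""
    return policy.get("hosts", {}).get(name, name)


def _port_matches(spec, port):
    """spec is '*', '22', '8000-8100' or a comma-separated list of those."""
    for part in spec.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(policy, src_ip, dst_ip, port):
    """Default deny: True only if some accept rule covers src -> dst:port."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(_resolve(policy, s) in ("*", src_ip) for s in rule["src"]):
            continue
        for target in rule["dst"]:
            host, _, ports = target.rpartition(":")
            if _resolve(policy, host) in ("*", dst_ip) and _port_matches(ports, port):
                return True
    return False
```

Run the same checks against the policy file you are about to hand to the coordinator; a rule that accidentally opens the Mac mini to the phone on every port shows up here as an unexpected True.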

The trade-off: convenience vs autonomy

Property         | Tailscale (SaaS)              | Headscale (self-hosted)
-----------------|-------------------------------|-----------------------------
Data privacy     | Absolute (E2E WireGuard)      | Absolute (E2E WireGuard)
Availability     | Depends on Tailscale Inc.     | Depends on your server
Ease of use      | “It just works”               | You maintain the coordinator
Identity & ACLs  | Lives on Tailscale’s servers  | Lives on yours
Cost             | Free tier, then per-user      | Cost of a small VPS
Failure mode     | Their outage = your outage    | Your outage = your outage

Note the last row. Self-hosting Headscale doesn’t eliminate the failure mode — it relocates it. If your $5 VPS dies and you don’t notice, the mesh degrades the same way it would during a Tailscale outage. The difference is that the responsibility — and the recovery — is yours.
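Noticing is the part you can automate. As an added example, not something from the post or from Tailscale, here is a check over the JSON that `tailscale status --json` prints on any node, separating peers reached directly from those falling back to a DERP relay and those offline, and flagging a client that has lost its coordinator. The field names are those of the real output; the status document itself is constructed.

```python
"""Classify a Tailscale node's view of the mesh from `tailscale status --json`.
Field names (BackendState, Health, Peer, Online, CurAddr, Relay) are those of the
real output; the status document below is a constructed sample."""
import json

# Constructed: client reports a health warning, Mac mini reached directly,
# phone reached via DERP relay, a fourth node (the VPS) offline.
SAMPLE_STATUS = json.dumps({
    "BackendState": "Running",
    "Health": ["constructed warning: control server unreachable"],
    "Self": {"HostName": "laptop", "Online": True},
    "Peer": {
        "nodekey:aaaa": {"HostName": "macmini", "Online": True,
                         "Relay": "fra", "CurAddr": "203.0.113.10:41641"},
        "nodekey:bbbb": {"HostName": "phone", "Online": True,
                         "Relay": "fra", "CurAddr": ""},
        "nodekey:cccc": {"HostName": "vps", "Online": False,
                         "Relay": "", "CurAddr": ""},
    },
})


def assess(status_json):
    """Return backend state, health warnings and peers grouped by path.

    A peer with a CurAddr is talking directly; an online peer without one is
    going through the DERP region named in Relay (Relay is also set for direct
    peers, so it cannot be used alone). Anything the client lists in Health,
    a non-Running backend, or an offline peer marks the mesh degraded."""
    st = json.loads(status_json)
    report = {"running": st.get("BackendState") == "Running",
              "warnings": list(st.get("Health") or []),
              "direct": [], "relayed": [], "offline": []}
    for peer in st.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            report["offline"].append(name)
        elif peer.get("CurAddr"):
            report["direct"].append(name)
        else:
            report["relayed"].append((name, peer.get("Relay", "")))
    report["degraded"] = (not report["running"] or bool(report["warnings"])
                          or bool(report["offline"]))
    return report


if __name__ == "__main__":
    # On a real node: feed it subprocess.run(["tailscale", "status", "--json"]) output.
    for key, value in assess(SAMPLE_STATUS).items():
        print(f"{key:9} {value}")
```

A relayed peer is not a fault (the traffic is still end-to-end encrypted, as the post notes), which is why it is reported but does not set `degraded`; an offline coordinator or peer does.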

My take

For most people, Tailscale-the-SaaS is the right call. The data path is genuinely secure, the control plane is operated by a company that has been straightforward about what they can and can’t see, and the time you’d spend running Headscale is better spent on whatever the mesh exists to serve.

The case for Headscale is specific: you want the personal stack to outlive any specific vendor’s terms of service, you already run a small VPS for other things, and you’d rather own the coordinator than negotiate with one. That’s the trade — a recurring small operations cost in exchange for removing a third-party switch.

I’m running Tailscale today. I’m building toward Headscale. The migration is cheap because the data plane doesn’t change — only the bookkeeping moves house.
