---
title: "Tailscale security and trust model"
type: concept
tags: [security, zero-trust, encryption, firewall, privacy]
created: 2026-07-07
updated: 2026-07-07
sources: ["raw/docs_page-zero-trust-networking-definition-tailscale-docs.md", "raw/docs_page-can-tailscale-decrypt-my-traffic-tailscale-docs.md", "raw/docs_page-is-my-traffic-routed-through-your-servers-tailscale-docs.md", "raw/docs_page-what-devices-can-connect-to-or-know-mine-tailscale-docs.md", "raw/docs_page-what-firewall-ports-should-i-open-to-use-tailscale-tailscale.md", "raw/docs_page-tailscale-encryption-tailscale-docs.md"]
confidence: high
---

## Definition

Tailscale is built on a **zero-trust** model: the core premise is that "you can't trust the physical network anymore." Zero Trust Networking (ZTN) is an architecture descended from Google's BeyondCorp design. Instead of a "hard crunchy outside, soft chewy inside" perimeter firewall, Tailscale puts a firewall around every device and service and keeps every session encrypted between each pair of endpoints, so an attacker with physical network access sees only "meaningless encrypted packets" and cannot easily perform "lateral motion" between devices.

## How It Works

**Tailscale cannot decrypt your traffic.** Devices running Tailscale only exchange their public keys; private keys never leave the device. All traffic is end-to-end encrypted, always.

**Traffic is not routed through Tailscale's servers by default.** Tailscale routes traffic over the shortest path possible -- in most cases a direct, peer-to-peer connection. When a direct connection cannot be established, devices bounce traffic off geographically distributed relay servers called **DERPs**. Relayed traffic is already encrypted and is "no different security-wise than the other dozen hops your internet packets already make."

**Encryption layers** span the control plane and data plane:
- **Control plane** (key exchange, coordinating connections): a custom Noise IK-based protocol with X25519 (RFC7748). It can run over plain TCP or be wrapped in TLS.
- **Data plane** (device-to-device traffic): WireGuard. DERP servers "never access your unencrypted data; they only handle WireGuard packets that are already encrypted." Device-to-DERP connections are authenticated using a NaCl box construction on top of TLS.
- **NAT traversal**: a custom UDP protocol using NaCl box; it can only influence connection efficiency, "not the security of the data they carry."
- **TLS**: builds on Go crypto/tls, requiring a minimum of TLS 1.2 and supporting TLS 1.3, with ECDHE forward secrecy and AEAD (AES-128-GCM or ChaCha20-Poly1305).
- Tailnet Lock uses ED25519 signatures. Device TLS certificates come from Let's Encrypt for MagicDNS hostnames.

**Device visibility** is organized into tailnets by identity-provider domain. Devices in different tailnets cannot know about or connect to each other by default; cross-tailnet access requires explicit sharing. Within a tailnet the model is deny-by-default, but the **default access-control policy lets all devices connect to and know about each other**. Tailscale uses **netmap trimming** so a client sees only relevant devices. If a grant lets device-a connect to device-b, each can know about the other; with no such rule, neither can know about the other.

## Key Parameters

**Firewall ports.** Most of the time you **don't need to open any firewall ports** -- Tailscale uses NAT traversal so it "just works." When both devices are on difficult networks, you may open ports to help peer-to-peer connections:
- Let internal devices start **TCP connections to `*:443`** -- coordination server and DERP relays use HTTPS on port 443.
- Let internal devices start **UDP from `:41641` to `*:*`** -- direct WireGuard tunnels use UDP with a source port that defaults to `41641` (reconfigurable per device).
- Let internal devices start **UDP to `*:3478`** -- the STUN protocol, used only toward DERP servers.
- Let internal devices start **HTTP (TCP) connections to `*:80`** -- coordination server prefers HTTP on port 80 (falls back to 443), also used for captive-portal detection via a `/generate_204` endpoint returning a `204` status.

Static IP ranges (if IP-based rules are required):
- `login.tailscale.com` / `controlplane.tailscale.com` -- IPv4 `192.200.0.0/24`, IPv6 `2606:B740:49::/48`.
- `log.tailscale.com` -- IPv4 `199.165.136.0/24`, IPv6 `2606:B740:1::/48`.

DERP servers are named `derpN` where `1 <= N <= 28` (as of August 2025) and are reached at TCP port `443`.

## When To Use

The zero-trust model applies to every Tailscale deployment. Tailscale recommends an **incremental** rollout: first secure user devices with encrypted connections to [[concepts/subnet-routers|subnet routers]], then add end-to-end encryption to your most valuable servers one by one, lock down non-encrypted traffic, and finally retire the subnet routers for a fully migrated subnet.

## Risks & Pitfalls

- Tailscale's cryptographic implementations are **not FIPS compliant**, and primitives such as Curve25519, XSalsa20, ChaCha20-Poly1305, and the Noise and WireGuard protocols cannot be made FIPS compliant. This may matter for organizations with FIPS requirements.
- The default "allow all within a tailnet" policy is permissive -- restrict visibility with more prescriptive [[concepts/access-controls|access-control policies]] when needed.
- Hardcoding DERP IP addresses is discouraged; the set of relays grows over time, so use `*:443` and domain-based rules.
- All Tailscale log data is sent over TLS "without additional authentication or encryption."

## Related Concepts

- [[concepts/how-tailscale-works]]
- [[concepts/access-controls]]
- [[concepts/exit-nodes]]
- [[concepts/api-and-automation]]
- [[syntheses/tailscale-vs-vpn]]

## Sources

- raw/docs_page-zero-trust-networking-definition-tailscale-docs.md
- raw/docs_page-can-tailscale-decrypt-my-traffic-tailscale-docs.md
- raw/docs_page-is-my-traffic-routed-through-your-servers-tailscale-docs.md
- raw/docs_page-what-devices-can-connect-to-or-know-mine-tailscale-docs.md
- raw/docs_page-what-firewall-ports-should-i-open-to-use-tailscale-tailscale.md
- raw/docs_page-tailscale-encryption-tailscale-docs.md
