Tailscale: the VPN that actually works for distributed teams

05 August 2024 · 2 min read

No OpenVPN, no manual WireGuard. Tailscale puts you on a private mesh in 90 seconds. What changed after we adopted it.

For years we ran corporate VPNs with hand-rolled OpenVPN or WireGuard. They work but they cost time: expiring certs, route updates, clients that won't talk. From mid-2023 we started replacing them with Tailscale.

What Tailscale is

A mesh VPN built on WireGuard, with a SaaS control plane. Each device (laptop, server, NAS, phone) installs the app, logs in via SSO (Google, Microsoft, GitHub), and joins the mesh. No certs, no public IP required, automatic NAT traversal.

What changed in our company

  • Access to NAS and internal servers: previously required corporate VPN; now ssh server.tail-xxxxx.ts.net from anywhere.
  • New colleague onboarding: was 30-45 minutes; now 5.
  • Client access: with node tags and ACLs we expose to a client only their servers.
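A sketch of the tag-and-ACL pattern from the last bullet, in Tailscale's policy file format (HuJSON). This is an added example, not our production policy: every group, user and tag name is a placeholder, and it assumes the client contact is a user in the tailnet.

```json
// Constructed example policy. Names and addresses are placeholders.
{
  "groups": {
    "group:staff":    ["alice@example.com", "bob@example.com"],
    "group:client-a": ["contact@client-a.example"],
  },
  // Only staff may apply these tags to a node.
  "tagOwners": {
    "tag:internal": ["group:staff"],
    "tag:client-a": ["group:staff"],
    "tag:client-b": ["group:staff"],
  },
  // Anything not matched by a rule below is denied.
  "acls": [
    // Staff reach internal servers and every client's servers.
    {
      "action": "accept",
      "src":    ["group:staff"],
      "dst":    ["tag:internal:*", "tag:client-a:*", "tag:client-b:*"],
    },
    // Client A reaches only nodes tagged for client A, on SSH and HTTPS.
    {
      "action": "accept",
      "src":    ["group:client-a"],
      "dst":    ["tag:client-a:22,443"],
    },
    // No rule has a tagged server as "src", so a client server
    // cannot open connections to the NAS or to another client's nodes.
  ],
  // Policy tests: saving the file is rejected if any of these fail.
  "tests": [
    {
      "src":    "contact@client-a.example",
      "accept": ["tag:client-a:22"],
      "deny":   ["tag:internal:22", "tag:client-b:22", "tag:client-a:3389"],
    },
    {
      "src":  "tag:client-a",
      "deny": ["tag:internal:445", "tag:client-b:22"],
    },
  ],
}
```

The `tests` block is what keeps the isolation from regressing: a later rule that accidentally opens client A to client B's servers fails the `deny` check before the policy is applied.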

Magic DNS and Funnel

Magic DNS gives readable names (nas.tail-xxxxx.ts.net). Funnel publishes an internal service on public HTTPS without opening firewall ports — handy for vendor webhooks during development.

Real cost

Free tier: 3 users, 100 devices. Personal Pro 5 USD/user/month up to 20 users, then Business at 18 USD/user/month. For our current size (8 people + tagged client nodes), Business stays well below the cost of a hardware firewall.

What it does NOT replace

Tailscale is a mesh for nodes you want to connect. It is not a perimeter firewall, not an IDS, not a full SSO proxy. For mid-size SMEs it is enough. For regulated or complex multi-site environments, it lives alongside other tools.