I killed my OpenVPN server 6 months ago. In its place: a 7-node Tailscale mesh that connects my rural Georgia home server, AWS production host, Mac Studio, and 4 mobile devices. Zero configuration, sub-50ms latency, and it just works.

Here's why mesh networking beats traditional VPNs, and why zero trust is the only sane way to do security in 2026.

🧠 The Problem with Traditional VPNs

For years, I ran OpenVPN on an AWS instance. It worked. Barely.

The pain points:

  • Single point of failure. VPN server goes down? Nobody can access anything.
  • Certificate hell. Managing device certs, rotating keys, revocation lists, endless admin overhead.
  • Performance bottleneck. All traffic routes through one server. My home → VPN → AWS → home = 300ms round trip.
  • Mobile is painful. iOS VPN profiles break constantly. Connection drops every time you switch networks.
  • Castle-and-moat security. Once you're inside the VPN, you can access everything. No granular controls.

I spent 4 hours debugging a cert expiry issue in December 2025. That was the last straw.

⚙️ Enter Tailscale

Tailscale is a zero-config mesh VPN built on WireGuard. Every device gets a permanent IP (100.x.y.z) and can talk directly to every other device.

How it works:

  • Install Tailscale on each device
  • Authenticate with your identity provider (Google, GitHub, Okta)
  • Devices discover each other via Tailscale's coordination server
  • NAT traversal establishes direct peer-to-peer connections
  • If direct connection fails, traffic relays through DERP servers

The magic: peer-to-peer means my Mac Studio talks directly to my home server (both on the same LAN) at full gigabit speed. No cloud relay.

🚀 My 7-Node Mesh

# Tailscale status output
$ tailscale status

100.126.47.114  overseer      linux   (Proxmox host, GA)
100.127.77.89   ctmprod       linux   (AWS us-east-1)
100.118.203.128 papayabox     windows (Windows host, GA)
100.101.23.45   macstudio     macOS   (Mac Studio M3 Ultra)
100.92.15.88    iphone        iOS     
100.85.44.22    ipad          iOS     
100.73.91.16    pixel         android 

Direct connections (peer-to-peer):
  overseer ↔ macstudio    (1ms, LAN)
  ctmprod ↔ macstudio     (24ms, direct)
  iphone ↔ ctmprod        (48ms, direct)

Relayed connections (DERP):
  pixel ↔ overseer        (85ms, relayed via NYC)

Use cases:

  • SSH access: `ssh overseer` from anywhere (Tailscale resolves hostnames)
  • Internal services: Grafana, Portainer, Proxmox UI, all accessible via Tailscale IPs, no public exposure
  • File sharing: SMB mounts from my phone to home server (stream movies, access docs)
  • Development: Test code on Mac Studio, deploy to ctmprod, monitor on overseer, all via private IPs

💡 ACLs: Zero Trust in Action

Tailscale's ACLs (Access Control Lists) let you define granular permissions. I use HuJSON (human JSON with comments) to manage them:

{
  // Admin group (me + Mac Studio)
  "groups": {
    "group:admin": ["petie@petieclark.com", "macstudio"]
  },
  
  // ACLs
  "acls": [
    // Admin can access everything
    {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    
    // Production server can only access databases on overseer
    {"action": "accept", "src": ["ctmprod"], "dst": ["overseer:5432", "overseer:6379"]},
    
    // Mobile devices can access web UIs but not SSH
    {"action": "accept", "src": ["tag:mobile"], "dst": ["*:80", "*:443", "*:3000"]},
    
    // Block all other traffic by default
    {"action": "deny", "src": ["*"], "dst": ["*:*"]}
  ],
  
  // Tag definitions
  "tagOwners": {
    "tag:mobile": ["petie@petieclark.com"]
  }
}

This is zero trust: every connection is authenticated and authorized. My phone can access Grafana but can't SSH into production. ctmprod can query databases but can't browse the web through my home network.

📊 Performance Comparison

# Ping times (Mac Studio → ctmprod)

OpenVPN (before):
  Avg: 87ms
  Jitter: 45ms
  Packet loss: 2%

Tailscale (after):
  Avg: 24ms
  Jitter: 3ms
  Packet loss: 0%

# SSH session latency

OpenVPN: Noticeable lag when typing
Tailscale: Feels like local terminal

# File transfer (1GB test)

OpenVPN: 4min 32s (3.7 MB/s)
Tailscale: 1min 48s (9.5 MB/s)

Tailscale is faster because it uses direct peer-to-peer connections instead of routing everything through a central server. WireGuard's modern crypto is also more efficient than OpenVPN's.

🔒 Security Model

Old model (VPN): Trust the network. Once you're in, you're trusted.

New model (Tailscale): Trust the identity. Every device, every connection, every port is authenticated.

Key differences:

  • Identity-based: Devices are tied to user accounts (via SSO), not certificates
  • Automatic key rotation: WireGuard keys rotate regularly without manual intervention
  • Audit logs: See every connection, every device, every ACL decision in the admin console
  • Revocation: Lost your phone? Revoke it from the web UI in 10 seconds

I sleep better knowing a compromised device can't pivot to my entire network. ACLs limit blast radius.

🔥 What Could Go Wrong

Tailscale is centralized. If their coordination servers go down, you can't add new devices (existing connections keep working). They've had 99.97% uptime in my 6 months.

NAT traversal can fail. Some corporate firewalls block it. Fallback to DERP relay works but adds latency.

Free tier limits. 100 devices max (I'm at 7). Paid plans start at $5/user/month.

For serious self-hosters, Headscale exists (open-source Tailscale control server). I haven't needed it yet, the free tier is generous.

🧠 Lessons Learned

  • Mesh > hub-and-spoke. Direct peer-to-peer is faster and more resilient.
  • Zero trust is practical. ACLs sound complex but take 10 minutes to set up and massively improve security.
  • WireGuard is fast. 4,000 lines of code vs OpenVPN's 600,000. Simpler = faster + more secure.
  • Mobile UX matters. Tailscale on iOS 'just works.' OpenVPN was a constant fight.
  • Eliminate public exposure. I closed 15 public ports after migrating to Tailscale. Attack surface: minimal.
  • GitOps for ACLs. Store your ACL policy in Git, review changes like code, deploy via API.

Six months in, I have zero regrets. Tailscale removed an entire category of problems from my life. No more VPN debugging at 2am, no more certificate renewals, no more firewall rules.

It's not often technology lives up to the hype. Tailscale does.

Next up: I'm experimenting with Tailscale SSH (replacing SSH keys with SSO auth). Stay tuned.