English for Tailscale
Learn the English vocabulary for Tailscale: mesh networks, nodes, and ACLs, explained for discussing zero-config VPN infrastructure clearly.
“The VPN is down” means something different for Tailscale than for a traditional VPN, because there’s no central server to be down in the first place — the vocabulary here lets you explain what’s actually failing when a peer-to-peer mesh network has connectivity problems.
Key Vocabulary
Tailnet — the private network formed by all devices connected under a single Tailscale account or organization, functioning as an isolated mesh network only those devices can join. “Everyone on the engineering team is on the same tailnet now, so any service running on a teammate’s dev machine is reachable by hostname without exposing it to the public internet.”
Node — a single device or machine connected to a tailnet, each with a stable identity and IP address regardless of what network it’s physically on. “That laptop is a node on our tailnet even when it’s on a coffee shop wifi — it still gets the same private IP and can reach internal services exactly like it would on the office network.”
Mesh network — a network topology where nodes connect directly to each other peer-to-peer rather than routing all traffic through a central server, which is how Tailscale avoids a single point of failure. “Traffic between these two nodes goes directly over the mesh network — it’s not being routed through any central server, so latency is just whatever the direct path between them costs.”
ACL (Access Control List) — the ruleset defining which nodes on a tailnet can reach which other nodes and on what ports, Tailscale’s mechanism for enforcing least-privilege network access. “The connection is being blocked by the ACL, not a firewall — that node’s tag isn’t in the allowed list for reaching the database group, so we need to update the policy file, not chase a network issue.”
DERP relay — a fallback relay server Tailscale uses to route traffic between two nodes when a direct peer-to-peer connection can’t be established, typically due to restrictive NAT or firewall rules. “Their connection is slower than expected because it’s falling back to a DERP relay instead of connecting directly — probably a NAT type on one end that’s blocking the direct path.”
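To make the ACL definition above concrete, here is an added example (not Tailscale's own code) in Python: a simplified evaluator for rules written in the shape of a Tailscale policy file's "acls" section, used to separate "blocked at the policy level" from a genuine connectivity failure. The node inventory, the two policies and the `network_ok` probe result are constructed for the illustration; Tailscale itself evaluates policy files (HuJSON, with groups, tagOwners and more) on its coordination server, which this toy does not model.

```python
from typing import Dict, Set

# Constructed node inventory: the labels (tags/groups) the ACL can match on.
NODES: Dict[str, Set[str]] = {
    "dev-laptop": {"tag:dev"},
    "ci-runner": {"tag:ci"},
    "prod-db-1": {"group:prod-db"},
}

# Constructed policy in the shape of a Tailscale policy file's "acls" section:
# only tag:ci may reach the database group on 5432, so tag:dev is denied.
POLICY_BLOCKING = {"acls": [
    {"action": "accept", "src": ["tag:ci"], "dst": ["group:prod-db:5432"]},
]}

# The same policy after "updating the policy file": tag:dev is added to src.
POLICY_FIXED = {"acls": [
    {"action": "accept", "src": ["tag:ci", "tag:dev"], "dst": ["group:prod-db:5432"]},
]}

def _port_matches(spec: str, port: int) -> bool:
    """Port spec is '*', a single port, a range 'lo-hi', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def acl_allows(policy: dict, src_node: str, dst_node: str, port: int) -> bool:
    """Default deny: True only if an accept rule matches a src label, a dst label and the port."""
    src_labels = NODES[src_node] | {"*"}
    dst_labels = NODES[dst_node] | {"*"}
    for rule in policy["acls"]:
        if rule.get("action") != "accept" or not any(s in src_labels for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            label, _, spec = dst.rpartition(":")  # "group:prod-db:5432" -> label, port spec
            if label in dst_labels and _port_matches(spec, port):
                return True
    return False

def diagnose(policy: dict, src_node: str, dst_node: str, port: int, network_ok: bool) -> str:
    """Tell 'blocked by ACL' apart from a genuine outage (network_ok is a constructed probe result)."""
    if not acl_allows(policy, src_node, dst_node, port):
        return "blocked by ACL"
    return "ok" if network_ok else "network issue"
```

Checking the policy first, as the tips below recommend, means a denied `acl_allows` result ends the investigation at the policy file rather than in the network.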
Common Phrases
- “Is this node actually on the tailnet, or does it need to be re-authenticated?”
- “Is this an ACL problem or an actual network connectivity issue?”
- “Are these two nodes connecting directly, or is this going through a DERP relay?”
- “What tag is this node assigned, and does the ACL allow it to reach that group?”
- “Is the whole tailnet affected, or just this one node?”
Example Sentences
Diagnosing a blocked connection: “This isn’t a network outage — the ACL policy doesn’t grant the dev tag access to the prod-db group, so the connection is being deliberately blocked at the policy level, not failing due to connectivity.”
Explaining unexpectedly high latency: “Latency between these two nodes is way higher than it should be for a direct connection — they’re falling back to a DERP relay because of NAT traversal issues, so we’re looking at a routing problem, not a bandwidth one.”
Describing tailnet architecture in onboarding: “Every engineer’s laptop and every internal service is a node on the same tailnet, so once you’re authenticated, you can reach internal tools by hostname exactly the same way whether you’re in the office or working remotely.”
Professional Tips
- Say tailnet, not “the VPN,” when precision matters — it clarifies you’re describing Tailscale’s specific mesh model, not a traditional hub-and-spoke VPN.
- Check the ACL before assuming a connectivity problem is a network issue — a blocked-by-policy failure and a genuine outage look identical from the client side but need completely different fixes.
- Mention DERP relay fallback explicitly when diagnosing unexpected latency between two nodes — it points straight at a NAT traversal issue instead of a vague “the network is slow.”
- Use node consistently instead of “machine” or “device” in tailnet discussions — it matches Tailscale’s own terminology and avoids ambiguity in ACL and routing conversations.
Practice Exercise
- Write a sentence explaining what a tailnet is.
- Explain the difference between a direct mesh connection and a DERP relay fallback.
- Describe how you’d diagnose whether a blocked connection is an ACL issue or a network issue.