Is Tailscale's Cross-Region Networking Worth the Effort? A Hands-On Review and Guide to Avoiding Pitfalls

Let me start with the conclusion

If you just want to access your company’s machine running your code from home, or connect to your home NAS from your phone while you’re out and about, Tailscale is probably the most hassle-free option available right now. Install it, log in, and you’re good to go—all in less than five minutes.

But if you plan to use it as a high-traffic relay within China, or expect the free version to run stably at full bandwidth indefinitely, you’d better adjust your expectations first. This tool’s real strength lies in “letting a few devices find each other, connecting directly whenever possible, and falling back to a relay when a direct connection isn’t available”—it’s not meant to replace that FRP server you’ve been running for three years.

Here are my honest thoughts after using it for over half a year, along with a few pitfalls I’ve run into. I’m not here to hype it up or bash it—after reading this, you should be able to decide for yourself whether it’s right for you.

Several Ways to Reach Machines Behind NAT or a Firewall: What Are the Differences?

First, I’ll list a few common options available on the market so you don’t have to keep looking them up. I’ll explain which ones are best suited for whom, rather than simply ranking them by quality.

FRP: This is a tried-and-true solution. The principle is straightforward: you need a VPS with a public IP address to act as a relay; internal machines connect to it, and external users reach your network through the VPS. It’s the most stable option, and throughput is the most predictable, since all traffic passes through your own server. The trade-off is that you have to maintain a VPS—even a cheap one costs several dozen yuan a month—and handle its upkeep yourself. This approach suits people who are willing to tinker, need high stability, and move a lot of traffic.

Cloudflare Tunnel: This takes a different approach. You don’t need to buy a VPS; Cloudflare provides a free tunnel that comes with its own domain and HTTPS certificate. The setup is ridiculously simple—it’s up and running with a single Docker command. However, its servers are all located overseas, so latency from within China is relatively high, connections occasionally drop, and it doesn’t support UDP. If you just want to expose a web service for a client demo or share a file with a friend, this is the most hassle-free option. If you plan to use it for online gaming or remote desktop access, though, the experience will be subpar.

ZeroTier: Similar to Tailscale, it brings scattered devices into a virtual local area network. ZeroTier has been around longer and has a larger user base in China. The problem is that its root servers are often unreachable from within China, and reconnecting after a disconnection is slow—so the user experience can be hit-or-miss.

Tailscale: Built on WireGuard, with end-to-end encrypted peer connections at its core. It first attempts to establish a direct connection (P2P) between two devices; if that succeeds, traffic flows directly, at speeds approaching those of the underlying network. If it fails, it falls back to a relay server (DERP) for forwarding. It has a lower configuration barrier than the others mentioned above, with clients for Windows, Mac, Linux, Android, and iOS—simply install and log in.

These four aren’t interchangeable; it’s more like each has its own specific role. At home, I use Tailscale to connect my everyday devices, while at work, I have an FRP server set up as a dedicated relay, and I use Cloudflare Tunnel for ad-hoc demos. Mixing them all actually works best for me.

What's Tailscale actually like to use?

Once you've installed the client and logged in with your GitHub or Google account, your device will be connected to the network. Each machine will be assigned a static IP address in the 100.x.x.x range. From then on, you can access it directly using that IP address—no need to remember a port or configure a domain name.

Day to day, the experience falls into two cases.

When both devices are on the same local area network, or when network conditions are good enough to allow a direct P2P connection, the speed is essentially at the raw network level. When I access my home NAS from work, file transfers can reach over 30 MB/s—it’s almost no different from doing it locally. The latency for an SSH connection to the server is only about ten milliseconds, which is much smoother than those commercial remote desktop tools.

The problem is when the P2P connection fails. Tailscale automatically falls back to the official relay node (DERP) for forwarding. Most of the official DERP nodes are located overseas, so latency when connecting from within China can skyrocket to 100 or 200 milliseconds, and bandwidth is also limited. Under these conditions, remote desktop connections will be choppy, and transferring large files is out of the question.

There’s one limitation to keep in mind with the free version: each account is limited to 100 devices and 3 users. This is more than enough for individuals and small teams; if you’re actually dealing with hundreds of devices, you should have already considered upgrading to a paid plan or setting up your own system.

Build One from Scratch—Up and Running in Three Steps

Suppose you have a Linux server at home and a laptop outside the home, and you want to connect them to the same network.

Step 1: Install the client on both machines. On Linux, this is usually done with a single command:

curl -fsSL https://tailscale.com/install.sh | sh

For Windows and Mac, go directly to the official website to download the installer. It's also available in the respective app stores for mobile devices.

Step 2: Run tailscale up. A browser window will pop up asking you to log in and grant authorization. If you log in to all devices with the same account, they will automatically join the same network.

Step 3: Run tailscale status to check the connection status. You'll see each device's IP address and whether it's currently connected directly or via a relay. At this point, the two machines can already ping each other.

If you want your laptop outside your home to be able to access your entire home LAN (not just the server running Tailscale), you'll need to enable subnet routing on the server:

tailscale up --advertise-routes=192.168.1.0/24

Replace the subnet with your actual home network subnet. Then, in the device settings of your Tailscale dashboard, approve the subnet route for this device. Many people forget this step, which results in them being unable to access other devices on the internal network—and they end up thinking their configuration is wrong.
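The subnet-router step above, wrapped in a script as an added example (not from the original post). It assumes a systemd-based Linux host with tailscaled installed, and HOME_SUBNET is a constructed placeholder for your own LAN; it also enables kernel IP forwarding, which tailscaled needs before it can forward packets for an advertised route.

```shell
#!/bin/sh
# Added example: turn a Linux box into a Tailscale subnet router.
# Assumes systemd + tailscaled; HOME_SUBNET is a constructed placeholder.
set -eu

HOME_SUBNET="${HOME_SUBNET:-192.168.1.0/24}"

# Accept only a plausible IPv4 CIDR so a typo is never advertised to the tailnet.
validate_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Reject ranges inside 100.64.0.0/10, the pool Tailscale hands out to peers;
# advertising it would shadow the tailnet's own addresses.
not_tailscale_range() {
    case "$1" in
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
        *) return 0 ;;
    esac
}

# Without kernel forwarding the route is approved but traffic still goes nowhere;
# this is forgotten about as often as the admin-console approval.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
        | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf >/dev/null
}

main() {
    validate_cidr "$HOME_SUBNET" || { echo "bad CIDR: $HOME_SUBNET" >&2; exit 1; }
    not_tailscale_range "$HOME_SUBNET" || { echo "overlaps 100.64.0.0/10" >&2; exit 1; }
    enable_forwarding
    sudo tailscale up --advertise-routes="$HOME_SUBNET"
    # The route stays inactive until an admin approves it for this machine.
    sudo tailscale status --json | grep -o '"BackendState": *"[A-Za-z]*"'
    echo "Now approve $HOME_SUBNET for this machine in the admin console."
}

# Only act when asked, so the file can be sourced for its checks without side effects.
if [ "${1:-}" = "apply" ]; then
    main
fi
```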

A Few Pitfalls I've Actually Run Into

What should I do if the relay is too slow? High latency with official DERP within China is a major drawback. The solution is to set up your own domestic relay node on a VPS with a public IP address. Once set up, devices that can’t connect via P2P will route through your own relay, reducing latency to just a few dozen milliseconds. The configuration isn’t too difficult—there are ready-made Docker images available online—but be sure to open the corresponding ports (typically 3478/UDP and a custom TCP port), as cloud service providers’ security groups often don’t include them by default.

Subnet routing is not working. In 90% of cases, it’s because you forgot to approve it in the admin console. Tailscale’s security policy requires that even if you’ve advertised a subnet, it won’t take effect until an administrator explicitly approves it. Go to the admin console, find that device, and simply click “Allow” in the routing settings.

The device occasionally loses its connection and does not reconnect. This issue is commonly seen on clients running on OpenWrt routers or on laptops that have been woken from sleep mode. Usually, simply restarting the service will resolve it. If you want a permanent solution, setting Tailscale to start automatically at boot and adding a script to periodically check the connection (restarting the service if the ping fails) can save you a lot of trouble.
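The periodic check-and-restart script mentioned above, as an added example (not from the original post). PEER is a constructed placeholder for an always-on tailnet address; the init-script path for OpenWrt is an assumption, and the script is meant to be run from cron.

```shell
#!/bin/sh
# Added example: watchdog for tailscaled. Restarts the service when the backend
# is not "Running" or an always-on peer stops answering over the tunnel.
# PEER is a constructed placeholder; schedule with cron, e.g. every 5 minutes.
set -eu

PEER="${PEER:-100.64.0.2}"

# Parse the backend state from `tailscale status --json`; only "Running" means
# the node is authenticated and talking to the coordination server.
backend_running() {
    printf '%s' "$1" | grep -Eq '"BackendState": *"Running"'
}

# One probe with a short timeout so overlapping cron runs do not pile up.
peer_reachable() {
    ping -c 1 -W 3 "$1" >/dev/null 2>&1
}

# systemd on ordinary distros; procd init script on OpenWrt (path assumed).
restart_tailscale() {
    logger -t tailscale-watchdog "restarting tailscaled (peer $PEER unreachable)"
    if command -v systemctl >/dev/null 2>&1; then
        sudo systemctl restart tailscaled
    else
        /etc/init.d/tailscale restart
    fi
    # tailscaled restores its saved preferences on start; no `tailscale up` needed.
}

check_once() {
    status="$(tailscale status --json 2>/dev/null || true)"
    if backend_running "$status" && peer_reachable "$PEER"; then
        return 0
    fi
    restart_tailscale
}

if [ "${1:-}" = "run" ]; then
    check_once
fi
```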

Confusion over ACL permissions. By default, all devices on the same network can access each other. As the number of devices increases, you may want to restrict certain machines to one-way access. Tailscale’s ACLs are written in JSON; the rules aren’t particularly complex, but it’s easy to get tripped up when configuring them for the first time. I recommend starting with the simplest rule—“allow all”—and tightening the restrictions once everything is working properly.
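As an added example (not the post's own configuration), here is one Tailscale policy file that covers two of the pitfalls above: the custom DERP region for a self-hosted relay, and ACLs tightened from the "allow all" default to one-way access. The hostname, tags and LAN range are assumed placeholders; the file uses HuJSON, so the comments are legal.

```jsonc
{
  // Self-hosted relay. Tailscale reserves region IDs 900-999 for custom regions.
  // The official regions stay in the map as a fallback; set OmitDefaultRegions
  // to true only once you have verified the relay with `tailscale netcheck`.
  "derpMap": {
    "OmitDefaultRegions": false,
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "cn-home",
        "RegionName": "Self-hosted relay (placeholder)",
        "Nodes": [
          {
            "Name": "900a",
            "RegionID": 900,
            "HostName": "derp.example.com",   // placeholder; needs a valid TLS cert
            "DERPPort": 443,                  // the custom TCP port from the post
            "STUNPort": 3478                  // 3478/UDP must be open in the security group
          }
        ]
      }
    }
  },

  // Only admins may attach these tags to a machine.
  "tagOwners": {
    "tag:nas":    ["autogroup:admin"],
    "tag:laptop": ["autogroup:admin"]
  },

  "acls": [
    // Stage 1, while bringing devices up: the default allow-all rule.
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},

    // Stage 2: one-way access. Laptops reach the NAS on SSH and SMB;
    // nothing in the policy lets the NAS open connections back to a laptop.
    {"action": "accept", "src": ["tag:laptop"], "dst": ["tag:nas:22,445"]},

    // Members may reach the home LAN through the subnet router.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["192.168.1.0/24:*"]}
  ],

  // Routes advertised by a tag:nas machine are approved automatically,
  // which removes the forgotten-approval pitfall for that one device.
  "autoApprovers": {
    "routes": { "192.168.1.0/24": ["tag:nas"] }
  }
}
```

After saving, `tailscale netcheck` on a client should list region 900 with its latency, and `tailscale status` shows which relay a non-direct peer is using.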

When I Don't Recommend Using Tailscale

Having talked so much about the benefits, I should also mention the situations where it isn’t suitable, so you don’t end up spending a lot of time on it only to realize you’re heading in the wrong direction.

If what you need is fixed, high-volume relaying—for example, consistently transferring dozens of gigabytes of backups every day or streaming video surveillance feeds—then FRP paired with a reliable VPS is a better fit. Tailscale’s strengths lie in its flexibility and convenience, not in handling high-traffic relaying; plus, once you go through DERP, you don’t have full control over bandwidth or stability.

If you only need to expose a single HTTP service externally—such as giving a client a quick demo—Cloudflare Tunnel is more convenient than Tailscale. It comes with its own domain and certificate, so you don’t need the other party to install a client; you just send them a link.

If you want complete autonomy and control, to the point where you don’t even want to entrust your account system to Tailscale, you might want to check out Headscale. It’s an open-source implementation of the Tailscale control plane. Set it up yourself—the client remains unchanged, and you retain full control. The configuration is a bit more involved, so it’s best suited for tech-savvy people with a penchant for perfection.

A Few Final Words of Honesty

There’s no silver bullet when it comes to reaching machines behind NAT. I’ve seen too many people spend half a year chasing after the “perfect solution,” only to find that their needs could have been met with just an FRP or a Cloudflare Tunnel. I’ve also seen people who clearly just needed to remotely connect two computers, but insisted on setting up a complicated VPN tunnel instead.

Tailscale's value lies in making it as easy as possible for a few devices to find each other. It doesn't solve every problem, but for the specific issues it addresses, it currently works best.

My advice is this: Start by trying the free version for a week and add all the devices you need to connect to on a daily basis. Once everything is running smoothly, decide whether to set up your own DERP, upgrade to Headscale, or add an FRP based on the actual bottlenecks you encounter. Don’t try to do everything at once right from the start—that’s just asking for trouble.
