Coordination Servers
A control server in Tailscale (officially called a "coordination server") is a centralized component that manages network coordination and device registration, but doesn't handle actual data traffic. It acts as the control plane in Tailscale's hybrid architecture, where control is centralized but data flows directly between devices in a peer-to-peer mesh.
[uxmo4a]
[niwe4k]
Core Functions
The coordination server performs several essential tasks: [niwe4k]
- Device registry and discovery: Maintains a complete registry of all devices (nodes) in your tailnet, including IP addresses, client versions, public keys, locations, and operating systems
- Key distribution: Exchanges WireGuard public keys between nodes so they can establish encrypted connections [s7crb9]
- Authentication: Handles user authentication and device authorization
- NAT traversal coordination: Manages endpoint information between devices and selects optimal DERP relay servers when direct peer-to-peer connections aren't possible [niwe4k]
Control Plane vs. Data Plane
Tailscale separates its architecture into two distinct planes: [uxmo4a]
- Control plane (hub-and-spoke): The coordination server exchanges tiny encryption keys and policies with minimal traffic
- Data plane (mesh): Actual encrypted traffic flows directly between devices peer-to-peer using WireGuard, not through the coordination server
This design means the coordination server is never a bottleneck for your data, and network performance scales with the number of nodes rather than being limited by a central gateway.
[uxmo4a]
Self-Hosted Alternative
Headscale is an open-source, self-hosted reimplementation of Tailscale's coordination server. It allows you to run your own control plane on infrastructure you control while still using official Tailscale clients on your devices. You can configure Tailscale clients to connect to a custom control server URL instead of Tailscale's default https://controlplane.tailscale.com.
[rr6tfm]
[kj79ce]
[tk0mlw]
[s7crb9]
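Because the coordination server distributes the public keys that peers trust, it is worth auditing which control server each client actually points at. The following is an added example, not code from Tailscale or Headscale: it assumes each device's preferences were collected as JSON containing a `ControlURL` field (the shape printed by `tailscale debug prefs`), and the function names, allowlist, and hostnames other than the default URL are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Tailscale's default coordination server, as named on this page.
DEFAULT_CONTROL_URL = "https://controlplane.tailscale.com"
# Hypothetical allowlist: the default plus a self-hosted Headscale instance.
APPROVED = [DEFAULT_CONTROL_URL, "https://headscale.example.internal"]

def normalize(url):
    """Reduce a URL to (scheme, host, port); raises ValueError if malformed."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, host, port

def audit_control_url(prefs_json, approved=APPROVED):
    """Return (ok, reason) for one device's prefs JSON document."""
    prefs = json.loads(prefs_json)
    # Assumption: an empty or missing ControlURL means the client default.
    raw = prefs.get("ControlURL") or DEFAULT_CONTROL_URL
    try:
        target = normalize(raw)
    except ValueError:
        return False, f"malformed control URL: {raw!r}"
    if target[0] != "https":
        return False, f"control URL is not HTTPS: {raw!r}"
    if target not in {normalize(u) for u in approved}:
        return False, f"unapproved coordination server: {raw!r}"
    return True, f"approved coordination server: {raw!r}"

# Constructed sample prefs, one JSON document per device.
FLEET = {
    "laptop-01": '{"ControlURL": "https://controlplane.tailscale.com"}',
    "laptop-02": '{"ControlURL": ""}',
    "server-01": '{"ControlURL": "https://HEADSCALE.example.internal:443/"}',
    "server-02": '{"ControlURL": "http://headscale.example.internal"}',
    "kiosk-01": '{"ControlURL": "https://controlplane.tailscale.com.example.net"}',
}

def audit_fleet(fleet=FLEET):
    """Return {device: reason} for every device that fails the check."""
    results = {name: audit_control_url(doc) for name, doc in fleet.items()}
    return {name: reason for name, (ok, reason) in results.items() if not ok}

if __name__ == "__main__":
    for device, reason in audit_fleet().items():
        print(f"{device}: {reason}")
```

Comparison is done on the parsed scheme, host, and port rather than on the raw string, so case differences, a trailing slash, or an explicit `:443` still match, while a lookalike hostname or a plain-HTTP URL is flagged.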