What it is
Tailscale is the network layer recommended in our standard pocket AI setup. The free tier handles most hobbyist deployments.
Why we use it
- Identity-based mesh networking — devices get stable addresses bound to user identity
- Zero-config NAT traversal across home / office / VPS
- Free tier covers most pocket AI hobbyist setups
- ACLs let you restrict which devices can reach the agent
Why we wouldn't
- Tailscale itself is a SaaS dependency (mitigated by Headscale, the open-source control plane)
- Some corporate environments restrict third-party VPNs
Best for
- Keeping agent dashboards off the public internet
- Multi-device homelab access without port forwarding
- Distributed agents across multiple physical locations
Not for
- Air-gap deployments (use direct WireGuard or local-only)
- Workloads where vendor dependency is a hard no
Long review
Tailscale is one of the rare bits of 2026 infrastructure that we recommend without caveats. The free personal tier (up to 100 devices, 3 users, no time limit) covers nearly every hobbyist and small-team self-hosted AI setup we've designed. Identity-based mesh networking is genuinely better than IP-based VPN for our use case — every device gets a stable name (your-laptop.tailnet.ts.net), access is granted to identities rather than IP ranges, and the whole thing “just works” across home, office, VPS and travel. The ACL system is powerful enough for most production needs. Tailscale-the-company is a SaaS dependency, which we'd flag for compliance-mandated environments — those can run Headscale (the open-source control plane) on their own infrastructure to avoid vendor dependency. We don't have an affiliate relationship with Tailscale; we recommend them on technical merit.
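To make the ACL point concrete (restricting which devices can reach the agent), here is an added example, not code from Tailscale or from our setup, that audits the `acls` section of a tailnet policy for sources that can reach the agent. The names `tag:agent`, `tag:nas`, `group:operators`, the user address and port 8080 are assumptions, both policies are constructed samples, and the check only understands tag and wildcard destinations.

```python
# Added example: audit the "acls" rules of a Tailscale policy for who can reach the agent.
# Tags, groups, users and ports below are assumptions; both policies are constructed samples.

AGENT_TAG = "tag:agent"
ALLOWED_SRC = {"group:operators"}  # identities that are meant to reach the agent

# Constructed sample: an allow-all rule, every device may reach every other device.
ALLOW_ALL_POLICY = {
    "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
}

# Constructed sample: only the operators group reaches the agent dashboard port.
RESTRICTED_POLICY = {
    "groups": {"group:operators": ["alice@example.com"]},
    "tagOwners": {AGENT_TAG: ["group:operators"]},
    "acls": [
        {"action": "accept", "src": ["group:operators"], "dst": [AGENT_TAG + ":8080"]},
        {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:nas:445"]},
    ],
}


def dst_host(dst):
    """Split 'host:ports' on the last colon, since tag names contain a colon."""
    return dst.rsplit(":", 1)[0]


def agent_exposures(policy, agent_tag=AGENT_TAG, allowed=ALLOWED_SRC):
    """Return (rule_index, src, dst) for every accept rule that lets a source
    outside `allowed` reach the agent, directly or through a wildcard dst."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        for dst in rule.get("dst", []):
            if dst_host(dst) not in (agent_tag, "*"):
                continue  # rule does not cover the agent
            for src in rule.get("src", []):
                if src not in allowed:
                    findings.append((i, src, dst))
    return findings


if __name__ == "__main__":
    for name, policy in [("allow-all", ALLOW_ALL_POLICY), ("restricted", RESTRICTED_POLICY)]:
        print(name, agent_exposures(policy) or "agent reachable only by allowed sources")
```

Real policy files are HuJSON (comments and trailing commas are allowed), so strip those before loading one with a plain JSON parser.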