
Tailscale for MSPs: Where the Architecture Falls Short

Tailscale is excellent for developer teams. For MSPs managing NVRs, PBX systems, and managed switches, here's where the agent-per-device model creates problems.

Tailscale is one of the best network tools built in the past decade. It wraps WireGuard in automatic NAT traversal, handles key exchange transparently, and gives every device a routable IP without manual configuration. For developer teams connecting laptops and cloud VMs, it is genuinely excellent.

For MSPs managing client infrastructure, the architecture creates specific friction. The same design decisions that make Tailscale clean for personal and developer use make it poorly suited for MSPs who need to reach devices that cannot run any software — and who need to answer NIS2 audit questions about where their session traffic goes.

How Tailscale Works

Tailscale creates a mesh network. Every device runs an agent and gets an IP in the 100.64.0.0/10 range. WireGuard handles the encryption between peers. When two devices can form a direct peer-to-peer connection, traffic flows directly. When that is not possible — behind CGNAT, strict firewalls, or certain ISP configurations — traffic routes through Tailscale's DERP (Designated Encrypted Relay for Packets) servers. Most DERP servers are located in the US.

The Agent Requirement

Every device in a Tailscale network must run the Tailscale agent. On Windows, Linux, and macOS, this is trivial. The problem for MSPs appears when you look at what is actually in a typical client site:

  • Hikvision or Dahua NVR — proprietary firmware, no package installation possible
  • Matrix Comsec or Yeastar PBX — embedded Linux, installing third-party software voids the support contract
  • Cisco Catalyst or Ubiquiti managed switch — switch firmware, no agent
  • IP phones, building controllers, industrial HMIs — same problem

Tailscale's answer to this is a subnet router: install the agent on a Linux machine at the client site, advertise the LAN subnet through it, and non-Tailscale devices become reachable via that hop. This works — but it requires a maintained Linux box at every client site. For 20 sites, that is 20 additional systems to manage, patch, and troubleshoot when the subnet router goes down and the client calls at midnight.

DERP Relay Servers and EU Data Residency

When a Tailscale connection uses a DERP relay, session traffic transits Tailscale's infrastructure. Tailscale says DERP traffic is end-to-end encrypted and unreadable by their servers — credible given the WireGuard model. But encryption is not the only question your DPO will ask. Under NIS2 Article 21, supply chain security means knowing where your session traffic goes, who operates that infrastructure, and whether a data processing agreement covers it. Those questions are worth raising with your DPO before assuming compliance.

The practical problem is that standard Tailscale plans do not let you restrict traffic to EU-only DERP nodes. When a client site is behind CGNAT — increasingly common as ISPs move to shared IPv4 — you cannot guarantee session traffic stays within EU infrastructure. That uncertainty is the issue, not a definitive compliance failure.
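One way to turn the "where does my session traffic go" question into a check you can run: the added example below (not code from the original post, nor from Tailscale or ProxyLink) classifies each active peer in `tailscale status --json` output as direct, EU-relayed, or non-EU-relayed. The JSON field names are those the CLI emits; the EU region set and the sample output are assumptions constructed for the example.

```python
import json
from typing import Dict, List

# DERP region codes treated as EU-resident. ASSUMPTION for this example: the
# set must be maintained against Tailscale's published DERP map and agreed
# with your DPO; it is not an authoritative list.
EU_DERP_REGIONS = {"fra", "ams", "par", "mad", "waw"}

def classify_peers(status_json: str, eu_regions=EU_DERP_REGIONS) -> List[Dict[str, str]]:
    """Classify each active peer from `tailscale status --json` output.

    Field names (Peer, Active, Relay, CurAddr, HostName) follow the JSON the
    CLI emits; CurAddr is the direct endpoint and is empty when the session
    is being relayed through the DERP region named in Relay.
    """
    status = json.loads(status_json)
    findings = []
    for peer in status.get("Peer", {}).values():
        if not peer.get("Active"):
            continue  # idle peers carry no session traffic to account for
        relay = peer.get("Relay", "")
        if peer.get("CurAddr"):
            path = "direct"          # WireGuard peer-to-peer, no relay transit
        elif relay in eu_regions:
            path = "relay-eu"
        elif relay:
            path = "relay-non-eu"    # session bytes transit a non-EU DERP
        else:
            path = "unknown"         # relayed, but no region reported
        findings.append({"host": peer.get("HostName", "?"), "relay": relay, "path": path})
    return findings

def non_eu_relayed_hosts(status_json: str) -> List[str]:
    """Hosts whose current session traffic is relayed outside the EU set."""
    return sorted(f["host"] for f in classify_peers(status_json) if f["path"] == "relay-non-eu")

# Constructed sample in the shape of `tailscale status --json`; not real output.
SAMPLE_STATUS = json.dumps({"Peer": {
    "nodekey:a": {"HostName": "site-a-subnet-router", "Active": True, "Relay": "fra", "CurAddr": "203.0.113.10:41641"},
    "nodekey:b": {"HostName": "site-b-behind-cgnat", "Active": True, "Relay": "nyc", "CurAddr": ""},
    "nodekey:c": {"HostName": "site-c-behind-cgnat", "Active": True, "Relay": "ams", "CurAddr": ""},
    "nodekey:d": {"HostName": "engineer-laptop-idle", "Active": False, "Relay": "sfo", "CurAddr": ""},
}})

if __name__ == "__main__":
    for f in classify_peers(SAMPLE_STATUS):
        print(f"{f['host']:<24} {f['path']:<14} relay={f['relay'] or '-'}")
```

Run it periodically on the engineer's machine against live `tailscale status --json` output and the non-EU list is the set of sessions your DPO will ask about.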

Pricing at MSP Scale

Tailscale Teams is priced per user. For 10 engineers at $6/user/month, the cost is $60/month — manageable. The model breaks down when you try to give clients limited access to their own equipment, or when you need per-site access delegation. Tailscale has no concept of client groups, MSP-managed access, or role-based access scoped to specific client sites. It is designed for a single organization managing its own devices, not for an MSP managing 30 different client organizations with different access requirements.

No Browser-Based RDP or VNC

Tailscale gives you network connectivity. Your engineers still need local client software to do anything useful with it: mstsc.exe or FreeRDP for RDP, a VNC viewer for VNC, a terminal emulator for SSH. On managed corporate laptops — which most field engineers use — software installation often requires IT exceptions. A browser-based session that opens in any tab, on any machine, from any network, removes that dependency entirely. There is a real operational difference between "requires IT to approve one software install per engineer" and "open a URL."

The Router Gateway Approach

ProxyLink uses a different model. One WireGuard peer goes on the router or gateway at each client site — MikroTik, pfSense, OPNsense, OpenWRT, or a Debian box. Every device on every LAN and VLAN behind that router becomes reachable through the tunnel: Windows PCs, NVRs, PBX systems, managed switches, and anything else with an IP address. Nothing is installed on the individual devices.
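The gateway model has one constraint worth checking before a new site is added: WireGuard routes outbound packets by each peer's AllowedIPs, so two client routers advertising the same LAN range cannot both be reached. The added example below (illustration only, not ProxyLink's code) validates that the advertised subnets across sites are disjoint and renders the relay-side [Peer] stanzas; the tunnel addressing scheme, site list and placeholder keys are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Site definitions for the example; public keys are placeholders, not real keys.
# Each site lists every LAN/VLAN behind its router that the tunnel should reach.
SITES = {
    "site-a": {"pubkey": "<SITE_A_ROUTER_PUBLIC_KEY>", "subnets": ["192.168.10.0/24", "192.168.20.0/24"]},
    "site-b": {"pubkey": "<SITE_B_ROUTER_PUBLIC_KEY>", "subnets": ["10.50.0.0/16"]},
}

def overlapping_subnets(sites: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Return (site1, site2, net1, net2) for every pair of subnets that overlap.

    WireGuard picks the outbound peer by AllowedIPs, so two routers claiming
    the same range cannot both be reached; the clash must be resolved
    (renumber or NAT at the site router) before the peer is added.
    """
    nets = [(site, ipaddress.ip_network(s, strict=True))
            for site, info in sites.items() for s in info["subnets"]]
    clashes = []
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((site_a, site_b, str(net_a), str(net_b)))
    return clashes

def relay_peer_stanzas(sites: Dict[str, dict], tunnel_net: str = "10.200.0.0/24") -> str:
    """Render the relay-side [Peer] stanzas, one per client router.

    tunnel_net is an assumed addressing scheme: .1 is the relay itself, each
    router gets the next host address, and its AllowedIPs carry that /32 plus
    every LAN it advertises. Overlaps abort rather than silently producing an
    unreachable site.
    """
    clashes = overlapping_subnets(sites)
    if clashes:
        raise ValueError(f"overlapping subnets across sites: {clashes}")
    hosts = ipaddress.ip_network(tunnel_net).hosts()
    next(hosts)  # reserve the first address for the relay server
    stanzas = []
    for (name, info), tunnel_ip in zip(sites.items(), hosts):
        allowed = [f"{tunnel_ip}/32"] + info["subnets"]
        stanzas.append(f"# {name}\n[Peer]\nPublicKey = {info['pubkey']}\n"
                       f"AllowedIPs = {', '.join(allowed)}\n")
    return "\n".join(stanzas)

if __name__ == "__main__":
    print(relay_peer_stanzas(SITES))
```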

Browser-based RDP, VNC, and SSH run on the relay server using Apache Guacamole. Engineers open a URL and the session renders in the browser. Session recordings and audit logs are built in on paid plans — not add-ons, not higher-tier features within those plans.

| Feature | Tailscale | ProxyLink |
|---|---|---|
| Agent per device | Required | One per router |
| Reach NVR / PBX / switches | Via subnet router (+1 node per site) | Yes, natively |
| Browser RDP / VNC | No | Yes |
| Traffic relay location | Global DERP (no EU-only guarantee) | Hetzner Germany only |
| Session recording | No | Yes |
| NIS2 audit log | No | Yes |
| MSP client groups | No | Yes |
| Pricing model | Per user / per device | Flat €69/mo, 300 tunnels |

When Tailscale Is the Right Choice

Tailscale is the right tool when every device in your fleet can run the agent: developer laptops, cloud VMs, Linux servers in your own infrastructure. For a software team connecting to staging environments or a small company where every endpoint is a laptop or server, it is hard to beat. If your MSP manages purely Windows and Mac endpoints — no cameras, no PBX, no switches — and you are not subject to EU data residency requirements, Tailscale is a workable choice.

When You Need a Different Architecture

If your clients have mixed environments — which most real MSP client sites do — agent-based access cannot cover the full device fleet. NVRs, switches, and PBX systems are out. Add NIS2 compliance requirements (EU relay traffic, immutable audit log, session recording), MSP-specific access delegation, and the need for browser-based sessions on locked-down engineer laptops, and the gateway tunnel model covers ground that Tailscale cannot reach without workarounds that each add operational overhead per site.

One WireGuard tunnel per client router. Every device on every VLAN reachable from a browser. Session recording available per proxy link. Try ProxyLink at app.proxylink.dev; it is free, with no card required.
