I was a big Tailscale fan. I centered my homelab around it. I ripped out BGP in favour of Tailscale Services, removed Authelia in favour of tsidp, and replaced WireGuard on all family devices with it. I started using golink – a really neat link shortener from Tailscale – and read release notes with excitement.
I even went so far as building my own packages for Chainguard’s Wolfi Linux and my own containers. Every month I was excited about new features and kept track of minor issues which I found along the way.
However, some issues were not really minor. Those go on my special “unforgivable” list – a mental list I use as a sort of sunk-cost fallacy countermeasure. I try to keep such a list no matter how invested or how much I like something. The Tailscale list recently ran out of space.
TL;DR
In the last few months the following issues occurred. Fixing them took days after the first user report.
- Android client DNS was broken for over a month.
- Tailscale Services broke and took down my homelab ingress.
- The new relay feature caused a memory leak.
- Control plane downtime impacted connectivity.
- CPU/Battery overhead remains several times higher than that of plain WireGuard.
The dealbreakers
Broken Android DNS
I’ll start with the biggest offender on the list. For over a full month Tailscale pushed versions of the Android client that were critically flawed. If you used Android, every time your phone switched from Wi‑Fi to mobile data, DNS resolution would silently fail. The only way to make DNS work again was to turn Tailscale off (and maybe on again).
It’s hard to explain how serious this issue was. Missed messages, missed emails, missed Signal calls, confusion about why my phone lost connectivity from time to time. It took me a while to confirm it was in fact a Tailscale issue (not my hardware, carrier, or setup).
The Play Store doesn’t let you downgrade. I had to use F-Droid and disable updates to have a usable phone again.
You know who noticed? My partner. Turning off the VPN is now a precautionary habit. That one month did lasting damage to trust. “VPNs cause issues” – even though WireGuard had been a set-and-forget thing for years.
Tailscale Services Broke
This was the final straw. Tailscale Services is a neat feature that allows multiple hosts to advertise the same IP. When paired with the Tailscale Operator on Kubernetes it offers an alternative to something like MetalLB by providing a type=LoadBalancer service. I may have been one of the first users – I’ve been using it since it was in private beta. I host a lot of services on my homelab, among which is my email server.
I don’t take trains often, but this one day I had to catch a specific early train listed on my advanced ticket. Just as I was leaving home I decided to check I could open the ticket that was emailed to me. To my horror I realised I couldn’t access my email. Opening Tailscale dashboard showed that Services weren’t working with an obscure error message. I had no time to fix this; I had to put on my skates and go.
I was skating through London traffic trying to catch the train while simultaneously debugging Tailscale.
I hadn’t updated anything – what was going on? There was a new Tailscale release but, as usual, containers weren’t available. No bother. I build my own so I could bump version early regardless. No dice. I downgraded, I upgraded. Zero luck.
I was able to work around the issues by ssh-ing into my router, enabling subnet relays for the pod IP range, disabling network policies and changing the record to point directly to my mail server pod IP. I was only just able to pull up my train ticket.
The culprit was a silent server-side change to Tailscale’s proprietary control plane, which totally bricked all services deployed by the Kubernetes operator. It took Tailscale two days to revert the change. I couldn’t really leave my “home production” broken for two days; I get questioned about why I took stuff down after no more than ~30 minutes of Home Assistant or Jellyfin downtime. Two days would have me fired. I had to call it.
For those interested, this is the issue: tailscale/tailscale#18186.
Granted, it’s still in public beta, but how could they not notice? Are they not using services at all via their operator?
Relay Memory Leak
I noticed this on my own hardware, and it was also noticed at work. The highly anticipated relay feature caused a memory leak. It caused system OOMs on my machines, and it took a while for Tailscale to acknowledge the issue.
I wasted time trying to downgrade before realising it was caused by enabling the new feature.
Control plane downtime (again)
Tailscale went down again (HN thread).
I expected existing connectivity to keep working during a control plane incident (at least for already-authorised nodes). In my case, parts of my setup (especially Tailscale Services) stopped working for a while anyway. With WireGuard and my previous load balancer it would have still worked.
The annoyances
CPU usage & Network Speeds
Tailscale implements WireGuard in userspace in order to augment it with all the Tailscale magic. This isn’t really a problem – except it comes with a performance bottleneck on weaker devices like home routers. My max speed via Tailscale is about half of the max speed I can get over kernel WireGuard.
Android battery usage
Family phones are constantly out of battery. Everybody knows this is a big issue. It’s not a priority and there’s little you can do about it.
WireGuard uses ~3%. Tailscale uses ~30% of my daily battery life. And yes, this is without exit nodes and without persistent background connections to any Tailscale Services. I even sacrificed routing connections over Tailscale to my router’s Blocky instance to save myself significant chunks of battery.
The only thing I had persistently using Tailscale is the bare minimum: email and DAVx5. I configured the update frequency to be lower than before to reduce Tailscale chatter, but battery usage remained much higher than the unoptimised WireGuard case.
If you try to use a persistent (but idle) connection over Tailscale, you will run out of battery in no time. This is generally down to the keepalives Tailscale uses to keep holes in firewalls open – and they can’t be configured.
I wish I could make it work like WireGuard and stay silent. I wish I could tell it to use my router as an always-on static relay that it should prefer. I can’t.
NAS issues with torrents
Tailscale tells you to install and configure Tailscale on your NAS. I did so on my Synology – which also runs qBittorrent. Occasionally some torrents were stuck in “Stalled” until qBittorrent was restarted. I didn’t get to the bottom of the issue (likely a qBittorrent bug), but let’s just say this stopped happening after I disabled Tailscale.
While not directly Tailscale’s fault, it’s a fault that arises from the “VPN on everything” model, which introduces extra complexity.
First-connect latency & relaying
If you’re on Tailscale, open your laptop, and navigate to something behind Tailscale, you’ll notice web pages load strangely. At the very least they will load slowly – maybe for a second or so – while it performs network reconnaissance and exercises the full suite of protocols it can speak.
From what I’ve observed, the path selection works the other way around. Rather than “falling back to DERP,” it starts out relayed to get connectivity “quickly”, and then upgrades to a direct path if it can. That upgrade is good for performance, but it shows up as noticeable first-connect weirdness/latency.
There is no way to configure a hub-and-spoke architecture or to tell it to try to go direct first. Every time my phone tries to access a Tailscale device on the private network – well, it takes an extra second. Try running Tailscale ping between two machines that haven’t recently had traffic between them but are still on the same network.
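To make the relay-first behaviour described above measurable rather than anecdotal, here is a small Python parser for tailscale ping output that counts how many pongs came back via DERP before the first direct one and compares the latencies. This is an added example, not code from the original post or from Tailscale; the pong line format is assumed from the CLI’s output, and the sample lines are constructed.

```python
import re
from statistics import mean
from typing import NamedTuple, Optional

# Assumed line format of `tailscale ping`: relayed pongs name the DERP region,
# direct pongs show the peer endpoint, latency is a Go duration (µs/ms/s), e.g.
#   pong from nas (100.64.0.5) via DERP(lhr) in 41ms
#   pong from nas (100.64.0.5) via 192.168.1.20:41641 in 3ms
PONG_RE = re.compile(
    r"pong from (?P<host>\S+) \((?P<ip>[^)]+)\) via (?P<via>\S+) "
    r"in (?P<lat>[\d.]+)(?P<unit>µs|ms|s)\b"
)

class Pong(NamedTuple):
    host: str
    via: str
    relayed: bool        # True when the reply came back through a DERP relay
    latency_ms: float

def parse_pong(line: str) -> Optional[Pong]:
    """Parse one output line; non-pong lines (banners, errors) return None."""
    m = PONG_RE.search(line)
    if not m:
        return None
    scale = {"µs": 0.001, "ms": 1.0, "s": 1000.0}[m["unit"]]
    via = m["via"]
    return Pong(m["host"], via, via.startswith("DERP("), float(m["lat"]) * scale)

def summarize(lines) -> dict:
    """Report pongs relayed before the first direct one and average latencies."""
    pongs = [p for p in map(parse_pong, lines) if p is not None]
    first_direct = next((i for i, p in enumerate(pongs) if not p.relayed), None)
    relayed = [p.latency_ms for p in pongs if p.relayed]
    direct = [p.latency_ms for p in pongs if not p.relayed]
    return {
        "relayed_before_direct": len(pongs) if first_direct is None else first_direct,
        "upgraded": first_direct is not None and first_direct > 0,
        "avg_relayed_ms": mean(relayed) if relayed else None,
        "avg_direct_ms": mean(direct) if direct else None,
    }

# Constructed sample: two relayed pongs, then the path upgrades to direct.
SAMPLE = """\
pong from nas (100.64.0.5) via DERP(lhr) in 41ms
pong from nas (100.64.0.5) via DERP(lhr) in 39ms
pong from nas (100.64.0.5) via 192.168.1.20:41641 in 3ms
pong from nas (100.64.0.5) via 192.168.1.20:41641 in 2ms
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Feeding it real output (tailscale ping -c 10 some-peer, captured to a file) between two quiet peers shows the same pattern: a few DERP pongs with tens of milliseconds of latency before the first direct, low-latency one.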
Conclusion
I still think Tailscale is a great product with great ideas. But for my homelab and my family devices, the reliability issues outweighed the convenience.
I probably shouldn’t have ended up relying solely on Tailscale Services, but it was the feature that made me commit to Tailscale in the first place – and it’s a homelab after all.
Bugs are normal, but Tailscale is meant to fix the internet, not break it! It’s intended to be positioned in the critical path of all devices and to just work. I expect a certain amount of accountability and testing.
I’m now back to using plain WireGuard and my own DNS-based load balancer, minilb. If Tailscale makes it possible to resolve the battery issues and starts pushing more stable releases, I’ll consider deploying it again.