I was a big Tailscale fan. I centered my homelab around it. I ripped out BGP in favour of Tailscale Services, removed Authelia in favour of tsidp, and replaced WireGuard on all family devices with it. I started using golink, a really neat link shortener from Tailscale, and read release notes with excitement.
I even went so far as building my own packages for Chainguard’s Wolfi Linux and building my own containers. Every month I was excited about new features and kept track of minor issues which I found along the way.
However, some issues were not really minor. Those go on my special “unforgivable” list – a mental list I use as a sort of sunk-cost fallacy countermeasure. I try to keep such a list no matter how invested I am or how much I like something. The Tailscale list recently ran out of space.
TL;DR #
In the last few months the following issues occurred. Fixing them took days following user bug reports.
- Android client DNS was broken for over a month.
- Tailscale Services broke and took down my homelab ingress.
- The new relay feature caused a memory leak.
- Control plane downtime impacted connectivity.
- CPU/Battery overhead remains several times higher than that of plain WireGuard.
The dealbreakers #
Broken Android DNS #
I’ll start with the biggest offender on the list. For over a full month, Tailscale pushed versions of the Android client that were critically flawed. Every time your phone switched from Wi‑Fi to mobile data, DNS resolution would silently fail. The only way to make DNS work again was to turn Tailscale off (and maybe on again).
It’s hard to explain how serious this issue was. Missed messages, missed emails, missed Signal calls, confusion about why my phone lost connectivity from time to time. It took me a while to confirm it was in fact a Tailscale issue (not my hardware, carrier, or setup).
The Play Store doesn’t let you downgrade. I had to use F-Droid and disable updates to have a usable phone again.
You know who noticed? My partner. Turning off the VPN is now a precautionary habit. That one month did lasting damage to trust. “VPNs cause issues” - even though WireGuard had been a set-and-forget thing for years.
Tailscale Services Broke #
This was the final straw. Tailscale Services is a neat feature that allows multiple hosts to advertise the same IP. When paired with the Tailscale Operator on Kubernetes it offers an alternative to something like MetalLB by providing a type=LoadBalancer service. I may have been one of the first users - I’ve been using it since it was in private beta.
I don’t take trains often, but this one day I had to catch a specific early train listed on my advance ticket. Just as I was leaving home I decided to check that I could open the ticket that was emailed to me. To my horror I realised I couldn’t access my email. Opening the Tailscale dashboard showed that Services weren’t working, with an obscure error message. I had no time to fix this; I had to put on my skates and go.
I’m skating through London traffic trying to catch the train while simultaneously debugging Tailscale.
I hadn’t updated anything - what was going on? There was a new Tailscale release but, as usual, containers weren’t available. No bother. I build my own, so I could bump them regardless. No dice. I downgraded, I upgraded. No luck.
I was able to work around the issue by ssh-ing into my router, enabling subnet routes for the pod IP range, disabling network policies and changing the DNS record to point directly to my mail server pod IP. I was only just able to pull up my train ticket.
Tailscale fixed it two days later. In home “production”, I get questioned about why I took stuff down after no more than ~30 minutes of Home Assistant or Jellyfin downtime. Two days would have me fired. I had to call it.
For those interested, this is the issue: tailscale/tailscale#18186.
Granted, it’s still in public beta, but how could they not notice? Are they not using services at all via their operator?
Relay Memory Leak #
I noticed this both on my own hardware, and it was also noticed at work. The highly anticipated relay feature caused a memory leak. It took a while for Tailscale to acknowledge the issue.
This led to downtime and debugging. I tried to downgrade before realising it was caused by enabling the new feature.
Control plane downtime (again) #
Tailscale went down again (HN thread).
I expected existing connectivity to keep working during a control plane incident (at least for already-authorised nodes). In my case, parts of my setup stopped working for a while anyway – which is not what I want from something that’s effectively my “always-on” remote access.
The annoyances #
CPU usage #
Tailscale implements WireGuard in userspace in order to augment it with all the Tailscale magic. This isn’t really a problem – except it comes with a performance bottleneck on weaker devices like home routers. My max speed via Tailscale is about half of the max speed I can get over kernel WireGuard.
Android battery usage #
Family phones are constantly out of battery. Everybody knows this is a big issue. It’s not a priority and there’s little you can do about it.
WireGuard uses ~3%. Tailscale uses ~30% of my daily battery life. And yes, this is without exit nodes and without persistent background connections to any Tailscale Services. I even sacrificed routing connections over Tailscale to my router’s Blocky instance to save myself significant chunks of battery.
The only things I had persistently using Tailscale were the bare minimum: email and DAVx5. I configured the update frequency to be lower than before to reduce Tailscale chatter, but battery usage remained much higher than in the unoptimised WireGuard case.
If you try to use a persistent (but idle) connection over Tailscale, you will run out of battery in no time. This is generally down to the keepalives Tailscale uses to keep holes in firewalls open – and they can’t be configured.
I wish I could make it work like WireGuard and stay silent. I wish I could tell it to use my router as an always-on static relay that it should prefer. I can’t.
NAS issues with torrents #
Tailscale tells you to install and configure Tailscale on your NAS. I did so on my Synology – which also runs qBittorrent. Occasionally some torrents were stuck in “Stalled” until qBittorrent was restarted. The culprit: a VPN (like Tailscale).
This may not directly be Tailscale’s fault, but it’s a fault of the “VPN on everything” model, which introduces these kinds of failures. I consider this a mild case of the DNS catastrophe.
First-connect latency & relaying #
If you’re on Tailscale, open your laptop, and navigate to something behind Tailscale, you’ll notice it loads “weird”. At the very least it will load slowly – maybe for a second or so – while it performs network reconnaissance and winds up exercising the full suite of protocols it can speak.
From what I’ve observed, the path selection works the other way around. Rather than “falling back to DERP” it starts out relayed to get connectivity “quickly”, and then upgrades to a direct path if it can. That upgrade is good for performance, but it shows up as noticeable first-connect weirdness/latency.
There is no way to configure a hub-and-spoke architecture or to tell it to try to go direct first. Every time my phone tries to access a Tailscale device on the private network – well, it takes an extra second. Try running `tailscale ping` between two machines that haven’t recently had traffic between them but are still on the same network.
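To put a number on the first-connect behaviour described above, here is an added Python example (not code from this post or from Tailscale) that classifies `tailscale ping` replies as relayed or direct and reports how many relayed pongs arrived before the first direct one. The reply-line format it parses (`pong from <host> (<ip>) via DERP(<region>) in <N>ms` for relayed, `via <ip>:<port>` for direct) is an assumption based on what `tailscale ping` prints; the sample output and the peer names in it are constructed, not captured from the author's network.

```python
"""Classify `tailscale ping` output: relayed (DERP) vs direct replies.

Added example, not part of the original post. The line format below is an
assumption about `tailscale ping` output; SAMPLE is constructed, not real.
"""
import re
import statistics
import sys
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed reply format of `tailscale ping` (one line per pong):
#   pong from <host> (<100.x.y.z>) via DERP(<region>) in <N>ms   -> relayed via a DERP server
#   pong from <host> (<100.x.y.z>) via <ip>:<port> in <N>ms      -> direct UDP path
PONG_RE = re.compile(
    r"^pong from (?P<host>\S+) \((?P<ip>[\d.]+)\) via (?P<via>\S+) in (?P<ms>[\d.]+)ms$"
)

# Constructed sample for a peer on the same LAN: three relayed pongs (plus one
# non-pong line) before the path upgrades to direct. Not captured from a real network.
SAMPLE = """\
pong from nas (100.101.102.103) via DERP(lhr) in 38ms
pong from nas (100.101.102.103) via DERP(lhr) in 35ms
timeout
pong from nas (100.101.102.103) via DERP(lhr) in 36ms
pong from nas (100.101.102.103) via 192.168.1.20:41641 in 2ms
"""


@dataclass
class Pong:
    host: str
    ip: str
    via: str
    ms: float

    @property
    def relayed(self) -> bool:
        # "DERP(<region>)" marks a relayed reply; anything else is an ip:port direct path.
        return self.via.startswith("DERP(")


def parse_pong(line: str) -> Optional[Pong]:
    """Parse one output line; return None for lines that are not pong replies."""
    m = PONG_RE.match(line.strip())
    if m is None:
        return None
    return Pong(m["host"], m["ip"], m["via"], float(m["ms"]))


def summarize(lines: Iterable[str]) -> dict:
    """Count relayed vs direct pongs and report after how many replies the
    path first went direct (None if it never did)."""
    relayed_ms, direct_ms = [], []
    upgraded_after = None
    seen = 0
    for line in lines:
        p = parse_pong(line)
        if p is None:
            continue
        seen += 1
        if p.relayed:
            relayed_ms.append(p.ms)
        else:
            direct_ms.append(p.ms)
            if upgraded_after is None:
                upgraded_after = seen - 1  # pongs before the first direct one were all relayed
    return {
        "relayed_pongs": len(relayed_ms),
        "direct_pongs": len(direct_ms),
        "upgraded_after": upgraded_after,
        "median_relayed_ms": statistics.median(relayed_ms) if relayed_ms else None,
        "median_direct_ms": statistics.median(direct_ms) if direct_ms else None,
    }


def main() -> None:
    # Pipe real output in:  tailscale ping <peer> | python3 ping_path.py
    # With nothing piped in, the constructed SAMPLE is used instead.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE.splitlines()
    s = summarize(lines)
    if s["upgraded_after"] is None:
        print(f"never went direct: {s['relayed_pongs']} relayed pongs, "
              f"median {s['median_relayed_ms']}ms")
    else:
        print(f"went direct after {s['upgraded_after']} relayed pongs: "
              f"median relayed {s['median_relayed_ms']}ms, direct {s['median_direct_ms']}ms")


if __name__ == "__main__":
    main()
```

By default `tailscale ping` stops at the first direct reply (its `--until-direct` flag defaults to true), so the count of relayed pongs before that reply is a direct measure of the relayed-then-upgrade cost on a given network; run it against a peer that has been idle for a while to reproduce the effect described above.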
Conclusion #
I still think Tailscale is a great product with great ideas. But for my homelab and my family devices, the reliability issues outweighed the convenience.
I probably shouldn’t have ended up relying solely on Tailscale Services, but it was the feature that made me commit to Tailscale in the first place – and it’s a homelab after all.
Bugs are normal, but Tailscale is designed and advertised as a full mesh VPN which fixes the internet. It’s intended to be positioned in the critical path of all devices and to just work. I expect a certain amount of accountability and testing.
I’m now back to using plain WireGuard and my own DNS-based load balancer - minilb. If Tailscale makes it possible to resolve the battery issues and starts pushing more stable releases, I’ll consider deploying it again.