Tailscale Data and Logging
Overview
A common question when adopting Tailscale is: what does Tailscale itself see? This page summarizes what stays private, what metadata the Tailscale coordination server stores, and what is logged. It is based on Tailscale’s own documentation:
Note
Tailscale changes its product over time. Treat the specifics below (retention windows, plan availability, defaults) as a snapshot and confirm against the linked Tailscale docs for anything compliance-sensitive.
What Tailscale never sees
- Traffic content. All traffic between nodes is end-to-end encrypted with WireGuard. The coordination server brokers connection setup but does not sit in the data path, so it cannot read your data.
- Private keys. Each node generates its WireGuard key pair locally. The private key never leaves the device; only public keys are shared with the coordination server for connection setup.
Note
When two nodes cannot establish a direct peer-to-peer connection, traffic is relayed through Tailscale’s DERP relay servers. Even then it stays end-to-end encrypted: DERP forwards opaque encrypted packets and cannot read the contents.
Metadata the coordination server stores
To coordinate the network, Tailscale’s control plane holds:
- Public keys of every node (the cluster connector pods and every enrolled user device).
- Node / device information such as OS, hardware, hostname, installed client version, public IP addresses, and an approximate location derived from that IP.
- Network routing information, for example the subnet / VPC CIDRs that connectors advertise.
- Identity and account details from your SSO / OAuth provider (identity and domain metadata), plus the ACL policy document itself.
- Connection metadata: which nodes are connected to which, including their endpoint public IP addresses. This is connection topology, not traffic content.
Logs
- Client operational logs. Tailscale clients emit operational logs to log.tailscale.com, covering events such as connections opening and closing between machines, not the traffic itself. These are on by default; they can be disabled, but doing so limits Tailscale’s ability to provide support.
- Configuration audit logs. Record administrative changes to the tailnet (actor, action, target resource, timestamp), useful for tracing who changed what. Tailscale retains these for a defined window (90 days at time of writing).
- Network flow logs. Off by default and available on higher-tier plans. When enabled, they capture connectivity patterns over time and can be streamed to an external destination (for example a SIEM).
What this means in practice
For a gateway-based deployment (connectors in your clusters advertising private routes), the sensitive payload (your traffic to Kubernetes APIs, databases, and internal services) is never visible to Tailscale. What Tailscale holds is the network’s control-plane metadata: who and what is on the tailnet, how nodes are connected, and the access policy. If your compliance posture requires it, network flow logs can be enabled and exported to your own logging stack for independent retention and analysis.
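As an added example (not Tailscale’s own code or documentation), a small Python checker for flow logs exported to your own logging stack: it sums bytes per (source node, destination, port) and flags subnet-route flows whose destination lies outside the routes a connector is expected to advertise, which is the kind of independent analysis the flow logs make possible. The record shape (nodeId, subnetTraffic, src/dst, txBytes/rxBytes), the port-to-name table and every sample value are assumptions constructed for this example; confirm the field names against records exported from your own tailnet.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample record (field names are an assumption, not from this page):
# one five-minute window of subnet-route traffic seen by a connector node.
# Note that only addresses, ports and byte counts appear; no payload is present.
SAMPLE_FLOW_LOG = json.dumps({
    "nodeId": "nPLACEHOLDER01",          # placeholder connector node id
    "start": "2024-05-01T10:00:00Z",
    "end": "2024-05-01T10:05:00Z",
    "subnetTraffic": [
        {"proto": 6, "src": "100.64.0.12:51234", "dst": "10.0.1.5:6443",
         "txBytes": 40960, "rxBytes": 204800},
        {"proto": 6, "src": "100.64.0.12:51240", "dst": "10.0.2.9:5432",
         "txBytes": 2048, "rxBytes": 8192},
        {"proto": 6, "src": "100.64.0.30:40001", "dst": "192.168.50.7:22",
         "txBytes": 512, "rxBytes": 1024},
    ],
})

# Routes this connector is expected to advertise (constructed value).
ADVERTISED_ROUTES = [ipaddress.ip_network("10.0.0.0/16")]


def split_addr_port(value: str) -> tuple[str, int]:
    """Split 'host:port', handling bracketed IPv6 such as '[fd7a::1]:443'."""
    host, port = value.rsplit(":", 1)
    return host.strip("[]"), int(port)


def check_flow_message(raw: str, advertised_routes) -> dict:
    """Summarise one flow-log record and list flows to unadvertised destinations."""
    msg = json.loads(raw)
    by_pair = defaultdict(int)
    unexpected = []
    for flow in msg.get("subnetTraffic", []):
        src_ip, _ = split_addr_port(flow["src"])
        dst_ip, dst_port = split_addr_port(flow["dst"])
        key = (src_ip, dst_ip, dst_port)
        by_pair[key] += flow.get("txBytes", 0) + flow.get("rxBytes", 0)
        # A subnet flow whose destination is outside the advertised routes
        # means the connector forwarded traffic somewhere it should not have.
        if not any(ipaddress.ip_address(dst_ip) in net for net in advertised_routes):
            unexpected.append(key)
    return {"nodeId": msg["nodeId"], "byPair": dict(by_pair), "unexpected": unexpected}


if __name__ == "__main__":
    print(json.dumps(check_flow_message(SAMPLE_FLOW_LOG, ADVERTISED_ROUTES), default=str))
```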