{"slug":"control-and-data-planes","title":"Control and data planes","tags":["tailscale"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Control and data planes\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nModern networks separate their operations into two distinct planes that work together: the [control plane](https://tailscale.com/docs/concepts/control-data-planes#control-plane) and the [data plane](https://tailscale.com/docs/concepts/control-data-planes#data-plane). These planes maintain constant communication, and the separation helps organize network operations and makes networks more manageable, efficient, and reliable.\r\n\r\nIn a Tailscale network (known as a [tailnet](https://tailscale.com/docs/concepts/tailnet)), the control plane operates through the Tailscale [coordination server](https://tailscale.com/docs/concepts/control-data-planes#coordination-server), while the data plane runs on each tailnet device.\r\n\r\n## [Control plane](https://tailscale.com/docs/concepts/control-data-planes\\#control-plane)\r\n\r\nThe control plane is a vital part of a network that manages how data flows through the [data plane](https://tailscale.com/docs/concepts/control-data-planes#data-plane). You can think of the control plane as an air traffic controller; it oversees the entire network and makes high-level decisions. It performs many tasks, including identity management, network configuration, connection coordination, and policy management.\r\n\r\n- Authentication and identity functions of the control plane include validating device identities, maintaining [access control](https://tailscale.com/docs/features/access-control) policies, tracking device registration and removal, and managing device authorization states.\r\n- Network setup and maintenance functions of the control plane include distributing subnet routes, configuring DNS settings, managing [IP address assignments](https://tailscale.com/docs/concepts/ip-and-dns-addresses), and updating network configurations.\r\n- Connection coordination functions of the control plane include managing [NAT traversal](https://tailscale.com/blog/how-tailscale-works), peer discovery, distributing device information, selecting optimal [DERP](https://tailscale.com/docs/reference/derp-servers) regions, and maintaining device state information.\r\n- Policy management functions of the control plane include enforcing [access control](https://tailscale.com/docs/features/access-control) policies, managing [subnet routing](https://tailscale.com/docs/features/subnet-routers) rules, implementing [exit node](https://tailscale.com/docs/features/exit-nodes) configurations, and managing permissions.\r\n\r\n### [Coordination server](https://tailscale.com/docs/concepts/control-data-planes\\#coordination-server)\r\n\r\nThe Tailscale coordination server is a single, centralized server that manages [control plane](https://tailscale.com/docs/concepts/control-data-planes#control-plane) operations and maintains a connection to all tailnet devices. It handles essential functions including device discovery, authentication, [key distribution](https://tailscale.com/blog/tailscale-key-management), and policy enforcement. It also distributes routing configurations and access control policies to Tailscale clients on tailnet devices, which convert these high-level instructions into to the lowest-level configuration the [data plane](https://tailscale.com/docs/concepts/control-data-planes#data-plane) can execute.\r\n\r\nAdditionally, the coordination server enables NAT traversal by managing endpoint information between devices and selecting optimal [DERP](https://tailscale.com/docs/reference/derp-servers) regions when [direct connections](https://tailscale.com/docs/reference/connection-types) aren't possible.\r\n\r\nIf the [coordination server becomes unavailable](https://tailscale.com/docs/reference/coordination-server-down), tailnet devices can still communicate with pre-established connections and use cached network policies. However, they won't be able to establish new connections, alter their keys, or retrieve network policy updates until the coordination server comes back online. This is because Tailscale doesn't route any traffic through the coordination server, device keys are stored locally, and network policies are cached locally.\r\n\r\n#### [Device discovery and NAT traversal](https://tailscale.com/docs/concepts/control-data-planes\\#device-discovery-and-nat-traversal)\r\n\r\nOne of the core functions of the coordination server is to maintain a registry of all devices in a tailnet. It also collects and manages device information, such as IP addresses, Tailscale client versions, public keys, location, and operating systems. The coordination server uses this information to populate device data on the Tailscale admin console, select [DERP servers](https://tailscale.com/docs/reference/derp-servers), apply [device posture](https://tailscale.com/docs/features/device-posture) policies, and facilitate connections.\r\n\r\n#### [State, policies, and configurations](https://tailscale.com/docs/concepts/control-data-planes\\#state-policies-and-configurations)\r\n\r\nThe Tailscale coordination server collects and distributes this device and network information across the tailnet. This information includes:\r\n\r\n- Device metadata, such as [IP addresses](https://tailscale.com/docs/concepts/ip-and-dns-addresses), Tailscale client versions, operating systems, and geographic location.\r\n- Device public keys and certificates.\r\n- Network configurations, such as [DNS](https://tailscale.com/docs/reference/dns-in-tailscale) name servers and preferred DERP servers.\r\n- Policies, such as access control policies, [device posture](https://tailscale.com/docs/features/device-posture) policies, and other security policies.\r\n\r\nKeeping this information on the coordination server helps ensure things like facilitating [NAT traversal](https://tailscale.com/blog/how-tailscale-works) through DERP servers, keeping configurations in sync across the tailnet, ensuring enforcement of access control policies, and surfacing data on the admin console.\r\n\r\n#### [Authentication, authorization, and key distribution](https://tailscale.com/docs/concepts/control-data-planes\\#authentication-authorization-and-key-distribution)\r\n\r\nWhile a traditional implementation of a centralized coordination server might manage authentication, Tailscale's coordination server does not handle user authentication. Authentication is outsourced to an [OAuth 2.0](https://tailscale.com/docs/features/oauth-clients), [OpenID Connect](https://tailscale.com/docs/integrations/identity/custom-oidc), or [identity provider](https://tailscale.com/docs/integrations/identity), which lets you maintain user accounts through an existing provider such as GitHub or Google. The coordination server does, however, manage authentication tokens and their lifecycles and enforce [access control](https://tailscale.com/docs/features/access-control) policies.\r\n\r\nAll device public keys are stored on the coordination server. The coordination server only permits devices to access the public keys of devices and resources they're allowed to access. As a result, devices in a tailnet aren't aware of other devices unless you grant them access.\r\n\r\n## [Data plane](https://tailscale.com/docs/concepts/control-data-planes\\#data-plane)\r\n\r\nThe data plane operates on individual devices within your tailnet, handling the actual movement of encrypted data between devices using the [WireGuard](https://tailscale.com/docs/concepts/wireguard) protocol.\r\n\r\nThe data plane manages packet [encryption](https://tailscale.com/docs/concepts/tailscale-encryption), applies routing rules from the [control plane](https://tailscale.com/docs/concepts/control-data-planes#control-plane), and handles packet forwarding. It also establishes connections, continuously monitors connection health, manages bandwidth usage, and implements failover mechanisms when network conditions change.\r\n\r\n- Device-to-device communication functions of the data plane include establishing WireGuard tunnels, encrypting and decrypting traffic, managing direct connections between devices, implementing UDP-based communication, and handling connection migration.\r\n- Packet management functions of the data plane include forwarding encrypted packets between devices, applying routing rules to traffic, implementing packet filtering based on access control policies, managing packet queuing and prioritization, and handling packet fragmentation and reassembly.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Control and data planes</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>Modern networks separate their operations into two distinct planes that work together: the <a href=\"https://tailscale.com/docs/concepts/control-data-planes#control-plane\">control plane</a> and the <a href=\"https://tailscale.com/docs/concepts/control-data-planes#data-plane\">data plane</a>. These planes maintain constant communication, and the separation helps organize network operations and makes networks more manageable, efficient, and reliable.</p>\n<p>In a Tailscale network (known as a <a href=\"https://tailscale.com/docs/concepts/tailnet\">tailnet</a>), the control plane operates through the Tailscale <a href=\"https://tailscale.com/docs/concepts/control-data-planes#coordination-server\">coordination server</a>, while the data plane runs on each tailnet device.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/control-data-planes#control-plane\">Control plane</a></h2>\n<p>The control plane is a vital part of a network that manages how data flows through the <a href=\"https://tailscale.com/docs/concepts/control-data-planes#data-plane\">data plane</a>. You can think of the control plane as an air traffic controller; it oversees the entire network and makes high-level decisions. It performs many tasks, including identity management, network configuration, connection coordination, and policy management.</p>\n<ul>\n<li>Authentication and identity functions of the control plane include validating device identities, maintaining <a href=\"https://tailscale.com/docs/features/access-control\">access control</a> policies, tracking device registration and removal, and managing device authorization states.</li>\n<li>Network setup and maintenance functions of the control plane include distributing subnet routes, configuring DNS settings, managing <a href=\"https://tailscale.com/docs/concepts/ip-and-dns-addresses\">IP address assignments</a>, and updating network configurations.</li>\n<li>Connection coordination functions of the control plane include managing <a href=\"https://tailscale.com/blog/how-tailscale-works\">NAT traversal</a>, peer discovery, distributing device information, selecting optimal <a href=\"https://tailscale.com/docs/reference/derp-servers\">DERP</a> regions, and maintaining device state information.</li>\n<li>Policy management functions of the control plane include enforcing <a href=\"https://tailscale.com/docs/features/access-control\">access control</a> policies, managing <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routing</a> rules, implementing <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit node</a> configurations, and managing permissions.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/concepts/control-data-planes#coordination-server\">Coordination server</a></h3>\n<p>The Tailscale coordination server is a single, centralized server that manages <a href=\"https://tailscale.com/docs/concepts/control-data-planes#control-plane\">control plane</a> operations and maintains a connection to all tailnet devices. It handles essential functions including device discovery, authentication, <a href=\"https://tailscale.com/blog/tailscale-key-management\">key distribution</a>, and policy enforcement. It also distributes routing configurations and access control policies to Tailscale clients on tailnet devices, which convert these high-level instructions into to the lowest-level configuration the <a href=\"https://tailscale.com/docs/concepts/control-data-planes#data-plane\">data plane</a> can execute.</p>\n<p>Additionally, the coordination server enables NAT traversal by managing endpoint information between devices and selecting optimal <a href=\"https://tailscale.com/docs/reference/derp-servers\">DERP</a> regions when <a href=\"https://tailscale.com/docs/reference/connection-types\">direct connections</a> aren't possible.</p>\n<p>If the <a href=\"https://tailscale.com/docs/reference/coordination-server-down\">coordination server becomes unavailable</a>, tailnet devices can still communicate with pre-established connections and use cached network policies. However, they won't be able to establish new connections, alter their keys, or retrieve network policy updates until the coordination server comes back online. This is because Tailscale doesn't route any traffic through the coordination server, device keys are stored locally, and network policies are cached locally.</p>\n<h4><a href=\"https://tailscale.com/docs/concepts/control-data-planes#device-discovery-and-nat-traversal\">Device discovery and NAT traversal</a></h4>\n<p>One of the core functions of the coordination server is to maintain a registry of all devices in a tailnet. It also collects and manages device information, such as IP addresses, Tailscale client versions, public keys, location, and operating systems. The coordination server uses this information to populate device data on the Tailscale admin console, select <a href=\"https://tailscale.com/docs/reference/derp-servers\">DERP servers</a>, apply <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> policies, and facilitate connections.</p>\n<h4><a href=\"https://tailscale.com/docs/concepts/control-data-planes#state-policies-and-configurations\">State, policies, and configurations</a></h4>\n<p>The Tailscale coordination server collects and distributes this device and network information across the tailnet. This information includes:</p>\n<ul>\n<li>Device metadata, such as <a href=\"https://tailscale.com/docs/concepts/ip-and-dns-addresses\">IP addresses</a>, Tailscale client versions, operating systems, and geographic location.</li>\n<li>Device public keys and certificates.</li>\n<li>Network configurations, such as <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale\">DNS</a> name servers and preferred DERP servers.</li>\n<li>Policies, such as access control policies, <a href=\"https://tailscale.com/docs/features/device-posture\">device posture</a> policies, and other security policies.</li>\n</ul>\n<p>Keeping this information on the coordination server helps ensure things like facilitating <a href=\"https://tailscale.com/blog/how-tailscale-works\">NAT traversal</a> through DERP servers, keeping configurations in sync across the tailnet, ensuring enforcement of access control policies, and surfacing data on the admin console.</p>\n<h4><a href=\"https://tailscale.com/docs/concepts/control-data-planes#authentication-authorization-and-key-distribution\">Authentication, authorization, and key distribution</a></h4>\n<p>While a traditional implementation of a centralized coordination server might manage authentication, Tailscale's coordination server does not handle user authentication. Authentication is outsourced to an <a href=\"https://tailscale.com/docs/features/oauth-clients\">OAuth 2.0</a>, <a href=\"https://tailscale.com/docs/integrations/identity/custom-oidc\">OpenID Connect</a>, or <a href=\"https://tailscale.com/docs/integrations/identity\">identity provider</a>, which lets you maintain user accounts through an existing provider such as GitHub or Google. The coordination server does, however, manage authentication tokens and their lifecycles and enforce <a href=\"https://tailscale.com/docs/features/access-control\">access control</a> policies.</p>\n<p>All device public keys are stored on the coordination server. The coordination server only permits devices to access the public keys of devices and resources they're allowed to access. As a result, devices in a tailnet aren't aware of other devices unless you grant them access.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/control-data-planes#data-plane\">Data plane</a></h2>\n<p>The data plane operates on individual devices within your tailnet, handling the actual movement of encrypted data between devices using the <a href=\"https://tailscale.com/docs/concepts/wireguard\">WireGuard</a> protocol.</p>\n<p>The data plane manages packet <a href=\"https://tailscale.com/docs/concepts/tailscale-encryption\">encryption</a>, applies routing rules from the <a href=\"https://tailscale.com/docs/concepts/control-data-planes#control-plane\">control plane</a>, and handles packet forwarding. It also establishes connections, continuously monitors connection health, manages bandwidth usage, and implements failover mechanisms when network conditions change.</p>\n<ul>\n<li>Device-to-device communication functions of the data plane include establishing WireGuard tunnels, encrypting and decrypting traffic, managing direct connections between devices, implementing UDP-based communication, and handling connection migration.</li>\n<li>Packet management functions of the data plane include forwarding encrypted packets between devices, applying routing rules to traffic, implementing packet filtering based on access control policies, managing packet queuing and prioritization, and handling packet fragmentation and reassembly.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}