{"slug":"terminology-and-concepts","title":"Terminology and concepts","tags":["tailscale","logging"],"agent_summary":"Last validated: Jan 12, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Terminology and concepts\r\n\r\nLast validated: Jan 12, 2026\r\n\r\n## [Access control lists](https://tailscale.com/docs/reference/glossary\\#access-control-lists)\r\n\r\nAn [access control list](https://tailscale.com/docs/features/access-control/acls) (ACL) manages system access using rules in the [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file). You can use ACLs to filter traffic and enhance security by managing who and what can use which resources.\r\n\r\n## [tags](https://tailscale.com/docs/reference/glossary\\#tags)\r\n\r\nA [tag](https://tailscale.com/docs/features/tags) lets you assign an [identity](https://tailscale.com/docs/reference/glossary#identity-provider) (that's separate from human users) to [devices](https://tailscale.com/docs/reference/glossary#device). You can use tags in your [access rules](https://tailscale.com/docs/features/access-control/acls) to restrict access.\r\n\r\n## [admin console](https://tailscale.com/docs/reference/glossary\\#admin-console)\r\n\r\nThe admin console is the central location to manage your Tailscale network (known as a [tailnet](https://tailscale.com/docs/reference/glossary#tailnet)). You can manage devices on your network, users and their permissions, and settings such as key expiry. The admin console also informs you if an update to the Tailscale client is available for your device. When you make changes from the admin console, the [coordination server](https://tailscale.com/docs/concepts/control-data-planes#coordination-server) updates the changes to your tailnet immediately.\r\n\r\nYou can access the admin console at [admin console](https://login.tailscale.com/admin).\r\n\r\n## [API](https://tailscale.com/docs/reference/glossary\\#api)\r\n\r\nAPI is an acronym for application programming interface. APIs define a set of rules to interact with an application or service programmatically. The [Tailscale API](https://tailscale.com/api) lets you manage your Tailscale account and tailnet.\r\n\r\n## [CLI](https://tailscale.com/docs/reference/glossary\\#cli)\r\n\r\nCLI is an acronym for command line interface. The Tailscale [CLI](https://tailscale.com/docs/reference/tailscale-cli) includes a robust set of commands with functionality that GUI applications might not have. The Tailscale CLI is installed automatically when you install Tailscale on Linux, macOS, or Windows.\r\n\r\n## [Client](https://tailscale.com/docs/reference/glossary\\#client)\r\n\r\nThe Tailscale client is a software application that runs on a device so the device can join and participate in a [tailnet](https://tailscale.com/docs/reference/glossary#tailnet). The client uses the [WireGuard](https://tailscale.com/docs/reference/glossary#wireguard) protocol to create encrypted peer-to-peer connections. The client is available for multiple operating systems. Much of the client code is [open source](https://tailscale.com/opensource).\r\n\r\n## [Coordination server](https://tailscale.com/docs/reference/glossary\\#coordination-server)\r\n\r\nA [coordination server](https://tailscale.com/docs/concepts/control-data-planes#coordination-server) is a central server that maintains a connection to all devices in your [Tailscale network](https://tailscale.com/docs/reference/glossary#tailnet). It manages [encryption](https://tailscale.com/docs/concepts/tailscale-encryption) keys, network changes, access policy changes, and maintains a connection to all devices in your Tailscale network. The coordination server is part of the [control plane](https://tailscale.com/docs/concepts/control-data-planes#control-plane), not the [data plane](https://tailscale.com/docs/concepts/control-data-planes#data-plane). It avoids being a performance bottleneck by not relaying traffic between devices.\r\n\r\n## [Device](https://tailscale.com/docs/reference/glossary\\#device)\r\n\r\nA device is anything other than a user. It can be physical or virtual and sends, receives, or processes data on your Tailscale network.\r\n\r\n## [Device key](https://tailscale.com/docs/reference/glossary\\#device-key)\r\n\r\nA device key is a unique public and private key pair for a specific [device](https://tailscale.com/docs/reference/glossary#device). More than one user can use a device key, but each device can only have one device key. The combination of a specific user with a device key represents a unique device.\r\n\r\n## [Firewall](https://tailscale.com/docs/reference/glossary\\#firewall)\r\n\r\nA firewall limits what network traffic can pass between two points. Firewalls can be hardware-based or software-based. Tailscale includes a built-in firewall, defined by the domain's [access rules](https://tailscale.com/docs/features/access-control/acls).\r\n\r\n## [Full tunnel](https://tailscale.com/docs/reference/glossary\\#full-tunnel)\r\n\r\nWith a traditional virtual private network (VPN), full tunnel describes a configuration where all traffic from a client is sent through the VPN, including internet-bound traffic. With Tailscale, you can route all internet-bound traffic by setting a device on your network as an [exit node](https://tailscale.com/docs/features/exit-nodes). If your clients are configured to use an exit node and also have routes or connectivity to other Tailscale [devices](https://tailscale.com/docs/reference/glossary#device), [subnet routers](https://tailscale.com/docs/features/subnet-routers), or [app connectors](https://tailscale.com/docs/features/app-connectors/how-to/setup), then Tailscale will still operate as a [split tunnel](https://tailscale.com/docs/reference/glossary#split-tunnel) VPN, routing traffic directly to each endpoint without routing traffic through the exit node first.\r\n\r\n## [Identity Provider](https://tailscale.com/docs/reference/glossary\\#identity-provider)\r\n\r\nAn identity provider is a method for users to authenticate to a [tailnet](https://tailscale.com/docs/concepts/tailnet). Examples of [identity providers](https://tailscale.com/docs/integrations/identity) include Google, Okta, and Microsoft. Tailscale is not an identity provider but relies other identity providers for authentication.\r\n\r\n## [Key expiry](https://tailscale.com/docs/reference/glossary\\#key-expiry)\r\n\r\nKey expiry is the end of the validity period for a cryptographic key. An expired key can no longer encrypt or decrypt data, nor authenticate a device to a Tailscale network.\r\n\r\nUsing Tailscale means you never have to manage [encryption](https://tailscale.com/docs/concepts/tailscale-encryption) keys directly. Tailscale automatically expires keys and requires them to be regenerated at regular intervals. You can disable key expiry for long-lived devices from the admin console.\r\n\r\n## [MagicDNS](https://tailscale.com/docs/reference/glossary\\#magicdns)\r\n\r\n[MagicDNS](https://tailscale.com/docs/features/magicdns) automatically registers memorable hostnames for devices in your Tailscale network. It also extends and improves DNS functionality.\r\n\r\n## [NAT traversal](https://tailscale.com/docs/reference/glossary\\#nat-traversal)\r\n\r\nNAT is an acronym for [network address translation](https://en.wikipedia.org/wiki/Network_address_translation). [NAT traversal](https://tailscale.com/blog/how-nat-traversal-works) is a way to connect devices across the internet through barriers such as firewalls. Most internet devices can't talk to each other because of firewalls and devices that do network address translation. [NAT traversal works](https://tailscale.com/blog/how-tailscale-works#the-control-plane-key-exchange-and-coordination) around these barriers, allowing [data to traverse the network](https://tailscale.com/docs/reference/glossary#nat-traversal).\r\n\r\n## [Network topology](https://tailscale.com/docs/reference/glossary\\#network-topology)\r\n\r\nA network topology is an arrangement of devices in a network. It shows the connections between them. Examples of network topologies include star, bus, hub-and-spoke, mesh, and hybrid.\r\n\r\nTraditional virtual private networks (VPNs) use a [hub-and-spoke topology](https://tailscale.com/blog/how-tailscale-works#hub-and-spoke-networks). Each device communicates with another in this setup by sending all traffic through a central gateway device. Tailscale operates as a [mesh topology](https://tailscale.com/blog/how-tailscale-works#mesh-networks) where each device can talk directly to others using [NAT traversal](https://tailscale.com/docs/reference/glossary#nat-traversal).\r\n\r\n## [Node](https://tailscale.com/docs/reference/glossary\\#node)\r\n\r\nA node is a combination of a user and a [device](https://tailscale.com/docs/reference/glossary#device).\r\n\r\n## [Overlay network](https://tailscale.com/docs/reference/glossary\\#overlay-network)\r\n\r\nAn overlay network is a virtual network built on top of the [underlay](https://tailscale.com/docs/reference/glossary#underlay-network) network, where nodes communicate using logical addresses and encrypted tunnels independent of the underlay's addressing or topology. Tailscale forms an overlay network (the [tailnet](https://tailscale.com/docs/reference/glossary#tailnet)) that gives each node a stable identity and IP address, regardless of how the underlay changes.\r\n\r\n## [Peer](https://tailscale.com/docs/reference/glossary\\#peer)\r\n\r\nA peer is another [node](https://tailscale.com/docs/reference/glossary#node) that your device is trying to talk to. A peer might or might not be in the same domain.\r\n\r\n## [Relay](https://tailscale.com/docs/reference/glossary\\#relay)\r\n\r\nA relay is an intermediary server that passes data between two or more devices in a network. Tailscale uses a special type of globally distributed relay server called [Designated Encrypted Relay for Packets (DERP)](https://tailscale.com/docs/reference/derp-servers). DERP relay servers function as a fallback to connect devices when NAT traversal fails.\r\n\r\n## [Split tunnel](https://tailscale.com/docs/reference/glossary\\#split-tunnel)\r\n\r\nSplit tunnel, as opposed to [full tunnel](https://tailscale.com/docs/reference/glossary#full-tunnel), describes a VPN configuration where only some traffic (specific IP ranges, domains, or subnets) is sent through the VPN, while all other traffic goes directly to the internet by using the device's local internet gateway. In Tailscale, this means only traffic destined for other Tailscale [devices](https://tailscale.com/docs/reference/glossary#device), [subnet routers](https://tailscale.com/docs/features/subnet-routers), or [app connectors](https://tailscale.com/docs/features/app-connectors/how-to/setup) uses the tailnet, leaving general internet traffic untouched.\r\n\r\n## [SSO](https://tailscale.com/docs/reference/glossary\\#sso)\r\n\r\nSSO is an acronym for [single sign-on](https://tailscale.com/docs/integrations/identity). Single sign-on lets users log in to one site using the identity of another.\r\n\r\n## [Tailnet](https://tailscale.com/docs/reference/glossary\\#tailnet)\r\n\r\nA [tailnet](https://tailscale.com/docs/concepts/tailnet) is another term for a Tailscale network, which is an interconnected collection of users, devices, and resources. The network has a [control plane](https://tailscale.com/docs/concepts/control-data-planes#control-plane) and a [data plane](https://tailscale.com/docs/concepts/control-data-planes#data-plane) that work in unison to manage access and send data between devices.\r\n\r\nThere are personal and organization tailnets. A personal tailnet is a shared domain single-user tailnet (like `gmail.com`). An organization tailnet is a custom domain tailnet (like `example.com`),\r\n\r\n## [Tailnet policy file](https://tailscale.com/docs/reference/glossary\\#tailnet-policy-file)\r\n\r\nThe tailnet policy file stores your Tailscale network's access rules, along with other tailnet configuration items. It uses [human JSON (HuJSON)](https://github.com/tailscale/hujson) and conforms to the [Tailscale policy syntax](https://tailscale.com/docs/reference/syntax/policy-file).\r\n\r\n## [Tailscalar](https://tailscale.com/docs/reference/glossary\\#tailscalar)\r\n\r\nA Tailscalar is a Tailscale employee.\r\n\r\n## [Tailscale IP address](https://tailscale.com/docs/reference/glossary\\#tailscale-ip-address)\r\n\r\nA [Tailscale IP address](https://tailscale.com/docs/reference/glossary#tailscale-ip-address) is a [unique IP address](https://tailscale.com/docs/concepts/ip-and-dns-addresses) assigned to each device in your Tailscale network. It's always in the form `100.x.y.z` (for example, `100.100.123.123`). It stays the same even when switching between your home internet connection, cellular networks, or coffee shop Wi-Fi networks.\r\n\r\n## [Tunnel](https://tailscale.com/docs/reference/glossary\\#tunnel)\r\n\r\nIn networking, a tunnel is an encapsulated connection between one or more points in a network. It lets users, devices, or resources communicate securely over a public data network.\r\n\r\n## [Underlay network](https://tailscale.com/docs/reference/glossary\\#underlay-network)\r\n\r\nAn underlay network is the physical or existing IP network over which Tailscale runs, such as your home Wi-Fi, office LAN, or your cloud or data center's internet connection. Tailscale uses this underlay for actual packet transport, creating an [overlay network](https://tailscale.com/docs/reference/glossary#overlay-network) on top of the underlay that handles encryption, NAT traversal, access controls, and many more features.\r\n\r\n## [WireGuard](https://tailscale.com/docs/reference/glossary\\#wireguard)\r\n\r\n[WireGuard](https://www.wireguard.com/) is the underlying cryptographic protocol that Tailscale uses.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Terminology and concepts</h1>\n<p>Last validated: Jan 12, 2026</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#access-control-lists\">Access control lists</a></h2>\n<p>An <a href=\"https://tailscale.com/docs/features/access-control/acls\">access control list</a> (ACL) manages system access using rules in the <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a>. You can use ACLs to filter traffic and enhance security by managing who and what can use which resources.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#tags\">tags</a></h2>\n<p>A <a href=\"https://tailscale.com/docs/features/tags\">tag</a> lets you assign an <a href=\"https://tailscale.com/docs/reference/glossary#identity-provider\">identity</a> (that's separate from human users) to <a href=\"https://tailscale.com/docs/reference/glossary#device\">devices</a>. You can use tags in your <a href=\"https://tailscale.com/docs/features/access-control/acls\">access rules</a> to restrict access.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#admin-console\">admin console</a></h2>\n<p>The admin console is the central location to manage your Tailscale network (known as a <a href=\"https://tailscale.com/docs/reference/glossary#tailnet\">tailnet</a>). You can manage devices on your network, users and their permissions, and settings such as key expiry. The admin console also informs you if an update to the Tailscale client is available for your device. When you make changes from the admin console, the <a href=\"https://tailscale.com/docs/concepts/control-data-planes#coordination-server\">coordination server</a> updates the changes to your tailnet immediately.</p>\n<p>You can access the admin console at <a href=\"https://login.tailscale.com/admin\">admin console</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#api\">API</a></h2>\n<p>API is an acronym for application programming interface. APIs define a set of rules to interact with an application or service programmatically. The <a href=\"https://tailscale.com/api\">Tailscale API</a> lets you manage your Tailscale account and tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#cli\">CLI</a></h2>\n<p>CLI is an acronym for command line interface. The Tailscale <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">CLI</a> includes a robust set of commands with functionality that GUI applications might not have. The Tailscale CLI is installed automatically when you install Tailscale on Linux, macOS, or Windows.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#client\">Client</a></h2>\n<p>The Tailscale client is a software application that runs on a device so the device can join and participate in a <a href=\"https://tailscale.com/docs/reference/glossary#tailnet\">tailnet</a>. The client uses the <a href=\"https://tailscale.com/docs/reference/glossary#wireguard\">WireGuard</a> protocol to create encrypted peer-to-peer connections. The client is available for multiple operating systems. Much of the client code is <a href=\"https://tailscale.com/opensource\">open source</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#coordination-server\">Coordination server</a></h2>\n<p>A <a href=\"https://tailscale.com/docs/concepts/control-data-planes#coordination-server\">coordination server</a> is a central server that maintains a connection to all devices in your <a href=\"https://tailscale.com/docs/reference/glossary#tailnet\">Tailscale network</a>. It manages <a href=\"https://tailscale.com/docs/concepts/tailscale-encryption\">encryption</a> keys, network changes, access policy changes, and maintains a connection to all devices in your Tailscale network. The coordination server is part of the <a href=\"https://tailscale.com/docs/concepts/control-data-planes#control-plane\">control plane</a>, not the <a href=\"https://tailscale.com/docs/concepts/control-data-planes#data-plane\">data plane</a>. It avoids being a performance bottleneck by not relaying traffic between devices.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#device\">Device</a></h2>\n<p>A device is anything other than a user. It can be physical or virtual and sends, receives, or processes data on your Tailscale network.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#device-key\">Device key</a></h2>\n<p>A device key is a unique public and private key pair for a specific <a href=\"https://tailscale.com/docs/reference/glossary#device\">device</a>. More than one user can use a device key, but each device can only have one device key. The combination of a specific user with a device key represents a unique device.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#firewall\">Firewall</a></h2>\n<p>A firewall limits what network traffic can pass between two points. Firewalls can be hardware-based or software-based. Tailscale includes a built-in firewall, defined by the domain's <a href=\"https://tailscale.com/docs/features/access-control/acls\">access rules</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#full-tunnel\">Full tunnel</a></h2>\n<p>With a traditional virtual private network (VPN), full tunnel describes a configuration where all traffic from a client is sent through the VPN, including internet-bound traffic. With Tailscale, you can route all internet-bound traffic by setting a device on your network as an <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit node</a>. If your clients are configured to use an exit node and also have routes or connectivity to other Tailscale <a href=\"https://tailscale.com/docs/reference/glossary#device\">devices</a>, <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routers</a>, or <a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup\">app connectors</a>, then Tailscale will still operate as a <a href=\"https://tailscale.com/docs/reference/glossary#split-tunnel\">split tunnel</a> VPN, routing traffic directly to each endpoint without routing traffic through the exit node first.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#identity-provider\">Identity Provider</a></h2>\n<p>An identity provider is a method for users to authenticate to a <a href=\"https://tailscale.com/docs/concepts/tailnet\">tailnet</a>. Examples of <a href=\"https://tailscale.com/docs/integrations/identity\">identity providers</a> include Google, Okta, and Microsoft. Tailscale is not an identity provider but relies other identity providers for authentication.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#key-expiry\">Key expiry</a></h2>\n<p>Key expiry is the end of the validity period for a cryptographic key. An expired key can no longer encrypt or decrypt data, nor authenticate a device to a Tailscale network.</p>\n<p>Using Tailscale means you never have to manage <a href=\"https://tailscale.com/docs/concepts/tailscale-encryption\">encryption</a> keys directly. Tailscale automatically expires keys and requires them to be regenerated at regular intervals. You can disable key expiry for long-lived devices from the admin console.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#magicdns\">MagicDNS</a></h2>\n<p><a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a> automatically registers memorable hostnames for devices in your Tailscale network. It also extends and improves DNS functionality.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#nat-traversal\">NAT traversal</a></h2>\n<p>NAT is an acronym for <a href=\"https://en.wikipedia.org/wiki/Network_address_translation\">network address translation</a>. <a href=\"https://tailscale.com/blog/how-nat-traversal-works\">NAT traversal</a> is a way to connect devices across the internet through barriers such as firewalls. Most internet devices can't talk to each other because of firewalls and devices that do network address translation. <a href=\"https://tailscale.com/blog/how-tailscale-works#the-control-plane-key-exchange-and-coordination\">NAT traversal works</a> around these barriers, allowing <a href=\"https://tailscale.com/docs/reference/glossary#nat-traversal\">data to traverse the network</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#network-topology\">Network topology</a></h2>\n<p>A network topology is an arrangement of devices in a network. It shows the connections between them. Examples of network topologies include star, bus, hub-and-spoke, mesh, and hybrid.</p>\n<p>Traditional virtual private networks (VPNs) use a <a href=\"https://tailscale.com/blog/how-tailscale-works#hub-and-spoke-networks\">hub-and-spoke topology</a>. Each device communicates with another in this setup by sending all traffic through a central gateway device. Tailscale operates as a <a href=\"https://tailscale.com/blog/how-tailscale-works#mesh-networks\">mesh topology</a> where each device can talk directly to others using <a href=\"https://tailscale.com/docs/reference/glossary#nat-traversal\">NAT traversal</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#node\">Node</a></h2>\n<p>A node is a combination of a user and a <a href=\"https://tailscale.com/docs/reference/glossary#device\">device</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#overlay-network\">Overlay network</a></h2>\n<p>An overlay network is a virtual network built on top of the <a href=\"https://tailscale.com/docs/reference/glossary#underlay-network\">underlay</a> network, where nodes communicate using logical addresses and encrypted tunnels independent of the underlay's addressing or topology. Tailscale forms an overlay network (the <a href=\"https://tailscale.com/docs/reference/glossary#tailnet\">tailnet</a>) that gives each node a stable identity and IP address, regardless of how the underlay changes.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#peer\">Peer</a></h2>\n<p>A peer is another <a href=\"https://tailscale.com/docs/reference/glossary#node\">node</a> that your device is trying to talk to. A peer might or might not be in the same domain.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#relay\">Relay</a></h2>\n<p>A relay is an intermediary server that passes data between two or more devices in a network. Tailscale uses a special type of globally distributed relay server called <a href=\"https://tailscale.com/docs/reference/derp-servers\">Designated Encrypted Relay for Packets (DERP)</a>. DERP relay servers function as a fallback to connect devices when NAT traversal fails.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#split-tunnel\">Split tunnel</a></h2>\n<p>Split tunnel, as opposed to <a href=\"https://tailscale.com/docs/reference/glossary#full-tunnel\">full tunnel</a>, describes a VPN configuration where only some traffic (specific IP ranges, domains, or subnets) is sent through the VPN, while all other traffic goes directly to the internet by using the device's local internet gateway. In Tailscale, this means only traffic destined for other Tailscale <a href=\"https://tailscale.com/docs/reference/glossary#device\">devices</a>, <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routers</a>, or <a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup\">app connectors</a> uses the tailnet, leaving general internet traffic untouched.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#sso\">SSO</a></h2>\n<p>SSO is an acronym for <a href=\"https://tailscale.com/docs/integrations/identity\">single sign-on</a>. Single sign-on lets users log in to one site using the identity of another.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#tailnet\">Tailnet</a></h2>\n<p>A <a href=\"https://tailscale.com/docs/concepts/tailnet\">tailnet</a> is another term for a Tailscale network, which is an interconnected collection of users, devices, and resources. The network has a <a href=\"https://tailscale.com/docs/concepts/control-data-planes#control-plane\">control plane</a> and a <a href=\"https://tailscale.com/docs/concepts/control-data-planes#data-plane\">data plane</a> that work in unison to manage access and send data between devices.</p>\n<p>There are personal and organization tailnets. A personal tailnet is a shared domain single-user tailnet (like <code>gmail.com</code>). An organization tailnet is a custom domain tailnet (like <code>example.com</code>),</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">Tailnet policy file</a></h2>\n<p>The tailnet policy file stores your Tailscale network's access rules, along with other tailnet configuration items. It uses <a href=\"https://github.com/tailscale/hujson\">human JSON (HuJSON)</a> and conforms to the <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">Tailscale policy syntax</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#tailscalar\">Tailscalar</a></h2>\n<p>A Tailscalar is a Tailscale employee.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#tailscale-ip-address\">Tailscale IP address</a></h2>\n<p>A <a href=\"https://tailscale.com/docs/reference/glossary#tailscale-ip-address\">Tailscale IP address</a> is a <a href=\"https://tailscale.com/docs/concepts/ip-and-dns-addresses\">unique IP address</a> assigned to each device in your Tailscale network. It's always in the form <code>100.x.y.z</code> (for example, <code>100.100.123.123</code>). It stays the same even when switching between your home internet connection, cellular networks, or coffee shop Wi-Fi networks.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#tunnel\">Tunnel</a></h2>\n<p>In networking, a tunnel is an encapsulated connection between one or more points in a network. It lets users, devices, or resources communicate securely over a public data network.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#underlay-network\">Underlay network</a></h2>\n<p>An underlay network is the physical or existing IP network over which Tailscale runs, such as your home Wi-Fi, office LAN, or your cloud or data center's internet connection. Tailscale uses this underlay for actual packet transport, creating an <a href=\"https://tailscale.com/docs/reference/glossary#overlay-network\">overlay network</a> on top of the underlay that handles encryption, NAT traversal, access controls, and many more features.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/glossary#wireguard\">WireGuard</a></h2>\n<p><a href=\"https://www.wireguard.com/\">WireGuard</a> is the underlying cryptographic protocol that Tailscale uses.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}