🤠 Tailscale's Free Tier Just Doubled. If You've Been Putting It Off, Today's The Morning.

Thursday Toolbox 🤠


This is an IT Support Group


One tool. Free for six users. Three minutes to deploy. Replaces about $4,000 a year of VPN and remote-access tooling. If it's not in your stack yet, today's the morning.

GM IT pros!

Happy Thursday! New format we're trying — Thursday Toolbox. One tool, deep, practical, no news roundup. Friday's chaos hits tomorrow. Today's just a tool you should know about and probably already half-considered installing. Let's do it.

-Stetson

Today's Tool: Tailscale

The free tier just doubled in size. If you've been "meaning to get around to it," the bar to entry just disappeared.

The problem it actually solves

You support five users across four physical locations, three of which have residential ISPs and dynamic IPs. Two of those users need to RDP into a server back at HQ. One needs to access a Synology NAS at her sister-in-law's office. The boss wants to grab files from the home server when he's traveling. A vendor needs occasional read-only access to one specific machine. The line-of-business app at the colo only listens on a private VLAN.

The traditional answer to all of this is some combination of: a SonicWall with site-to-site VPN tunnels, port-forwards on every router you don't fully trust, OpenVPN configs you have to babysit, dynamic-DNS hacks, a jump host nobody's patched in 18 months, and a spreadsheet of who needs what access. The cost is real. The maintenance is worse. And every public-facing endpoint you open is one more thing the ransomware kids are scanning every fifteen minutes.

Tailscale is the answer. It is a mesh VPN built on WireGuard that makes every device on every network behave like it's on the same LAN. No port-forwarding, no public IPs exposed, no router config, no certificates to manage manually. You install the agent, log in with SSO, and the device gets a stable private IP that just works.

What changed on April 8 (this is the actual news hook)

Tailscale overhauled their pricing on April 8, 2026, and the relevant piece for IT pros is this: the free Personal plan now allows up to six users with unlimited user-owned devices. The previous limit was three users; the previous device cap was 100 per network. Both of those caps are now gone for free-tier users.

For a small MSP, a five-person dev team, or a household-plus-side-business, six users with unlimited devices is enough to never pay Tailscale a dollar. They retired the old Personal Plus paid tier (which existed to bridge the gap between three-user free and per-seat business) and just folded its features into free. Existing Personal Plus subscribers get auto-migrated.

If you priced this out a year ago and decided it wasn't worth the spend for your specific shop size, the math just changed. Re-evaluate this morning.

The 5-minute setup

You can have a working Tailscale network across three machines in less time than it takes to fill out the change-management ticket explaining why you wanted one.

1. Sign up at tailscale.com with the SSO of your choice. Google Workspace, Microsoft 365, GitHub, Apple ID — pick whichever your team already lives in. Don't make a separate Tailscale-only login; you'll regret it in six months.

2. Install the agent on the first machine. Linux: curl -fsSL https://tailscale.com/install.sh | sh. macOS: App Store or brew install tailscale. Windows: download the MSI. Mobile: native apps in both stores. Run tailscale up (or click the GUI). It'll open a browser to authenticate.

3. Repeat on a second machine. Same login, same dance. Now run tailscale ip on each — you'll see a 100.x.x.x address. SSH to that address from one machine to the other. It works. There is no step three.

4. Turn on MagicDNS. Admin console → DNS → enable MagicDNS. Now every machine has a hostname like laptop.tailnet-name.ts.net that resolves over the tailnet. Stop typing IPs.

5. Add a subnet router for legacy LAN access. If you have a printer or a NAS or a piece of vendor gear that can't run the agent, install the agent on any always-on Linux box on that subnet, run tailscale up --advertise-routes=192.168.50.0/24, approve the route in the admin console. Now the entire 192.168.50.x range is reachable from any tailnet device. This is the move that retires three of your four legacy VPN tunnels.

The features that quietly turn into a security upgrade

The real argument for Tailscale isn't "it replaces my VPN," it's "it replaces my VPN and upgrades my security posture in the same install." Highlights:

ACLs as code. Access policy is a JSON file in the admin console. You can grant "the contractor's laptop can reach port 3389 on this one server, nothing else, expires in 30 days" in literally six lines. Version-controlled, reviewable, undoable. Compare to firewall rules nobody can find.

Tailscale SSH. Built-in SSH that uses tailnet identity instead of SSH keys. You can disable password auth, disable key-based auth, and require Tailscale SSO to even attempt a connection. The "rotate every SSH key in the org" project? Skip it. Use this instead.

Exit nodes. Designate any tailnet device as an exit node and your other devices can route their public traffic through it. The use case isn't watching foreign Netflix — it's "my user is on hotel wifi and I want all their traffic going out through our office IP for both security and source-IP-allowlisted SaaS."

Tailnet Lock. Cryptographic verification that a malicious admin can't add a rogue device to your network. This is overkill for a five-person shop. It's a job-saver for anyone with compliance requirements.
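
Because the access policy under "ACLs as code" is a file, it can be checked in review like any other code. The following is an added example (not Tailscale's tooling and not code from this newsletter): a small Python check that flags wildcard rules and contractor rules wider than one port on one host. The group name, host alias, address, and the lint_policy helper are constructed for illustration, and the sample policy is assumed to be strict JSON.

```python
import json
import sys

# Constructed sample policy. Strict JSON is assumed here; comments or trailing
# commas in the real policy file would need stripping before json.loads().
POLICY = """
{
  "groups": {"group:contractors": ["vendor@example.com"]},
  "hosts":  {"hq-rdp": "100.64.0.10"},
  "acls": [
    {"action": "accept", "src": ["group:contractors"], "dst": ["hq-rdp:3389"]},
    {"action": "accept", "src": ["group:contractors"], "dst": ["hq-rdp:*"]},
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:contractors"], "dst": ["hq-rdp:22,3389"]}
  ]
}
"""


def lint_policy(text, restricted=("group:contractors",)):
    """Return (rule_index, message) pairs for ACL rules that are too broad.

    `restricted` (hypothetical parameter) lists sources that may only ever be
    granted a single port on a named destination.
    """
    findings = []
    for i, rule in enumerate(json.loads(text).get("acls", [])):
        srcs = rule.get("src", [])
        if "*" in srcs:
            findings.append((i, "src '*' matches every device on the tailnet"))
        narrow_only = any(s in restricted for s in srcs)
        for dst in rule.get("dst", []):
            host, _, ports = dst.rpartition(":")  # split on the last ':' only
            if host == "*" or ports == "*":
                findings.append((i, f"dst {dst} uses a wildcard"))
            elif narrow_only and not ports.isdigit():
                findings.append((i, f"dst {dst} gives a restricted source more than one port"))
    return findings


if __name__ == "__main__":
    results = lint_policy(POLICY)
    for index, message in results:
        print(f"acls[{index}]: {message}")
    sys.exit(1 if results else 0)  # non-zero exit fails the review/CI job
```

Run against the policy file in version control, the non-zero exit blocks a change that widens contractor access or reintroduces an allow-all rule.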

When Tailscale is the wrong tool

Two cases, both important:

Cases where you genuinely need site-to-site at the network layer. Some legacy applications, some VoIP setups, and some compliance-driven environments need traditional IPsec tunnels with both ends fully owned by you. Tailscale's subnet routers cover most of these but not all. If you have a "the auditor needs to see a specific firewall rule" situation, the auditor probably also wants to see an IPsec tunnel.

Cases where the dependency on Tailscale's coordination server is unacceptable. Tailscale's data plane is peer-to-peer (your packets don't go through their servers), but the coordination plane (auth, key exchange, ACL distribution) does. If your environment cannot tolerate any third-party SaaS in the auth path, the answer is Headscale — the open-source self-hosted control server that speaks the same protocol. Same client, same UX, your servers, your sovereignty.

The Thursday homework

One thing. Sign up. Install on two machines. Verify it works. Add it to your "things I know how to deploy in five minutes" list. Total time: under fifteen minutes including the coffee refill.

Then this weekend, decide whether to roll it out to your team. The free six-user tier covers a remarkable number of IT shops and home labs. The $8/seat Standard tier covers everyone else. Either way the math works.

A Quick Word From The Shameless Plug Department

Tailscale is most powerful when you can drive it from the command line — tailscale up, tailscale status, tailscale ssh, the whole CLI surface. If "I'd use this more if I were comfortable on the bash side" is the sentence stopping you, Shell Samurai is hands-on Linux practice in your browser. No VM, no cloud credit card, structured progression from "what's a pipe" to "you're writing your own bash scripts." Built for the Windows admin who keeps getting handed Linux tasks. Shameless plug, zero regrets. shellsamurai.com


That's the toolbox. If this format lands, hit reply and tell me what tool you want next week — I've got a list, but the list is better when you tell me what you're actually trying to solve. Friday roundup hits tomorrow with the regular snark. If you're hiring or job-hunting, the board is at jobs.thisisanitsupportgroup.com.

Stay paranoid. Stay patched. See you tomorrow 🤠

-Stetson