Tailscale

Why deploy Tailscale on Render?

Tailscale is a zero-configuration VPN service built on top of WireGuard that creates secure mesh networks between devices. It solves the problem of accessing devices and services behind firewalls or NATs without complex network configuration, enabling secure connections to private infrastructure from anywhere.

This template deploys a fully configured Tailscale subnet router that acts as a VPN gateway to your entire Render private network—just add your auth key and you'll have secure access to all your internal 10.x.x.x services from anywhere. Setting this up manually means configuring Wireguard, managing routing tables, and ensuring the container stays connected; this template handles the networking plumbing so you're tunneled in within minutes. Since it runs as a Render service alongside your other apps, it automatically shares the same private network with zero additional configuration.

Architecture

What you can build

After deploying, you'll have a Tailscale subnet router running on Render that lets you access any private service in your Render network from your local machine or other Tailscale-connected devices. This means you can connect directly to internal IPs and private databases without exposing them to the public internet. You'll need to approve the subnet routes in your Tailscale admin panel before the first connection.

Key features

• Subnet Router Gateway: Acts as a Tailscale subnet router to expose all internal 10.x.x.x IPs in your Render private network to your Tailscale mesh.
• One-Click Deployment: Deploy directly to Render with a single button click using a Tailscale auth key as the only required configuration.
• WireGuard-Based VPN: Built on Tailscale's zero-config VPN which uses WireGuard for encrypted tunneling without manual network configuration.
• Private Service Access: Connect to any Render private service from your local machine or other Tailscale nodes using internal hostnames resolved via dig.
• Auth Key Security: Supports one-off Tailscale auth keys for maximum security when provisioning the subnet router.

Use cases

• DevOps engineer securely accesses Render private databases from local machine
• Remote developer connects to internal staging APIs without exposing them publicly
• Platform team debugs private microservices across Render network from anywhere
• Security-conscious startup restricts database access to VPN-connected team members only

Prerequisites

• Tailscale Auth Key: An authentication key used to connect this service to your Tailscale network as a subnet router.

Next steps

1. Open the Tailscale admin panel and enable the subnet routes for 10.0.0.0/8 — You should see the routes change from 'Awaiting approval' to 'Enabled' under your new Render machine
2. Connect to Tailscale on your local device and ping a Render private service internal IP — You should receive successful ping responses showing connectivity through the subnet router
3. Open the Render web shell for your subnet router and run dig — You should see the internal 10.x.x.x IP address returned, confirming DNS resolution works over the VPN

Resources

• Tailscale official site