We’re in the middle of trying things out with Tailscale, which is looking really good & easy to use so far!

However, it just occurred to me - what actually happens if none of the Tailscale infrastructure is accessible, for whatever reason? Will established nodes still be able to talk to each other, or does every connection require some communication with Tailscale servers for exchanging / verifying keys etc?

If our servers are down, already connected clients keep working. New clients just can’t log in. And if clients move around, those notifications to peers pause too. We’re planned on fixing that last part, though.

Great, so it sounds like there’s a fair amount of resilience already – at least for mostly stationary clients!

I’m trying to figure out what kind of safety net we’ll need for accessing an external services we’re setting up, where we don’t really have access to any kind of management console and will rely on SSH – or waiting for a support request to be completed so we can get back in.

But if connected clients are still OK, I think that’s an acceptable trade-off for us in this situation.

Right. The idea is tailscale will keep working (other than network reconfigurations like adding new nodes) if the control server is down. You also shouldn’t need to file any tickets because if there is any control server downtime, we’ll surely hear about it quickly and can repair it before you contact us.

Generally the control server is only down for a minute or two at a time during maintenance.

Of course, I fully trust that’s the intention! Sometimes things happen that are outside of our control though, like the AWS outage last month…

Indeed! And even if the server is up, sometimes your office gets cut off from the Internet and you still want things to work locally. Tailscale is designed to work under those conditions, although you can’t actually add or remove nodes until the control server connection comes back.