Features How it works For agents Pricing Join waitlist
BUILT ON WIREGUARD® ZERO-TRUST BY DEFAULT PER-AGENT IDENTITY SELF-HOSTABLE CONTROL PLANE AUDIT LOGS FOREVER NO DATA RETENTION BUILT ON WIREGUARD® ZERO-TRUST BY DEFAULT PER-AGENT IDENTITY SELF-HOSTABLE CONTROL PLANE AUDIT LOGS FOREVER NO DATA RETENTION
[001] · HERO DUCKTAILS.AI / 2026
Private beta · v0.1.0

Mesh networks built for the AI era.

Ducktails is a zero-config mesh VPN for humans and autonomous agents. Connect any device, server, or AI worker into one private network in under 60 seconds. The infrastructure Tailscale forgot to build.

Start 14-day trial Read the docs
$_ curl -fsSL ducktails.ai/install | sh
60s To connect
· Devices & agents
0KB Data we store
joey@macbook:~/ — ducktails
LIVE MESH / 6 NODES
macbook nas prod-1 agent_01
ZERO-CONFIG END-TO-END ENCRYPTED WORKS BEHIND ANY NAT ONE IDENTITY PER DEVICE PER-AGENT KILL SWITCHES AUDIT LOGS FOREVER SELF-HOSTABLE ZERO-CONFIG END-TO-END ENCRYPTED WORKS BEHIND ANY NAT ONE IDENTITY PER DEVICE PER-AGENT KILL SWITCHES AUDIT LOGS FOREVER SELF-HOSTABLE
02 The problem
The internet wasn't built for laptops and servers. It definitely wasn't built for thousands of autonomous agents spawning, working, and dying in your infrastructure.
— every SRE, 2026
  • ×
    VPN stacks were built for 1999. Static IPs. Manual configs. Ports you forgot you forwarded. Certificates that expire at 2am.
  • ×
    Tailscale treats agents as an afterthought. No per-agent identity. No audit trail of which worker touched what. No kill switch when a model goes rogue.
  • ×
    Corporate VPNs are slow and centralized. Every packet hairpins through Chicago. Your AWS-to-GCP agent request takes 600ms to go 4 feet.
  • ×
    Self-hosting is gated behind "Enterprise." Want to run your own control plane? That'll be a sales call and $40k/year, please.
03 Spec sheet

Built like infrastructure.

Every feature earns its place. No bloat, no "AI-enhanced" marketing slop. Just the networking primitives modern teams and agents actually need.

01Setup

60-second install

One curl command. Sign in with Google, GitHub, or SSO. Devices find each other automatically. Never edit a config file again.

02Security

End-to-end encrypted

Built on WireGuard®. Traffic never decrypts on our servers. We run zero logs. We literally can't read your data.

03Network

Any network, anywhere

Direct peer-to-peer when possible, relayed when not. NAT, corporate firewall, hotel wifi — your mesh stays up.

04Agents · Our wedge

First-class AI agent identity

Every autonomous worker gets its own network identity, ACL, and audit trail. Kill a rogue agent with one click. See every connection it made, every resource it touched, every second of its life on your network. This is what Tailscale doesn't give you.

$ ducktails agents list
agent_01 active scraping api.stripe.com
agent_02 active writing db-1.prod
agent_03 paused last seen 3m ago
agent_04 killed exceeded rate limit
05Control

ACLs in plain English

Stop writing YAML at midnight. Describe access rules the way you'd tell a teammate: "dev-team can SSH to staging servers, not prod." We compile it to secure policy automatically.

// acl.ducktails
allow dev-team ssh tag:staging
deny dev-team ssh tag:prod
allow agents http tag:api-internal
allow joey@ * *
06Trust

Self-hostable, day one

Don't trust us? Run our control plane on your own hardware. No "call sales." No enterprise gate. Open source clients.

07Platforms

Every platform, one identity

macOS, Windows, Linux, iOS, Android, Docker, Kubernetes sidecar. Your laptop, your phone, your prod cluster — all on the same tail.

08Observability

Audit logs, forever

Every connection. Every denial. Every ACL change. Exportable to Datadog, Splunk, S3. SOC 2 auditors love us. You will too.

09Developer

API for everything

REST, gRPC, CLI, Terraform provider. Provision mesh nodes programmatically. GitOps your entire network topology.

04 How it works

Three commands. One tail.

Your whole fleet — laptops, servers, containers, AI agents — reachable by name, encrypted end-to-end, in the time it takes to make coffee.

  1. Install your first device

    Run curl -fsSL ducktails.ai/install | sh. Sign in with your existing IdP — Google, GitHub, Microsoft, Okta. You're on the tail.

  2. Add the next one

    Same command, same login. The devices find each other through our coordination server and open a direct encrypted tunnel. No IPs to memorize.

  3. Just use them

    SSH to your home server from anywhere. Reach your prod DB from your phone. Let your AI agent hit a private API. ducktails ping nas-home — done.

  4. Scale to thousands

    Tag devices, write ACLs in plain English, provision agents via API. Your network grows from 3 nodes to 3,000 without adding complexity.

05 The wedge

AI agents don't belong on a human VPN.

In 2026 your infrastructure isn't just humans anymore. It's browsers, scrapers, autonomous workers, and LLM-driven agents spawning in milliseconds, hitting APIs, mutating databases, and dying. They need their own identity model. We built it.

// Per-agent identity

Every autonomous worker gets a unique network identity — not a shared service account. Revoke one without touching the others.

// Full audit trail

Which agent hit which endpoint at which time with which response code. Exportable, queryable, forever.

// Kill switches

Model hallucinating? Rate-limit blown? Cost runaway? One click disconnects an agent from your entire mesh. Instantly.

// Ephemeral by design

Spin up 500 agents for a job, tear them down after. No residual credentials, no stale ACL entries, no cleanup.

// Per-agent rate limits

Cap bandwidth, request volume, or destination scope per agent. Stop one rogue worker from nuking your AWS bill.

// LLM-native ACLs

Describe agent permissions in English. Our compiler turns "allow scraper to read, not write" into verified policy.

06 Pricing

No free tier. No sales calls. No bullshit.

Honest pricing you can read in 30 seconds. Every plan includes every feature. The price scales with your fleet, not your anxiety. Cancel anytime.

Starter
Solo builders, homelabs, and side projects
$8 /month
  • Up to 20 devices
  • 1 user account
  • Unlimited bandwidth
  • All platforms
  • Community support
  • 7-day free trial
Start trial
Team
Startups, dev teams, and AI operations
$12 /user/mo
  • Unlimited devices & agents
  • Per-agent identity & audit logs
  • SSO (Google, Okta, Microsoft)
  • Plain-English ACLs
  • Kill switches & rate limits
  • Priority email support
  • 14-day free trial
Start trial →
Enterprise
Regulated industries & large fleets
Custom
  • Everything in Team
  • Self-hosted control plane
  • SCIM provisioning
  • SOC 2 Type II reports
  • Audit logs, forever
  • Dedicated Slack channel
  • Custom contracts & invoicing
Contact sales
07 Join the beta

Get on the pond.

Private beta is rolling out now. Drop your email and we'll send you an invite this week. No spam, no marketing drip — just access.