
Tailscale is pretty useful

629 points - yesterday at 7:09 PM

Source
  • apitman

    yesterday at 9:51 PM

    Tailscale is one of my favorite companies. They're clearly on to something. Here's a great post by their CTO explaining a lot of the motivation and vision behind it: https://crawshaw.io/blog/remembering-the-lan

    IMO the main outstanding questions/concerns are:

    * Is the VPN model really the way to go? If someone gets their hands on one of your Tailscale nodes, they can access every service on your tailnet, which are likely running with reduced security since that's a huge part of the appeal. This is exactly the situation BeyondCorps/Zero Trust was created to avoid. Tunneling services[0] are more of a Zero Trust approach, but they can't match the seamlessness of Tailscale once a node is connected to the tailnet.

    * Can it expand into the layman market? I wonder if the average person will ever be willing to install a VPN app on all their devices. On the flipside, I could see TS partnering with someone like Google to integrate TS tightly with Android and set up a private network between all your Google-signed-in devices.

    * The relay system - DERP is nice, but it's primarily intended for signaling/fallback. It feels like CGNAT adoption is growing faster than IPv6 is, and I wouldn't be surprised if fewer and fewer p2p connections succeed over time[1]. DERP forces everything over a single TCP connection (HOL blocking), and I'm not sure it even has any flow control.

    * Use in web browsers - They got a demo of this working, but it's pretty involved. You have to compile the entire Tailscale Golang library to WebAssembly which is a large artifact, and it's DERP-exclusive.

    * Portability in general - Depending on WireGuard, as awesome as it is, is fairly limiting. You either need admin privileges to create the TUN device, or you need to run an entire TCP stack in userspace alongside your own WireGuard implementation. I'd be interested to see something like Tailscale implemented on top of WebTransport.

    [0]: https://github.com/anderspitman/awesome-tunneling

    [1]: https://tailscale.com/blog/how-nat-traversal-works

      • PLG88

        today at 9:03 AM

        Great insights, I think you will like OpenZiti, Anders, which is included in your list for both itself and zrok, which we built on top.

        Directly answering your concerns:

        - Deny by default and least privilege model means getting access to a node does not give you access to all services on the overlay. This includes SDKs so that only embedded apps are authorised, the apps have no listening ports on underlay and are literally unattackable via conventional IP-based tooling, all conventional network threats are immediately useless.

        - Its open source nature means it's being adopted by companies to create more powerful ecosystems.

        - The overlay, while looking similar to DERP, uses individual service encryption and routing with flow control and smart routing (I know people who get much much better performance as a result).

        - Our SDK includes a 'clientless' endpoint for the browser called BrowZer - https://blog.openziti.io/introducing-openziti-browzer. All users need to do is log into their IdP and everything else is done automatically, without involvement from the user.

        - We don't build on Wireguard, which provides much more flexibility.

        • thewebguyd

          yesterday at 10:17 PM

          > * Is the VPN model really the way to go? If someone gets their hands on one of your Tailscale nodes, they can access every service on your tailnet, which are likely running with reduced security since that's a huge part of the appeal. This is exactly the situation BeyondCorps/Zero Trust was created to avoid. Tunneling services[0] are more of a Zero Trust approach, but they can't match the seamlessness of Tailscale once a node is connected to the tailnet.

          At the very least there's ACLs so you can tag devices and restrict access down to specific ports and protocols based on either user identity or device tag.

          At my org we use tailscale much like a VPN, to give users access to a few internal web apps, and with ACLs those users can only hit the webserver on 443 and nothing else to that node. This way the web server itself has no ports exposed on the host, ufw deny all incoming.

          I can't answer if the VPN model is really the way to go, long term - probably not, but for our use case Tailscale has been absolutely perfect, and we accepted the tradeoffs were worth it over a more "complete" zero-trust approach, and the complexities that come along with it.

          What Tailscale doesn't solve is access to the data that web app serves if the user's machine is compromised, as tailscale is just determining "can the user hit the webserver on port 443?" and does nothing to evaluate the state of the user's host.

          I guess that's all to say, I/we don't see Tailscale as a zero-trust solution, but more or less a more convenient VPN with easier to use ACLs. Cloudflare Tunnel and the likes are much better suited to implementing a zero trust approach.

          I think there's still value though. A zero trust approach is the correct way for most organizations, but there's still a big niche for Tailscale especially for small-medium orgs and self-hosters/homelabbers.

            • wkat4242

              yesterday at 10:31 PM

              Tailscale is not just more convenient but also more efficient if your VPN meshes a lot (not all traffic going to the same place), because nodes can establish connections directly. A traditional VPN can't do that.

              This is the main reason I use a mesh VPN (though not Tailscale).

                • guerby

                  today at 4:33 AM

                  Out of curiosity which one and why?

              • frenchtoast8

                yesterday at 11:39 PM

                > What Tailscale doesn't solve is access to the data that web app serves if the user's machine is compromised, as tailscale is just determining "can the user hit the webserver on port 443?" and does nothing to evaluate the state of the user's host.

                Tailscale has some cybersecurity integrations to configure access depending on the device posture. For example, blocking access to a webserver if the device is out of date, or if malware is detected, or if the firewall is disabled, etc. But I don't use any of those integrations and can't speak to them.

                  • cjcampbell

                    today at 2:27 AM

                    The posture implementation is quite easy to work with. There’s a growing list of integrations, and you can also roll your own with the posture API. I’ve used Kolide so far and will be integrating with Kandji on another tailnet. They also have Intune, JAMF, Crowdstrike, and SentinelOne.

                    The same posture API can be used to restrict access to devices in your inventory or to set up just-in-time access to a sensitive asset. For the latter, you can use a Slack app provided by Tailscale or integrate with an identity governance workflow to set a posture attribute with a limited TTL. Your tailscale policy just needs to condition the relevant access on the attribute.

                    • jychang

                      yesterday at 11:56 PM

                      I don't think most users use those integrations, they're mostly just a feature bullet point.

                        • ehutch79

                          today at 12:39 AM

                          So those features are unusable?

                            • joneskoo

                              today at 4:51 AM

                              Most users (tailnets) are not an enterprise. Most users not using a feature doesn’t mean it’s not useful or valuable.

              • jdolak

                yesterday at 10:09 PM

                On your first point, I've been using Tailscale for a bit and its ACL feature addresses most of my concerns there. My laptop can SSH into any of my servers but not the other way around, and my servers can't talk to each other unless I set them to.
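A policy file that expresses the setups thewebguyd and jdolak describe (staff can reach the web app on 443 and nothing else on that node; admin laptops can SSH to servers, but servers get no rule back to laptops or to each other) together with the posture-gated just-in-time access cjcampbell mentions, written here as an added example in Tailscale's HuJSON policy format. It is not from any commenter in the thread. The user e-mails, the `group:staff` group, the tag names and the `custom:jitAccess` posture attribute are assumed for illustration; the `tests` section is Tailscale's own static check that is evaluated whenever the policy is saved.

```jsonc
{
  // Servers are tagged rather than tied to a user; only admins may apply these tags.
  // Every server carries tag:server; the web host additionally carries tag:webserver.
  "tagOwners": {
    "tag:server":    ["autogroup:admin"],
    "tag:webserver": ["autogroup:admin"],
  },

  // Assumed group of ordinary users (hypothetical addresses).
  "groups": {
    "group:staff": ["alice@example.com", "bob@example.com"],
  },

  // Assumed custom posture attribute, set with a limited TTL through the posture
  // API or a Slack/identity-governance workflow; expires on its own afterwards.
  "postures": {
    "posture:jit": ["custom:jitAccess == true"],
  },

  // Tailscale is deny-by-default: any pair/port with no matching "accept" is dropped.
  "acls": [
    // Staff may hit the web app on 443 only; 22 or any other port on that node is denied.
    {"action": "accept", "src": ["group:staff"], "dst": ["tag:webserver:443"]},

    // Admin laptops may SSH to every server. There is deliberately no rule with
    // tag:server as src, so servers cannot reach laptops or each other.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:server:22"]},

    // Sensitive asset (assumed: a database on 5432) reachable only while the
    // source device currently satisfies the JIT posture.
    {
      "action": "accept",
      "src": ["group:staff"],
      "srcPosture": ["posture:jit"],
      "dst": ["tag:server:5432"],
    },
  ],

  // Assertions Tailscale checks on save; a policy that violates them is rejected.
  "tests": [
    {
      "src": "alice@example.com",
      "accept": ["tag:webserver:443"],
      "deny": ["tag:webserver:22", "tag:server:22", "tag:server:5432"],
    },
    // Servers originate nothing toward each other or the web host.
    {"src": "tag:server", "deny": ["tag:server:22", "tag:webserver:443"]},
  ],
}
```

The `tests` entries are the part worth keeping current: they turn the intent ("servers never talk to each other", "users only see 443") into checks that fail the save if a later edit loosens the rules. The policy restricts which tailnet peers may open which ports; as thewebguyd notes, the host firewall still has to deny everything that does not arrive over the tailnet interface, and the policy says nothing about the state of the connecting machine unless a posture condition is attached.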

                  • stampedbox

                    today at 9:25 AM

                    Looking for this setup - please share if you could.

                    • notsylver

                      yesterday at 11:14 PM

                      Could you share your ACL setup? I haven't had time to look at it much but this sounds like exactly what I want to do.

                  • derefr

                    today at 2:23 AM

                    > If someone gets their hands on one of your Tailscale nodes, they can access every service on your tailnet, which are likely running with reduced security since that's a huge part of the appeal. This is exactly the situation BeyondCorps/Zero Trust was created to avoid.

                    In addition to the ACLs mentioned by the sibling, a tailnet is not quite a plain-old VPN overlay network, in that each device on a tailnet gets assigned a predictable, durable LAN IP address based on the credentials that device is logged into Tailscale with.

                    Which means that, for at least the "personal" devices (laptops, phones, tablets), you can configure your servers on a tailnet to do something that's less finicky than full-on credential-based auth, but still more secure in practice than no auth: namely, host-based authentication — which should be a reasonable 1:1 proxy for user authentication (assuming the constraints from the previous paragraph.)

                    To put that in concrete terms: on a tailnet, a user's SSH credential for a given server can simply be the fact that the user is able to originate the connection from the expected LAN IP address of the user's workstation. Except that instead of that LAN + the user's workstation living in a physical building, they're both virtual, and the user's physical workstation (of the moment) must provide credentials to bind to the tailnet IP that allows it to present itself as the virtual workstation.

                    • epscylonb

                      yesterday at 10:27 PM

                      Agree that they are on to something. I gave a tech talk about them a while ago at work and said that I think they are on the cusp of providing a consumer VPN product that appeals to mainstream consumers. The Apple of VPNs, everything "just works" and is easy to understand.

                        • hattmall

                          yesterday at 10:56 PM

                          Do mainstream consumers really need a VPN?

                            • parasubvert

                              yesterday at 11:10 PM

                              Tailscale isn’t really a VPN, it’s an OSI layer 5 for the TCP/IP world. It makes connectivity as easy as 90s LAN parties were.

                              I use Tailscale:

                              - so I can do remote tech support on my 81 year old mother’s computer

                              - so I can remote in to my desktop from anywhere with my mobile phone or iPad or Vision Pro or Steam Deck if I need a file or need to print something

                              - for watching streaming media from my home network when I’m travelling (and avoiding VPN blocks because my home computer isn’t on a known VPN network)

                              And the best part is none of this required almost any configuration beyond (a) installing the software, (b) checking the “allow exit node” box on my home computer, (c) sharing my mom’s computer onto my tailnet.

                              It really is just useful with minimal fuss.

                                • mr_mitm

                                  today at 6:59 AM

                                  I get all that, but why do you say it's not a VPN and then go on to describe it as a VPN at length? Of course it's a VPN.

                                  Is it because a lot of people are just using a VPN as a proxy replacement, watering down the original meaning of the word?

                                    • eddythompson80

                                      today at 7:46 AM

                                      > Is it because a lot of people are just using a VPN as a proxy replacement, watering down the original meaning of the word?

                                      Yes. The question was about a “mainstream consumer”. While “mainstream” is always a moving target, today (in March 2025) that mainstream consumer believes that a VPN == NordVPN == ExpressVPN == what we call/know as a proxy.

                                      NordVPN added some mesh features and you can CTRL-F this thread to find a confused person asking “how is tailscale different than Nord?”

                                  • epscylonb

                                    yesterday at 11:47 PM

                                    The Magic DNS feature is super cool as well. I'm not sure exactly what the mainstream killer app would be. But I feel like Tailscale is poised to execute if/when it arises.

                                    Perhaps the AI age makes everyone more data privacy conscious.

                                    I've also long thought that eventually every household will have a mini server for home automation and storing personal information. The rise of the cloud kinda slowed this down, but I don't think cloud and home server are mutually exclusive.

                                      • dharmab

                                        today at 4:19 AM

                                        > I'm not sure exactly what the mainstream killer app would be.

                                        Maybe a NAS that comes with Jellyfin and Immich pre-installed? But that still leaves the problem of content...

                                    • leoqa

                                      today at 2:20 AM

                                      I hosted an Arma 3 server via Tailscale with a bunch of non technical folks running the daemon using magic links b

                                        • dharmab

                                          today at 3:13 AM

                                          I used to host an Arma 3 server using Kubernetes; I had a scalable set of headless clients to distribute the AI load. My friends said it was the smoothest server they ever played on despite using hundreds of AI groups. With Tailscale I wouldn't have needed host networking enabled on the Pods, come to think of it.

                                            • EQYV

                                              today at 8:01 AM

                                              What do you mean by AI groups in this case?

                                  • devilbunny

                                    yesterday at 11:50 PM

                                    Yes, although many won't realize it.

                                    I use VPN (usually Tailscale, though I have the Proton subscription package that includes their VPN - mainly useful if for some reason my home internet is slow or out, otherwise I would just TS it) on all public WiFi. My work's remote access blocks logins from outside the US, so if I'm out of the country, my wife and I both need VPN to be able to log in.

                                    Interestingly, while my work's network blocks Tailscale's initial authentication, it doesn't actually block the traffic. I can authenticate my iPad via cell phone tethering or just before I leave the house and it will work when I connect to their network. It's a personal device without any access to their internal network, and I'm using the guest network, so I'm not compromising security to actual work devices. But when I'm stuck up there and I want to stream a movie from my NAS at home, I can.

                                    • dharmab

                                      yesterday at 11:58 PM

                                      I had some of my family install Tailscale to access my tailnet. They can watch movies from my collection more easily than using Netflix, and we can share files through the client with a single click. I have other friends using it to play old-school dedicated server games without having to deal with CGNAT/hairpin NAT problems.

                                      • enos_feedler

                                        today at 3:09 AM

                                        Maybe if there was a mainstream reason to connect home machines with their phones. Personal backup, game streaming, etc. I'm not in this camp of believing it, but maybe!

                                          • dharmab

                                            today at 4:17 AM

                                            I do this - I self host my movies/TV, ebooks, comics, photos, etc. and use Tailscale to access it from anywhere. It's not really great for "mainstream" but for "tech enthusiast" it's very useful. Basically anyone who would consider buying a NAS (most consumer NAS devices can also run Docker containers these days).

                                • reubenmorais

                                  yesterday at 11:42 PM

                                  > * Can it expand into the layman market?

                                  Maybe it's more enthusiast than layman, and I guess it's also not much of a market, but in the video arrrchival space it's pretty widespread, with people running e.g. Jellyfin behind Tailscale.

                                  • Andrew_nenakhov

                                    today at 5:34 AM

                                    > I wonder if the average person will ever be willing to install a VPN app on all their devices.

                                    Of course the average person will be willing to install a VPN app: all it takes is a bit of internet censorship, blocking access to their favourite services, and some geofencing, where services limit access to them based on IP address.

                                    Just ask people from China, Russia, Ukraine, Turkey, UK, Germany, etc.

                                      • hn_throwaway_99

                                        today at 5:47 AM

                                        But what you're referring to as a "VPN app" is something very different than what the parent poster is referring to with respect to what Tailscale is.

                                        When you use services like NordVPN, Mullvad, Surfshark, etc., you're just installing a VPN client, and you're basically just using them as a reverse proxy to hide your IP address (present it as coming from another country). That is the use case you are talking about.

                                        Tailscale is very different. It is about setting up your own VPN so that you can access devices from your home or wherever from the Internet at large in a secure manner.

                                          • Dylan16807

                                            today at 9:28 AM

                                            > But what you're referring to as a "VPN app" is something very different than what the parent poster is referring to with respect to what Tailscale is.

                                            Does that matter? It still shows willingness to install.

                                            • JFingleton

                                              today at 8:17 AM

                                              Indeed. VPNs were originally created to allow secure remote connections to and between LANs. The whole privacy thing is a by-product, and they're not that great at it.

                                              Tor exists and is far better at providing privacy.

                                      • gz5

                                        today at 12:20 AM

                                        I think you nailed it. TS is great but is in a middle ground niche with more targeted alternatives squeezing it from both sides:

                                        1. If you actually need strong security, you are likely to go with open source zero trust or their commercial versions.

                                        2. If you don't need strong security, you will often view VPN as an insurance policy (TS simplifies but is still more difficult than 'do nothing').

                                        So you end up with a relatively narrow band of 'use cases' like NAT traversal; semi-privacy; access to private IP hosted services. Enough to sustain a venture funded company?

                                        • spr-alex

                                          today at 3:20 AM

                                          We've got a Tailscale integration that takes care of the security concerns. Set policy to decide what can talk out to the Tailscale node and what the Tailscale gateway is granted access to. This is especially important when you can't run a Tailscale client on the devices you want to connect.

                                          https://github.com/spr-networks/spr-tailscale

                                          • wkat4242

                                            yesterday at 10:29 PM

                                            BeyondCorp was mainly created to advocate cloud services and to minimise the (legit) worry of CIOs about seeing all their data in services connected to the entire internet.

                                            I still think VPN has a good use case. It's a great extra layer of defense and also a nice way to disclose access to devices at different locations.

                                            I don't use tailscale as it's too commercial for me but I use another VPN mesh service. Of course you still need to secure your endpoints properly.

                                          • godelski

                                            today at 1:47 AM

                                              > set up a private network between all your ~~Google-signed-in~~ devices.

                                            I've been doing something like this as a fun side project. Idea is to get everything to pass through piholes and have both clear and VPN exit nodes. So then I can send some pis to people and we can create an internal network to share things like files, movies, streaming services, whatever. It also can increase security, especially making it easier for people like my parents when I need to fix their computers and I can just block malware for them, to some degree at least. It's also been very useful debugging stuff in my home network while I'm out somewhere else. And I can access any of my anywhere. I'm out traveling? Still got all my movies and stuff.

                                            One big issue is Apple, who doesn't seem to respect DNS and VPNs, especially local network access... The other aspect is that it makes some SSH automation annoying because they will change things, such as getting the name of the current SSID (wtf?!). So I can't just make a conditional in my config to go through TS instead of the local network based on that.

                                            • LeoPanthera

                                              today at 2:22 AM

                                              > install a VPN app on all their devices

                                              I run it on my router, providing access to the entire subnet, so it doesn't have to be all your devices.

                                              • VikingCoder

                                                today at 2:10 AM

                                                I personally feel like paid DERP is unfortunately the way of the future.

                                            • iamdamian

                                              yesterday at 8:06 PM

                                              I'm curious to hear well-informed reasons from this crowd for why we can trust Tailscale given the non-self-hosted part of the architecture? Does it come down to Tailnet locks [1], not worrying that Tailscale will be compromised, not worrying that your home network is worth compromising, or something else?

                                              [1]: https://tailscale.com/kb/1226/tailnet-lock

                                                • stego-tech

                                                  yesterday at 8:14 PM

                                                  Call me Cappy Paranoid, but I fall into the camp of "You should never trust a service provider, ever," and build infrastructure accordingly; I believe this falls into an extreme interpretation of "zero trust".

                                                  So while also implementing Tailnet locks and other security measures to constrict traffic flow, I'd also consider going a step further by only permitting server or resource access based on client certificate validation (in other words, a client that's missing a trusted certificate is rejected from even attempting to initiate AuthN); that way even if your Tailscale network is compromised somehow, untrusted clients and endpoints can't make inroads into your infrastructure as easily.

                                                  Is that a gigantic PITA to implement? Oh heck, you betcha it is, and I doubt 99% of folks need to go that far with their homelabs or home services. Still, that'd be my approach to zero trust - trusting Tailscale only so far as enabling virtual networking, but not blindly trusting traffic coming over that network at any point.

                                                    • PLG88

                                                      today at 9:09 AM

                                                      Particularly as it does not include its own PKI, so E2EE is done by MITM of your IdP (OIDC/SAML etc.) and therefore, under court order, Tailscale can decrypt your traffic.

                                                      We took the opposite approach with NetFoundry. (1) We open sourced the code (https://openziti.io/), (2) we built in PKI with private keys generated at source and destination so that even if traversing NF hosted data plane, we CANNOT decrypt traffic, (3) mTLS everywhere, (4) ability to bring your own PKI, and more.

                                                      • codetrotter

                                                        yesterday at 9:09 PM

                                                        > Is that a gigantic PITA to implement? Oh heck, you betcha it is

                                                        I use my own self-hosted Wireguard VPN server. I agree with a lot of what you were saying about client certificates etc. And I plan to eventually do that sort of thing on some of my services in my own Wireguard VPN too.

                                                        But in terms of Tailscale, if you are going to set up all kinds of client certificate things that will take a lot of time and effort, why not self-host Wireguard also?

                                                        Setting up a Wireguard server is super simple. The only couple of things that complicate it a tiny bit are opening up a port for inbound connections if you host it from your home connection rather than a rented server, and managing the Wireguard public keys that are allowed to connect.

                                                        But if you are going to do a whole client certificate setup on top anyway, the work of setting up your own Wireguard VPN is small in comparison.

                                                        Unless like OP your ISP has put CGNAT on you.

                                                          • stego-tech

                                                            yesterday at 9:55 PM

                                                            > But in terms of Tailscale, if you are going to set up all kinds of client certificate things that will take a lot of time and effort, why not self-host Wireguard also?

                                                            Already do! I tried Tailscale initially, but ultimately decided to put in the effort of a proper Wireguard setup. It's how my personal devices always get back to my home LAN, and then exit to the internet; it's also how I make sure every DNS lookup hits the Pi-Hole, for domain blocking wherever I am.

                                                            I emphatically recommend learning WireGuard (and to a lesser degree, VPN Concentration) when practical and possible. Until then, Tailscale is an excellent product.

                                                            • selfhoster

                                                              today at 1:23 AM

                                                              > Unless like OP your ISP has put CGNAT on you.

                                                              I run Wireguard on a VPS and route public traffic with it over Wireguard to my home machine.

                                                              Are you saying my ISP must not be CGNAT or else it wouldn't work?

                                                                • codetrotter

                                                                  today at 2:53 AM

                                                                  No. I was talking specifically about the case where you want to host the Wireguard VPN server at home.

                                                                  See earlier in the comment where I said:

                                                                  > opening up a port for it for inbound connections if you host it from your home connection rather than a rented server

                                                                  Although I can see how it might not be clear that in the end where I’m mentioning CGNAT I am still specifically talking about hosting the VPN server from your home connection.

                                                                  • aborsy

                                                                    today at 2:07 AM

                                                                    How is this a good solution, when traffic is decrypted in the cloud, all traffic goes through one node, there is no ACL, key distribution, static IP, …?

                                                                    Tailscale addressed those issues.

                                                            • HumanOstrich

                                                              today at 12:01 AM

                                                              > Call me Cappy Paranoid, but I fall into the camp of "You should never trust a service provider, ever," and build infrastructure accordingly; I believe this falls into an extreme interpretation of "zero trust".

                                                              That's not what Zero Trust means, at all.

                                                                • stego-tech

                                                                  today at 5:35 AM

                                                                  …which is why I qualified it with the phrase, “extreme interpretation of”, and made sure to encapsulate “Zero trust” in quotes to make it clear I wasn’t being technically literal in my description. Grammar and punctuation matter when you’re deliberately misusing a known term as a metaphor to make a point.

                                                                  That being said, the core concept of ZTA is that no user or device should be trusted by default. So yes, my statement is still generally correct even if it’s not how the term is often or commonly used.

                                                              • tjoff

                                                                yesterday at 8:54 PM

                                                                Then why go with tailscale in the first place?

                                                                There is slacks nebula and other options that are completely self-hosted from the start.

                                                                Feels like such a weird hype around tailscale.

                                                                  • stego-tech

                                                                    yesterday at 9:07 PM

                                                                    I feel like a lot of hype around Tailscale is because it vastly simplifies VPNs and their associated networking, especially for businesses, startups, or homelabs where the focus might be elsewhere or specific talent is unavailable. The problem arises when folks don't quite understand why specific decisions are being made, or use the product in nonstandard (or even negative) ways. I've seen stories of folks deploying Tailscale on every machine in their LAN, thinking that secures their traffic; using it to cross boundaries in the firewall or router between secure and insecure VLANs; and using it to connect to servers in lieu of a proper router or firewall with appropriate ACLs.

                                                                    Tailscale is an excellent piece of software, provided it's implemented in a way to emphasize security, and not weaken it. In OPs case, being used as an accessibility aide to a system that couldn't be secured any other way while preserving external access (in their case due to CGNAT) was an excellent use of Tailscale.

                                                                      • haswell

                                                                        yesterday at 9:33 PM

                                                                        Yeah, I mentally sum this up as the "Just Works" factor. As a happy Tailscale user, it's easy to see why it's so popular.

                                                                        I do think this simplicity is exactly what contributes to those weird and non-standard configurations.

                                                                          • stego-tech

                                                                            yesterday at 9:42 PM

                                                                            > I do think this simplicity is exactly what contributes to those weird and non-standard configurations.

                                                                            This is why I am confident I will always have employment in IT. As I make things simpler for others to use, they in turn will find new and innovative ways of making my eyes bleed from cursed workflows that once again require professional intervention for simplicity, efficiency, and security.

                                                                        • tjoff

                                                                          today at 6:33 AM

                                                                          But you demonstrably did not make it easy or simple.

                                                                          Of course there are tons of alternatives even if you are behind CGNAT. Nebula is but one.

                                                                          • xienze

                                                                            yesterday at 9:37 PM

                                                                            > I feel like a lot of hype around Tailscale is because it vastly simplifies VPNs and their associated networking

                                                                            Tailscale is based on WireGuard, isn’t it? Now there’s a piece of software that truly made VPNs simple. I have a tunnel back into my LAN by way of an EC2 instance and all it took was two super simple config files on each machine.

                                                                              • nine_k

                                                                                today at 2:48 AM

                                                                                Wireguard vastly simplifies the transport level, and attains high performance because it runs in the kernel.

                                                                                Tailscale simplifies: authentication (including OIDC), authorization (via ACLs), DNS, NAT piercing. All of that is not obvious or easy for someone without deeper expertise.

                                                                        • xarope

                                                                          today at 2:45 AM

                                                                          I self host tailscale with headscale [0].

                                                                          [0]: https://github.com/juanfont/headscale

                                                                          • kajecounterhack

                                                                            yesterday at 9:37 PM

                                                                            They have nice clients (e.g. for macOS, Tizen). Ofc headscale is a thing, but if you have a company, it's also nice to have someone to yell at if your mission-critical tailnet suddenly b0rks.

                                                                            Imo they don't charge all that much relative to their value, depending on who you're asking.

                                                                            • throwawaymaths

                                                                              yesterday at 9:16 PM

                                                                              have you ever managed a tailnet? it's so easy.

                                                                          • HPsquared

                                                                            yesterday at 9:00 PM

                                                                            If you can't trust service providers, you probably also can't trust software suppliers.

                                                                              • kortilla

                                                                                yesterday at 11:07 PM

                                                                                Not the same. In particular you don’t need to accept software updates from software suppliers and you can also require source code or use open source.

                                                                                This stuff was obvious and standard in the 80s-2000s. It’s only in the last 15-20 years that it became acceptable to get updates shoved down your throat.

                                                                                Service providers can cut off your access any day.

                                                                                Software providers cannot unless you’ve given them a live update channel direct to your env.

                                                                                • stego-tech

                                                                                  yesterday at 9:57 PM

                                                                                  I mean, yes? It's why Zero Trust is growing as an operations model. Supply chain attacks, vendor hostility, zero days being hoarded by nations and bad actors for exploit, the list goes on.

                                                                                  You emphatically cannot trust vendors, suppliers, users, software, systems, or governments. Ergo, your infrastructure should be built with an appropriate risk assessment in mind, and have proper safeguards in place where feasible. That's just good OpSec.


                                                                                  • drdaeman

                                                                                    today at 4:59 AM

                                                                                    Definitely not true. You can audit software (it could be not easy, but ultimately doable) and skip the updates until you have capacity to audit those. You can't audit a third-party service, no matter what you do.

                                                                                • hamandcheese

                                                                                  today at 12:18 AM

                                                                                  > I'd also consider going a step further by only permitting server or resource access based on client certificate validation

                                                                                  This is where I'm the most curious on what Tailscale will do next. So far all their products seem to contrast at the IP level, but for enterprise use cases there's a real need for application level protections as well. Cloudflare Access is a great example of what I mean.

                                                                                  • oDot

                                                                                    yesterday at 8:39 PM

                                                                                    Yes. The best way to avoid trouble is build redundancies to it, rather than refine the troublesome part to no end

                                                                                    • xmichael909

                                                                                      yesterday at 9:48 PM

                                                                                      Why wouldn't you just not use Tailscale? What you are describing here is, ....

                                                                                  • some-guy

                                                                                    yesterday at 8:26 PM

                                                                                    I use Tailscale a lot. I don't fully trust anybody but I trust them more than I trust myself to set it up properly.

                                                                                    • sgc

                                                                                      yesterday at 8:13 PM

                                                                                      Use headscale: https://headscale.net/stable/

                                                                                        • haswell

                                                                                          yesterday at 8:30 PM

                                                                                          What are the primary downsides of self-hosting this? The top issues that come to mind:

                                                                                          1. Maintaining high availability

                                                                                          2. Dealing with patches/upgrades

                                                                                          But I'm also really curious how likely a self-hosted instance is to be an attack vector potentially more dangerous than using something like Tailscale.

                                                                                            • eddieroger

                                                                                              yesterday at 9:40 PM

                                                                                              > 1. Maintaining high availability

                                                                                              In my experience as a poor sysadmin (as in, bad), you don't /need/ HA for Headscale because the clients are pretty resilient. I've had my instance go down for a little bit and it's fine. Stale and new connections aren't, obviously, but it will work well enough that you won't realize Headscale itself has gone down until a while after it did.

                                                                                                • PLG88

                                                                                                  today at 9:11 AM

                                                                                                  Probably fine for a home lab, I don't think it's fine for a production organisation running critical services across the overlay.

                                                                                              • huslage

                                                                                                yesterday at 8:40 PM

                                                                                                You own your attack surface at that point. Tailscale/Headscale is a matchmaker and key broker for the most part, the clients almost always (barring NAT issues) connect directly to one another. The normal security considerations apply as with running any service.

                                                                                        • mbesto

                                                                                          yesterday at 9:35 PM

                                                                                          The data sent from one node to another doesn't pass through TS's infra.

                                                                                          I basically just see Tailscale as an auth paradigm for managing wireguard keys.

                                                                                            • sureglymop

                                                                                              yesterday at 11:15 PM

                                                                                              I don't really understand this though.. The key exchange is perhaps the most important aspect.

                                                                                              Just hypothetically, what if an intelligence service records your encrypted traffic and also happened to get AWS to mitm your communication with the tailscale key distribution server?

                                                                                              Doesn't really matter if most of your traffic doesn't use their infrastructure if the most important parts of it do.

                                                                                                • showerst

                                                                                                  yesterday at 11:57 PM

                                                                                                  If your threat model includes intelligence services and mitming AWS you should not be using tailscale, and you would hopefully already know that.

                                                                                                  • mbesto

                                                                                                    today at 3:22 AM

                                                                                                    > Using Tailscale introduces a dependency on Tailscale’s security. Using WireGuard directly does not. It is important to note that a device’s private key never leaves the device and thus Tailscale cannot decrypt network traffic. Our client code is open source, so you can confirm that yourself.

                                                                                                    https://tailscale.com/compare/wireguard

                                                                                                    My understanding is that (in theory) the only way this is possible is if the attacker introduces a new node and then connects to other nodes that are in the tailnet. What you're suggesting is that a single node that is connected to the other nodes gets compromised, but this isn't possible without already being able to compromise that specific node. Alternatively, if someone hacks Tailscale itself, the only way they could get access to any nodes would be to add their own node, but if you have alerting set up you would know and you could shut down the attacker.

                                                                                            • idatum

                                                                                              yesterday at 11:05 PM

                                                                                              I still find SSH adequate for connecting to a home server remotely. I don't have the terrible CGNAT problem but I also don't do any port forwarding on my home router.

                                                                                              Instead, I have a VM running on a cloud provider that I SSH to from an OpenBSD box inside my home network. The SSH connection establishes a reverse SSH tunnel. This opens a port on the cloud VM to tunnel to my OpenBSD sshd port.

                                                                                              With the reverse proxy to my home OpenBSD box established, I can use the SSH jump box option, -J. I connect to the cloud VM and "jump" through the tunnel to the OpenBSD box at home. You can even specify multiple jumps if I need to connect to another machine in my home.

                                                                                              I can also set up a local tunnel through that jump for things like connecting to my Home Assistant server from my remote laptop or phone.

                                                                                              I only have to trust my cloud provider.
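The reverse-tunnel, jump-host and local-forward setup described in this comment, written out as an added example (not the commenter's own configuration). Host names, user names and ports are placeholders; the sshd_config check at the end is an added defender-side sanity check, not something the comment mentions.

```shell
#!/bin/sh
# Added example: reverse SSH tunnel from a home box to a cloud VM, then
# ProxyJump (-J) from a laptop through the VM into the home box.
# Every name and port below is a constructed placeholder.

VPS_HOST="vps.example.net"      # cloud VM with a public address
VPS_USER="tunnel"               # unprivileged account on the VPS
HOME_USER="me"                  # account on the home OpenBSD box
TUNNEL_PORT="2222"              # port the tunnel opens on the VPS loopback

# Command run from the home box. -R binds 127.0.0.1:2222 on the VPS and
# forwards it to the local sshd. The explicit 127.0.0.1 keeps the forwarded
# port off the VPS's public interfaces unless sshd sets GatewayPorts yes.
# -N: no remote shell. ExitOnForwardFailure: exit instead of hanging if the
# port is already taken. ServerAlive*: notice a dead link (e.g. an address
# change) and exit so a supervisor can rebuild the tunnel.
reverse_tunnel_cmd() {
  printf '%s\n' "ssh -N -R 127.0.0.1:${TUNNEL_PORT}:localhost:22 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 ${VPS_USER}@${VPS_HOST}"
}

# ~/.ssh/config fragment for the remote laptop. With ProxyJump, HostName is
# resolved on the jump host, so "localhost" here is the VPS's own loopback.
# HostKeyAlias pins the home box's key under its own name so it cannot be
# confused with the laptop's localhost, and the VPS cannot quietly swap in
# its own sshd: we only trust the VPS to carry bytes, not to be an endpoint.
laptop_ssh_config() {
  cat <<EOF
Host vps
    HostName ${VPS_HOST}
    User ${VPS_USER}

# ssh home  ==  ssh -J ${VPS_USER}@${VPS_HOST} -p ${TUNNEL_PORT} ${HOME_USER}@localhost
Host home
    HostName localhost
    Port ${TUNNEL_PORT}
    User ${HOME_USER}
    ProxyJump vps
    HostKeyAlias home-openbsd
    StrictHostKeyChecking yes

# Second hop inside the home LAN: ssh resolves ProxyJump recursively,
# so "ProxyJump home" already goes via vps.
Host nas
    HostName nas.lan
    User ${HOME_USER}
    ProxyJump home

# Local forward for Home Assistant: browse http://localhost:8123 on the laptop.
Host ha
    HostName localhost
    Port ${TUNNEL_PORT}
    User ${HOME_USER}
    ProxyJump vps
    HostKeyAlias home-openbsd
    LocalForward 8123 homeassistant.lan:8123
EOF
}

# Defender check to run on the VPS: returns 0 if sshd keeps remote forwards on
# loopback (GatewayPorts no, the default), 1 if a remote forward could be
# bound to a public interface. sshd uses the first value it reads.
remote_forwards_stay_local() {
  cfg="${1:-/etc/ssh/sshd_config}"
  val=$(grep -iE '^[[:space:]]*GatewayPorts[[:space:]]' "$cfg" 2>/dev/null | head -n1 | awk '{print tolower($2)}')
  case "${val:-no}" in
    no) return 0 ;;
    *)  return 1 ;;   # "yes" or "clientspecified": exposure is possible
  esac
}
```

A process supervisor (or a cron job that re-runs `reverse_tunnel_cmd` when it exits) keeps the tunnel up across link drops.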

                                                                                                • sfink

                                                                                                  today at 2:54 AM

                                                                                                  If I'm understanding correctly, this will break whenever the IP address of your tunnel changes. You'll have to reestablish all of your connections.

                                                                                                  My use case for tailscale: have an SSH (or other) connection to my home server while working from home. Drive to a coffee shop, register on their network, and continue using the same connection. (Or hotspot, if I'm somewhere without Wifi.)

                                                                                                  The IP address of my server does not change. When at home, the packets do not leave my home network. When out and about, they do.

                                                                                                  It's magic to me. I set up a sophisticated (read: overkill) SSH tunneling setup previously, using Match rules in .ssh/config to autodetect the network I was on so that `ssh myserver` would always go via the correct route. But my connections were still interrupted when I switched, and I'm not good enough at networking to do any better.

                                                                                                  (I guess this is what Wireguard is for? I could access my server via a fixed IP address on my machine that goes to a tun device, and that would send the packets to the actual server if nearby otherwise hand off to the carrier pigeons? Is that what the tailnet is doing? I don't understand how packets get intercepted by tailscaled, though I do see a tailscale0 device. Is that just a vanity license plate version of tun0? Why does `ip route show` give me only routes through my actual devices, then? Never mind, this isn't a helpdesk. I'm just getting old and stupid, I think.)

                                                                                              • harrall

                                                                                                yesterday at 10:53 PM

                                                                                                For me, Tailscale is worth the trouble of not maintaining my own Wireguard setup.

                                                                                                Everything on my home network is set up as if it were public-facing.

                                                                                                  • felbane

                                                                                                    today at 1:43 AM

                                                                                                    This baffles me. What's to maintain? I've been running wireguard for years and never had to do anything except scan a QR code when I get a new phone.

                                                                                                    By "as if it were public facing" I assume you mean locked down as much as possible using either router or host-based firewall rules?

                                                                                                      • harrall

                                                                                                        today at 4:09 AM

                                                                                                        By locked down I mean everything requires authentication (and authorization), everything is containerized, and I have fairly strict firewall defaults.

                                                                                                        Let me explain what I mean by low maintenance...

                                                                                                        I was a very early containerization adopter and set up a company and also my home network using Docker around 10 years ago. I chose Docker because I thought it was reasonably polished and was the future of deployment. Even though the landscape keeps moving with changes in Kubernetes, Helm, Rancher and stuff like that, the actual Docker part hasn't changed in 10+ years so I haven't had to change my setup for a decade. Low maintenance for me is software that can be left mostly untouched (except for minor updates) for a long time and I judge that based on the project's future, which for me is partly judged from a project's polish.

                                                                                                        Every time I tried WireGuard in the past, it didn't seem so polished. I don't want to waste time learning something that could go away. On the other hand, not only did Tailscale look pretty well set up, it was pretty much click and run which means that even if it were to fail, I would have not lost any time learning much about it.

                                                                                                        So low maintenance for me is "get the most out of as little work as possible" and choosing Tailscale was the decision to achieve that. So given that I've been using Tailscale for 1.5 years with near 0 amount of configuration and so far, no real downtime, it is adequately low maintenance.

                                                                                                    • selfhoster

                                                                                                      today at 1:35 AM

                                                                                                      > Everything on my home network is set up as if it were public-facing.

                                                                                                      That's Wireguard, I have the same, just Wireguard + VPS, everything I want available that is. I don't put every PC on my home network on the VPN, I could though, pretty easily.

                                                                                                  • phito

                                                                                                    yesterday at 8:31 PM

                                                                                                    Yeah, I don't understand how it is so prevalent in the self-hosted community. I would never install this on my server, just use wireguard/openvpn ...

                                                                                                    edit: okay, CGNAT

                                                                                                      • gabeio

                                                                                                        yesterday at 10:29 PM

                                                                                                        > Yeah, I don't understand how it is so prevalent in the self-hosted community.

                                                                                                        Not just CGNAT but not having _any_ external ports open can be a beautiful thing. I used to have an ssh port (not on the standard 22) and the amount of auth attempts back then was insane. I now have a full firewall with zero open ports but, thanks to tailscale, I can still safely access my machines while not being at home with zero unauthorized attempts.

                                                                                                        And since I am a security person, I use the tailscale lock feature so not even tailscale themselves can add nodes to my network. Even if they had a breach.

                                                                                                        I am a very happy customer.

                                                                                                          • jcgl

                                                                                                            today at 9:06 AM

                                                                                                            Wireguard, unlike SSH, behaves like a closed port unless the client successfully authenticates. As far as an unauthenticated client is concerned, you don't have a listening service ("opened port") at all.

                                                                                                            I mean, yeah, if you unfortunately have to deal with CGNAT, then you gotta do what you gotta do. But other than that, what's the issue with self-hosting Wireguard?

                                                                                                            • Carrok

                                                                                                              yesterday at 10:46 PM

                                                                                                              If you're using only key-auth and have password auth disabled, I'm not sure why unauthorized attempts are a problem.

                                                                                                                • gabeio

                                                                                                                  yesterday at 11:27 PM

                                                                                                                  > If you're using only key-auth and have password auth disabled, I'm not sure why unauthorized attempts are a problem.

                                                                                                                  See xz vulnerability for more details. It’s about not trusting people with any of my ports/software (directly).

                                                                                                                    • papichulo2023

                                                                                                                      today at 8:52 AM

                                                                                                                      Did you vet all Tailscale infra? Because now your attack surface is way higher. Wouldn't surprise me if the xz is somewhere there as well.

                                                                                                              • sureglymop

                                                                                                                yesterday at 11:09 PM

                                                                                                                If you're a security person, can you explain why a centralized key exchange server is needed at all? If you care about security you have to verify every node's key anyway...

                                                                                                                Also, it seems their infrastructure runs on AWS, not exactly confidence inspiring from a censorship/privacy risk standpoint.

                                                                                                                I think tailscale also doesn't provide transient quantum resistance. Wireguard traffic can be made quantum resistant with a PSK. I fail to see why one would use Tailscale over just wireguard other than for "convenience" reasons which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn.

                                                                                                                  • gabeio

                                                                                                                    yesterday at 11:57 PM

                                                                                                                    > If you're a security person, can you explain why a centralized key exchange server is needed at all? If you care about security you have to verify every nodes key anyway...

                                                                                                                    I do verify every node’s key. That’s kind of the point of tailscale lock unless I am missing something.

                                                                                                                    > Also, it seems their infrastructure runs on AWS, not exactly confidence inspiring from a censorship/privacy risk standpoint.

                                                                                                                    I don’t understand what censorship has to do with a personal home network?

                                                                                                                    Privacy on the other hand, is fair. For my usecase this is a home network I am not that concerned that they know what devices talk to what devices. Yes they know my ip address but that’s not valuable since it’s all defended by the tailnet lock.

                                                                                                                    > I fail to see why one would use Tailscale over just wireguard other than for "convenience" reasons which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn.

                                                                                                                    Direct access to my network being limited behind tailscale with a requirement to be part of my tailscale network signature satisfies my requirements for no one else's access to my network at all. And only if I am away from home does any of my traffic pass through a relay.

                                                                                                                    Tailscale has more device support than any WireGuard app that I know of. I don't believe WireGuard has Apple TV support, but Tailscale does.

                                                                                                                    I am not the only member of my family either, including them in this network with the simplicity of tailscale’s apps is also important.

                                                                                                        • GauntletWizard

                                                                                                          yesterday at 8:35 PM

                                                                                                          I trust Tailscale with my network traffic. I also trust a $50 cheap Chinese 10G switch that I bought off Amazon with a terrible and surely insecure management interface. Which is to say - I don't, but I don't need to trust it far.

                                                                                                          I do have enough trust in their client that's installed on my machine to believe that it's not actively malicious. I do trust that I can find my other devices, and trust Tailscale to keep a list of them and not randomly add other devices that I don't know, but I don't have perfect trust of that. All my internal services are still E2E encrypted over the WireGuard link; they run HTTPS with an internal cert authority. There are no ports open on them that shouldn't be, and while it's possible that one of them still gets popped, it's much less likely.

                                                                                                          • goodpoint

                                                                                                            today at 7:52 AM

                                                                                                            We should not.

                                                                                                            • porridgeraisin

                                                                                                              yesterday at 8:16 PM

                                                                                                              If you really want to host the control server yourself, you can use this open source implementation of it at https://github.com/juanfont/headscale

                                                                                                          • tsujamin

                                                                                                            yesterday at 8:04 PM

                                                                                                            The tailscale.com/tsnet package in Go [1] is really useful if you've not looked at it before: you can make single binary HTTP or whatever servers that are only exposed inside your tailnet.

                                                                                                            Their golink project [2] is a good example (and useful itself), but I've used it to build "peer to peer" comms for one application, and to host an API and Svelte SPA to control some other things in a tailnet.

                                                                                                            [1] https://pkg.go.dev/tailscale.com/tsnet

                                                                                                            [2] https://github.com/tailscale/golink

                                                                                                              • PLG88

                                                                                                                today at 9:13 AM

                                                                                                                Check out OpenZiti - https://openziti.io/. It looks like Tailscale but is open source, takes zero trust principles to their logical conclusion, and includes a whole suite of SDKs (alongside host based tunnelers and VMs) making it super easy to embed private, obfuscated, secure connectivity directly into your apps. Heck, you don't even need listening ports on the host OS network, therefore your app cannot be found or attacked from the network/IP. Here is a good blog using the Go SDK as an example - https://blog.openziti.io/go-is-amazing-for-zero-trust

                                                                                                                • b_fiive

                                                                                                                  yesterday at 8:59 PM

                                                                                                                  If you're a rust fan we make a similar library, that's all-in on "p2p-QUIC", with pre-baked protocols to import on top: https://github.com/n0-computer/iroh

                                                                                                                    • tsujamin

                                                                                                                      today at 12:23 AM

                                                                                                                      That’s super cool, I was going to say “nat punching and public relays are a requirement for me” but you already do that! Definitely filing this away for future projects.

                                                                                                                  • mafro

                                                                                                                    today at 4:05 AM

                                                                                                    I've been using tailscale/caddy-tailscale[1] successfully to serve applications only on my tailnet. It says highly experimental, but it's worked just fine for me.

                                                                                                                    [1] https://github.com/tailscale/caddy-tailscale

                                                                                                                    • xlii

                                                                                                                      yesterday at 8:36 PM

                                                                                                      How difficult is it to use? Right now I'm working on orchestrating dev-local service clusters where I bind plenty of hosts to mimic the real world. I'm using proxy tunneling to punch in, but I'd love to have a Tailscale endpoint which I could use to connect external devices (like mobile clients or non-technical stakeholders for show and tell).

                                                                                                                        • tsujamin

                                                                                                                          today at 12:19 AM

                                                                                                                          It’s pretty simple, I’ve not updated my package version in a while but iirc you give it a state directory, an auth key, and you get a Dial-like interface you can use with the stdlib http libraries

                                                                                                                      • ksajadi

                                                                                                                        today at 3:13 AM

                                                                                                        Absolutely. You can run a Go process that becomes a Tailscale client without any other dependencies. This is what I use it for: issuing JWTs for service authentication: https://github.com/AltaCoda/tailbone

                                                                                                                        • aranw

                                                                                                                          yesterday at 8:47 PM

                                                                                                          I've been using Tailscale for a while now and have even developed a few internal apps using tsnet as well, but I had no idea about golink and it's awesome. Thanks for sharing that!

                                                                                                                          • gabeio

                                                                                                                            yesterday at 10:33 PM

                                                                                                                            You don't actually need tsnet for that. tailscale cli itself running the subcommand serve will allow you to share a specific port on your machine either with your tailnet or use funnel and share it out to the internet.

                                                                                                            I pulled tsnet out of my Go application and switched entirely to `tailscale serve`, and just use the header it adds to auth my family into apps I write. I love it.
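The header gabeio is relying on is one of the identity headers `tailscale serve` adds to each request it proxies (Tailscale-User-Login, Tailscale-User-Name, Tailscale-User-Profile-Pic). The caveat a practitioner wants here: those headers only mean something when the request genuinely came through the local tailscaled proxy. If the app is reachable on any other interface, a peer that hits the port directly can type the header itself. So bind the backend to loopback and, as a second line, reject anything that did not arrive from loopback before reading the header. The following is an added Go example, not code from this thread or from Tailscale; the allowlist entries and the port are placeholders.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
)

// Logins allowed into the app, as reported by Tailscale serve in the
// Tailscale-User-Login header. Constructed sample data.
var allowed = map[string]bool{
	"alice@example.com": true,
	"bob@example.com":   true,
}

// fromLoopback reports whether the request arrived over the loopback
// interface, i.e. from the local tailscaled serve proxy rather than from
// a peer that could have forged the identity headers.
func fromLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// identify returns the tailnet login for an accepted request, or the HTTP
// status and reason for rejecting it. The origin check runs before the
// header is even looked at.
func identify(r *http.Request) (login string, status int, err error) {
	if !fromLoopback(r.RemoteAddr) {
		return "", http.StatusForbidden, fmt.Errorf("request did not come through the local serve proxy")
	}
	login = r.Header.Get("Tailscale-User-Login")
	if login == "" {
		return "", http.StatusUnauthorized, fmt.Errorf("no Tailscale identity header")
	}
	if !allowed[login] {
		return "", http.StatusForbidden, fmt.Errorf("%s is not on the allowlist", login)
	}
	return login, http.StatusOK, nil
}

func handler(w http.ResponseWriter, r *http.Request) {
	login, status, err := identify(r)
	if err != nil {
		http.Error(w, err.Error(), status)
		return
	}
	fmt.Fprintf(w, "hello %s\n", login)
}

func main() {
	// Bind to loopback only: tailscaled's serve proxy runs on this host and
	// nothing on the LAN or the tailnet should reach the app any other way.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(handler)))
}
```

Point `tailscale serve` at http://127.0.0.1:8080 and the proxy supplies the header; a request that arrives from a tailnet or LAN address with the same header is refused before the allowlist is consulted. With tsnet instead of serve there are no such headers: the equivalent is to ask the embedded server's local client for a WhoIs lookup on the remote address.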

                                                                                                                              • tsujamin

                                                                                                                                today at 12:21 AM

                                                                                                                                funnel and serve are also awesome, but in this case the use case necessitated a single binary that worked without the full package installed/didn’t touch the routing table or tun device

                                                                                                                                  • gabeio

                                                                                                                                    today at 12:33 AM

                                                                                                                                    Ah if you truly need a single binary, yes it is nice.

                                                                                                                                    I had some issues with builds every once in a while, which is another reason I switched to using tailscale serve instead.

                                                                                                                            • apitman

                                                                                                                              yesterday at 9:19 PM

                                                                                                                              See also OpenZiti: https://openziti.io/

                                                                                                                                • PLG88

                                                                                                                                  today at 8:40 AM

                                                                                                                                  For replacing port forwarding, OpenZiti definitely works. zrok, which is built on top of OpenZiti, could also be a great option for sharing resources - https://zrok.io/

                                                                                                                          • Trumpi

                                                                                                                            yesterday at 7:39 PM

                                                                                                            I was once in South Africa and needed to look up my prescriptions in the CVS app. I had lost my pills and needed to show a local pharmacist what I needed. CVS geoblocked me. Luckily I had a Tailscale exit node running at home, which solved the problem.

                                                                                                                              • danudey

                                                                                                                                yesterday at 9:28 PM

                                                                                                                                I was on a cruise ship a few weeks ago and realized that, instead of being throttled, a lot of sites were completely blocked. Very irritating. They also do DPI on the cruise ship network so that VPN clients like OpenVPN are blocked regardless of port.

                                                                                                                Without a laptop handy, I had to use my iPhone to set up a droplet running Ubuntu, then install vray onto it and configure it to run on port 443. vray uses "standard" SSL to tunnel connections, so to DPI it just looks like normal HTTPS traffic and I was able to pass traffic through the firewall when I needed to access something that was blocked. It makes me wonder if Tailscale would also bypass their analysis, or if it would be blocked as well.

                                                                                                                                (I didn't abuse this to the detriment of the network, and I did pay for the "streaming package" on sea days when I had a lot of traffic to run)

                                                                                                                                  • kdmtctl

                                                                                                                                    yesterday at 10:52 PM

                                                                                                                                    Wireguard is easy to block. Some VPN providers do implement an obfuscation layer for it, but Tailscale uses plain WG, so if WG is blocked, you will get no connection. Control plane would still work, though.
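Why plain WireGuard is easy to fingerprint: every UDP payload starts with a one-byte message type followed by three reserved bytes that are always zero, the three handshake messages have fixed lengths (148, 92 and 64 bytes), and transport messages are a 16-byte header plus a 16-byte aligned ciphertext. A DPI rule needs nothing more than that. The following is an added Go example, not code from this thread or from Tailscale or WireGuard, that applies exactly those checks to constructed sample payloads. It only looks at raw UDP framing: traffic that Tailscale falls back to sending through a DERP relay travels inside an HTTPS connection and is not visible to a rule like this.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// WireGuard message types (first byte of every UDP payload).
const (
	msgHandshakeInit = 1
	msgHandshakeResp = 2
	msgCookieReply   = 3
	msgTransport     = 4
)

// Fixed sizes of the handshake messages, and the minimum size of a
// transport message (16-byte header plus a 16-byte Poly1305 tag over an
// empty keepalive payload).
const (
	sizeHandshakeInit = 148
	sizeHandshakeResp = 92
	sizeCookieReply   = 64
	sizeTransportMin  = 32
)

// ClassifyWireGuard labels a UDP payload that matches the WireGuard wire
// format and returns "" otherwise: type byte, three zero reserved bytes, a
// fixed length per handshake type, and a 16-byte aligned length for
// transport data. That rigidity is what a DPI box keys on.
func ClassifyWireGuard(p []byte) string {
	if len(p) < 4 || p[1] != 0 || p[2] != 0 || p[3] != 0 {
		return ""
	}
	switch p[0] {
	case msgHandshakeInit:
		if len(p) == sizeHandshakeInit {
			return "handshake-initiation"
		}
	case msgHandshakeResp:
		if len(p) == sizeHandshakeResp {
			return "handshake-response"
		}
	case msgCookieReply:
		if len(p) == sizeCookieReply {
			return "cookie-reply"
		}
	case msgTransport:
		if len(p) >= sizeTransportMin && len(p)%16 == 0 {
			return "transport-data"
		}
	}
	return ""
}

// SenderIndex extracts the little-endian 32-bit sender index that follows
// the header in handshake initiation and response messages; a DPI box can
// use it to pair the two halves of a handshake.
func SenderIndex(p []byte) (uint32, bool) {
	if len(p) < 8 || (p[0] != msgHandshakeInit && p[0] != msgHandshakeResp) {
		return 0, false
	}
	return binary.LittleEndian.Uint32(p[4:8]), true
}

// newHandshakeInit builds a zero-filled handshake initiation carrying the
// given sender index. Constructed test input, not a captured packet.
func newHandshakeInit(sender uint32) []byte {
	p := make([]byte, sizeHandshakeInit)
	p[0] = msgHandshakeInit
	binary.LittleEndian.PutUint32(p[4:8], sender)
	return p
}

func main() {
	// Constructed samples: two WireGuard payloads and the start of a TLS
	// ClientHello record for contrast.
	samples := map[string][]byte{
		"wg handshake init": newHandshakeInit(0xdeadbeef),
		"wg keepalive":      append([]byte{msgTransport, 0, 0, 0}, make([]byte, 28)...),
		"tls client hello":  {0x16, 0x03, 0x01, 0x00, 0xf4, 0x01, 0x00, 0x00, 0xf0},
	}
	for name, p := range samples {
		label := ClassifyWireGuard(p)
		if label == "" {
			label = "not wireguard"
		}
		fmt.Printf("%-18s -> %s\n", name, label)
	}
}
```

Obfuscation layers of the kind some VPN providers bolt on work by breaking exactly these invariants (non-zero reserved bytes, padded lengths, or wrapping the whole datagram in something else), which is why the same rule stops matching once such a layer is in place.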

                                                                                                                                      • devilbunny

                                                                                                                                        yesterday at 11:59 PM

                                                                                                                                        Intriguingly, my work network (both guest and employee networks) blocks OpenVPN, commercial VPN (Proton I use, plus a couple of others I tried just as an experiment), and Tailscale authentication, but if the device is already authenticated to the tailnet, it will continue to work. Turns out that work uses the same ISP my home does, so perhaps that's part of it, but I have another TS exit node running at my in-laws' house (so I can remotely maintain their network, and so I can get out to the Internet via TS even if my home is down), and they're in another state with a different ISP.

                                                                                                                                        I haven't actually tried this when my home service is down, because it's basically never down, but I can easily switch exit nodes when they are both running without hitting the authentication servers again.

                                                                                                                                          • kdmtctl

                                                                                                                                            today at 8:38 AM

                                                                                                                                            It's easy to block the control plane because Tailscale has endpoints listing all current control and DERP servers. On Linux you can use a SOCKS proxy for control plane traffic, if connections still work. Some firewalls are really restrictive.

                                                                                                                                            I can understand the work network policy, someone could use Tailscale to leak data, but a residential ISP should not block it. I would rather bother their support for an incomplete service.

                                                                                                                                    • nl

                                                                                                                                      today at 12:22 AM

                                                                                                                                      I've run a SSH server on port 443 to bypass blocking before. Probably wouldn't work if they are _actually_ doing DPI, but a surprising number of networks don't - just have blocklists and only support port 80 and 443 access.

                                                                                                                                      • abdullahkhalids

                                                                                                                                        yesterday at 10:38 PM

                                                                                                                                        Tor Browser should have worked with the right bridge or proxy.

                                                                                                                                        • deadbabe

                                                                                                                                          today at 12:00 AM

                                                                                                                          Why not just use shadowsocks?

                                                                                                                                      • deuschelandian

                                                                                                                                        yesterday at 8:20 PM

                                                                                                                                        When I was in Germany - Capital One blocked access to my account unless I confirmed via SMS or tapping my card. Both of which I didn’t have with me.

                                                                                                                                        Tunnelling into my home machine I was able to access the account and transfer money I needed.

                                                                                                                                        Sure a VPN might be able to do this too but it’s nice being able to exit via a connection you control.

                                                                                                                                        I can also watch Plex movies without exposing ports.

                                                                                                                                          • codethief

                                                                                                                                            yesterday at 9:34 PM

                                                                                                                                            Another data point: I was at Doha airport recently and logged into their public WiFi. Unfortunately, they seemed to be MitM'ing certain connections, mostly to well-known domains. To work around this, I tried setting up Mullvad (which I had used occasionally in the past) but they downgraded Mullvad.net to HTTP, too. Thankfully, I had Tailscale already set up and I could easily book their Mullvad package and add Mullvad as an exit node to my Tailnet. Problem solved.

                                                                                                                                        • HPsquared

                                                                                                                                          yesterday at 9:02 PM

                                                                                                                                          Alternative: OpenVPN server on your router.

                                                                                                                                            • gabeio

                                                                                                                                              yesterday at 10:38 PM

                                                                                                                                              > OpenVPN server on your router.

                                                                                                                                              Honestly I would suggest wireguard on your router before openvpn.

                                                                                                                                                • deuschelandian

                                                                                                                                                  yesterday at 11:36 PM

                                                                                                                                                  That’s all Tailscale is really.

                                                                                                                                            • import

                                                                                                                                              yesterday at 11:48 PM

                                                                                                                                              10 times slower than Wireguard

                                                                                                                                      • simonw

                                                                                                                                        yesterday at 7:54 PM

                                                                                                                        I used Tailscale the other week to solve a problem where a government website was blocking me from scraping it from GitHub Actions... so I ran an exit node on an Apple TV on my home network and configured the GitHub Actions worker to use that instead. Worked great! https://til.simonwillison.net/tailscale/tailscale-github-act...

                                                                                                                                          • djsjajah

                                                                                                                                            yesterday at 10:53 PM

                                                                                                                                            You could have also self-hosted the GitHub Actions runner which might have been easier as long as you had something to run the runner on.


                                                                                                                                        • vermilingua

                                                                                                                                          today at 1:21 AM

                                                                                                                                          Hugged: https://web.archive.org/web/20250305011820/https://blog.6nok...

                                                                                                                                            • miyuru

                                                                                                                                              today at 1:56 AM

                                                                                                                                              Thanks, I am also getting this unusual error on blog.6nok.org.

                                                                                                                                              "This Deployment is paused by the owner.

                                                                                                                                              Your connection is working correctly.

                                                                                                                                              Vercel is working correctly."

                                                                                                                                                • tills13

                                                                                                                                                  today at 3:41 AM

                                                                                                                                                  Maybe a cost based trigger on the vercel project?

                                                                                                                                                    • frontsideair

                                                                                                                                                      today at 6:17 AM

                                                                                                                                                      Exactly, I had a spend limit since I didn’t want to break the bank. It’s back up now.

                                                                                                                                                      • o1o1o1

                                                                                                                                                        today at 4:43 AM

                                                                                                                                                        I'd be very interested, is there someone who could elaborate please?

                                                                                                                                                        I'm terrified using a service like Vercel because I heard about the massive cost trap that can hit you hard and I don't know if there is any alternative for (easily & quickly) hosting NextJS apps.

                                                                                                                                                          • ashfn

                                                                                                                                                            today at 8:32 AM

                                                                                                                                            It's relatively straightforward to host a Next.js app in a Docker container and route it with nginx and Cloudflare, but you probably won't get as good uptime.

                                                                                                                                                            • frontsideair

                                                                                                                                                              today at 6:19 AM

                                                                                                                                                              That’s exactly why I put the spend limit, and this was the first time to confirm that it actually works.

                                                                                                                                              • EVa5I7bHFq9mnYK

                                                                                                                                                yesterday at 8:00 PM

                                                                                                                                                I remember Hamachi did the same as Tailscale in the 90s, we used it to play virtual LAN DOOM. Greed killed it.

                                                                                                                                                  • adamors

                                                                                                                                                    yesterday at 8:48 PM

                                                                                                                                    Hamachi was amazing, one of the best, most focused apps I've ever used. We were kids but it was still easy to use. Then they were bought by LogMeIn and it was killed unceremoniously.

                                                                                                                                                    Also, it's old but not 90s old: https://swapped.cc/#!/hamachi released in 2004 actually.

                                                                                                                                                    • dugmartin

                                                                                                                                                      yesterday at 8:24 PM

                                                                                                                                                      The Hamachi UI and UX were great. I was very sad when it got bloated and then killed like a beached whale. I just looked and I guess it lives on as a whalezombie at https://vpn.net/.

                                                                                                                                                      • kdmtctl

                                                                                                                                                        yesterday at 10:56 PM

                                                                                                                                                        This is ZeroTier territory. Not as polished as Tailscale, but provides L2 like Hamachi and has been bulletproof for years already.

                                                                                                                                                        • papichulo2023

                                                                                                                                                          today at 8:58 AM

                                                                                                                                                          Hamachi was the OG user friendly VPN.

                                                                                                                                                          • pushcx

                                                                                                                                                            yesterday at 8:12 PM

                                                                                                                                                            I remember XBConnect and GameSpy for playing Xbox Halo 1 over the internet. I think a couple were invented for every big game or console before 2010 or so.

                                                                                                                                                            Tailscale doesn't really address connecting to strangers, though.

                                                                                                                                                            • xyst

                                                                                                                                                              today at 1:28 AM

                                                                                                                                                              I completely forgot about Hamachi. Remember using this as a teenager for creating private xbox lobbies over the internet

                                                                                                                                                              • TacticalCoder

                                                                                                                                                                yesterday at 10:11 PM

                                                                                                                                                                Not identical but in the 90s to play Windows games that only had a LAN mode over the Internet, we were using Kali in the 90s: https://en.wikipedia.org/wiki/Kali_(software)

                                                                                                                                                                This allowed us to play Warcraft II with random strangers: RTS games over the Internet... Felt like the future!

                                                                                                                                                                  • rrrx3

                                                                                                                                                                    today at 2:22 AM

                                                                                                                                                                    So many good memories from Kali!

                                                                                                                                                            • 9dev

                                                                                                                                                              yesterday at 9:12 PM

                                                                                                                                                              We’re using Tailscale for our internal network, and it’s amazing. We’re a team distributed across multiple countries, and with Tailscale, it’s like we’re sitting in a single office, connected to the same router. And on top of that, we get centrally managed ACLs for everyone, TLS certificates, and SSO with Microsoft accounts. Amazing stuff!

                                                                                                                                                              My main gripe, though, is DNS. It’s great to be able to reach prod-db-1, prod-db-2, and prod-db-3, tag them as "db" and create a rule to allow TCP on db:5432. However, it’s annoying that all of this is supported, but not the obvious extension: DNS records for the tags, so I can point apps to a group of servers belonging to the same tag.

                                                                                                                                                                • rudasn

                                                                                                                                                                  yesterday at 11:10 PM

                                                                                                                                                                  I don't get it. `db` should resolve to all host IPs? Wouldn't a load balancer make more sense in that scenario?

                                                                                                                                                                    • 9dev

                                                                                                                                                                      today at 6:48 AM

                                                                                                                                                                      Consider `db` resolves to multiple A records:

                                                                                                                                                                        db.   IN   A    100.64.123.1   # prod-db-1.
                                                                                                                                                                        db.   IN   A    100.64.123.2   # prod-db-2.
                                                                                                                                                                        db.   IN   A    100.64.123.3   # prod-db-3.
                                                                                                                                                                      
                                                                                                                                                                      This is good for service discovery—e.g., you can configure something like RabbitMQ to discover cluster members from an A record—and it's nice for browsers, which will pick one host at random when connecting, which effectively is load balancing.

                                                                                                                                                                      In a usual setup, the problem is that if a host goes down, clients will still try to reach it because it's still in the DNS record; but with Tailscale, the "DNS" is generated by the local Tailscale daemon on the fly, so you get a live view, and if this was implemented, it would be possible to only return available servers for tag queries.
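The behaviour 9dev describes, a tag query answered from the live peer view so that a host that has gone down simply drops out of the answer, can be modelled in a few lines. The block below is an added illustration written for this thread, not Tailscale code and not a comment author's code. It assumes a constructed list of peers whose field names are loosely modelled on the peer entries of `tailscale status --json`; the exact schema and the `tag:` prefix convention are assumptions for the example, not something the thread confirms.

```python
import ipaddress
import random

# Constructed sample input (not real tailnet data). Field names are an
# assumption loosely modelled on the peer entries of `tailscale status --json`.
SAMPLE_PEERS = [
    {"HostName": "prod-db-1", "TailscaleIPs": ["100.64.123.1"], "Tags": ["tag:db"], "Online": True},
    {"HostName": "prod-db-2", "TailscaleIPs": ["100.64.123.2"], "Tags": ["tag:db"], "Online": False},
    {"HostName": "prod-db-3", "TailscaleIPs": ["100.64.123.3"], "Tags": ["tag:db"], "Online": True},
    {"HostName": "prod-web-1", "TailscaleIPs": ["100.64.123.10"], "Tags": ["tag:web"], "Online": True},
]


def resolve_tag(peers, tag, only_online=True):
    """Return the sorted IPv4 addresses of every peer carrying `tag`.

    With only_online=True the answer is built from the live peer view, so a
    node that is currently down disappears from the record set instead of
    lingering as a stale A record that clients keep trying to reach.
    """
    wanted = tag if tag.startswith("tag:") else f"tag:{tag}"
    addrs = []
    for peer in peers:
        if wanted not in peer.get("Tags", []):
            continue
        if only_online and not peer.get("Online", False):
            continue
        for ip in peer.get("TailscaleIPs", []):
            # Keep only IPv4 addresses; these become A records.
            if ipaddress.ip_address(ip).version == 4:
                addrs.append(ip)
    return sorted(addrs)


def zone_records(peers, tag, only_online=True):
    """Render the answer as zone-file style A records, one per live peer."""
    return [f"{tag}.\tIN\tA\t{ip}" for ip in resolve_tag(peers, tag, only_online)]


def pick_one(peers, tag, rng=random):
    """Model a browser-style client: choose one of the returned addresses at random.

    Because only live peers are returned, the random choice never lands on a
    host that is known to be down.
    """
    addrs = resolve_tag(peers, tag)
    return rng.choice(addrs) if addrs else None


if __name__ == "__main__":
    for record in zone_records(SAMPLE_PEERS, "db"):
        print(record)
    print("client picked:", pick_one(SAMPLE_PEERS, "db"))
```

Running it prints two A records for `db` (prod-db-2 is offline in the sample and is omitted); passing `only_online=False` reproduces the conventional static zone with all three hosts, which is the stale-record problem the comment above points out.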

                                                                                                                                                                • bcye

                                                                                                                                                                  yesterday at 9:50 PM

                                                                                                                                                                  I noticed that limitation quickly too. My solution was to just point A records on my domain to the tailscale internal ip and use the let's encrypt wildcard certificate my registrar (porkbun) provides out of the box.

                                                                                                                                                                  • vluft

                                                                                                                                                                    yesterday at 11:23 PM

                                                                                                                                                                    Yup, I ended up implementing that myself via a CoreDNS extension that does DNS for both tags and hosts. Obviously not zero effort, but it ended up being quite straightforward, and has been working flawlessly since then.

                                                                                                                                                                    • cess11

                                                                                                                                                                      yesterday at 9:17 PM

                                                                                                                                                                      Similar to how you would use keepalived to get a virtual IP and broker between addresses under it?

                                                                                                                                                                        • 9dev

                                                                                                                                                                          yesterday at 9:29 PM

                                                                                                                                                                          Yes, but with all the benefits of Tailscale nodes—automatic DNS resolution, ACLs, and TLS certificates out of the box, and so on. The building blocks are all there, it’s just that nobody has built the feature yet.

                                                                                                                                                                  • aborsy

                                                                                                                                                                    today at 2:29 AM

                                                                                                                                                                    Tailscale is not just a wrapper around Wireguard, as some people imply in the comments. The codebase is far bigger, and it does far more. They are different products.

                                                                                                                                                                    What Tailscale does is difficult to do with WireGuard: easy VPN, SSO with MFA, key distribution, static private IP for each node, peer-to-peer direct connectivity, split tunneling, fine-grained access control rules down to per port and application, WireGuard over TCP, NAT traversal for devices behind firewalls, central management, sharing nodes with others, DNS, file sending, routing rules (with exit nodes, subnet routers, “via”), key rotation, …

                                                                                                                                                                    Wireguard connects peer A to peer B, and its simplicity stops there.

                                                                                                                                                                    I found Tailscale to be a very good tool, that I extensively use.

                                                                                                                                                                    My only concern is: what happens if their infrastructure is compromised at some point, like Okta’s? Assuming I have tail lock enabled.

                                                                                                                                                                    • jpgvm

                                                                                                                                                                      today at 8:58 AM

                                                                                                                                                                      We recently did a pretty big rollout of Tailscale and tbh I am pleasantly surprised with how well it works. Between subnet routing to our bare metal stuff and the Kubernetes operator, especially the ability to expose services to the tailnet, it has been a big win.

                                                                                                                                                                      I was a doubter a bit as to how it would work at a bigger org but so far rock solid, easy to setup and great user experience.

                                                                                                                                                                      • stego-tech

                                                                                                                                                                        yesterday at 8:08 PM

                                                                                                                                                                        I've harped on some Tailscale implementations before for what I perceived to be nonsensical or bad approaches, but this one is an excellent example of its capabilities. In no particular order:

                                                                                                                                                                        * It's not reliant on port forwarding at your firewall

                                                                                                                                                                        * It can get around bad ISP habits, like CGNAT or a lack of IPv6 (or IPv4)

                                                                                                                                                                        * As the OP points out, it's broadly compatible with various forms of exit nodes

                                                                                                                                                                        Straightforward and to-the-point. Great writeup.

                                                                                                                                                                        • erulabs

                                                                                                                                                                          yesterday at 8:21 PM

                                                                                                                                                                          Tailscale also allows you to issue valid TLS certificates (`tailscale cert`), which is crazy useful for certain local development tasks, e.g. developing SSO for a mobile application where the SSO provider mandates TLS and the mobile devices don't easily allow you to bypass self-signed certificates. They keep piling on awesome features, big fan.

                                                                                                                                                                          The Tailscale k8s operator is also great.

                                                                                                                                                                            • 9dev

                                                                                                                                                                              yesterday at 9:02 PM

                                                                                                                                                                              I use these certificates for almost any management UI of internal services that would go unencrypted for convenience otherwise, even for Postgres servers. It’s really versatile.

                                                                                                                                                                          • ziofill

                                                                                                                                                                            today at 8:08 AM

                                                                                                                                                                            I love tailscale! I am now on vacation and all my devices can still use pihole running on a raspberry pi at home on the other side of the world. And it was trivial to set up!

                                                                                                                                                                            • smackeyacky

                                                                                                                                                                              yesterday at 9:28 PM

                                                                                                                                                                              My favourite use of tailscale:

                                                                                                                                                                              I have a bluetooth gateway (Cassia X1000) in my workshop where I normally develop. I was at home doing some Android work at one point rather than at the workshop and needed to test some new Cassia functionality.

                                                                                                                                                                              Tailscale exit node in the workshop.

                                                                                                                                                                              Tailscale client on my linux dev laptop at home.

                                                                                                                                                                              Started up the android emulator via Android Studio, connected to the Cassia via the app being debugged, debugged what I needed to, shipped it.

                                                                                                                                                                              At the time it seemed like actual magic had happened.

                                                                                                                                                                              • LinAGKar

                                                                                                                                                                                today at 7:12 AM

                                                                                                                                                                                Tailscale is also crazy unreliable in my experience, at least on Android. It had to be force quit and restarted every day, and even outside of that apps would randomly get connection errors. And they don't seem to care about bug reports. I ended up switching to regular Wireguard, which has since been perfectly reliable.

                                                                                                                                                                                • jaxtracks

                                                                                                                                                                                  yesterday at 7:31 PM

                                                                                                                                                                                  The features here seem to be fairly standard with most of the WireGuard-based VPNs these days. For example, I use Nord for my use case, which is very similar to the author's. This allows me to rsync my home directory between my laptop, tablet, phone's Termux env, and desktop (all running Linux) to maintain configuration parity and file locality regardless of where I turn these devices on, so long as they have internet.

                                                                                                                                                                                  Does Tailscale have features that set it apart now that other VPNs have gotten the private mesh thing down pretty well?

                                                                                                                                                                                    • baq

                                                                                                                                                                                      yesterday at 8:01 PM

                                                                                                                                                                                      It just works, literally. I haven’t tried Nord, but I’ve got clients on Mac, Linux, Windows, RPis, and it all just works. I used to run PiVPN, but the key exchange magic Tailscale employs is so much simpler, and it somehow works on networks blocking unknown packets, unlike the PiVPN I had set up on some random UDP port.

                                                                                                                                                                                        • Hikikomori

                                                                                                                                                                                          yesterday at 8:11 PM

                                                                                                                                                                                          How is it on Android? Tried different VPNs to access my Pi-hole but it's really slow at resolving sometimes.

                                                                                                                                                                                            • genewitch

                                                                                                                                                                                              yesterday at 8:29 PM

                                                                                                                                                                                              I use it on android to talk to my synology and a proxmox server at my house from anywhere.

                                                                                                                                                                                              It comes in handy from time to time. I run a "public" subsonic server but I don't have most of my own productions on it, but I can open VLC on android and go to a bookmarked share and play it all there.

                                                                                                                                                                                              Also stuff like NVR camera feeds I can look at over Tailscale, too. No "cloud" storage needed.

                                                                                                                                                                                              I wish there was an easy reliable way to do this that didn't involve a for-profit; but until awful things happen I am fine using this for low-friction, trivial network access.

                                                                                                                                                                                              • codethief

                                                                                                                                                                                                yesterday at 9:42 PM

                                                                                                                                                                                                I've used it on Android to stream the occasional video or song from my Jellyfin server while using mobile data. Not bad at all, plus they finally seem to have gotten their battery drain issues under control.

                                                                                                                                                                                                Recently, as I have been traveling through the Middle East and East Africa, I have also used Tailscale on my phone to protect myself on public wifis and to work around MitM attempts, see my other comment further up.

                                                                                                                                                                                                • baq

                                                                                                                                                                                                  yesterday at 8:28 PM

                                                                                                                                                                                                  Android is the only major OS I haven’t tried, but given its Linux roots I’d assume it’s first tier.

                                                                                                                                                                                                  • porridgeraisin

                                                                                                                                                                                                    yesterday at 8:36 PM

                                                                                                                                                                                                    It's great for my limited usecase (SSHing/HTTPing to my laptop/computer)

                                                                                                                                                                                            • zrail

                                                                                                                                                                                              yesterday at 8:03 PM

                                                                                                                                                                                              Maybe not if all you're doing is hooking some nodes together. That said, I have personally used these Tailscale features that with a quick glance I don't see Meshnet having:

                                                                                                                                                                                              - ephemeral nodes are super useful for things like attaching a GitHub action runner or a fly.io instance to your tailnet

                                                                                                                                                                                              - Tailscale's ACL system has a ton of capabilities

                                                                                                                                                                                              - getting corporate buy-in is possible, vs trying to get a business to buy into Nord meshnet for actual workloads

                                                                                                                                                                                              • yjftsjthsd-h

                                                                                                                                                                                                yesterday at 8:00 PM

                                                                                                                                                                                                What other VPNs do mesh networking? I only know of zerotier (proprietary) and nebula (FOSS except that the Android app is proprietary)

                                                                                                                                                                                                  • PLG88

                                                                                                                                                                                                    today at 9:16 AM

                                                                                                                                                                                                    Check out OpenZiti. It's open source, and does zero trust principles better. I wrote a blog comparing it and Tailscale - https://netfoundry.io/vpns/tailscale-and-wireguard-versus-ne...

                                                                                                                                                                                                    • vizzier

                                                                                                                                                                                                      yesterday at 8:46 PM

                                                                                                                                                                                                      Probably the closest to tailscale, optionally selfhosted, and using wireguard meshing would be https://netbird.io/

                                                                                                                                                                                                      • johnmaguire

                                                                                                                                                                                                        yesterday at 8:06 PM

                                                                                                                                                                                                        Shameless plug, but some of the Nebula team (including myself) works on https://www.defined.net/ (proprietary managed Nebula networks.)

                                                                                                                                                                                                        Also, ZeroTier is "open-source ish." They use the BSL license for most of their code (https://www.zerotier.com/blog/on-the-gpl-to-bsl-transition/) and I believe you can self-host (https://docs.zerotier.com/selfhost/)

                                                                                                                                                                                                          • rainsford

                                                                                                                                                                                                            today at 12:56 AM

                                                                                                                                                                                                            I've tried Nebula before, admittedly a while ago, and it seemed interesting, but much less user friendly than Tailscale. But one of these days I would like to play around with defined.net just to see what other options are out there.

                                                                                                                                                                                                            I also tried ZeroTier and was extremely unimpressed, although again that was a few years ago. The performance on single threaded systems was absolutely terrible, which suggests some deeply broken code and made it unusable with a cheap VPS. The pace of development was also pretty slow and the insistence on homebrew crypto was also not confidence inspiring compared to something that used a proven solution like Wireguard.

                                                                                                                                                                                                            • yjftsjthsd-h

                                                                                                                                                                                                              yesterday at 8:26 PM

                                                                                                                                                                                                              > Shameless plug, but some of the Nebula team (including myself) works on https://www.defined.net/ (proprietary managed Nebula networks.)

                                                                                                                                                                                                              My one objection to Nebula is that its Android app is proprietary, and your response is to plug the even more proprietary way to run it?

                                                                                                                                                                                                              > Also, ZeroTier is "open-source ish."

                                                                                                                                                                                                              So it's not FOSS.

                                                                                                                                                                                                                • johnmaguire

                                                                                                                                                                                                                  yesterday at 8:57 PM

                                                                                                                                                                                                                  Sorry, I wasn't aware you had objections to proprietary products! After all, this was a thread about Tailscale and alternatives. :) Many people find it painful to setup a VPN network and prefer a managed solution (e.g. Tailscale instead of Wireguard.) Likewise, people have different understandings of what exactly FOSS means and I'm not deeply familiar with the BSL, so I'm not sure whether it would meet your needs.

                                                                                                                                                                                                                  Best of luck in your search! Maybe take a look at Tinc or Yggdrasil.

                                                                                                                                                                                                                    • yjftsjthsd-h

                                                                                                                                                                                                                      today at 6:59 AM

                                                                                                                                                                                                                      > Likewise, people have different understandings of what exactly FOSS means and I'm not deeply familiar with the BSL, so I'm not sure whether it would meet your needs.

                                                                                                                                                                                                                      https://mariadb.com/bsl11/

                                                                                                                                                                                                                      > The Business Source License (this document, or the “License”) is not an Open Source license.

                                                                                                                                                                                                                      I'm gonna take them at their word.

                                                                                                                                                                                                                      > Best of luck in your search! Maybe take a look at Tinc or Yggdrasil.

                                                                                                                                                                                                                      I did, but thanks:)

                                                                                                                                                                                                              • ebr4him

                                                                                                                                                                                                                today at 8:37 AM

                                                                                                                                                                                                                ZeroTier works where Tailscale (Wireguard) is blocked eg Egypt.

                                                                                                                                                                                                            • wkat4242

                                                                                                                                                                                                              yesterday at 10:33 PM

                                                                                                                                                                                                              There's zerotier, nebula like others have managed and also a few more older and fringey ones like tinc and hamachi that basically invented the same concept 10+ years before the rest.

                                                                                                                                                                                                          • dawnerd

                                                                                                                                                                                                            yesterday at 8:40 PM

                                                                                                                                                                                                            I was all on board with WireGuard myself but couldn’t get smb working reliably. Saw someone say they’d had better performance with tailscale and sure enough I can actually use it. It’s not perfect or anything but quite amazing considering it’s still just WireGuard under the hood. Whatever magic configs they have, good job

                                                                                                                                                                                                            • Spooky23

                                                                                                                                                                                                              yesterday at 8:01 PM

                                                                                                                                                                                                              The beauty of it is that you control it. And even scale it to console stuff. For my use, that’s desirable.

                                                                                                                                                                                                              That said, I can totally see where a less DIY solution. VPNs fundamentally aren’t novel and there’s nothing wrong with Nord and similar products. (Although I don’t put any stock in the no logging claims)

                                                                                                                                                                                                              • yesterday at 7:55 PM

                                                                                                                                                                                                                • minton

                                                                                                                                                                                                                  yesterday at 8:43 PM

                                                                                                                                                                                                                  I had no idea Nord offered that and we’ve used them for years.

                                                                                                                                                                                                              • finnjohnsen2

                                                                                                                                                                                                                yesterday at 8:55 PM

                                                                                                                                                                                                                Tailscale is Canadian from what I can see, and not american. Which is a plus these days.

                                                                                                                                                                                                                  • andix

                                                                                                                                                                                                                    yesterday at 10:32 PM

                                                                                                                                                                                                                    Absolutely. We aren't allowed to introduce new services from US companies anymore. It's just too risky right now, who knows what's going to happen next in this trade war. What's happening to Canada and Mexico can happen to any country.

                                                                                                                                                                                                                • andix

                                                                                                                                                                                                                  yesterday at 9:42 PM

                                                                                                                                                                                                                  And it's Canadian. Cool. We have a policy now that doesn't allow us to bring in new services from US companies.

                                                                                                                                                                                                                    • steve_adams_86

                                                                                                                                                                                                                      today at 1:37 AM

                                                                                                                                                                                                                      Kind of:

                                                                                                                                                                                                                        Schedule A
                                                                                                                                                                                                                        Account                                               Tailscale Entity
                                                                                                                                                                                                                        Existing customer accounts as of September 2, 2024    Tailscale Inc., a Canadian business corporation
                                                                                                                                                                                                                        New customer accounts on or after September 3, 2024   Tailscale US Inc., a Delaware corporation
                                                                                                                                                                                                                      
                                                                                                                                                                                                                      My account is associated with Tailscale US Inc., unfortunately.

                                                                                                                                                                                                                      https://tailscale.com/terms

                                                                                                                                                                                                                      • andix

                                                                                                                                                                                                                        yesterday at 10:11 PM

                                                                                                                                                                                                                        Downvotes on this comment, nice. It's about reducing exposure in a possible trade war.

                                                                                                                                                                                                                    • textlapse

                                                                                                                                                                                                                      yesterday at 8:25 PM

                                                                                                                                                                                                                      Also, their building up on top of a 'platform' is wonderful: funnel, exit nodes, sharing, ssh, drive etc.

                                                                                                                                                                                                                      I wonder if they can figure out a way to distribute compute eventually via their network (not just clunky ssh): 'my' storage is already shared with 'my' nodes, why not 'my' compute? :)

                                                                                                                                                                                                                      Seems like a great company/business.

                                                                                                                                                                                                                        • bradfitz

                                                                                                                                                                                                                          yesterday at 11:54 PM

                                                                                                                                                                                                                          That was actually something we debated launching before Tailscale SSH but ended up doing Tailscale SSH first because the state problem for compute was annoying and we'd seen the App Engine etc progression through the problem space and knew it could be a time suck.

                                                                                                                                                                                                                          I still want to do it and we continue to brainstorm on the problem of state management and how to do it in an HA way, so you can run services where the compute bounces around some node in a set that's up and reachable on the tailnet but the state is durable and in sync between the nodes. It's a fun problem.

                                                                                                                                                                                                                            • textlapse

                                                                                                                                                                                                                              today at 1:20 AM

                                                                                                                                                                                                                              Looks like the layers are there for a Tailscale API: I could imagine writing a platform-independent Go 'app' that uses funnel+drive that could 'float' around the nodes.

                                                                                                                                                                                                                              Anyway, a fun problem (or worse, a solution looking for a problem as I couldn't immediately think of a problem that would require it just yet. May be distributed training and such)

                                                                                                                                                                                                                              Cool to see a bradfitz reply though!

                                                                                                                                                                                                                      • elevation

                                                                                                                                                                                                                        yesterday at 9:18 PM

                                                                                                                                                                                                                        Tailscale is becoming less useful as network providers become hostile to it.

                                                                                                                                                                                                                        Last week I noticed McDonalds guest wifi is blocking new connections over the tailscale control ports. It will pass wireguard mesh traffic for established sessions, but their firewall rules prevent you from establishing new ones.

                                                                                                                                                                                                                          • crims0n

                                                                                                                                                                                                                            yesterday at 9:28 PM

                                                                                                                                                                                                            It was for that reason OpenVPN set up in SSL mode over TCP 443 was king; a few years ago most firewalls could not distinguish it from regular TLS encrypted web traffic. These days with application layer "next gen" firewalls though, a zealous network administrator can distinguish between the two and block just the VPN connection if they so choose.

                                                                                                                                                                                                                              • kdmtctl

                                                                                                                                                                                                                                yesterday at 11:02 PM

                                                                                                                                                                                                                                Chinese V2Ray derivatives are indistinguishable from regular traffic and still penetrate the GFW but get detected when used for domestic services, which is not advised. Work best for short lived sessions in restrictive environments.

                                                                                                                                                                                                                            • drdaeman

                                                                                                                                                                                                                              today at 5:07 AM

                                                                                                                                                                                                                              Any Wireguard-based solutions are quickly becoming useless in modern hostile networks due to extreme simplicity of protocol detection. You need at least something like Shadowsocks (at minimum), or more likely XRay or VLESS and build the mesh yourself.

                                                                                                                                                                                                                              • devilbunny

                                                                                                                                                                                                                                today at 12:09 AM

                                                                                                                                                                                                                                So connect over cellular or personal hotspot, then connect to WiFi to avoid burning your data. This is definitely becoming more common.

                                                                                                                                                                                                                                I discovered the workaround purely by accident, when I took my laptop to work (which is unusual, it's a personal device not used for work but I needed to do some work on files that were on it). It was logged into my Tailscale when I last turned it on at the house and I discovered that it reconnected fine as long as it didn't have to do the authentication over the work network.

                                                                                                                                                                                                                                • parasubvert

                                                                                                                                                                                                                                  yesterday at 11:21 PM

                                                                                                                                                                                                                                  Are they blocking the global tailscale IP addresses / host names for their DERP relays? Tailscale will tunnel over HTTPS if it can’t establish a UDP relay.

                                                                                                                                                                                                                              • gerdesj

                                                                                                                                                                                                                                today at 3:10 AM

                                                                                                                                                                                                                VPNs are complicated and it's rarely a case of one is better than another.

                                                                                                                                                                                                                                Tools for the job, should be our watchword ... phrase 8)

                                                                                                                                                                                                                                IPSEC is somewhat old school but very solid - if you can do opportunistic IPSEC via DNS etc it can be rather nifty. You can also use FRRRRRRRRRRRR to do it routed. IPSEC with BINAT can be used to avoid issues involving duplicate network addressing.

                                                                                                                                                                                                                                I default to IPSEC for site to site links.

                                                                                                                                                                                                                                OpenVPN is more TCP/IP related compared to IPSEC - that's very simplified. You can easily set an IP address for a client and other niceties.

                                                                                                                                                                                                                                OpenVPN is superb for massive client deployment. If you have a central CA and can deploy certs on all devices eg via MS AD CA then you can use a single config file for all clients, which is a doddle to deploy via GPO.

                                                                                                                                                                                                                                Tailscale is the new kid on the block. As with all new kids you need to examine what works for you and you could be one person or an entire multi national.

                                                                                                                                                                                                                                The real world is rather messy. For example your home/office/corp network will almost certainly have a MTU of 1500 bytes. When you hit the internets it gets really messy. Some British Telecom links (for example) will support mini jumbo frames and some won't and the real world continues to get more and more complicated.

                                                                                                                                                                                                                                • buybackoff

                                                                                                                                                                                                                                  yesterday at 9:59 PM

                                                                                                                                                                                                                                  I used to expose my workstation RDP directly but with a non-standard port. Then I became a "homelabber", and paranoid, and added a mix of nginx with basic auth in front of Guacamole. The UX in browser is so abysmal that I used it to configure direct RDP when I really needed to work remotely when traveling. Then I learned Tailscale and it is really liberating. Just direct RDP with negligible (for me) risks. I run OneDrive, JetBrains Toolbox, Podman just visible in the tray and what else as services, such as OpenVPN, etc. I keep Tailscale running only when I travel. I think paranoia should stop at some point, yet I still read the top comment about security/trust very attentively.

                                                                                                                                                                                                                                  • freetime2

                                                                                                                                                                                                                                    today at 1:49 AM

                                                                                                                                                                                                                                    I'm thinking about exposing some services outside of my LAN, and wondering whether it would be better to go with Tailscale or Cloudflare Tunnel [1]. At a high level both solutions seem pretty similar, with a client service running on the machine you want to share.

                                                                                                                                                                                                                                    My sense is that tailscale makes sense for a more locked-down service that is not accessible to the general public (although they do have a way to open up access to the world [4], it felt like more of a temporary thing than a permanent solution when I was looking into it).

                                                                                                                                                                                                                                    And Cloudflare is more for exposing a service to the world, with support for a custom domain name, DDoS protection and other IP blocking features, etc. Cloudflare does have a "Zero Trust Network Access" product that I think might offer similar functionality to Tailscale, but honestly pretty hard to tell what it does from their website or how hard it would be to set up.

                                                                                                                                                                                                                                    They both have free tiers that are pretty generous for "homelab" use cases. [2][3]

                                                                                                                                                                                                                                    Does that sound pretty much correct? Are Tailscale and Cloudflare competitors with a lot of overlapping functionality? Or are they mostly distinct products serving different use cases/markets?

                                                                                                                                                                                                                                    [1] https://developers.cloudflare.com/cloudflare-one/connections...

                                                                                                                                                                                                                                    [2] https://tailscale.com/pricing

                                                                                                                                                                                                                                    [3] https://www.cloudflare.com/plans/

                                                                                                                                                                                                                                    [4] https://tailscale.com/kb/1223/funnel

                                                                                                                                                                                                                                      • aborsy

                                                                                                                                                                                                                                        today at 3:14 AM

                                                                                                                                                                                                                                        Cloudflare Access is a reverse proxy: you encrypt to Cloudflare, Cloudflare decrypts and scans the traffic, Cloudflare re encrypts to the origin server.

                                                                                                                                                                                                                                        So, traffic is not end to end encrypted (Cloudflare man-in-the-middles the traffic). That’s the reason we didn’t use it. Otherwise it’s a good service.

                                                                                                                                                                                                                                        • briHass

                                                                                                                                                                                                                                          today at 6:13 AM

                                                                                                                                                                                                                                          Good luck with CF's Tunnel. It may have been the complexity of my network at work, but I wasted a day trying to get that to work. Endless web setup 'wizards' and clicking around different components and their settings in the CF portal. It felt like trying to build out a moderately complicated cloud infra environment.

                                                                                                                                                                                                                                          Tailscale is dead simple, even to create 'routers' that act more like a VPN appliance inside your network. It really does feel like something Apple would've come out with in their heyday: missing advanced features for power users, but somehow able to deliver what feels like magic with minimal setup.

                                                                                                                                                                                                                                      • KronisLV

                                                                                                                                                                                                                                        today at 1:01 AM

                                                                                                                                                                                                                                        I previously used WireGuard and for a bit tried just having an SSH tunnel with autossh, but in the end just settled on using Tailscale, because it doesn’t ask me to manually manage the keys and also doesn’t drop around every 30 minutes for a bit and doesn’t need weird hacks to expose ports for my Docker network traffic.

                                                                                                                                                                                                                                        That said, what messed with me greatly was the fact that Tailscale seems to have an MTU of 1280 whereas Docker by default had 1500, which led to inexplicably dropped overlay traffic with nonsensical log messages in my reverse proxy web server.

                                                                                                                                                                                                                                        Basically, I had to delete docker_gwbridge and recreate it with some specific options: https://docs.docker.com/engine/swarm/networking/#customize-t...

                                                                                                                                                                                                                                        It was quite the mess. I have no idea why Docker couldn’t just figure out that it needs the smaller MTU by itself, cause it listens for the Swarm on an interface that’s related to Tailscale and it can see what MTU that has.

                                                                                                                                                                                                                                        Still, Tailscale in and of itself is pretty nice.

                                                                                                                                                                                                                                          • vetrom

                                                                                                                                                                                                                                            today at 1:29 AM

                                                                                                                                                                                                                                            tldr - wireguard doesn't do per-peer MTU: https://www.wireguard.com/todo/#per-peer-pmtu

                                                                                                                                                                                                                                            It's due to some strangeness in general with TCP/IP layers that don't forward PMTU discovery ICMP messages. You'll see the same thing in some cell networks, and WireGuard is particularly fragile here, because WireGuard itself doesn't have a PMTU discovery mechanism.

                                                                                                                                                                                                                                            Or, to be more exact, wireguard currently doesn't have a method to 'bubble up' a PMTU process to the inner wireguard interface from mtu-impacting events in its outer layer.

                                                                                                                                                                                                                                            There's hacks like https://github.com/luizluca/wireguard-ipv6-pmtu/blob/main/wi... that try to handle this by monitoring outer route discovered MTUs and then applying them to wireguard routes.

                                                                                                                                                                                                                                            In applications where I've had to deal with this (wireguard over cellmodem networks), I tool my network setup to poll whatever the cell network mtu happens to be and then set the wireguard MTU appropriately.

                                                                                                                                                                                                                                            This gets really painful though if you think you wanna do something like run a network that really wants a >1280 MTU over Tailscale. It's pretty much not doable, and it is, in fact, my biggest gripe with Tailscale. Yes, it's suboptimal for the 'whole-internet' use case, but I really do want my WireGuard links to be 9000 MTU.

                                                                                                                                                                                                                                            Maybe wireguard will get that in the future, since it is an acknowledged problem. I bet someone in the conjunction of secure networking and HPC spaces could even justify paying the wireguard team to implement it.
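The two MTU problems above (a Docker overlay dropping traffic inside a 1280-byte Tailscale tunnel, and a WireGuard link over a cell modem whose outer MTU changes) come down to the same arithmetic: subtract the encapsulation overhead from whatever the outer link carries. The script below is an added example, not code from the thread, Tailscale or WireGuard; it uses the fixed overheads of WireGuard (60 bytes over IPv4, 80 over IPv6, which is why WireGuard's default MTU is 1420) and of VXLAN-based Docker overlays (50 bytes). The interface names wwan0 and wg0 and the ten-second poll interval are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread, Tailscale or WireGuard): derive the MTU
# for a WireGuard interface, and for a Docker overlay that must cross it,
# from the outer path MTU. Overheads used:
#   WireGuard over IPv4: 20 (IP) + 8 (UDP) + 32 (WG header + Poly1305 tag) = 60
#   WireGuard over IPv6: 40 (IP) + 8 (UDP) + 32                           = 80
#   Docker overlay (VXLAN): 14 (Ethernet) + 20 (IP) + 8 (UDP) + 8 (VXLAN)  = 50

# MTU a WireGuard interface can carry over an outer link of $1 bytes.
# $2 is the outer IP family (4 or 6); defaults to 6, the conservative
# choice and the one WireGuard's default 1420 assumes for a 1500 link.
wg_mtu_for_outer() {
    outer=$1
    family=${2:-6}
    case $family in
        4) overhead=60 ;;
        6) overhead=80 ;;
        *) echo "unknown IP family: $family" >&2; return 1 ;;
    esac
    mtu=$((outer - overhead))
    # 1280 is the IPv6 minimum link MTU; a tunnel smaller than that cannot
    # carry IPv6 at all, so report it as a failure rather than a number.
    if [ "$mtu" -lt 1280 ]; then
        echo "outer MTU $outer leaves only $mtu bytes for the tunnel" >&2
        return 1
    fi
    echo "$mtu"
}

# MTU for a VXLAN-based Docker overlay (swarm overlay / docker_gwbridge)
# whose encapsulated frames must fit inside a tunnel of $1 bytes.
# For a Tailscale tunnel of 1280 this gives 1230.
overlay_mtu_for_tunnel() {
    echo $(($1 - 50))
}

# Current MTU of a kernel interface (Linux sysfs).
iface_mtu() {
    cat "/sys/class/net/$1/mtu"
}

# Poll the outer link (e.g. a cell modem) and resize the WireGuard interface
# whenever the outer MTU changes. Needs CAP_NET_ADMIN for `ip link set`.
# Usage (assumed interface names): track_wg_mtu wwan0 wg0 4
track_wg_mtu() {
    outer_if=$1 wg_if=$2 family=${3:-6} last=""
    while :; do
        outer=$(iface_mtu "$outer_if") || break
        if [ "$outer" != "$last" ]; then
            if new=$(wg_mtu_for_outer "$outer" "$family"); then
                ip link set dev "$wg_if" mtu "$new"
                echo "$outer_if mtu=$outer -> $wg_if mtu=$new"
            fi
            last=$outer
        fi
        sleep 10
    done
}
```

For the Docker case the number from overlay_mtu_for_tunnel is what goes into the driver option (com.docker.network.driver.mtu) when recreating docker_gwbridge as in the Docker page linked above; nothing in Docker derives it automatically, which is the complaint in the comment. The polling loop is the manual stand-in for the per-peer PMTU feature WireGuard does not yet have: it only reacts to the local link's MTU, not to a smaller hop further along the path, so a path that shrinks mid-way still needs the outer-route monitoring hack mentioned above.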

                                                                                                                                                                                                                                        • bb88

                                                                                                                                                                                                                                          yesterday at 8:00 PM

                                                                                                                                                                                                                                          I think for simple cases, it's great. If you have remote boxes somewhere that need administration, it's awesome.

                                                                                                                                                                                                                                          If you have more complex cases, the IPTables/Netfilter rules make it vastly more difficult to manage, particularly if you're running docker-compose (or anything using IPTables rules) on the same box and trying to troubleshoot the packets coming out of docker and going into tailscale.

                                                                                                                                                                                                                                          And then trying to figure out what tailscale is doing with your packets is not great either. They've also broken features I relied upon with a minor release.

                                                                                                                                                                                                                                          Their nat traversal doesn't always work, as sometimes I get connected to a DERP server, so that limits the network speeds across the internet.

                                                                                                                                                                                                                                          I blame CG-NAT quite a bit -- it's really why we can't have nice things these days -- and I get tailscale is trying to fix a bunch of that. But the reality is, I just want an interface just like eth0 or wl0, not an IT infrastructure to move my packets across.

                                                                                                                                                                                                                                          • jd3

                                                                                                                                                                                                                                            yesterday at 11:06 PM

                                                                                                                                                                                                                                            I tried using tailscale to share my hdhomerun prime tuners over the internet, but sadly, it doesn't seem to work due to Tailscale's lack of support for mDNS lookups[0][1]. You can't just forward the port b/c the hdhr device packets have a ttl of 1 hop (and, while you could change the ttl through iptables, that seems like a lot of trouble).

                                                                                                                                                                                                                                            I can open a stream manually through http://192.168.1.189:5004/auto/v600 while connected to tailscale (w/ my apple tv in-home as an exit node) on my laptop outside of the house, but when I open the HDHR/Channels apps, they can't detect the HDHR tuner itself.

                                                                                                                                                                                                                                            Apparently this "just works" with openvpn, so I've been thinking about just switching back to that.

                                                                                                                                                                                                                                            [0]: https://github.com/tailscale/tailscale/issues/1013

                                                                                                                                                                                                                                            [1]: https://old.reddit.com/r/HDHR/comments/z8byns/watching_remot...

                                                                                                                                                                                                                                            • Nemo_bis

                                                                                                                                                                                                                                              today at 6:07 AM

                                                                                                                                                                                                                                              > I know its local IP address and can ssh into it easily when I’m home, but when I’m outside, that’s not possible as it’s not exposed to the internet.

                                                                                                                                                                                                                                              I never understood this problem. I just create a Tor hidden service when I want to ssh into a machine behind a firewall.
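The onion-service route mentioned above, written out as an added example (not from the thread or the Tor project): the machine behind the firewall publishes its local sshd as a v3 onion service, and the client routes ssh through Tor's SOCKS proxy so no inbound port or public IP is needed. Assumptions: tor and ncat are installed, Tor's SOCKS port is the default 127.0.0.1:9050, and the service directory and user names are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread or Tor): reach sshd behind NAT/firewall
# through a Tor v3 onion service. Assumes tor and ncat are installed and
# Tor's SOCKS proxy listens on the default 127.0.0.1:9050.

# torrc fragment for the server side. sshd keeps listening on 127.0.0.1:22
# only; Tor publishes it as port 22 of the onion address. $1 is the
# directory Tor keeps the service keys and hostname in (assumed path).
# For a private service also drop client public keys into
# $1/authorized_clients/ so only holders of a matching key can connect.
onion_ssh_torrc() {
    cat <<EOF
HiddenServiceDir $1
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# Once tor has started, the onion address is in $1/hostname; that is the
# value to hand to the client side. $1 is the HiddenServiceDir.
onion_hostname() {
    cat "$1/hostname"
}

# ssh_config block for the client: ncat tunnels the connection through
# Tor's SOCKS5 proxy, so ssh never resolves or dials the .onion itself.
# $1 = onion hostname, $2 = remote user.
onion_ssh_config() {
    cat <<EOF
Host $1
    User $2
    ProxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
    StrictHostKeyChecking yes
EOF
}

# Usage (assumed values):
#   onion_ssh_torrc /var/lib/tor/ssh >> /etc/tor/torrc   # on the server
#   onion_ssh_config "$(onion_hostname /var/lib/tor/ssh)" alice >> ~/.ssh/config
```

The onion address authenticates the service end (it is derived from the service's public key), but StrictHostKeyChecking still matters: record the sshd host key out of band the first time so a compromised Tor client or a typo in the address cannot silently land you on a different box.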

                                                                                                                                                                                                                                              • cmstoken

                                                                                                                                                                                                                                                today at 4:50 AM

                                                                                                                                                                                                                                                Site looks down. Archive link: https://archive.is/OtRtF

                                                                                                                                                                                                                                                • smy20011

                                                                                                                                                                                                                                                  yesterday at 8:10 PM

                                                                                                                                                                                                                                                  I use tailscale to build my personal podcast that includes local weather and stocks I'm interested in. Running the whole pipeline on a Steam Deck and using tailscale to securely deliver the generated podcast to my phone.

                                                                                                                                                                                                                                                    • yjftsjthsd-h

                                                                                                                                                                                                                                                      yesterday at 8:34 PM

                                                                                                                                                                                                                                                      How are you going from weather and stock information to a podcast? Is there some sort of TTS step there?

                                                                                                                                                                                                                                                        • smy20011

                                                                                                                                                                                                                                                          yesterday at 10:08 PM

                                                                                                                                                                                                                                                          Yeah, fully local LLM+TTS setup.

                                                                                                                                                                                                                                                          Use jupyter notebook to fetch the stock and weather info and feed that into a local LLM and convert that to speech using opensource TTS.

                                                                                                                                                                                                                                                          https://github.com/smy20011/MorningRadio

                                                                                                                                                                                                                                                          • frotaur

                                                                                                                                                                                                                                                            yesterday at 9:10 PM

                                                                                                                                                                                                                                                            See notebookLM, as an example

                                                                                                                                                                                                                                                        • necessary

                                                                                                                                                                                                                                                          yesterday at 8:37 PM

                                                                                                                                                                                                                                                          What is the delivery mechanism?

                                                                                                                                                                                                                                                    • melson

                                                                                                                                                                                                                                                      today at 6:51 AM

                                                                                                                                                                                                                                                      We can also try to selfhost this https://github.com/openp2p-cn/openp2p

                                                                                                                                                                                                                                                      • raaron773

                                                                                                                                                                                                                                                        today at 12:37 AM

                                                                                                                                                                                                                                                        Tailscale is great but one thing I don't like about it is that I cannot re-use IP addresses. This feature is offered by ZeroTier; it can be very useful if for some reason you have to format and re-install the OS and everything. Unfortunately, I cannot use ZeroTier because the speed I get over it is terrible.

                                                                                                                                                                                                                                                        • pierluc-works

                                                                                                                                                                                                                                                          yesterday at 9:58 PM

                                                                                                                                                                                                                                                          Does anyone have some insight why installing security/tailscale on freebsd is installing security/ca_root_nss which contains a very scary message?

                                                                                                                                                                                                                                                          https://github.com/freebsd/freebsd-ports/blob/ec981e26cd3128...

                                                                                                                                                                                                                                                            • treve

                                                                                                                                                                                                                                                              today at 6:43 AM

                                                                                                                                                                                                                                                              The error message is somewhat self explanatory. Tailscale installs new root certs. Freebsd does not endorse them. You're giving complete trust to tailscale.

                                                                                                                                                                                                                                                              In case that wasn't helpful, maybe you have a more specific question

                                                                                                                                                                                                                                                          • valcron1000

                                                                                                                                                                                                                                                            today at 1:28 AM

                                                                                                                                                                                                                                                            I have to point out that their online videos are amazing to leaen how to quickly set up certain features like SSH. In less than 5 minutes I had VSCode on a Macbook Air connected to my desktop machine running Linux on a completely different network.

                                                                                                                                                                                                                                                            • pkulak

                                                                                                                                                                                                                                                              today at 3:22 AM

                                                                                                                                                                                                                                                              I set up a Wireguard tunnel into my home network years ago, before Tailscale was really a thing, and I always wonder if I should switch, but I can never make the effort worth it in my head. If I was starting all over, I'd go Tailscale for sure, but a single tunnel really gets me 99% of the way there.

                                                                                                                                                                                                                                                              • MasterYoda

                                                                                                                                                                                                                                                                yesterday at 9:14 PM

                                                                                                                                                                                                                                                                Is there any simple FOSS alternative to tailscale that you can self-host?

                                                                                                                                                                                                                                                                The only thing I need is to simply connect to the home network and I dont want to need to open and forward ports etc in routers and firewalls for it to work, just something simple plug and play and is secure.

                                                                                                                                                                                                                                                                  • mfro

                                                                                                                                                                                                                                                                    yesterday at 9:20 PM

                                                                                                                                                                                                                                                                    It's functionally just a VPN. Selfhosting wireguard or openvpn is not particularly difficult.

                                                                                                                                                                                                                                                                      • wkat4242

                                                                                                                                                                                                                                                                        yesterday at 10:35 PM

                                                                                                                                                                                                                                                                        No it's not the same as normal wireguard with some 'just works' config sauce. Devices can connect directly and also find the best way to do it. For example two devices in the same office will create a direct path between them without having to go through the off-site vpn server.

                                                                                                                                                                                                                                                                        At this mesh vpn is really good.

                                                                                                                                                                                                                                                                        • knowaveragejoe

                                                                                                                                                                                                                                                                          yesterday at 9:50 PM

                                                                                                                                                                                                                                                                          It uses Wireguard, sure, but it's using a coordination service to give you a effectively a flat network mesh instead of hub and spoke.

                                                                                                                                                                                                                                                                      • duskwuff

                                                                                                                                                                                                                                                                        yesterday at 9:32 PM

                                                                                                                                                                                                                                                                        Yes - https://headscale.net/

                                                                                                                                                                                                                                                                        Fully compatible with Tailscale client binaries; it just replaces the control server.

                                                                                                                                                                                                                                                                        • knowaveragejoe

                                                                                                                                                                                                                                                                          yesterday at 9:49 PM

                                                                                                                                                                                                                                                                          > The only thing I need is to simply connect to the home network and I dont want to need to open and forward ports etc in routers and firewalls for it to work, just something simple plug and play and is secure

                                                                                                                                                                                                                                                                          That's tailscale, basically. Install on devices and they can magically talk to each other across the internet with no other configuration.

                                                                                                                                                                                                                                                                          If you really want to, you can run headscale and manage the coordination plane yourself as well.

                                                                                                                                                                                                                                                                          https://github.com/juanfont/headscale

                                                                                                                                                                                                                                                                      • yegle

                                                                                                                                                                                                                                                                        yesterday at 8:08 PM

                                                                                                                                                                                                                                                                        CGNAT _can_ make it easier to access your server.

                                                                                                                                                                                                                                                                        If your Internet provider and your mobile provider is the same company, they could put all your connected devices in the same IP block within the CGNAT IP range.

                                                                                                                                                                                                                                                                        Now, not only you can access your device at home while away using your cellphone, you can also connect to your partner's phone with the same IP address at (or away from) home.

                                                                                                                                                                                                                                                                        Some Internet providers in China very recently started providing this service, e.g. https://www.chiphell.com/thread-2666772-1-1.html (in Chinese). In addition to the convenience of accessing your home server while on the go, they also make the traffic within the CGNAT free.

                                                                                                                                                                                                                                                                          • klabb3

                                                                                                                                                                                                                                                                            yesterday at 8:39 PM

                                                                                                                                                                                                                                                                            Easier than what? You mean it can in these special cases become like not having a CGNAT?

                                                                                                                                                                                                                                                                            > they also make the traffic within the CGNAT free

                                                                                                                                                                                                                                                                            So.. both data caps and breaking the principle of net neutrality?

                                                                                                                                                                                                                                                                              • yegle

                                                                                                                                                                                                                                                                                yesterday at 8:53 PM

                                                                                                                                                                                                                                                                                Easier than asking family members to install a new software, then ask them to share their "node" to you.

                                                                                                                                                                                                                                                                                Imagine you can remote desktop connect to your parents' computer after their phone call.

                                                                                                                                                                                                                                                                                The data cap is on your cell service (the US also has that). Net neutrality is debatable given the traffic is between my own devices so presumably no one gets hurt (think of accessing and streaming from your NAS at home).

                                                                                                                                                                                                                                                                            • genewitch

                                                                                                                                                                                                                                                                              yesterday at 8:31 PM

                                                                                                                                                                                                                                                                              Lol I will be seriously surprised if at&t offers this, but I can see the tmo starlink thing potentially doing it.

                                                                                                                                                                                                                                                                              I signed up for the tmo beta even though I am not a tmo subscriber. Now I have a cool thing to test, can I access my behind-starlink stuff from my cellphone?

                                                                                                                                                                                                                                                                              • apitman

                                                                                                                                                                                                                                                                                yesterday at 9:30 PM

                                                                                                                                                                                                                                                                                This is actually pretty interesting

                                                                                                                                                                                                                                                                            • scottfits

                                                                                                                                                                                                                                                                              today at 12:37 AM

                                                                                                                                                                                                                                                                              super useful, at airgarage we have a network of license plate readers deployed around the country and tailscale is a game changer for remote access and debugging. https://www.airgarage.com/capabilities/license-plate-recogni...

                                                                                                                                                                                                                                                                              • CharlesW

                                                                                                                                                                                                                                                                                yesterday at 8:58 PM

                                                                                                                                                                                                                                                                                Networking SmartFriends: Is port forwarding intrinsically a bad idea (as compared to using Tailscale Funnel) from a security perspective if I want to expose, say, a Plex server running on my NAS to the outside world?

                                                                                                                                                                                                                                                                                  • amlib

                                                                                                                                                                                                                                                                                    yesterday at 11:54 PM

                                                                                                                                                                                                                                                                                    The main question is weather you want to share something like a Plex server with other people and force/convince them to essentially install a VPN to do so (which usually mean other VPNs are out of the game. You can't, for example, have Tailscale work alongside an adblock VPN in Android). To me thats a deal breaker and quite a burden to the people who want to access it. You are better off putting all those services behind a reverse proxy with a cert from let's encrypt.

                                                                                                                                                                                                                                                                                  • arsome

                                                                                                                                                                                                                                                                                    yesterday at 9:24 PM

                                                                                                                                                                                                                                                                                    It's largely equivalent here - you're just exposing something via a tunnel rather than directly via your home IP.

                                                                                                                                                                                                                                                                                    That could have benefits, for example, if you're concerned about a DDoS attack on that service taking your home internet out, you may be able to work around it like this. But it won't mitigate a gaping hole in the underlying service which you're still exposing.

                                                                                                                                                                                                                                                                                    It could also have drawbacks, like limited bandwidth and higher latency, which would make it highly unsuitable for something like a game server.

                                                                                                                                                                                                                                                                                    • zamadatix

                                                                                                                                                                                                                                                                                      yesterday at 10:59 PM

                                                                                                                                                                                                                                                                                      The Funnel won't add secure activity to what happens inside the connection itself.

                                                                                                                                                                                                                                                                                      • sieabahlpark

                                                                                                                                                                                                                                                                                        yesterday at 9:08 PM

                                                                                                                                                                                                                                                                                        [dead]

                                                                                                                                                                                                                                                                                    • sotix

                                                                                                                                                                                                                                                                                      today at 12:28 AM

                                                                                                                                                                                                                                                                                      I don’t understand why one would use Tailscale over WireGuard. Is it because it’s easier to setup sort of like how Dropbox was? I’m primarily wary of the rug being pulled out and Tailscale suddenly costing me a lot of money whereas my WireGuard setup seems more stable in the long term.

                                                                                                                                                                                                                                                                                      Or is there more to it that I’m missing?

                                                                                                                                                                                                                                                                                        • qwerpy

                                                                                                                                                                                                                                                                                          today at 1:31 AM

                                                                                                                                                                                                                                                                                          I'm in the same boat. I set up wireguard network on my unraid server at my main house. Then set up a network to network bridge to another unraid server at my other house. My devices (really just my phone) can use either a phone to LAN connection or a complete tunneled connection to my server, from anywhere. My devices at either of my houses behave as if they're on the same network.

                                                                                                                                                                                                                                                                                          It wasn't very intuitive to set up but it took less than an hour and it has worked flawlessly for years. Unraid definitely made it a bit easier. Seems Tailscale almost completely solves that complexity for the initial setup and each additional device.

                                                                                                                                                                                                                                                                                          • christina97

                                                                                                                                                                                                                                                                                            today at 12:32 AM

                                                                                                                                                                                                                                                                                            Yes: much easier to set up. It also provides a backup relay node system in case it can’t establish direct connection between your devices.

                                                                                                                                                                                                                                                                                            When you set up wireguard you have to update every system’s config to add a new device, Tailscale does this for you. That’s the key thing.

                                                                                                                                                                                                                                                                                            • rainsford

                                                                                                                                                                                                                                                                                              today at 12:48 AM

                                                                                                                                                                                                                                                                                              Wireguard is not an alternative to Tailscale, any more than FTP is an alternative to Dropbox. And not just because Tailscale actually uses Wireguard under the hood. Also if your comment is a sarcastic callback to the "why don't you just use FTP" comments when Dropbox came out, well done.

                                                                                                                                                                                                                                                                                              Wireguard is a great VPN protocol, but what the basic protocol doesn't do is make it transparently easy to use in a wide variety of edge cases without having to reconfigure anything. If all I want is two devices to be able to talk to each other, at least one of which is in a fixed location where I have total control over the network, then yeah, raw Wireguard is probably a decent solution. If I want to do anything else, I need a management layer on top of Wireguard, and Tailscale is by far the best solution for that out there.

                                                                                                                                                                                                                                                                                              As a thought exercise, consider a home network where a laptop connects to a NAS to store media files. I take the laptop to some random destination and connect it to hotel WiFi, while someone else takes the NAS to a totally different hotel and connects it to the WiFi. With Tailscale, the laptop can immediately directly access the NAS without even having to change the mount point. Think about what it would take to set up similar functionality with raw Wireguard. I'm not saying this is a common scenario, or that you can't do the same thing manually. But the fact that such a setup would just work is pretty impressive.

                                                                                                                                                                                                                                                                                              • 2OEH8eoCRo0

                                                                                                                                                                                                                                                                                                today at 12:29 AM

                                                                                                                                                                                                                                                                                                Tailscale uses wireguard

                                                                                                                                                                                                                                                                                            • etc-hosts

                                                                                                                                                                                                                                                                                              yesterday at 10:28 PM

                                                                                                                                                                                                                                                                                              I self-host Tailscale with Headscale; I used a Helm chart in a k8s cluster, works great.

                                                                                                                                                                                                                                                                                              I ran into a corporate network recently that blocked the Tailscale DERP servers.

                                                                                                                                                                                                                                                                                              • sheepscreek

                                                                                                                                                                                                                                                                                                today at 1:07 AM

                                                                                                                                                                                                                                                                                                Been using it since the early days and it has become a core tool in my arsenal. Tailscale along with 5G and RDP or Parsec means I have access to my powerful home server and primary dev machine no matter where I am. Can even access it on my iPhone (only RDP).

                                                                                                                                                                                                                                                                                                  • 0xFF0123

                                                                                                                                                                                                                                                                                                    today at 1:13 AM

                                                                                                                                                                                                                                                                                                    Parsec have a mobile app as well

                                                                                                                                                                                                                                                                                                • forty

                                                                                                                                                                                                                                                                                                  yesterday at 8:14 PM

                                                                                                                                                                                                                                                                                                  Does it have "entry nodes"? For example, if I wanted to receive emails on my server while my home connection does not have an open port 25.

                                                                                                                                                                                                                                                                                                    • Duralias

                                                                                                                                                                                                                                                                                                      yesterday at 9:08 PM

                                                                                                                                                                                                                                                                                                      They don't host anything like that; DERP servers are, aside from Funnel, internal to the Tailscale network.

                                                                                                                                                                                                                                                                                                      But you can proxy traffic using a VPS really easily, which is basically the reverse of exit nodes.
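The VPS proxy Duralias describes above (the reverse of an exit node: a public host on the tailnet accepting port 25 and handing each connection to the home server), as an added example that is not from this thread and is not Tailscale's or Headscale's code. It is a small asyncio TCP relay; the listen address, the hypothetical tailnet IP 100.64.0.5 of the home mail server and the hostname in the self-test payload are assumptions. The loopback self-test stands up a throwaway echo server so the block runs offline.

```python
import asyncio

# Assumed addresses (not from the thread): the VPS listens publicly on :25 and
# forwards every connection to the home MTA's tailnet address.
PUBLIC_LISTEN = ("0.0.0.0", 25)
HOME_MTA = ("100.64.0.5", 25)   # hypothetical tailnet IP of the home mail server


async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination so the far end
    sees the close too (each direction runs as its own task)."""
    try:
        while True:
            chunk = await src.read(65536)
            if not chunk:
                break
            dst.write(chunk)
            await dst.drain()
    except ConnectionError:
        pass
    finally:
        dst.close()


async def _handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter,
                  target: tuple[str, int]) -> None:
    """One inbound connection: dial the tailnet peer, then splice both directions."""
    try:
        up_r, up_w = await asyncio.open_connection(*target)
    except OSError:
        client_w.close()   # peer unreachable over the tailnet: refuse, don't hang the sender
        return
    await asyncio.gather(_pump(client_r, up_w), _pump(up_r, client_w),
                         return_exceptions=True)


async def start_relay(listen: tuple[str, int], target: tuple[str, int]):
    """Start the relay server; returns the asyncio server object."""
    return await asyncio.start_server(lambda r, w: _handle(r, w, target), *listen)


# ---- loopback self-test (constructed; stands in for the real MTA) ----
async def _echo_line(r: asyncio.StreamReader, w: asyncio.StreamWriter) -> None:
    w.write(await r.readline())
    await w.drain()
    w.close()


async def _selftest(payload: bytes) -> bytes:
    echo = await asyncio.start_server(_echo_line, "127.0.0.1", 0)
    echo_port = echo.sockets[0].getsockname()[1]
    relay = await start_relay(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    relay_port = relay.sockets[0].getsockname()[1]
    r, w = await asyncio.open_connection("127.0.0.1", relay_port)
    w.write(payload)
    await w.drain()
    got = await r.readline()      # comes back through relay -> echo -> relay
    w.close()
    echo.close()
    relay.close()
    return got


def relay_selftest(payload: bytes = b"EHLO mail.example.net\r\n") -> bytes:
    """Bytes sent into the relay are returned unchanged by the echo server behind it."""
    return asyncio.run(_selftest(payload))


async def _serve() -> None:
    server = await start_relay(PUBLIC_LISTEN, HOME_MTA)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    assert relay_selftest() == b"EHLO mail.example.net\r\n"
    asyncio.run(_serve())   # needs root or CAP_NET_BIND_SERVICE for port 25
```

The caveat for mail specifically: the home MTA sees every connection as coming from the VPS's tailnet address, so anything keyed on the client IP (reverse DNS checks, greylisting, per-client rate limits) no longer works. If the MTA supports the PROXY protocol (Postfix's postscreen does), prepending that header in the relay is the usual fix; a kernel DNAT rule on the VPS is the other common approach.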

                                                                                                                                                                                                                                                                                                      • anderiv

                                                                                                                                                                                                                                                                                                        yesterday at 8:16 PM

                                                                                                                                                                                                                                                                                                        Tailscale Funnel could likely do this.

                                                                                                                                                                                                                                                                                                  • ctm92

                                                                                                                                                                                                                                                                                                    yesterday at 10:19 PM

                                                                                                                                                                                                                                                                                                    Tailscale is super awesome. I was amazed when I first set it up that it just worked out of the box. It can be set up by everyone without having to expose ports on the router (something that is often not even possible anymore due to CGNAT), so you get a lot of convenience without giving up security.

                                                                                                                                                                                                                                                                                                    • datadeft

                                                                                                                                                                                                                                                                                                      yesterday at 11:38 PM

                                                                                                                                                                                                                                                                                                      It is one of the tools I use as well and I pay for it. It makes life so much easier. At work we have to test a lot of country-dependent settings and with TS and Mullvad it is very simple. I can also access my home network easily.

                                                                                                                                                                                                                                                                                                        • samstave

                                                                                                                                                                                                                                                                                                          yesterday at 11:40 PM

                                                                                                                                                                                                                                                                                                          > I can also access my home network easily.

                                                                                                                                                                                                                                                                                                          expand plz

                                                                                                                                                                                                                                                                                                        • etra0

                                                                                                                                                                                                                                                                                                          yesterday at 8:50 PM

                                                                                                                                                                                                                                                                                                          I work 1000+ km away from home, and I work in shifts; Tailscale has helped me a lot with running stuff back at home.

                                                                                                                                                                                                                                                                                                          I was even able to stream my games through the tunnel with a (decent enough) latency of 27ms with variance of 2ms.

                                                                                                                                                                                                                                                                                                          Admittedly, I could buy a gaming laptop, but I don't want to carry a heavy laptop 4 times a month :P

                                                                                                                                                                                                                                                                                                          • boldlybold

                                                                                                                                                                                                                                                                                                            yesterday at 10:21 PM

                                                                                                                                                                                                                                                                                                            Tailscale is great. I put my whole company on it shortly after joining (we had some servers with RDP exposed to the internet...). It has had ~0 problems in the last year, and non-technical people are able to use it with ease.

                                                                                                                                                                                                                                                                                                            • ezekg

                                                                                                                                                                                                                                                                                                              yesterday at 8:28 PM

                                                                                                                                                                                                                                                                                                              > I have used Tailscale only for personal reasons so far, using the free tier; they have enterprise plans for enterprise use cases that I have no idea about.

                                                                                                                                                                                                                                                                                                              Does anybody know of any good materials on the enterprise use cases and configs? e.g. blogs, screencasts, etc.

                                                                                                                                                                                                                                                                                                                • CharlesW

                                                                                                                                                                                                                                                                                                                  yesterday at 8:53 PM

                                                                                                                                                                                                                                                                                                                  This seems like a good place to start: https://tailscale.com/blog/patterns-from-the-field-use-cases

                                                                                                                                                                                                                                                                                                                    • ezekg

                                                                                                                                                                                                                                                                                                                      yesterday at 9:20 PM

                                                                                                                                                                                                                                                                                                                      I guess more specifically, I've been looking for material on k8s machine-to-machine networking using Tailscale.

                                                                                                                                                                                                                                                                                                                        • lakomen

                                                                                                                                                                                                                                                                                                                          yesterday at 10:25 PM

                                                                                                                                                                                                                                                                                                                          Talos has something about Wireguard, but I never used it in the k8s context

                                                                                                                                                                                                                                                                                                                • jerryoftheyear

                                                                                                                                                                                                                                                                                                                  today at 1:10 AM

                                                                                                                                                                                                                                                                                                                  I absolutely love Tailscale, it's been a game changer for accessing my home gear from anywhere.

                                                                                                                                                                                                                                                                                                                  • yamrzou

                                                                                                                                                                                                                                                                                                                    yesterday at 8:14 PM

                                                                                                                                                                                                                                                                                                                    Is there an alternative to Tailscale with a lower memory footprint? I wanted to run Tailscale on a small router, but it failed due to out-of-memory (OOM) issues.

                                                                                                                                                                                                                                                                                                                      • ash

                                                                                                                                                                                                                                                                                                                        yesterday at 8:59 PM

                                                                                                                                                                                                                                                                                                                        Have you tried the "Smaller binaries" instructions? https://tailscale.com/kb/1207/small-tailscale

                                                                                                                                                                                                                                                                                                                          • frontsideair

                                                                                                                                                                                                                                                                                                                            today at 7:08 AM

                                                                                                                                                                                                                                                                                                                            Thanks, this could’ve worked for my Raspberry Pi! I would’ve tried it if it was still in commission. Next time?

                                                                                                                                                                                                                                                                                                                            • yamrzou

                                                                                                                                                                                                                                                                                                                              yesterday at 9:03 PM

                                                                                                                                                                                                                                                                                                                              No, thank you. I'll try it.

                                                                                                                                                                                                                                                                                                                          • NexRebular

                                                                                                                                                                                                                                                                                                                            yesterday at 8:42 PM

                                                                                                                                                                                                                                                                                                                            Maybe Nebula? You can do one yaml config file with all the certificates and firewall rules making it easy to script device provisioning too.

                                                                                                                                                                                                                                                                                                                          • caconym_

                                                                                                                                                                                                                                                                                                                            yesterday at 8:35 PM

                                                                                                                                                                                                                                                                                                                            Wireguard?

                                                                                                                                                                                                                                                                                                                              • yamrzou

                                                                                                                                                                                                                                                                                                                                yesterday at 9:01 PM

                                                                                                                                                                                                                                                                                                                                Wireguard doesn't do NAT traversal on its own, which is, IMHO, the killer feature of Tailscale.

                                                                                                                                                                                                                                                                                                                                  • selfhoster

                                                                                                                                                                                                                                                                                                                                    today at 1:40 AM

                                                                                                                                                                                                                                                                                                                                    I wasn't sure, and still am not, what your statement means. I checked Google, and their AI tool offered this:

                                                                                                                                                                                                                                                                                                                                    "Yes, WireGuard does support NAT traversal, though it doesn't handle it natively; it relies on techniques like UDP hole punching to establish connections between peers behind NATs."

                                                                                                                                                                                                                                                                                                                                    That makes no sense to me, I have my peers talking to each other on the Wireguard VPN behind my ISP NAT. I do have one UDP port open on the VPS that they all talk to. Is that what you mean by, "Wireguard doesn't do NAT traversal on its own, which is, IMHO, the killer feature of Tailscale."?

                                                                                                                                                                                                                                                                                                                                    If so, how does not having to open one UDP port, which can't really be detected anyway, justify having all your traffic controlled by a third party through servers (I forget what Tailscale called them) you don't own?
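The one-open-UDP-port VPS setup selfhoster describes, written out as an added example that is not from anyone in the thread; hostnames, addresses and keys are placeholders. It also spells out what that design does and does not protect against, since the hub is the thing you are trusting instead of a relay.

```ini
# Added example (not from the thread): hub-and-spoke WireGuard.
# The VPS is the only peer that needs a reachable UDP port; the home peers
# sit behind the ISP's NAT and never accept inbound connections, so no
# NAT traversal (hole punching) is needed. All names/keys are placeholders.

# --- VPS (hub): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820            # the single open UDP port on the VPS
PrivateKey = <VPS_PRIVATE_KEY>
# Spoke-to-spoke packets arrive on wg0 and leave on wg0 again, so the hub
# must forward them; without this the spokes can only reach the hub itself.
PostUp = sysctl -w net.ipv4.ip_forward=1
# Trust boundary: the hub terminates both tunnels. It decrypts a spoke's
# packets and re-encrypts them for the other spoke, so whoever controls
# this VPS can read spoke-to-spoke traffic. A Tailscale DERP relay, by
# contrast, only forwards WireGuard packets that are already encrypted
# end to end between the two nodes and cannot read them.

[Peer]   # home PC
PublicKey = <HOME_PC_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32      # cryptokey routing: only this source address is
                              # accepted from this key, and only this address
                              # is sent to it

[Peer]   # laptop
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# --- home PC (spoke, behind the ISP NAT): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PC_PRIVATE_KEY>
# No ListenPort and no port forward: this side always sends first, which is
# what makes the NAT create an outbound mapping for the hub to answer on.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
AllowedIPs = 10.8.0.0/24      # route the whole tunnel subnet via the hub,
                              # so laptop <-> home PC traffic goes through it
# The NAT only keeps the mapping alive while packets flow. Without keepalives
# the hub (and so the other spoke) cannot reach this peer until it next sends
# something; 25 s is the interval the WireGuard documentation suggests.
PersistentKeepalive = 25

# The laptop's config is identical apart from its own key pair and
# Address = 10.8.0.3/24.
```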

                                                                                                                                                                                                                                                                                                                                    • caconym_

                                                                                                                                                                                                                                                                                                                                      today at 1:27 AM

                                                                                                                                                                                                                                                                                                                                      Taking on all the monolithic complexity of Tailscale just to get NAT traversal can arguably be not worth it, e.g. https://news.ycombinator.com/item?id=42132131

                                                                                                                                                                                                                                                                                                                                      Fair enough if you're stuck behind a CGNAT though.

                                                                                                                                                                                                                                                                                                                          • ydnaclementine

                                                                                                                                                                                                                                                                                                                            yesterday at 7:46 PM

                                                                                                                                                                                                                                                                                                                            > it’s no longer possible thanks to a cursed thing called CGNAT

                                                                                                                                                                                                                                                                                                                            as someone who does publicly expose services that have auth, why does CGNAT make exposing ports publicly bad?

                                                                                                                                                                                                                                                                                                                              • jjcob

                                                                                                                                                                                                                                                                                                                                yesterday at 7:52 PM

                                                                                                                                                                                                                                                                                                                                It makes it impossible, because your modem/router no longer has a public IP that you can connect to from the internet.

                                                                                                                                                                                                                                                                                                                                • jen729w

                                                                                                                                                                                                                                                                                                                                  yesterday at 7:56 PM

                                                                                                                                                                                                                                                                                                                                  FYI my ISP (Aussie Broadband) will put you on a non-CGNAT subnet if you call and ask.

                                                                                                                                                                                                                                                                                                                                  Tailscale is a better idea.

                                                                                                                                                                                                                                                                                                                                    • joshstrange

                                                                                                                                                                                                                                                                                                                                      yesterday at 9:13 PM

                                                                                                                                                                                                                                                                                                                                      My ISP (USA, Metronet) will give you a static IP (instead of their CGNAT) for $10/mo which I happily pay.

                                                                                                                                                                                                                                                                                                                                      Tailscale is great but direct is always better IMHO.

                                                                                                                                                                                                                                                                                                                                    • tass

                                                                                                                                                                                                                                                                                                                                      yesterday at 7:59 PM

                                                                                                                                                                                                                                                                                                                                      Other replies explained the why, though cgnat wouldn’t be a problem if you also had ipv6.

                                                                                                                                                                                                                                                                                                                                      Luckily for me I have a regular ip4 address but if that ever changed I’d be out of luck unless my isp (quantum fibre) implemented a proper ipv6 solution.

                                                                                                                                                                                                                                                                                                                                        • aodin

                                                                                                                                                                                                                                                                                                                                          yesterday at 8:07 PM

                                                                                                                                                                                                                                                                                                                                          I have Quantum Fiber in Colorado and enabled IPv6 on the old CenturyLink C4000XG modem following these directions: https://www.centurylink.com/home/help/internet/modems-and-ro...

                                                                                                                                                                                                                                                                                                                                            • tass

                                                                                                                                                                                                                                                                                                                                              today at 1:05 AM

                                                                                                                                                                                                                                                                                                                                              That uses 6rd which is typically slow (since it basically proxies through an ipv4->6 bridge), and in my case it worked on their provided router but not with opnsense.

                                                                                                                                                                                                                                                                                                                                          • SR2Z

                                                                                                                                                                                                                                                                                                                                            yesterday at 11:53 PM

                                                                                                                                                                                                                                                                                                                                            CGNAT isn't used with ipv6, right?

                                                                                                                                                                                                                                                                                                                                              • tass

                                                                                                                                                                                                                                                                                                                                                today at 5:55 AM

                                                                                                                                                                                                                                                                                                                                                I’m not an expert on this but I can’t imagine why it would be deployed that way given the complexity it adds.

                                                                                                                                                                                                                                                                                                                                          • ThePowerOfFuet

                                                                                                                                                                                                                                                                                                                                            yesterday at 7:52 PM

                                                                                                                                                                                                                                                                                                                                            Not bad, impossible; it is NAT over which you have no control and thus cannot forward ports.

                                                                                                                                                                                                                                                                                                                                        • ronef

                                                                                                                                                                                                                                                                                                                                          today at 12:42 AM

                                                                                                                                                                                                                                                                                                                                          To add on to this, more than just useful, incredible team building it!

                                                                                                                                                                                                                                                                                                                                          • globular-toast

                                                                                                                                                                                                                                                                                                                                            yesterday at 10:32 PM

                                                                                                                                                                                                                                                                                                                                            Is Tailscale useful if you don't have CGNAT? I solve the problem in the article using Wireguard on my router and a dyndns client.

                                                                                                                                                                                                                                                                                                                                            In a way I think all these solutions just keep enabling IPv4 to continue and that sucks. Does Tailscale offer anything in an IPv6 world? Are they another company with an interest in stopping IPv6 progress?

                                                                                                                                                                                                                                                                                                                                            • unixpickle

                                                                                                                                                                                                                                                                                                                                              yesterday at 10:58 PM

                                                                                                                                                                                                                                                                                                                                              This should just be called "why VPNs are useful", I think?

                                                                                                                                                                                                                                                                                                                                              • kortilla

                                                                                                                                                                                                                                                                                                                                                yesterday at 11:44 PM

                                                                                                                                                                                                                                                                                                                                                > But my old Raspberry Pi was too weak to run it, so I ended up uninstalling it, and unrelatedly my pet project grew out and has its place in the cloud now.

                                                                                                                                                                                                                                                                                                                                                It’s incredible how shitty modern software is that a raspberry pi couldn’t run a basic VPN.

                                                                                                                                                                                                                                                                                                                                                If any tailscale devs see this you should try to reproduce this issue and use it as an opportunity to clean up a bunch of dumb assumptions that likely hurt real users as well, just through less direct means like battery consumption and slower overall performance.

                                                                                                                                                                                                                                                                                                                                              • sneak

                                                                                                                                                                                                                                                                                                                                                yesterday at 11:30 PM

                                                                                                                                                                                                                                                                                                                                                You can do all of this stuff with Nebula (from slack oss), without some centralized service. I use it on all my computers and it works great.

                                                                                                                                                                                                                                                                                                                                                  • frontsideair

                                                                                                                                                                                                                                                                                                                                                    today at 7:12 AM

                                                                                                                                                                                                                                                                                                                                                    This is the first time I’m hearing about Nebula. How does it compare to Tailscale?

                                                                                                                                                                                                                                                                                                                                                • sixothree

                                                                                                                                                                                                                                                                                                                                                  yesterday at 7:59 PM

                                                                                                                                                                                                                                                                                                                                                  I have nothing but performance issues with tailscale. On both my iPhone and my iPad it _destroys_ my battery. It uses some 40+ hours of background time in just a few days. On my PC whenever I come back home and tailscale was running, everything is out of memory and not running correctly.

                                                                                                                                                                                                                                                                                                                                                  That's my experience. I wish it was better.

                                                                                                                                                                                                                                                                                                                                                    • zimpenfish

                                                                                                                                                                                                                                                                                                                                                      yesterday at 9:22 PM

                                                                                                                                                                                                                                                                                                                                                      > On both my iPhone and my iPad it _destroys_ my battery.

                                                                                                                                                                                                                                                                                                                                                      On my iPhone, I've not even noticed any battery problems whilst running Tailscale 24/7. Are you running it with an exit node that funnels all traffic? I've just got it active for my nodes which might be why it's basically doing nothing.

                                                                                                                                                                                                                                                                                                                                                        • sixothree

                                                                                                                                                                                                                                                                                                                                                          today at 4:15 AM

                                                                                                                                                                                                                                                                                                                                                          Default install. Very literally 20+ hours a day of background time.

                                                                                                                                                                                                                                                                                                                                                            • zimpenfish

                                                                                                                                                                                                                                                                                                                                                              today at 8:10 AM

                                                                                                                                                                                                                                                                                                                                                              Just checked on my phone - for the last 24 hours, Tailscale has 5m screen, 22h 45m background for less than 1% of battery usage (as in it shows "-" below the 1% entries.)

                                                                                                                                                                                                                                                                                                                                                              Can't remember what the default install is - do you have "VPN On Demand" turned on? That should keep it mostly idle unless you're actually talking to one of your nodes, I think?

                                                                                                                                                                                                                                                                                                                                                  • juped

                                                                                                                                                                                                                                                                                                                                                    today at 1:13 AM

                                                                                                                                                                                                                                                                                                                                                    I kind of have a mental block around Tailscale even though it would be useful in some cases for me, because the name "Tailscale" instantly trips all my snake oil trauma responses. Can't they call it "Weyergourd" or something?

                                                                                                                                                                                                                                                                                                                                                    • porridgeraisin

                                                                                                                                                                                                                                                                                                                                                      yesterday at 8:35 PM

                                                                                                                                                                                                                                                                                                                                                      I use it extensively as well.

                                                                                                                                                                                                                                                                                                                                                      - My home PC, my laptop, and my phone are the participants.

                                                                                                                                                                                                                                                                                                                                                       - My home PC is connected to a GPU, and runs a colab runtime, SSHD, as well as a simple http file server in $HOME (actually, C:/Users/username, it's Windows)

                                                                                                                                                                                                                                                                                                                                                      - My laptop doesn't have an NVIDIA GPU, so it just runs SSHD and a file server.

                                                                                                                                                                                                                                                                                                                                                      - My phone serves nothing, but has an SSH client, and a http client obviously.

                                                                                                                                                                                                                                                                                                                                                       There is a simple hostname-based DNS set up by Tailscale automatically, so I can just go to http://laptop:8000 to access all my files, or just ssh to username@computer.

                                                                                                                                                                                                                                                                                                                                                      Accessing everything from everywhere is absolutely great. And this is all on their free tier.

                                                                                                                                                                                                                                                                                                                                                      Unrelated to tailscale, I use parsec for a similar solution for remote desktop, their "machine level user" feature allows me to initiate remote desktop from certain client devices directly.

                                                                                                                                                                                                                                                                                                                                                      Too smooth.

                                                                                                                                                                                                                                                                                                                                                      • laidoffamazon

                                                                                                                                                                                                                                                                                                                                                        yesterday at 7:26 PM

                                                                                                                                                                                                                                                                                                                                                        I love tailscale, but the performance overhead on file transfer (my primary use case for it) is very real.

                                                                                                                                                                                                                                                                                                                                                         Samba transfers take a 15 megabyte per second hit over tailscale even with a fairly fast CPU on both ends (Ryzen 3600 and Ryzen 7900X3D) on my local network.

                                                                                                                                                                                                                                                                                                                                                          • homebrewer

                                                                                                                                                                                                                                                                                                                                                            yesterday at 7:34 PM

                                                                                                                                                                                                                                                                                                                                                            Try netbird, it's the same idea but with support for using kernel-mode WireGuard when one of the peers is able to connect to another one directly without doing NAT tricks (so either both peers are on the same subnet, or at least one of them has a public IP).

                                                                                                                                                                                                                                                                                                                                                            • nsbk

                                                                                                                                                                                                                                                                                                                                                              yesterday at 8:12 PM

                                                                                                                                                                                                                                                                                                                                                              It is indeed! I used to connect to a Synology NAS as remote backup location through Tailscale and the transfers would peak at around 5 MB/s.

                                                                                                                                                                                                                                                                                                                                                              Now I mount the NAS volumes to a host at the same location and sftp to it. It’s still dog slow at 30MB/s but that’s the NAS limitation.

                                                                                                                                                                                                                                                                                                                                                               Direct access to the NAS can also be achieved via Subnet Routers:

                                                                                                                                                                                                                                                                                                                                                              https://tailscale.com/kb/1019/subnets

                                                                                                                                                                                                                                                                                                                                                              • SteveNuts

                                                                                                                                                                                                                                                                                                                                                                yesterday at 7:37 PM

                                                                                                                                                                                                                                                                                                                                                                In my experience Samba is just a slow protocol due to its chattiness.

                                                                                                                                                                                                                                                                                                                                                                  • RamRodification

                                                                                                                                                                                                                                                                                                                                                                    yesterday at 7:41 PM

                                                                                                                                                                                                                                                                                                                                                                    Samba is not a protocol. It's an implementation of dozens of services and a dozen protocols, including SMB (Server Message Block).

                                                                                                                                                                                                                                                                                                                                                                    • huang_chung

                                                                                                                                                                                                                                                                                                                                                                      yesterday at 7:51 PM

                                                                                                                                                                                                                                                                                                                                                                      This is just wrong. Tuned properly SMB is much faster than SFTP.

                                                                                                                                                                                                                                                                                                                                                                  • vlovich123

                                                                                                                                                                                                                                                                                                                                                                    yesterday at 7:50 PM

                                                                                                                                                                                                                                                                                                                                                                     15 MiB/s is trivially handled by any CPU you're likely to run. Indeed 100 MiB/s seems reasonable. A 15 MiB/s cap seems like either the protocol being used is doing too many round trips (assuming the machines you're testing with are far apart) or the network that's being set up requires routing through Tailscale's infra for hole punching.

                                                                                                                                                                                                                                                                                                                                                                      • laidoffamazon

                                                                                                                                                                                                                                                                                                                                                                        yesterday at 7:55 PM

                                                                                                                                                                                                                                                                                                                                                                         Not a cap. It’s the delta. About 117 megabytes a second measured by Windows Explorer to around 101.

                                                                                                                                                                                                                                                                                                                                                                        These are on my local network, connected to my switch over 1gig Ethernet.

                                                                                                                                                                                                                                                                                                                                                                          • vlovich123

                                                                                                                                                                                                                                                                                                                                                                            yesterday at 8:02 PM

                                                                                                                                                                                                                                                                                                                                                                             Ok, a 12% differential on a LAN is kind of surprising. I wonder what Tailscale could possibly be doing that would be causing this issue, because aside from the control plane I don't believe they're in the data path all that much. Maybe WireGuard on Windows isn't as optimized as it is on Linux?

                                                                                                                                                                                                                                                                                                                                                                            https://www.reddit.com/r/linux/comments/9bnowo/wireguard_ben... from 7 years ago is about trying to get it running at 10Gbps speeds.

                                                                                                                                                                                                                                                                                                                                                                            • baq

                                                                                                                                                                                                                                                                                                                                                                              yesterday at 8:04 PM

                                                                                                                                                                                                                                                                                                                                                                              IME it adds about (at least) 1ms of latency over local networks. You should be able to use a different dns suffix to use the LAN interface instead of Tailscale.

                                                                                                                                                                                                                                                                                                                                                                          • immibis

                                                                                                                                                                                                                                                                                                                                                                            yesterday at 7:54 PM

                                                                                                                                                                                                                                                                                                                                                                            It sounds like the traffic gets routed through a Tailscale relay because all attempts at direct connection failed. A direct connection would have been as fast as a direct connection.

                                                                                                                                                                                                                                                                                                                                                                        • bb88

                                                                                                                                                                                                                                                                                                                                                                          yesterday at 7:44 PM

                                                                                                                                                                                                                                                                                                                                                                          They have a DERP server I guess. Your traffic might be going through one of those.

                                                                                                                                                                                                                                                                                                                                                                          • renewiltord

                                                                                                                                                                                                                                                                                                                                                                            yesterday at 7:42 PM

                                                                                                                                                                                                                                                                                                                                                                             WG is quite fast. Can’t be the limiter. Like this guy I’ve driven 1 G easily on 7950 and Epyc 9654. I think I did 10 G but I can’t recall because at some point I just moved everything local and did 40 G. But I’m sure it would work on CPU on a reasonable machine.

                                                                                                                                                                                                                                                                                                                                                                            https://old.reddit.com/r/mikrotik/comments/112mo4v/is_there_...

                                                                                                                                                                                                                                                                                                                                                                              • laidoffamazon

                                                                                                                                                                                                                                                                                                                                                                                yesterday at 7:57 PM

                                                                                                                                                                                                                                                                                                                                                                                Tailscale is using a user space implementation of WG on my Windows machine for obvious reasons - I am imagining that to be part of the bottleneck.

                                                                                                                                                                                                                                                                                                                                                                                  • dgacmu

                                                                                                                                                                                                                                                                                                                                                                                    yesterday at 8:42 PM

                                                                                                                                                                                                                                                                                                                                                                                    A very likely culprit is the packet encapsulation changing things for the worse. An informative test would be to tcpdump (wireshark, etc) the packet stream with and without tailscale. Look at packet sizes, etc.

                                                                                                                                                                                                                                                                                                                                                                                    The overhead shouldn't be 15% but there could be some weird interaction with the link MTU for the VPN causing, e.g., smaller packets to be sent with more overhead.
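To put numbers on the encapsulation argument above, here is an added example (not code from the thread or from Tailscale) that computes how much of a measured LAN slowdown the WireGuard/UDP/IP headers alone can explain, and then summarises TCP payload sizes from `tcpdump -nn` summary lines the way the comment suggests. It assumes a 1500-byte Ethernet MTU, a 1280-byte tunnel MTU (my assumption for Tailscale's default; check the tunnel interface on your host), IPv4 and TCP without options, and uses constructed capture lines.

```python
"""Estimate how much of a LAN throughput drop WireGuard encapsulation explains.

Added example, not code from the thread. Assumptions: Ethernet MTU 1500,
tunnel interface MTU 1280 (assumed Tailscale default; verify on your host),
IPv4 and TCP headers without options. The tcpdump lines are constructed.
"""
import re
from dataclasses import dataclass

ETH_HDR = 14
IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20
WG_HDR = 32  # 4 type/reserved + 4 receiver index + 8 counter + 16-byte auth tag


@dataclass(frozen=True)
class PathEfficiency:
    packet_mtu: int       # largest IP packet the path (or tunnel) carries
    tcp_payload: int      # application bytes per full-size segment
    wire_bytes: int       # bytes on the Ethernet wire per such segment
    efficiency: float     # tcp_payload / wire_bytes


def direct_path(link_mtu: int = 1500) -> PathEfficiency:
    """Plain LAN path: one IPv4/TCP packet per Ethernet frame."""
    payload = link_mtu - IPV4_HDR - TCP_HDR
    wire = link_mtu + ETH_HDR
    return PathEfficiency(link_mtu, payload, wire, payload / wire)


def tunneled_path(tun_mtu: int = 1280, outer_ip_hdr: int = IPV4_HDR) -> PathEfficiency:
    """Inner IPv4/TCP packet wrapped in WireGuard transport + UDP + outer IP."""
    payload = tun_mtu - IPV4_HDR - TCP_HDR
    wire = tun_mtu + WG_HDR + UDP_HDR + outer_ip_hdr + ETH_HDR
    return PathEfficiency(tun_mtu, payload, wire, payload / wire)


def explained_fraction(observed_direct: float, observed_tunnel: float,
                       tun_mtu: int = 1280, link_mtu: int = 1500) -> float:
    """Share (0..1+) of the observed slowdown that header overhead predicts.

    A value near or above 1 means encapsulation alone accounts for the drop;
    well below 1 means something else (relay path, userspace WireGuard,
    a chatty protocol, an MTU mismatch) is also at work. For the thread's
    117 -> 101 MB/s figures this comes out at roughly 0.37.
    """
    predicted_ratio = tunneled_path(tun_mtu).efficiency / direct_path(link_mtu).efficiency
    predicted_drop = 1.0 - predicted_ratio
    observed_drop = 1.0 - observed_tunnel / observed_direct
    return predicted_drop / observed_drop


# Constructed `tcpdump -nn` summary lines for an SMB transfer over the tunnel;
# the "length N" field is the TCP payload size of each segment.
SAMPLE_CAPTURE = """\
19:55:01.000101 IP 100.101.102.1.52144 > 100.101.102.2.445: Flags [.], seq 1:1241, ack 1, win 513, length 1240
19:55:01.000102 IP 100.101.102.1.52144 > 100.101.102.2.445: Flags [.], seq 1241:2481, ack 1, win 513, length 1240
19:55:01.000140 IP 100.101.102.2.445 > 100.101.102.1.52144: Flags [.], ack 2481, win 2048, length 0
19:55:01.000180 IP 100.101.102.1.52144 > 100.101.102.2.445: Flags [P.], seq 2481:3201, ack 1, win 513, length 720
19:55:01.000200 IP 100.101.102.1.52144 > 100.101.102.2.445: Flags [.], seq 3201:4441, ack 1, win 513, length 1240
"""

_LEN_RE = re.compile(r"\blength (\d+)\b")


def capture_summary(tcpdump_lines, tun_mtu: int = 1280) -> dict:
    """Compare segment sizes seen in a capture with the size the tunnel allows.

    Pure ACKs (length 0) are skipped. A positive mss_shortfall means peers
    are sending smaller segments than the tunnel MTU permits, which is the
    kind of MTU/MSS interaction worth investigating; a low full_segment_share
    points at a chatty protocol rather than at the tunnel.
    """
    sizes = [int(m.group(1)) for line in tcpdump_lines
             if (m := _LEN_RE.search(line))]
    data = [s for s in sizes if s > 0]
    if not data:
        return {"largest_payload": 0, "expected_payload": 0,
                "mss_shortfall": 0, "full_segment_share": 0.0, "mean_payload": 0.0}
    expected = tun_mtu - IPV4_HDR - TCP_HDR
    largest = max(data)
    full = sum(1 for s in data if s >= largest)
    return {
        "largest_payload": largest,
        "expected_payload": expected,
        "mss_shortfall": expected - largest,
        "full_segment_share": full / len(data),
        "mean_payload": sum(data) / len(data),
    }


if __name__ == "__main__":
    print(f"direct:   {direct_path()}")
    print(f"tunneled: {tunneled_path()}")
    print(f"headers explain {explained_fraction(117, 101):.0%} of the 117->101 MB/s drop")
    print(capture_summary(SAMPLE_CAPTURE.splitlines()))
```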

                                                                                                                                                                                                                                                                                                                                                                            • huang_chung

                                                                                                                                                                                                                                                                                                                                                                              yesterday at 7:52 PM

                                                                                                                                                                                                                                                                                                                                                               You likely have a network misconfiguration like an MTU issue. Don't blame Samba if you cannot configure it properly.

                                                                                                                                                                                                                                                                                                                                                                          • thomastjeffery

                                                                                                                                                                                                                                                                                                                                                                            yesterday at 8:07 PM

                                                                                                                                                                                                                                                                                                                                                                            In other words (they do get to this point right away), port forwarding is pretty useful, and most of us don't have it anymore.

                                                                                                                                                                                                                                                                                                                                                                            I'm sick and tired of the way ISPs treat us. It's literally written into my lease what company I will pay for internet, and how much I will pay them. It is not, however, written in my lease how fast the connection will be. Not only am I unable to forward ports, I can't even change my own WiFi password! Sure, I could make a fuss and probably obtain access to my router, but it isn't worth the hassle.

                                                                                                                                                                                                                                                                                                                                                                            But why is there a hassle to begin with? How in the hell is it in anyone's interest to keep me from configuring my own router? I can come up with plenty of authoritative bullshit answers to this question, but they are all authoritative bullshit. I think that's the real answer: we have systemically built our society to operate on authoritative bullshit. sigh

                                                                                                                                                                                                                                                                                                                                                             Tailscale is a usable workaround, but it shouldn't exist. It shouldn't need to exist. I just want to be able to host a server. Is that really so much to ask?

                                                                                                                                                                                                                                                                                                                                                                              • devilbunny

                                                                                                                                                                                                                                                                                                                                                                                today at 12:24 AM

                                                                                                                                                                                                                                                                                                                                                                                > Not only am I unable to forward ports, I can't even change my own WiFi password!

                                                                                                                                                                                                                                                                                                                                                                                You can't BYOD? I got a lot of info out of the install techs when my home fiber was installed, including the router password, because they saw my setup and said "whoa... this is not a normal person setup". I said no, it isn't, you want me to walk you through what I've got? They did.

                                                                                                                                                                                                                                                                                                                                                                                I ended up putting their device to DMZ all traffic to my device and turning off its radios (I have multiple APs with a wired backend). Technically double NAT, but in the first step all ports were forwarded, so it didn't affect anything. It took me a while to have a weekend where my wife was gone and I could risk breaking things for a few hours, but after that I was able to remove their device entirely. Turns out it uses a VLAN on the outgoing connection, so I had to figure out how to set that up on my router.

                                                                                                                                                                                                                                                                                                                                                                                • zamadatix

                                                                                                                                                                                                                                                                                                                                                                                  yesterday at 11:05 PM

                                                                                                                                                                                                                                                                                                                                                                                  The number of users who even understand why they might want to do that isn't a consideration when they build such a service/agreement. It's only considering what the average tenant is looking for, which is more akin to "water comes out of the pipes when I move in" than "do I get to mess with the plumbing?".

                                                                                                                                                                                                                                                                                                                                                                                  • sfRattan

                                                                                                                                                                                                                                                                                                                                                                                    yesterday at 10:46 PM

                                                                                                                                                                                                                                                                                                                                                                                    The authoritative bullshit isn't what society is running on, it's what society is giving as an excuse for enshittification that enriches interested parties.

                                                                                                                                                                                                                                                                                                                                                                                    Your landlord (I'm guessing based on having seen it before) gets kickbacks from the ISP to force all tenants onto a specific (probably overpriced) Internet plan. The interest in keeping you from configuring your own router is in allowing the ISP's enshittifying further monetization tactics to proceed unopposed. The two big ones I've seen in this kind of setup are:

                                                                                                                                                                                                                                                                                                                                                                                    Using DNS enforced by the router to gather data and place ads on any 404 error.

                                                                                                                                                                                                                                                                                                                                                                                    Sharing their WiFi network that you lease with the ISP's other customers nearby.

                                                                                                                                                                                                                                                                                                                                                                                • ramses0

                                                                                                                                                                                                                                                                                                                                                                                  yesterday at 8:52 PM

                                                                                                                                                                                                                                                                                                                                                                                  See also Nebula:

                                                                                                                                                                                                                                                                                                                                                                                  https://nebula.defined.net/docs/

                                                                                                                                                                                                                                                                                                                                                                                  https://nebula.defined.net/docs/guides/quick-start/

                                                                                                                                                                                                                                                                                                                                                                                  ...I believe 100% open source. You can basically hub between different devices (including iOS/Android) that are identified via certs. Recommended to have one or more public "lighthouses" so anything that can reach a lighthouse can reach any of your other servers (maybe kind of "syncthing for vpn/overlay-network?").

                                                                                                                                                                                                                                                                                                                                                                                  I've dorked around with it a little bit, but it's rare enough that I need access to my home network while out that I haven't doubled down on proper cert, key management, rotation, etc.

                                                                                                                                                                                                                                                                                                                                                                                • xyst

                                                                                                                                                                                                                                                                                                                                                                                  today at 12:36 AM

                                                                                                                                                                                                                                                                                                                                                                                  I like tailscale as a replacement for the dogshit enterprise VPNs I have had to use in the past (looking at you, ZScaler). But for personal/single home use it’s overkill.

                                                                                                                                                                                                                                                                                                                                                                                  I used to run a WireGuard server on a raspberry pi with ddns to update dns record on an as needed basis.

                                                                                                                                                                                                                                                                                                                                                                                  Eventually replaced it with my gateway's built-in WireGuard server, which also has DDNS enabled.

                                                                                                                                                                                                                                                                                                                                                                                  The use cases described by the author are taken care of with a simple wg server. Sure you don’t get the distributed peer network of tailscale but I can live without that.
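As an added example (not xyst's config or anything from the thread), here is what that "simple wg server" setup looks like as wg-quick files: one on the Pi/gateway at home, one on the laptop that dials in over a DDNS name. Key material, the 10.8.0.0/24 tunnel range, the 192.168.1.0/24 home LAN and the hostname home.example.net are all placeholders.

```ini
# Added example, not from the thread. Keys, addresses and the DDNS hostname
# are placeholders; generate real keys with `wg genkey | tee priv | wg pubkey`.

# ---- /etc/wireguard/wg0.conf on the Pi / home gateway (server side) ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
# Route tunnel traffic into the home LAN (eth0) and NAT it on the way out.
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# laptop
PublicKey = <laptop-public-key>
PresharedKey = <psk>                      # wg genpsk; optional extra symmetric layer
AllowedIPs = 10.8.0.2/32                  # cryptokey routing: only this source IP is accepted from this peer

# ---- /etc/wireguard/wg0.conf on the laptop (client side) ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <laptop-private-key>
DNS = 192.168.1.1                         # optional: resolve home names via the home resolver

[Peer]
PublicKey = <server-public-key>
PresharedKey = <psk>
Endpoint = home.example.net:51820         # DDNS name; UDP 51820 must be forwarded on the home router
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24  # split tunnel: only tunnel + home LAN, not 0.0.0.0/0
PersistentKeepalive = 25                  # keeps the NAT/CGNAT mapping alive so the server can reach back
```

Two things worth checking on a setup like this. First, the server's `AllowedIPs` is the access control: a peer can only originate packets from the addresses listed there, so keep it to a /32 per device rather than a broad range. Second, this only works if you can forward UDP 51820 on the home router and the ISP hands you a reachable address; if, as in the top comment, you can't forward ports at all, a plain wg server has nothing to listen on, which is exactly the gap Tailscale's NAT traversal and DERP fallback fill.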

                                                                                                                                                                                                                                                                                                                                                                                  • dlo777777

                                                                                                                                                                                                                                                                                                                                                                                    today at 1:08 AM

                                                                                                                                                                                                                                                                                                                                                                                    [dead]

                                                                                                                                                                                                                                                                                                                                                                                      • lamking

                                                                                                                                                                                                                                                                                                                                                                                        today at 5:54 AM

                                                                                                                                                                                                                                                                                                                                                                                        [flagged]

                                                                                                                                                                                                                                                                                                                                                                                        • high_byte

                                                                                                                                                                                                                                                                                                                                                                                          yesterday at 8:22 PM

                                                                                                                                                                                                                                                                                                                                                                                          tailscale to expose a port is such overkill. just use ngrok for that.

                                                                                                                                                                                                                                                                                                                                                                                            • ghoshbishakh

                                                                                                                                                                                                                                                                                                                                                                                              today at 9:16 AM

                                                                                                                                                                                                                                                                                                                                                                              For simple problems use simple tools. I believe the simplest tunneling tool out there is https://pinggy.io . Tailscale is for a different use case, not just exposing one port to the internet.

                                                                                                                                                                                                                                                                                                                                                                                              • PLG88

                                                                                                                                                                                                                                                                                                                                                                                                today at 8:37 AM

                                                                                                                                                                                                                                                                                                                                                                                or one of the many alternatives - https://github.com/anderspitman/awesome-tunneling. I will advocate for zrok.io as I work on its parent project, OpenZiti. zrok is open source and has a free SaaS tier that is more generous and capable than ngrok's.