Tailscale is pretty useful
302 comments · March 5, 2025 · apitman
thewebguyd
> * Is the VPN model really the way to go? If someone gets their hands on one of your Tailscale nodes, they can access every service on your tailnet, which are likely running with reduced security since that's a huge part of the appeal. This is exactly the situation BeyondCorps/Zero Trust was created to avoid. Tunneling services[0] are more of a Zero Trust approach, but they can't match the seamlessness of Tailscale once a node is connected to the tailnet.
At the very least there's ACLs so you can tag devices and restrict access down to specific ports and protocols based on either user identity or device tag.
At my org we use tailscale much like a VPN, to give users access to a few internal web apps, and with ACLs those users can only hit the webserver on 443 and nothing else to that node. This way the web server itself has no ports exposed on the host, ufw deny all incoming.
I can't answer if the VPN model is really the way to go, long term - probably not, but for our use case Tailscale has been absolutely perfect, and we accepted the tradeoffs were worth it over a more "complete" zero-trust approach, and the complexities that come along with it.
What Tailscale doesn't solve is access to the data that web app serves if the user's machine is compromised, as tailscale is just determining "can the user hit the webserver on port 443?" and does nothing to evaluate the state of the user's host.
I guess that's all to say, I/we don't see Tailscale as a zero-trust solution, but more or less a more convenient VPN with easier to use ACLs. Cloudflare Tunnel and the likes are much better suited to implementing a zero trust approach.
I think there's still value though. A zero trust approach is the correct way for most organizations, but there's still a big niche for Tailscale especially for small-medium orgs and self-hosters/homelabbers.
wkat4242
Tailscale is not just more convenient but also more efficient if your VPN meshes a lot (not all traffic going to the same place). Because nodes can establish connections directly. A traditional VPN can't do that.
This is the main reason I use a mesh vpn (though not tailscale)
guerby
Out of curiosity which one and why?
frenchtoast8
> What Tailscale doesn't solve is access to the data that web app serves if the user's machine is compromised, as tailscale is just determining "can the user hit the webserver on port 443?" and does nothing to evaluate the state of the user's host.
Tailscale has some cybersecurity integrations to configure access depending on the device posture. For example, blocking access to a webserver if the device is out of date, or if malware is detected, or if the firewall is disabled, etc. But I don't use any of those integrations and can't speak to them.
cjcampbell
The posture implementation is quite easy to work with. There’s a growing list of integrations, and you can also roll your own with the posture API. I’ve used Kolide so far and will be integrating with Kandji on another tailnet. They also have Intune, JAMF, Crowdstrike, and SentinelOne.
The same posture API can be used to restrict access to devices in your inventory or to set up just-in-time access to a sensitive asset. For the latter, you can use a Slack app provided by Tailscale or integrate with an identity governance workflow to set a posture attribute with a limited TTL. Your tailscale policy just needs to condition the relevant access on the attribute.
jychang
I don't think most users use those integrations, they're mostly just a feature bullet point.
jdolak
On your first point, I've been using tailscale for a bit and its ACL feature addresses most of my concerns there. My laptop can ssh into any of my servers but not the other way around, and my servers can't talk to each other unless I set them to.
notsylver
Could you share your ACL setup? I haven't had time to look at it much but this sounds like exactly what I want to do.
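As an added illustration (not jdolak's actual policy, which was never posted), here is a Tailscale policy file in the shape the thread describes: a member's own devices can open SSH to tagged servers, and nothing else is allowed. The tag names `tag:server` and `tag:backup` are assumptions; `autogroup:member` and `autogroup:admin` are Tailscale's built-in groups.

```json
{
  "tagOwners": {
    "tag:server": ["autogroup:admin"],
    "tag:backup": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["tag:server:22"]
    },
    {
      "action": "accept",
      "src": ["tag:backup"],
      "dst": ["tag:server:22"]
    }
  ]
}
```

The policy is default-deny: a device only reaches what some `accept` rule names as `dst`, and nothing grants `tag:server` as a `src`, so a compromised server cannot SSH back to the laptop or to a sibling server. The second rule is the opt-in case from the post: a single tagged backup host is explicitly allowed to reach port 22 on the servers, and removing that rule removes the path. Ports other than 22 on the servers are unreachable over the tailnet regardless of what the host firewall does, which is the same layering thewebguyd describes for the 443-only web server.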
derefr
> If someone gets their hands on one of your Tailscale nodes, they can access every service on your tailnet, which are likely running with reduced security since that's a huge part of the appeal. This is exactly the situation BeyondCorps/Zero Trust was created to avoid.
In addition to the ACLs mentioned by the sibling, a tailnet is not quite a plain-old VPN overlay network, in that each device on a tailnet gets assigned a predictable, durable LAN IP address based on the credentials that device is logged into Tailscale with.
Which means that, for at least the "personal" devices (laptops, phones, tablets), you can configure your servers on a tailnet to do something that's less finicky than full-on credential-based auth, but still more secure in practice than no auth: namely, host-based authentication — which should be a reasonable 1:1 proxy for user authentication (assuming the constraints from the previous paragraph.)
To put that in concrete terms: on a tailnet, a user's SSH credential for a given server can simply be the fact that the user is able to originate the connection from the expected LAN IP address of the user's workstation. Except that instead of that LAN + the user's workstation living in a physical building, they're both virtual, and the user's physical workstation (of the moment) must provide credentials to bind to the tailnet IP that allows it to present itself as the virtual workstation.
reubenmorais
> * Can it expand into the layman market?
Maybe it's more enthusiast than layman, and I guess it's also not much of a market, but in the video arrrchival space it's pretty widespread, with people running e.g. Jellyfin behind Tailscale.
epscylonb
Agree that they are on to something. I gave a tech talk about them a while ago at work and said that I think they are on the cusp of providing a consumer VPN product that appeals to mainstream consumers. The Apple of VPNs, everything "just works" and is easy to understand.
hattmall
Do mainstream consumers really need a VPN?
parasubvert
Tailscale isn’t really a VPN, it’s an OSI layer 5 for the TCP/IP world. It makes connectivity as easy as 90s LAN parties were.
I use Tailscale:
- so I can do remote tech support on my 81 year old mother’s computer
- so I can remote in to my desktop from anywhere with my mobile phone or iPad or Vision Pro or Steam Deck if I need a file or need to print something
- for watching streaming media from my home network when I’m travelling (and avoiding VPN blocks because my home computer isn’t on a known VPN network)
And the best part is none of this required almost any configuration beyond (a) installing the software, (b) checking the “allow exit node” box on my home computer, (c) sharing my mom’s computer onto my tailnet.
It really is just useful with minimal fuss.
devilbunny
Yes, although many won't realize it.
I use VPN (usually Tailscale, though I have the Proton subscription package that includes their VPN - mainly useful if for some reason my home internet is slow or out, otherwise I would just TS it) on all public WiFi. My work's remote access blocks logins from outside the US, so if I'm out of the country, my wife and I both need VPN to be able to log in.
Interestingly, while my work's network blocks Tailscale's initial authentication, it doesn't actually block the traffic. I can authenticate my iPad via cell phone tethering or just before I leave the house and it will work when I connect to their network. It's a personal device without any access to their internal network, and I'm using the guest network, so I'm not compromising security to actual work devices. But when I'm stuck up there and I want to stream a movie from my NAS at home, I can.
enos_feedler
Maybe if there was a mainstream reason to connect home machines with their phones. Personal backup, game streaming, etc. I'm not in this camp of believing it but maybe!
dharmab
I had some of my family install Tailscale to access my tailnet. They can watch movies from my collection more easily than using Netflix, and we can share files through the client with a single click. I have other friends using it to play old-school dedicated server games without having to deal with CGNAT/hairpin NAT problems.
Andrew_nenakhov
> I wonder if the average person will ever be willing to install a VPN app on all their devices.
Of course the average person will be willing to install a VPN app: all it takes is a bit of internet censorship, blocking access to their favourite services, and some geofencing, where services limit access to them based on IP address.
Just ask people from China, Russia, Ukraine, Turkey, UK, Germany, etc.
hn_throwaway_99
But what you're referring to as a "VPN app" is something very different than what the parent poster is referring to with respect to what Tailscale is.
When you use services like NordVPN, Mullvad, Surfshark, etc., you're just installing a VPN client, and you're basically just using them as a reverse proxy to hide your IP address (present it as coming from another country). That is the use case you are talking about.
Tailscale is very different. It is about setting up your own VPN so that you can access devices from your home or wherever from the Internet at large in a secure manner.
gz5
I think you nailed it. TS is great but is in a middle ground niche with more targeted alternatives squeezing it from both sides:
1. If you actually need strong security, you are likely to go with open source zero trust or their commercial versions.
2. If you don't need strong security, you will often view VPN an insurance policy (TS simplifies but is still more difficult than 'do nothing').
So you end up with a relatively narrow band of 'use cases' like NAT traversal; semi-privacy; access to private IP hosted services. Enough to sustain a venture funded company?
spr-alex
We've got a tailscale integration that takes care of the security concerns. Set policy to decide what can talk out to the tailscale node and what the tailscale gateway is granted access to. This is especially important when you can't run a tailscale client on the devices you want to connect.
LinAGKar
Tailscale is also crazy unreliable in my experience, at least on Android. It had to be force quit and restarted every day, and even outside of that apps would randomly get connection errors. And they don't seem to care about bug reports. I ended up switching to regular Wireguard, which has since been perfectly reliable.
iamdamian
I'm curious to hear well-informed reasons from this crowd for why we can trust Tailscale given the non-self-hosted part of the architecture? Does it come down to Tailnet locks [1], not worrying that Tailscale will be compromised, not worrying that your home network is worth compromising, or something else?
stego-tech
Call me Cappy Paranoid, but I fall into the camp of "You should never trust a service provider, ever," and build infrastructure accordingly; I believe this falls into an extreme interpretation of "zero trust".
So while also implementing Tailnet locks and other security measures to constrict traffic flow, I'd also consider going a step further by only permitting server or resource access based on client certificate validation (in other words, a client that's missing a trusted certificate is rejected from even attempting to initiate AuthN); that way even if your Tailscale network is compromised somehow, untrusted clients and endpoints can't make inroads into your infrastructure as easily.
Is that a gigantic PITA to implement? Oh heck, you betcha it is, and I doubt 99% of folks need to go that far with their homelabs or home services. Still, that'd be my approach to zero trust - trusting Tailscale only so far as enabling virtual networking, but not blindly trusting traffic coming over that network at any point.
codetrotter
> Is that a gigantic PITA to implement? Oh heck, you betcha it is
I use my own self-hosted Wireguard VPN server. I agree with a lot of what you were saying about client certificates etc. And I plan to eventually do that sort of thing on some of my services in my own Wireguard VPN too.
But in terms of Tailscale, if you are going to set up all kinds of client certificate things that will take a lot of time and effort, why not self-host Wireguard also?
Setting up a Wireguard server is super simple. The only couple of things that complicate it a tiny bit is opening up a port for it for inbound connections if you host it from your home connection rather than a rented server, and managing the Wireguard public keys that are allowed to connect.
But if you are going to do a whole client certificate setup on top anyway, the work of setting up your own Wireguard VPN is small in comparison.
Unless like OP your ISP has put CGNAT on you.
stego-tech
> But in terms of Tailscale, if you are going to set up all kinds of client certificate things that will take a lot of time and effort, why not self-host Wireguard also?
Already do! I tried Tailscale initially, but ultimately decided to put in the effort of a proper Wireguard setup. It's how my personal devices always get back to my home LAN, and then exit to the internet; it's also how I make sure every DNS lookup hits the Pi-Hole, for domain blocking wherever I am.
I emphatically recommend learning WireGuard (and to a lesser degree, VPN Concentration) when practical and possible. Until then, Tailscale is an excellent product.
selfhoster
> Unless like OP your ISP has put CGNAT on you.
I run Wireguard on a VPS and route public traffic with it over Wireguard to my home machine.
Are you saying my ISP must not be CGNAT or else it wouldn't work?
HumanOstrich
> Call me Cappy Paranoid, but I fall into the camp of "You should never trust a service provider, ever," and build infrastructure accordingly; I believe this falls into an extreme interpretation of "zero trust".
That's not what Zero Trust means, at all.
stego-tech
…which is why I qualified it with the phrase, “extreme interpretation of”, and made sure to encapsulate “Zero trust” in quotes to make it clear I wasn’t being technically literal in my description. Grammar and punctuation matter when you’re deliberately misusing a known term as a metaphor to make a point.
That being said, the core concept of ZTA is that no user or device should be trusted by default. So yes, my statement is still generally correct even if it’s not how the term is often or commonly used.
tjoff
Then why go with tailscale in the first place?
There is Slack's Nebula and other options that are completely self-hosted from the start.
Feels like such a weird hype around tailscale.
stego-tech
I feel like a lot of hype around Tailscale is because it vastly simplifies VPNs and their associated networking, especially for businesses, startups, or homelabs where the focus might be elsewhere or specific talent is unavailable. The problem arises when folks don't quite understand why specific decisions are being made, or use the product in nonstandard (or even negative) ways. I've seen stories of folks deploying Tailscale on every machine in their LAN, thinking that secures their traffic; using it to cross boundaries in the firewall or router between secure and insecure VLANs; and using it to connect to servers in lieu of a proper router or firewall with appropriate ACLs.
Tailscale is an excellent piece of software, provided it's implemented in a way to emphasize security, and not weaken it. In OP's case, being used as an accessibility aid to a system that couldn't be secured any other way while preserving external access (in their case due to CGNAT) was an excellent use of Tailscale.
xarope
I self host tailscale with headscale [0].
kajecounterhack
They have nice clients (e.g. for MacOS, Tizen). Ofc headscale is a thing, but if you have a company, it's also nice to have someone to yell at if your mission-critical tailnet suddenly b0rks.
Imo they don't charge all that much relative to their value, depending on who you're asking.
throwawaymaths
Have you ever managed a tailnet? It's so easy.
HPsquared
If you can't trust service providers, you probably also can't trust software suppliers.
kortilla
Not the same. In particular you don’t need to accept software updates from software suppliers and you can also require source code or use open source.
This stuff was obvious and standard in the 80s-2000s. It’s only in the last 15-20 years that it became acceptable to get updates shoved down your throat.
Service providers can cut off your access any day.
Software providers cannot unless you’ve given them a live update channel direct to your env.
stego-tech
I mean, yes? It's why Zero Trust is growing as an operations model. Supply chain attacks, vendor hostility, zero days being hoarded by nations and bad actors for exploit, the list goes on.
You emphatically cannot trust vendors, suppliers, users, software, systems, or governments. Ergo, your infrastructure should be built with an appropriate risk assessment in mind, and have proper safeguards in place where feasible. That's just good OpSec.
drdaeman
Definitely not true. You can audit software (it could be not easy, but ultimately doable) and skip the updates until you have capacity to audit those. You can't audit a third-party service, no matter what you do.
hamandcheese
> I'd also consider going a step further by only permitting server or resource access based on client certificate validation
This is where I'm the most curious on what Tailscale will do next. So far all their products seem to contrast at the IP level, but for enterprise use cases there's a real need for application level protections as well. Cloudflare Access is a great example of what I mean.
oDot
Yes. The best way to avoid trouble is build redundancies to it, rather than refine the troublesome part to no end
xmichael909
Why wouldn't you just not use Tailscale? What you are describing here is, ....
some-guy
I use Tailscale a lot. I don't fully trust anybody but I trust them more than I trust myself to set it up properly.
sgc
Use headscale: https://headscale.net/stable/
haswell
What are the primary downsides of self-hosting this? The top issues that come to mind:
1. Maintaining high availability
2. Dealing with patches/upgrades
But I'm also really curious how likely a self-hosted instance is to be an attack vector potentially more dangerous than using something like Tailscale.
eddieroger
> 1. Maintaining high availability
In my experience as a poor sysadmin (as in, bad), you don't /need/ HA for Headscale because the clients are pretty resilient. I've had my instance go down for a little bit and it's fine. Stale and new connections aren't, obviously, but it will work well enough that you won't realize Headscale itself has gone down until a while after it did.
huslage
You own your attack surface at that point. Tailscale/Headscale is a matchmaker and key broker for the most part, the clients almost always (barring NAT issues) connect directly to one another. The normal security considerations apply as with running any service.
mbesto
The data sent from one node to another doesn't pass through TS's infra.
I basically just see Tailscale as an auth paradigm for managing wireguard keys.
sureglymop
I don't really understand this though.. The key exchange is perhaps the most important aspect.
Just hypothetically, what if an intelligence service records your encrypted traffic and also happened to get AWS to mitm your communication with the tailscale key distribution server?
Doesn't really matter if most of your traffic doesn't use their infrastructure if the most important parts of it do.
showerst
If your threat model includes intelligence services and mitming AWS you should not be using tailscale, and you would hopefully already know that.
mbesto
> Using Tailscale introduces a dependency on Tailscale’s security. Using WireGuard directly does not. It is important to note that a device’s private key never leaves the device and thus Tailscale cannot decrypt network traffic. Our client code is open source, so you can confirm that yourself.
https://tailscale.com/compare/wireguard
My understanding is that (in theory) the only way this is possible is if the attacker introduces a new node and then connects to other nodes that are in the tailnet. What you're suggesting is that a single node that is connected to the other nodes gets compromised, but this isn't possible without already being able to compromise that specific node. Alternatively, if someone hacks Tailscale itself, the only way they could get access to any nodes would be to add their own node, but if you have alerting set up you would know and you could shut down the attacker.
idatum
I still find SSH adequate for connecting to a home server remotely. I don't have the CGNAT terrible problem but I also don't do any port forwarding on my home router.
Instead, I have a VM running on a cloud provider that I SSH to from an OpenBSD box inside my home network. The SSH connection establishes a reverse SSH tunnel. This opens a port on the cloud VM to tunnel to my OpenBSD sshd port.
With the reverse proxy to my home OpenBSD box established, I can use the SSH jump box option, -J. I connect to the cloud VM and "jump" through the tunnel to the OpenBSD box at home. You can even specify multiple jumps if I need to connect to another machine in my home.
I can also set up a local tunnel through that jump for things like connecting to my Home Assistant server from my remote laptop or phone.
I only have to trust my cloud provider.
sfink
If I'm understanding correctly, this will break whenever the IP address of your tunnel changes. You'll have to reestablish all of your connections.
My use case for tailscale: have an SSH (or other) connection to my home server while working from home. Drive to a coffee shop, register on their network, and continue using the same connection. (Or hotspot, if I'm somewhere without Wifi.)
The IP address of my server does not change. When at home, the packets do not leave my home network. When out and about, they do.
It's magic to me. I set up a sophisticated (read: overkill) SSH tunneling setup previously, using Match rules in .ssh/config to autodetect the network I was on so that `ssh myserver` would always go via the correct route. But my connections were still interrupted when I switched, and I'm not good enough at networking to do any better.
(I guess this is what Wireguard is for? I could access my server via a fixed IP address on my machine that goes to a tun device, and that would send the packets to the actual server if nearby otherwise hand off to the carrier pigeons? Is that what the tailnet is doing? I don't understand how packets get intercepted by tailscaled, though I do see a tailscale0 device. Is that just a vanity license plate version of tun0? Why does `ip route show` give me only routes through my actual devices, then? Never mind, this isn't a helpdesk. I'm just getting old and stupid, I think.)
harrall
For me, Tailscale is worth the trouble of not maintaining my own Wireguard setup.
Everything on my home network is set up as if it were public-facing.
felbane
This baffles me. What's to maintain? I've been running wireguard for years and never had to do anything except scan a QR code when I get a new phone.
By "as if it were public facing" I assume you mean locked down as much as possible using either router or host-based firewall rules?
harrall
By locked down I mean everything requires authentication (and authorization), everything is containerized, and I have fairly strict firewall defaults.
Let me explain what I mean by low maintenance...
I was a very early containerization adopter and set up a company and also my home network using Docker around 10 years ago. I chose Docker because I thought it was reasonably polished and was the future of deployment. Even though the landscape keeps moving with changes in Kubernetes, Helm, Rancher and stuff like that, the actual Docker part hasn't changed in 10+ years so I haven't had to change my setup for a decade. Low maintenance for me is software that can be left mostly untouched (except for minor updates) for a long time and I judge that based on the project's future, which for me is partly judged from a project's polish.
Every time I tried WireGuard in the past, it didn't seem so polished. I don't want to waste time learning something that could go away. On the other hand, not only did Tailscale look pretty well set up, it was pretty much click and run which means that even if it were to fail, I would have not lost any time learning much about it.
So low maintenance for me is "get the most out of as little work as possible" and choosing Tailscale was the decision to achieve that. So given that I've been using Tailscale for 1.5 years with near 0 amount of configuration and so far, no real downtime, it is adequately low maintenance.
selfhoster
> Everything on my home network is set up as if it were public-facing.
That's Wireguard, I have the same, just Wireguard + VPS, everything I want available that is. I don't put every PC on my home network on the VPN, I could though, pretty easily.
phito
Yeah, I don't understand how it is so prevalent in the self-hosted community. I would never install this on my server, just use wireguard/openvpn ...
edit: okay, CGNAT
gabeio
> Yeah, I don't understand how it is so prevalent in the self-hosted community.
Not just CGNAT but not having _any_ external ports open can be a beautiful thing. I used to have an ssh port (not on the standard 22) and the amount of auth attempts back then was insane. I now have a full firewall zero open ports but, thanks to tailscale, I can still safely access my machines while not being at home with zero unauthorized attempts.
And since I am a security person, I use the tailscale lock feature so not even tailscale themselves can add nodes to my network. Even if they had a breach.
I am a very happy customer.
Carrok
If you're using only key-auth and have password auth disabled, I'm not sure why unauthorized attempts are a problem.
sureglymop
If you're a security person, can you explain why a centralized key exchange server is needed at all? If you care about security you have to verify every nodes key anyway...
Also, it seems their infrastructure runs on AWS, not exactly confidence inspiring from a censorship/privacy risk standpoint.
I think tailscale also doesn't provide transient quantum resistance. Wireguard traffic can be made quantum resistant with a PSK. I fail to see why one would use Tailscale over just wireguard other than for "convenience" reasons which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn.
GauntletWizard
I trust Tailscale with my network traffic. I also trust a $50 cheap chinese 10G switch that I bought off amazon with a terrible and surely insecure management interface. Which is to say - I don't, but I don't need to trust it far.
I do have enough trust in their client that's installed on my machine to believe that it's not actively malicious. I do trust that I can find my other devices, and trust tailscale to keep a list of them, and not randomly add other devices that I don't know, but I don't have perfect trust of that. All my internal services are still E2E encrypted over the Wireguard link; They run HTTPS with an internal cert authority. There's not ports open on them that shouldn't be, and while it's possible that one of them still gets popped, it's much less likely.
tsujamin
The tailscale.com/tsnet package in Go [1] is really useful if you've not looked at it before: you can make single binary HTTP or whatever servers that are only exposed inside your tailnet.
Their golink project [2] is a good example (and useful itself), but I've used it to build "peer to peer" comms for one application, and to host an API and Svelte SPA to control some other things in a tailnet.
b_fiive
If you're a rust fan we make a similar library, that's all-in on "p2p-QUIC", with pre-baked protocols to import on top: https://github.com/n0-computer/iroh
tsujamin
That’s super cool, I was going to say “nat punching and public relays are a requirement for me” but you already do that! Definitely filing this away for future projects.
mafro
I've been using tailscale/tailscale-caddy[1] successfully to serve applications only on my tailnet. It says highly experimental, but it's worked just fine for me.
ksajadi
Absolutely. You can run a go process that becomes a Tailscale client without any other dependencies. This is what I use it for issuing JWT for service authentication: https://github.com/AltaCoda/tailbone
xlii
How difficult is it to use? Right now I’m working on orchestrating dev-local service clusters where I bind plenty of hosts to mimic the real world. I’m using proxy tunneling to punch in but I’d love to have a Tailscale endpoint which I could use to connect external devices (like mobile clients or non-technical stakeholders for show and tell).
tsujamin
It’s pretty simple, I’ve not updated my package version in a while but iirc you give it a state directory, an auth key, and you get a Dial-like interface you can use with the stdlib http libraries
aranw
I've been using Tailscale for awhile now and even developed a few internal apps using tsnet as well but I had no idea about golink and it's awesome. Thanks for sharing that!
gabeio
You don't actually need tsnet for that. tailscale cli itself running the subcommand serve will allow you to share a specific port on your machine either with your tailnet or use funnel and share it out to the internet.
I pulled tsnet out of my go application and switched entirely to `tailscale serve` and just use the header that adds to auth my family into apps I write. I love it.
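The identity header gabeio mentions is `Tailscale-User-Login` (alongside `Tailscale-User-Name`), which `tailscale serve` adds when it reverse-proxies a tailnet request to a local backend. The catch for a defender is that the header is only meaningful if the request actually came through that proxy: a backend that listens on a routable address and trusts the header blindly can be fed a forged one by any peer that reaches the port directly. The following is an added example (not gabeio's code and not part of the Tailscale project) of a stdlib Go backend that binds to loopback and accepts the header only from loopback; the listen port 8080 and the allow-listed logins are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// Identity headers set by `tailscale serve` when it proxies to a backend.
// They are trustworthy only when the request really came from that proxy.
const (
	hdrLogin = "Tailscale-User-Login"
	hdrName  = "Tailscale-User-Name"
)

// allowed is a constructed allow-list of tailnet logins (hypothetical values).
var allowed = map[string]bool{
	"alice@example.com": true,
	"bob@example.com":   true,
}

// isLoopback reports whether remoteAddr ("host:port") is a loopback address,
// i.e. the request arrived via the local serve proxy rather than directly
// from some peer on the tailnet.
func isLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// identityFromRequest returns the tailnet login for the request, or an error
// explaining why the request must be rejected.
func identityFromRequest(r *http.Request) (string, error) {
	if !isLoopback(r.RemoteAddr) {
		// Anything not relayed by the proxy could carry a self-chosen header.
		return "", fmt.Errorf("request from %s did not come through the local serve proxy", r.RemoteAddr)
	}
	login := r.Header.Get(hdrLogin)
	if login == "" {
		return "", fmt.Errorf("missing %s header", hdrLogin)
	}
	if !allowed[login] {
		return "", fmt.Errorf("login %q is not on the allow-list", login)
	}
	return login, nil
}

func handler(w http.ResponseWriter, r *http.Request) {
	login, err := identityFromRequest(r)
	if err != nil {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "hello %s (%s)\n", r.Header.Get(hdrName), login)
}

func main() {
	// Loopback-only bind: the service is reachable solely through
	// `tailscale serve --bg http://127.0.0.1:8080` (port is an assumption).
	http.HandleFunc("/", handler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Binding to 127.0.0.1 and checking `RemoteAddr` are two halves of the same control: the first keeps direct tailnet peers off the port, the second makes the code refuse the header even if someone later changes the bind address. Note that these headers are set for tailnet traffic only; a service exposed with `tailscale funnel` sees no identity and should not be written as if it did.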
tsujamin
funnel and serve are also awesome, but in this case the use case necessitated a single binary that worked without the full package installed/didn’t touch the routing table or tun device
gabeio
Ah if you truly need a single binary, yes it is nice.
I had some issues with builds every once in a while, which is another reason I switched to using tailscale serve instead.
apitman
See also OpenZiti: https://openziti.io/
Trumpi
I was once in South Africa and needed to look up my prescriptions in the CVS app. I had lost my pills and needed to show a local pharmacist what I needed. CVS geoblocked me. Luckily I had a TailScale exit node running at home, which solved the problem.
danudey
I was on a cruise ship a few weeks ago and realized that, instead of being throttled, a lot of sites were completely blocked. Very irritating. They also do DPI on the cruise ship network so that VPN clients like OpenVPN are blocked regardless of port.
Without a laptop handy, I had to use my iPhone to set up a droplet running Ubuntu, then install vray onto it and configure it to run on port 443. vray uses "standard" SSL to tunnel connections, so to DPI it just looks like normal HTTPS traffic and I was able to pass traffic through the firewall when I needed to access something that was blocked. It makes me wonder if TailScale would also bypass their analysis, or if it would be blocked as well.
(I didn't abuse this to the detriment of the network, and I did pay for the "streaming package" on sea days when I had a lot of traffic to run)
kdmtctl
Wireguard is easy to block. Some VPN providers do implement an obfuscation layer for it, but Tailscale uses plain WG, so if WG is blocked, you will get no connection. Control plane would still work, though.
devilbunny
Intriguingly, my work network (both guest and employee networks) blocks OpenVPN, commercial VPN (Proton I use, plus a couple of others I tried just as an experiment), and Tailscale authentication, but if the device is already authenticated to the tailnet, it will continue to work. Turns out that work uses the same ISP my home does, so perhaps that's part of it, but I have another TS exit node running at my in-laws' house (so I can remotely maintain their network, and so I can get out to the Internet via TS even if my home is down), and they're in another state with a different ISP.
I haven't actually tried this when my home service is down, because it's basically never down, but I can easily switch exit nodes when they are both running without hitting the authentication servers again.
nl
I've run an SSH server on port 443 to bypass blocking before. Probably wouldn't work if they are _actually_ doing DPI, but a surprising number of networks don't - they just have blocklists and only support port 80 and 443 access.
abdullahkhalids
Tor Browser should have worked with the right bridge or proxy.
deadbabe
Why not just use Shadowsocks?
deuschelandian
When I was in Germany, Capital One blocked access to my account unless I confirmed via SMS or by tapping my card, neither of which I had with me.
Tunnelling into my home machine I was able to access the account and transfer money I needed.
Sure a VPN might be able to do this too but it’s nice being able to exit via a connection you control.
I can also watch Plex movies without exposing ports.
codethief
Another data point: I was at Doha airport recently and logged into their public WiFi. Unfortunately, they seemed to be MitM'ing certain connections, mostly to well-known domains. To work around this, I tried setting up Mullvad (which I had used occasionally in the past) but they downgraded Mullvad.net to HTTP, too. Thankfully, I had Tailscale already set up and I could easily book their Mullvad package and add Mullvad as an exit node to my Tailnet. Problem solved.
HPsquared
Alternative: OpenVPN server on your router.
gabeio
> OpenVPN server on your router.
Honestly I would suggest wireguard on your router before openvpn.
deuschelandian
That’s all Tailscale is really.
import
10 times slower than Wireguard
vermilingua
miyuru
Thanks, I am also getting this unusual error on blog.6nok.org.
"This Deployment is paused by the owner.
Your connection is working correctly.
Vercel is working correctly."
tills13
Maybe a cost based trigger on the vercel project?
frontsideair
Exactly, I had a spend limit since I didn’t want to break the bank. It’s back up now.
o1o1o1
I'd be very interested, is there someone who could elaborate please?
I'm terrified using a service like Vercel because I heard about the massive cost trap that can hit you hard and I don't know if there is any alternative for (easily & quickly) hosting NextJS apps.
simonw
I used Tailscale the other week to solve a problem where a government website was blocking me from scraping it from GitHub Actions... so I ran an exit node on an Apple TV on my home network and configured the GitHub Actions worker to use that instead. Worked great! https://til.simonwillison.net/tailscale/tailscale-github-act...
EVa5I7bHFq9mnYK
I remember Hamachi did the same as Tailscale in the 90s, we used it to play virtual LAN DOOM. Greed killed it.
adamors
Hamachi was amazing, one of the best, most focused apps I've ever used. We were kids but it was still easy to use. Then they were bought by LogMeIn and it was killed unceremoniously.
Also, it's old but not 90s old: https://swapped.cc/#!/hamachi released in 2004 actually.
dugmartin
The Hamachi UI and UX were great. I was very sad when it got bloated and then killed like a beached whale. I just looked and I guess it lives on as a whalezombie at https://vpn.net/.
kdmtctl
This is ZeroTier territory. Not as polished as Tailscale, but provides L2 like Hamachi and has been bulletproof for years already.
pushcx
I remember XBConnect and GameSpy for playing Xbox Halo 1 over the internet. I think a couple were invented for every big game or console before 2010 or so.
Tailscale doesn't really address connecting to strangers, though.
xyst
I completely forgot about Hamachi. Remember using this as a teenager for creating private xbox lobbies over the internet
TacticalCoder
Not identical, but in the 90s, to play Windows games that only had a LAN mode over the Internet, we were using Kali: https://en.wikipedia.org/wiki/Kali_(software)
This allowed us to play Warcraft II with random strangers: RTS games over the Internet... Felt like the future!
rrrx3
So many good memories from Kali!
9dev
We’re using Tailscale for our internal network, and it’s amazing. We’re a team distributed across multiple countries, and with Tailscale, it’s like we’re sitting in a single office, connected to the same router. And on top of that, we get centrally managed ACLs for everyone, TLS certificates, and SSO with Microsoft accounts. Amazing stuff!
My main gripe, though, is DNS. It's great to be able to reach prod-db-1, prod-db-2, and prod-db-3, tag them as "db" and create a rule to allow TCP on db:5432. However, it's annoying that all of this is supported, but not the obvious extension - DNS records for the tags, so I can point apps to a group of servers belonging to the same tag.
rudasn
I don't get it. `db` should resolve to all host IPs? Wouldn't a load balancer make more sense in that scenario?
9dev
Consider `db` resolves to multiple A records:
db. IN A 100.64.123.1 # prod-db-1.
db. IN A 100.64.123.2 # prod-db-2.
db. IN A 100.64.123.3 # prod-db-3.
This is good for service discovery (e.g., you can configure something like RabbitMQ to discover cluster members from an A record), and it's nice for browsers, which will pick one host at random when connecting, which effectively is load balancing.
In a usual setup, the problem is that if a host goes down, clients will still try to reach it because it's still in the DNS record; but with Tailscale, the "DNS" is generated by the local Tailscale daemon on the fly, so you get a live view, and if this was implemented, it would be possible to only return available servers for tag queries.
bcye
I noticed that limitation quickly too. My solution was to just point A records on my domain to the tailscale internal ip and use the let's encrypt wildcard certificate my registrar (porkbun) provides out of the box.
vluft
yup, I ended up implementing that myself via a coredns extension that does DNS for both tags and hosts. obviously not zero effort, but it ended up being quite straightforward, and has been working flawlessly since then.
cess11
Similar to how you would use keepalived to get a virtual IP and broker between addresses under it?
9dev
Yes, but with all the benefits of Tailscale nodes—automatic DNS resolution, ACLs, and TLS certificates out of the box, and so on. The building blocks are all there, it’s just that nobody has built the feature yet.
melson
We can also try to selfhost this https://github.com/openp2p-cn/openp2p
stego-tech
I've harped on some Tailscale implementations before for what I perceived to be nonsensical or bad approaches, but this one is an excellent example of its capabilities. In no particular order:
* It's not reliant on port forwarding at your firewall
* It can get around bad ISP habits, like CGNAT or a lack of IPv6 (or IPv4)
* As the OP points out, it's broadly compatible with various forms of exit nodes
Straightforward and to-the-point. Great writeup.
smackeyacky
My favourite use of tailscale:
I have a bluetooth gateway (Cassia X1000) in my workshop where I normally develop. I was at home doing some Android work at one point rather than at the workshop and needed to test some new Cassia functionality.
Tailscale exit node in the workshop.
Tailscale client on my linux dev laptop at home.
Started up the android emulator via Android Studio, connected to the Cassia via the app being debugged, debugged what I needed to, shipped it.
At the time it seemed like actual magic had happened.
Tailscale is one of my favorite companies. They're clearly on to something. Here's a great post by their CTO explaining a lot of the motivation and vision behind it: https://crawshaw.io/blog/remembering-the-lan
IMO the main outstanding questions/concerns are:
* Is the VPN model really the way to go? If someone gets their hands on one of your Tailscale nodes, they can access every service on your tailnet, which are likely running with reduced security since that's a huge part of the appeal. This is exactly the situation BeyondCorp/Zero Trust was created to avoid. Tunneling services[0] are more of a Zero Trust approach, but they can't match the seamlessness of Tailscale once a node is connected to the tailnet.
* Can it expand into the layman market? I wonder if the average person will ever be willing to install a VPN app on all their devices. On the flipside, I could see TS partnering with someone like Google to integrate TS tightly with Android and set up a private network between all your Google-signed-in devices.
* The relay system - DERP is nice, but it's primarily intended for signaling/fallback. It feels like CGNAT adoption is growing faster than IPv6 is, and I wouldn't be surprised if fewer and fewer p2p connections succeed over time[1]. DERP forces everything over a single TCP connection (HOL blocking), and I'm not sure it even has any flow control.
* Use in web browsers - They got a demo of this working, but it's pretty involved. You have to compile the entire Tailscale Golang library to WebAssembly which is a large artifact, and it's DERP-exclusive.
* Portability in general - Depending on WireGuard, as awesome as it is, is fairly limiting. You either need admin privileges to create the TUN device, or you need to run an entire TCP stack in userspace alongside your own WireGuard implementation. I'd be interested to see something like Tailscale implemented on top of WebTransport.
[0]: https://github.com/anderspitman/awesome-tunneling
[1]: https://tailscale.com/blog/how-nat-traversal-works
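An added illustration, not from the thread or from Tailscale's own documentation, of the ACL point made in the db:5432 comment earlier and of the "one compromised node reaches every service" concern in the list above: the allow-all policy a new tailnet starts with, beside a tag-scoped policy that limits what a captured node can reach. The tag names `tag:app` and `tag:db` and the group assignments are constructed for the example.

```json
{
  // A fresh tailnet ships with this single rule: every node reaches every port
  // on every other node. That is the blast radius the list above worries about.
  // "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],

  // Who may apply each tag to a node (constructed: only admins here).
  "tagOwners": {
    "tag:app": ["autogroup:admin"],
    "tag:db":  ["autogroup:admin"]
  },

  "acls": [
    // App servers may open TCP 5432 to any node tagged db, and nothing else.
    {"action": "accept", "src": ["tag:app"], "dst": ["tag:db:5432"]},

    // Only tailnet admins get SSH to the servers; a captured app node does not.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:db:22", "tag:app:22"]}
  ],

  // Policy tests run whenever the file is saved; a failing test rejects the save,
  // so an edit that accidentally widens access is caught before it takes effect.
  "tests": [
    {"src": "tag:app", "accept": ["tag:db:5432"], "deny": ["tag:db:22", "tag:app:22"]}
  ]
}
```

With the default rule removed and only the tagged rules in place, a node tagged `app` that is compromised still cannot reach SSH, the other app servers, or any untagged device on the tailnet.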