2 comments

[ 3.0 ms ] story [ 15.9 ms ] thread
The primary reason why I haven't started using Tailscale yet is there was no easy way to enable one-way connectivity on some machines without paying for ACLs ($20/mo minimum).

For example, I want my primary PC to be able to access all remote Tailscale servers, but I don't want any of them to be able to access my PC. It's now possible. From their newsletter I just got:

Tailscale v0.99 & Shields Up About a week ago we released Tailscale v0.99 (full release notes). v0.99 includes more bug fixes and a new feature we’ve been calling “shields up.”

Tailscale can be used many ways, but it’s commonly used to connect to web servers, Raspberry Pis, build servers, or other headless “utility” devices.

You want to connect to these devices, but just because they're on your network doesn't mean you don't want to let these devices connect to you.

This new feature lets any device put its “shields up” and reject all incoming connections over Tailscale. Outgoing connections will still work fine, so your personal computer can continue to SSH to your servers who don't have their shields up, but all incoming connections will be blocked.

You can enable this feature from Tailscale's menu bar icon, or by using --shields-up flag on Linux.

Read more about “shields up” here

(Network admins can enforce network-wide connection restriction, including blocking specific ports or allowing particular user groups with our ACL features)

https://github.com/tailscale/tailscale/releases/tag/v0.99.0

https://tailscale.com/kb/1072/incoming-connections

https://tailscale.com/kb/1018/acls

What's wrong with using vanilla WireGuard? I tried this Tailscale recently and it was a huge mess. It destroyed WireGuard's throughput compared to the kernel implementation and the CPU usage was like I am running a game along with the excessive logging in systemd. One of the worst software I've ever installed on linux.