I love Tailscale posts, but I don't feel like the slide -> blog conversion has gone very well here. It reads more like a Twitter thread. In one of the slides, they even admit the imagery is sloppy, but do nothing to supplement it with a better one.
Love both Tailscale and Xe's writing as well, and indeed, all these (rather irrelevant) images are just breaking the flow of reading/skimming the content. I guess I'll just watch the video instead.
I see a lot of mention of folks of using tailscale for their friend group to access stuff.. but the free plan seems to max out at 3 users, with an exception for foss projects.
What am I missing? How do I use tailscale for my 10ish friends and me to play minecraft without paying hundreds a year?
Tailscalar/talk author here. Set up a GitHub org. That has a 25 user limit for free. That's what my husband and I use (our tailnet predates the new free plan details here: https://tailscale.com/blog/pricing-v3/).
I’ve been playing with Netbird lately and it’s been working well. They have a free plan for up to 20 nodes, and a self hosted option if you want to eject from their cloud offering.
Yeah having all my users have to be on github or sign up for a third service is a non-starter, but plain wireguard is just a bit much. Netbird looks like a good path.
Could be I'm old, but I read the beginning, recognized the problem like YES that is hard... and then ended up reading about solutions that just made it all even more complicated?
An interesting article overall, but I think authenticating a user based on their IP address is probably the worst security advice I've seen. It's probably ripe for attack with ARP poisoning, IP spoofing, etc.
It only authenticates it _after_ all the WireGuard bits. So it's not really auth by IP address, but auth by wireguard key identity, from which we know your identity. There's no IP spoofing possible. And ARP isn't even in the picture for an L3 protocol.
You can configure ACLs. By default devices that aren’t tagged with an ACL tag are available to other devices authenticated by the same user. If you tag a device, you have to write explicit ACLs to permit access from other users/devices.
23 comments
[ 3.8 ms ] story [ 92.7 ms ] threadWhat am I missing? How do I use tailscale for my 10ish friends and me to play minecraft without paying hundreds a year?
Yeah having all my users have to be on github or sign up for a third service is a non-starter, but plain wireguard is just a bit much. Netbird looks like a good path.
All: please focus on the content now. (See https://news.ycombinator.com/newsguidelines.html re "tangential annoyances—e.g. article or website formats [etc.].")
Edit: looks like that's now the version at the official URL so I will cause this comment to plummet to the depths.
It only authenticates it _after_ all the WireGuard bits. So it's not really auth by IP address, but auth by wireguard key identity, from which we know your identity. There's no IP spoofing possible. And ARP isn't even in the picture for an L3 protocol.
A malicious game on my phone can't ssh to my server if I do normal authentication, but with this IP/WG authentication it can...