7 comments

[ 3.0 ms ] story [ 32.0 ms ] thread
A few problems I’ve had with WireGuard:

- it’s very obvious and easily blocked

- requires a server with a public IP (unless you use something like tailscale but then they can see your traffic)

I’ve been thinking about using STUN discovery servers (or syncthing’s) to negotiate a tunnel between two devices inside a NAT and run v2ray over that. In China, there was a short period where the city I was in blocked all traffic out the country (e.g. even example.com was blocked). In such scenarios, it should be possible to abuse syncthing relays to hop to a less restrictive environment (say to another province that doesn’t have as heavy censorship. Been trying to hack something together but would love it if something already exists (lmk)

I thought tailscale could not see your traffic -- that they essentially functioned as a known "reachable" address that keeps track of the current addresses for your devices, and when you connect they help point your devices at each other, which then blindly fire UDP at each other, which opens up your firewall for incoming replies, allowing your devices to connect directly.

So in short, I thought they basically just helped your devices find each other (and connect to each other directly), not currying any of your traffic. Which is how they can give people so many free devices (100 currently) -- because it doesn't really cost them any work / network load.

Also your devices connect directly over your LAN if possible, which goes against traffic flowing through them.

Please let me know if my mental model is wrong here, I'm certainly no network engineer.

You are correct. Your traffic is routed peer to peer (There are relay nodes available in case your devices fail to find each other. You can disable these in the config if you wish to do so.). All tailscale provides is an api to let your nodes find each other. However, the concern of the community is that tailscale generates an knows all your wg keys. In theory they could look at your traffic. Personally, I use tailscale happily.
You mean Tailscale generates a hidden master key to which all traffic is encrypted?

This would be a joke back door!

Any link to discussions around this?

The tailscale client generates WireGuard key pairs, but only sends public keys to the control plane. The private keys remain on the device only. With only the public keys, tailscale control plane cannot snoop on your traffic.
scrollbar-width: none;

I do not like that web pages can hide the browser's controls.

Like most tutorials I've seen this lacks on the AllowedIPs part on the client's peer. First of all it creates routes on the client side and secondly you can configure this quite a lot by giving it a comma separated list of networks or giving it a route-all by using 0.0.0.0/0

Not that is configured on the client side, if you don't want the client to mess around in your server's network beyond certain IPs, then you need to add a firewall on the server.