I love tailscale, but the performance overhead on file transfer (my primary use case for it) is very real.
Samba transfers take a 15 megabyte per second hit over tailscale even with a fairly fast CPU on both ends (Ryzen 3600 and Ryzen 7900X3D) on my local network
Try netbird, it's the same idea but with support for using kernel-mode WireGuard when one of the peers is able to connect to another one directly without doing NAT tricks (so either both peers are on the same subnet, or at least one of them has a public IP).
WG is quite fast. Can’t be the limiter. Like this guy I’ve driven 1 G easily on 7950 and Epyc 9654. I think I did 10 G but I can’t recall because at some point I just moved everything local and did 40 G. But I’m sure it would work on CPU on reasonable machine
A very likely culprit is the packet encapsulation changing things for the worse. An informative test would be to tcpdump (wireshark, etc) the packet stream with and without tailscale. Look at packet sizes, etc.
The overhead shouldn't be 15% but there could be some weird interaction with the link MTU for the VPN causing, e.g., smaller packets to be sent with more overhead.
15 MiB/s is trivially handled by any CPU you're likely to run. Indeed 100 MiB/s seems reasonable. 15 MiB/s cap seems either the protocol being used is doing too many round trips (assuming the machines you're testing with are far apart) or the network that's being set up requires routing through Tailscale's infra for hole punching.
It sounds like the traffic gets routed through a Tailscale relay because all attempts at direct connection failed. A direct connection would have been as fast as a direct connection.
Ok a 12% differential on a LAN is kind of surprising. I wonder what Tailscale could possibly doing that would be causing this issue because aside from the control plane I don't believe they're in the data path all that much. Maybe WireGuard on Windows isn't as optimized as it is on Linux?
IME it adds about (at least) 1ms of latency over local networks. You should be able to use a different dns suffix to use the LAN interface instead of Tailscale.
The features here seem to be fairly standard with most the WireGuard based VPNs these days. For example, I use Nord for my use-case which is very similar to the author's. This allows me to rsync my home directory between my laptop, tablet, phone's Termux env, and desktop (all running Linux) to maintain configuration parity and file locality regardless of where I turn these devices on, so long as they have internet.
Does Tailscale have features that set it apart now that other VPNs have gotten the private mesh thing down pretty well?
Sorry, I wasn't aware you had objections to proprietary products! After all, this was a thread about Tailscale and alternatives. :) Many people find it painful to setup a VPN network and prefer a managed solution (e.g. Tailscale instead of Wireguard.) Likewise, people have different understandings of what exactly FOSS means and I'm not deeply familiar with the BSL, so I'm not sure whether it would meet your needs.
Best of luck in your search! Maybe take a look at Tinc or Yggdrasil.
> Likewise, people have different understandings of what exactly FOSS means and I'm not deeply familiar with the BSL, so I'm not sure whether it would meet your needs.
I've tried Nebula before, admittedly a while ago, and it seemed interesting, but much less user friendly than Tailscale. But one of these days I would like to play around with defined.net just to see what other options are out there.
I also tried ZeroTier and was extremely unimpressed, although again that was a few years ago. The performance on single threaded systems was absolutely terrible, which suggests some deeply broken code and made it unusable with a cheap VPS. The paceof development was also pretty slow and the insistence on homebrew crypto was also not confidence inspiring compared to something that used a proven solution like Wireguard.
There's zerotier, nebula like others have managed and also a few more older and fringey ones like tinc and hamachi that basically invented the same concept 10+ years before the rest.
The beauty of it is that you control it. And even scale it to console stuff. For my use, that’s desirable.
That said, I can totally see where a less DIY solution. VPNs fundamentally aren’t novel and there’s nothing wrong with Nord and similar products. (Although I don’t put any stock in the no logging claims)
It just works, literally. I haven’t tried nord, but I’ve got clients on Mac, Linux, windows, rpis, it all just works. I used to run pivpn, but the key exchange magic Tailscale employs is so much simpler and it somehow works on networks blocking unknown packets like the pivpn I had set up on some random udp port.
I use it on android to talk to my synology and a proxmox server at my house from anywhere.
It comes in handy from time to time. I run a "public" subsonic server but I don't have most of my own productions on it, but I can open VLC on android and go to a bookmarked share and play it all there.
Also stuff like NVR camera feeda I can look at over tailscale, too. No "cloud" storage needed.
I wish there was an easy reliable way to do this that didn't involve a for-profit; but until awful things happen I am fine using this for low-friction, trivial network access.
I've used it on Android to stream the occasional video or song from my Jellyfin server while using mobile data. Not bad at all, plus they finally seem to have gotten their battery drain issues under control.
Recently, as I have been traveling through the Middle East and East Africa, I have also used Tailscale on my phone to protect myself on public wifis and to work around MitM attempts, see my other comment further up.
Maybe not if all you're doing is hooking some nodes together. That said, I have personally used these Tailscale features that with a quick glance I don't see Meshnet having:
- ephemeral nodes are super useful for things like attaching a GitHub action runner or a fly.io instance to your tailnet
- Tailscale's ACL system has a ton of capabilities
- getting corporate buy-in is possible, vs trying to get a business to buy into Nord meshnet for actual workloads
I was all on board with WireGuard myself but couldn’t get smb working reliably. Saw someone say they’re had better performance with tailscale and sure enough I can actually use it. It’s not perfect or anything but quite amazing considering it’s still just WireGuard under the hood. Whatever magic configs they have, good job
I was once in South Africa and needed to look up my prescriptions in the CVS app. I had lost my pills and needed to show a local pharmacist what I needed. CVS geoblocked me. Luckily I had a TailScale exit node running at home, which solved the problem.
Another data point: I was at Doha airport recently and logged into their public WiFi. Unfortunately, they seemed to be MitM'ing certain connections, mostly to well-known domains. To work around this, I tried setting up Mullvad (which I had used occasionally in the past) but they downgraded Mullvad.net to HTTP, too. Thankfully, I had Tailscale already set up and I could easily book their Mullvad package and add Mullvad as an exit node to my Tailnet. Problem solved.
I was on a cruise ship a few weeks ago and realized that, instead of being throttled, a lot of sites were completely blocked. Very irritating. They also do DPI on the cruise ship network so that VPN clients like OpenVPN are blocked regardless of port.
Without a laptop handy, I had to use my iPhone to set up a droplet running Ubuntu, then install vray onto it and configure it to run on port 443. vray uses "standard" SSL to tunnel connections, so to DPI it just looks like normal HTTPS traffic and I was able to pass traffic through the firewall when I needed to access something that was blocked. It makes me wonder if TailScale would also bypass their analysis, or if it would be blocked as well.
(I didn't abuse this to the detriment of the network, and I did pay for the "streaming package" on sea days when I had a lot of traffic to run)
Wireguard is easy to block. Some VPN providers do implement an obfuscation layer for it, but Tailscale uses plain WG, so if WG is blocked, you will get no connection. Control plane would still work, though.
Intriguingly, my work network (both guest and employee networks) blocks OpenVPN, commercial VPN (Proton I use, plus a couple of others I tried just as an experiment), and Tailscale authentication, but if the device is already authenticated to the tailnet, it will continue to work. Turns out that work uses the same ISP my home does, so perhaps that's part of it, but I have another TS exit node running at my in-laws' house (so I can remotely maintain their network, and so I can get out to the Internet via TS even if my home is down), and they're in another state with a different ISP.
I haven't actually tried this when my home service is down, because it's basically never down, but I can easily switch exit nodes when they are both running without hitting the authentication servers again.
It's easy to block the control plane because Tailscale has endpoints listing all current control and DERP servers. On Linux you can use a SOCKS proxy for control plane traffic, if connections still work. Some firewalls are really restrictive.
I can understand the work network policy, someone could use Tailscale to leak data, but a residential ISP should not block it. I would rather bother their support for an incomplete service.
My residential ISP does not block it. My issue with work isn’t that they block it on employee WiFi, it’s that they block it on the guest network too. Our nanny software is rather extreme - blocks, for example, alcohol-related sites. Which in a sense is fine, because I don’t need to read up on whiskey at work, but it also often blocks restaurant sites.
I've run a SSH server on port 443 to bypass blocking before. Probably wouldn't work if they are _actually_ doing DPI, but a surprising number of networks don't - just have blocklists and only support port 80 and 443 access.
I'm pretty sure it would work. From my testing, Tailscale works where Shadowsocks, plain Wireguard and any other VPN don't. And it also works to pierce through the great F*W, which was actually really surprising. I suppose Tailscale has DERP and other nodes in Cn too?
Other replies explained the why, though cgnat wouldn’t be a problem if you also had ipv6.
Luckily for me I have a regular ip4 address but if that ever changed I’d be out of luck unless my isp (quantum fibre) implemented a proper ipv6 solution.
That uses 6rd which is typically slow (since it basically proxies through an ipv4->6 bridge), and in my case it worked on their provided router but not with opnsense.
I used Tailscale the other week to solve a problem where a government website was blocking me from scraping it from GitHub Actions... so I ran an exit node on an Apple TV on my homework and configure the GitHub Actions worker to use that instead. Worked great! https://til.simonwillison.net/tailscale/tailscale-github-act...
I have nothing but performance issues with tailscale. On both my iPhone and my iPad it _destroys_ my battery. It uses some 40+ hours of background time in just a few days. On my PC whenever I come back home and tailscale was running, everything is out of memory and not running correctly.
> On both my iPhone and my iPad it _destroys_ my battery.
On my iPhone, I've not even noticed any battery problems whilst running Tailscale 24/7. Are you running it with an exit node that funnels all traffic? I've just got it active for my nodes which might be why it's basically doing nothing.
Just checked on my phone - for the last 24 hours, Tailscale has 5m screen, 22h 45m background for less than 1% of battery usage (as in it shows "-" below the 1% entries.)
Can't remember what the default install is - do you have "VPN On Demand" turned on? That should keep it mostly idle unless you're actually talking to one of your nodes, I think?
I think for simple cases, it's great. If you have remote boxes somewhere that needs administration, it's awesome.
If you have more complex cases, the IPTables/Netfilter rules make it vastly more difficult to manage, particularly if you're running docker-compose (or anything using IPTables rules) on the same box and trying to troubleshoot the packets coming out of docker and going into tailscale.
And then trying to figure out what tailscale is doing with your packets is not great as well. They've also broken features I relied upon with a minor release.
Their nat traversal doesn't always work, as sometimes I get connected to a DERP server, so that limits the network speeds across the internet.
I blame CG-NAT quite a bit -- it's really why we can't have nice things these days -- and I get tailscale is trying to fix a bunch of that. But the reality is, I just want an interface just like eth0 or wl0, not an IT infrastructure to move my packets across.
I remember XBConnect and GameSpy for playing Xbox Halo 1 over the internet. I think a couple were invented for every big game or console before 2010 or so.
Tailscale doesn't really address connecting to strangers, though.
Yes, XBConnect! Nevermind that you threw a grenade in Halo a whole 2 seconds after you pressed the button, you were playing with your friends! Good times.
The Hamachi UI and UX were great. I was very sad when it got bloated and then killed like a beached whale. I just looked and I guess it lives on as a whalezombie at https://vpn.net/.
Hamachi was amazing, one of the best, most focused apps I've ever used. We were kids but it was still easy to use.
Then they were bought by LogMeIn and was killed unceremoniously.
The tailscale.com/tsnet package in Go [1] is really useful if you've not looked at it before: you can make single binary HTTP or whatever servers that are only exposed inside your tailnet.
Their golink project [2] is a good example (and useful itself), but I've used it to build "peer to peer" comms for one application, and to host an API and Svelte SPA to control some other things in a tailnet.
How difficult it is to use? Right now I’m working on orchestrating dev-local service clusters here I bind plenty of hosts to mimick real world. I’m using proxy tunneling to punch in but I’d love to have Tailscale endpoint which I could use to connect external devices (like mobile clients or non-technical stakeholders for show and tell).
It’s pretty simple, I’ve not updated my package version in a while but iirc you give it a state directory, an auth key, and you get a Dial-like interface you can use with the stdlib http libraries
I've been using Tailscale for awhile now and even developed a few internal apps using tsnet as well but I had no idea about golink and it's awesome. Thanks for sharing that!
If you're a rust fan we make a similar library, that's all-in on "p2p-QUIC", with pre-baked protocols to import on top: https://github.com/n0-computer/iroh
That’s super cool, I was going to say “nat punching and public relays are a requirement for me” but you already do that! Definitely filing this away for future projects.
For replacing port forwarding, OpenZiti definitely works. zrok, which is built on top of OpenZiti, could also be a great option for sharing resources - https://zrok.io/
You don't actually need tsnet for that. tailscale cli itself running the subcommand serve will allow you to share a specific port on your machine either with your tailnet or use funnel and share it out to the internet.
I pulled tsnet out of my go application and switched entirely to `tailscale serve` and just use the header that adds to auth my family into apps I write. I love it.
funnel and serve are also awesome, but in this case the use case necessitated a single binary that worked without the full package installed/didn’t touch the routing table or tun device
Absolutely. You can run a go process that becomes a Tailscale client without any other dependencies. This is what I use it for issuing JWT for service authentication: https://github.com/AltaCoda/tailbone
I've been using tailscale/tailscale-caddy[1] successfully to serve applications only on my tailnet. It says highly experimental, but it's worked just fine for me.
Check out OpenZiti - https://openziti.io/. It looks like Tailscale but is open source, takes zero trust principles to its logical conclusion, and includes a whole suite of SDKs (alongside host based tunnelers and VMs) making it super easy to embed private, obsfucated, secure connectivity directly into your apps. Heck, you don't even need listening ports on the host OS network, therefore you app cannot be found or attacked from network/IP. Here is a good blog using Go SDK as an example - https://blog.openziti.io/go-is-amazing-for-zero-trust
I'm curious to hear well-informed reasons from this crowd for why we can trust Tailscale given the non-self-hosted part of the architecture? Does it come down to Tailnet locks [1], not worrying that Tailscale will be compromised, not worrying that your home network is worth compromising, or something else?
What are the primary downsides of self-hosting this? The top issues that come to mind:
1. Maintaining high availability
2. Dealing with patches/upgrades
But I'm also really curious how likely a self-hosted instance is to be an attack vector potentially more dangerous than using something like Tailscale.
You own your attack surface at that point. Tailscale/Headscale is a matchmaker and key broker for the most part, the clients almost always (barring NAT issues) connect directly to one another. The normal security considerations apply as with running any service.
In my experience as a poor sysadmin (as in, bad), you don't /need/ HA for Headscale because the clients are pretty resilient. I've had my instance go down for a little bit and it's fine. Stale and new connections aren't, obviously, but it will work well enough that you won't realize Headscale itself has gone down until a while after it did.
My experience has been the opposite: I have to restart headscale at night because a significant %age of the time when I do, the tailnet goes down. I'd say maybe 30% of the time, maybe more. I'm talking about when I update ACLs and OS updates. I run a single instance, and I will say it's been reliable over ~2 years. For the record, I just rebooted that node for OS updates and the tailnet stayed up.
Call me Cappy Paranoid, but I fall into the camp of "You should never trust a service provider, ever," and build infrastructure accordingly; I believe this falls into an extreme interpretation of "zero trust".
So while also implementing Tailnet locks and other security measures to constrict traffic flow, I'd also consider going a step further by only permitting server or resource access based on client certificate validation (in other words, a client that's missing a trusted certificate is rejected from even attempting to initiate AuthN); that way even if your Tailscale network is compromised somehow, untrusted clients and endpoints can't make inroads into your infrastructure as easily.
Is that a gigantic PITA to implement? Oh heck, you betcha it is, and I doubt 99% of folks need to go that far with their homelabs or home services. Still, that'd be my approach to zero trust - trusting Tailscale only so far as enabling virtual networking, but not blindly trusting traffic coming over that network at any point.
I feel like a lot of hype around Tailscale is because it vastly simplifies VPNs and their associated networking, especially for businesses, startups, or homelabs where the focus might be elsewhere or specific talent is unavailable. The problem arises when folks don't quite understand why specific decisions are being made, or use the product in nonstandard (or even negative) ways. I've seen stories of folks deploying Tailscale on every machine in their LAN, thinking that secures their traffic; using it to cross boundaries in the firewall or router between secure and insecure VLANs; and using it to connect to servers in lieu of a proper router or firewall with appropriate ACLs.
Tailscale is an excellent piece of software, provided it's implemented in a way to emphasize security, and not weaken it. In OPs case, being used as an accessibility aide to a system that couldn't be secured any other way while preserving external access (in their case due to CGNAT) was an excellent use of Tailscale.
> I do think this simplicity is exactly what contributes to those weird and non-standard configurations.
This is why I am confident I will always have employment in IT. As I make things simpler for others to use, they in turn will find new and innovative ways of making my eyes bleed from cursed workflows that once again require professional intervention for simplicity, efficiency, and security.
> I feel like a lot of hype around Tailscale is because it vastly simplifies VPNs and their associated networking
Tailscale is based on Wire Guard, isn’t it? Now there’s a piece of software that truly made VPNs simple. I have a tunnel back into my LAN by way of an EC2 instance and all it took was two super simple config files on each machine.
Wireguard vastly simplifies the transport level, and attains high performance because it runs in the kernel.
Tailscale simplifies: authentication (including OIDC), authorization (via ACLs), DNS, NAT piercing. All of that is not obvious or easy for someone without deeper expertise.
They have nice clients (e.g. for MacOS, Tizen). Ofc headscale is a thing, but if you have a company, it's also nice to have someone to yell at if your mission-critical tailnet suddenly b0rks.
Imo they don't charge all that much relative to their value, depending on who you're asking.
I mean, yes? It's why Zero Trust is growing as an operations model. Supply chain attacks, vendor hostility, zero days being hoarded by nations and bad actors for exploit, the list goes on.
You emphatically cannot trust vendors, suppliers, users, software, systems, or governments. Ergo, your infrastructure should be built with an appropriate risk assessment in mind, and have proper safeguards in place where feasible. That's just good OpSec.
Not the same. In particular you don’t need to accept software updates from software suppliers and you can also require source code or use open source.
This stuff was obvious and standard in the 80s-2000s. It’s only in the last 15-20 years that it became acceptable to get updates shoved down your throat.
Service providers can cut off your access any day.
Software providers cannot unless you’ve given them a live update channel direct to your env.
Definitely not true. You can audit software (it could be not easy, but ultimately doable) and skip the updates until you have capacity to audit those. You can't audit a third-party service, no matter what you do.
> Is that a gigantic PITA to implement? Oh heck, you betcha it is
I use my own self-hosted Wireguard VPN server. I agree with a lot of what you were saying about client certificates etc. And I plan to eventually do that sort of thing on some of my services in my own Wireguard VPN too.
But in terms of Tailscale, if you are going to set up all kinds of client certificate things that will take a lot of time and effort, why not self-host Wireguard also?
Setting up a Wireguard server is super simple. The only couple of things that complicate it a tiny bit is opening up a port for it for inbound connections if you host it from your home connection rather than a rented server, and managing the Wireguard public keys that are allowed to connect.
But if you are going to do a whole client certificate setup on top anyway, the work of setting up your own Wireguard VPN is small in comparison.
> But in terms of Tailscale, if you are going to set up all kinds of client certificate things that will take a lot of time and effort, why not self-host Wireguard also?
Already do! I tried Tailscale initially, but ultimately decided to put in the effort of a proper Wireguard setup. It's how my personal devices always get back to my home LAN, and then exit to the internet; it's also how I make sure every DNS lookup hits the Pi-Hole, for domain blocking wherever I am.
I emphatically recommend learning WireGuard (and to a lesser degree, VPN Concentration) when practical and possible. Until then, Tailscale is an excellent product.
How is this a good solution, when traffic is decrypted in the cloud, all traffic goes through one node, there is no ACL, key distribution, static IP, …?
I guess I'm not clear what "when traffic is decrypted in the cloud" means but, here's how it works...public traffic comes in on port 80 to the VPS, Wireguard is configured to route it over the VPN to a VM on my home machine. I control the VPS and the peer receiving the traffic.
No. I was talking specifically about the case where you want to host the Wireguard VPN server at home.
See earlier in the comment where I said:
> opening up a port for it for inbound connections if you host it from your home connection rather than a rented server
Although I can see how it might not be clear that in the end where I’m mentioning CGNAT I am still specifically talking about hosting the VPN server from your home connection.
> Call me Cappy Paranoid, but I fall into the camp of "You should never trust a service provider, ever," and build infrastructure accordingly; I believe this falls into an extreme interpretation of "zero trust".
…which is why I qualified it with the phrase, “extreme interpretation of”, and made sure to encapsulate “Zero trust” in quotes to make it clear I wasn’t being technically literal in my description. Grammar and punctuation matter when you’re deliberately misusing a known term as a metaphor to make a point.
That being said, the core concept of ZTA is that no user or device should be trusted by default. So yes, my statement is still generally correct even if it’s not how the term is often or commonly used.
> I'd also consider going a step further by only permitting server or resource access based on client certificate validation
This is where I'm the most curious on what Tailscale will do next. So far all their products seem to contrast at the IP level, but for enterprise use cases there's a real need for application level protections as well. Cloudflare Access is a great example of what I mean.
Particularly as it does not include its own PKI, so E2EE is done by MITM your IdP (OICD/SAML etc) and therefore, under court order Tailscale can decrypt your traffic.
We took the opposite approach with NetFoundry. (1) We open sourced the code (https://openziti.io/), (2) we built in PKI with private keys generated at source and destination so that even if traversing NF hosted data plane, we CANNOT decrypt traffic, (3) mTLS everywhere, (4) ability to bring your own PKI, and more.
First of all, a node added to tailnet doesn’t not have the ability to decrypt the traffic in tailnet. All it can do to contact other nodes, decrypt traffic users sent to that hidden node, or modify settings in admin console. Furthermore, with tail lock, the coordination server should not be able to add nodes from outside.
Even if an attacker such as the government runs the coordination and relay servers, and the IdP, they will not be able to decrypt any traffic in tailnet.
The secret keys remain on device, and traffic is end to end encrypted. There is no mechanism in
the client agents to send out the secret keys. The coordination server receives the public keys and metadata.
I see I did have a misunderstanding. I believe there is still the meta data angle, but yes, private keys on endpoints would ensure E2EE. I will update my comment.
> Yeah, I don't understand how it is so prevalent in the self-hosted community.
Not just CGNAT but not having _any_ external ports open can be a beautiful thing. I used to have an ssh port (not on the standard 22) and the amount of auth attempts back then was insane. I now have a full firewall zero open ports but, thanks to tailscale, I can still safely access my machines while not being at home with zero unauthorized attempts.
And since I am a security person, I use the tailscale lock feature so not even tailscale themselves can add nodes to my network. Even if they had a breach.
If you're a security person, can you explain why a centralized key exchange server is needed at all? If you care about security you have to verify every nodes key anyway...
Also, it seems their infrastructure runs on AWS, not exactly confidence inspiring from a censorship/privacy risk standpoint.
I think tailscale also doesn't provide transient quantum resistance. Wireguard traffic can be made quantum resistant with a PSK. I fail to see why one would use Tailscale over just wireguard other than for "convenience" reasons which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn.
> If you're a security person, can you explain why a centralized key exchange server is needed at all? If you care about security you have to verify every nodes key anyway...
I do verify every node’s key. That’s kind of the point of tailscale lock unless I am missing something.
> Also, it seems their infrastructure runs on AWS, not exactly confidence inspiring from a censorship/privacy risk standpoint.
I don’t understand what censorship has to do with a personal home network?
Privacy on the other hand, is fair. For my usecase this is a home network I am not that concerned that they know what devices talk to what devices. Yes they know my ip address but that’s not valuable since it’s all defended by the tailnet lock.
> I fail to see why one would use Tailscale over just wireguard other than for "convenience" reasons which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn.
Direct access to my network being limited behind tailscale with a requirement to be part of my tailscale network signature satisfies my requirements for no one else’s access to my network at all. And only if I am away from home does any of my traffic pass through a relay.
Tailscale has more device support than any wireguard apps than I know of. I don’t believe wireguard has Apple TV support, but tailscale does.
I am not the only member of my family either, including them in this network with the simplicity of tailscale’s apps is also important.
Wireguard, unlike SSH, behaves like a closed port unless the client successfully authenticates. As far as an unauthenticated client is concerned, you don't have a listening service ("opened port") at all.
I mean, yeah, if you unfortunately have to deal with CGNAT, then you gotta do what you gotta do. But other than that, what's the issue with self-hosting Wireguard?
> But other than that, what's the issue with self-hosting Wireguard?
User simplicity. I am not the only one on my home network which I want to be able to access some parts of the things I build.
Device support. I appreciate that tailscale has gone out of their way to bring tailscale to even more devices than even wireguard supports. Namely apple tv, wireguard does support iOS but doesn't seem to currently support apple tv or maybe just my version of apple tv.
I trust Tailscale with my network traffic. I also trust a $50 cheap chinese 10G switch that I bought off amazon with a terrible and surely insecure management interface. Which is to say - I don't, but I don't need to trust it far.
I do have enough trust in their client that's installed on my machine to believe that it's not actively malicious. I do trust that I can find my other devices, and trust tailscale to keep a list of them, and not randomly add other devices that I don't know, but I don't have perfect trust of that. All my internal services are still E2E encrypted over the Wireguard link; They run HTTPS with an internal cert authority. There's not ports open on them that shouldn't be, and while it's possible that one of them still gets popped, it's much less likely.
I don't really understand this though.. The key exchange is perhaps the most important aspect.
Just hypothetically, what if an intelligence service records your encrypted traffic and also happened to get AWS to mitm your communication with the tailscale key distribution server?
Doesn't really matter if most of your traffic doesn't use their infrastructure if the most important parts of it do.
> Using Tailscale introduces a dependency on Tailscale’s security. Using WireGuard directly does not. It is important to note that a device’s private key never leaves the device and thus Tailscale cannot decrypt network traffic. Our client code is open source, so you can confirm that yourself.
My understanding is that (in theory) the only way this is possible is if the attacker introduces a new node and then connected to other nodes that are in the tailnet. What you're suggesting is that a single node that is connected to the other nodes gets compromised, but this isn't possible without already being able to compromise that specific node. Alternatively, if someone hacks Tailscale itself, the only way they could get access to any nodes would be to add their own node, but if you have alerting set up you would know and you could shut down the attacker.
> Everything on my home network is set up as if it were public-facing.
That's Wireguard, I have the same, just Wireguard + VPS, everything I want available that is. I don't put every PC on my home network on the VPN, I could though, pretty easily.
By locked down I mean everything requires authentication (and authorization), everything is containerized, and I have fairly strict firewall defaults.
Let me explain what I mean by low maintenance...
I was a very early containerization adopter and set up a company and also my home network using Docker around 10 years ago. I chose Docker because I thought it was reasonably polished and was the future of deployment. Even though the landscape keeps moving with changes in Kubernetes, Helm, Rancher and stuff like that, the actual Docker part hasn't changed in 10+ years so I haven't had to change my setup for a decade. Low maintenance for me is software that can be left mostly untouched (except for minor updates) for a long time and I judge that based on the project's future, which for me is partly judged from a project's polish.
Every time I tried WireGuard in the past, it didn't seem so polished. I don't want to waste time learning something that could go away. On the other hand, not only did Tailscale look pretty well set up, it was pretty much click and run which means that even if it were to fail, I would have not lost any time learning much about it.
So low maintenance for me is "get the most out of as little work as possible" and choosing Tailscale was the decision to achieve that. So given that I've been using Tailscale for 1.5 years with near 0 amount of configuration and so far, no real downtime, it is adequately low maintenance.
I think it's interesting that they support Kubernetes connections as well, so you can access the control plane, or send data in or out of an environment via Tailscale. I don't have a use for it myself, but it does seem useful.
I still find SSH adequate for connecting to a home server remotely. I don't have the CGNAT terrible problem but I also don't do any port forwarding on my home router.
Instead, I have a VM running on a cloud provider that I SSH to from an OpenBSD box inside my home network. The SSH connection establishes a reverse SSH tunnel. This opens a port on the cloud VM to tunnel to my OpenBSD sshd port.
With the reverse proxy to my home OpenBSD box established, I can use the SSH jump box option, -J. I connect to the cloud VM and "jump" through the tunnel to the OpenBSD box at home. You can even specify multiple jumps if I need to connect to another machine in my home.
I can also set up a local tunnel through that jump for things like connecting to my Home Assistant server from my remote laptop or phone.
If I'm understanding correctly, this will break whenever the IP address of your tunnel changes. You'll have to reestablish all of your connections.
My use case for tailscale: have an SSH (or other) connection to my home server while working from home. Drive to a coffee shop, register on their network, and continue using the same connection. (Or hotspot, if I'm somewhere without Wifi.)
The IP address of my server does not change. When at home, the packets do not leave my home network. When out and about, they do.
It's magic to me. I set up a sophisticated (read: overkill) SSH tunneling setup previously, using Match rules in .ssh/config to autodetect the network I was on so that `ssh myserver` would always go via the correct route. But my connections were still interrupted broke when I switched, and I'm not good enough at networking to do any better.
(I guess this is what Wireguard is for? I could access my server via a fixed IP address on my machine that goes to a tun device, and that would send the packets to the actual server if nearby otherwise hand off to the carrier pigeons? Is that what the tailnet is doing? I don't understand how packets get intercepted by tailscaled, though I do see a tailscale0 device. Is that just a vanity license plate version of tun0? Why does `ip route show` give me only routes through my actual devices, then? Never mind, this isn't a helpdesk. I'm just getting old and stupid, I think.)
> If I'm understanding correctly, this will break whenever the IP address of your tunnel changes. You'll have to reestablish all of your connections.
The tunnel is on localhost only. The VM has a static IPv4/IPv6 with DNS.
Connecting the SSH tunnel from my home is stable as well as connecting to the VM remotely.
I do appreciate Tailscale and Wireguard. I was more responding to the fact that I don't have to trust any provider here, other than the one keeping my VM running.
In other words (they do get to this point right away), port forwarding is pretty useful, and most of us don't have it anymore.
I'm sick and tired of the way ISPs treat us. It's literally written into my lease what company I will pay for internet, and how much I will pay them. It is not, however, written in my lease how fast the connection will be. Not only am I unable to forward ports, I can't even change my own WiFi password! Sure, I could make a fuss and probably obtain access to my router, but it isn't worth the hassle.
But why is there a hassle to begin with? How in the hell is it in anyone's interest to keep me from configuring my own router? I can come up with plenty of authoritative bullshit answers to this question, but they are all authoritative bullshit. I think that's the real answer: we have systemically built our society to operate on authoritative bullshit. sigh
Tailscale is a usable workaround, but it shouldn't exist. It shouldn't need to exit. I just want to be able to host a server. Is that really so much to ask?
The authoritative bullshit isn't what society is running on, it's what society is giving as an excuse for enshittification that enriches interested parties.
Your landlord (I'm guessing based on having seen it before) gets kickbacks from the ISP to force all tenants onto a specific (probably overpriced) Internet plan. The interest in keeping you from configuring your own router is in allowing the ISP's enshittifying further monetization tactics to proceed unopposed. The two big ones I've seen in this kind of setup are:
Using DNS enforced by the router to gather data and place ads on any 404 error.
Sharing their WiFi network that you lease with the ISP's other customers nearby.
I'm not even confident they get kickbacks. They probably just believe that either negotiating service details or providing infrastructure for competitive options would require more work from them. They are probably right about that: I'm not hassling them over it. I'm really not in a good position to anyway. As much as I would like to attribute malice to this behavior, it's most likely to be no more than laziness.
If I moved into a house, I could get 1gbit symmetric from Google Fiber or UTOPIA at half the price. But that doesn't matter because I cannot remotely afford a mortgage.
The real problem is Monopoly. Not the market dominance kind: the no one gets to compete kind. We have it in real estate, where every piece of the market is overvalued so far that very few individual people can meaningfully participate. We have it with ISPs who get to literally own the last mile infrastructure, so their customers can't physically connect to a competitor.
The number of users who even understand why they might want to do that aren't a consideration when they build such a service/agreement. It's only considering what the average tenant is looking for, which is more akin to "water comes out of the pipes when I move in" than "do I get to mess with the plumbing?".
> Not only am I unable to forward ports, I can't even change my own WiFi password!
You can't BYOD? I got a lot of info out of the install techs when my home fiber was installed, including the router password, because they saw my setup and said "whoa... this is not a normal person setup". I said no, it isn't, you want me to walk you through what I've got? They did.
I ended up putting their device to DMZ all traffic to my device and turning off its radios (I have multiple AP's with wired backend). Technically double NAT, but in the first step all ports were forwarded, so it didn't affect anything. It took me a while to have a weekend where my wife was gone and I could risk breaking things for a few hours, but after that I was able to remove their device entirely. Turns out it uses a VLAN on the outgoing connection, so I had to figure out how to set that up on my router.
Anything that's more effort than using tailscale isn't worth it to me. I just treat it like public Wi-Fi that no one but me uses.
My frustration is that it's difficult in the first place. I shouldn't need to call someone (and hope they both comprehend and help) just to configure a device inside my home. It's absurd, and everything that led us to this point deserves criticism.
Sorry for the late reply, just wanted to say I have felt your pain starting a long time ago, and I agree it's absurd. I don't even do this as a job. I'm just out there trying to make sure that my wife and I have functional internet at our house and her parents' house as a layman with a modicum of experience.
If your Internet provider and your mobile provider is the same company, they could put all your connected devices in the same IP block within the CGNAT IP range.
Now, not only you can access your device at home while away using your cellphone, you can also connect to your partner's phone with the same IP address at (or away from) home.
Some Internet providers in China very recently started providing this service, e.g. https://www.chiphell.com/thread-2666772-1-1.html (in Chinese). In addition to the convenience of accessing your home server while on the go, they also make the traffic within the CGNAT free.
Lol I will be seriously surprised if at&t offers this, but I can see the tmo starlink thing potentially doing it.
I signed up for the tmo beta even though I am not a tmo subscriber. Now I have a cool thing to test, can I access my behind-starlink stuff from my cellphone?
Easier than asking family members to install a new software, then ask them to share their "node" to you.
Imagine you can remote desktop connect to your parents' computer after their phone call.
The data cap is on your cell service (the US also has that). Net neutrality is debatable given the traffic is between my own devices so presumably no one gets hurt (think of accessing and streaming from your NAS at home).
> Easier than asking family members to install a new software, then ask them to share their "node" to you.
Right, but not easier than static IP (or dyn dns), both of which require technical knowledge and procedure to set up. I really don’t see the great simplification here. Plus you’d still have firewalls and it’d stop working as soon as you (the client) leave your company’s garden (eg at work). To be fair, static IPs also wouldn’t work when your parents (the server) move their device.
> The data cap is on your cell service (the US also has that). Net neutrality is debatable given the traffic is between my own devices so presumably no one gets hurt (think of accessing and streaming from your NAS at home).
Fair enough. That I don’t mind. I really dislike configuring multiple devices for an ISP, that’s consumer lock in imo. The provider can simply implement hairpinning on their infrastructure and the traffic won’t leave their network anyway.
I've harped on some Tailscale implementations before for what I perceived to be nonsensical or bad approaches, but this one is an excellent example of its capabilities. In no particular order:
* It's not reliant on port forwarding at your firewall
* It can get around bad ISP habits, like CGNAT or a lack of IPv6 (or IPv4)
* As the OP points out, it's broadly compatible with various forms of exit nodes
I use tailscale to build my personal podcast that include local weather and stocks I interested in. Running the whole pipeline on a steamdeck and use tailscale to securely delivery the generated podcast to my phone.
Is there an alternative to Tailscale with a lower memory footprint? I wanted to run Tailscale on a small router, but it failed due to out-of-memory (OOM) issues.
I wasn't sure and still am not what your statement means, I checked Google, their AI tool offered this:
"Yes, WireGuard does support NAT traversal, though it doesn't handle it natively; it relies on techniques like UDP hole punching to establish connections between peers behind NATs."
That makes no sense to me, I have my peers talking to each other on the Wireguard VPN behind my ISP NAT. I do have one UDP port open on the VPS that they all talk to. Is that what you mean by, "Wireguard doesn't do NAT traversal on its own, which is, IMHO, the killer feature of Tailscale."?
If so, how does not having to open one UDP port which can't really be detected anyway, justify having all your traffic controlled by a third party through servers (I forget what Tailscale called them) you don't own?
How low do you need the footprint? At firezone.dev, we also build a ZT product and our headless-client and Gateway are in Rust and use around 15-30 MB of RAM. Could likely be tuned further down if you need it :)
Tailscale also allows you to issue valid TLS certificates (`tailscale cert`), which is crazy useful for certain local development tasks, EG developing SSO for a mobile application where the SSO provider mandates TLS and the mobile devices dont easily allow you to bypass self-signed certificates. They keep piling on awesome features, big fan.
I use these certificates for almost any management UI of internal services that would go unencrypted for convenience otherwise, even for Postgres servers. It’s really versatile.
or one of the many alternatives - https://github.com/anderspitman/awesome-tunneling. I will advocate for zrok.io as I work on its parent project, OpenZiti. zrok is open source and has a free (more generous and capable) SaaS than ngrok.
For simple problems use simple tools. I believe the simplest tunneling tool out there is https://pinggy.io . Tailscale is for a different use case. Not just exposing one port to the interenet.
Also, their building up on top of a 'platform' is wonderful: funnel, exit nodes, sharing, ssh, drive etc.
I wonder if they can figure out a way to distribute compute eventually via their network (not just clunky ssh): 'my' storage is already shared with 'my' nodes, why not 'my' compute? :)
That was actually something we debated launching before Tailscale SSH but ended up doing Tailscale SSH first because the state problem for compute was annoying and we'd seen the App Engine etc progression through the problem space and knew it could be a time suck.
I still want to do it and we continue to brainstorm on the problem of state management and how to do it in an HA way, so you can run services where the compute bounces around some node in a set that's up and reachable on the tailnet but the state is durable and in sync between the nodes. It's a fun problem.
Looks like the layers are there for a Tailscale API: I could imagine writing a platform-independent Go 'app' that uses funnel+drive that could 'float' around the nodes.
Anyway, a fun problem (or worse, a solution looking for a problem as I couldn't immediately think of a problem that would require it just yet. May be distributed training and such)
> I have used Tailscale only for personal reasons so far, using the free tier; they have enterprise plans for enterprise use cases that I have no idea about.
Does anybody know of any good materials on the enterprise use cases and configs? e.g. blogs, screencasts, etc.
- My home PC, my laptop, and my phone are the participants.
- My home PC is connected to a GPU, and runs a colab runtime, SSHD, as well as a simple http file server in $HOME (actually, C:/Users/username, its windows)
- My laptop doesn't have an NVIDIA GPU, so it just runs SSHD and a file server.
- My phone serves nothing, but has an SSH client, and a http client obviously.
There is simple hostname based DNS setup by tailscale automatically, so I can just go to http://laptop:8000 to access all my files, or just ssh to username@computer
Accessing everything from everywhere is absolutely great. And this is all on their free tier.
Unrelated to tailscale, I use parsec for a similar solution for remote desktop, their "machine level user" feature allows me to initiate remote desktop from certain client devices directly.
418 comments
[ 0.17 ms ] story [ 502 ms ] threadSamba transfers take a 15 megabyte per second hit over tailscale even with a fairly fast CPU on both ends (Ryzen 3600 and Ryzen 7900X3D) on my local network
https://old.reddit.com/r/mikrotik/comments/112mo4v/is_there_...
The overhead shouldn't be 15% but there could be some weird interaction with the link MTU for the VPN causing, e.g., smaller packets to be sent with more overhead.
These are on my local network, connected to my switch over 1gig Ethernet.
https://www.reddit.com/r/linux/comments/9bnowo/wireguard_ben... from 7 years ago is about trying to get it running at 10Gbps speeds.
Now I mount the NAS volumes to a host at the same location and sftp to it. It’s still dog slow at 30MB/s but that’s the NAS limitation.
Direct access to the NAS can also be achieved via Subnet Routers
https://tailscale.com/kb/1019/subnets
Does Tailscale have features that set it apart now that other VPNs have gotten the private mesh thing down pretty well?
Also, ZeroTier is "open-source ish." They use the BSL license for most of their code (https://www.zerotier.com/blog/on-the-gpl-to-bsl-transition/) and I believe you can self-host (https://docs.zerotier.com/selfhost/)
My one objection to Nebula is that its Android app is proprietary, and your response is to plug the even more proprietary way to run it?
> Also, ZeroTier is "open-source ish."
So it's not FOSS.
Best of luck in your search! Maybe take a look at Tinc or Yggdrasil.
https://mariadb.com/bsl11/
> The Business Source License (this document, or the “License”) is not an Open Source license.
I'm gonna take them at their word.
> Best of luck in your search! Maybe take a look at Tinc or Yggdrasil.
I did, but thanks:)
I also tried ZeroTier and was extremely unimpressed, although again that was a few years ago. The performance on single threaded systems was absolutely terrible, which suggests some deeply broken code and made it unusable with a cheap VPS. The paceof development was also pretty slow and the insistence on homebrew crypto was also not confidence inspiring compared to something that used a proven solution like Wireguard.
[1]: https://github.com/gsliepen/tinc
That said, I can totally see where a less DIY solution. VPNs fundamentally aren’t novel and there’s nothing wrong with Nord and similar products. (Although I don’t put any stock in the no logging claims)
It comes in handy from time to time. I run a "public" subsonic server but I don't have most of my own productions on it, but I can open VLC on android and go to a bookmarked share and play it all there.
Also stuff like NVR camera feeda I can look at over tailscale, too. No "cloud" storage needed.
I wish there was an easy reliable way to do this that didn't involve a for-profit; but until awful things happen I am fine using this for low-friction, trivial network access.
Recently, as I have been traveling through the Middle East and East Africa, I have also used Tailscale on my phone to protect myself on public wifis and to work around MitM attempts, see my other comment further up.
- ephemeral nodes are super useful for things like attaching a GitHub action runner or a fly.io instance to your tailnet
- Tailscale's ACL system has a ton of capabilities
- getting corporate buy-in is possible, vs trying to get a business to buy into Nord meshnet for actual workloads
Tunnelling into my home machine I was able to access the account and transfer money I needed.
Sure a VPN might be able to do this too but it’s nice being able to exit via a connection you control.
I can also watch Plex movies without exposing ports.
Honestly I would suggest wireguard on your router before openvpn.
https://tailscale.com/kb/1097/install-opnsense
I'm not sure about the performance yet, however.
Without a laptop handy, I had to use my iPhone to set up a droplet running Ubuntu, then install vray onto it and configure it to run on port 443. vray uses "standard" SSL to tunnel connections, so to DPI it just looks like normal HTTPS traffic and I was able to pass traffic through the firewall when I needed to access something that was blocked. It makes me wonder if TailScale would also bypass their analysis, or if it would be blocked as well.
(I didn't abuse this to the detriment of the network, and I did pay for the "streaming package" on sea days when I had a lot of traffic to run)
I haven't actually tried this when my home service is down, because it's basically never down, but I can easily switch exit nodes when they are both running without hitting the authentication servers again.
I can understand the work network policy, someone could use Tailscale to leak data, but a residential ISP should not block it. I would rather bother their support for an incomplete service.
as someone who does publicly expose services that have auth, why does CGNAT make exposing ports publicly bad?
Tailscale is a better idea.
Tailscale is great but direct is always better IMHO.
Luckily for me I have a regular ip4 address but if that ever changed I’d be out of luck unless my isp (quantum fibre) implemented a proper ipv6 solution.
That's my experience. I wish it was better.
On my iPhone, I've not even noticed any battery problems whilst running Tailscale 24/7. Are you running it with an exit node that funnels all traffic? I've just got it active for my nodes which might be why it's basically doing nothing.
Can't remember what the default install is - do you have "VPN On Demand" turned on? That should keep it mostly idle unless you're actually talking to one of your nodes, I think?
If you have more complex cases, the IPTables/Netfilter rules make it vastly more difficult to manage, particularly if you're running docker-compose (or anything using IPTables rules) on the same box and trying to troubleshoot the packets coming out of docker and going into tailscale.
And then trying to figure out what tailscale is doing with your packets is not great as well. They've also broken features I relied upon with a minor release.
Their nat traversal doesn't always work, as sometimes I get connected to a DERP server, so that limits the network speeds across the internet.
I blame CG-NAT quite a bit -- it's really why we can't have nice things these days -- and I get tailscale is trying to fix a bunch of that. But the reality is, I just want an interface just like eth0 or wl0, not an IT infrastructure to move my packets across.
Tailscale doesn't really address connecting to strangers, though.
Also, it's old but not 90s old: https://swapped.cc/#!/hamachi released in 2004 actually.
This allowed us to play Warcraft II with random strangers: RTS games over the Internet... Felt like the future!
Their golink project [2] is a good example (and useful itself), but I've used it to build "peer to peer" comms for one application, and to host an API and Svelte SPA to control some other things in a tailnet.
[1] https://pkg.go.dev/tailscale.com/tsnet
[2] https://github.com/tailscale/golink
I pulled tsnet out of my go application and switched entirely to `tailscale serve` and just use the header that adds to auth my family into apps I write. I love it.
I had some issues with builds every once in a while, which is another reason I switched to using tailscale serve instead.
[1] https://github.com/tailscale/caddy-tailscale
https://github.com/almeidapaulopt/tsdproxy
[1]: https://tailscale.com/kb/1226/tailnet-lock
1. Maintaining high availability
2. Dealing with patches/upgrades
But I'm also really curious how likely a self-hosted instance is to be an attack vector potentially more dangerous than using something like Tailscale.
In my experience as a poor sysadmin (as in, bad), you don't /need/ HA for Headscale because the clients are pretty resilient. I've had my instance go down for a little bit and it's fine. Stale and new connections aren't, obviously, but it will work well enough that you won't realize Headscale itself has gone down until a while after it did.
So while also implementing Tailnet locks and other security measures to constrict traffic flow, I'd also consider going a step further by only permitting server or resource access based on client certificate validation (in other words, a client that's missing a trusted certificate is rejected from even attempting to initiate AuthN); that way even if your Tailscale network is compromised somehow, untrusted clients and endpoints can't make inroads into your infrastructure as easily.
Is that a gigantic PITA to implement? Oh heck, you betcha it is, and I doubt 99% of folks need to go that far with their homelabs or home services. Still, that'd be my approach to zero trust - trusting Tailscale only so far as enabling virtual networking, but not blindly trusting traffic coming over that network at any point.
There is slacks nebula and other options that are completely self-hosted from the start.
Feels like such a weird hype around tailscale.
Tailscale is an excellent piece of software, provided it's implemented in a way to emphasize security, and not weaken it. In OPs case, being used as an accessibility aide to a system that couldn't be secured any other way while preserving external access (in their case due to CGNAT) was an excellent use of Tailscale.
I do think this simplicity is exactly what contributes to those weird and non-standard configurations.
This is why I am confident I will always have employment in IT. As I make things simpler for others to use, they in turn will find new and innovative ways of making my eyes bleed from cursed workflows that once again require professional intervention for simplicity, efficiency, and security.
Tailscale is based on Wire Guard, isn’t it? Now there’s a piece of software that truly made VPNs simple. I have a tunnel back into my LAN by way of an EC2 instance and all it took was two super simple config files on each machine.
Tailscale simplifies: authentication (including OIDC), authorization (via ACLs), DNS, NAT piercing. All of that is not obvious or easy for someone without deeper expertise.
Of course there are tons of alternatives even if you are behind CGNAT. Nebula is but one.
Imo they don't charge all that much relative to their value, depending on who you're asking.
[0]: https://github.com/juanfont/headscale
You emphatically cannot trust vendors, suppliers, users, software, systems, or governments. Ergo, your infrastructure should be built with an appropriate risk assessment in mind, and have proper safeguards in place where feasible. That's just good OpSec.
This stuff was obvious and standard in the 80s-2000s. It’s only in the last 15-20 years that it became acceptable to get updates shoved down your throat.
Service providers can cut off your access any day.
Software providers cannot unless you’ve given them a live update channel direct to your env.
I use my own self-hosted Wireguard VPN server. I agree with a lot of what you were saying about client certificates etc. And I plan to eventually do that sort of thing on some of my services in my own Wireguard VPN too.
But in terms of Tailscale, if you are going to set up all kinds of client certificate things that will take a lot of time and effort, why not self-host Wireguard also?
Setting up a Wireguard server is super simple. The only couple of things that complicate it a tiny bit is opening up a port for it for inbound connections if you host it from your home connection rather than a rented server, and managing the Wireguard public keys that are allowed to connect.
But if you are going to do a whole client certificate setup on top anyway, the work of setting up your own Wireguard VPN is small in comparison.
Unless like OP your ISP has put CGNAT on you.
Already do! I tried Tailscale initially, but ultimately decided to put in the effort of a proper Wireguard setup. It's how my personal devices always get back to my home LAN, and then exit to the internet; it's also how I make sure every DNS lookup hits the Pi-Hole, for domain blocking wherever I am.
I emphatically recommend learning WireGuard (and to a lesser degree, VPN Concentration) when practical and possible. Until then, Tailscale is an excellent product.
I run Wireguard on a VPS and route public traffic with it over Wireguard to my home machine.
Are you saying my ISP must not be CGNAT or else it wouldn't work?
Tailscale addressed those issues.
It’s encrypted from client to VPS, then from VPS to home. The VPS sees the traffic inside of tunnel. That’s the first problem.
See earlier in the comment where I said:
> opening up a port for it for inbound connections if you host it from your home connection rather than a rented server
Although I can see how it might not be clear that in the end where I’m mentioning CGNAT I am still specifically talking about hosting the VPN server from your home connection.
That's not what Zero Trust means, at all.
That being said, the core concept of ZTA is that no user or device should be trusted by default. So yes, my statement is still generally correct even if it’s not how the term is often or commonly used.
This is where I'm the most curious on what Tailscale will do next. So far all their products seem to contrast at the IP level, but for enterprise use cases there's a real need for application level protections as well. Cloudflare Access is a great example of what I mean.
We took the opposite approach with NetFoundry. (1) We open sourced the code (https://openziti.io/), (2) we built in PKI with private keys generated at source and destination so that even if traversing NF hosted data plane, we CANNOT decrypt traffic, (3) mTLS everywhere, (4) ability to bring your own PKI, and more.
Can you clarify?
Even if an attacker such as the government runs the coordination and relay servers, and the IdP, they will not be able to decrypt any traffic in tailnet.
The secret keys remain on device, and traffic is end to end encrypted. There is no mechanism in the client agents to send out the secret keys. The coordination server receives the public keys and metadata.
Please clarify or revise your comment!
edit: okay, CGNAT
Not just CGNAT but not having _any_ external ports open can be a beautiful thing. I used to have an ssh port (not on the standard 22) and the amount of auth attempts back then was insane. I now have a full firewall zero open ports but, thanks to tailscale, I can still safely access my machines while not being at home with zero unauthorized attempts.
And since I am a security person, I use the tailscale lock feature so not even tailscale themselves can add nodes to my network. Even if they had a breach.
I am a very happy customer.
See xz vulnerability for more details. It’s about not trusting people with any of my ports/software (directly).
> I use the tailscale lock feature so not even tailscale themselves can add nodes to my network.
https://tailscale.com/blog/tailnet-lock
https://tailscale.com/kb/1226/tailnet-lock
Also, it seems their infrastructure runs on AWS, not exactly confidence inspiring from a censorship/privacy risk standpoint.
I think tailscale also doesn't provide transient quantum resistance. Wireguard traffic can be made quantum resistant with a PSK. I fail to see why one would use Tailscale over just wireguard other than for "convenience" reasons which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn.
I do verify every node’s key. That’s kind of the point of tailscale lock unless I am missing something.
> Also, it seems their infrastructure runs on AWS, not exactly confidence inspiring from a censorship/privacy risk standpoint.
I don’t understand what censorship has to do with a personal home network?
Privacy on the other hand, is fair. For my usecase this is a home network I am not that concerned that they know what devices talk to what devices. Yes they know my ip address but that’s not valuable since it’s all defended by the tailnet lock.
> I fail to see why one would use Tailscale over just wireguard other than for "convenience" reasons which are almost never good reasons if security and privacy also matter. Please correct me if I'm wrong with anything, I'm happy to learn. Direct access to my network being limited behind tailscale with a requirement to be part of my tailscale network signature satisfies my requirements for no one else’s access to my network at all. And only if I am away from home does any of my traffic pass through a relay.
Tailscale has more device support than any wireguard apps than I know of. I don’t believe wireguard has Apple TV support, but tailscale does.
I am not the only member of my family either, including them in this network with the simplicity of tailscale’s apps is also important.
I mean, yeah, if you unfortunately have to deal with CGNAT, then you gotta do what you gotta do. But other than that, what's the issue with self-hosting Wireguard?
User simplicity. I am not the only one on my home network which I want to be able to access some parts of the things I build.
Device support. I appreciate that tailscale has gone out of their way to bring tailscale to even more devices than even wireguard supports. Namely apple tv, wireguard does support iOS but doesn't seem to currently support apple tv or maybe just my version of apple tv.
I do have enough trust in their client that's installed on my machine to believe that it's not actively malicious. I do trust that I can find my other devices, and trust tailscale to keep a list of them, and not randomly add other devices that I don't know, but I don't have perfect trust of that. All my internal services are still E2E encrypted over the Wireguard link; They run HTTPS with an internal cert authority. There's not ports open on them that shouldn't be, and while it's possible that one of them still gets popped, it's much less likely.
I basically just see Tailscale as an auth paradigm for managing wireguard keys.
Just hypothetically, what if an intelligence service records your encrypted traffic and also happened to get AWS to mitm your communication with the tailscale key distribution server?
Doesn't really matter if most of your traffic doesn't use their infrastructure if the most important parts of it do.
https://tailscale.com/compare/wireguard
My understanding is that (in theory) the only way this is possible is if the attacker introduces a new node and then connected to other nodes that are in the tailnet. What you're suggesting is that a single node that is connected to the other nodes gets compromised, but this isn't possible without already being able to compromise that specific node. Alternatively, if someone hacks Tailscale itself, the only way they could get access to any nodes would be to add their own node, but if you have alerting set up you would know and you could shut down the attacker.
Everything on my home network is set up as if it were public-facing.
That's Wireguard, I have the same, just Wireguard + VPS, everything I want available that is. I don't put every PC on my home network on the VPN, I could though, pretty easily.
By "as if it were public facing" I assume you mean locked down as much as possible using either router or host-based firewall rules?
Let me explain what I mean by low maintenance...
I was a very early containerization adopter and set up a company and also my home network using Docker around 10 years ago. I chose Docker because I thought it was reasonably polished and was the future of deployment. Even though the landscape keeps moving with changes in Kubernetes, Helm, Rancher and stuff like that, the actual Docker part hasn't changed in 10+ years so I haven't had to change my setup for a decade. Low maintenance for me is software that can be left mostly untouched (except for minor updates) for a long time and I judge that based on the project's future, which for me is partly judged from a project's polish.
Every time I tried WireGuard in the past, it didn't seem so polished. I don't want to waste time learning something that could go away. On the other hand, not only did Tailscale look pretty well set up, it was pretty much click and run which means that even if it were to fail, I would have not lost any time learning much about it.
So low maintenance for me is "get the most out of as little work as possible" and choosing Tailscale was the decision to achieve that. So given that I've been using Tailscale for 1.5 years with near 0 amount of configuration and so far, no real downtime, it is adequately low maintenance.
Instead, I have a VM running on a cloud provider that I SSH to from an OpenBSD box inside my home network. The SSH connection establishes a reverse SSH tunnel. This opens a port on the cloud VM to tunnel to my OpenBSD sshd port.
With the reverse proxy to my home OpenBSD box established, I can use the SSH jump box option, -J. I connect to the cloud VM and "jump" through the tunnel to the OpenBSD box at home. You can even specify multiple jumps if I need to connect to another machine in my home.
I can also set up a local tunnel through that jump for things like connecting to my Home Assistant server from my remote laptop or phone.
I only have to trust my cloud provider.
My use case for tailscale: have an SSH (or other) connection to my home server while working from home. Drive to a coffee shop, register on their network, and continue using the same connection. (Or hotspot, if I'm somewhere without Wifi.)
The IP address of my server does not change. When at home, the packets do not leave my home network. When out and about, they do.
It's magic to me. I set up a sophisticated (read: overkill) SSH tunneling setup previously, using Match rules in .ssh/config to autodetect the network I was on so that `ssh myserver` would always go via the correct route. But my connections were still interrupted broke when I switched, and I'm not good enough at networking to do any better.
(I guess this is what Wireguard is for? I could access my server via a fixed IP address on my machine that goes to a tun device, and that would send the packets to the actual server if nearby otherwise hand off to the carrier pigeons? Is that what the tailnet is doing? I don't understand how packets get intercepted by tailscaled, though I do see a tailscale0 device. Is that just a vanity license plate version of tun0? Why does `ip route show` give me only routes through my actual devices, then? Never mind, this isn't a helpdesk. I'm just getting old and stupid, I think.)
The tunnel is on localhost only. The VM has a static IPv4/IPv6 with DNS.
Connecting the SSH tunnel from my home is stable as well as connecting to the VM remotely.
I do appreciate Tailscale and Wireguard. I was more responding to the fact that I don't have to trust any provider here, other than the one keeping my VM running.
Also, there's tmux for preserving sessions.
I'm sick and tired of the way ISPs treat us. It's literally written into my lease what company I will pay for internet, and how much I will pay them. It is not, however, written in my lease how fast the connection will be. Not only am I unable to forward ports, I can't even change my own WiFi password! Sure, I could make a fuss and probably obtain access to my router, but it isn't worth the hassle.
But why is there a hassle to begin with? How in the hell is it in anyone's interest to keep me from configuring my own router? I can come up with plenty of authoritative bullshit answers to this question, but they are all authoritative bullshit. I think that's the real answer: we have systemically built our society to operate on authoritative bullshit. sigh
Tailscale is a usable workaround, but it shouldn't exist. It shouldn't need to exit. I just want to be able to host a server. Is that really so much to ask?
Your landlord (I'm guessing based on having seen it before) gets kickbacks from the ISP to force all tenants onto a specific (probably overpriced) Internet plan. The interest in keeping you from configuring your own router is in allowing the ISP's enshittifying further monetization tactics to proceed unopposed. The two big ones I've seen in this kind of setup are:
Using DNS enforced by the router to gather data and place ads on any 404 error.
Sharing their WiFi network that you lease with the ISP's other customers nearby.
If I moved into a house, I could get 1gbit symmetric from Google Fiber or UTOPIA at half the price. But that doesn't matter because I cannot remotely afford a mortgage.
The real problem is Monopoly. Not the market dominance kind: the no one gets to compete kind. We have it in real estate, where every piece of the market is overvalued so far that very few individual people can meaningfully participate. We have it with ISPs who get to literally own the last mile infrastructure, so their customers can't physically connect to a competitor.
You can't BYOD? I got a lot of info out of the install techs when my home fiber was installed, including the router password, because they saw my setup and said "whoa... this is not a normal person setup". I said no, it isn't, you want me to walk you through what I've got? They did.
I ended up putting their device to DMZ all traffic to my device and turning off its radios (I have multiple AP's with wired backend). Technically double NAT, but in the first step all ports were forwarded, so it didn't affect anything. It took me a while to have a weekend where my wife was gone and I could risk breaking things for a few hours, but after that I was able to remove their device entirely. Turns out it uses a VLAN on the outgoing connection, so I had to figure out how to set that up on my router.
I live in an apartment. The router was here before me.
I’m sure you have tried these, just spitballing about how I would try to deal with that…
My frustration is that it's difficult in the first place. I shouldn't need to call someone (and hope they both comprehend and help) just to configure a device inside my home. It's absurd, and everything that led us to this point deserves criticism.
If your Internet provider and your mobile provider is the same company, they could put all your connected devices in the same IP block within the CGNAT IP range.
Now, not only you can access your device at home while away using your cellphone, you can also connect to your partner's phone with the same IP address at (or away from) home.
Some Internet providers in China very recently started providing this service, e.g. https://www.chiphell.com/thread-2666772-1-1.html (in Chinese). In addition to the convenience of accessing your home server while on the go, they also make the traffic within the CGNAT free.
I signed up for the tmo beta even though I am not a tmo subscriber. Now I have a cool thing to test, can I access my behind-starlink stuff from my cellphone?
> they also make the traffic within the CGNAT free
So.. both data caps and breaking the principle of net neutrality?
Imagine you can remote desktop connect to your parents' computer after their phone call.
The data cap is on your cell service (the US also has that). Net neutrality is debatable given the traffic is between my own devices so presumably no one gets hurt (think of accessing and streaming from your NAS at home).
Right, but not easier than static IP (or dyn dns), both of which require technical knowledge and procedure to set up. I really don’t see the great simplification here. Plus you’d still have firewalls and it’d stop working as soon as you (the client) leave your company’s garden (eg at work). To be fair, static IPs also wouldn’t work when your parents (the server) move their device.
> The data cap is on your cell service (the US also has that). Net neutrality is debatable given the traffic is between my own devices so presumably no one gets hurt (think of accessing and streaming from your NAS at home).
Fair enough. That I don’t mind. I really dislike configuring multiple devices for an ISP, that’s consumer lock in imo. The provider can simply implement hairpinning on their infrastructure and the traffic won’t leave their network anyway.
* It's not reliant on port forwarding at your firewall
* It can get around bad ISP habits, like CGNAT or a lack of IPv6 (or IPv4)
* As the OP points out, it's broadly compatible with various forms of exit nodes
Straightforward and to-the-point. Great writeup.
Use jupyter notebook to fetch the stock and weather info and feed that into a local LLM and convert that to speech using opensource TTS.
https://github.com/smy20011/MorningRadio
https://github.com/smy20011/MorningRadio
But you can proxy traffic using a VPS really easily, which is basically the reverse of exit nodes.
Fair enough if you're stuck behind a CGNAT though.
"Yes, WireGuard does support NAT traversal, though it doesn't handle it natively; it relies on techniques like UDP hole punching to establish connections between peers behind NATs."
That makes no sense to me, I have my peers talking to each other on the Wireguard VPN behind my ISP NAT. I do have one UDP port open on the VPS that they all talk to. Is that what you mean by, "Wireguard doesn't do NAT traversal on its own, which is, IMHO, the killer feature of Tailscale."?
If so, how does not having to open one UDP port which can't really be detected anyway, justify having all your traffic controlled by a third party through servers (I forget what Tailscale called them) you don't own?
[1] https://nebula.defined.net/docs/config/punchy/
The Tailscale k8s operator is also great.
I wonder if they can figure out a way to distribute compute eventually via their network (not just clunky ssh): 'my' storage is already shared with 'my' nodes, why not 'my' compute? :)
Seems like a great company/business.
I still want to do it and we continue to brainstorm on the problem of state management and how to do it in an HA way, so you can run services where the compute bounces around some node in a set that's up and reachable on the tailnet but the state is durable and in sync between the nodes. It's a fun problem.
Anyway, a fun problem (or worse, a solution looking for a problem as I couldn't immediately think of a problem that would require it just yet. May be distributed training and such)
Cool to see a bradfitz reply though!
Does anybody know of any good materials on the enterprise use cases and configs? e.g. blogs, screencasts, etc.
- My home PC, my laptop, and my phone are the participants.
- My home PC is connected to a GPU, and runs a colab runtime, SSHD, as well as a simple http file server in $HOME (actually, C:/Users/username, its windows)
- My laptop doesn't have an NVIDIA GPU, so it just runs SSHD and a file server.
- My phone serves nothing, but has an SSH client, and a http client obviously.
There is simple hostname based DNS setup by tailscale automatically, so I can just go to http://laptop:8000 to access all my files, or just ssh to username@computer
Accessing everything from everywhere is absolutely great. And this is all on their free tier.
Unrelated to tailscale, I use parsec for a similar solution for remote desktop, their "machine level user" feature allows me to initiate remote desktop from certain client devices directly.
Too smooth.
I was even able to stream my games through the tunnel with a (decent enough) latency of 27ms with variance of 2ms.
Admittedly, I could buy a gaming laptop, but I don't want to carry a heavy laptop 4 times a month :P