10 comments

[ 4.3 ms ] story [ 27.9 ms ] thread
Interesting article; do you have any details on the performance differences?
Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.

The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight Wireguard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.

Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.

Tailscale is interesting. It's built on top of wiregaurd but is different in that it creates a mesh of vpn connections between your devices, rather than just a connection from client to server.

I haven't used it because I use witeguard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sorts of my information is vulnerable if I use it.

Genuinely curious: is Tailscale actually providing any values to this use case beyond what you get from a raw Wiregaurd exit node with port forwarding instead of Tailscale's NAT traversal? I've never used Tailscale, but I have a Wiregaurd setup on my home server for the same purpose as described in the article, and I've never had any issues with it.

Edit: Noticed some sibling comments asking effectively the same thing as me. I've been meaning to write a blog post covering the basic networking knowledge needed to DIY with just Wiregaurd. My impression is that many people don't realize just how easy it is or don't have the requisite background information.

> Genuinely curious: is Tailscale actually providing any values to this use case beyond what you get from a raw Wiregaurd exit node with port forwarding instead of Tailscale's NAT traversal?

Yes, but I guess it depends on how much of an adoption barrier/pain you want to deal with. Tailscale's control plane is dead simple and they ship apps on basically every platform so its easy to onboard mobile devices in addition to anything else. I'm a literal former network engineer with over two decades of experience, and I tried Tailscale randomly one of the first few times it popped on HN and stuck with it precisely because of how easy it was and how trivial it was to verify the security of my tunnels. Doing this manually is definitely possible on devices you control, but it's not a fun time, and Tailscale is dead simple.

Tailscale tangential use case! :)

I was looking for remote access software to help family with their PC and came across RustDesk(https://rustdesk.com/) but it needs a server. Found out it can work without a server if you have Tailscale installed. No fees for any of this and works on many platforms.

Tutorial for Rustdesk + Tailscale setup for remote desktop access: https://www.youtube.com/watch?v=27apZcZrwks

The only other thing I can add is - with very little configuration, you can allow direct routing to your entire local lan. If anyone is interested, I’ll document it. I’ve set it up in an lxc container on my Proxmox home server and am very happy with it. Allows direct access to all my VMs on the go!
I noticed the same, I had nodes on 2 different ISPs.

On one ISP inbound IPv6 was blocked at router, while on other IPv6 was fully allowed.

Tailscale detected this is automatically created the tunnel from the blocked one to the other.

I was super impressed, as this was handled automatically.

I use tailscale and mullvad vpn for a list of exit nodes i can choose from to work around restrictions, but also bad routing.

Like, when in asia and the route is to europe, sometimes it adds weird hops, while when i use an exit-node in Japan, i know, i have perfect routing to Japan and from there perfect routing to europe.

But the Mullvad VPN exit nodes often runs into problems like cloudflare blocking. So i am looking for alternative, not well known providers for exit-nodes.

Sometimes i even dream of sending my europe traffic via the internal aws network via regions, but hey...

> Sometimes i even dream of sending my europe traffic via the internal aws network via regions, but hey...

It's more work, but you can definitely do this. Inter-region traffic still carries egress charges though, so be aware of that in advance. This is a very common pattern in enterprise networking when building cloud-based SDWAN topologies: branch a,b,c connect to hub-1 in us-east-2; branch d,e,f connect to hub-2 in us-west-2; dc1 connects to hub-1 in us-east-2; dc2 connects to hub-2 in us-west-2; services in dc1 and dc2 can reach each other for DR and clients in branch f can reach services hosted in dc1.

Underlying all of these SDWAN technologies is essentially basic site-to-site VPN tunnels. Most still use IPSEC, although Wireguard is also used sometimes.