Another similar project to Tailscale, for those in the market:<p><a href="https://github.com/slackhq/nebula" rel="nofollow">https://github.com/slackhq/nebula</a><p>Crazy simple, fully open source, trivial to self-host. Maybe not as featureful as Tailscale, but imo that can be a feature unto itself.
The ZeroTier ecosystem has a number of open source self-hosted controller projects for those who want unlimited members/networks/admins.<p>- <a href="https://github.com/key-networks/ztncui" rel="nofollow">https://github.com/key-networks/ztncui</a> (the most popular one, GUI)<p>- <a href="https://github.com/dec0dOS/zero-ui" rel="nofollow">https://github.com/dec0dOS/zero-ui</a> (GUI)<p>- <a href="https://github.com/thedunston/bash_cli_zt" rel="nofollow">https://github.com/thedunston/bash_cli_zt</a> (CLI)
Not sure what I think about this.<p>I don't use Tailscale because I don't trust their key distribution, and this open source project would solve that, but it might undermine Tailscale's sustainability.<p>This would be a shame because Tailscale is working well with the open source community: open source clients, working well with distros, working well with Linux DNS stack, supporting a more P2P secure Internet, and documenting their well through it.
Can someone shed some light on the full use-case of Tailscale/Zerotier/Nebula please? I may not be getting something fully.<p>The question is this. Say, I use one of the above to form a private mesh network for the nodes that an organization needs to have access to. So far so good. But on the machine side I would still want to have key (ideally certificate) based authentication, and some user management, such that access can be revoked. Is this an anti-pattern? Or do people use something like Go Teleport in combination with a zero trust mesh network?
so this whole zerocorp/zerotier/encrypted-mesh networking approach is pretty cool, but every time i see it i ask myself: how do you monitor for malicious nodes? in old setups, typically there would be some sort of passive monitoring system that would monitor the traffic between hosts and could be used for forensics/malicious traffic identification. but if you're encrypting traffic at each node for each other node, then only the participant nodes are privy to the traffic. if one or both are compromised, how would you ever know? sure you can run userland security agents on them that collect data, but if the machines are actually compromised, you can't really trust what they say, right? (that's the whole reason why you use a third system for monitoring!)
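One defensive answer to the "you can't trust what a compromised node says" problem is to never rely on any single node's self-report: collect every node's view of its peers out of band and cross-check them against the control plane's authorized set and against each other. The script below is an added example, not code from the thread or from any of the projects named in it; the authorized list, the per-node peer reports and their format are all constructed here for illustration.

```python
"""Cross-check per-node peer reports against a control plane's authorized set.

Added example with constructed data. The idea: a compromised node can lie in
its own report, but it cannot edit the reports the other nodes hand in, so
disagreements between reports (and peers nobody authorized) become signal.
"""

# Constructed: what the coordination server believes the mesh consists of
# (node name -> public key). In a real deployment this comes from the
# controller's database, not from any node.
AUTHORIZED = {
    "node-a": "KEY_A",
    "node-b": "KEY_B",
    "node-c": "KEY_C",
}

# Constructed: each node's own view of its peers (public key -> bytes received
# from that peer). Gathered out of band, e.g. by pulling each node's tunnel
# peer table on a schedule from a separate monitoring host.
REPORTS = {
    "node-a": {"KEY_B": 1200, "KEY_C": 300, "KEY_ROGUE": 9000},
    "node-b": {"KEY_A": 1100, "KEY_C": 0},
    "node-c": {"KEY_A": 290},  # node-c never saw node-b
}


def audit(authorized, reports):
    """Return a sorted list of (finding, node, detail) tuples.

    finding is one of:
      missing_report - an authorized node handed in no report at all
      unknown_peer   - a node reports a peer key the control plane never issued
      asymmetric     - node X lists Y as a peer but Y does not list X
    """
    known_keys = set(authorized.values())
    name_of = {key: name for name, key in authorized.items()}
    findings = []

    # Silent nodes are themselves a finding: absence of data is not "all clear".
    for node in authorized:
        if node not in reports:
            findings.append(("missing_report", node, None))

    # Any peer key the control plane did not issue is a rogue peer on that node.
    for node, peers in reports.items():
        for key in peers:
            if key not in known_keys:
                findings.append(("unknown_peer", node, key))

    # Symmetry check: a tunnel has two ends, so both ends should report it.
    for node, peers in reports.items():
        for key in peers:
            other = name_of.get(key)
            if other is None or other not in reports:
                continue  # already covered by unknown_peer / missing_report
            if authorized[node] not in reports[other]:
                findings.append(("asymmetric", node, other))

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(AUTHORIZED, REPORTS):
        print(finding)
```

With the constructed data above, the audit flags the unauthorized `KEY_ROGUE` peer that `node-a` reports and the one-sided tunnel that `node-b` claims to `node-c`. Neither check depends on believing the suspect node alone, which is the property the comment is asking for; the cost is that the collector itself becomes the "third system" and has to be kept out of the mesh's trust domain.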
Is there anything among these that incorporates a basic configurable firewall policy?<p>In the more distant past, I used sshuttle to create a “one way” poor man’s VPN; it is slow, but it was enough to saturate the remote connections I had at the time; and — unlike many other systems at the time — I knew I could trust the cryptography and key distribution, which piggybacks on ssh.<p>At the minimum, I want to have connections going only one way between some hosts, or no way in the case of two edge devices - and possibly also list specific ports and protocols. Sshuttle only provided directionality - and not intentionally either…<p>Sshuttle was conceived and written by Avery Pennarun, who later went on to co-create … tailscale.
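Of the projects named in this thread, Nebula ships exactly this kind of policy: its `firewall:` config section is default-deny and holds lists of `inbound` and `outbound` allow rules keyed by `port`, `proto` and a peer selector (`host`, `group`, `groups` or `cidr`), which gives the one-way and port/protocol restrictions asked for above. The script below is an added example, not Nebula's own code: the two policies are Python dicts mirroring those YAML keys (a permissive one beside a restricted one), and `allowed()` applies the matching semantics as this example understands Nebula's documentation (any rule match allows; `groups` requires all listed groups; ranges as `"lo-hi"`), which should be checked against the version in use.

```python
"""Evaluate and lint a Nebula-style default-deny firewall policy.

Added example with constructed policies. The dict layout mirrors Nebula's
`firewall.inbound` / `firewall.outbound` YAML lists; the matching rules below
are this example's reading of Nebula's documented semantics, not its code.
"""
import ipaddress

# Constructed: the "it works, ship it" policy. Every node may reach every
# port on this node, so the mesh provides encryption but no segmentation.
WEAK = {
    "outbound": [{"port": "any", "proto": "any", "host": "any"}],
    "inbound": [{"port": "any", "proto": "any", "host": "any"}],
}

# Constructed: the same node with one-way, port- and group-scoped access.
HARDENED = {
    "outbound": [{"port": "any", "proto": "any", "host": "any"}],
    "inbound": [
        {"port": "any", "proto": "icmp", "host": "any"},           # ping from anyone
        {"port": 22, "proto": "tcp", "group": "admin"},            # ssh for admins only
        {"port": "443", "proto": "tcp", "groups": ["web-client", "prod"]},  # both groups
        {"port": "8000-8999", "proto": "tcp", "cidr": "10.10.0.0/16"},      # one subnet
    ],
}


def _port_match(rule_port, port):
    """Rule ports may be 'any', a number, a numeric string, or 'lo-hi'."""
    if rule_port == "any":
        return True
    text = str(rule_port)
    if "-" in text:
        lo, hi = text.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(text) == port


def _peer_match(rule, peer):
    """peer is {'name': str, 'groups': set[str], 'ip': str}; any selector matching suffices."""
    if rule.get("host") == "any":
        return True
    if rule.get("host") == peer["name"]:
        return True
    if "group" in rule and rule["group"] in peer["groups"]:
        return True
    if "groups" in rule and set(rule["groups"]) <= peer["groups"]:
        return True  # every listed group must be present on the peer
    if "cidr" in rule and ipaddress.ip_address(peer["ip"]) in ipaddress.ip_network(rule["cidr"]):
        return True
    return False


def allowed(firewall, direction, proto, port, peer):
    """Default deny: True only if some rule in the given direction matches."""
    for rule in firewall.get(direction, []):
        if rule["proto"] not in ("any", proto):
            continue
        if not _port_match(rule["port"], port):
            continue
        if _peer_match(rule, peer):
            return True
    return False


def lint(firewall):
    """Flag inbound rules that expose services to every node in the mesh."""
    findings = []
    for i, rule in enumerate(firewall.get("inbound", [])):
        if rule.get("host") == "any" and rule["port"] == "any" and rule["proto"] == "any":
            findings.append(f"inbound[{i}]: allows everything from every node")
        elif rule.get("host") == "any" and rule["proto"] != "icmp":
            findings.append(f"inbound[{i}]: {rule['proto']}/{rule['port']} open to every node")
    return findings


if __name__ == "__main__":
    admin = {"name": "laptop", "groups": {"admin"}, "ip": "10.10.5.1"}
    print("weak:", lint(WEAK), "hardened:", lint(HARDENED))
    print("admin ssh ->", allowed(HARDENED, "inbound", "tcp", 22, admin))
```

The `lint()` pass is the check worth wiring into a config review: it catches the wide-open inbound rule that makes a mesh no safer than a flat LAN, while `allowed()` lets you test a proposed policy against concrete peers before rolling it out.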
No one has mentioned Netmaker[1] yet.<p>It's a fully meshed network based on WireGuard; it's open source, including the web UI.<p>[1]: <a href="https://github.com/gravitl/netmaker" rel="nofollow">https://github.com/gravitl/netmaker</a>
I saw this a while ago but had not realized it was feature complete now. Fantastic work. I look forward to moving from pure-wireguard to Headscale/Tailscale soon.
With nearly all websites running https now, is it safe enough to surf without a VPN these days?<p>Add DNS-over-HTTPS so your ISP cannot collect where you're going.<p>As far as Google etc. collecting your info, it will work the same as long as you're using their service, with or without a VPN.<p>I do use a VPN (Tailscale) for work so I can access the corporate internal network, but for general surfing purposes, do I really need a VPN these days?
While this is great, of course, it's definitely not feature parity with Tailscale, which currently allows me to have <i>nothing</i> listening on the open internet and still form a private network spanning hosts all over the world, share resources within that network with 3rd parties trivially, send files across my network, Android/iOS apps, etc.<p>I still posit the alternative to Tailscale is simply just WireGuard. I don't see huge value in hosting my own Tailscale over just using Tailscale.