Tailscale is one of my favorite companies. They're clearly on to something. Here's a great post by their CTO explaining a lot of the motivation and vision behind it: <a href="https://crawshaw.io/blog/remembering-the-lan" rel="nofollow">https://crawshaw.io/blog/remembering-the-lan</a><p>IMO the main outstanding questions/concerns are:<p>* Is the VPN model really the way to go? If someone gets their hands on one of your Tailscale nodes, they can access every service on your tailnet, which are likely running with reduced security since that's a huge part of the appeal. This is exactly the situation BeyondCorps/Zero Trust was created to avoid. Tunneling services[0] are more of a Zero Trust approach, but they can't match the seamlessness of Tailscale once a node is connected to the tailnet.<p>* Can it expand into the layman market? I wonder if the average person will ever be willing to install a VPN app on all their devices. On the flipside, I could see TS partnering with someone like Google to integrate TS tightly with Android and set up a private network between all your Google-signed-in devices.<p>* The relay system - DERP is nice, but it's primarily intended for signaling/fallback. It feels like CGNAT adoption is growing faster than IPv6 is, and I wouldn't be surprised if fewer and fewer p2p connections succeed over time[1]. DERP forces everything over a single TCP connection (HOL blocking), and I'm not sure it even has any flow control.<p>* Use in web browsers - They got a demo of this working, but it's pretty involved. You have to compile the entire Tailscale Golang library to WebAssembly which is a large artifact, and it's DERP-exclusive.<p>* Portability in general - Depending on WireGuard, as awesome as it is, is fairly limiting. You either need admin privileges to create the TUN device, or you need to run an entire TCP stack in userspace alongside your own WireGuard implementation. 
I'd be interested to see something like Tailscale implemented on top of WebTransport.<p>[0]: <a href="https://github.com/anderspitman/awesome-tunneling">https://github.com/anderspitman/awesome-tunneling</a><p>[1]: <a href="https://tailscale.com/blog/how-nat-traversal-works" rel="nofollow">https://tailscale.com/blog/how-nat-traversal-works</a>
I'm curious to hear well-informed reasons from this crowd for why we can trust Tailscale given the non-self-hosted part of the architecture? Does it come down to Tailnet locks [1], not worrying that Tailscale will be compromised, not worrying that your home network is worth compromising, or something else?<p>[1]: <a href="https://tailscale.com/kb/1226/tailnet-lock" rel="nofollow">https://tailscale.com/kb/1226/tailnet-lock</a>
The tailscale.com/tsnet package in Go [1] is really useful if you've not looked at it before: you can make single binary HTTP or whatever servers that are only exposed inside your tailnet.<p>Their golink project [2] is a good example (and useful itself), but I've used it to build "peer to peer" comms for one application, and to host an API and Svelte SPA to control some other things in a tailnet.<p>[1] <a href="https://pkg.go.dev/tailscale.com/tsnet" rel="nofollow">https://pkg.go.dev/tailscale.com/tsnet</a><p>[2] <a href="https://github.com/tailscale/golink">https://github.com/tailscale/golink</a>
I was once in South Africa and needed to look up my prescriptions in the CVS app. I had lost my pills and needed to show a local pharmacist what I needed. CVS geoblocked me. Luckily I had a Tailscale exit node running at home, which solved the problem.
I used Tailscale the other week to solve a problem where a government website was blocking me from scraping it from GitHub Actions... so I ran an exit node on an Apple TV on my home network and configured the GitHub Actions worker to use that instead. Worked great! <a href="https://til.simonwillison.net/tailscale/tailscale-github-actions" rel="nofollow">https://til.simonwillison.net/tailscale/tailscale-github-act...</a>
Tailscale is not just a wrapper around Wireguard, as some people imply in the comments. The codebase is far bigger, and it does far more. They are different products.<p>What Tailscale does is difficult to do with Wireguard: Easy VPN, SSO with MFA, key distribution, static private IP for each node, peer to peer direct connectivity, split tunneling, fine grained access control rules down to per port and application, Wireguard over TCP, NAT traversal for devices behind firewall, central management, sharing nodes with others, DNS, file sending, routing rules (with exit nodes, subnet routers, “via”), key rotation, …<p>Wireguard connects peer A to peer B, and its simplicity stops there.<p>I found Tailscale to be a very good tool, that I extensively use.<p>My only concern is: what happens if their infrastructure is compromised at some point, like Okta’s? Assuming I have Tailnet Lock enabled.
We’re using Tailscale for our internal network, and it’s amazing. We’re a team distributed across multiple countries, and with Tailscale, it’s like we’re sitting in a single office, connected to the same router. And on top of that, we get centrally managed ACLs for everyone, TLS certificates, and SSO with Microsoft accounts. Amazing stuff!<p>My main gripe, though, is DNS. It’s great to be able to reach prod-db-1, prod-db-2, and prod-db-3, tag them as "db" and create a rule to allow TCP on db:5432. However, it’s annoying that all of this is supported, but not the obvious extension - DNS records for the <i>tags</i>, so I can point apps to a group of servers belonging to the same tag.
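The tag-scoped rule described above, and the top comment's concern that a compromised node can reach every service on the tailnet, both come down to the ACL policy. Below is an added example of a Tailscale policy file (HuJSON, i.e. JSON with comments); it is not the commenter's policy and not taken from Tailscale's documentation. The tag names, group name and user are constructed. Its point is that once an `acls` list is present, anything not matched is denied, so a compromised `tag:app` node can reach Postgres on the database nodes and nothing else, which is the per-port restriction the VPN-model objection asks for.

```json
{
  // Who is allowed to apply each tag to a node (constructed example).
  "tagOwners": {
    "tag:db":  ["autogroup:admin"],
    "tag:app": ["autogroup:admin"]
  },

  "groups": {
    "group:dba": ["alice@example.com"]
  },

  // Replaces the default allow-all rule ({"src": ["*"], "dst": ["*:*"]}).
  // Anything not listed here is denied.
  "acls": [
    // application nodes may open Postgres on database nodes, nothing else
    {"action": "accept", "src": ["tag:app"],   "dst": ["tag:db:5432"]},
    // DBAs may reach Postgres and SSH on database nodes
    {"action": "accept", "src": ["group:dba"], "dst": ["tag:db:5432", "tag:db:22"]}
  ],

  // Assertions checked by Tailscale when the policy is saved; a failing
  // test rejects the policy, which catches an accidental widening.
  "tests": [
    {"src": "tag:app",           "accept": ["tag:db:5432"], "deny": ["tag:db:22"]},
    {"src": "alice@example.com", "accept": ["tag:db:22", "tag:db:5432"]}
  ]
}
```

The `tests` block is the check a practitioner wants here: it turns the intended restriction into something the policy editor enforces on every save rather than something verified once by hand.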
I've harped on some Tailscale implementations before for what I perceived to be nonsensical or bad approaches, but this one is an excellent example of its capabilities. In no particular order:<p>* It's not reliant on port forwarding at your firewall<p>* It can get around bad ISP habits, like CGNAT or a lack of IPv6 (or IPv4)<p>* As the OP points out, it's broadly compatible with various forms of exit nodes<p>Straightforward and to-the-point. Great writeup.
Tailscale also allows you to issue valid TLS certificates (`tailscale cert`), which is crazy useful for certain local development tasks, e.g. developing SSO for a mobile application where the SSO provider mandates TLS and the mobile devices don't easily allow you to bypass self-signed certificates. They keep piling on awesome features, big fan.<p>The Tailscale k8s operator is also great.
My favourite use of tailscale:<p>I have a bluetooth gateway (Cassia X1000) in my workshop where I normally develop. I was at home doing some Android work at one point rather than at the workshop and needed to test some new Cassia functionality.<p>Tailscale exit node in the workshop.<p>Tailscale client on my linux dev laptop at home.<p>Started up the android emulator via Android Studio, connected to the Cassia via the app being debugged, debugged what I needed to, shipped it.<p>At the time it seemed like actual magic had happened.
The features here seem to be fairly standard with most of the WireGuard-based VPNs these days. For example, I use Nord for my use-case which is very similar to the author's. This allows me to rsync my home directory between my laptop, tablet, phone's Termux env, and desktop (all running Linux) to maintain configuration parity and file locality regardless of where I turn these devices on, so long as they have internet.<p>Does Tailscale have features that set it apart now that other VPNs have gotten the private mesh thing down pretty well?
Tailscale is becoming less useful as network providers become hostile to it.<p>Last week I noticed McDonald's guest wifi is blocking new connections over the tailscale control ports. It will pass wireguard mesh traffic for established sessions, but their firewall rules prevent you from establishing new ones.
Also check out zerotier. I've been using it because it has a lot more features than tailscale (although it's been 4-5 years that I have the zerotier network set up).<p>Pretty damn useful to connect to services in my internal network wherever I go. I have it set up on my router, so I don't need to install it on every single server in the house :D
Also, their building up on top of a 'platform' is wonderful: funnel, exit nodes, sharing, ssh, drive etc.<p>I wonder if they can figure out a way to distribute compute eventually via their network (not just clunky ssh): 'my' storage is already shared with 'my' nodes, why not 'my' compute? :)<p>Seems like a great company/business.
Is Tailscale useful if you <i>don't</i> have CGNAT? I solve the problem in the article using Wireguard on my router and a dyndns client.<p>In a way I think all these solutions just keep enabling IPv4 to continue and that sucks. Does Tailscale offer anything in an IPv6 world? Are they another company with an interest in stopping IPv6 progress?
I think for simple cases, it's great. If you have remote boxes somewhere that need administration, it's awesome.<p>If you have more complex cases, the IPTables/Netfilter rules make it vastly more difficult to manage, particularly if you're running docker-compose (or anything using IPTables rules) on the same box and trying to troubleshoot the packets coming out of docker and going into tailscale.<p>And then trying to figure out what tailscale is doing with your packets is not great as well. They've also broken features I relied upon with a minor release.<p>Their nat traversal doesn't always work, as sometimes I get connected to a DERP server, so that limits the network speeds across the internet.<p>I blame CG-NAT quite a bit -- it's really why we can't have nice things these days -- and I get tailscale is trying to fix a bunch of that. But the reality is, I just want an interface just like eth0 or wl0, not an IT infrastructure to move my packets across.
I used to expose my workstation RDP directly but with a non-standard port. Then I became a "homelabber", and paranoid, and added a mix of nginx with basic auth in front of Guacamole. The UX in browser is so abysmal that I used it to configure direct RDP when I really needed to work remotely when traveling. Then I learned Tailscale and it is really liberating. Just direct RDP with negligible (for me) risks. I run OneDrive, JetBrains Toolbox, Podman just visible in the tray and what else as services, such as OpenVPN, etc. I keep Tailscale running only when I travel. I think paranoia should stop at some point, yet I still read the top comment about security/trust very attentively.
When reading about this kind of use case, I'm always really glad my ISP gets me static and dedicated IPv4 and IPv6 addresses along with a good fiber connection to the internet for less than 30€/mo.
I use tailscale to build my personal podcast that includes local weather and stocks I'm interested in. Running the whole pipeline on a Steam Deck and using tailscale to securely deliver the generated podcast to my phone.
I tried using tailscale to share my hdhomerun prime tuners over the internet, but sadly, it doesn't seem to work due to Tailscale's lack of support for mDNS lookups[0][1]. You can't just forward the port b/c the hdhr device packets have a ttl of 1 hop (and, while you could change the ttl through iptables, that seems like a lot of trouble).<p>I can open a stream manually through <a href="http://192.168.1.189:5004/auto/v600" rel="nofollow">http://192.168.1.189:5004/auto/v600</a> while connected to tailscale (w/ my apple tv in-home as an exit node) on my laptop outside of the house, but when I open the HDHR/Channels apps, they can't detect the HDHR tuner itself.<p>Apparently this "just works" with openvpn, so I've been thinking about just switching back to that.<p>[0]: <a href="https://github.com/tailscale/tailscale/issues/1013">https://github.com/tailscale/tailscale/issues/1013</a><p>[1]: <a href="https://old.reddit.com/r/HDHR/comments/z8byns/watching_remotely_with_hdhomerun_and_tailscale/" rel="nofollow">https://old.reddit.com/r/HDHR/comments/z8byns/watching_remot...</a>
VPNs are complicated and it's rarely a case of one is better than another.<p>Tools for the job, should be our watchword ... phrase 8)<p>IPSEC is somewhat old school but very solid - if you can do opportunistic IPSEC via DNS etc it can be rather nifty. You can also use FRRRRRRRRRRRR to do it routed. IPSEC with BINAT can be used to avoid issues involving duplicate network addressing.<p>I default to IPSEC for site to site links.<p>OpenVPN is more TCP/IP related compared to IPSEC - that's very simplified. You can easily set an IP address for a client and other niceties.<p>OpenVPN is superb for massive client deployment. If you have a central CA and can deploy certs on all devices eg via MS AD CA then you can use a single config file for all clients, which is a doddle to deploy via GPO.<p>Tailscale is the new kid on the block. As with all new kids you need to examine what works for you and you could be one person or an entire multinational.<p>The real world is rather messy. For example your home/office/corp network will almost certainly have a MTU of 1500 bytes. When you hit the internets it gets really messy. Some British Telecom links (for example) will support mini jumbo frames and some won't and the real world continues to get more and more complicated.
Does anyone have some insight why installing security/tailscale on freebsd is installing security/ca_root_nss which contains a very scary message?<p><a href="https://github.com/freebsd/freebsd-ports/blob/ec981e26cd312887c3888afa567130c044790252/security/ca_root_nss/files/pkg-message.in">https://github.com/freebsd/freebsd-ports/blob/ec981e26cd3128...</a>
I previously used WireGuard and for a bit tried just having an SSH tunnel with autossh, but in the end just settled on using Tailscale, because it doesn’t ask me to manually manage the keys and also doesn’t drop around every 30 minutes for a bit and doesn’t need weird hacks to expose ports for my Docker network traffic.<p>That said, what messed with me greatly was the fact that Tailscale seems to have an MTU of 1280 whereas Docker by default had 1500 which led to inexplicably dropped overlay traffic with nonsensical log messages in my reverse proxy web server.<p>Basically, I had to delete docker_gwbridge and recreate it with some specific options: <a href="https://docs.docker.com/engine/swarm/networking/#customize-the-docker_gwbridge" rel="nofollow">https://docs.docker.com/engine/swarm/networking/#customize-t...</a><p>It was quite the mess. I have no idea why Docker couldn’t just figure out that it needs the smaller MTU by itself, cause it listens for the Swarm on an interface that’s related to Tailscale and it can see what MTU that has.<p>Still, Tailscale in of itself is pretty nice.
I selfhost tailscale with headscale, I used a helm chart in a k8s cluster, works great.<p>I ran into a corporate network recently that blocked the Tailscale DERP servers.
I'm thinking about exposing some services outside of my LAN, and wondering whether it would be better to go with Tailscale or Cloudflare Tunnel. [1]. At a high level both solutions seem pretty similar, with a client service running on the machine you want to share.<p>My sense is that tailscale makes sense for a more locked-down service that is not accessible to the general public (although they do have a way to open up access to the world [4], it felt like more of a temporary thing than a permanent solution when I was looking into it).<p>And Cloudflare is more for exposing a service to the world, with support for a custom domain name, DDoS protection and other IP blocking features, etc. Cloudflare does have a "Zero Trust Network Access" product that I <i>think</i> might offer similar functionality to Tailscale, but honestly pretty hard to tell what it does from their website or how hard it would be to set up.<p>They both have free tiers that are pretty generous for "homelab" use cases. [2][3]<p>Does that sound pretty much correct? Are Tailscale and Cloudflare competitors with a lot of overlapping functionality? Or are they mostly distinct products serving different use cases/markets?<p>[1] <a href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/" rel="nofollow">https://developers.cloudflare.com/cloudflare-one/connections...</a><p>[2] <a href="https://tailscale.com/pricing" rel="nofollow">https://tailscale.com/pricing</a><p>[3] <a href="https://www.cloudflare.com/plans/" rel="nofollow">https://www.cloudflare.com/plans/</a><p>[4] <a href="https://tailscale.com/kb/1223/funnel" rel="nofollow">https://tailscale.com/kb/1223/funnel</a>
Tailscale is also crazy unreliable in my experience, at least on Android. It had to be force quit and restarted every day, and even outside of that apps would randomly get connection errors. And they don't seem to care about bug reports. I ended up switching to regular Wireguard, which has since been perfectly reliable.
I have nothing but performance issues with tailscale. On both my iPhone and my iPad it _destroys_ my battery. It uses some 40+ hours of background time in just a few days. On my PC whenever I come back home and tailscale was running, everything is out of memory and not running correctly.<p>That's my experience. I wish it was better.
Tailscale is great but one thing I don't like about it is that I cannot re-use IP addresses.
This feature is offered by ZeroTier; it can be very useful if for some reason you have to format and re-install the OS and everything..
Unfortunately, I cannot use ZeroTier because the speed I get over it is terrible
I use it extensively as well.<p>- My home PC, my laptop, and my phone are the participants.<p>- My home PC is connected to a GPU, and runs a colab runtime, SSHD, as well as a simple http file server in $HOME (actually, C:/Users/username, it's Windows)<p>- My laptop doesn't have an NVIDIA GPU, so it just runs SSHD and a file server.<p>- My phone serves nothing, but has an SSH client, and a http client obviously.<p>There is simple hostname-based DNS set up by tailscale automatically, so I can just go to <a href="http://laptop:8000" rel="nofollow">http://laptop:8000</a> to access all my files, or just ssh to username@computer<p>Accessing everything from everywhere is absolutely great. And this is all on their free tier.<p>Unrelated to tailscale, I use parsec for a similar solution for remote desktop, their "machine level user" feature allows me to initiate remote desktop from certain client devices directly.<p>Too smooth.
CGNAT _can_ make it easier to access your server.<p>If your Internet provider and your mobile provider are the same company, they could put all your connected devices in the same IP block within the CGNAT IP range.<p>Now, not only can you access your device at home while away using your cellphone, you can also connect to your partner's phone with the same IP address at (or away from) home.<p>Some Internet providers in China very recently started providing this service, e.g. <a href="https://www.chiphell.com/thread-2666772-1-1.html" rel="nofollow">https://www.chiphell.com/thread-2666772-1-1.html</a> (in Chinese). In addition to the convenience of accessing your home server while on the go, they also make the traffic within the CGNAT free.
Is there any simple FOSS alternative to tailscale that you can self-host?<p>The only thing I need is to simply connect to the home network and I don't want to need to open and forward ports etc in routers and firewalls for it to work, just something simple, plug and play, and secure.
I have to point out that their online videos are amazing to learn how to quickly set up certain features like SSH. In less than 5 minutes I had VSCode on a Macbook Air connected to my desktop machine running Linux on a completely different network.
Tailscale is great. I put my whole company on it shortly after joining (we had some servers with RDP exposed to the internet...). It has had ~0 problems in the last year, and non-technical people are able to use it with ease.
Networking SmartFriends: Is port forwarding intrinsically a bad idea (as compared to using Tailscale Funnel) from a security perspective if I want to expose, say, a Plex server running on my NAS to the outside world?
The main advantage of Tailscale for most is it allows you to avoid having a fixed IP address/DNS, and keep all ports closed.<p>As long as you trust them this really gives you a lot of security at a very low cost.
- Install & authenticate on all your machines<p>- Boom, everything works<p>- Internet? feels like local-net<p>This is just brilliant tech. Thank you so much for building this guys and the amazing effort that goes behind it everyday
I love tailscale! I am now on vacation and all my devices can still use pihole running on a raspberry pi at home on the other side of the world. And it was trivial to set up!
In other words (they do get to this point right away), port forwarding is pretty useful, and most of us don't have it anymore.<p>I'm sick and tired of the way ISPs treat us. It's literally written into my lease what company I will pay for internet, and how much I will pay them. It is <i>not</i>, however, written in my lease <i>how fast the connection will be</i>. Not only am I unable to forward ports, I can't even change my own WiFi password! Sure, I could make a fuss and probably obtain access to my router, but it isn't worth the hassle.<p>But why is there a hassle to begin with? How in the hell is it in anyone's interest to keep me from configuring my own router? I can come up with plenty of authoritative bullshit answers to this question, but they are all authoritative bullshit. I think that's the real answer: we have systemically built our society to operate on authoritative bullshit. <i>sigh</i><p>Tailscale is a usable workaround, but it shouldn't exist. It shouldn't <i>need to</i> exist. I just want to be able to host a server. Is that really so much to ask?
We recently did a pretty big rollout of Tailscale and tbh I am pleasantly surprised with how well it works. Between subnet routing to our bare metal stuff and the Kubernetes operator, especially the ability to expose services to the Tailnet has been a big win.<p>I was a doubter a bit as to how it would work at a bigger org but so far rock solid, easy to set up and great user experience.
super useful, at airgarage we have a network of license plate readers deployed around the country and tailscale is a game changer for remote access and debugging. <a href="https://www.airgarage.com/capabilities/license-plate-recognition" rel="nofollow">https://www.airgarage.com/capabilities/license-plate-recogni...</a>
I really love Tailscale's offering but the performance was just significantly worse compared to cloudflare.one, to the level of switching back and biting the bitter pill of fully depending on orange cloud for everything as well as having sub-par usability compared to tailscale or even the rest of cloudflare.
I set up a Wireguard tunnel into my home network years ago, before Tailscale was really a thing, and I always wonder if I should switch, but I can never make the effort worth it in my head. If I was starting all over, I'd go Tailscale for sure, but a single tunnel really gets me 99% of the way there.
I don’t understand why one would use Tailscale over WireGuard. Is it because it’s easier to set up, sort of like how Dropbox was? I’m primarily wary of the rug being pulled out and Tailscale suddenly costing me a lot of money whereas my WireGuard setup seems more stable in the long term.<p>Or is there more to it that I’m missing?
Tailscale is super awesome, I was amazed when I first set it up that it just worked out of the box. It can be set up by everyone without having to expose ports on the router (something that is often not even possible anymore due to CGNAT), so you get a lot of convenience without giving up security
I work +1000km away from home, and I work by shifts, tailscale has helped me a lot on running stuff back at home.<p>I was even able to stream my games through the tunnel with a (decent enough) latency of 27ms with variance of 2ms.<p>Admittedly, I could buy a gaming laptop, but I don't want to carry a heavy laptop 4 times a month :P
> I know its local IP address and can ssh into it easily when I’m home, but when I’m outside, that’s not possible as it’s not exposed to the internet.<p>I never understood this problem. I just create a Tor hidden service when I want to ssh into a machine behind a firewall.
Been using it since the early days and it has become a core tool in my arsenal. Tailscale along with 5G and RDP or Parsec means I have access to my powerful home server and primary dev machine no matter where I am. Can even access it on my iPhone (only RDP).
I kind of have a mental block around Tailscale even though it would be useful in some cases for me, because the name "Tailscale" instantly trips all my snake oil trauma responses. Can't they call it "Weyergourd" or something?
> I have used Tailscale only for personal reasons so far, using the free tier; they have enterprise plans for enterprise use cases that I have no idea about.<p>Does anybody know of any good materials on the enterprise use cases and configs? e.g. blogs, screencasts, etc.
I love tailscale, but the performance overhead on file transfer (my primary use case for it) is very real.<p>Samba transfers take a 15 megabyte per second hit over tailscale even with a fairly fast CPU on both ends (Ryzen 3600 and Ryzen 7900X3D) on my local network
It is one of the tools I use as well and I pay for it. It makes life so much easier. At work we have to test a lot of country dependent settings and with TS and Mullvad it is very simple. I can also access my home network easily.
For those using WireGuard directly: What techniques do you use to establish connections when behind network infrastructure that blocks all UDP traffic?
We can also try to selfhost this
<a href="https://github.com/openp2p-cn/openp2p">https://github.com/openp2p-cn/openp2p</a>
Is there an alternative to Tailscale with a lower memory footprint? I wanted to run Tailscale on a small router, but it failed due to out-of-memory (OOM) issues.
> it’s no longer possible thanks to a cursed thing called CGNAT<p>as someone who does publicly expose services that have auth, why does CGNAT make exposing ports publicly bad?
I like tailscale as a replacement for the dogshit enterprise VPNs I have had to use in the past (looking at you, ZScaler). But for personal/single home use it’s overkill.<p>I used to run a WireGuard server on a raspberry pi with ddns to update dns record on an as needed basis.<p>Eventually replaced it with my gateways built in WireGuard server which also has ddns enabled<p>The use cases described by the author are taken care of with a simple wg server. Sure you don’t get the distributed peer network of tailscale but I can live without that.
> But my old Raspberry Pi was too weak to run it, so I ended up uninstalling it, and unrelatedly my pet project grew out and has its place in the cloud now.<p>It’s incredible how shitty modern software is that a raspberry pi couldn’t run a basic VPN.<p>If any tailscale devs see this you should try to reproduce this issue and use it as an opportunity to clean up a bunch of dumb assumptions that likely hurt real users as well, just through less direct means like battery consumption and slower overall performance.
See also Nebula:<p><a href="https://nebula.defined.net/docs/" rel="nofollow">https://nebula.defined.net/docs/</a><p><a href="https://nebula.defined.net/docs/guides/quick-start/" rel="nofollow">https://nebula.defined.net/docs/guides/quick-start/</a><p>...I believe 100% open source. You can basically hub between different devices (including iOS/Android) that are identified via certs. Recommended to have one or more public "lighthouses" so anything that can reach a lighthouse can reach any of your other servers (maybe kindof "syncthing for vpn/overlay-network?").<p>I've dorked around with it a little bit, but it's rare enough that I need access to my home network while out that I haven't doubled down on proper cert, key management, rotation, etc.