It's a wrapper around Wireguard that lets you use common SSO providers (Apple ID, Google, etc) to manage access.

It also handles looking up the IP address of your "nodes" through their servers, so you don't need to host a domain/dns to find the WAN IP of your home network when you're external to it (this is assuming you don't pay for a fixed IP).

Most people put an instance of it on a home server or NAS, and then they can use the very well designed and easy to use iOS/mac/etc client to access their home network when away.

You can route all traffic through it, so basically your device operates as if you're on your home network.

You can accomplish all of this stuff (setting up a VPN to your home network, DNS lookup to your home network) without Tailscale, but it makes it so much easier.

Basic version is it's a sort of developer focused zero trust network service.

Encrypted overlay network based on wireguard tunnels, with network ACLs based around identity, and with lots of nice quality-of-life features, like DNS that just works and a bunch of other stuff.

(Other stuff = internet egress from your tailscale network ('tailnet') through any chosen node, or feeding inbound traffic from a public IP to a chosen node, SSH tied into the network authentication.

There is also https://github.com/juanfont/headscale - which is a open source implementation of some of tailscale's server side stuff, compatible with the normal tailscale clients.

(And there are clients for a very wide range of stuff).

Basically it is managed Wireguard. Tailscale does say it, but it is buried under marketing speak.

Not sure if anybody gives you the answer to "what is tailscale?". So, this is my answer (hopefully it's correct and simple enough to understand).

Tailscale allows devices that can access the Internet (no matter how they access the Internet) to see each other.

To do that, you create a tailscale network for yourself, then connect your devices to that network, then your devices can see each other. Other devices that are connecting to the Internet but not to our tailscale network won't see your devices.

AI might explain it better :-) Don't know why I wanted to explain it.

I don't think you need to pay $6 a month to try it out.

Install it on all the machines you want. When you are running it on the machine, it is networked to the other machines that are running it. Now make an 'exit node' on one of those machines by selecting it in the UI, and all your gear can access the internet via that exit node. Your phone can run it. Your apple tv can run it. You can have multiple exit nodes. So you can have a worldwide network and not once did you have to open ports in firewalls etc.

Sign up for free using Google Sign In.

Install the tailscale client on each of your devices.

Each device will get an IP address from Tailscale. Think about that like a new LAN address.

When you're away from home, you can access your home devices using the Tailscale IP addresses.

A system by wich you can expose things on your private network (e.g. your home lan) so you can selectively and securely make them accesible from other places (e.g. over the Internet). You can do all this without tailscale by just configuring secure encrypted tunnels (wireshark, traefic, ...) yourself, but services like tailscale provide you with easy gui configuration for that.

I personally use Pangolin, which is similar https://github.com/fosrl/pangolin

For me: it's a way to access services I host on my homelab LAN from 3000 miles away. Having a router that automatically logs into that and routes TS addresses properly allows you to use all your devices connected to that router to access TS services with no further configuration. I host Kiwix, Copyparty, Llama.cpp, FreshRSS, and a bunch of other services on my homelab, and being able to access all of those remotely is convenient.

Extending the question:

In my mind Tailscale was primarily to expose local services but answers here sound a bit as if people used it as a VpN replacement.

If I do not want to expose local services but only protect me and hide from untrusted WiFi, would I better use a traditional VPN or Tailscale?

My thinking is that Tailscale could be the better VPN because they have a clean business model while pure VPN companies are all shady.

It's a virtual network switch/router with DHCP, DNS, and lots more enterprisey features on top. You 'plug' devices into it using a VPN connection.

Also the free tier is sufficient for basically anything non power-user or enterprice.

It's a cryptographic key exchange system that allows nodes to open Wireguard tunnels between each other. They have a nice product, but I don't like how it spies on your “private” network by default: https://tailscale.com/kb/1011/log-mesh-traffic

If you want to self-host, use NetBird instead.

they have an excellent set of short intro videos [0] on youtube, that's what I used to get an overview and get set up.

[0] https://youtu.be/sPdvyR7bLqI?si=2kIpHtNuJ52jEdmm

You don't need to get too far down the page to see "VPN", which is what it is. But on top of that primitive, it's also a bunch of software and networking niceties.

It just virtual private network.

It’s a point to point vpn that works between devices even without a direct network connection.

Their personal free plan is more than enough.

I did the same thing recently while visiting family in SE Asia. I wanted to watch my team's bowl game but American college football is unknown in that part of the world. A Wireguard connection back to my home router gave me the ESPN access I pay for in the US.

A few services didn't work because they required my mobile device's location services (which still showed my in Asia). I'm sure I could have found a workaround for that but wasn't properly motivated to put in the effort for a short visit.

In a similar vein, I was able to troubleshoot a problem with our NAS from a cellular connection on a boat near Bali a couple years ago. My son needed access to some files for his college homework but couldn't access it remotely. I was able to access it and reconfigure a setting that had changed during an update and restore his access.

The internet feels like magic sometimes.

I disagree. DNS is generally unencrypted and leaking that over whatever open wifi you're on is generally worse from a privacy perspective than the latency you add bouncing through your home where you probably have encrypted DNS setup.

Even if you don't visit any http sites, you never know what might phone home over http, so an OS level VPN provides foolproof privacy at the cost of a tiny bit of latency.

If Tailscale is installed on your router, then any client will also be able to connect to Tailscale networks.

Fo example, if you have a default route back to your home network on the router, any client will also connect through that tunnel back through your home. This assumes you are using your travel router to connect your laptop as opposed to say the hotel wifi. (In this scenario, your travel router is connected to both the hotel wifi as an uplink and Tailscale.)

For what it's worth, you get 100 devices total, regardless of number of user accounts. If you don't need the permissions granularity that individual accounts have, consider only having an "admin" and "untrusted" account... or a single account, and pinky promise your family not to play with it.

I’m using a GLinet GL-XE3000 for that and it’s great. Initial setup of the 5G eSIM on a physical SIM took a little searching but it’s been rock solid and having consistent access on the road and hotels has been great for family travel. It has a built-in battery, but I’ve never really tested the duration (I suspect it’s 3-6 hours) as I put it on its AC adapter in the hotel and the n a cigarette lighter adapter in the car, so the battery gets used 15-45 minutes at a time to bridge between those two places.

I like it enough that I might buy a second, more compact unit for when space is more a premium, but I’ve been really happy with this one.

If my phone has a VPN to my home server, then it should all be encrypted.

s/Wireshark/wireguard

Hotels in Las Vegas typically charge around $15/day per connected device. Want to download a new book on your Kobo and play Diablo for a few minutes? That’ll be $30, please!

That’s the real win of a travel router, IMO.

Most newer (or at least new + expensive) phones can share their wifi connection via hotspot. 2.4gh only though I think.

Yes, it has actually worked starting with the Pixel 3.

It's called Dual-Band Simultaneous or "STA+AP" (Station + Access Point) concurrency that can bridge an existing wifi connection to an access point to other devices via a hotspot.

Yes it works. Now you can also tether via USB. Both of them have worked flawlessly for me recently.

It seems to be only on certain devices feature(?): on my Pixel it worked, Samsung phone just says "sorry, can't do that".

Works fine, yup.

Ditto, the TP-Link's Archer A7 firmware is a security nightmare [1] but with DD-WRT installed it is very stable and reliable.

[1] Daughter invited ~10 classmates to prepare for a science competition, and one of them had a virus (I assume) that hacked TP-Link's firmware to draft it into a botnet. WAN connection would drop every hour for a few minutes, plus unexplained internet traffic while nobody was using it. Resetting firmware did not help, installing DD-WRT fixed it once and for all.

I think I actually retired an Archer C7 for this. The goal was something 2.5G ready because the city has systematically rolled out fibre to every neghbourhood around here and I'm just waiting for the knock.

Honestly if you're not invested in maybe Ruckus or Aruba, I don't think there's much better than OpenWRT on a decently supported AP. I had a bunch of the C7s with OpenWRT and they've been totally bulletproof. I only upgraded to R650s recently and it's not clear beyond maybe the antenna setup and the fact that it's ax now that it's much better.

My wife’s work WiFi is handled by a gl.inet 150 (https://www.gl-inet.com/products/gl-ar150/) which is tucked behind her desk since at least 2019. Vanilla openwrt on it, provides WiFi from an Ethernet slot in the wall.

Uptime is in years, it’s invisible and chugs along without visible power draw. All her devices connect to it, including her Cisco voip phone. It autossh to my ovh server with remote port forward for remote admin. Cost me 15€ in 2016.

Readers of HN will value flexibility and extensibility, but the other 99% of the folks there are fine with totally locked-down devices because it’s the only thing they know of. The lack of extensibility likely doesn’t affect sales/profit in any significant proportion.

I can’t put a SIM in my ereader or Switch or iPad.

Changing countries a lot reduces this option a bit.

I’m sure I could find a good all Europe card, but I need my number for work calls.

Convenient to connect all devices to one WiFi. E.g. baby camera is on same WiFi as laptop etc.

How’s that access control handled? Very easy to spoof the MAC of the TV or setup some SNI spoofing proxy server, NGFWs with TLS Active Probing are probably harder to deal with but do hotels really have that?

I've read the GL.inet can easily clone the TV Mac, pretty cool.

> Run one wireguard server in your home and one client instance on this router and now all of your devices can share the same residential VPN connection.

You don't need a "travel router" for this. My phone is permanently connected to my server via Wireguard (so that I can access my files from anywhere). Adding another device just requires adding a peer in the server's config file and can be accomplished very quickly. It's not clear what problem the travel router solves, unless perhaps you travel with dozens of devices.

> no million suspicious login detected from all your social accounts,

I can personally do without those.

They're suggesting just running off your data plan which works for domestic travel (at least to urban areas with good cell service) and can work for international if you go through getting a data eSim.

GL.iNet routers don't even need this. It has an option to pass through captive portals. So you connect to your GL.iNet AP, then you set it up for the hotel WiFi, tick the option for passing through (it essentially disables VPN, AdGuard Home and other things if enabled), it will then link you to the captive portal where you can log in as you would otherwise.

Once the internet is active, the GL.iNet router will then re-enable things like VPN and AdGuard Home.

Since these devices are OpenWrt underneath with a pretier ui, I presume this is all possible on any OpenWrt device.

Is this an annoying amount of steps? And do you have to do this on every expiry of your session on the portal?

Thanks! Thats helpful.

> For me, I can't remember the last time I used a hotel TV. When I travel, I want to do stuff at the place I'm visiting, the hotel room is just a place to sleep and shower.

Again, really depends on what kind of travel you’re doing. What you’re describing sounds like leisure travel, which is awesome. But travel for work is often very different. You’re exhausted from a days work and you’re also often staying in very uninspiring places with little to explore.

If your home WiFi uses PSK auth like 99.223% of all homes, you can get to 0 setups by using the same WiFi SSID+PSK on your travel router as the one on your home network.

Sounds interesting but I assume only if you have an iPhone and both are tied to an account?

If I'm traveling for work, I'm working all day. At the end of the day I often just want to rest in the hotel room, especially if I take my dinner in a restaurant.

Typically I don't watch the hotel TV though, as I don't want to figure out what channels are on it and I probably wouldn't want to watch them anyway. If I watch anything it will be on my iPad.

I’m with you, I just turn on Bloomberg and leave it there. When I travel for work, I work all day (some client meetings ant night) and either work out at night or in the morning depending on time zone. Then I enjoy just walking around the city a bit and then sleep.

It really depends. I have a friend who works in hospitality. She travels to some of the nicest hotels in world-class cities. Most of my friends who travel for work are staying in a chain hotel near an office park 25 miles outside the core city they are ostensibly traveling to.

Completely different experiences when it comes to experiencing/exploring the city.

Yeah same. It is borring, yet unfamiliar enough to chill. Same thing kind of applies to eating out for every meal.

I’m really struggling to understand the SIM side, the page talks about 5G while tethered to a phone?

This is incorrect. No sim support here, and no cellular modem either :-)

Ok Lol but they got arrested for stealing others people data not for making a wifi on the flight. That's different.

These travel routers have an option to impersonate the device you are using to get round this.

Why? Because Starlink. Starlink requires airlines to offer it for free (apparently, for now), and the airlines that have started offering it are making a big deal out of it because it's actually usable compared to a lot of the LEO- or ground-based offerings before.

United was looking to have its regional fleet done by end of this week, Qatar has finished their 777s; Hawaiian's entire fleet is done, so is airBaltic's. WestJet are also close.

British Airways is starting the rollout now, so are SAS, Air France and a few others.

Delta and America already are offering free wi-fi on most domestic routes.

I installed another app on my S10 to enable this. It's called "Wi-Fi Hotspot" and it works pretty well

Not that surprising. Unless you’re going to sell access to that hotspot and give Apple a 30% cut, it really wouldn’t interest Tim Cook.

Is it? I can’t picture a real situation where other devices would prefer connecting to mine, running down its battery, instead of directly to the wifi it’s broadcasting.

Besides, at least where I live, 5G/4G is often faster than shared wifi. I’d be surprised if this is used by more than 0.1% of all users.

Tailscale running in subnet router mode on a GL.iNet router comes close. You can setup Tailscale through the GL.iNet GUI but to have it also route traffic for everything over to your Tailnet you need to flip one setting via an ssh command.

Not as convenient as this travel router sounds though, but comes close-ish for techies. (wish it didn't require that tweak via SSH. Maybe it'll be added)

Although it does sound really nice from a user experience perspective I'm really hesitant with carrying a device with me that without any (additional) authentication would gain access to my home network wherever you plug it in. Would hate losing it or have it be taken from me.

Why do you think this would be difficult to do using openwrt? Wouldn't you just set up the travel router to have the same ssid and password as your home network and configure a wireguard tunnel from the travel router to your home network (that is if you want to be in your home network)

> presents to your devices as part of your home WiFi

That will be fun for browser geolocation based on WiFi name.

It probably needs a panic/border mode to disable all home access in the event of an emergency. You don't want to be crossing borders and give customs officials full access to your home network.

But Unifi should be able to implement this with zero extra hardware, just with VPN-style clients on phones and laptops?

I'm just surprised this needs an extra device. It would make sense if the device provided its own connectivity (with global wireless service, say), but this doesn't seem to be the case here. It still needs an uplink.

Not serious, and you got it.

Obligatory: https://news.ycombinator.com/item?id=9224

The catch is figuring out what's going to stick around and what won't.

I have a Ubiquiti EdgeRouter Lite that's a little over ten years old. At the time, it was revolutionary in its ability to pump a whole lot of data over a cheap device with a lot of features - but a lot of those features weren't available in the GUI at all; you had to go CLI and learn Vyatta (of which it was a fork) to do them. It's been updated over the years and is now much easier to use as the web interface exposes a lot more functionality, but it's not part of Unifi (and never will be).

Early on, I looked at and even tried one of their AP's. 100 Mbps wired uplinks for N wireless? No thanks. Even the one that I got to test with had absolutely abysmal range. Say what you will about TP-LINK generally, but their Omada unified control system had AP's that actually worked in my house. So the early Unifi stuff wasn't anything special, and based on how they had dropped the ball on so much of their early hardware (the EdgeRouter Lite had its software on an internal USB drive that, out of warranty, failed in a way that I was only able to diagnose with a serial console cable - at least it had a port so I could monitor it during boot, and searching for the error messages found a way to replace the thumbdrive and reload the software) I had no reason to go with them.

If I were setting someone up today, with all new gear, I might go Unifi, but I have no reason to spend any time at all replacing a system that works just fine.

Time is your most precious commodity.

Sure but you need a device on the local network to run Tailscale so it routes to that subnet no?

Problem is that I think my Apple TV goes into some sort of deep idle mode where tailscale stops working. So it’s been effectively useless for me when I travel.

That’s a lot of power for a radio you’re right next to. You don’t need 100W to stream Netflix.

2 - without prior config only a bunch can do it, like pixels 3 - there's a difference - you can configure wg/ts on a single device(router) and it's done, or you need to do it on 5X+ devices, phones and laptops and fix the configs on all if something changes

Yep, I have the same set up. Use GL router to connect to the hotel wifi, and all devices are automatically connected, without captive portal on each one.

Added bonus that I can use tailscale on the GL router to route remote traffic through my tailnet -- including devices where I can't install tailscale client (e.g. corp laptop).

This is a travel router without a modem. It would be super inconvenient if you bought an eSIM for a device that does not have a modem. You might as well by an eSIM for your toothbrush when you are traveling abroad, it would equally "convenient."

It’s also (I’d hope) modifying the ttl as that’s used to detect travel routers.

No it's provided as part of the Android OS. Very simple and intuitive to use and has been for the past 10 years since I started using it. The only thing that was annoying initially was that you couldn't pass through the WiFi that your phone is connected to but I think that was corrected in later versions of Android. For a time I was using one of my older Pixel phones as a WiFi extender to improve signal in my home's basement. Worked like a charm. I'm honestly surprised this isn't available on iOS.

You are in a hotel, you have a wife two kids. So assume 4 phones, 3 laptops, an ipad, and maybe a chromecast. It is faster and easier and more private to use a travel router, connect to wifi, and create a private network than tp connect and authenticate (and possible pay fees) for every device.