3 hours ago
Tailscale tangential use case! :)
I was looking for remote access software to help family with their PC and came across RustDesk(https://rustdesk.com/) but it needs a server. Found out it can work without a server if you have Tailscale installed. No fees for any of this and works on many platforms.
Tutorial for Rustdesk + Tailscale setup for remote desktop access: https://www.youtube.com/watch?v=27apZcZrwks
6 hours ago
Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.
The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight Wireguard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.
Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.
6 hours ago
While waiting for someone in the hospital I recently played the fun game of "how can I work around their firewall stopping me from connecting to tailscale" that they kindly provided.
It was just blocking new connections. Via SNI. Tailscale's control plane turn out not to care if SNI is sent. Tailscale's app let you set a custom control plane... like a local proxy that forwards connections to tailscale's servers without setting SNI.
5 hours ago
This may very well be the system in use.
I've seen this effect in several places, not just my work.
Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.
5 hours ago
I suspect there's less thought put into it than that.
There's probably a firewall vendor that has a product that does SNI inspection for blocking things like pornhub and the product comes with a list of sites that includes VPN control planes.
4 hours ago
Well, yeah, they didn't roll their own. Offhand, I forget the product, but it's definitely off the shelf.
My point being that surely some of them have noticed the same thing I have, and it hasn't been stopped. I'm not going to raise the issue either way.
3 hours ago
> I'm not going to raise the issue either way.
Except, you kinda just did
2 hours ago
Not to them, in a way they can’t just ignore. I could be anyone here on HN.
an hour ago
That's why I said kinda.
It'd be funny if someone working there was a visitor here...and it doesn't matter who you are. I was thinking of them closing the loophole
15 minutes ago
I understand your point better now, but if that was really a risk I cared about, I wouldn’t have put it on the public Internet to begin with.
The worst they can do to me is make me tether, and my iPad will never hit that allotment.
6 hours ago
Wait, tailscale survives connecting to a locked down wifi? That's insane. I remember not being able to use NordVPN at work. I'd just switch to 4G back then. But if you can't initiate a tailscale connection when connected to the office wifi, what does that mean?
5 hours ago
Initiate while on mobile connection or tethered to one (or just leave it connected from home), use while on that WiFi.
EDIT: I figured this out because I brought my laptop from home to do a few things while at work that needed it. I noticed that my Tailscale connection (initially established at home) was working just fine. That's when I realized that it was the initial authentication that was blocked, not the service.
My phone is usually on my tailnet and my iPad is always on it (and using my home exit node), as a result. Using the exit node has a modest but noticeable effect on battery life, but just being connected is maybe 2% of battery a day. Negligible.
3 hours ago
I think this is mostly a Wireguard thing and not specifically a Tailscale thing. Wireguard does what they call "cryptokey routing" where if you prove you possess a key that the other peer knows, you get the traffic (subject to firewall, allowed IPs list, etc etc). Wireguard stores the most recent address:port that it heard from a particular cryptokey on, but it natively lets peers roam, as long as only one roams at a time.
5 hours ago
When I work at the local coffee shop I cannot SSH to my remote servers for work on their wifi, but if I connect to Tailscale and use my exit node at home I can. Lifesaver
5 hours ago
My work guest WiFi network allows only IPv4 HTTPS on port 443 and their their own DNS. Everything else, including ICMP (ping) is blocked. Tailscale barely works as any persistant connection is dropped after 2-3 minutes.
Called this out and the security team said noone complains, that there is no use case and they do not want to deal with security risks.
And the ossification continues.
5 hours ago
A TCP over websockets VPN would be fairly simple to write, or ask an AI to write for you
3 hours ago
Genuinely curious: is Tailscale actually providing any values to this use case beyond what you get from a raw Wiregaurd exit node with port forwarding instead of Tailscale's NAT traversal? I've never used Tailscale, but I have a Wiregaurd setup on my home server for the same purpose as described in the article, and I've never had any issues with it.
Edit: Noticed some sibling comments asking effectively the same thing as me. I've been meaning to write a blog post covering the basic networking knowledge needed to DIY with just Wiregaurd. My impression is that many people don't realize just how easy it is or don't have the requisite background information.
3 hours ago
If you're just doing hub-and-spoke anyway, yeah, you can do it yourself. I did for years. But holy smokes, is it a PITA to manually copy keys around to devices; especially when they might not even be yours. I have my Tailscale account hooked up to my self-hosted identity server and now it's just a matter of logging in on whatever device I want to be on the network.
Plus, I have the option of spinning up a random EC2 box whenever I want and instantly joining it to the network with basically no fuss.
an hour ago
I feel like articles like this do Tailscale a disservice to a certain degree. Most people know Tailscale helps with managing the mesh of connected devices. And as many people have said here you can do this manually with Wireguard, Netbird, Nebula, ZeroTier and many others. Why Tailscale is so helpful is the ACL system. I have about 40 devices connected to my Tailnet and depending on tags devices can or can't access direct communication and also certain exit node networks. Traditional VPNs generally suck because you dump out of a host and have flat access to everything. Tailscale allows you to segment access without disrupting general Internet access with minimal friction and ACLs allow segmentation to happen at the user / device level. Most people aren't using Tailscale ACLs, in fact I rarely hear it discussed. Also the article fails to mention Tailscale Peer Relays [0] which decreases the dependency on DERP relays significantly and are controlled by, you guessed it, ACLs.
3 hours ago
I have a phone and laptop; those are my only two "mobile" devices that I might ever use to access my home network remotely. I set them up once, it took a few minutes, and I won't have to do it again unless I replace one of them.
I can completely understand using Tailscale for enterprise networks, but it seems very overengineered for my personal VPN needs.
12 minutes ago
How do you handle home network IP changes?
3 hours ago
It has plenty of useful control plane features out of the box. Nothing much you _couldn’t_ do yourself but you don’t have to. Or with Headscale as the self-hosted open-source version
3 hours ago
Dynamic IP addresses.
3 hours ago
Update your DNS when it changes. Pretty trivial.
3 hours ago
Yeah I tried writing a script for that, but at a certain point using an off the shelf tool that does everything is easier.
6 hours ago
Tailscale is interesting. It's built on top of wiregaurd but is different in that it creates a mesh of vpn connections between your devices, rather than just a connection from client to server.
I haven't used it because I use witeguard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sorts of my information is vulnerable if I use it.
5 hours ago
This is my question too... It's concerning to me that everyone one seems to be using tailscale (and maybe cloudflare access) and that I don't see mention of open source alternatives. I'm sure for some network experts the alternatives are obvious? Setup a server somewhere publically available that runs ??? and have it be your auth/rendezvous server.
people complain about github being proprietary but I haven't seen much complaint about tailscale being proprietary.
I assume I'm just being overly paranoid? It's certainly convenient to just sign up and have things just work.
5 hours ago
There is a well documented opensource alternative to Tailscale - Headscale. The tailscale client is already opensource, Headscale is opensource drop in replacement for the control server which isn't, and fully compatible with Tailscale clients:
https://github.com/juanfont/headscale
If you can be bothered running the headscale container, you generally don't need to pay for tailscale. It's been pretty well supported and widely used for a number of years at this point. Tailscale even permit their own engineers to contribute to headscale, as the company sees it as complimentary to the commercial offering.
4 hours ago
> Headscale is ... drop in replacement
I've been really happy with headscale, but I wouldn't call it a complete drop in replacement as I would with vaultwarden. Some features (e.g. Mullvad integration, ACL tests, etc) are missing.
Upgrading also requires upgrading every minor version or you run into db migration issues, but that comes with the territory of running your own instance.
I would recommend folks look up if headscale suits their needs (like it did for me for many years) before switching over.
3 hours ago
The headscale API is very different than the Tailscale API so if you're automating setting up clients it's not quite drop in. Once a client is up, though, from what I've heard it's seamless.
5 hours ago
The Tailscale client (non-GUI) is open source: https://github.com/tailscale/tailscale
And they collaborate with Headscale to provide an open-source coordination server (with, unsurprisingly, a more limited featureset, but it works fine with their closed-source GUI client): https://tailscale.com/opensource#encouraging-headscale
I use the combination myself and it works quite well, but of course is less convenient than using their product (which I also do in a different context). Overall I'm pretty happy with their open-source stance.
4 hours ago
Whether or not you're being overly paranoid depends on your needs.
As I said on another comment, my use can be tracked by volume and timing, but since I'm only connecting to my house or my in-laws', and using an exit node on one of them, I'm not doing anything with it that I wouldn't do openly from my house. If I were hosting Anna's Archive, it would not do.
As noted by others, Headscale works if you want fully self-hosted. The features it doesn't have aren't important to the typical home user. The free tier of Tailscale is really, really easy to set up and a very non-technical user can just use it if someone with even modest skills, like me, sets it up. That's why I use it. I can talk my wife through how to use Tailscale over the phone. I can set up OpenVPN or Wireguard (I set up an OpenBSD firewall and NAT system in the mid-late 1990s for an office and used it with SSH tunnels and VNC to do some remote troubleshooting), but I can't troubleshoot it remotely with a nontechnical user.
4 hours ago
You keep saying you don't mind timing and volume information known by Tailscale but much more concerningly compared to that is that they can add peers to your tailnet. In fact that's how their optional open-port scanner service discovery feature works. And even if you trust Tailscale, which I generally do, then there is the concern that they only support login through SSO via identity providers. You have to trust them as well.
2 hours ago
I have an iPhone. I pretty much have to trust Apple. If you took that over then yes, you could screw me over pretty hard.
And yes, they could add peers to my tailnet. That’s why every time I have talked about TS I say it’s about your threat model. I’m a home user, and while I wouldn’t just open up my network, there’s nothing here that will get me in prison or dead. If I had that kind of info it would never, ever meet the internet in any form.
I would be more cautious if I ran a large multinational corporation. I don’t. I think I can trust Tailscale not to be the operators of an enormous “residential IP VPN” botnet.
3 hours ago
> I don't see mention of open source alternatives
Check out Nebula (created by Slack) - https://github.com/slackhq/nebula
Fundamentally very similar to Tailscale. I've been using it for years and it has been flawless. It doesn't have as many bells and whistles as Tailscale but it does what it does very well.
4 hours ago
You can also build a mesh network using standard wireguard. While manual configuration requires exchanging keys and settings between devices, many ansible playbooks can automate this process with minimal effort.
4 hours ago
Tailscale is not different. It simply makes managing WG configuration easier, and adds some useful value-added features on top.
But, as you know, you can also manage this configuration yourself, either via traditional config mgmt tools, helpers like wg-meshconf, or even plain shell scripts, if you like. I'm aware this is a very HN-Dropboxy comment, but it's really not that complex[1], and is easily manageable for a small deployment.
Another VPN tool I used before WG gained momentum was tinc, which supports mesh networking out of the box. It's even easier to configure and maintain, and supports all platforms. It does run in userspace, which should make it slower than WG, but I found the performance acceptable for my modest use cases. Highly recommended.
[1]: https://www.procustodibus.com/blog/2020/11/wireguard-point-t... (this blog is a great WG resource!)
7 hours ago
Interesting article; do you have any details on the performance differences?
7 hours ago
Differences between openvpn and tailscale exit nodes? I can run some tests this weekend.