Maybe I have a fundamental misunderstanding of how Tailscale works, but I always feel like there is a disconnect in how it is received on HN.
Usually people are pretty critical/cynical of sending sensitive data to a closed source third party server, no matter how strong their claims of 'being the good guys' are (eg see Telegram).
But somehow we're all meant to be happy giving full control of our entire network to a commercial company running a closed source command and control server?
And even if everything is secure right now, you cannot guarantee this stays the case in the future. By using the "tailscale ecosystem" you are locking yourself into a provider that can change the ecosystem (clients, services, servers) or put things behind paywalls anytime. Or create add-ons that are useful and no longer privacy-preserving. The fact that they are a VC-funded business makes me believe this is how the company will end up: Customer data will be monetized in one way or another. How else are they going to create returns for shareholders that justify their valuation? Certainly not by open sourcing stuff and not looking at your data. We've seen these VC incentives play out again and again in other companies.
Not really true, tailscale clients do allow you to point to different control servers and open source implementations do exist[1] and are thriving. The clients are also open source and you can even create one yourself if you are willing to.
The thing is, what makes tailscale work really well as a "central" control server is that it makes it a lot easier to connect your personal machines. You don't need to deploy your own server, or mess with networking stuff. You just download it, log in and there you go. I myself have invited some non-tech friends to my network for playing LAN games from time to time and they find it pretty easy to set up tailscale on their side.
For us. For the folks who browse HN all day, yeah. But have you tried getting a non-technologist to use it? I set a friend up with Tailscale between her Synology and laptop and it was a breeze - something I could do over the phone. For me getting Wireguard set up wasn't tricky, but I definitely leaned on Google some, and I would argue I know what I'm doing.
I would love for a company to release bridge as open source that I could deploy on a VM somewhere but still have it be Tailscale easy for normal folks, but there's no money in that model.
I fail to see how that is any different to other modern network control solutions out there? Every major network vendor is moving towards a cloud control service of some kind.
Further, honestly at this point I would trust Tailscale over say OpenVPN, or Cisco, or .....
Road 1: Sale to usual suspects like Palo Alto (though that window is closing due to raising $100M) or Cisco (that window may close if they raise again?). It is basically modern VPN, though it will be years with a big enterprise culture reset & a consumer tier for that to become true. They will run out of acquirers soon who would have the incentive to overpay, e.g., if they raise more and it narrows down to say Oracle, MS, Apple, and Google, not sure why any would buy vs build. Hopefully they will not dip much into the funds so they can cleanly exit without forcing an acquirer to screw over their users. (See: Evernote)
Road 2: IPO and become a platform for bigger stuff... Like end-user-friendly VPN. Who knows, but good luck! Flipping to 'real' enterprise sales and figuring out the consumer tiers are big culture shifts, but luckily... Hireable.
Meanwhile, growing just with more niche/skilled Linux power user teams gets them far -- the compliance checkbox is huge for growth, see Drata and Vanta -- so am not worried :)
Agreed with the OSS concern so we decided against putting them in the critical path of our enterprise offering (a shame!), but as an internal tool, it looks great!
In many situations it's not just hard, it's outright impossible.
For example, how would you connect two Raspberry Pis between two CG-NATted internet connections using Wireguard, without resorting to setting up a publicly reachable VPN server?
If you have a public and at least semi-stable IPv4 address and control your firewall/NAT, great. But unfortunately fewer and fewer people do, these days.
I love WG and use it extensively, but the attraction of Tailscale (and why I use it) is that it takes disparate concepts and gives you a nice visual control panel to manage them and see the status of all your devices in one place.
Nothing. Absolutely nothing exists for Wireguard that does even some of that, which doesn't also cost money.
I don't think Wireguard is even capable of the 'DERP' server concept to get around NAT limitations.
So no, you can't 'just use Wireguard' to accomplish what Tailscale does.
Spoken like somebody who has never had a "Can you help me get my microsoft wifi [Spectrum cable internet] to make sure my gmail [person@icloud.com] doesn't send my retirement [tax refund] to the hackers" type call.
> And even if everything is secure right now, you cannot guarantee this stays the case in the future. By using the "tailscale ecosystem" you are locking yourself into a provider that can change the ecosystem (clients, services, servers) or put things behind paywalls anytime.
I can't (and refuse) to live my life by "what ifs." If they do any of those things, it's easy enough to pivot to the 3 or 4 other providers out there, like ZeroTier, who offer the same thing.
My hope is if they do, the FOSS community will have gotten their act together and built a capable replacement, which is usually the case.
At this point you could stir up hysteria over anything. Your cloud provider, ISP, operating system support team, XYZ SaaS provider could also just invent a new billing policy to screw the customer over.
At the same time, the big providers have profitable revenue streams, so they don't have much incentive to change their billing. VC startups of course focus on growing instead of verifying that their business model actually works, and end up either:
- locking the software behind a paywall
- inventing a proprietary + open-source + pay us royalties license
- pretending that their software is free whilst employing a proprietary + pay us royalties for anything bigger than a hobby project license
- going bust
I remember reading that Tailscale is "helping out" [1] development of Headscale [2], an open-source re-implementation of their command server so that the two remain compatible as new features are added to the official one.
Leaving aside adoption, there is a degree to which HN is impressed that Tailscale has taken a set of technical problems that have caused many of us pain over the years and that drive some less than ideal setups and just made them go away. They are magically taken care of behind an easy to use setup that Just Works. There's basically none of the "you have to tweak this setting under this circumstance" needed to get it working. That is difficult engineering requiring people who understand the problem domain and have a clear picture of the right architecture, as well as good product engineering.
I agree it's not ideal, but I can tell you why I'm excited about things like[0] Tailscale, Cloudflare Tunnel, ngrok, etc.
They enable you to move your selfhosted services from expensive, slow VPSes you don't control to fast devices in your own home[4]. IMO this is strictly better than a VPS in terms of privacy and data control. It's a step in the right direction, back towards the initial intent of the internet, but also forward with the lessons we've learned in the real world.
The reality today is that selfhosting is way too hard[1]. It shouldn't be any more complicated or less secure than running an app on your phone.
I think services like Tailscale are going to enable the first generation of selfhosting that approaches that level of simplicity. Once the market is proven, the second generation is going to be designed for selfhosters and have features like end-to-end encryption, domain name integration, and simple GUI interfaces.
The other key pieces are strong sandboxing, which is now possible on all major desktop OSes through virtualization (mobile is coming[2]), and dead-simple cloud backups.
The technology for all these things exists, it just hasn't been integrated yet.
> They enable you to move your selfhosted services from expensive, slow VPSes you don't control to fast devices in your own home[4]. IMO this is strictly better than a VPS in terms of privacy and data control.
How is trusting your network entry point to Cloudflare (or whoever) any better than having it at a VPS? At least with the VPS you know what's happening inside the box.
Here's a better solution: Get a free/cheap VPS. Set up a Wireguard tunnel from your home server to it. Slap a reverse proxy on the VPS that forwards internet traffic through the tunnel to your home server.
Strong sandboxing, yes. But I'd especially appreciate it if it was wrapped up in an interface like Sandstorm.io.
I want to teach something like Tailscale about my contacts, so they are allowed to communicate with my services (through their services).
Then I want to run an app inside a strong sandbox that has capability-based APIs to do things kind of like ZeroMQ for sending messages TO THE CONTACTS. I don't want the API to look like a TCP/IP or UDP connection. I want the app to think it's sending a message to a contact I've given it permission to talk to.
If this was running in a strong sandbox, I think this would be an awesome way to develop and use simple federated apps. If something like Mastodon existed on top of this, I'd think it would be really secure and much easier to tell people to stand up their own node...
Honestly, I hate the idea of having a middle man, but having tried and researched extensively how to make something like a direct tunnel between two clients over the internet it just doesn't always work.
NAT is a godsend for IPv4 exhaustion, but it's also fundamentally crippled the ability for people to host things or make things available directly from their homes.
Hole-punching is an inexact process due to the variety of different NAT types, some of which (e.g. carrier-grade) simply do not allow that sort of connection. So there must be a middle man that accepts packets on their publicly available port and passes them on to another established connection. TURN/STUN (et al.) exist but are archaic and do the same thing but with less accountability.
I hate it too, but until we have IPv6 by default with user-controlled firewalls, hosting something in your garage without a business line is not feasible. Hell, I have a $5 a month VPS purely so it can act as the middle man to the servers in my home. At least then I only need to trust myself as the middle man.
Their middle man in the data plane handles encrypted packets so that's not the problem here.
The problem is their control plane that controls the encryption keys. A malicious admin inside TS (or a hack) could grant itself membership in any of their customer's networks. (Or at least this is the worry I read from GP)
I've had the same thought re: iOS/macOS clients. Oh how I would love to dive into those small codebases and add some simple QOL stuff. I've been watching but they don't seem to be adding any Apple-platforms focused roles/people, which is fine, but I wanna work at Tailscale…
I think that by the sheer nature of Wireguard, it doesn't matter much. We don't send any readable data to Tailscale, they, for the greater part, handle plumbing between nodes. What goes in the pipes remains unnoticed and unknown to them.
Their MagicDNS feature may raise different concerns though, but I'll let others comment on it.
This new service allows them (or if they’re hacked - anyone)… to MitM your connections - they state themselves they could ssl terminate the connections as they own the ts.net level, they say they don’t but that’s now…
Why depend on Tailscale when you can go 100% open source and use slack's nebula or plain old wireguard or one of those open source wireguard manager apps.
Nebula seems to be under Defined Networking (https://www.defined.net/) now. It lacks the ease and tooling of the multitude of others that emerged in the space. My gut is that it's usable for the clever home user but meant for a professional IT dept with the ability/desire to build their own tooling and automation around it. The spartan mobile app is a sign of such. Tailscale is probably more easily usable for the average user than nebula or even vanilla wireguard.
>But somehow we're all meant to be happy giving full control of our entire network to a commercial company running a closed source command and control server?
Yes, Tailscale is THAT good that this tradeoff is worth it.
This is huge. One of the last major missing features from Tailscale IMO. I maintain a list of tunneling solutions[0]. Personally, I think the future of p2p networking and selfhosting may be through tunneled, SNI-routed TLS connections (exactly what Tailscale just announced). It solves IP exhaustion, NAT, and IP privacy at the cost of an extra hop and no UDP.
The big question is going to be pricing. The current top player in this space is Cloudflare Tunnel, which is a loss-leader product that technically forbids selfhosting anything other than HTML sites.
Selfhosting media can use tons of bandwidth. Any service that doesn't charge per GB is incentivized to limit your speeds.
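As an added illustration (not code from the thread or from Tailscale) of the SNI-routed TLS idea above: a relay can read the host name from the unencrypted ClientHello and pick a backend without ever terminating TLS. The ClientHello bytes and the routing table below are constructed for the example; backend addresses are assumptions.

```python
import struct

# Constructed routing table (assumption for this example): SNI -> backend.
# The relay never needs the private key of any of these hosts.
ROUTES = {
    "nas.example.ts.net": ("100.64.0.10", 443),
    "blog.example.ts.net": ("100.64.0.11", 8443),
}


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2-style ClientHello record (constructed input)."""
    body = b"\x03\x03"             # client_version
    body += b"\x11" * 32           # random
    body += b"\x00"                # session_id length 0
    body += b"\x00\x02\x13\x01"    # cipher_suites: one suite
    body += b"\x01\x00"            # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList: list_len(2) | name_type(1)=host_name | name_len(2) | name
        sn_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", 0, len(sn_list)) + sn_list
    # An unrelated extension (supported_versions) so the parser must skip correctly.
    sv = b"\x02\x03\x04"
    exts += struct.pack("!HH", 0x002B, len(sv)) + sv
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None
    if the hello carries no SNI. Raises ValueError on malformed or truncated bytes.
    Note: with Encrypted ClientHello only the outer, public name is visible here."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("truncated record or not a ClientHello")
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) < body_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                   # skip version and random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0:                             # server_name
                p = 2                                  # skip ServerNameList length
                while p + 3 <= len(edata):
                    ntype, nlen = struct.unpack("!BH", edata[p:p + 3])
                    p += 3
                    if ntype == 0:                     # host_name
                        return edata[p:p + nlen].decode("ascii")
                    p += nlen
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def route(record, table=ROUTES):
    """Pick a backend for the first bytes of a connection. Returns None (i.e. the
    relay should drop the connection) for garbage, truncated data, no SNI, or an
    unknown name. SNI matching is case-insensitive like DNS names."""
    try:
        sni = parse_sni(record)
    except ValueError:
        return None
    if sni is None:
        return None
    return table.get(sni.lower())


if __name__ == "__main__":
    print(route(build_client_hello("nas.example.ts.net")))    # ('100.64.0.10', 443)
    print(route(build_client_hello(None)))                    # None
    print(route(b"GET / HTTP/1.1\r\n"))                       # None
```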
> It solves IP exhaustion, NAT, and IP privacy at the cost of an extra hop and no UDP.
That is awfully expensive for something ipv6 already solves minus the privacy part. I don't see how it can be considered "huge". A slight convenience maybe?
Also, routing everything through a 3rd party is a massive downside.
IPv6 the technology solves it, IPv6 as it exists in the real world does not. Even if we got 100% IPv6 adoption overnight, you would still not have a universally adopted API for punching holes through router firewalls for p2p applications.
So basically that would mean a cloudflare for P2P, though maintaining data privacy at least.
It’s better than no P2P but IPv6 solves exhaustion and NAT without the performance hit or protocol limitations and with no extra third party intermediary in the way.
BTW this maintains data privacy but you can still tell a whole whole lot from metadata.
On the flip side it would prevent the kind of “griefing” with DDOS that happens every once in a while with self hosted and P2P things. It’s not that common unless you are engaging with certain communities but it is an inherent Internet architectural flaw that this kind of works around (at a cost).
I envision something more decentralized than Cloudflare[0]. I think you could have local companies in every major city that would own a block of IP addresses and provide tunneling services with SNI routing for people in the same region. They can also provide more expensive services like DDoS protection and caching for popular sites or even on-demand when your mom blog goes viral.
> It’s better than no P2P but IPv6 solves exhaustion and NAT without the performance hit or protocol limitations and with no extra third party intermediary in the way.
I just don't see ISPs ever implementing IPv6 without governments forcing them to. It enables p2p which increases upload bandwidth requirements and cuts into their bottom line. And even if we get IPv6 you still need the ability to open firewall ports in a way the average user can understand. Not hard technically but that's another standard that everyone is going to have to agree on and implement.
[0]: Which I know you can appreciate. "Decentralize until it hurts; centralize until it works" is still one of my mottoes.
Agreed, this is awesome! I've been using Cloudflare Tunnel for local dev, but the fact that it seems to be coupled to their CDN product with no way to permanently turn off the CDN functionality has caused quite a few headaches lately (though it's possible to turn off temporarily using "Development Mode").
Would love to give this a try, though from the post it's not clear if we could use our own custom domains instead of the provided ts.net ones? This is a necessity for my use case where I need to be able to handle wildcard subdomains.
Where do you see Cloudflare Tunnel T&C? Their help documentation seems to promote Tunnel/Access apps in every possible scenario:
> Our connector, cloudflared, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server running your data center. Tunnel does not programmatically enforce any throughput limitations.
> If you are hosting a Tunnel in GCP, AWS, or Azure you can view our deployment guides which are more prescriptive in assigning minimum system requirements.
Tailscale and the people building it continue to blow me away. The ingenuity, reliability, polish, and speed of feature delivery are unparalleled in software.
I'm eager to get rid of needing DDNS and open ports just for webhooks. And I can "flatten" my stack by cutting out a reverse proxy / weird port forwarding stuff.
Sure. I don't think tailscale does anything that's impossible through other means (cue comments about how anyone can recreate Dropbox with an FTP server, svn, and a FUSE file system). IMO what's great about it is that it's easy to set up and is incredibly low maintenance (at least the way I use it).
I've been using tailscale in my home setup for a while and really appreciate the simplicity. It has just worked in my experience. Before taking the leap for tailscale I was semi-struggling with a vault + wireguard + consul-template approach which was pretty cool and fun to setup but a bit unnerving to be unsure if I got anything wrong and the chances of me being exposed.
This looks like yet another feature that fits my use case and reduces my security burden. Though learning a few things from this post the first being that I should have replaced my use of haproxy with rinetd ages ago. The other about Certificate Transparency logging. Still going through the wiki pages to understand how that works, but would it really log an event such as Tailscale terminating the request, dumping the data, and re-encrypting them before sending us the request? Or is it possible for a bad actor to hide the logging?
I went all-in on Tailscale a couple of years ago but am slowly (and painfully) moving away from it.
It's a fantastic service but with a big flaw: its iOS app eats battery like crazy. I didn't know about it until I accidentally saw it one day: IIRC, it had consumed 20-25% battery averaged out over 10 days. (I used to keep it running in the background all the time, only to route DNS requests to pihole on a home server.) When I googled, it seems like a known problem on their forums for a long time.
At first it felt ‘magical’ being able to reach self-hosted services from my phone regardless of my location, but I quickly noticed the battery drain as well. I believe it has to do with an always-on ‘VPN’ and I don’t expect any improvements soon.
I’ve decided that Tailscale works perfectly for all my computers (e.g., Raspberry Pi, Synology NAS, laptop and VPS), but not for my mobile devices. To mitigate this I use cloudflared on my VPS to route internet traffic over tailscale to any internal services that I often use on my phone.
Cloudflared has good options for securing a tunnel by using MFA methods, for example Google authentication.
For the rare occasion that I need to access something else I can always temporarily join the Tailscale network from my phone.
It also eats a lot of data; I recently had around 3 GB eaten in a day just for maintaining the connection. On a metered mobile connection with 6 GB/month that's a tad too much.
I'd really like to use it, but in this state it's really unusable for me.
For that they need a certificate. They have two options of obtaining that:
a) They request one from a CA. This will be logged in Certificate Transparency logs, and thus you could detect it by comparing the certs logged with the ones your local machine generated
b) they could have their software upload the certificate from your machine. That would need effort to detect (deeply inspecting the software and/or its traffic), but if a whiff of such a "feature" were to be found by anyone it couldn't really be explained away. (and aren't their client apps open-source? then at least it'd be reduced to source inspection and compiling yourself, which makes hiding stuff harder)
If I CNAME my domain to my assigned ts.net then I'm guessing funnel won't work because of the SNI lookup will it? Is that on the radar? Right now I'm using cloudflared but if I can get rid of it in favor of this that would be one less daemon to worry about. Wouldn't be able to do esni though. sooo, how about a vanity .ts.net I get to choose?
It's very nice that it doesn't do TLS termination, but it seems to rely on SNI. That's cool, but it probably precludes SNI encryption in the future. Is there a plan around this? Maybe in the IPv6 world, it becomes a non-issue... But I wonder what comes first: the push for ESNI everywhere, or actually substantial IPv6 adoption.
(Edit; though come to think of it, in practice, if the IP address each host resolved to was unique, it wouldn't really matter very much from a security/privacy standpoint, so I guess it's probably not important...)
Author here. This shouldn't preclude doing Encrypted ClientHello in the future. We control the DNS for *.ts.net so we can publish our public key for browsers/etc to encrypt the ClientHello to, if I'm remembering the latest encrypted SNI spec(s)?
Are there any updates on being able to use the iOS app for self-hosted tailscale? Also what is the status of fully self-hosted tailscale in general?
I just don't trust my VPN to be managed by a 3rd party like this. I'm willing to pay money even (though I don't have much) for hobby use - but I don't like the possibility of exposing network devices like this. To be honest I'm a bit surprised seemingly everyone else is.
In addition to your points, we over here also have our own reasons for self-hosting everything (for example, to protect ourselves from being cancelled at any moment for being forced into a citizenship you didn't ask for by being born at the wrong place).
Just use wireguard. It really isn't that hard.
[1]: https://github.com/juanfont/headscale
[1]: https://tailscale.com/opensource/
[2]: https://github.com/juanfont/headscale
[0]: https://github.com/anderspitman/awesome-tunneling
[1]: https://moxie.org/2022/01/07/web3-first-impressions.html
[2]: https://twitter.com/kdrag0n/status/1584017653269958656?lang=...
[4]: I concede that the network upload connection is likely much slower, but expect that to improve over time.
For some weird reason the GUI clients for Windows, macOS and iOS are closed-source.
I never understood exactly why that is, considering that the Linux and Android ones are fully open.
The fact that there isn't a reason documented anywhere certainly worries me.
https://github.com/tailscale/tailscale/wiki/Tailscaled-on-ma...
I do that mostly because it's running as a LaunchDaemon.
> Forget the server
Pop the headscale server in and you get a fully FOSS system.
https://github.com/juanfont/headscale
That I don't do, because the coordination server, the relay system (which you can also self-host), and the server side UI are really good.
And also the public behaviour of the persons working at Tailscale as well as Tailscale's approach towards FOSS generally increase my level of trust in them. IOW they strike me as Nice Folks(TM), and if Nice Folks(TM) don't inspire confidence to you then you probably want to run the whole thing as described above.
I mean, please read this in its entirety. They even have an "Encouraging Headscale" section.
https://tailscale.com/opensource/
In my mind wireguard was still the new kid on the block.
Technology moves so fast.
Yes, Tailscale is THAT good; this tradeoff is worth it.
The big question is going to be pricing. The current top player in this space is Cloudflare Tunnel, which is a loss-leader product that technically forbids selfhosting anything other than HTML sites.
Selfhosting media can use tons of bandwidth. Any service that doesn't charge per GB is incentivized to limit your speeds.
[0]: https://github.com/anderspitman/awesome-tunneling
That is awfully expensive for something ipv6 already solves minus the privacy part. I don't see how it can be considered "huge". A slight convenience maybe?
Also, routing everything through a 3rd party is a massive downside.
It’s better than no P2P but IPv6 solves exhaustion and NAT without the performance hit or protocol limitations and with no extra third party intermediary in the way.
BTW this maintains data privacy, but you can still tell a whole lot from metadata.
On the flip side it would prevent the kind of “griefing” with DDOS that happens every once in a while with self hosted and P2P things. It’s not that common unless you are engaging with certain communities but it is an inherent Internet architectural flaw that this kind of works around (at a cost).
> It’s better than no P2P but IPv6 solves exhaustion and NAT without the performance hit or protocol limitations and with no extra third party intermediary in the way.
I just don't see ISPs ever implementing IPv6 without governments forcing them to. It enables p2p which increases upload bandwidth requirements and cuts into their bottom line. And even if we get IPv6 you still need the ability to open firewall ports in a way the average user can understand. Not hard technically but that's another standard that everyone is going to have to agree on and implement.
[0]: Which I know you can appreciate. "Decentralize until it hurts; centralize until it works" is still one of my mottoes.
Would love to give this a try, though from the post it's not clear if we could use our own custom domains instead of the provided ts.net ones? This is a necessity for my use case where I need to be able to handle wildcard subdomains.
> Our connector, cloudflared, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server running your data center. Tunnel does not programmatically enforce any throughput limitations.
> If you are hosting a Tunnel in GCP, AWS, or Azure you can view our deployment guides which are more prescriptive in assigning minimum system requirements.
https://developers.cloudflare.com/cloudflare-one/connections...
This explains so much of what I've seen added to their codebase recently.
I'm eager to get rid of needing DDNS and open ports just for web hooks. And I can "flatten" my stack by cutting out a reverse proxy / weird port forwarding stuff.
This looks like yet another feature that fits my use case and reduces my security burden. Though I'm learning a few things from this post, the first being that I should have replaced my use of haproxy with rinetd ages ago. The other is about Certificate Transparency logging. Still going through the wiki pages to understand how that works, but would it really log an event such as Tailscale terminating the request, dumping the data, and re-encrypting them before sending us the request? Or is it possible for a bad actor to hide the logging?
It's a fantastic service but with a big flaw: its iOS app eats battery like crazy. I didn't know about it until I accidentally saw it one day: IIRC, it had consumed 20-25% battery averaged out over 10 days. (I used to keep it running in the background all the time, only to route DNS requests to pihole on a home server.) When I googled, it seems like a known problem on their forums for a long time.
So, beware if you are an iOS user.
I've decided that Tailscale works perfectly for all my computers (e.g., Raspberry Pi, Synology NAS, laptop and VPS), but not for my mobile devices. To mitigate this I use cloudflared on my VPS to route internet traffic over Tailscale to any internal services that I often use on my phone.
Cloudflared has good options for securing a tunnel by using MFA methods, for example Google authentication.
For the rare occasion that I need to access something else I can always temporarily join the Tailscale network from my phone.
Shame though, cause I was also wanting to use it to funnel DNS. I’ve somewhat given up there. I hope they fix their app.
I'd really like to use it, but in this state it's really unusable for me.
For that they need a certificate. They have two options of obtaining that:
a) They request one from a CA. This will be logged in Certificate Transparency logs, and thus you could detect it by comparing the certs logged with the ones your local machine generated.
b) They could have their software upload the certificate from your machine. That would need effort to detect (deeply inspecting the software and/or its traffic), but if a whiff of such a "feature" were to be found by anyone it couldn't really be explained away. (And aren't their client apps open-source? Then at least it'd be reduced to source inspection and compiling yourself, which makes hiding stuff harder.)
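The detection in option (a) above (and the Certificate Transparency question a few comments up) can be automated: pull the CT log entries for your hostname and flag any unexpired certificate whose serial you did not issue yourself. This is an added example, not code from the thread or from Tailscale; it assumes the JSON shape returned by crt.sh (`?q=<name>&output=json`) and a list of serials collected locally, e.g. with `openssl x509 -noout -serial`. The log entries below are constructed, not real log data.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of crt.sh's JSON output (not real CT data).
# Entries 1 and 2 are the precertificate and final cert of the same issuance,
# entry 3 is a cert we never requested, entry 4 is an expired cert.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=R3", "common_name": "nas.example.ts.net",
     "name_value": "nas.example.ts.net", "serial_number": "03a1b2c3", "not_after": "2030-01-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example CA, CN=R3", "common_name": "nas.example.ts.net",
     "name_value": "nas.example.ts.net", "serial_number": "03a1b2c3", "not_after": "2030-01-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA, CN=R3", "common_name": "nas.example.ts.net",
     "name_value": "nas.example.ts.net", "serial_number": "0f00d00d", "not_after": "2030-01-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Example CA, CN=R3", "common_name": "nas.example.ts.net",
     "name_value": "nas.example.ts.net", "serial_number": "deadbeef", "not_after": "2020-01-01T00:00:00"},
])

# Serials of certs this machine generated (assumed output of `openssl x509 -noout -serial`).
KNOWN_SERIALS = ["03:A1:B2:C3"]

# Fixed reference time so the expiry check is deterministic.
CHECK_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)


def normalize_serial(serial):
    """Canonical form: lowercase hex, no colons, no leading zeros (openssl and crt.sh differ here)."""
    stripped = serial.replace(":", "").strip().lower().lstrip("0")
    return stripped or "0"


def unexpected_certs(ct_json, known_serials, now=None):
    """Return CT entries for unexpired certs whose serial is not in our local inventory."""
    now = now or datetime.now(timezone.utc)
    known = {normalize_serial(s) for s in known_serials}
    seen, unexpected = set(), []
    for entry in json.loads(ct_json):
        serial = normalize_serial(entry["serial_number"])
        if serial in seen:          # precert + leaf share a serial; report once
            continue
        seen.add(serial)
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        if not_after < now:         # expired certs cannot be used against you any more
            continue
        if serial not in known:
            unexpected.append({"id": entry["id"], "serial": serial,
                               "issuer": entry["issuer_name"], "names": entry["name_value"]})
    return unexpected


if __name__ == "__main__":
    for hit in unexpected_certs(SAMPLE_CT_JSON, KNOWN_SERIALS, now=CHECK_TIME):
        print(f"UNEXPECTED cert id={hit['id']} serial={hit['serial']} for {hit['names']} from {hit['issuer']}")
```

Run this periodically against the live crt.sh output for each hostname; a hit means a CA issued a cert for your name that your own host did not request.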
Only for Linux.
(On macOS I think the core CLI part is open source as well, but that's not what most people use I think.)
(Edit; though come to think of it, in practice, if the IP address each host resolved to was unique, it wouldn't really matter very much from a security/privacy standpoint, so I guess it's probably not important...)
I just don't trust my VPN to be managed by a 3rd party like this. I'm willing to pay money even (though I don't have much) for hobby use - but I don't like the possibility of exposing network devices like this. To be honest I'm a bit surprised seemingly everyone else is.
https://github.com/juanfont/headscale
In addition to your points, we over here also have our own reasons for self-hosting everything (for example, to protect ourselves from being cancelled at any moment for being forced into a citizenship you didn't ask for by being born at the wrong place).
Tailscale crew: I know y'all read HN, so I say to you: keep up the good work and innovation!