I am one of those users who have asked: how can I trust that the Tailscale coordination server will not inject hidden public keys into my network?
This feature is a very good step forward in security. I will take a look and, if the implementation is sound, I am going to use Tailscale (namely, if Tailscale is compromised, I will not automatically be compromised unless I manually accept external public keys or install a bad update).
The problem with malicious updates can be addressed by providing an easy way to check the code signature. With a standalone, infrequently updated app such as an AppImage, this can easily be done by verifying the GPG signature upon download.
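To make the "verify the GPG signature upon download" step concrete, here is an added example, written for this edit and not code from the commenter or from any AppImage project. It checks gpg's machine-readable `--status-fd` stream rather than its exit status: a zero exit or a GOODSIG line only proves that some key in your keyring signed the file, while the check that actually pins the publisher is that the VALIDSIG fingerprint equals the fingerprint you obtained out of band. The fingerprints and the three status streams below are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Verifying a downloaded AppImage against its detached signature is only as
// good as what you check in gpg's answer: exit status 0 (or a GOODSIG line)
// says some key in your keyring signed it, not that the key you pinned did.
// The --status-fd stream carries the full fingerprint in VALIDSIG; this
// checker accepts only a VALIDSIG whose primary-key fingerprint is pinned and
// fails closed on any BADSIG/ERRSIG/expired/revoked/missing-key line.

type VerifyResult struct {
	OK          bool
	Fingerprint string // primary-key fingerprint from VALIDSIG, if present
	Reason      string
}

// CheckGPGStatus takes the status stream produced by
//
//	gpg --status-fd 1 --verify app.AppImage.asc app.AppImage
//
// and the full 40-hex-digit fingerprints of the keys allowed to sign the app.
func CheckGPGStatus(status string, pinned []string) VerifyResult {
	pin := make(map[string]bool, len(pinned))
	for _, f := range pinned {
		pin[strings.ToUpper(strings.ReplaceAll(f, " ", ""))] = true
	}
	res := VerifyResult{Reason: "no VALIDSIG line seen"}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != "[GNUPG:]" {
			continue // human-readable gpg chatter, not a status line
		}
		switch fields[1] {
		case "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY":
			// Fail closed on the first problem, even if another signature is fine.
			return VerifyResult{Reason: fields[1]}
		case "VALIDSIG":
			// VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsvd> <pk-algo> <hash-algo> <class> [<primary-fpr>]
			if len(fields) < 11 {
				return VerifyResult{Reason: "malformed VALIDSIG"}
			}
			fpr := strings.ToUpper(fields[2])
			if len(fields) >= 12 {
				fpr = strings.ToUpper(fields[11]) // subkey signatures report the primary key here
			}
			if !pin[fpr] {
				return VerifyResult{Fingerprint: fpr, Reason: "signed by a key that is not pinned"}
			}
			res = VerifyResult{OK: true, Fingerprint: fpr, Reason: "valid signature from pinned key"}
		}
	}
	return res
}

// Constructed status streams standing in for real gpg output (assumed data).
const (
	pinnedFpr = "0123456789ABCDEF0123456789ABCDEF01234567"
	otherFpr  = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

	goodStatus = "[GNUPG:] NEWSIG\n" +
		"[GNUPG:] GOODSIG 89ABCDEF01234567 Example Project <release@example.org>\n" +
		"[GNUPG:] VALIDSIG " + pinnedFpr + " 2022-12-01 1669900000 0 4 0 22 8 00 " + pinnedFpr + "\n" +
		"[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
	// A good signature, but from a key that merely happens to be in the keyring.
	unpinnedStatus = "[GNUPG:] NEWSIG\n" +
		"[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <x@example.net>\n" +
		"[GNUPG:] VALIDSIG " + otherFpr + " 2022-12-01 1669900000 0 4 0 22 8 00 " + otherFpr + "\n"
	badStatus = "[GNUPG:] NEWSIG\n" +
		"[GNUPG:] BADSIG 89ABCDEF01234567 Example Project <release@example.org>\n"
)

func main() {
	pinned := []string{pinnedFpr}
	for name, s := range map[string]string{"good": goodStatus, "unpinned": unpinnedStatus, "bad": badStatus} {
		r := CheckGPGStatus(s, pinned)
		fmt.Printf("%-8s ok=%-5t %s\n", name, r.OK, r.Reason)
	}
}
```

In a download script you would run gpg with `--status-fd 1`, feed its stdout to `CheckGPGStatus`, and only then move the AppImage into place; the "unpinned" case is the one a plain `gpg --verify && install` pipeline gets wrong.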
If you don't want to trust the Tailscale coordination server, and decide that tailnet lock is not for you, have you taken a look at Headscale? https://github.com/juanfont/headscale
How can I trust that I can log in and administer my network when Google kills my Google Account login or Microsoft kills my GitHub Account?
Big tech surveillance orgs being the SSO is an SPoF for the administration of the network. For something as critical as L3, I can't accept that.
I just use Nebula instead. It doesn't have a spiffy web interface or ssh auth chrome bolted on, but it works great for my purposes and it doesn't involve Google or Microsoft at any point.
IdP trust is on the list. There are some "easy" things we can do that help on the surface but make life harder for users. And there are some not-so-easy things we are researching. I hope to have answers in 2023.
I totally empathize. I waffled on Tailscale for a long time, and was convinced I'd roll my own for everything.
But goddamn if that spiffy web interface is not just the bee's knees. I relented and put in a Google account that I don't use very often for identity--no idea if that makes it more or less likely to be arbitrarily banned by Google--and accepted the fact that access to Tailscale wasn't so critical for me that I needed to be worried about it.
But in production, I totally get it. But I'd probably still just pay for Tailscale's SAML and use Okta or something...
One option is don't. Run tailscaled inside a container with host network access, that way you can connect to the host, but it doesn't have the ability (unless it escapes the container) to write (ssh) keys.
I think y’all are talking about different things; the parent comment seems to be talking about injecting additional keys into the tailnet (basically, letting other devices communicate inside your Wireguard VPN).
It still makes me jittery how much stuff they've packed into the client. The RCE vulnerability in their windows client is pretty strong indicator that things are moving a bit too fast for comfort.
My fortinet footprint would like to assure you that stuff which moves slowly also has problems. I try not to hold a CVE against anyone unless they are extremely stupid and reveal a lack of any technical controls.
WireGuard is a Linux-first solution and all of the Windows stuff for it is subgrade, and probably will continue to be for a while. AnyConnect/GlobalProtect still sell plenty and have a stranglehold on Windows-land, and probably will for a long time.
To be fair, the exploit chain was rather complex. Had it been more straight forward I'd be worried, but with the amount of pivoting required to make the exploit work it seems more like something even a security conscious developer could miss.
Agreed: I do feel the Windows client in particular is a little scary. In general, Tailscale clients feel reasonable, if light; but the Windows client is kind of iffy. There's a bug that I believe still exists where on some machines, it will crash on startup most of the time, seemingly the result of a race condition or other bug where GetLastError returns something unexpected, in a not-very-well maintained Win32 API wrapping library for Go. This is mostly benign (although annoying) but the contrast in how competent Tailscale seems to be about the core guts vs the clients feels a little jarring at times! Still love it though.
For personal stuff, it feels totally new. It's like having your own intranet. It's like being on LAN with all of your personal devices, plus any bridged into your tailnet, at all times, anywhere on earth. You can route your internet traffic through another machine, or not (default.) It has built-in basic file transfer, and a nice little SSH bridge.
Technologically, it's based on Wireguard. Wireguard is fast; really fast, especially compared to OpenVPN. Using cutting edge cryptography and a new UDP protocol, Wireguard connections feel roughly zero-overhead (they're not, of course.) Connections are peer-to-peer and you usually will get pretty close to the fastest reasonable route between any two devices, whether you're on LAN or overseas, whether there's a strong NAT in front or not.
They've also engineered a lot of things carefully, instead of just cobbling together existing end-user tools in Rube Goldberg arrangements. (Not saying there isn't use of existing code; there totally is. But it's all very nicely integrated from what I can see.) Doing things "the hard way" can lead to more complicated software, but the way they've architected things makes the possibilities for expanding the utility of Tailscale nearly limitless. It's also amazingly entertaining to read about. Seriously, just read about how their web browser SSH client works:
https://tailscale.com/blog/ssh-console/
Historically you had enterprise-grade VPNs that cost a lot of money, or OpenVPN. Both ran over IPSec or SSL, and neither were super straightforward to config/maintain, nor were they particularly performant.
Then came wireguard, which is awesome, but wireguard is just a transport. It doesn't have all the UX niceties built on top of it, like registering clients or generating / distributing keys. Tailscale does a lot of that lifting for you, so you can easily and quickly get a working VPN, at a low cost, with good performance.
Personally I manage wireguard myself, but I also self-host my own VMs, storage server, applications, etc.
Tailscale is like taking your car in for an oil change instead of doing it yourself, plenty of people find that worth it.
Tailscale is a zero-friction VPN. You just install it on every machine, login on every machine and you get your own private network that just works. When I click on one of the machines in the admin console, I get a list of things it takes care of: "Varies" (Whether the machine is behind a difficult NAT that varies the machine’s IP address depending on the destination), Hairpinning, IPv6, UDP, UPnP, PCP, NAT-PMP. I don't even know what some of them mean, I thought PCP was something to get high on.
I run it on every device I own, plus a few at my parents' place. This way I can access my PC and my NAS from my phone, and my NAS from my PC, even though the NAS is behind my home router and the PC and the phone can be connected to a bunch of different networks.
I really like their engineering blog. They aren't afraid to share what they actually did and what results they saw, even if the "common wisdom" was against it, like, IIRC, they were using SQLite as their database for a while.
For basic tunneling into home servers, is Tailnet.. overkill? I.e. I could expose my IP via Dyn DNS, or I could use something like Cloudflare or Tailnet to tunnel into the network. However.. I'm not sure what the right fit is. Would you recommend Tailnet for someone who just wants to expose some internal IPs to the public in a safe way?
Tunneling compared to Dyn DNS at least has the advantage of more security via reduced access to ports. So maybe that alone is worth $5/m. .. well, $10/m, since I have two users. $10/m seems a bit steep just for some small access to my internal network for things like camera feeds, etc.
Dyn DNS + some safe self-hosted VPN might be more affordable and just as safe compared to Tailscale.
.. thoughts on the best service-to-price ratio for my needs?
Depends on whether you're talking about stuff that you actually want to be "exposed to the public" (i.e. can receive traffic from any IP) or just "accessible from outside the LAN."
If the former, Tailscale isn't really a good fit since it only permits access to authenticated devices.
If the latter, Tailscale is perfect. It's a VPN in the original sense of the word, "private" being the operative term - your devices can communicate as if they were all on the same LAN, without worrying about their traffic being eavesdropped.
As for the pricing, I'm fairly confident that Tailscale won't mind if you're sharing a free plan (so single-user) across e.g. your laptop and your wife's, even though there are technically two "users" there. They've made it pretty clear that the divide they care about is "personal use free, company use paid."
On the note of the free plan, it's actually a bit of a shame.. I want to pay, I like $5/m, but it looks like $5/m is fewer devices than if I used free?
Though I just noticed that the Personal Pro plan works with up to 100 devices for $4/m. Might give that a try. I really like paying.. as I hate free VC services.
edit: Wow, the signup requirement is bizarre though. I don't have or want Google or Microsoft.. I do have a GitHub, which I guess I'll have to use... but what the hell? So odd that I can't just sign up with my email.
Dynamic DNS with WireGuard works great, especially for a small footprint (sounds like you only have one LAN you want to access remotely, not multiple sites). It'll be free, and you won't have any cloud centralized service you're dependent on.
Personally I host both of these services (dynamic DNS client, wireguard server) right on my WAN edge router, but you could also run it on a host (e.g., VM or raspberry pi) inside the LAN.
An interesting collab between cloudflare and tailscale could be to add cloudflare tunnel as a tailnet node to proxy public traffic into your private tailnet (with acls managed by your tailnet) as an alternative to opening ports on your firewall. This would give you true public access (if that's what you want) but also hide your ip and protect you from ddos etc. https://www.cloudflare.com/products/tunnel/
> For basic tunneling into home servers, is Tailnet.. overkill
It's a service. You just pay money and they take care of it, instead of running this all by yourself.
> thoughts on the best service to price ratio for my needs?
You can buy a VPS for $14/3m = $4.66/m and configure Headscale or whatever on it. Fixed public IP, no need for DynDNS, no user/$ limit except CPU/RAM - you can have whatever you want on it.
EDIT: found out they even have a $11/3m plan = $3.66/m.
I found the blog post slightly confusing because it never explicitly spells out that endorsing a new node is a manual operation that the administrator has to perform from one of the trusted nodes. Of course this is what you'd want, anything automatic would ruin the purpose of tailnet lock. But still not seeing it mentioned, neither in the text nor in the pictures, made me wonder what I had missed, until I watched the video which features that very step as part of the demo.
I had the same issue. I think the idea is that you build something yourself on a trusted node that decides whether or not to endorse a new node.
Off the top of my head I'd do something dead simple like verify the user account matches our domain and then also query an inventory system to verify it is indeed a device we manage through MDM (though I'm not sure how this will work for mobile devices. We don't MDM those).
When a new device attempts to join you should have some data on it via the API (User, OS, Tailscale version, source IP, machine name). You could use that data to decide to endorse it or not.
You could also use tailnet lock in this fashion, by issuing a `tailscale lock sign` command for the new node once you've verified the provenance of the new device. Because it involves signatures with keys on your device it could never be as simple as a REST API, but maybe we could offer an easier-to-automate command or better client library support (suggestions welcome!)
Thanks for the feedback!! Writing the documentation for how this worked was a challenge, and it's good to hear what pieces we need to call out more strongly in the future.
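Putting the comments above together (a trusted node must manually endorse each new node after checking user domain and MDM inventory, and a compromised coordination server must not be able to add peers on its own), here is an added toy model in Go. It is not Tailscale's code and not its tailnet-lock (TKA) format: an Ed25519 key stands in for both the node key and the signing key, the join-request fields are the ones the commenter listed and are assumed, and the MDM inventory is a map. The point where `Decide` returns `Endorse` is where, on a real tailnet, the operator would run `tailscale lock sign <node-key>` on the trusted node; `Sign` stands in for that step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Toy model of the split the thread is describing: the coordination server
// may distribute node keys, but a peer only trusts a node key that carries a
// signature from one of the tailnet's trusted signing keys, and a trusted
// node produces that signature only after a policy check. Ed25519 and the
// types here are stand-ins, not Tailscale's TKA format or key types.

// JoinRequest is the data the commenter expects to have about a device that
// wants to join; the field names are assumed for this example.
type JoinRequest struct {
	User, OS, Version, SourceIP, Machine string
	NodeKey                              ed25519.PublicKey // stand-in for the node's WireGuard key
}

// Policy holds the two checks proposed above plus the mobile carve-out.
type Policy struct {
	Domain    string          // user must be <anything>@Domain
	Inventory map[string]bool // lower-cased machine names known to MDM (assumed)
	MobileOS  map[string]bool // OSes with no MDM record: a human decides
}

type Decision int

const (
	Reject Decision = iota
	ManualReview
	Endorse
)

// Decide fails closed: a request is endorsed only when every check matches.
func (p Policy) Decide(r JoinRequest) (Decision, string) {
	if !strings.HasSuffix(strings.ToLower(r.User), "@"+strings.ToLower(p.Domain)) {
		return Reject, "user outside our domain"
	}
	if p.MobileOS[r.OS] {
		return ManualReview, "mobile device, no MDM record to check"
	}
	if !p.Inventory[strings.ToLower(r.Machine)] {
		return Reject, "machine not in MDM inventory"
	}
	return Endorse, "domain user on a managed device"
}

// Endorsement is a node key plus a signature over it by a signing key. In a
// real deployment the Endorse outcome is where the operator runs
// `tailscale lock sign <node-key>` on the trusted node; Sign stands in here.
type Endorsement struct {
	NodeKey ed25519.PublicKey
	Signer  ed25519.PublicKey
	Sig     []byte
}

func Sign(signer ed25519.PrivateKey, nodeKey ed25519.PublicKey) Endorsement {
	return Endorsement{
		NodeKey: nodeKey,
		Signer:  signer.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(signer, nodeKey),
	}
}

// Accept is what every peer does with a node key handed to it by the control
// plane: trust it only if a known signing key vouched for exactly that key.
// A compromised control plane can inject node keys, but not signatures.
func Accept(trusted []ed25519.PublicKey, e Endorsement) bool {
	for _, t := range trusted {
		if t.Equal(e.Signer) && ed25519.Verify(t, e.NodeKey, e.Sig) {
			return true
		}
	}
	return false
}

func main() {
	pol := Policy{
		Domain:    "example.com",
		Inventory: map[string]bool{"lt-0042": true},
		MobileOS:  map[string]bool{"iOS": true, "android": true},
	}
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // held by the attacker
	nodePub, _, _ := ed25519.GenerateKey(rand.Reader)
	trusted := []ed25519.PublicKey{trustedPub}

	// Constructed join requests for the demo.
	for _, r := range []JoinRequest{
		{User: "alice@example.com", OS: "linux", Version: "1.34.0", SourceIP: "203.0.113.7", Machine: "LT-0042", NodeKey: nodePub},
		{User: "mallory@evil.example", OS: "linux", Version: "1.34.0", SourceIP: "198.51.100.9", Machine: "lt-0042", NodeKey: nodePub},
		{User: "bob@example.com", OS: "iOS", Version: "1.34.0", SourceIP: "203.0.113.8", Machine: "bobs-iphone", NodeKey: nodePub},
	} {
		d, why := pol.Decide(r)
		fmt.Printf("%-22s decision=%d (%s)\n", r.User, d, why)
	}
	fmt.Println("trusted endorsement accepted:", Accept(trusted, Sign(trustedPriv, nodePub)))
	fmt.Println("rogue endorsement accepted:  ", Accept(trusted, Sign(roguePriv, nodePub)))
	fmt.Println("unsigned key accepted:       ", Accept(trusted, Endorsement{NodeKey: nodePub}))
}
```

The design choice worth noting is that `Accept` binds the signature to the exact node key and to a signer in the trusted set: a control plane that swaps in a different node key under a genuine signature, or presents a signature from a key it generated itself, is rejected just like an unsigned key.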
I have little to no idea what Tailscale does. Is it a VPN like Mullvad? What makes it so special?
I've heard a bit about Tailscale networks connecting devices together easily. Is it for your own network only, or can other people access your Tailscale devices directly as well?
I.e., I host a Minecraft server on my Linux desktop. Can Tailscale help me in the use case of providing an IP to people to connect to it? Or am I just back to regular old port forwarding and my external IP?
Tailscale is just fancy software that creates peer to peer encrypted tunnels between your devices using wireguard.
You can think of it as a LAN for all your devices regardless of what network they’re physically connected to.
The default use case of Tailscale is to have a private LAN, just for you, not your friends. This is changing now, though.
Tailscale does as of recently have the ability to do what you’re saying for Minecraft. It’s called Tailscale Funnel. This lets you expose a port on any of your devices to the public internet with a TLS enabled host name.
Another option for your Minecraft server is to use Cloudflare Tunnel. Works great for this kind of thing and is pretty much functionally equivalent to Tailscale Funnel.
I recommend against using Funnel for this use case (because it exposes your server to everyone in the world, not just your trusted users). Tailscale node sharing is free and secure for private networks of friends, and there are lots of people using it with Minecraft: https://tailscale.com/kb/1084/sharing/
To answer the question in another thread, node sharing also works with UDP. (Funnel is TCP-only due to the vagaries of IP addresses and TLS certificates when facing the outside world, sigh.)
Does either Funnel or Tunnel allow this use case for old UDP-based games like Quake etc?
I would like to just be able to send strangers a temporary permalink to my server for a one-off session, then turn it off or have it expire automatically once we're finished. This would not be feasible if I have to also ask whomever I come across to install clients, as opposed to just connecting from within the game.
If you want to host a Minecraft server, ZeroTier is probably better. It has a couple of options that make it easier for third parties to be able to connect including automatically authorizing new connecting nodes, or an option where if you connect to a particular ZeroTier network, anyone with your ZeroTier IPv6 can connect to the corresponding port (I forget their exact name, but it's pretty slick).
Wow, I was advocating for switching to Tailscale (from just manual SSH key management) and was asked if we could do pretty much exactly this. Great to see such quick progress.
While I like free (self-hosting), my gut says $5/m would be worth having Tailscale manage security for me to ensure it's done right.
Not if your IP is behind CGNAT or the like.
> $10/m seems a bit steep
They have a free multi-user plan but it's in small print on the pricing page and requires use of Github for user management.
That works if your IP is globally reachable.
If you're okay with trusting Tailscale's control plane, we have a feature for exactly this use case! Its called Device Authorization: https://tailscale.com/kb/1099/device-authorization/
If you're interested in gory details around tailnet lock internals, we have the beginnings of a whitepaper here: https://tailscale.com/kb/1230/tailnet-lock-whitepaper/