Recommendation: Tailscale VPN

tailscale.com

I have been using Tailscale VPN with my servers for about 6 months now and I would recommend it to anyone.

I’m running it on both of my Proxmox machines, my laptop, a Raspberry Pi, and my Android phone. It makes it super easy and secure to access my local services while away from my house.

Very simple set up, minimal initial configuration, and versatile.

There are apps for Linux, Windows, Mac, Android, and iOS.

Is anyone else currently using Tailscale? I’d like to hear what you all think.

slip,

I was using tailscale to transport files between devices quickly but I got an email about a vulnerability that leaked some info. I don’t even use it for the vpn part so I just made a portal on a vps that I use now for file transfer. Tailscale was pretty fast at that though, and they were open about the exploit, so I think they’re pretty cool.

lom,

Isn’t tailscale just a company abstracting over a more barebones VPN? I haven’t looked into it, but want to operate a VPN into my home network in the future.

Why would I choose tailscale over just selfhosting wireguard?

Dark_Arc,

I prefer ZeroTier, I’m not sure why Tailscale has taken off so much in recent years (perhaps just the cleaner UI and better marketing).

snailtrail,

I run a single headscale node on one of my free Oracle OCI instances, and connect about a dozen devices to it. No fear of adding friends either, since it’s free.

redcalcium,

One common criticism about Tailscale is it has too many features for a networking product, which increases the likelihood of bugs that can lead to security compromise (e.g. Tailscale SSH), especially when a compromised tailscale network means the malicious actors have full access to your internal network.

benjacoblee,

I like it, but it consumes copious amounts of battery on my Android phone. I only use it for 1) ssh and 2) services that I don’t want / need to be accessible over the Internet

EchoVerse,

I have the same issue with 1.1.1.1 and cloudflare tunnels. It really kills my battery

picklestehbutt,

It does. I only turn it on when I need it.

slip,

you use tailscale for ssh instead of termux?

benjacoblee,

I didn’t know what Termux was before this

But if it’s ssh on Android, I use Termius (which I haven’t used all that much tbh)

daph,

I'm sat behind a CGNAT for my home internet, so I can't really forward ports in. Tailscale has been great as a free thing to let me get a quick-and-easy VPN set up so I can remote into my network reliably.

TheLazurus,

I was using this for a bit actually, only reason I stopped was the network filters at work broke it...but I might try headscale down the road to see what that does....

mfat,

It’s not self-hosted but it’s incredibly useful for self-hosting as it makes public access to locally hosted services a breeze. It’s user-friendly, feature-rich and scalable.

death916,

U can use headscale and make it pretty much 100% self hosted

mfat,

I hope it becomes easier to deploy for less techie users.

lemming007,

It’s not self-hosted, I refuse to use anything that relies on any third party

lckdscl,

Check out Headscale, pretty stable on my end

hoodlem,

What is the benefit of this over just running Wireguard?

jmshrv,

It’s a mesh network unlike plain Wireguard, and it’s much easier to set up (with the caveat that there’s a third party involved to coordinate connections and stuff)

redcalcium,

The main benefit is it can punch through double NATs. Can’t use wireguard if you can’t even see your wireguard server when you have a shitty ISP that put their customers behind CGNAT.

porksandwich9113,

Not trying to defend CGNAT because I hate it, but as someone who works for what most of you would consider a “good ISP”, we use it simply because we don’t have enough IP addresses to do 1:1 NAT for every connection, and buying the amount of IP addresses required to do so would literally cost us somewhere in the neighborhood of ~4 million dollars - on top of the headache that we don’t know the history of these IP addresses which could cause issues if they are on blacklists, etc.

redcalcium,

I understand if it’s due to inability to procure more ipv4 blocks as long as the ISP also supports ipv6 properly. Many of those shitty ISPs do not even have that option though.

porksandwich9113,

Yeah, we have a full IPv6 deployment on our entire network and have for many years now. We’re a small rural regional coop so we make an effort to do right by our members the best we can. And for the members who really need a routable IPv4 IP, we do have limited blocks we can assign to interfaces if they request it.

redcalcium,

Then it’s not a shitty ISP. My previous ISP not only put their customers behind CGNAT, the CGNAT’s IP addresses they use have poor reputation too so their customers sometimes get caught in captcha hell (very annoying when cloudflare doesn’t like you because every other site is behind cloudflare now), doesn’t provide static IP address even when I asked to pay for it, and doesn’t even provide IPv6. The only saving grace was 1:1 download/upload ratio, and they implemented government-mandated block list half-assedly (Reddit is banned in my country) so it’s easy to circumvent. Once another ISP covered my area, I immediately jumped ship.

The new ISP also has a problem with IPv4 allocation. Sometimes I got assigned behind a CGNAT, but restarting the modem is usually enough to get assigned into a publicly routable IPv4. And they actually have IPv6 so the CGNAT isn’t as much of an issue. The drawback is asymmetric download/upload speed, and they implemented the government-mandated block list more competently (transparently hijacking all DNS requests, throttling DoH, ip-blocking some blocked websites, sniffing http host header and block it if the website is banned, etc) so I have a bit harder time to unblock everything.

porksandwich9113,

Wow, that sounds like pretty awful internet conditions. What country do you live in if you don’t mind me asking?

mfat,

Elegant, easy to use web based admin panel. Google authentication. Exit nodes (routing all traffic through a peer). Subnet routes. Funnels. It’s the best tech I’ve used lately.

Melco,

deleted_by_author

  • m0nky,

    No, it isn’t. But there is a self hosted FOSS version of it (headscale) that the developers actively support.

    emhl,

    The clients are open source, the coordination server isn’t

    Xirup,

    I took a quick look and it says it has a free option for individuals with practically everything unlocked, what’s the point of that? It’s a trick I guess?

    picklestehbutt,

    You only get 3 users with the free version

    d4nm3d,

    how many do you want? I only use 1 and have 4 networks with multiple subnet routers in failover in each network.

    picklestehbutt,

    Anyone like me, one or two is fine. If you’re a business, that won’t be sufficient.

    d4nm3d,

    Fair enough.

    m0nky,

    It’s not a trick at all. They want personal users to use it on the chance they then introduce it to work.

    They are a very positive company that supports the FOSS community. It is a great product.

    bookworm,

    According to them it’s a way to get individual enthusiasts on board who will then get their workplaces to adopt Tailscale.

    “In capitalism we call this a win/win deal. You get free stuff. You enjoy it. You tell your boss. Your boss gives us money (eventually). And nobody’s personal information got misplaced along the way. You did pay us—by talking about us.” tailscale.com/blog/free-plan/

    julesiecoolsie,

    This looks like a paid business vpn… are you even hosting it? I don’t get it

    picklestehbutt,

    It’s free for personal use, although they offer paid versions for enterprise. It’s built using Wireguard, so there is a coordination server that’s accessed using the web app, but all the traffic is encrypted from client to client.

    bookworm,

    The free license is so generous that a home user really should have no reason to ever pay for it.

    “are you even hosting it”

    No but as andrew mentions below you CAN self host it.
