tailscale.com

I have been using Tailscale VPN with my servers for about 6 months now and I would recommend it to anyone.

I’m running it on both of my Proxmox machines, my laptop, a raspberry pi, and my Android phone. It makes it super easy and secure to access my local services while away from my house.

Very simple set up, minimal initial configuration, and versatile.

There are apps for Linux, Windows, Mac, Android, and iOS.

Is anyone else currently using Tailscale? I’d like to hear what you all think.

16 points

One common criticism about Tailscale is that it has too many features for a networking product, which increases the likelihood of bugs that can lead to security compromise (e.g. Tailscale SSH), especially when a compromised Tailscale network means the malicious actors have full access to your internal network.

9 points

It’s not self-hosted, I refuse to use anything that relies on any third party


Check out Headscale, pretty stable on my end

2 points

Does using headscale reduce the available functionality in any way? I read Tailscale’s AMAZING article on NAT traversal and was wondering if that was impacted by moving to headscale in any way. Does headscale replace DERP too?

5 points

Does headscale replace DERP too?

Headscale does have a built-in DERP server, and you can run standalone instances using code from tailscale (there are a bunch of docker images you can find on docker hub, or you can build one yourself), which you then have to include in Headscale’s config. I’ve done this for a while, but I was running into connectivity issues when on the go using a mobile connection, so I’ve been falling back on Tailscale’s instances for now. I should try again sometime.


I don’t know the technicals that well, but I can see relays working if I run tailscale status. You don’t get some enterprise/business features like access control, but I can be wrong.

0 points

You could check out a very similar product, ZeroTier (Open Source Community Edition) assuming your use case is non-commercial.

… if you’re willing to use an older release, you could potentially do whatever you want as the software uses a BSL license with a change date fallback license of Apache 2.0.

8 points

What is the benefit of this over just running Wireguard?

11 points

It’s a mesh network unlike plain Wireguard, and it’s much easier to set up (with the caveat that there’s a third party involved to coordinate connections and stuff)

0 points

I still don’t fully understand the benefit over plain WireGuard for a home lab use case…

I set up wg-easy (WireGuard socket container with built in web interface to easily generate certs for clients) in about 5 minutes on an odroid (like a raspberry pi). Opened a single port on my router. Generated certs for my phone and laptop using the web interface in about 30 seconds. Changed one line in my client configs to only route network on my home’s IP range over the VPN so I can connect without disrupting my internet connection. Then I just activate the VPN and I can access all of my home services. (writing all that out kind of makes it sound complicated but literally this was done in like 10 minutes total and never had to touch it again except to log into the web admin to make certs for new clients occasionally)

Since Tailscale is a mesh VPN like Nebula, wouldn’t I need to install and set it up on all of my servers and VMs instead of just one to access everything? And then every new VM I make I would have to manually set that up too? Wouldn’t that be harder to set up overall than a single wg-easy container?

I feel like maybe I don’t fully understand how Tailscale works because it never seemed more convenient or better than vanilla WireGuard and it just uses WG protocol under the hood anyway but with the added dependency of a 3rd party service I have to trust and that can go down disabling my access to my home network…

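Added example, not part of the thread or any commenter's code: the comment above describes changing one line in the WireGuard client config so that only the home IP range goes over the VPN, which in WireGuard is the peer's `AllowedIPs` setting. This Python check reads a client config and reports whether it is full-tunnel or split-tunnel and which routes fall outside the ranges you expect; the sample config, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed client config: keys are placeholders, addresses are sample values.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
"""

def allowed_ips(conf_text):
    """Collect every AllowedIPs network from all [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        if section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def audit_routes(conf_text, expected):
    """Return (mode, extra): tunnel mode and routes outside the expected ranges."""
    expected = [ipaddress.ip_network(n) for n in expected]
    nets = allowed_ips(conf_text)
    # A /0 route (0.0.0.0/0 or ::/0) sends all traffic through the tunnel.
    full = any(n.prefixlen == 0 for n in nets)
    extra = [str(n) for n in nets
             if not any(n.version == e.version and n.subnet_of(e) for e in expected)]
    return ("full-tunnel" if full else "split-tunnel"), extra

if __name__ == "__main__":
    print(audit_routes(SAMPLE_CLIENT_CONF, ["10.8.0.0/24", "192.168.1.0/24"]))
```
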
4 points

For Tailscale you just have to install it, start the service, and log in. If you want to install it on just one server and have it act as a gateway to the rest of your network, you can use subnet routers.

0 points

I don’t think I can edit comments, but I meant to say wg-easy is a WireGuard docker container, not a “socket” container lol

7 points

Elegant, easy to use web based admin panel. Google authentication. Exit nodes (routing all traffic through a peer). Subnet routes. Funnels. It’s the best tech I’ve used lately.

5 points

The main benefit is it can punch through double NATs. Can’t use wireguard if you can’t even see your wireguard server when you have a shitty ISP that put their customers behind CGNAT.

2 points

Not trying to defend CGNAT because I hate it, but as someone who works for what most of you would consider a “good ISP”, we use it simply because we don’t have enough IP addresses to do 1:1 NAT for every connection, and buying the amount of IP addresses required to do so would literally cost us somewhere in the neighborhood of ~4 million dollars - on top of the headache that we don’t know the history of these IP addresses which could cause issues if they are on blacklists, etc.

4 points

I understand if it’s due to inability to procure more ipv4 blocks as long as the ISP also supports ipv6 properly. Many of those shitty ISPs do not even have that option though.

7 points
Deleted by creator
18 points

No, it isn’t. But there is a self hosted Foss version of it (headscale) that the developers actively support.

4 points

The clients are open source, the coordination server isn’t

6 points

It’s not self-hosted but it’s incredibly useful for self-hosting as it makes public access to locally hosted services a breeze. It’s user-friendly, feature-rich and scalable.

2 points

U can use headscale and make it pretty much 100% self hosted

1 point

I hope it becomes easier to deploy for less techie users.
