tailscale.com

I have been using Tailscale VPN with my servers for about 6 months now and I would recommend it to anyone.

I’m running it on both of my Proxmox machines, my laptop, a raspberry pi, and my Android phone. It makes it super easy and secure to access my local services while away from my house.

Very simple set up, minimal initial configuration, and versatile.

There are apps for Linux, Windows, Mac, Android, and iOS.

Is anyone else currently using Tailscale? I’d like to hear what you all think.

  • redcalcium@c.calciumlabs.com
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    One common criticism about Tailscale is it has too many features for a networking product, which increase the likelihood of bugs that can lead to security compromise (e.g. Tailscale SSH ), especially when compromised tailscale network means the malicious actors have full access to your internal network.

    • m0nky@lemmy.world
      link
      fedilink
      English
      arrow-up
      20
      arrow-down
      1
      ·
      1 year ago

      No, it isn’t. But there is a self hosted Foss version of it (headscale) that the developers actively support.

    • jmshrv@feddit.uk
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      It’s a mesh network unlike plain Wireguard, and it’s much easier to set up (with the caveat that there’s a third party involved to coordinate connections and stuff)

      • einsteinx2@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        1 year ago

        I still don’t fully understand the benefit over plain WireGuard for a home lab use case…

        I set up wg-easy (WireGuard socket container with built in web interface to easily generate certs for clients) in about 5 minutes on an odroid (like a raspberry pi). Opened a single port on my router. Generated certs for my phone and laptop using the web interface in about 30 seconds. Changed one line in my client configs to only route network on my home’s IP range over the VPN so I can connect without disrupting my internet connection. Then I just activate the VPN and I can access all of my home services. (writing all that out kind of makes it sound complicated but literally this was done in like 10 minutes total and never had to touch it again except to log into the web admin to make certs for new clients occasionally)

        Since Tailscale is a mesh VPN like Nebula, wouldn’t I need to install and set it up on all of my servers and VMs instead of just one to access everything? And then every new VM I make I would have to manually set that up too? Wouldn’t that be harder to setup over all than a single wg-easy container?

        I feel like maybe I don’t fully understand how Tailscale works because it never seemed more convenient or better than vanilla WireGuard and it just uses WG protocol under the hood anyway but with the added dependency of a 3rd party service I have to trust and that can go down disabling my access to my home network…

        • jmshrv@feddit.uk
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          For Tailscale you just have to install it, start the service, and log in. If you want to install it on just one server and have it act as a gateway to the rest of your network, you can use subnet routers.

          • einsteinx2@programming.dev
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Interesting… I also saw some people post about the self hostable open source version Headscale, so I’m going to play around with it. Tailscale gets recommended so often there must be something to it, I was just always put off by having to rely on a company to access my personal stuff which is sort of the whole reason I self host in the first place… but if I can self host the Tailscale coordinator that changes things.

            I’ve been happy with vanilla WireGuard for my use case but it’s always nice to learn about other options.

        • einsteinx2@programming.dev
          link
          fedilink
          English
          arrow-up
          0
          arrow-down
          1
          ·
          1 year ago

          I don’t think I can edit comments, but I meant to say we-easy is a WireGuard docker container, not a “socket” container lol

    • mFat@lemdro.id
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Elegant, easy to use web based admin panel. Google authentication. Exit nodes (routing all traffic through a peer). Subnet routes. Funnels. It’s the best tech I’ve used lately.

    • redcalcium@c.calciumlabs.com
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      1 year ago

      The main benefit is it can punch thorough double NATs. Can’t use wireguard if you can’t even see your wireguard server when you have a shitty ISP that put their customers behind CGNAT.

      • porksandwich9113@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Not trying to defend CGNAT because I hate it, but as someone who works for what most of you would consider a “good ISP”, we use it simply because don’t have enough IP addresses to do 1:1 NAT for every connection, and buying the amount of IP addresses required to do so would literally cost us somewhere in the neighborhood of ~4 million dollars - on top of the headache that we don’t know the history of these IP addresses which could cause issues if they are on blacklists, etc.

        • redcalcium@c.calciumlabs.com
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          1 year ago

          I understand if it’s due to inability to procure more ipv4 blocks as long as the ISP also supports ipv6 properly. Many of those shitty ISPs do not even have that option though.

          • porksandwich9113@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            1 year ago

            Yeah, we have a full IPv6 deployment on our entire network and have for a many years now. We’re a small rural regional coop so we make an effort to do right by our members the best we can. And for the members who really need a rout-able IPv4 IP, we do have limited blocks we can assign to interfaces if they request it.

            • redcalcium@c.calciumlabs.com
              link
              fedilink
              English
              arrow-up
              4
              ·
              1 year ago

              Then it’s not a shitty ISP. My precious ISP not only put that customer behind CGNAT, the CGNAT’s IP addresses they use have poor reputation too so their customers sometimes get caught in captcha hell (very annoying when cloudflare doesn’t like you because every other sites are behind cloudflare now), doesn’t provide static IP address even when I asked to pay for it, and don’t even provides IPv6. The only saving grace was 1:1 download/upload ratio, and they implemented government-mandated block list half-assedly (Reddit is banned in my country) so it’s easy to circumvent. Once another ISP covered my area, I immediately jumped ship.

              The new ISP also has problem with IPv4 allocation. Sometimes I got assigned behind a CGNAT, but restarting the modern is usually enough to get assigned into a publicly routable IPv4. And they actually have IPv6 so the CGNAT isn’t as much of an issue. The drawback is asymmetric download/upload speed, and they implemented the government-mandated block list more competently (transparently hijacking all DNS requests, throttling DoH, ip-blocking some blocked websites, sniffing http host header and block it if the website is banned, etc) so I have a bit harder time to unblock everything.

  • lemming007@lemm.ee
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    8
    ·
    1 year ago

    It’s not self-hosted, I refuse to use anything that relies on any third party

      • maiskanzler@feddit.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Does using headscale reduce the available functionality in any way? I read Tailscale’s AMAZING article on NAT traversal and was wondering if that was impacted by moving to headscale in any way. Does headscale replace DERP too?

        • stefanA
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          Does heads ale replace DERP too?

          Headscale does have a built-in DERP server, and you can run standalone instances using code from tailscale (there are a bunch of docker images you can find on docker hub, or you can build one yourself), which you then have to include in Headscale’s config. I’ve done this for a while, but I was running into connectivity issues when on the go using a mobile connection, so I’ve been falling back on Tailscale’s instances for now. I should try again sometime.

        • lckdscl [they/them]@whiskers.bim.boats
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I don’t know the technicals that well, but I can see relays working if I run tailscale status. You don’t get some enterprise/business features like access control, but I can be wrong.

    • Dark Arc@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      1 year ago

      You could checkout a very similar product, ZeroTier (Open Source Community Edition) assuming your use case is non-commercial.

      … if you’re willing to use an older release, you could potentially do whatever you want as the software uses a BSL license with a change date fallback license of Apache 2.0.

  • mFat@lemdro.id
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    2
    ·
    1 year ago

    It’s not self-hosted but it’s incredibly useful for self-hosting as it makes public access to locally hosted services a breeze. It’s user-friendly, feature-rich and scalable.

  • GreenDot 💚@le.fduck.net
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    I tried it, its great if you want to get started. or you want to run a vpn on a server that doesnt support wireguard. My main gripe with the client is that it can’t do high speeds, it’s just too cpu bound. Like going close to a gigabit transfer.

    With wireguard I was able to get to 98% gigabit transfer. It was fine for a month I was using it, in the end I just setup a wireguard mesh with Netmaker.

    There is headscale where you can run your own hosted central server, so you’re not using the tailscale one.

    In the end netmaker did what I wanted, however they tend to introduce bit of changes in their releases, so if you’re not super technical it might pose a challenege with upgrading until they reach a super stable version. Like jump from 0.10.X to 0.20 had some big changes for the whole netmaker internals. Bit that does not impact wireguard connectivity.

  • bnjmn@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    I like it, but it consumes copious amounts of battery on my Android phone. I only use it for 1) ssh and 2) services that I don’t want / need to be accessible over the Internet

    • dartanjinn@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I run pivpn with wireguard alongside tailscale for this exact reason. Wireguard in the phone, tailscale on PCs.

      • einsteinx2@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        If you already have to setup and maintain WireGuard, what’s the added benefit of Tailscale for your use case?

        • dartanjinn@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          In all honesty I ran both because I hadn’t yet discovered route advertisement on tailscale. Now that I’ve discovered that feature, I really only use wireguard for the phone due to battery drain with tailscale. Also, I can’t use wireguard on my work PC because the firewall drops all VPN traffic and tailscale gets around that. I’m not gonna pretend to know how it gets around that cause I haven’t bothered to learn it that deeply yet but it works and I like it.

          I guess the TL;DR is tailscale bypasses firewall restrictions and wireguard doesn’t drain my phone battery.

          • einsteinx2@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I have an issue with my cell carrier blocking traffic to my home WireGuard server. It works from everywhere else and other cell services so I know it’s them. I’m definitely gonna try out Tailscale to see if it’ll get around it. Thanks for the tip. Too bad about the battery drain but I’m usually only hopping on for a minute to run a few commands over ssh or whatever so shouldn’t be a big deal.

            • dartanjinn@lemm.ee
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Yeah tailscale is definitely useable on the phone if you toggle it only when you’re gonna use it. I keep it on because I have piHole as the VPN DNS so I get adblocking everywhere I go wether I’m on public wifi or cellular. So I need something that doesn’t drink battery juice. Wireguard ftw.

      • bnjmn@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I didn’t know what Termux was before this

        But if it’s ssh on Android, I use Termius (which I haven’t used all that much tbh)

    • bookworm@feddit.nl
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      The free license is so generous that a home user really should have no reason to ever pay for it.

      are you even hosting it

      No but as andrew mentions below you CAN self host it.

    • picklestehbutt@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      It’s free for personal use, although they offer paid versions for enterprise. It’s built using Wireguard, so there is a coordination server that’s accessed using the web app, but all the traffic is encrypted from client to client.

  • Xirup@lemmy.one
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    I took a quick look and it says it has a free option for individuals with practically everything unlocked, what’s the point of that? It’s a trick I guess?

    • m0nky@lemmy.world
      link
      fedilink
      English
      arrow-up
      15
      ·
      1 year ago

      It’s not a trick at all. They want personal users to use it on the chance they then introduce it to work.

      They are a very positive company that supports the FOSS community. It is a great product.

    • bookworm@feddit.nl
      link
      fedilink
      English
      arrow-up
      13
      ·
      edit-2
      1 year ago

      According to them it’s a way to get individual enthusiasts on board who will then get their workplaces to adopt Tailscale.

      “In capitalism we call this a win/win deal. You get free stuff. You enjoy it. You tell your boss. Your boss gives us money (eventually). And nobody’s personal information got misplaced along the way. You did pay us—by talking about us.” https://tailscale.com/blog/free-plan/

  • daph@kbin.social
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    I’m sat behind a CGNAT for my home internet, so I can’t really forward ports in. Tailscale has been great as a free thing to let me get a quick-and-easy VPN set up so I can remote into my network reliably.

  • aedyr@lemmy.ca
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    That’s awesome to hear. I’m looking to set up some self-hosted stuff, and I see a lot of recommendations for Tailscale for the VPN element.

  • snailtrail@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I run a single headscale node on one of my free Oracle OCI instances, and connect about a dozen devices to it. No fear of adding friends either, since it’s free.

  • TheLazurus@kbin.social
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    I was using this for a bit actually, only reason I stopped was the network filters at work broke it…but I might try headscale down the road to see what that does…

  • lom@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Isn’t tailscale just a company abstracting over a more barebones VPN? I haven’t looked into it, but want to operate a VPN into my home network in the future.

    Why would I choose tailscale over just selfhosting wireguard?

  • Dark Arc@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I prefer ZeroTier, I’m not sure why Tailscale has taken off so much in recent years (perhaps just the cleaner UI and better marketing).