I've been using Tailscale for a couple of personal use cases and it has become one of my favorite products. It really simplified my setup and it "just works".
That said, I share OP's concerns as someone who has been evaluating alternatives to Google Workspace and Office 365. It is understandable that they may be prioritizing a B2B model, a decision which may be at odds with users like OP and myself. That said, I still recommend it to teams/people who do not share this concern.
I hesitate investing further than my current setup because of this reason and I've been investigating whether Headscale/ZeroTier fit the bill. It is a shame because it is such a great product and it has been a while since I last had an equivalent experience using software.
I share the same concerns. They also had some bizarre and worrying behaviour where anyone signing up with the same domain would automatically be joined to your account, seemingly without any approval steps.
This was ostensibly to allow “corporate” accounts to easily group all users together, but the behaviour relies in the backend on a manually maintained (by Tailscale) list of “shared” domains where this auto joining behaviour would be bypassed (eg. @gmail.com) to prevent say all Gmail users being grouped into the same account.
Of course this manual list missed some obscure shared email domains and there were users complaining on GitHub that they were unexpectedly seeing other users/machines in their account.
I hope this terrible design decision has now been fixed in some way but it adds to my slight unease at the authentication model being used (along with the OP’s concerns).
Aside from this Tailscale is a great product, but for something focussed on security these sorts of things need to be given a high priority (if they’re not already).
Oh, I wasn't aware of that. That's certainly worrisome considering Tailscale's default configuration for the ACL and authenticating new machines. Fortunately I updated my settings to change the default ACL policy and to manually approve any new machines.
I don’t use Tailscale, I use a competing and currently arguably better product (Netmaker).
Imagine you’re a business building XYZ software product. You build a k8s cluster in one region, but now you need your system also to exist simultaneously in another region for failover reasons. Now you need region A to be able to have replicas in region B in real-time amongst many other requirements and those two networks from each region need to be able to understand and talk to each other with minimal setup and headache. Perhaps network A is set up on DigitalOcean and network B is on AWS or GKE for financial or technical reasons. Example: it’s cheaper to have surplus machine needs on AWS/GKE but you don’t want machines running there all the time because it’s expensive.
Enter Wireguard mesh networking. Ever since kernel Wireguard made it into Linux this is where the endgame has been for cloud deployments. It’s a huge improvement over the previous solutions. Netmaker and Tailscale are two offerings of that solution.
Note that I’m not affiliated with Netmaker at all. Just a quite happy customer.
Interesting. How hard would it be to build your own Tailscale implementation then? Does Tailscale just mostly provide a nice UX and provisioning on top of wireguard-go?
All of these are assuming that at least one end of the tunnel has a (somewhat) static IP and the ability to open an IPv4 port for incoming UDP connections.
If that’s you, you probably don’t need Tailscale.
But if your scenario is e.g. SSHing from your phone to a Raspberry PI behind a carrier-grade NAT, it’s definitely worth a look.
> 2. Open the WireGuard port to the Internet (don't worry, it's invisible)
Not quite the same. Opening a Wireguard port to the Internet doesn't help if the port is unreachable due to weird NATting.
My home ISP puts me on CGNAT so I have no IPv4 access to my network. If I'm out and on a v4-only network, I can't connect to that Wireguard instance without going through other hoops (like a "bastion" Wireguard peer on a dual-stack host, for instance). With Tailscale, it Just Works.
You're likely going through a Tailscale relay when you're out of your house too. It's still an extra hop through their servers, but yes it "just works".
According to them, not necessarily [0]. They do have relay servers (they call them DERPs) [1] but they're only used in rare situations where UDP is blocked entirely.
I admit I wasn't able to understand most of those explanations so I could be wrong. :)
Yeah, definitely worth mentioning that Wireguard is actually super easy to manually configure, especially if you don't have a bazillion hosts or need to integrate with auth domains. I think a lot of the stuff individuals end up setting up Tailscale/Zerotier for (they obviously have a lot of other stuff going on, but the relevance to individual/small group users may be limited) would be equally well-served by plain old Wireguard.
>"Open the WireGuard port to the Internet (don't worry, it's invisible)"
Thanks. Can you elaborate on how it's invisible? I was looking at the docs and it looks like it defaults to UDP port 51820. Certainly that's visible no?
Wireguard does not reply to invalid connection attempts that don't have an authorized key, so it depends on what your system does for closed ports. If it (as often default) responds with an ICMP message, then the lack of such response will reveal that there is something there, whereas if your default is to silently drop packets to closed UDP ports it can't really be detected.
Since a WireGuard peer only responds to cryptographically authenticated packets and UDP is connectionless — you don't get confirmation at the transport layer by way of a handshake or anything — WireGuard ports are invisible to you unless you own a private key whose corresponding public key is already approved by the peer.
- Ditch my previous VPS + Wireguard setup which I had to maintain
- Easily add/remove my own exit nodes as I wish/need (either using my own devices or any VPS)
- Use my beefy desktop as a remote development setup
- Running syncthing/rclone across all of my devices without relying on relay nodes or whatever
- Accessing all of my devices remotely
They just make it dead simple to run your network without worrying as much about opening yourself to the internet. I know you can achieve this without Tailscale but they just make it so easy. Their ACL system is pretty easy to configure and you can even add assertions to it.
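The ACL "assertions" mentioned above are Tailscale's `tests` section: a policy file carries expectations about which source may reach which `host:port`, and a policy that violates them is rejected. The block below is an added illustration (not Tailscale's code) of a simplified evaluator over a constructed policy, contrasting Tailscale's default allow-all rule with an explicit default-deny policy; the user, group and host names are made up.

```python
# Simplified evaluator for a Tailscale-style ACL policy and its "tests" section.
# Added illustration only: a reduced model of the policy format, not Tailscale's engine.
# Constructed policy: explicit accept rules instead of the allow-all default.
POLICY = {
    "groups": {"group:admins": ["alice@example.com"]},
    "acls": [
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
        {"action": "accept", "src": ["bob@example.com"], "dst": ["nas:22", "nas:8384"]},
    ],
    "tests": [
        {"src": "bob@example.com", "accept": ["nas:22"], "deny": ["desktop:3389"]},
        {"src": "alice@example.com", "accept": ["desktop:3389"]},
    ],
}

# The policy a new tailnet starts with: every node may reach every port on every node.
DEFAULT_POLICY = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}


def _src_matches(rule_src, user, groups):
    """A rule source matches a literal user, a group containing them, or '*'."""
    for s in rule_src:
        if s == "*" or s == user:
            return True
        if s.startswith("group:") and user in groups.get(s, []):
            return True
    return False


def _dst_matches(rule_dst, host, port):
    """Destinations are 'host:port' with '*' allowed for either half."""
    for d in rule_dst:
        d_host, d_port = d.rsplit(":", 1)
        if d_host in ("*", host) and d_port in ("*", str(port)):
            return True
    return False


def is_allowed(policy, user, host, port):
    """Default deny: only an explicit accept rule permits the flow."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if _src_matches(rule["src"], user, groups) and _dst_matches(rule["dst"], host, port):
            return True
    return False


def run_tests(policy):
    """Check the policy's own assertions; returns the failures ([] means intent matches)."""
    failures = []
    for t in policy.get("tests", []):
        for target in t.get("accept", []):
            h, p = target.rsplit(":", 1)
            if not is_allowed(policy, t["src"], h, p):
                failures.append(f"{t['src']} should reach {target}")
        for target in t.get("deny", []):
            h, p = target.rsplit(":", 1)
            if is_allowed(policy, t["src"], h, p):
                failures.append(f"{t['src']} should NOT reach {target}")
    return failures
```

Tightening a rule later (say, removing `nas:8384` for bob) is caught by `run_tests` before the policy goes live, which is the point of keeping the assertions in the file.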
I use it to replace ssh tunnels. I used to have a couple of ports open on my office router I would ssh through. I closed those off and use tailscale on a single machine in my office as a subnet router.
Now when I am at home or travelling, I have direct access to my test database, VMs and remote desktops without having to tunnel those ports.
When they say zero conf they mean it. Truly impressive product. I could get away with the free version but I paid for it I was so impressed.
Can it really work if the server doesn't have a public IP? It works if the server blocks all incoming traffic, but doesn't it have to be routable? It can of course work via DHCP, but I would consider my devices at home still to have a public IP, even if they share it.
As I wrote, I'd consider being behind a NAT still having a public IP. It's a shared one but any web page will be able to see a public IP associated with this machine. That's different from servers that have no public IP and must route all traffic through a proxy.
If you consider devices behind a NAT to have a public IP then yes, it needs a public IP. Really, it just needs to be routable to the internet. Tailscale handles the NAT busting and p2p handshake, while the nodes directly talk to each other (over WireGuard).
Maybe you can. My partner, who'd just like to look at the cute kitten pictures I added to our shared photo album, definitely can't. My dad who just wants to throw a genealogy file on my fileserver can't, either.
Yes, and anytime someone points out that existing tech works, someone pulls out the Dropbox comment as if it proves that every new shiny is better than the existing options.
In any event, if you're working with people who are technical enough to handle Tailscale, you can stick the ssh one-liner in a script file and tell them to double-click it to launch the tunnel. Or use a graphical SSH client with a port-forwarding profile, if that's what you like. Tailscale has real advantages, but I'm skeptical of ease of use really being one.
You didn't point out that "existing tech works". You pointed out that you can achieve a rough facsimile with existing tech, provided you're willing to invest significantly more energy. That is the essence of the dropbox comment. Of course you can solve it with existing tech, but it takes a bunch of effort and is by far not as smooth. The achievement is not the technology itself.
You can be skeptical about ease of use all you want, "Log in with a IdP you already log in to, and then just open the site" is miles easier than "just launch the tunnel via script" and all the debug steps that come invariably when the tunnel malfunctions.
I know this is hard to see when to you, running an ssh tunnel is second nature. But if I gave my family a "graphical SSH client with a port-forwarding profile", they'd rightfully yell at me. These are steps they neither want to nor need to be comfortable with. And, heck, it's easier for me too. One less thing to worry about.
Somebody is running a whole bunch of infra for me, and has spent a whole lot of time addressing all the edge cases that "one-liner script" doesn't address. I happily pay money for that, any time.
> you can stick the ssh one-liner in a script file
Which ssh one-liner? You can't ssh into a machine that's not publicly reachable without some more hoops. I thought that was one of the points of Tailscale, taking care of the Wireguard "advanced" setup.
Having to use Google or GitHub to log into Tailscale definitely gave me pause when I was signing up. I actually pumped the brakes for a few months when I first encountered that, but eventually relented and chose GitHub.
I don't particularly _want_ another login, but I also don't cherish the thought of losing access to Service A because of the actions of Service B.
Same here, for something that they pitch as being so self hosted signing up without using your own email was really weird to me. Still haven't signed up....
Yes, that works fine. All non-Workspace services continue to work that way. I discovered it accidentally and I am quite glad that I do not have to migrate many SSO accounts created with Google Apps / G Suite / Workspace over the last decade. The deprecation definitely taught me a lesson in avoiding vendor lockins.
I'd like to offer Netmaker as an alternative. Caveat, I'm one of the creators so grain of salt, etc.
It's completely self-hosted, so none of your traffic will go through our servers. You can also use basic auth by default (though there is also OAuth). Finally, as a bonus, it's much faster because you can use kernel WireGuard.
I won't claim it's as user-friendly as Tailscale (yet). It definitely requires more technical knowledge to set up, especially considering it's not a SaaS. But if you're willing to get through the initial setup (Day 0 / Day 1), you should be golden.
We don't have our own mobile client yet, so right now we rely on the WireGuard app. You configure a gateway, and then generate raw WireGuard configs + QR codes which hook them into the network: https://docs.netmaker.org/external-clients.html
I like how "I’m not sure if they realize it yet, but Tailscale seems to work extremely well for polycules." is thrown in, as if it's usual for any company to know what a "polycule" is.
A romantic network, or a particular subset of relationships within a romantic network, whose members are closely connected. They can be intimate, familiar, romantic, or sexual in nature, but not limited to. The polycule created is unique to the people involved and the variations they create.
It is specifically addressing the GP's statement "as if it's usual for any company to know what a 'polycule' is."
It is usual for a large number of companies (and tech folks) to know what that means, but disproportionately so for the Bay area. The blog poster certainly works for a company I'd call Bay adjacent, so they wrote in a language familiar to them.
It has nothing to do with "only place that matters", but simply explaining that given the context of the writer, it's a high likelihood they assume general familiarity.
There are alternative solutions available for those that don't like the Tailscale authentication model, including using Wireguard directly.
Tailscale does not need to be all things to all people, and especially not at the free tier for personal use. Adding extra complexity to the product would mean that it would no longer be the easy to use tool that it currently is.
It's maybe clearer to say, Google enables any company's Google Workspace administrator to do high-touch account management, and/or to set up tricky things with accounts.
There's BeyondCorp; there's two-way SAML directory binding (i.e. Google can be your enterprise's IdP for other service, or you can use your enterprise's IdP to sign into Google!); there's GCP Application Default Credentials; MFA device bindings; "application passwords" to pass through 2FA requirements; the ability to tell the auth layer to temporarily disable a user's password prompts via the admin dashboard; Google Take-out; Workspace account data export for terminated users; detachable adjunct accounts (e.g. Youtube channels); etc x1000.
Did you know that tucked away within every Google account is a set of AWS-looking credentials, that exist only to allow object-storage clients that only speak the de-facto "S3-compatible" object-storage API, to interact with Google Cloud Storage, authed as a given user? That's the kind of thing that using Google as your IdP gets you.
Github, meanwhile... if you're not using Github Enterprise, you can't even sync team memberships from your enterprise directory, so you have to grant your HR people org admin(!) access, so that they can grant and revoke team memberships during employee onboarding/offboarding.
If you're an oppressed freedom fighter you have to self-host everything. No aaS will ever pass your risk management and they especially can't afford to do so on the free plan.
If you don't want your technology to have a proprietary stack, then definitely check out Nebula[1]. It's very easy to set up and works very well in my experience.
Did the OP get bumped or something? I could have sworn that I read these exact comments the other day, and hn.algolia.com says it was posted 2 days ago[1], along with the comments. Am I having a stroke?
You're definitely not having a stroke. Here is another thread discussing the same thing. I specifically remember the 'polycule' comments. It was my first time learning about that word.
I have not tried ZeroTier yet but have come across it quite a bit lately. What advantages if any would you say it has compared to just running a simple Wireguard VPN into your remote network?
It very much needs an identity provider, only they implement it themselves instead of outsourcing it to Google/MS.
On Tailscale you also need to whitelist machines in the web console. There's probably an automated way to do it as well but I haven't looked into it since I only use it for a few static hosts.
I've migrated from ZT to TS about a year ago because ZT was much slower (network bandwidth-wise) and CPU-intensive than Tailscale on my setup. YMMV.
You can self-host the ZeroTier controller, which is the identity provider, and you can do so without breaking interoperability with the rest of the network.
Yeah. What tailscale is doing here seems like a great way to make networking even more fragile than it already is. I've checked out tailscale on occasion but always return to zerotier. I personally run my own zerotier infra. And standing up roots is relatively easy after you get through it once.
What’s a polycule in this context? Apparently it’s a polyamorous relationship group but I don’t see how Tailscale is particularly useful there so it must mean something else.
I actually don't think it does mean something else. iliana is quite technical; I would imagine that they relate to other technical folk. I have little network services I've shared with friends before, perhaps they do something similar.
I believe that the author is literally polyamorous, has a community of romantic partners that they refer to as a "polycule", and wishes to operate a VPN exclusively for members of that community.
Haha well, in defence of the site, it’s literally just me who got it wrong. Other people downvoted my initial comment because it must have been obvious to them.
I have to say I was a little afraid at the end that I might have inadvertently offended someone.
Headscale isn't really anywhere near as useful until there's an iOS client. Even one you have to compile yourself and use a developer key to load would be better than none at all.
I've seen HN do this once before. It took a post from a day ago and changed all the timestamps to be "current time minus a few minutes". It was this thread [1], specifically the first two comments in this subthread [2] had their timestamps faked. The third comment is from after it had been resurrected with the fake timestamps.
On both threads it says 4 hours ago. I thought I was going insane because I remember googling Netmaker at the time, and it definitely wasn't today. Clicking into their profile shows the comment '1 day ago'
It is not obvious to somebody trying it out that even if they switch up to a paid subscription, they would still depend on dodgy third parties to authenticate.