I've been using Tailscale for a couple of personal use cases and it has become one of my favorite products. It really simplified my setup and it "just works".
That said, I share OP's concerns as someone who has been evaluating alternatives to Google Workspace and Office 365. It is understandable that they may be prioritizing a B2B model, a decision which may be at odds with users like OP and myself. That said, I still recommend it to teams/people who do not share this concern.
I hesitate investing further than my current setup because of this reason and I've been investigating whether Headscale/ZeroTier fit the bill. It is a shame because it is such a great product and it has been a while since I last had an equivalent experience using software.
I share the same concerns. They also had some bizarre and worrying behaviour where anyone signing up with the same domain would automatically be joined to your account, seemingly without any approval steps.
This was ostensibly to allow “corporate” accounts to easily group all users together, but the behaviour relies in the backend on a manually maintained (by Tailscale) list of “shared” domains where this auto-joining behaviour would be bypassed (e.g. @gmail.com) to prevent, say, all Gmail users being grouped into the same account.
Of course this manual list missed some obscure shared email domains and there were users complaining on GitHub that they were unexpectedly seeing other users/machines in their account.
I hope this terrible design decision has now been fixed in some way but it adds to my slight unease at the authentication model being used (along with the OP’s concerns).
Aside from this Tailscale is a great product, but for something focussed on security these sorts of things need to be given a high priority (if they’re not already).
Oh, I wasn't aware of that. That's certainly worrisome considering Tailscale's default configuration for the ACL and authenticating new machines. Fortunately I updated my settings to change the default ACL policy and to manually approve any new machines.
I don’t use Tailscale, I use a competing and currently arguably better product (Netmaker).
Imagine you’re a business building XYZ software product. You build a k8s cluster in one region, but now you need your system also to exist simultaneously in another region for failover reasons. Now you need region A to be able to have replicas in region B in real-time amongst many other requirements and those two networks from each region need to be able to understand and talk to each other with minimal setup and headache. Perhaps network A is set up on DigitalOcean and network B is on AWS or GKE for financial or technical reasons. Example: it’s cheaper to have surplus machine needs on AWS/GKE but you don’t want machines running there all the time because it’s expensive.
Enter Wireguard mesh networking. Ever since kernel Wireguard made it into Linux this is where the endgame has been for cloud deployments. It’s a huge improvement over the previous solutions. Netmaker and Tailscale are two offerings of that solution.
Note that I’m not affiliated with Netmaker at all. Just a quite happy customer.
Interesting. How hard would it be to build your own Tailscale implementation then? Does Tailscale just mostly provide a nice UX and provisioning on top of wireguard-go?
All of these are assuming that at least one end of the tunnel has a (somewhat) static IP and the ability to open an IPv4 port for incoming UDP connections.
If that's you, you probably don't need Tailscale.
But if your scenario is e.g. SSHing from your phone to a Raspberry Pi behind a carrier-grade NAT, it's definitely worth a look.
> 2. Open the WireGuard port to the Internet (don't worry, it's invisible)
Not quite the same. Opening a Wireguard port to the Internet doesn't help if the port is unreachable due to weird NATting.
My home ISP puts me on CGNAT so I have no IPv4 access to my network. If I'm out and on a v4-only network, I can't connect to that Wireguard instance without going through other hoops (like a "bastion" Wireguard peer on a dual-stack host, for instance). With Tailscale, it Just Works.
You're likely going through a Tailscale relay when you're out of your house too. It's still an extra hop through their servers, but yes it "just works".
According to them, not necessarily [0]. They do have relay servers (they call them DERPs) [1] but they're only used in rare situations where UDP is blocked entirely.
I admit I wasn't able to understand most of those explanations so I could be wrong. :)
Yeah, definitely worth mentioning that Wireguard is actually super easy to manually configure, especially if you don't have a bazillion hosts or need to integrate with auth domains. I think a lot of the stuff individuals end up setting up Tailscale/Zerotier for (they obviously have a lot of other stuff going on, but the relevance to individual/small group users may be limited) would be equally well-served by plain old Wireguard.
> "Open the WireGuard port to the Internet (don't worry, it's invisible)"
Thanks. Can you elaborate on how it's invisible? I was looking at the docs and it looks like it defaults to UDP port 51820. Certainly that's visible no?
Wireguard does not reply to invalid connection attempts that don't have an authorized key, so it depends on what your system does for closed ports. If it (as often default) responds with an ICMP message, then the lack of such response will reveal that there is something there, whereas if your default is to silently drop packets to closed UDP ports it can't really be detected.
Since a WireGuard peer only responds to cryptographically authenticated packets and UDP is connectionless — you don't get confirmation at the transport layer by way of a handshake or anything — WireGuard ports are invisible to you unless you own a private key whose corresponding public key is already approved by the peer.
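A constructed Python model of the behaviour the two comments above describe, added here and not taken from the thread: it mimics WireGuard's rule of answering only packets whose mac1 verifies (using a simplified keyed BLAKE2s, not WireGuard's real key derivation) and contrasts what an unauthenticated sender sees when the host's policy for closed UDP ports is ICMP reject versus silent drop.

```python
import hashlib
import hmac
import os

# Stand-in for WireGuard's mac1: a keyed BLAKE2s over the handshake message,
# keyed by a value derived from the responder's public key. This is a
# constructed simplification, not the real WireGuard key derivation.
LABEL_MAC1 = b"mac1----"
MAC_LEN = 16


def mac1_key(responder_pub: bytes) -> bytes:
    return hashlib.blake2s(LABEL_MAC1 + responder_pub).digest()


def build_handshake(body: bytes, responder_pub: bytes) -> bytes:
    """What a legitimate initiator sends: body followed by a valid mac1."""
    mac = hashlib.blake2s(body, key=mac1_key(responder_pub), digest_size=MAC_LEN).digest()
    return body + mac


def wireguard_handle(datagram: bytes, responder_pub: bytes):
    """Reply only when mac1 verifies; otherwise stay silent (return None)."""
    if len(datagram) <= MAC_LEN:
        return None
    body, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
    expected = hashlib.blake2s(body, key=mac1_key(responder_pub), digest_size=MAC_LEN).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # unauthenticated: no response at all, just like a dropped packet
    return b"handshake-response"


def observe(port_state: str, closed_policy: str, datagram: bytes, responder_pub: bytes) -> str:
    """What an outside sender sees from one UDP datagram.
    port_state: 'closed' or 'wireguard'; closed_policy: 'reject' (ICMP) or 'drop'."""
    if port_state == "closed":
        return "icmp-port-unreachable" if closed_policy == "reject" else "silence"
    return "silence" if wireguard_handle(datagram, responder_pub) is None else "reply"


def distinguishable(closed_policy: str, responder_pub: bytes) -> bool:
    """Can a sender without the right key tell the WireGuard port from a closed one?"""
    junk = os.urandom(64)  # constructed: a datagram carrying no valid mac1
    return (observe("closed", closed_policy, junk, responder_pub)
            != observe("wireguard", closed_policy, junk, responder_pub))
```

With a reject policy the closed port answers with ICMP while the WireGuard port stays silent, so the silence itself gives the listener away; with a drop policy the two look identical.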
- Ditch my previous VPS + Wireguard setup which I had to maintain
- Easily add/remove my own exit nodes as I wish/need (either using my own devices or any VPS)
- Use my beefy desktop as a remote development setup
- Running syncthing/rclone across all of my devices without relying on relay nodes or whatever
- Accessing all of my devices remotely
They just make it dead simple to run your network without worrying as much about opening yourself to the internet. I know you can achieve this without Tailscale but they just make it so easy. Their ACL system is pretty easy to configure and you can even add assertions to it.
I use it to replace ssh tunnels. I used to have a couple of ports open on my office router I would ssh through. I closed those off and use tailscale on a single machine in my office as a subnet router.
Now when I am at home or travelling, I have direct access to my test database, VMs and remote desktops without having to tunnel those ports.
When they say zero conf they mean it. Truly impressive product. I could get away with the free version, but I was so impressed that I paid for it.
Can it really work if the server doesn't have a public IP? It works if the server blocks all incoming traffic, but doesn't it have to be routable? It can of course work via DHCP, but I would consider my devices at home still to have a public IP, even if they share it.
As I wrote, I'd consider being behind a NAT still having a public IP. It's a shared one but any web page will be able to see a public IP associated with this machine. That's different from servers that have no public IP and must route all traffic through a proxy.
If you consider devices behind a NAT to have a public IP, then yes, it needs a public IP. Really, it just needs to be routable to the internet. Tailscale handles the NAT busting and p2p handshake, while the nodes directly talk to each other (over WireGuard).
Maybe you can. My partner, who'd just like to look at the cute kitten pictures I added to our shared photo album, definitely can't. My dad who just wants to throw a genealogy file on my fileserver can't, either.
Yes, and anytime someone points out that existing tech works, someone pulls out the Dropbox comment as if it proves that every new shiny is better than the existing options.
In any event, if you're working with people who are technical enough to handle Tailscale, you can stick the ssh one-liner in a script file and tell them to double-click it to launch the tunnel. Or use a graphical SSH client with a port-forwarding profile, if that's what you like. Tailscale has real advantages, but I'm skeptical of ease of use really being one.
You didn't point out that "existing tech works". You pointed out that you can achieve a rough facsimile with existing tech, provided you're willing to invest significantly more energy. That is the essence of the dropbox comment. Of course you can solve it with existing tech, but it takes a bunch of effort and is by far not as smooth. The achievement is not the technology itself.
You can be skeptical about ease of use all you want, but "Log in with an IdP you already log in to, and then just open the site" is miles easier than "just launch the tunnel via script" and all the debug steps that invariably come when the tunnel malfunctions.
I know this is hard to see when, to you, running an ssh tunnel is second nature. But if I gave my family a "graphical SSH client with a port-forwarding profile", they'd rightfully yell at me. These are steps they neither want to nor need to be comfortable with. And, heck, it's easier for me too. One less thing to worry about.
Somebody is running a whole bunch of infra for me, and has spent a whole lot of time addressing all the edge cases that "one-liner script" doesn't address. I happily pay money for that, any time.
> you can stick the ssh one-liner in a script file
Which ssh one-liner? You can't ssh into a machine that's not publicly reachable without some more hoops. I thought that was one of the points of Tailscale, taking care of the Wireguard "advanced" setup.