
What does it give you that Wireguard doesn't (or OpenVPN)? Just easier to configure + setup + a nice UI? Just making sure I'm not missing something, not trying to knock Tailscale.

Do the "minimalist" people have good reason to prefer "anything-else" other than "heavy feature-rich Tailscale"?




Yeah, I think "Just" is doing a lot of heavy lifting in that question :)

I've never configured Wireguard from scratch but I have managed an OpenVPN deployment in the past. One of the most fabulous aspects of Tailscale is that it's very self-served; we configured our Tailscale account to allow email addresses from our main domain name with O365 integration. When someone wants to bring a new node online, they log in with their O365 credentials and magically new keys are assigned to the node and associated with the user who created them. In the past with the OpenVPN deployment, it would usually take me 15-30 minutes to get a new node online (generating keys, getting them handed off to the user, helping them debug, etc); now it takes me 0 minutes because the user can just generate their own keys and I can be completely hands off, while still having a nice view that I can use to revoke keys if needed.


To be fair, Wireguard is incredibly easier to setup and maintain than OpenVPN, pretty much not comparable. I don't know how easy it is with Tailscale though so I can't comment as to how much harder Wireguard is compared to it.


I haven't tried setting up Wireguard manually but just had a scroll through this page: https://www.wireguard.com/quickstart/

In comparison here's the Tailscale setup instructions: https://tailscale.com/download/linux. If you're into running shell scripts that you pull with curl, you can set up Tailscale on a new node with:

    curl -fsSL https://tailscale.com/install.sh | sh
    sudo tailscale up

This will present you with a login link that you can open with a browser on another machine (I frequently install Tailscale on embedded systems), log in with your company SSO, and the node magically comes up. No server access required, no public/private keys need to get copied anywhere, it Just Works.

I will probably try playing with naked Wireguard at some point for my own home network (since the Tailscale client doesn't seem to handle two orgs at the same time very well).


Certainly, don't use OpenVPN in 2023 if you can avoid it. WireGuard is much faster and more secure, and significantly easier to set up.

If you're a home user, the advantage to Tailscale is that it's going to "just work", with a couple clicks, on any supported device (of which there are lots). There's no configuration to get started and, for a lot of users, no configuration ever after that. The onboarding experience is spooky; it's upsettingly good.

If you're a corporate user, the advantages are drastically greater: you get SSO integration (this is historically one of the annoying pain points of corporate access VPNs, to the point where a significant fraction of pre-Tailscale netsec teams just punted on this problem and hand-provisioned VPN creds for people, which is a nightmare) and trivially simple group-based access control.


The combination of 'it just works' and 'SSO integration' is a killer.

To be honest, in 20+ years of working in IT, I never understood the point of the latter until recently, on a gig salvaging systems for a client with ~650 users after their sole IT guy unexpectedly resigned after 20 years and left for the mountains.

IRL, SSO is gold. Many hackers, like me, underestimate it.


And not just SSO, but OIDC. You don't even have to be an admin on your domain to set it up. If you have a Gmail or Office 365 e-mail address @mycorp.com, you can set up SSO for it on your tailnet in seconds. Your team members authenticating for the same domain will join your tailnet automatically.

And that's for the free and cheap tier. If you want the fancy stuff (like SAML and automatic user provisioning / filtering), they've apparently got that, too, but it's in the more expensive tiers.


SSO is basically tablestakes for compliance: customers would ask about your access control (or just if you have _that_ audit report, which has a lot of questions about it).

And trying to do access control without SSO is crazy: you need to keep track of application and users and their interactions. I wouldn't run any team with more than 10 people without it.


Worth pointing out that "just use Wireguard" is way different than "just use Tailscale". The latter has solutions for common problems, the former is not even remotely comparable feature-wise to OpenVPN. If the only choice is between OpenVPN or Wireguard, often OpenVPN is the only acceptable option, because it has all the features you need.


And if you are working for the military or a bigco you should use StrongSwan.


>What does it give you that Wireguard doesn't (or OpenVPN)? Just easier to configure + setup + a nice UI? Just making sure I'm not missing something, not trying to knock Tailscale.

I personally haven't deployed it though I've toyed with it, but I think as well as UI and integrations a core topology differentiator is that, like Nebula, Tailscale does/can do meshing. Plain vanilla Wireguard is pure classic hub-and-spoke, which is 100% fine for a basic VPN use case like "I'm out somewhere on the WAN and want to talk to this LAN stuff" or "I want to tunnel some/all my traffic through some specific alternate exit".

But say you've got main site A which has a public static IP and is where support is for administrating others, site B which has a full backup server but no public IP, and then sites C/D/E/etc where people are doing work and having significant on-site storage and comms needs, all of which are behind typical ISP NAT from multiple different ISPs with no static IPs. Everyone wants to be able to do high bandwidth things like video chat directly together, or back up/restore to site B. Plain WG could do that, but would funnel it all through site A's link which isn't very scalable and likely to become a choke point in a hurry. A meshing VPN can let two private sites talk directly with a public address only serving to facilitate hole punching and setting up the connection each time. It's definitely of real value. Another thing would be not bandwidth but latency. If you're within a few hundred miles on land that probably is irrelevant. But if different sites/people are across continents adding an unnecessary extra hop may become a very big deal even for simple web apps. Resiliency also enters the equation, what if site A goes down? A mesh can help with those too.

Then Tailscale adds a lot of cool QoL on top. Meshing does raise new challenges in terms of access control vs when everything is funneled through a single convenient point. But regardless, other topologies can be of basic interest too even without extra sugar.


> Wireguard is pure classic hub-and-spoke

No it's not. You can do any to any just fine (and any topology in between these extremes).


Nice job skipping the explicit qualifier of "plain vanilla"? Being able to build your own version on top isn't the same as an existing tested product.


Not sure what you mean by "on top". All you need is to configure not just a single endpoint in each node's wireguard config, but all of them. That's still as vanilla and as "tested product" as it gets. It's just a regular wireguard configuration.


You can do any to any just fine [open NAT ports, run your own distributed fallback network of TURN/STUN relays, add the adequate routing entries to your routing tables on both sides, exchange certificates, all of this for every extra N connections], you just probably don't want to do (and then fix if it doesn't work or stops working) that if N is too big.
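The topology point argued over in this subthread (spokes listing only the hub versus every node listing every other peer, and why two NAT-only sites cannot reach each other with WireGuard alone), as an added Python example that is not from any commenter; node names, keys, addresses and the tunnel subnet are constructed placeholders.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional

VPN_SUBNET = "10.77.0.0/24"  # constructed tunnel subnet for this example


@dataclass(frozen=True)
class Node:
    name: str
    pubkey: str               # base64 WireGuard public key (placeholders below)
    vpn_ip: str               # this node's address inside the tunnel
    endpoint: Optional[str]   # public host:port, or None behind ISP NAT with no static IP


def peer_block(peer: Node, allowed: str) -> str:
    """One [Peer] section as it would appear in a wg-quick config file."""
    lines = ["[Peer]", f"# {peer.name}", f"PublicKey = {peer.pubkey}", f"AllowedIPs = {allowed}"]
    if peer.endpoint:
        lines.append(f"Endpoint = {peer.endpoint}")
    else:
        # No reachable address: this peer has to initiate the handshake itself.
        lines.append("# no Endpoint: peer must initiate")
    return "\n".join(lines)


def hub_and_spoke(nodes: List[Node], hub: str) -> Dict[str, List[str]]:
    """Spokes know only the hub and route the whole subnet through it;
    the hub knows every spoke (and must have IP forwarding enabled)."""
    hub_node = next(n for n in nodes if n.name == hub)
    assert hub_node.endpoint, "the hub needs a public endpoint"
    cfg: Dict[str, List[str]] = {}
    for n in nodes:
        if n is hub_node:
            cfg[n.name] = [peer_block(s, f"{s.vpn_ip}/32") for s in nodes if s is not hub_node]
        else:
            cfg[n.name] = [peer_block(hub_node, VPN_SUBNET)]
    return cfg


def full_mesh(nodes: List[Node]) -> Dict[str, List[str]]:
    """Every node lists every other node: N*(N-1) peer entries to maintain in total."""
    return {n.name: [peer_block(p, f"{p.vpn_ip}/32") for p in nodes if p is not n] for n in nodes}


def unreachable_pairs(nodes: List[Node]) -> List[tuple]:
    """Pairs where neither side has a public endpoint: plain WireGuard cannot connect
    them directly, which is the gap NAT traversal and relays (DERP/TURN) fill."""
    return [(a.name, b.name) for a, b in combinations(nodes, 2) if not a.endpoint and not b.endpoint]


SITES = [  # constructed sample: one site with a static IP, three behind NAT
    Node("siteA", "A_PUBKEY_PLACEHOLDER=", "10.77.0.1", "a.example.net:51820"),
    Node("siteB", "B_PUBKEY_PLACEHOLDER=", "10.77.0.2", None),
    Node("siteC", "C_PUBKEY_PLACEHOLDER=", "10.77.0.3", None),
    Node("siteD", "D_PUBKEY_PLACEHOLDER=", "10.77.0.4", None),
]
```

With the sample sites, the mesh produces twelve peer entries to distribute and leaves three site pairs with no direct path at all, while hub-and-spoke needs four short configs but sends every B/C/D exchange through siteA.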


Yes. I may also run it on top of IPv6 and not care about all that, except for public key distribution.


IPv6 when it works is awesome.

However, outside some well-connected datacenters with multiple peering exchanges, I have no clue where in the world you can run everything in IPv6 with even a single nine in availability.

On my home I would say assuming single nine availability of IPv6 traffic is too much availability - it's very common that IPv6 is borked for several months in a row.


It does OIDC integration out-of-the-box and for their free and cheap tiers. OIDC is like the "login with Google" stuff that doesn't require any setup. So I was able to have SSO set up immediately with our Office 365 domain without bothering to set up SAML or anything.

The VPN clients for Mac and iOS are on the App Store, which may not mean much, but having developed VPN apps for both, what it means is: it is far less likely to break or muck with your OS's networking in practice because it's sandboxed and can only use Apple's SDK for interfacing with the OS. This is compared to every OpenVPN client I've used on various platforms, which must run as root and often sets up and tears things down with shell scripts that can get hairy as you add more complexity / moving parts.

(Note that this is also true for Wireguard's client, just not OpenVPN)

The first three users are always free, so we're able to demo it easily. It's also listed on AWS marketplace, so as we move to start buying some licenses, it's billed through our AWS bill (i.e. I don't need an act of Congress to get a credit card number entered and a new monthly invoice reconciled within my company).

You can configure how often it forces reauthentication, which is probably the biggest benefit over vanilla Wireguard. Wireguard doesn't have mechanisms for expiring and replacing keys, so it solves that.

There's also an open source implementation of the master service (called headscale) that you can run on your own, and I was able to fairly easily set it up and get the existing Tailscale apps from the App Store to be reconfigured to utilize.

Honestly it's the cleanest VPN experience I've had if you need to deal with any kind of SSO and/or dynamic user/client provisioning. If you're just setting up point-to-point between a few of your own servers and clients that won't change, maybe just stick to Wireguard. But once you start needing anything more than that--I'd give Tailscale a shot first.


We also just adopted Tailscale for our org and I can answer that one:

SSO for Auth: before we had to go through the key exchange process for every employee and then manually update the Gateway's wg conf. Now it’s just: login here with your work account and you’re done.

Authorization config: I like the ACL abstractions on top of Wireguard. It’s a part that is completely missing and building it yourself would be a nightmare. I also don’t want to manage iptables for every device.

All of the nice little features that they provide:

Funnel
Kubernetes operator
Magic DNS


> What does it give you that Wireguard doesn't

Less battery life on your iPhone. :)

I have both in my home network and love both.

At work, I have used Tailscale in my Kubernetes clusters to allow devs to get into the private subnets, so that is awesome, and way better than trying to give a group wireguard key pairs.


Yes, the battery drain on iOS is also the thing stopping me from having it on my iPhone. Wireguard is way better in that regard, but has other issues (e.g. no split dns, no dns re-resolve for dyndns or for network changes).

Other than that tailscale is really great. It just works.


Yep, I have my Wireguard client connect when I am off my network and I split DNS so I can continue to use my ad blocker when off my network and on the macro network. For that it is perfect.


You can set it up on most of your devices, including mobile, with a couple clicks/taps, without having to read any manpages. You can achieve having e.g. an Apple TV as a VPN network gateway with similar ease.

A technical person who’s familiar with what a VPN is and does but has never configured one can have it working on a bunch of their devices in like 30 minutes flat, with no notable ongoing maintenance to worry about.

If you’re already configuring your home networking with Ansible or Helm or something, it’s probably not a win.


https://tailscale.com/compare/wireguard/

Here is what I will say. I manually set up wireguard for my home network, it was annoying but doable. Then when tailscale started to get interesting I just decided to try it out using a free account and rolled back my wireguard configuration... and never went back. It's so much less fiddly.


Tailscale is basically automation and authentication/authorization and UI on top of Wireguard. You could do it all manually, but you'll need to know the details of how to configure raw wireguard exactly how you need it, which for many people is above their heads. There are a lot of things that tailscale automates, so you have to know a great deal in order to configure a wireguard net yourself to the equivalent.


My mum could probably install it on her phone, and configure an exit on her computer, without knowing what Wireguard or `-j MASQUERADE` means ;)


For me the key additions are: 1) integration with our org Identity Provider 2) NAT traversal + DERP relay fallback 3) Tailscale’s ACL functionality.



