I’ve read a lot of recommendations for Tailscale and am on my way to try it out myself. Do you use Tailscale in the “normal” way or do you host your own Headscale server (as I’m planning to do)? Any pros and cons?

  • @sn0opy
    1 year ago

    I use Tailscale as is. Mainly to connect to my devices but also for fancy stuff like this:

    Some of my servers are only available via Tailscale. They don’t have any open ports to the internet. Even authentication to these servers via SSH is handled by Tailscale SSH.

    I have some SMB shares on my local server and I gave access to it to some friends via Tailscale by sharing said server and locking it down with ACLs. So people that have “shared” access can only access the server via SMB’s ports.

    One more thing I wanted to use but then stopped screwing around with it: Tailscale Funnel. I wanted to access some local webservices on my server via the internet without connecting to Tailscale first but also without opening ports on my local router. The downside of Funnel: no custom domains (yet). This means I would have to use their Tailnet name instead. Instead I went with Cloudflare Tunnel.

    One more thing that was annoying with Funnel: I wanted to use tsnet for quick file shares via a very basic HTTP server. Tsnet created “virtual” machines within my Tailnet which I could then funnel to the internet. Unfortunately, Tailnet DNS propagation is absurdly slow. It’s not really made for on-demand funnel usage. It would work just fine while being connected to the Tailnet via Tailscale, but not via Funnel over the internet.

    All in all, I’m super happy with Tailscale. Setting things up was so absurdly easy and it just works.

    • @AlecStewart1st
      1 year ago

      I’m curious, what’s the benefit of using Tailscale over setting up Wireguard yourself? Is it just not having to do all of the setup? Or do I misunderstand what the main use of Tailscale is?

      • Bilbo
        1 year ago

        The main benefits of Tailscale are:

        • It solves the key distribution problem. If you have multiple Wireguard hosts in a mesh infrastructure, it can be tricky to change or remove a key quickly and consistently. No benefit if it’s only a single tunnel between 2 hosts.
        • It provides STUN/DERP services to connect hosts behind firewalls or NAT, without opening ports or redirections.

        Tailscale also provides more advanced services or configuration helpers, such as file sharing (in alpha), ACLs…
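The key distribution problem described in this comment, as an added example that is not part of the original thread: on a hand-built WireGuard mesh, removing a device means deleting its public key from every other host's config, and this check finds hosts where that was missed. All host names and keys are constructed placeholders.

```python
# Added example. Hosts and keys below are constructed placeholders.
LAPTOP_KEY = "LAPTOP_PUBKEY_PLACEHOLDER="  # key of the device being removed

MESH = {  # hostname -> contents of that host's WireGuard config (constructed)
    "nas": """[Interface]
PrivateKey = NAS_PRIVKEY_PLACEHOLDER=
[Peer]  # vps
PublicKey = VPS_PUBKEY_PLACEHOLDER=
""",
    "vps": """[Interface]
PrivateKey = VPS_PRIVKEY_PLACEHOLDER=
[Peer]
PublicKey = NAS_PUBKEY_PLACEHOLDER=
[Peer]  # laptop: forgotten during cleanup
PublicKey = LAPTOP_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.0.0.3/32
""",
    "desktop": """[Interface]
PrivateKey = DESKTOP_PRIVKEY_PLACEHOLDER=
[Peer]
PublicKey = NAS_PUBKEY_PLACEHOLDER=
# PublicKey = LAPTOP_PUBKEY_PLACEHOLDER=
""",
}

def parse_peers(conf_text):
    """Return each [Peer] section as a dict. The header repeats once per peer,
    which configparser rejects, so the file is parsed by hand."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # split once: base64 ends in '='
            current[key.strip().lower()] = value.strip()
    return peers

def hosts_still_trusting(mesh, revoked_key):
    """Hosts whose config still lists the revoked public key as a peer."""
    return sorted(h for h, text in mesh.items()
                  if any(p.get("publickey") == revoked_key for p in parse_peers(text)))

print(hosts_still_trusting(MESH, LAPTOP_KEY))
```
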

        • @AlecStewart1st
          1 year ago

          Hmm, I guess my question would be how does this all work? I mean, is it not possible to configure STUN/DERP services yourself? Or add control lists yourself?

          I’m curious as to how all of this is done, not just to see if it’s possible (even if it’d be a headache) but for confirmation. Granted, networking is my worst subject when it comes to anything related to computers. For ACLs, I guess AppArmor and/or SELinux profiles would be configured? The removing a key I can understand why it’d be a nightmare yourself, but how does Tailscale do it where it’s just so simple?

          EDIT: Another question I have is how does Tailscale work when I have a VPN for securing network traffic when browsing the internet etc.? Or is that just seamless?

          • Bilbo
            1 year ago

            DISCLAIMER: I never used Tailscale. All I know about Tailscale I learned reading their “How it works” blogpost and documentation, because I wanted to understand the hype.

            Since nobody answered your questions, I’ll try my best. Just trust that I spent most of the last 25 years configuring security systems, including but not limited to VPNs.

            > Hmm, I guess my question would be how does this all work?

            See my 2 links above.

            > I mean, is it not possible to configure STUN/DERP services yourself?

            Of course it is, but it will be additional work, that most users are not willing/confident to do and Tailscale provides this service.

            > Or add control lists yourself? […] For ACLs, I guess AppArmor and/or SELinux profiles would be configured?

            Deploying network ACLs on your hosts indeed does not require you to use Tailscale. However they provide a centralised way to manage and deploy them, without worrying about the underlying OS and ACL system. Or even requiring you to have access to the host, it could be an authorised user trying to access your Tailscale network.

            Note: AppArmor/SELinux are more “system/process ACLs”, not directly related to network ACLs. I’m oversimplifying a lot, they’re difficult to describe without knowing your sysadmin skills.

            > The removing a key I can understand why it’d be a nightmare yourself, but how does Tailscale do it where it’s just so simple?

            Simple: they ask you to run an agent on all of your Tailscale hosts and connect to their centralised platform. To paraphrase their blogpost: config management is centralized, but that doesn’t matter because it carries virtually no traffic. It just exchanges a few tiny encryption keys and sets policies. The VPNs and their traffic are a distributed mesh.

            > EDIT: Another question I have is how does Tailscale work when I have a VPN for securing network traffic when browsing the internet etc.? Or is that just seamless?

            I’m not sure I understand this question, so I’ll make an assumption: you’re asking what happens if you run Tailscale on a host that already has a VPN configured to access the Internet.

            Tailscale (and Wireguard under it) is already a VPN solution, and tunneling a VPN inside another VPN is generally discouraged. But as Tailscale is providing STUN/DERP, if they manage correctly the MTU issues and things like that, I don’t see an immediate reason why it should not work at all.

            You can configure Tailscale or Wireguard to create a VPN to access the Internet though.

            Once again, if you try to understand how Tailscale works, please read the links at the start of this post. RTFM, kids!

            On a more personal opinion, I find their solution clever and elegant. If I have the need for a distributed VPN solution in the near future, I will definitely consider it (or Headscale’s). For the moment, I’m fine with all my hosts connecting to my homelab, configuring a Wireguard tunnel for each roaming host, and opening ports and creating rules on my firewall. Compared to IPSec or OpenVPN tunnels, it seems almost too easy each time.
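The centrally managed network ACLs discussed in this comment, and the SMB-only sharing described earlier in the thread, as an added example that is not part of the original posts: a simplified default-deny evaluator over rules in the `acls`/`groups` shape of a Tailscale policy file. The users, the `group:friends` group and the `fileserver` host name are hypothetical, and the real policy engine supports more than this sketch models.

```python
# Added example: simplified model of a default-deny network ACL.
# All names below are hypothetical; nothing matches unless a rule accepts it.
POLICY = {
    "groups": {"group:friends": ["alice@example.com", "bob@example.com"]},
    "acls": [
        # the owner may reach every port on the file server
        {"action": "accept", "src": ["owner@example.com"], "dst": ["fileserver:*"]},
        # friends may reach SMB only
        {"action": "accept", "src": ["group:friends"], "dst": ["fileserver:445"]},
    ],
}

def port_matches(spec, port):
    """spec is '*', a single port, a range 'lo-hi', or a comma-separated mix."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def allowed(policy, user, host, port):
    """True only if some accept rule covers (user, host, port)."""
    groups = policy.get("groups", {})
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        sources = set()
        for src in rule["src"]:
            sources.update(groups.get(src, [src]))   # expand group names
        if user not in sources and "*" not in sources:
            continue
        for dst in rule["dst"]:
            dst_host, _, dst_ports = dst.rpartition(":")
            if dst_host in (host, "*") and port_matches(dst_ports, port):
                return True
    return False                                     # default deny

for who, port in [("alice@example.com", 445), ("alice@example.com", 22),
                  ("owner@example.com", 22), ("mallory@example.com", 445)]:
    print(who, port, allowed(POLICY, who, "fileserver", port))
```
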

            • @AlecStewart1st
              1 year ago

              Interesting, thank you for your response!

              I don’t know why I didn’t think about the fact of having network specific ACLs is probably something we’ve developed since the dawn of the internet.

              Also it makes sense that the configurations would be hosted in one place, and I see what Headscale is for now.

              Maybe I’ll dump my VPN provider for Tailscale or set up a Headscale instance on a VPS some day. I also saw Netbird, which their $8/month plan gives unlimited users. Seems slightly similar to Tailscale.

      • @sn0opy
        1 year ago

        Pretty much that. I don’t want to host „mission critical“ stuff by myself nor do I want to care about backups. With Tailscale I’m just a sign-in away to be able to access all devices connected to it