undefined | Better HN

0 pointsmiki1232111y ago0 comments

Even better, set up Tailscale.

It's far easier to set up, is much more reliable (e.g. when devices are behind firewalls), and uses direct (encrypted) connections when possible.

You can get it to do what you want with just a few clicks. Things like exposing a IoT VLAN on your Tailnet or setting up an exit node to tunnel all internet traffic through your home are super easy. You can even share specific devices with friends, which is super useful. If you have anything particularly sensitive (e.g. a notes app that you wouldn't want your children / partner to have access to), you can limit access to specific users / devices on the TS side, without bothering with implementing auth.

I think there's even a way to look up the user and device based on their IP, which is one way to add painless authentication to your apps. There are reverse proxies that do it and inject the info as HTTP headers.

If you aren't comfortable with trusting them with control over your network, you can always host your own Headscale server.

0 comments

23 comments · 7 top-level

nine_k1y ago· 5 in thread

What makes Tailscale more secure, or more reliable, than just a direct Wireguard tunnel?

Tailscale's complexity and features make sense when you have 200 nodes, or maybe 20 nodes at least. When you have 3-5 nodes, I think it's overkill, and a bunch of extra dependencies which may fail, and lock you out of your private nodes when you need it most.

supermatt1y ago

The benefit of Tailscale is that it gives you “lots” of wireguard tunnels that work through NAT with near zero configuration and a central admin interface.

I use a personal plan and have multiple nodes. Desktop, laptop, tablet, phones, docker containers just for me and a couple of raspberry Pis on my families home networks.

Only once have I been “locked out” of a node and that was due to an expired key.

Sure, for just connecting one node to another with a known IP and accessible port it’s overkill, but for anything more complex it an awful lot of awesome for very little effort.

wltr1y ago

I second this, and want to highlight that only recently I learned about this similar project called netbird. I tried it, and it looks and works very similarly from the first glance. However, Magic DNS like feature did not work for me, for some reason. Maybe I need to do something, e.g. to enable it. More likely there are others, similar projects, but I’m not aware of them. By this point I stayed with Tailscale, but in any case, I see such project as of tremendous help for a self-hoster.

pcpuser1y ago

NAT busting, and no key management. What extra dependencies does Tailscale have?

akerl_1y ago

Well, the dependency on Tailscale's servers, for one. You're getting that NAT-busting because Tailscale is running servers to handle that for you, and you're getting around key management by having them manage your keys and overlay their own auth layer for you.

3 more replies

nine_k1y ago

How do you identify yourself to Tailscale?

2 more replies

rtrgrd1y ago· 5 in thread

Or, for those who are paranoid about relying on a company, setting up headscake is relatively quick and painless too - currently using it to sync between devices across multiple cities.

GCUMstlyHarmls1y ago

headscale*

https://headscale.net/stable/

https://github.com/juanfont/headscale

rtrgrd1y ago

Thanks for picking that up - fat fingers

krick1y ago

Should I be paranoid? I never tried Tailscale, and the idea of trusting 3rd party with managing access to my network does give me chills. But IDK, honestly, maybe it's silly? Is it in all honesty less likely that I'll fuck things up setting my own Headscale server, than that Tailscale™ will (consciously or otherwise) fuck me up?

simplesocieties1y ago

Tailscale has made all of their client source code available for anyone to view so if you want to confirm that you’re not sending unencrypted data or keys through their servers you’re more than free to do so.

https://github.com/tailscale/tailscale

I think there is some merit to setting up wireguard (e.g. you want more devices than what Tailscale offers for free, or their servers become unreliable for some reason)

But people who push the “scarey boogeyman will look at your data” with Tailscale are either technically illiterate or overly-paranoid.

2 more replies

spookie1y ago

If you got yourself into self hosting, you might as well go fully independent. You have already taken care of the most complicated part anyways.

dankebitte1y ago· 4 in thread

> If you aren't comfortable with trusting them with control over your network

Wrt the possibility of Tailscale being compromised, there's the in-beta tailnet lock feature:

> Tailnet lock lets you verify that no node is added to your tailnet without being signed by trusted nodes in your tailnet. When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can't send or receive traffic in your tailnet. [1]

[1] https://tailscale.com/kb/1226/tailnet-lock

cypherpunks011y ago

Thanks for the tip!

I've had the Device approval setting on, and wished there were more robust lock features, but not enough to want to run my own coordinator. So Tailnet lock seems like a good security upgrade.

ra1y ago

The pricing page suggests this is only for the "enterprise" plan.

dankebitte1y ago

Not sure which page you're referencing, but the linked page states it's available for Personal (free) as well:

> Tailnet lock is available for the Personal, Personal Plus, and Enterprise plans.

supermatt1y ago

It is definitely on personal as I use it myself.

ycombinatrix1y ago· 1 in thread

Tailscale is a VPN, how is it "better" than using a VPN?

newdee1y ago

Tailscale is more than just a VPN. It has a number of features and capabilities which make it more like a private overlay network that just seems to work wherever and whenever. Some of those features; WireGuard (the VPN bit), NAT punching, automatic key distribution, ACLs, split or full tunnel routing to internet resources, SSO. Just to name a few.

throaway9201811y ago· 1 in thread

For the most part I like Tailscale, but there's weirdness on Android with their app + Private DNS.

midasz1y ago

This is also my big frustration. I've set it to an Adguard instance that's also on tailscale and the app keeps getting into a faulty state. I've been looking into hosting the Adguard instance on the open web and securing it another way but bit short on time lately.

theshrike791y ago

Unraid added native Tailscale support in 7.0, now you can just add an "app" (a docker container) and tick a checkbox and it'll appear in your tailnet directly.

airtonix1y ago

or zerotier

j / k navigate · click thread line to collapse

0 comments

23 comments · 7 top-level

nine_k1y ago· 5 in thread

What makes Tailscale more secure, or more reliable, than just a direct Wireguard tunnel?

supermatt1y ago

The benefit of Tailscale is that it gives you “lots” of wireguard tunnels that work through NAT with near zero configuration and a central admin interface.

I use a personal plan and have multiple nodes. Desktop, laptop, tablet, phones, docker containers just for me and a couple of raspberry Pis on my families home networks.

Only once have I been “locked out” of a node and that was due to an expired key.

Sure, for just connecting one node to another with a known IP and accessible port it’s overkill, but for anything more complex it an awful lot of awesome for very little effort.

wltr1y ago

pcpuser1y ago

NAT busting, and no key management. What extra dependencies does Tailscale have?

akerl_1y ago

3 more replies

nine_k1y ago

How do you identify yourself to Tailscale?

2 more replies

rtrgrd1y ago· 5 in thread

Or, for those who are paranoid about relying on a company, setting up headscake is relatively quick and painless too - currently using it to sync between devices across multiple cities.

GCUMstlyHarmls1y ago

headscale*

https://headscale.net/stable/

https://github.com/juanfont/headscale

rtrgrd1y ago

Thanks for picking that up - fat fingers

krick1y ago

simplesocieties1y ago

https://github.com/tailscale/tailscale

I think there is some merit to setting up wireguard (e.g. you want more devices than what Tailscale offers for free, or their servers become unreliable for some reason)

But people who push the “scarey boogeyman will look at your data” with Tailscale are either technically illiterate or overly-paranoid.

2 more replies

spookie1y ago

If you got yourself into self hosting, you might as well go fully independent. You have already taken care of the most complicated part anyways.

dankebitte1y ago· 4 in thread

> If you aren't comfortable with trusting them with control over your network

Wrt the possibility of Tailscale being compromised, there's the in-beta tailnet lock feature:

[1] https://tailscale.com/kb/1226/tailnet-lock

cypherpunks011y ago

Thanks for the tip!

I've had the Device approval setting on, and wished there were more robust lock features, but not enough to want to run my own coordinator. So Tailnet lock seems like a good security upgrade.

ra1y ago

The pricing page suggests this is only for the "enterprise" plan.

dankebitte1y ago

Not sure which page you're referencing, but the linked page states it's available for Personal (free) as well:

> Tailnet lock is available for the Personal, Personal Plus, and Enterprise plans.

supermatt1y ago

It is definitely on personal as I use it myself.

ycombinatrix1y ago· 1 in thread

Tailscale is a VPN, how is it "better" than using a VPN?

newdee1y ago

throaway9201811y ago· 1 in thread

For the most part I like Tailscale, but there's weirdness on Android with their app + Private DNS.

midasz1y ago

theshrike791y ago

Unraid added native Tailscale support in 7.0, now you can just add an "app" (a docker container) and tick a checkbox and it'll appear in your tailnet directly.

airtonix1y ago

or zerotier

j / k navigate · click thread line to collapse