undefined | Better HN

0 pointsjohnisgood2mo ago0 comments

Tailscale does not solve the "falling behind on updates" problem, it just moves the perimeter. Your services are still vulnerable if unpatched: the attacker now needs tailnet access first (compromised device, account, or Tailscale itself).

You have also added attack surface: Tailscale client, coordination plane, DERP relays. If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.

WireGuard gives you the same "no exposed ports except VPN" model without the third-party dependency.

The tradeoff is convenience, not security.

BTW, why are people acting like accessing a server from a phone is a 2025 innovation?

SSH clients on Android/iOS have existed for 15 years. Termux, Prompt, Blink, JuiceSSH, pick one. Port N, key auth, done. You can run Mosh if you want session persistence across network changes. The "unlock" here is NAT traversal with a nice UI, not a new capability.

0 comments

Galanwe2mo ago

> BTW, why are people acting like accessing a server from a phone is a 2025 innovation?

> SSH clients on Android/iOS have existed for 15 years

That is not the point, Tailscale is not just about having a network connection, it's everything that goes with. I used to have OpenVPN, and there's a world of difference.

- The tailscale client is much nicer and convenient to use on Android than anything I have seen.

- The auth plane is simpler, especially for non tech users (parents, wife) whom I wish to access my photo album. They are basically independent with tailscale.

- The simplicity also allows me to recommend it to friends and we can link between our tailnet, e.g. to cross backup our NAS.

- Tailscale can terminate SSH publicly, so I can selectively expose services on the internet (e.g. VaultWarden) without exposing my server and hosting a reverse proxy.

- ACLs are simple and user friendly.

johnisgoodOP2mo ago

You are listing conveniences, which is fair. I said the tradeoff is convenience, not security.

> "Tailscale can terminate SSH publicly"

You are now exposing services via Tailscale's infrastructure instead of your own reverse proxy. The attack surface moved, it did not shrink.

twelvedogs2mo ago

> Tailscale does not solve the "falling behind on updates" problem, it just moves the perimeter.

nothing 100% fixes zero days either, you are just adding layers that all have to fail at the same time

> You have also added attack surface: Tailscale client, coordination plane, DERP relays. If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.

you still have to have a vulnerable service after that. in your scenario you'd need an exploitable attack on wireguard or one of tailscale's modifications to it and an exploitable service on your network

that's extra difficulty not less

johnisgoodOP2mo ago

The "layers" argument applies equally to WireGuard without Tailscale. Attacker still needs VPN exploit + vulnerable service.

The difference: Tailscale adds attack vectors that do not exist with self-hosted WireGuard: account compromise, coordination plane, client supply chain, other devices on your tailnet. Those are not layers to bypass, they are additional entry points.

Regardless, it is still for convenience, not security.

twelvedogs2mo ago

yeah i agree, it's less secure than just wireguard + self hosted, to be honest i didn't thoroughly read your original comment

j / k navigate · click thread line to collapse

0 pointsjohnisgood2mo ago0 comments

You have also added attack surface: Tailscale client, coordination plane, DERP relays. If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.

WireGuard gives you the same "no exposed ports except VPN" model without the third-party dependency.

The tradeoff is convenience, not security.

BTW, why are people acting like accessing a server from a phone is a 2025 innovation?

0 comments

Galanwe2mo ago

> BTW, why are people acting like accessing a server from a phone is a 2025 innovation?

> SSH clients on Android/iOS have existed for 15 years

That is not the point, Tailscale is not just about having a network connection, it's everything that goes with. I used to have OpenVPN, and there's a world of difference.

- The tailscale client is much nicer and convenient to use on Android than anything I have seen.

- The auth plane is simpler, especially for non tech users (parents, wife) whom I wish to access my photo album. They are basically independent with tailscale.

- The simplicity also allows me to recommend it to friends and we can link between our tailnet, e.g. to cross backup our NAS.

- Tailscale can terminate SSH publicly, so I can selectively expose services on the internet (e.g. VaultWarden) without exposing my server and hosting a reverse proxy.

- ACLs are simple and user friendly.

johnisgoodOP2mo ago

You are listing conveniences, which is fair. I said the tradeoff is convenience, not security.

> "Tailscale can terminate SSH publicly"

You are now exposing services via Tailscale's infrastructure instead of your own reverse proxy. The attack surface moved, it did not shrink.

twelvedogs2mo ago

> Tailscale does not solve the "falling behind on updates" problem, it just moves the perimeter.

nothing 100% fixes zero days either, you are just adding layers that all have to fail at the same time

that's extra difficulty not less

johnisgoodOP2mo ago

The "layers" argument applies equally to WireGuard without Tailscale. Attacker still needs VPN exploit + vulnerable service.

Regardless, it is still for convenience, not security.

twelvedogs2mo ago

yeah i agree, it's less secure than just wireguard + self hosted, to be honest i didn't thoroughly read your original comment

j / k navigate · click thread line to collapse