I was looking for remote access software to help family with their PC and came across RustDesk (https://rustdesk.com/) but it needs a server. Found out it can work without a server if you have Tailscale installed. No fees for any of this and works on many platforms.
Tutorial for Rustdesk + Tailscale setup for remote desktop access: https://www.youtube.com/watch?v=27apZcZrwks
You need to enable IP access on the device you intend to connect to. It's under the security settings in RustDesk.
I've been playing around with it. The iOS RustDesk app is nice, and I've been controlling my Mac Mini at home using my iPad Pro with a Magic Keyboard, and it's shockingly smooth!
Supports various video encoders, various bitrate settings, allows sharing clipboard (though still has an annoying bug where sometimes copying something new into the clipboard doesn't work and only the 2nd attempt works) and the relay is also easy to set up and host, in addition to it being free!
Honestly my favorite software in this space since RealVNC decided they want to be greedy (and since VNC / RDP kinda sucks in my experience).
It's the year 2026 out there. Anything is better than VNC.
The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight WireGuard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.
Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.
It was just blocking new connections. Via SNI. Tailscale's control plane turns out not to care if SNI is sent. Tailscale's app lets you set a custom control plane... like a local proxy that forwards connections to Tailscale's servers without setting SNI.
I've seen this effect in several places, not just my work.
Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.
There's probably a firewall vendor that has a product that does SNI inspection for blocking things like pornhub and the product comes with a list of sites that includes VPN control planes.
EDIT: I figured this out because I brought my laptop from home to do a few things while at work that needed it. I noticed that my Tailscale connection (initially established at home) was working just fine. That's when I realized that it was the initial authentication that was blocked, not the service.
My phone is usually on my tailnet and my iPad is always on it (and using my home exit node), as a result. Using the exit node has a modest but noticeable effect on battery life, but just being connected is maybe 2% of battery a day. Negligible.
Called this out and the security team said no one complains, that there is no use case and they do not want to deal with security risks.
And the ossification continues.
Classic. And this probably works for every complaint. You need an irritated executive.
TCP or TCP and UDP?
SSTP can work if they don't look at the traffic too hard.
Like, when in Asia and the route is to Europe, sometimes it adds weird hops, while when I use an exit-node in Japan, I know I have perfect routing to Japan and from there perfect routing to Europe.
But the Mullvad VPN exit nodes often run into problems like Cloudflare blocking. So I am looking for alternative, not well known providers for exit-nodes.
Sometimes I even dream of sending my Europe traffic via the internal AWS network via regions, but hey...
It's more work, but you can definitely do this. Inter-region traffic still carries egress charges though, so be aware of that in advance. This is a very common pattern in enterprise networking when building cloud-based SDWAN topologies: branch a,b,c connect to hub-1 in us-east-2; branch d,e,f connect to hub-2 in us-west-2; dc1 connects to hub-1 in us-east-2; dc2 connects to hub-2 in us-west-2; services in dc1 and dc2 can reach each other for DR and clients in branch f can reach services hosted in dc1.
Underlying all of these SDWAN technologies is essentially basic site-to-site VPN tunnels. Most still use IPsec, although WireGuard is also used sometimes.
See: https://aws.amazon.com/blogs/networking-and-content-delivery...
Basically if you just link your VPCs in each region with the appropriate routing policies, you can just connect to your preferred VPN server in each region and ultimately get routed correctly. This is what companies with cloud-based SDWAN do for providing SASE services to end-user clients.
I'd bet you'd see a lot of blocking coming from AWS IP pools too.
I pay like 10 euro per month for Tailscale with Mullvad VPN, which has like 50 countries set up with several exit-nodes in each country.
But with blocking. :)
Edit: Noticed some sibling comments asking effectively the same thing as me. I've been meaning to write a blog post covering the basic networking knowledge needed to DIY with just WireGuard. My impression is that many people don't realize just how easy it is or don't have the requisite background information.
Plus, I have the option of spinning up a random EC2 box whenever I want and instantly joining it to the network with basically no fuss.
> WireGuard by itself is mostly the data plane. Tailscale adds the control plane on top: identity/SSO, peer discovery, NAT traversal coordination, ACL distribution, route distribution (including exit node default routes), MagicDNS, and fast device revocation.
I can completely understand using Tailscale for enterprise networks, but it seems very overengineered for my personal VPN needs.
I have a family of four. Plus a couple relatives who like having access to some of my self-hosted stuff. So, that's 6 people, each with at least one phone and one laptop, but probably an iPad too, or an extra work laptop, or something else random. Plus my youngest is addicted to buying old laptops on eBay and switching to them.
You made me curious, so I looked it up: I have 17 machines. Yeah... I'm not going back to plain WireGuard. :D
Yes, but I guess it depends on how much of an adoption barrier/pain you want to deal with. Tailscale's control plane is dead simple and they ship apps on basically every platform so it's easy to onboard mobile devices in addition to anything else. I'm a literal former network engineer with over two decades of experience, and I tried Tailscale randomly one of the first few times it popped up on HN and stuck with it precisely because of how easy it was and how trivial it was to verify the security of my tunnels. Doing this manually is definitely possible on devices you control, but it's not a fun time, and Tailscale is dead simple.
if my mobile provider blocked it as well it would have been completely useless
probably depends on your location a lot though
I haven't used it because I use WireGuard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sort of my information is vulnerable if I use it.
People complain about GitHub being proprietary but I haven't seen much complaint about Tailscale being proprietary.
I assume I'm just being overly paranoid? It's certainly convenient to just sign up and have things just work.
https://github.com/juanfont/headscale
If you can be bothered running the headscale container, you generally don't need to pay for Tailscale. It's been pretty well supported and widely used for a number of years at this point. Tailscale even permits their own engineers to contribute to headscale, as the company sees it as complementary to the commercial offering.
I've been really happy with headscale, but I wouldn't call it a complete drop-in replacement as I would with vaultwarden. Some features (e.g. Mullvad integration, ACL tests, etc.) are missing.
Upgrading also requires upgrading every minor version or you run into db migration issues, but that comes with the territory of running your own instance.
I would recommend folks look up if headscale suits their needs (like it did for me for many years) before switching over.
Check out Nebula (created by Slack) - https://github.com/slackhq/nebula
Fundamentally very similar to Tailscale. I've been using it for years and it has been flawless. It doesn't have as many bells and whistles as Tailscale but it does what it does very well.
And they collaborate with Headscale to provide an open-source coordination server (with, unsurprisingly, a more limited featureset, but it works fine with their closed-source GUI client): https://tailscale.com/opensource#encouraging-headscale
I use the combination myself and it works quite well, but of course is less convenient than using their product (which I also do in a different context). Overall I'm pretty happy with their open-source stance.
As I said on another comment, my use can be tracked by volume and timing, but since I'm only connecting to my house or my in-laws', and using an exit node on one of them, I'm not doing anything with it that I wouldn't do openly from my house. If I were hosting Anna's Archive, it would not do.
As noted by others, Headscale works if you want fully self-hosted. The features it doesn't have aren't important to the typical home user. The free tier of Tailscale is really, really easy to set up and a very non-technical user can just use it if someone with even modest skills, like me, sets it up. That's why I use it. I can talk my wife through how to use Tailscale over the phone. I can set up OpenVPN or WireGuard (I set up an OpenBSD firewall and NAT system in the mid-late 1990s for an office and used it with SSH tunnels and VNC to do some remote troubleshooting), but I can't troubleshoot it remotely with a nontechnical user.
But, as you know, you can also manage this configuration yourself, either via traditional config mgmt tools, helpers like wg-meshconf, or even plain shell scripts, if you like. I'm aware this is a very HN-Dropboxy comment, but it's really not that complex[1], and is easily manageable for a small deployment.
Another VPN tool I used before WG gained momentum was tinc, which supports mesh networking out of the box. It's even easier to configure and maintain, and supports all platforms. It does run in userspace, which should make it slower than WG, but I found the performance acceptable for my modest use cases. Highly recommended.
[1]: https://www.procustodibus.com/blog/2020/11/wireguard-point-t... (this blog is a great WG resource!)
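As an added illustration of the "plain shell scripts" approach from the comment above (this is not the commenter's script, nor wg-meshconf, nor code from the linked blog), here is a small Python generator that emits a full-mesh WireGuard config for each node and sanity-checks the mesh before anything is deployed. The node names, tunnel addresses, the `vpn.example.net` endpoint and the LAN subnet are constructed sample values, and the key strings are placeholders standing in for real keys from `wg genkey` / `wg pubkey`. The check it adds is the one that bites people doing this by hand: WireGuard's `AllowedIPs` is both a firewall and a routing table (cryptokey routing), so every peer gets a `/32` for its own tunnel address, any overlap between two peers' `AllowedIPs` is flagged, and two nodes that are both behind NAT with no `Endpoint` are flagged because they will never form a direct tunnel.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example data: PRIV_*/PUB_* strings are placeholders, not real
# WireGuard keys. Real keys come from `wg genkey | tee priv | wg pubkey > pub`.


@dataclass
class Node:
    name: str
    private_key: str
    public_key: str
    mesh_ip: str                         # tunnel address, e.g. 10.10.0.1
    endpoint: Optional[str] = None       # public host:port; None when behind NAT
    listen_port: int = 51820
    lan_routes: List[str] = field(default_factory=list)  # subnets reachable via this node


def peer_allowed_ips(peer: Node) -> List[str]:
    # /32 for the peer's own tunnel address plus any LAN it is allowed to route.
    # Never hand a peer a wide prefix "to be safe": AllowedIPs is the ACL.
    return [f"{peer.mesh_ip}/32"] + list(peer.lan_routes)


def generate_config(node: Node, mesh: List[Node], prefix_len: int = 24) -> str:
    """Render the wg-quick style config for `node` with every other mesh member as a peer."""
    lines = [
        "[Interface]",
        f"PrivateKey = {node.private_key}",
        f"Address = {node.mesh_ip}/{prefix_len}",
    ]
    if node.endpoint:
        # Only publicly reachable nodes need a fixed port; NAT-only nodes pick one.
        lines.append(f"ListenPort = {node.listen_port}")
    for peer in mesh:
        if peer.name == node.name:
            continue
        lines += [
            "",
            f"# {peer.name}",
            "[Peer]",
            f"PublicKey = {peer.public_key}",
            f"AllowedIPs = {', '.join(peer_allowed_ips(peer))}",
        ]
        if peer.endpoint:
            lines.append(f"Endpoint = {peer.endpoint}")
            if not node.endpoint:
                # NAT-only node dialing out: keep the mapping alive so the
                # reachable peer can send traffic back through the NAT.
                lines.append("PersistentKeepalive = 25")
    return "\n".join(lines) + "\n"


def validate_mesh(mesh: List[Node]) -> List[str]:
    """Return human-readable problems; an empty list means the mesh is consistent."""
    problems: List[str] = []
    claimed = []  # (network, owner name)
    for n in mesh:
        for cidr in peer_allowed_ips(n):
            net = ipaddress.ip_network(cidr, strict=False)
            for other, owner in claimed:
                # WireGuard binds each AllowedIP to exactly one peer; an overlap
                # silently moves traffic to whichever peer was configured last.
                if owner != n.name and net.overlaps(other):
                    problems.append(f"{n.name}'s AllowedIPs {cidr} overlaps {owner}'s {other}")
            claimed.append((net, n.name))
    for i, a in enumerate(mesh):
        for b in mesh[i + 1:]:
            if not a.endpoint and not b.endpoint:
                problems.append(f"{a.name} and {b.name} both lack an Endpoint; no direct tunnel between them")
    return problems


# Constructed three-node mesh: one reachable hub, two devices behind NAT.
HUB = Node("hub", "PRIV_hub_PLACEHOLDER", "PUB_hub_PLACEHOLDER", "10.10.0.1",
           endpoint="vpn.example.net:51820", lan_routes=["192.168.1.0/24"])
LAPTOP = Node("laptop", "PRIV_laptop_PLACEHOLDER", "PUB_laptop_PLACEHOLDER", "10.10.0.2")
PHONE = Node("phone", "PRIV_phone_PLACEHOLDER", "PUB_phone_PLACEHOLDER", "10.10.0.3")
MESH = [HUB, LAPTOP, PHONE]

if __name__ == "__main__":
    for problem in validate_mesh(MESH):
        print("WARNING:", problem)
    for member in MESH:
        print(f"--- {member.name}.conf ---")
        print(generate_config(member, MESH))
```

Running it prints one warning (laptop and phone have no endpoint, so they can only reach each other if the hub also routes between them, or if a relay is added) and then three configs ready to drop into `/etc/wireguard/<name>.conf`. Extending the generator with a `lan_routes` entry on a device is the only change needed to expose a home subnet, and the overlap check makes sure that route does not quietly steal another peer's traffic.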
On one ISP inbound IPv6 was blocked at the router, while on the other IPv6 was fully allowed.
Tailscale detected this and automatically created the tunnel from the blocked one to the other.
I was super impressed, as this was handled automatically.