I’ve read a lot of recommendations for tailscale and am on my way to try it out myself. Do you use Tailscale in the “normal” way or do you host your own Headscale server (as I’m planning to do)? Any pros and cons?
Tailscale is super simple. Install it on two computers you want to be able to talk to eachother, doesn’t matter where they are as long as they have internet access. Authenticate with Tailscale on both computers and you are done.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters | More Letters |
---|---|
DNS | Domain Name Service/System |
HTTP | Hypertext Transfer Protocol, the Web |
LXC | Linux Containers |
NAT | Network Address Translation |
SSH | Secure Shell for remote terminal access |
SSO | Single Sign-On |
VPN | Virtual Private Network |
VPS | Virtual Private Server (opposed to shared hosting) |
8 acronyms in this thread; the most compressed thread commented on today has 4 acronyms.
[Thread #92 for this sub, first seen 30th Aug 2023, 12:35] [FAQ] [Full list] [Contact] [Source code]
I use Tailscale as is. Mainly to connect to my devices but also for fancy stuff like this:
Some of my servers are only available via Tailscale. They don’t have any open ports to the internet. Even authentication to these servers via SSH is handled by Tailscale SSH.
I have some SMB shares on my local server and I gave access to it to some friends via Tailscale by sharing said server and lock it down ACLs. So people that have “shared” access can only access the server via SMB’s ports.
One more thing I wanted to use but then stopped screwing around with it: Tailscale Funnel. I wanted to access some local webservices on my server via the internet without connecting to Tailscale first but also without opening ports on my local router. The downside of Funnel: no custom domains (yet). This means I would have to use their Tailnet name instead. Instead I went with Cloudflare Tunnel.
One more thing that was annoying with Funnel: I wanted to use tsnet for quick file shares via a very basic HTTP server. Tsnet created “virtual” machines within mail Tailnet which I could then funnel to the internet. Unfortunately, Tailnet DNS propagation is absurdly slow. It’s not really made for on-demand funnel usage. It would work just fine while being connected to the Tailnet via Tailscale, but not via Funnel over the internet.
All in all, I’m super happy with Tailscale. Setting things up was so absurdly easy and it just works.
I’m curious, what’s the benefit of using Tailscale over setting up Wireguard yourself? Is it just not having to do all of the setup? Or do I misunderstand what the main use of Tailscale is?
The main benefit of Tailscale are:
- It solves the key distribution problem. If you have multiple Wireguard hosts in a mesh infrastructure, it can be tricky to change or remove a key quickly and consistently. No benefit if it’s only a single tunnel between 2 hosts.
- It provides STUN/DERP services to connect hosts behind firewalls or NAT, without opening ports or redirections.
Tailscale also provides more advanced services or configuration helpers, such a file sharing (in alpha), ACLs…
Hmm, I guess my question would be how does this all work? I mean, is it not possible to configure STUN/DERP services yourself? Or add control lists yourself?
I’m curious as to how all of this is done, not just to see if it’s possible (even if it’d be a headache) but for confirmation. Granted, networking is my worse subject when it comes to any related to computers. For ACLs, I guess Apparmor and/or SELinux profiles would be configured? The removing a key I can understand why it’s be a nightmare yourself, but how does Tailscale do it where it’s just so simple?
EDIT: Another question I have is how does Tailscale work when I have a VPN for securing network traffic when browsing the internet etc.? Or is that just seamless?
use installed on edgerouter-x, no problem, efficient and functional
I’m a newbie in self-hosting and Tailscale is super powerful for me. Everything at home is accessible on my phone, mainly music server and radarr/sonarr for watching show on the go. No need for subdomain or reverse proxy.