I’ve read a lot of recommendations for tailscale and am on my way to try it out myself. Do you use Tailscale in the “normal” way or do you host your own Headscale server (as I’m planning to do)? Any pros and cons?
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread: 8 acronyms in this thread; the most compressed thread commented on today has 4 acronyms. [Thread #92 for this sub, first seen 30th Aug 2023, 12:35]
I am using headscale without any issues
I use it installed on edgerouter-x, no problem, efficient and functional.
I’m using Headscale with minimal issues. It’s low on resources and the docs Tailscale provides apply to it, which is neat.
Hosted headscale for quite a while, it works great and there is plenty of help in the discord if you need it.
Tailscale is super simple. Install it on two computers you want to be able to talk to each other; it doesn’t matter where they are as long as they have internet access. Authenticate with Tailscale on both computers and you are done.
I’m a newbie in self-hosting and Tailscale is super powerful for me. Everything at home is accessible on my phone, mainly my music server and radarr/sonarr for watching shows on the go. No need for a subdomain or reverse proxy.
I use Tailscale as is. Mainly to connect to my devices but also for fancy stuff like this:
Some of my servers are only available via Tailscale. They don’t have any open ports to the internet. Even authentication to these servers via SSH is handled by Tailscale SSH.
I have some SMB shares on my local server and I gave access to them to some friends via Tailscale by sharing said server and locking it down with ACLs. So people that have “shared” access can only access the server via SMB’s ports.
One more thing I wanted to use but then stopped screwing around with it: Tailscale Funnel. I wanted to access some local webservices on my server via the internet without connecting to Tailscale first but also without opening ports on my local router. The downside of Funnel: no custom domains (yet). This means I would have to use their Tailnet name instead. Instead I went with Cloudflare Tunnel.
One more thing that was annoying with Funnel: I wanted to use tsnet for quick file shares via a very basic HTTP server. Tsnet created “virtual” machines within my Tailnet which I could then funnel to the internet. Unfortunately, Tailnet DNS propagation is absurdly slow. It’s not really made for on-demand funnel usage. It would work just fine while being connected to the Tailnet via Tailscale, but not via Funnel over the internet.
All in all, I’m super happy with Tailscale. Setting things up was so absurdly easy and it just works.
I’m curious, what’s the benefit of using Tailscale over setting up Wireguard yourself? Is it just not having to do all of the setup? Or do I misunderstand what the main use of Tailscale is?
The main benefits of Tailscale are:
Tailscale also provides more advanced services or configuration helpers, such as file sharing (in alpha), ACLs…
Hmm, I guess my question would be how does this all work? I mean, is it not possible to configure STUN/DERP services yourself? Or add control lists yourself?
I’m curious as to how all of this is done, not just to see if it’s possible (even if it’d be a headache) but for confirmation. Granted, networking is my worst subject when it comes to anything related to computers. For ACLs, I guess AppArmor and/or SELinux profiles would be configured? The removing of a key I can understand why it’d be a nightmare yourself, but how does Tailscale do it where it’s just so simple?
EDIT: Another question I have is how does Tailscale work when I have a VPN for securing network traffic when browsing the internet etc.? Or is that just seamless?
DISCLAIMER: I never used Tailscale. All I know about Tailscale I learned reading their “How it works” blogpost and documentation, because I wanted to understand the hype.
Since nobody answered your questions, I’ll try my best. Just trust that I spent most of the last 25 years configuring security systems, including but not limited to VPNs.
See my 2 links above.
Of course it is, but it will be additional work, that most users are not willing/confident to do and Tailscale provides this service.
Deploying network ACLs on your hosts indeed does not require you to use Tailscale. However, they provide a centralised way to manage and deploy them, without worrying about the underlying OS and ACL system, or even requiring you to have access to the host: it could be an authorised user trying to access your Tailscale network.
Note: AppArmor/SELinux are more “system/process ACLs”, not directly related to network ACLs. I’m oversimplifying a lot, they’re difficult to describe without knowing your sysadmin skills.
Simple: they ask you to run an agent on all of your Tailscale hosts and connect to their centralised platform. To paraphrase their blogpost: config management is centralized, but that doesn’t matter because it carries virtually no traffic. It just exchanges a few tiny encryption keys and sets policies. The VPNs and their traffic are a distributed mesh.
I’m not sure I understand this question, so I’ll make an assumption: you’re asking what happens if you run Tailscale on a host that already has a VPN configured to access the Internet.
Tailscale (and Wireguard under it) is already a VPN solution, and tunneling a VPN inside another VPN is generally discouraged. But as Tailscale is providing STUN/DERP, if they correctly manage the MTU issues and things like that, I don’t see an immediate reason why it should not work at all.
You can configure Tailscale or Wireguard to create a VPN to access the Internet though.
Once again, if you try to understand how Tailscale works, please read the links at the start of this post. RTFM, kids!
On a more personal note, I find their solution clever and elegant. If I have the need for a distributed VPN solution in the near future, I will definitely consider it (or Headscale’s). For the moment, I’m fine with all my hosts connecting to my homelab, configuring a Wireguard tunnel for each roaming host, and opening ports and creating rules on my firewall. Compared to IPSec or OpenVPN tunnels, it seems almost too easy each time.
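As an added illustration of the centralised network ACL model discussed above (the SMB-sharing setup earlier in the thread, and the explainer’s point that ACLs are managed centrally rather than per host), here is a Tailscale policy file in the HuJSON format the Tailscale admin console accepts. This is example configuration written for this thread, not a file from any poster or from Tailscale; the user identities, the group name `group:friends` and the tag name `tag:fileserver` are constructed. The policy is allowlist-only, so anything not listed is denied, which is what restricts shared-in users to the SMB port.

```jsonc
{
  // Constructed example: who may own the "fileserver" tag and who is in the friends group.
  "tagOwners": {
    "tag:fileserver": ["autogroup:admin"]
  },
  "groups": {
    "group:friends": ["friend1@example.com", "friend2@example.com"]
  },

  "acls": [
    // Tailnet members may reach all ports on their own devices.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},

    // In-tailnet friends may reach the file server only on SMB (TCP/445).
    {"action": "accept", "src": ["group:friends"], "dst": ["tag:fileserver:445"]},

    // Users from other tailnets who accepted a node share get the same single port.
    {"action": "accept", "src": ["autogroup:shared"], "dst": ["tag:fileserver:445"]}
    // No rule for other ports or other hosts: denied by default.
  ],

  // Tailscale SSH: members may SSH to their own devices as a non-root user
  // or root, but only after re-authenticating ("check" mode).
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"]
    }
  ]
}
```

The policy is edited once on the control server (Tailscale’s, or a Headscale instance, which reads the same file format) and pushed to every client by the agent; the host running the SMB share needs no local firewall change for this to take effect, though keeping a host firewall that only admits the tailnet interface is still a sensible belt-and-braces measure.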
Interesting, thank you for your response!
I don’t know why I didn’t think about the fact that having network-specific ACLs is probably something we’ve developed since the dawn of the internet.
Also it makes sense that the configurations would be hosted in one place, and I see what Headscale is for now.
Maybe I’ll dump my VPN provider for Tailscale or set up a Headscale instance on a VPS some day. I also saw Netbird, whose $8/month plan gives unlimited users. Seems slightly similar to Tailscale.
Pretty much that. I don’t want to host “mission critical” stuff by myself, nor do I want to care about backups. With Tailscale I’m just a sign-in away from being able to access all devices connected to it.
If you want to really get into it, you can just host a wireguard instance in an LXC then use iptables for all your routing.
Relies only on FOSS software and gives you a pretty high level of control, but obviously is less intuitive
Tailscale is great, but I find it non-trivial to run in conjunction with another VPN (Mullvad). Anyone have experience with this? Seems I can have only one or the other on iOS or macOS.
There’s an open feature request to allow for using another wireguard VPN as an exit node on tailscale. Currently you could rent a VPS and install mullvad on it, then select the VPS as a tailscale exit node.
Neither Android nor iOS allow for multiple VPN connections at a time. But I’m surprised macOS is that limited in functionality as well.
I think you will like this https://tailscale.com/blog/mullvad-integration/
I’m loving it but I can’t get it to work 😂
I’m new with Tailscale. I understand that they don’t manage accounts and require another service like Google or Apple. That initially turned me off. Then I set it up via my SSO provider and it works great.
What SSO provider do you use?
Authentik. I really like it!
I started using my own WireGuard config instead of using Tailscale. Works great for me, though it does take more work up front.
I started out with WireGuard. As you said, it’s a little finicky to get the config to work, but after that it was great.
As long as it was just my devices this was fine and simple, but as soon as you expand this service to family members or friends (including not-so-technical people) it gets too annoying to manually deal with the configs.
And that’s where Tailscale / Headscale comes in to save the day because now your workload as the admin is reduced to pointing their apps to the right server and having them enter their username and password.
Tailscale just works. I recently tried netbird and netmaker. I did not manage much with the first, but netmaker instead seemed even easier to manage than tailscale, being faster at the same time. Unfortunately it failed with peers behind my corporate NAT, which tailscale can bypass with its own relays. But for others it can work very well.
You can set up relay nodes in the Netmaker config, and enable them only for those nodes behind NAT that need relaying. I’ve generally had good experience with Netmaker—when it works, it works—but several times it auto-updated and wiped my network config in the process.
What is your experience with Netbird vs Netmaker?
Relays have become a pro feature in the last release. I tested them on netmaker.io SaaS version and they work but it defeats the purpose of selfhosting my VPN manager. You also need to have a good relay, for instance among GCP, Azure, Oracle and Vultr only the latter works because their VPS are not behind a NAT.
Netbird first of all is extremely resource hungry. On some occasions it completely hung a 1 GB RAM VPS when I was testing. Even without thrashing I had issues connecting many of my peers. It has to be said that it was surely my fault in some ways, as netbird.io SaaS worked fine.
Thanks. I didn’t realise you can’t do relays anymore on the selfhosted version. That sucks…
I use Headscale, but Tailscale is a great service and what I generally recommend to strangers who want to approximate my setup. The tradeoffs are pretty straightforward:
~~devices~~ users, Tailscale costs money… about $6 US in that geography. It’s a pretty reasonable cost for the service, and proportional in the grand scheme of what most self-hosters spend on their setups annually. IMO, it’s good value and I wouldn’t feel bad paying it.
Tailscale is great, and there’s no compelling reason that should prevent most self-hosters that want it from using it. I use Headscale because I can and I’m comfortable doing so… But they’re both awesome options.
I think you mean beyond 3 users. You are allowed up to 100 devices in the free tier.
Yeah, misread the pricing page. Fixed the post, thanks for the correction.
Does Headscale require additional work to deal with NAT traversal on clients? Or is it just for the controller node itself?
You connect to Headscale using the tailscale clients, and configuration is exactly the same irrespective of which control server you use… with the exception of having to configure the custom server URL with Headscale (which requires navigating some hoops and poor docs for mobile/Windows clients).
But to my knowledge there are no client-side configs related to NAT traversal (which is kind of the goal… to work seamlessly everywhere). The configs themselves on the headscale server aren’t so bad either, but the networking concepts involved are extremely advanced, so debugging if anything goes sideways or validating that your server-side NAT traversal setup is working as expected can be a deep dive. With Tailscale, you know any problems are client-side and can focus your attention accordingly… which simplifies initial debugging quite a lot.