Comment by jatone
3 years ago
Not sure where you're getting the idea you need admin intervention for Tailscale. I've never needed to do anything beyond authenticate the machine with my account. Tailscale has NAT traversal built into it.
If your network firewall is preventing the tunneling process, then that's on you. And if it's not on you and it's a company decision, then it's VERY unlikely they'd be okay with Cloudflare's publicly exposed ports.
Tailscale user here.
The Tailscale devices you see are only accessible by other devices on the same Tailscale network.
S/he's talking about accessing those machines from OUTSIDE that network. That's what would require admin intervention. So for example if I have a webserver on my home LAN that has Tailscale installed and authenticated, then sure, I can access that webserver from any of my other Tailscale devices from anywhere. But if I want a friend to be able to access that webserver without first being authenticated to the Tailscale network... Do you see the problem, yet?
I clearly understand that problem. But I'm just going to assert it's not what you actually want. Nor is it related to accessing SSH, where you most definitely don't want to expose the port.
For starters, what you're describing is a load balancer. Those already exist and are trivial to set up.
I'm talking about the one-time initial setup of the Tailscale client software.
Can you download and run Tailscale on a Windows client without Administrative access to install the software (set up the virtual NIC)? An SSH client is just a user-space app.
No, but you also wouldn't want to allow that. Just like you wouldn't want to expose an SSH socket to the world in most cases.
I have explained why I stated that 'setup of [Tailscale] typically requires administrative intervention'.
I appreciate that your approach is the more secure standard practice, yet want to make others aware of the edge cases here on a site called Hacker News rather than something like StackOverflow, where 'this is the way' reigns supreme.