VPN originally meant something quite different from the commercial consumer VPN product that Mullvad represents, and was more like the encrypted overlay network provided by Tailscale. These are coming together again in this revolution of the wheel of reinvention. I'm not using "reinvention" in any negative way here; this is good, I think.
For history, and how some people (John Gilmore[1]) thought ubiquitous interoperable VPN tech (using the IETF-standardized IPsec) could be used to end-to-end secure internet traffic generally, see e.g. this FreeS/WAN rationale from the 90s: http://web.archive.org/web/20210125023625/https://www.freesw...
Then, in between then and now, were the VPN dark ages, where it was mostly only used as a tech to access old-timey corporate "internal networks".
Don't forget that historically, a "half-measure" a lot of people used to use to get around regional blocking was "web proxies" like those linked to by proxy.org. I used to operate one as a young teen and I will say they are a security nightmare -- nothing stopping a web proxy operator from sniffing all user credentials passing through them, and modifying PHProxy to do this is trivial.
Personally I used to run a domain parking service (back when I was a teen in the early 00s) that used the domains as web proxies and replaced all adsense blocks it could find in the content with my adsense code, and did a 50/50 split between my code and the domain owner's code. Google eventually became wise to this and banned that sort of thing but it was pretty cool while it lasted, and honestly I think it was super fair considering we didn't even add any ad blocks just re-used the existing ones already in the content.
With practically-ubiquitous HTTPS, these days proxy use is mainly a privacy risk since for HTTPS, they usually can only support transparent byte relaying anyway.
I used to pay a small fee for a shell account from some UK provider so I could set up a SOCKS proxy over an SSH tunnel. I suppose they could have captured my egress traffic, but I trusted them not to do that. I was just using it to watch BBC iPlayer/Channel 4 from the US anyway. :)
The first VPNs I encountered were for bridging branch offices onto the corporate network.
It was only later, when they made 'consumer' VPNs, that they became point-to-multipoint affairs, for bridging a single computer onto the network. I'm not really sure how that confusion happened. In that era they were glorified SSH tunnels.
Well, they generally call the first type site-to-site VPN tunnels and the second client tunnels. Lots of different marketing from various companies makes it confusing, since it's basically all the same OSS under the hood.
What is with this tendency to want to gatekeep the term "VPN" away from consumer-oriented providers? The general term "VPN" means exactly the same thing now as it did 20 years ago.
Virtual means it doesn't correspond to a physical network interface. Private means it involves encryption, as opposed to a basic tunnel like ipip or 6in4. And they've always been network interfaces showing up on some node, regardless of whether that node might have been a vendor's proprietary black box.
Decades ago there were fewer uses/topologies, dedicated "routers" were more important, and people naively trusted infrastructure. Those are the differences that have evolved with time. Quick searches say OpenVPN was released in 2001, and tinc in 1998.
> Private means it involves encryption, as opposed to a basic tunnel like ipip or 6in4.
The common-sense meaning of "private network" was, and is, a network that is private. I had one with a bunch of my university friends - we ran our own network services that we wouldn't trust to the wider world, like we had back when we lived together and really did have our own private network.
A point-to-point line to the provider's router that then bridges you onto the public internet is a "private network" only in the most degenerate sense.
I love tailscale's technology and their contributions to the security ecosystem, but I can't help but take a contrarian angle to many of the comments here...
This feels like a bad idea, and perhaps it signals defeat in the enterprise space (where the tech would provide the most value, imo). Tailscale raised $100M last year, surely based on a theory of growth upmarket. While this partnership surely provides value to personal consumers, it feels, at best, like a distraction from the larger opportunity and, at worst, counterproductive to achieving it.
I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
> I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
Okay. But it does? Our stats continue to show that making nerds happy (we're also nerds) leads to more corporate sales. (https://tailscale.com/blog/free-plan/ etc)
So if we can make something that we want ourselves and our friends and fellow nerds also like, and that also then leads to more corporate sales... why not?
Anecdata: it directly led us (Instacart) to try and then adopt Tailscale. Many of us had used it at home and were happy nerds. This gave it a huge initial leg up vs other "enterprisey" VPNs when we were in the evaluation stage.
Tailscale sold itself after that. The docs were excellent and it really is simple to use and run. I was able to do a full PoC in a day and prove that I could join all of our environments and clouds into one VPN and have DNS resolving correctly everywhere.
I appreciate the response - great blog post. I don't doubt this works for certain companies and components of the ecosystem; it worked for Dropbox (at least for a long time).
Tailscale is clearly a superior product to its competitors and I have regularly recommended that colleagues and clients evaluate whether it fits their needs. However, unfortunately, that is frequently not enough to "win" in the crowded and bureaucratic enterprise software space.
I would love to be proved wrong here and wish you the greatest success!
A lot of B2C VPNs position themselves as kinda sketchy and anti-corporate.
If the cops or the MPAA come calling, we'll tell them to go to hell. Netflix blocks our servers? We'll set up new ones. Accused of torrenting? We didn't see anything, and we don't know who you are either. We're incorporated in a jurisdiction that makes us almost impossible to sue. We've got 4 employees, and not a single clothes iron between us.
B2B VPN products often have the opposite market positioning - straight-laced, trustworthy stuff. Absolutely not claiming to be difficult to sue. We've got 50+ employees, all of them wear shirts and some even wear ties. And suppliers like cloudflare are more than happy to help you MITM all your employees' https traffic, in the name of "security".
These just seem like positions in the market that are very hard to reconcile.
A lot of the people making purchasing decisions to acquire products like Tailscale are in security departments and have a very low opinion of Mullvad (VPN of choice for all kinds of abusive/fraud/hacking traffic).
Tailscale has many employees; adding a small patch to the WireGuard client programming and strapping in Mullvad account provisioning seems like a very small amount of effort for a pretty cool feature that also earns some recurring money from the hitherto-freeloading nerd customers.
Point well taken. My comment was primarily based on two other factors:
a) the strategic signal it sends re developer resource allocation and
b) the market signal it sends, selling a security solution while partnering with a company (not a knock - I've been a mullvad customer!) that provides solutions which are frequently used to bypass compliance/regulatory controls.
It doesn't sound like that's a big distraction for Mullvad as it seems most of the actual changes are done on the Tailscale side, enabling users to use Mullvad proxied through their setup.
Partnering with similarly aligned organizations like Tailscale and Tor seems like a good way of increasing the userbase without engaging in sketchy business models like the rest of the VPN competition.
> I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
This past summer I quit my job as Engr #3 of a startup. While there, I desperately tried to convince 1+2 that we should use Tailscale instead of rolling our own VPN with WireGuard and EC2. Couldn't do it. The product was too magical and everyone was suspicious. I use it at home and tried very hard to make the case.
This feels more like a long term investment in breaking the “mesh” basis for their product. IMO it’s part of the magic and partially a problem. I couldn’t explain the security model for the mesh (as an outsider), and according to some comments it seems like it causes battery issues on mobile devices.
They've been, over the past year, putting a significant amount of work into fixing the battery life issues. It is largely resolved for me, and it seems according to a recent article the vast majority of their users.
This also has to be a nightmare for speed. Making two separate tunnels, then browsing the internet through them? Streaming or using virtually anything other than static HTML pages would be a pain.
Mullvad servers are fast enough. On some occasions, I can only connect to Mullvad through 3 hops. Me -> Chinese VPS -> DigitalOcean VPS -> Mullvad. I can still stream YouTube just fine (1MiB/s)
Context: during government meetings in a particular region, their network policies would become more restrictive so that it’s only possible to connect to Chinese IPs. Chinese VPSs are exempt but cannot connect to Mullvad directly due to a Fortinet rule. Connections are done with a mix of Trojan-gfw, xray, and WireGuard
Mullvad has been doing a lot recently and I'm really loving it. It kinda seems like they are building a decentralized open source ecosystem through partnerships with other companies that are seeking similar things. Which really seems like the "hacker"'s dream (people liking security, not crackers). I wonder if we'll see Matrix next, or Signal? (Highly doubt Signal, but one can dream that the ecosystem is moving and speech will actually mean something.) I'd love to see a world of open source, open protocol products working all in harmony. I just never really expected to see that until we got relatively close to a post-scarcity society.
Tailscaled runs as root. Is there a way to confine it, without losing functionality?
As it connects many devices in my network, a vulnerability in Tailscale will have a significant impact (they recently had nearly 10 CVEs). That's not the case with the standard client-server approach (clients can run userspace WireGuard).
Even though I don’t open ports with Tailscale (more precisely, I outsource them to Tailscale), I still can’t sleep well at night!
Running Tailscale without privileges is a challenge because tailscaled needs to be able to configure your network, and if you enable Tailscale SSH it also needs to be able to create sessions for configured users. For people who don't need SSH and accept this challenge + maintenance burden, it is possible: https://tailscale.com/kb/1279/security-node-hardening/
On its face, this is really cool and being a user of both tailscale and mullvad this is awesome.
My primary concern though: will this lead to potential privacy leaks? Can a government agency shakedown Tailscale now to trace your Mullvad ID/connection to your Tailscale account?
That doesn't really answer my question at all, at least not thoroughly in plain english.
The question is: if a government agency goes to tailscale and says: "we're looking for Mullvad user 912830193276163872" - does tailscale log that, can they provide it, will they provide it?
Ah! This could have been great for me, except that Tailscale recently cut off access to Cuban nationals to their service (they have their reasons, I guess.) Still, I think that the service they're building, step by step, is fine actually.
While I don’t work for Tailscale and don’t know their specific reasons, I do know that US export controls and sanctions with respect to Cuba are quite complicated and are designed more due to historical & continuing political pressures than sensible policy.
I used to be involved in leading a US charitable nonprofit that, during the Obama years, once wanted to pay for someone to attend a technical conference in Cuba (or maybe it was to pay for a Cuban to attend a technical conference elsewhere - I forget). We did actually make it happen, but it involved consulting with lawyers, comparing the details of the situation against the applicable rules, and getting people to promise to stay within those rules.
My guess is that either Tailscale or one of the providers they depend on is cutting off Cubans as an attempt to comply with these Cuba-specific US legal obligations, or at least to reduce their risk of falling into non-compliance.
At the very least, GitHub has found ways to legally make most (not all) of their offerings available to Cubans / in Cuba despite the sanctions, except for more narrowly banned individuals and groups. So if you can obtain the open source code for Tailscale (client) and Headscale (server), you can at least use that to benefit from Tailscale’s software.
I believe Tailscale re-incorporated from a Canadian company into a US company for various compliance things being easier, but a consequence is that now they have to follow certain US obligations WRT Cuba, amongst others.
Exactly. I do believe that certain individuals and organizations might/should be excluded from service here; however, it seems like the only technical solution to regulations enforcement is to wholesale block a whole country.
If you're already a Mullvad customer, is there some way to integrate this into your account?
Right now, when I want to use Mullvad via my tailnet, I set the exit node to be a linux box at my house that is set to automatically send all traffic via Mullvad. That's free for me, since I already pay for Mullvad on that linux box at home.
Wouldn't it be more "efficient" networking if I could sometimes just use the mullvad app instead of tailscale > mullvad?
Either way it would be good to at least have the option to use an existing account. Maybe tailscale is taking a cut since mullvad dropped recurring sub support natively.
Well, if you want to use Mullvad outside of Tailscale, then it does matter: https://mastodon.online/@mullvadnet/111024772652906757 Seems like you won't be able to use your Mullvad account created via Tailscale for anything outside of Tailscale...
I pay for a year at a time for ease of use since they wouldn't save payment info when using port forwarding. And now since I last bought a years worth in May they turned off port forwarding and now make me drop the next 8 months of prepaid time if I'd want to use this feature (that I've been waiting for for years).
Can someone help me understand why VPN use seems to have exploded in recent years? I mean, I'm aware of the typical use-cases of corporate devices and such, but I doubt that's the major contributor here as those use-cases have existed for decades now. What's the impetus for what seems to be massive growth over the past 3+ years?
There's a fair amount of FUD tossed around in sponsored ad reads of a lot of independent creator content these days, so much now that the colloquial use of "VPN" these days for the masses is not "allow me to gain access to a network I control from anywhere" but "help me route my traffic to a specific geolocation".
Half-truths about "securing your connection" and "preventing tracking" are spouted, without the supplementary information that device and browser fingerprinting do more to identify you as a user than geolocation does. With HTTPS, traffic is already encrypted, and any DNS-over-HTTPS or DNS-over-TLS provider will also mask where you were headed to, leaving much of the supposed benefits to be mostly snake oil.
If, however, you want to use it to access geofenced content, or you employ an obscurity-in-depth strategy to anonymize your identity, then sure, go ham. But as to why usage has exploded by the masses, a healthy dose of paranoia and influencer marketing.
99.999% of airport wifi users don't know that their traffic is bridged. So unless Wi-Fi 6 introduced some network segmentation features that I'm not aware of, it's still a good idea for Grandma and Grandpa Jo.
The reason it's ubiquitous on YouTube is because they are gouging the hell out of consumers. Honestly it should be provided by your ISP as a bundled service. Although then it's just Comcast gouging you instead...
Can confirm, it seems like every single YouTube channel I've watched in the past 2-3 years has had an ad for 3 or 4 VPN services. Plus, the internet is getting more segmented, when I send links to some US sites to my friends overseas they need a VPN to access it, which wasn't the case like 6-7 years ago.
There's still ISP domain-level blocks (based on SNI) to contend with, even if they can't modify any content. Things such as court-banned sites (pirating?), age-restricted content, etc.
The VPN market has had considerable growth year-to-year since at least 2009. It's just that in the last few years that growth has added up to big absolute numbers.
Here's how I think about customer segments:
* Those interested in online privacy
* Those interested in circumventing censorship
* Those interested in a secure network channel from their machine to "The Internet", by which I mean secure from their local ISP eavesdropping on them.
* Those interested in circumventing geographical restrictions.
Due to the nature of the Internet and how its most important protocol (IP) works, changing your IP address is a necessary, but not necessarily sufficient, step in protecting your privacy online. This fact says something about the long term relevance of VPNs, Tor, and similar technologies.
Source: I'm one of the co-founders of Mullvad VPN.
In the age of wifi the man in the middle included someone sitting in the same coffee shop as you. ISPs turning into jerks came on the heels of that. Depending on where you got your news, it might have seemed like you heard about ISPs and hackers around the same time, but from my perspective the ISPs learned how to be bad from security experts explaining how much mischief a person could get up to and deciding that sounded like a swell idea.
VPNs of the Mullvad type (not them specifically): Mostly marketing to the ignorant, but also people in police states and people who are getting annoying letters about their torrenting.
VPNs of the Tailscale type: Mostly people who self host apps and want them to be available across their devices without opening them up to the internet, or be able to access their NAS from Starbucks.
For me, at least when it comes to Tailscale, it was Tailscale SSH and MagicDNS. I haven't had to touch `sshd` at all, and I get automatic HTTPS certificates for machines connected to my tailnet. Also, it's free.
I don't do anything sketchy online, but I use a VPN for the same reason I use HTTPS rather than HTTP, ssh rather than telnet, BTC/XMR rather than my credit card (when possible), and LUKS FDE rather than nothing. I value my privacy, and I want to fight the false perception that privacy-enhancing tools are only for shady usage by shady people.
Use a VPN for the same reason you close the stall door in a public restroom.
(I'm not necessarily agreeing with your premise that VPN usage has recently grown; I don't know that to be the case.)
What does "VPN use seems to have exploded in recent years" mean? I mean, what have you observed? "VPN" means lots of different things.
VPN to company is much more popular with businesses because of WFH and Covid.
Consumer VPNs to random providers that advertise on podcasts are way up because of different countries having different video streaming service catalogs and because in the US consumer ISPs are increasingly privacy- and reliability-hostile. There's also a big marketing buzz because scaring people over these things was good for signups, so consumer VPN providers chose to advertise a lot.
Tailscale on the other hand is a way to re-create an actually flatly routable Internet, for myself, but with 2023 security levels.
Mostly because geofencing is getting much more widespread for various legit reasons (security, anti spam, licensing restrictions, etc) and very annoying for end users.
"Security" is not a legitimate application of geofencing, in my view.
Any attacker can trivially use a VPN to defeat it, yet legitimate users are massively inconvenienced by it. I've had too many accounts (bank and otherwise) locked for the crime of trying to access them while traveling internationally.
Generally it's to guard against ISP spying. In the case of your personal devices that you walk around with at work, the "ISP" is "your employer". Employer IT pride themselves on being far more nosy than your run-of-the-mill ISP.
Just my 2cents that I wrote about here[0]. It boils down to:
1. Ease of use for non technical folks (my dad in the post)
2. The dangers of having an exposed ssh port (even on non standard ports)
I just don't have the time or compute to constantly tweak my security settings for a publicly exposed port, so the easiest way to solve the problem is to not have the port publicly exposed
It feels like you may have solved a problem that didn't need solving? If you fully disabled password authentication, there's nothing to tweak; you can just ignore the log spam and not block the IP addresses and ignore it and it'll be fine.
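The reply above rests on password authentication really being off. As an added example, not code from the commenter or from any project discussed in this thread, here is a POSIX sh check of that run over two constructed sshd_config files. It respects two sshd rules that catch people out: for each keyword the first value wins (so a later "PasswordAuthentication no" does not override an earlier "yes", e.g. one pulled in by an Include near the top of the file), and everything after a Match line is conditional and is ignored here. It does not follow Include lines itself, so `sshd -T` on the host remains the authoritative answer; the file names and sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the global section of an
# sshd_config for the settings that make an exposed sshd safe to ignore
# brute-force noise on. sshd rules respected here: for each keyword the
# FIRST value wins, and lines after "Match" are conditional. Include
# lines are not followed; `sshd -T` is the authoritative check.

# sshd_global_value KEY FILE
# Prints the first global value of KEY (lowercased), or "default".
sshd_global_value() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }                 # comment
        /^[[:space:]]*$/ { next }                 # blank line
        { sub(/[[:space:]]*=[[:space:]]*/, " "); k = tolower($1) }
        k == "match" { exit }                     # rest is conditional
        k == key     { print tolower($2); found = 1; exit }
        END          { if (!found) print "default" }
    ' "$2"
}

# audit_sshd_config FILE
# Returns 0 if password-based logins are really off, 1 otherwise.
audit_sshd_config() {
    f=$1; rc=0
    pw=$(sshd_global_value PasswordAuthentication "$f")
    kbd=$(sshd_global_value KbdInteractiveAuthentication "$f")
    cra=$(sshd_global_value ChallengeResponseAuthentication "$f")
    root=$(sshd_global_value PermitRootLogin "$f")
    pub=$(sshd_global_value PubkeyAuthentication "$f")
    # sshd's default for PasswordAuthentication is yes, so "default" fails
    [ "$pw" = no ] || { echo "$f: PasswordAuthentication is '$pw' (want no)"; rc=1; }
    # keyboard-interactive (old name: ChallengeResponse) lets PAM ask for
    # a password even when PasswordAuthentication is no
    [ "$kbd" = no ] || [ "$cra" = no ] || { echo "$f: keyboard-interactive auth still enabled"; rc=1; }
    case $root in
        no|prohibit-password|without-password|default) ;;
        *) echo "$f: PermitRootLogin is '$root'"; rc=1 ;;
    esac
    [ "$pub" != no ] || { echo "$f: PubkeyAuthentication disabled"; rc=1; }
    return $rc
}

# Constructed sample configs, not copied from any real host.
SSHD_AUDIT_TMP=$(mktemp -d)
cat > "$SSHD_AUDIT_TMP/weak" <<'EOF'
# Debian/Ubuntu-style: a drop-in near the top sets the value first ...
PasswordAuthentication yes
PermitRootLogin yes
# ... so this later line is ignored by sshd (first value wins)
PasswordAuthentication no
EOF
cat > "$SSHD_AUDIT_TMP/hardened" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication=no
PermitRootLogin prohibit-password
Match User backup
    PubkeyAuthentication no
    PasswordAuthentication yes
EOF
for name in weak hardened; do
    if audit_sshd_config "$SSHD_AUDIT_TMP/$name"; then
        echo "$name: ok"
    fi
done
```

The "weak" file is the shape that bites on distributions whose stock sshd_config includes a drop-in directory at the top: the operator appends "PasswordAuthentication no" at the bottom, sees it in the file, and never notices that sshd already took "yes" from the include. The check reports it; the "hardened" file passes, and its Match block is correctly ignored.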
I use a VPN anytime I leave my house (although it's not a commercial "service"), because network-based telemetry is on the rise and companies that offer free WiFi as well as our telcos are basically out to get us. See https://www.wired.com/story/verizon-user-privacy-settings/ as one example.
I don't want to "opt-out" and hope companies actually follow their policies, or assume their policies are sufficient when I "opt-out". So I ensure all of my network traffic is routed through my home no matter where I'm at or which device I'm using, and then from my home I ensure all my network traffic is routed through a business-grade connection that is offered under standard contract terms that preclude the type of fuckery that every ISP in America seems to think is acceptable to do to consumers.
That's why I use a VPN, and I'm pretty sure a lot of people who use a commercial VPN service do it for very similar reasons and don't have the technical know-how or wherewithal to set something like I have up for themselves.
For VPN in the Corporate network sense, it's for easy access to your computers. You don't want to have to open ports on your router or hope that whatever world-accessible service you throw out there is secure - instead, Tailscale handles authentication, authorization (if you'd like to set up ACLs), and it handles NAT traversal without any open ports.
I think a primary reason is "more privacy" (Mainstream VPNs actually reduce privacy) closely followed by bypassing regional restrictions (like blackouts during sports games, using Pornhub in Utah or Alabama, or looking up clinics that perform abortions in Texas) followed by bypassing ISP restrictions.
For me the fact is there are really easy to use user interfaces for VPNs now. They are very performant and low latency as well, so they're practical for everyday browsing on the modern web and even for gaming and streaming.
Also, geographical blocks on content such as Netflix and BBC etc
Aside from "Privacy VPN" usage, there are other reasons to have a VPN server (including tailscaled) at home. Some home network connections don't offer a public IPv4 address. People want to avoid exposing any port to the internet.
I can't speak for everyone, but technologies like WireGuard, Tailscale, and Nebula are not merely VPN solutions. They're SDN solutions that incorporate VPN capabilities, WireGuard (and thus Tailscale... in most cases) being unique in that they're incorporated at the kernel level. Having a single overlay network for my cloud host, home servers, cell phone, and personal computers allows me to construct my own private cloud of sorts.
Hm, interesting. I wrote a script a while ago, to start on connection, in order to have Mullvad coexist with Tailscale, if anyone is interested; I also have one for NVPN.
#!/usr/bin/env bash
# Usage: mullvad-tailscale.sh <mullvad WireGuard interface>
# Marks Tailscale control-plane, DERP relay and MagicDNS traffic with the
# Mullvad tunnel's fwmark, so the "not fwmark" policy-routing rule that
# WireGuard sets up sends it around the tunnel instead of through it.
set -euo pipefail
[ $# -eq 1 ] || { echo "usage: $0 <wg-interface>" >&2; exit 1; }
DOMAINS=(login controlplane log derp1-all derp2-all derp3-all derp4-all derp5-all derp6-all derp7-all derp8-all derp9-all derp10-all derp11-all derp12-all derp13-all derp14-all derp15-all derp16-all derp17-all derp18-all derp19-all derp20-all derp21-all derp22-all derp23-all derp24-all)
FWMARK=$(wg show "$1" fwmark)
[ "$FWMARK" != off ] || { echo "$1 has no fwmark set" >&2; exit 1; }
mark() { iptables -t mangle -I "$@" -j MARK --set-mark "$FWMARK"; }
# Everything on the tailscale0 interface itself (once, not once per IP)
mark INPUT --in-interface tailscale0
mark OUTPUT --out-interface tailscale0
for d in "${DOMAINS[@]}"; do
  # +short can also print CNAME targets; keep only IPv4 addresses
  for IP in $(dig -4 +short A "$d.tailscale.com" | grep -E '^[0-9.]+$' || true); do
    mark INPUT -d "$IP/32"
    mark INPUT -s "$IP/32"
    mark OUTPUT -d "$IP/32"
  done
done
# MagicDNS resolver
for CHAIN in INPUT OUTPUT; do
  mark "$CHAIN" -d 100.100.100.100/32
  mark "$CHAIN" -s 100.100.100.100/32
done
Excellent, I'm finally able to retire the NixOS module I wrote to replace Tailscale to fix this exact problem [1]. It was certainly imperfect and overengineered, but it has worked for my use cases pretty well.
I'm still not sure if I like the login situation for Tailscale (allowing only 3rd party auth) but I understand why they do it.
EDIT: Turns out I can't use it yet since you have to buy Mullvad through Tailscale. I bought a year of Mullvad in May (they can't save payment info for port forwarding) and in the 4 months since they've removed port forwarding[2] and won't let me use my remaining credit for this integration.
So it’s $5 for 5 devices? I was expecting to see an option for existing mullvad customers to enter their credentials instead of buying a new subscription but may not be the same thing
As someone that already has a subscription to a VPN service (not mullvad), I’m wondering what this would get me for end devices, vs just using my vpn provider as I’m already doing
Oohh, this is exactly why you can't. I just commented similarly, but yours made me realise - this must be an agreement between the companies, Mullvad doesn't want you to fairly easily have all devices on the same tailnet, single exit node using 1/5 keys on Mullvad. Without Tailscale, if you configured them all separately, it'd use as many keys as you had devices.
You can similarly bypass it without Tailscale, the same way you had to do it in Tailscale before this announcement, with everything egressing via a server which is the single Mullvad client. But it makes sense with the built-in solution (with probably better latency etc.) that they wouldn't want that.
I recently (just earlier this week in fact) had to spend a few days on fast-but-restricted "guest" WiFi and was struggling with this very thing: I needed to use a tailnet to access my servers for vscode remote development, but also needed a VPN since the WiFi was blocking harmless stuff like duckduckgo.com
In the end I was able to do a split-vpn config to allow VScode to bypass the VPN and leave the browser to use the VPN. Having tailscale just handle it would have been handy, and reading the docs today I found out that I could have just used a machine on my home network as the exitnode as well, which would have worked great too I expect.
Have to say though that this was the first time I had used tailscale "in anger" for any serious period of time away from my home network. It was superb and (apart from the VPN issue) just worked exactly as advertised and I was able to access all the stuff on my NATed home network as if I was in my home office. Brilliant product - thanks to all the tailscale folks ("tailers"?) on here for the product!
This tailscale press release claims you can forward nonstandard ports with this configuration. Who knows what that means or even if the copy was just approved six months ago or what.
Yeah, thanks for the suggestion; i do have an intel nuc hidden away somewhere that runs an exit node. I'm looking for the reverse basically, having my entire home network use another exit node somewhere else, to access regionally restricted content...
Why would I use Tailscale over OpenVPN, for example? OpenVPN is supported by my router OOTB and the config was incredibly straightforward. It sounds like Mullvad adds a layer of privacy into a Tailscale network if I’m understanding it correctly. But Mullvad aside, I don’t get what separates Tailscale from something like OpenVPN.
Huh. Well in my case I flipped the feature on in my Asus router, installed the OpenVPN client on my iPhone and imported the config file my router generated for me and that was it. Took like 2 minutes to do.
You cannot hide from governments. If they want you badly enough they can track you anywhere. So, don't do anything illegal and expect any VPN to protect you because you paid in cash! Remember, all governments have secret national security laws to surveil all data all the time and almost all governments' (even supposed enemies') secret national security agencies cooperate if they badly want to catch someone.
You cannot hide from advertisers if you use a smartphone with apps. App developers who put ads within their app control the apps behavior completely and hence they can fingerprint your device and track you very well without using IP addresses. And within browsers, they can fingerprint you through many javascript features of the browser. Hiding your source IP does very little for your privacy.
Almost all traffic (apps and websites) is encrypted via TLS (HTTPS, for example). So, even if you are on an insecure network, unless your OS's TLS certificate store is compromised, your communications are encrypted and protected against snooping from that insecure network.
Also, even on open wifi networks, today, it is very unlikely that the wifi is running without at least WPA2 encryption. Most modern airports run secure wifi. (But they also monitor all traffic metadata for illegal activities).
So, using a VPN as an exit node is just privacy theatre. VPN exit nodes in faraway countries are useful for bypassing content censorship in your own country, but it works only if the content streaming service cooperates with you.
Remember, all ISPs are heavily regulated by governments and can be asked to mirror specific customer's traffic for analysis. I would be very surprised if they don't proactively do it for all VPN operator nodes by default.
That said, I don't know if Mullvad is good or evil, but one of the ways you can evaluate companies is to recognize when they're making sketchy, not-relevant claims to create an air of legitimacy.
This "our servers have no disks" thing is marketing. It is meant to imply something that it doesn't actually demonstrate. Who cares if there are local disks? It doesn't change the threat model at all; it's mostly to convince people who don't know very much about claims which are basically impossible to prove. It's the higher-tier version of "we use military grade encryption."
Lawful Intercept on the public internet does not rely on local hard drives on any node in the network and has not since the 90s, as a specific example of how meaningless this is.
They practice what they preach. The recently stopped selling recurring subscriptions, and most likely threw away a big chunk of money, because there was no way to support them in an anonymous way.
they take privacy extremely seriously, by trying to reduce the amount of data they even have that can get subpoenaed (no logs, no accounts, accept payment by cash) and appear to have not yet fucked up.
So tailscale makes it super simple to create your little network, sorta like hamachi used to, but what's the point of mullvad in this equation - can someone explain it to me a little more clearly like I'm 5 (ELI5)?
Nice! Presently maintaining this hackily myself with an exit node running in Fly.io that reaches the internet via Mullvad, I'll be glad to simplify it and maintain less.
I'm a bit confused about the payment section though - I have to pay for Mullvad via Tailscale now? Can't I just use the peer keys I've registered in my own account?
Can anyone comment on whether it's possible to use something like NextDNS in conjunction with Tailscale and Mullvad?
Edit: to clarify, I'm aware of the existing NextDNS integration with Tailscale - I was wondering if this (or other third party DNS) works specifically with these new Mullvad exit nodes...
first result on google for "tailscale nextdns" explains how to - for some reason - leak all your dns queries to some random company you don't pay money to: https://tailscale.com/kb/1218/nextdns/
Are you talking about the metadata collection by nextdns itself ? It's not some random company and again you can disable it pretty easily. Afaik the metadata is mainly used to classify requests per device and show some stats
I've never used Tailscale or Mullvad, I do use a VPS and Wireguard that I configured and run. I'm wondering if people working at Tailscale or Mullvad could snoop on the traffic passing through their servers?
Can a device which is not capable of running custom software, i.e. the router my ISP gives me, but which is able to connect to WireGuard, be used to connect into an existing tailnet?
Mullvad is impressive; however, the issue with Mullvad ID persists. The proposed solution is a Zero-Knowledge Proof Authentication system. With this approach, Mullvad will retain your public key but will not possess information regarding the association of specific sessions with individual Mullvad IDs.
if you're going to go to some random thread and post about your slightly related hobbyhorse, at least provide a link to some information about whatever you're upset about.
It sounds great. But their banner is showing that my IP address is from Mumbai, whereas I'm actually in Bengaluru, India. That's not really reassuring. Maybe it's just Apple relay on my device that's obfuscating my details.
edit: my bad, hit me bit late that it’s the intended behaviour.
Headscale is a FOSS replacement for Tailscale's closed source coordination server. It is compatible with Tailscale's client apps, which are FOSS for Linux and Android, and partially closed source for macOS and Windows (https://tailscale.com/opensource/).
This partnership makes me want to remove tailscale from my stack and instead use wireguard directly. Leaves a bad impression. Fighting against my instinct and telling myself I'm irrational. Tailscale is one of the first things I install on every machine. It's so good. But this partnership erodes trust, doesn't build it.
mullvad has one of the best reputations in the entire consumer vpn space. they were one of if not the very first businesses to accept bitcoin back in 2010 when no one knew what bitcoin was and before the word crypto existed or anyone was in it to make money. they were one of the early funders and supporters of wireguard itself before it was merged into linux (and before anyone cared about it). they are working in cooperation with firefox to run their vpn system. they require no email address or personally identifiable information at all to use them. they don't do scammy sponsorships on podcasts or youtube channels to mislead people into thinking that their service or vpns in general solve problems they don't actually solve.
and at the end of the day if you think consumer vpns are stupid you can always just not use it. i don't think that them teaming up with mullvad implies anything bad or suspect about either of them. this type of a service is something that is really important and useful to a certain subset of users, and if they were going to wind up teaming up with a consumer vpn provider this is probably the least shady and most principled one they could have done it with.
I personally think all of the VPN providers are essentially selling snake oil. In addition, I think there are better tools for the job. If you want anonymity, use Tor. If you want to bypass geo-restricted content, use Bittorrent.
From a strategy standpoint, I am not sure how this helps Tailscale at all. It changes how I view them and not in a good way.
[1] https://en.wikipedia.org/wiki/John_Gilmore_(activist)
> nothing stopping a web proxy operator from sniffing all user credentials passing through them, and modifying PHPRoxy to do this is trivial
That's why you go through seven proxies.
The first VPNs I encountered were for bridging branch offices onto the corporate network.
It was only later when they made 'consumer' vpns where they became point-to-multipoint affairs, for bridging a single computer onto the network. I'm not really sure how that confusion happened. In that era they were glorified SSH tunnels.
Well they generally call the first type Site to Site VPN tunnels and the second client tunnels. Lots of different marketing from various companies makes it confusing since it's basically all the same OSS under the hood.
Presumably via corporate 'single computer onto the network', basically as soon as laptops became commonly issued.
Not "originally" but still, site to site VPNs are widely used.
Technically, mullvad's VPN is also site to site, except the remote site is the internet.
I regularly used similar VPNs to connect entire segments of my home LAN to the internet.
The main difference is how you set up the client end because almost always, the other end is a network instead of a host.
What is with this tendency to want to gatekeep the term "VPN" away from consumer-oriented providers? The general term "VPN" means exactly the same thing now as it did 20 years ago.
Virtual means it doesn't correspond to a physical network interface. Private means it involves encryption, as opposed to a basic tunnel like ipip or 6in4. And they've always been network interfaces showing up on some node, regardless of whether that node might have been a vendor's proprietary black box.
Decades ago there were fewer uses/topologies, dedicated "routers" were more important, and people naively trusted infrastructure. Those are the differences that have evolved with time. Quick searches say OpenVPN was released in 2001, and tinc in 1998.
> Private means it involves encryption, as opposed to a basic tunnel like ipip or 6in4.
The common-sense meaning of "private network" was, and is, a network that is private. I had one with a bunch of my university friends - we ran our own network services that we wouldn't trust to the wider world, like we had back when we lived together and really did have our own private network.
A point-to-point line to the provider's router that then bridges you onto the public internet is a "private network" only in the most degenerate sense.
I love tailscale's technology and their contributions to the security ecosystem, but I can't help but take a contrarian angle to many of the comments here...
This feels like a bad idea, and perhaps it signals defeat in the enterprise space (where the tech would provide the most value, imo). Tailscale raised $100M last year, surely based on a theory of growth upmarket. While this partnership surely provides value to personal consumers, it feels, at best, a distraction from the larger opportunity and, at worst, counterproductive to achieving it.
I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
> I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
Okay. But it does? Our stats continue to show that making nerds happy (we're also nerds) leads to more corporate sales. (https://tailscale.com/blog/free-plan/ etc)
So if we can make something that we want ourselves and our friends and fellow nerds also like, and that also then leads to more corporate sales... why not?
Anecdata: It directly led us (Instacart) to try and then adopt Tailscale. Many of us had used it at home and were happy nerds. This gave it a huge initial leg up vs other "enterprisey" VPNs when we were in the evaluation stage.
Tailscale sold itself after that. The docs were excellent and it really is simple to use and run. I was able to do a full PoC in a day and prove that I could join all of our environments and clouds into one VPN and have DNS resolving correctly everywhere.
I appreciate the response - great blog post. I don't doubt this works for certain companies and components of the ecosystem; it worked for Dropbox (at least for a long time).
Tailscale is clearly a superior product to its competitors and I have regularly recommended colleagues and clients to evaluate whether it fits their needs. However, unfortunately, that is frequently not enough to "win" in the crowded and bureaucratic enterprise software space.
I would love to be proved wrong here and wish you the greatest success!
A lot of B2C VPNs position themselves as kinda sketchy and anti-corporate.
If the cops or the MPAA come calling, we'll tell them to go to hell. Netflix blocks our servers? We'll set up new ones. Accused of torrenting? We didn't see anything, and we don't know who you are either. We're incorporated in a jurisdiction that makes us almost impossible to sue. We've got 4 employees, and not a single clothes iron between us.
B2B VPN products often have the opposite market positioning - straight-laced, trustworthy stuff. Absolutely not claiming to be difficult to sue. We've got 50+ employees, all of them wear shirts and some even wear ties. And suppliers like cloudflare are more than happy to help you MITM all your employees' https traffic, in the name of "security".
These just seem like positions in the market that are very hard to reconcile.
This is a pretty tried and true process historically as well, just… “ask your developer.”
A lot of the people making purchasing decisions to acquire products like Tailscale are in security departments and have a very low opinion of Mullvad (VPN of choice for all kinds of abusive/fraud/hacking traffic).
tailscale has many employees, adding a small patch to wireguard client programming and strapping in mullvad account provisioning seems like a very small amount of effort for a pretty cool feature that also earns some recurring money from the hitherto freeloading nerd customers.
Point well taken. My comment was primarily based on two other factors:
a) the strategic signal it sends re developer resource allocation and b) the market signal it sends, selling a security solution while partnering with a company (not a knock - I've been a mullvad customer!) that provides solutions which are frequently used to bypass compliance/regulatory controls.
It doesn't sound like that's a big distraction for Mullvad as it seems most of the actual changes are done on the Tailscale side, enabling users to use Mullvad proxied through their setup.
Partnering with similarly aligned organizations like Tailscale and Tor seems like a good way of increasing the userbase without engaging in sketchy business models like the rest of the VPN competition.
> I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
This past summer I quit my job as Engr #3 of a startup. While there, I desperately tried to convince 1+2 that we should use tailscale instead of rolling our own VPN with WireGuard and EC2. Couldn't do it. The product was too magical and everyone was suspicious. I use it at home and tried very hard to make the case.
This feels more like a long term investment in breaking the “mesh” basis for their product. IMO it’s part of the magic and partially a problem. I couldn’t explain the security model for the mesh (as an outsider), and according to some comments it seems like it causes battery issues on mobile devices.
They've been, over the past year, putting a significant amount of work into fixing the battery life issues. It is largely resolved for me, and, according to a recent article, it seems for the vast majority of their users.
https://tailscale.dev/blog/battery-life
* 2% still affected according to https://tailscale.com/blog/reimagining-tailscale-for-ios/
This also has to be a nightmare for speed. Making two separate tunnels, then browsing the internet through them? Streaming or using virtually anything other than static HTML pages would be a pain.
Mullvad servers are fast enough. On some occasions, I can only connect to Mullvad through 3 hops. Me -> Chinese VPS -> DigitalOcean VPS -> Mullvad. I can still stream YouTube just fine (1MiB/s)
Context: during government meetings in a particular region, their network policies would become more restrictive so that it’s only possible to connect to Chinese IPs. Chinese VPSs are exempt but cannot connect to Mullvad directly due to a Fortinet rule. Connections are done with a mix of Trojan-gfw, xray, and WireGuard
Mullvad has been doing a lot recently and I'm really loving it. It kinda seems like they are building a decentralized open source ecosystem through partnerships with other companies that are seeking similar things. Which really seems like the "hacker"'s dream (people liking security, not crackers). I wonder if we'll see Matrix next or Signal? (highly doubt Signal, but one can dream that the ecosystem is moving speech will actually mean something). I'd love to see a world of open source open protocol products working all in harmony. I just never really expected to see that until we got relatively close to a post-scarce society.
Tailscaled runs as root. Is there a way to confine it, without losing functionality?
As it connects many devices in my network, a vulnerability in Tailscale will have a significant impact (they recently had nearly 10 CVEs). That's not the case with the standard client server approach (clients can run user space Wireguard).
Even though I don’t open ports with Tailscale (more precisely, I outsource them to Tailscale), I still can’t sleep well at night!
Userspace mode might be an option (runs without a TUN or doing any system network wiring, at the expense of performance): https://tailscale.com/kb/1112/userspace-networking/
Running Tailscale without privileges is a challenge because tailscaled needs to be able to configure your network, and if you enable Tailscale SSH it also needs to be able to create sessions for configured users. For people who don't need SSH and accept this challenge + maintenance burden, it is possible: https://tailscale.com/kb/1279/security-node-hardening/
Thanks!
I assume for DNS it also needs to modify resolv.conf as root when needed.
There's a userspace networking mode that pulls it out of the kernel?
https://tailscale.com/kb/1112/userspace-networking/
Could be wrong here but I believe you only need to run as root once for setup. The daemon can be run as a non-root user just fine
Source: that's how I run it on Arch
Are you sure? I set up tailscale recently on Arch and the daemon is definitely running via a systemd system service (not a user service).
On its face, this is really cool and being a user of both tailscale and mullvad this is awesome.
My primary concern though: will this lead to potential privacy leaks? Can a government agency shakedown Tailscale now to trace your Mullvad ID/connection to your Tailscale account?
That's exactly what they address here under "Private and (mostly) anonymous ": https://tailscale.com/blog/mullvad-integration/
tl;dr: As always, it depends on your threat model.
That doesn't really answer my question at all, at least not thoroughly in plain English.
The question is: if a government agency goes to tailscale and says: "we're looking for Mullvad user 912830193276163872" - does tailscale log that, can they provide it, will they provide it?
Ah! This could have been great for me, except that Tailscale recently cut off access to Cuban nationals to their service (they have their reasons, I guess.) Still, I think that the service they're building, step by step, is fine actually.
While I don’t work for Tailscale and don’t know their specific reasons, I do know that US export controls and sanctions with respect to Cuba are quite complicated and are designed more due to historical & continuing political pressures than sensible policy.
I used to be involved in leading a US charitable nonprofit that, during the Obama years, once wanted to pay for someone to attend a technical conference in Cuba (or maybe it was to pay for a Cuban to attend a technical conference elsewhere - I forget). We did actually make it happen, but it involved consulting with lawyers, comparing the details of the situation against the applicable rules, and getting people to promise to stay within those rules.
My guess is that either Tailscale or one of the providers they depend on is cutting off Cubans as an attempt to comply with these Cuba-specific US legal obligations, or at least to reduce their risk of falling into non-compliance.
At the very least, GitHub has found ways to legally make most (not all) of their offerings available to Cubans / in Cuba despite the sanctions, except for more narrowly banned individuals and groups. So if you can obtain the open source code for Tailscale (client) and Headscale (server), you can at least use that to benefit from Tailscale’s software.
I believe Tailscale re-incorporated from a Canadian company into a US company for various compliance things being easier, but a consequence is that now they have to follow certain US obligations WRT Cuba, amongst others.
Small / medium companies prefer to play it safe and don't really have the resources to deal with what the Department of State says.
Even Google follows some of those: https://support.google.com/google-ads/answer/6163740?hl=en
If Tailscale uses services from any of the big hyperscaler cloud providers then they haven't been given a choice.
Any sort of export control/embargo that cuts off specifically VPN access to foreign nationals is supremely stupid imo
then talk to the US government about their very fucking dumb failed sanctions regime against Cuba?
Exactly. I do believe that certain individuals and organizations might/should be excluded from service here; however, it seems like the only technical solution to regulations enforcement is to wholesale block a whole country.
Should they sell VPN services to North Korea? What might the reasons be on the "no" side?
You can run your own "head scale" control server and use their clients with it: https://github.com/juanfont/headscale
Requires a lot more setup, but it is an option. I've been self-hosting headscale for some time and it is quite stable.
Other side (probably should merge): https://news.ycombinator.com/item?id=37420382
If you're already a Mullvad customer, is there some way to integrate this into your account?
Right now, when I want to use Mullvad via my tailnet, I set the exit node to be a linux box at my house that is set to automatically send all traffic via Mullvad. That's free for me, since I already pay for Mullvad on that linux box at home.
https://twitter.com/bradfitz/status/1699806137661726790
fortunately it doesn't matter at all unless you've stacked up a lot of prepaid months at Mullvad.
Wouldn't it be more "efficient" networking if I could sometimes just use the mullvad app instead of tailscale > mullvad?
Either way it would be good to at least have the option to use an existing account. Maybe tailscale is taking a cut since mullvad dropped recurring sub support natively.
Well, if you want to use Mullvad outside of Tailscale, then it does matter: https://mastodon.online/@mullvadnet/111024772652906757 Seems like you won't be able to use your Mullvad account created via Tailscale for anything outside of Tailscale...
Wow, that's really annoying.
I pay for a year at a time for ease of use since they wouldn't save payment info when using port forwarding. And now since I last bought a year's worth in May they turned off port forwarding and now make me drop the next 8 months of prepaid time if I'd want to use this feature (that I've been waiting for for years).
Can someone help me understand why VPN use seems to have exploded in recent years? I mean, I'm aware of the typical use-cases of corporate devices and such, but I doubt that's the major contributor here as those use-cases have existed for decades now. What's the impetus for what seems to be massive growth over the past 3+ years?
There's a fair amount of FUD tossed around in sponsored ad reads of a lot of independent creator content these days, so much now that the colloquial use of "VPN" these days for the masses is not "allow me to gain access to a network I control from anywhere" but "help me route my traffic to a specific geolocation".
Half-truths about "securing your connection" and "preventing tracking" are spouted, without the supplementary information that device and browser fingerprinting do more to identify you as a user than geolocation does. With HTTPS, traffic is already encrypted, and any DNS-over-HTTPS or TLS provider will also mask where you were headed to, leaving much of the supposed benefits to be mostly snake oil.
If, however, you want to use it to access geofenced content, or you employ an obscurity-in-depth strategy to anonymize your identity, then sure, go ham. But as to why usage has exploded by the masses, a healthy dose of paranoia and influencer marketing.
It's not a terrible result tbqh.
99.999% of airport wifi users don't know that their traffic is bridged. So unless WIFI-6 introduced some network segmentation features that I'm not aware of, it's still a good idea for Grandma and Grandpa Jo.
The reason it's ubiquitous on YouTube is because they are gouging the hell out of consumers. Honestly it should be provided by your ISP as a bundled service. Although then it's just Comcast gouging you instead...
Can confirm, it seems like every single YouTube channel I've watched in the past 2-3 years has had an ad for 3 or 4 VPN services. Plus, the internet is getting more segmented, when I send links to some US sites to my friends overseas they need a VPN to access it, which wasn't the case like 6-7 years ago.
there's still ISP domain level blocks (based on SNI) to contend with, even if they can't modify any content. Things such as court banned sites (pirating?), age restricted content, etc.
Somehow my ISP can see what I’m downloading even though I use https etc and has sent nastygrams a few times when they didn’t like what they saw.
The VPN market has had considerable growth year-to-year since at least 2009. It's just that in the last few years that growth has added up to big absolute numbers.
Here's how I think about customer segments:
* Those interested in online privacy
* Those interested in circumventing censorship
* Those interested in a secure network channel from their machine to "The Internet", by which I mean secure from their local ISP eavesdropping on them.
* Those interested in circumventing geographical restrictions.
Due to the nature of the Internet and how its most important protocol (IP) works, changing your IP address is a necessary, but not necessarily sufficient, step in protecting your privacy online. This fact says something about the long term relevance of VPNs, Tor, and similar technologies.
Source: I'm one of the co-founders of Mullvad VPN.
In the age of wifi the man in the middle included someone sitting in the same coffee shop as you. ISPs turning into jerks came on the heels of that. Depending on where you got your news, it might have seemed like you heard about ISPs and hackers around the same time, but from my perspective the ISPs learned how to be bad from security experts explaining how much mischief a person could get up to and deciding that sounded like a swell idea.
VPNs of the Mullvad type (not them specifically): Mostly marketing to the ignorant, but also people in police states and people who are getting annoying letters about their torrenting.
VPNs of the Tailscale type: Mostly people who self host apps and want them to be available across their devices without opening them up to the internet, or be able to access their NAS from Starbucks.
For me, at least when it comes to Tailscale, it was Tailscale SSH and MagicDNS. I haven't had to touch `sshd` at all, and I get automatic HTTPS certificates for machines connected to my tailnet. Also, it's free.
[1] https://tailscale.com/tailscale-ssh/ [2] https://tailscale.com/kb/1081/magicdns/
I don't do anything sketchy online, but I use a VPN for the same reason I use HTTPS rather than HTTP, ssh rather than telnet, BTC/XMR rather than my credit card (when possible), and LUKS FDE rather than nothing. I value my privacy, and I want to fight the false perception that privacy-enhancing tools are only for shady usage by shady people.
Use a VPN for the same reason you close the stall door in a public restroom.
(I'm not necessarily agreeing with your premise that VPN usage has recently grown; I don't know that to be the case.)
A VPN only makes sense if you trust the VPN provider more than your ISP, if not you're only making things worse.
what does "VPN use seems to have exploded in recent years" mean? I mean, what have you observed? "VPN" means lots of different things.
VPN to company is much more popular with businesses because of WFH and Covid.
consumer VPNs to random providers that advertise on podcasts are way up because of different countries having different video streaming service catalogs and because in the US consumer ISPs are increasingly privacy- and reliability-hostile. there's also a big marketing buzz because scaring people over these things was good for signups, so consumer VPN providers chose to advertise a lot.
Tailscale on the other hand is a way to re-create an actually flatly routable Internet, for myself, but with 2023 security levels.
Mostly because geofencing is getting much more widespread for various legit reasons (security, anti spam, licensing restrictions, etc) and very annoying for end users.
> various legit reasons (security [...])
"Security" is not a legitimate application of geofencing, in my view.
Any attacker can trivially use a VPN to defeat it, yet legitimate users are massively inconvenienced by it. I've had too many accounts (bank and otherwise) locked for the crime of trying to access them while traveling internationally.
Netflix. Their library varies significantly by country
True but Netflix is at total war against VPNs. Entire blocks of IPs that these VPNs use are completely blocked.
Vpn hasn’t worked with them for years unless you get lucky for a bit.
Generally it's to guard against ISP spying. In the case of your personal devices that you walk around with at work, the "ISP" is "your employer". Employer IT pride themselves on being far more nosy than your run-of-the-mill ISP.
Just my 2 cents that I wrote about here[0]. It boils down to:
1. Ease of use for non technical folks (my dad in the post)
2. The dangers of having an exposed ssh port (even on non standard ports)
I just don't have the time or compute to constantly tweak my security settings for a publicly exposed port, so the easiest way to solve the problem is to not have the port publicly exposed
---
0: https://blog.imraniqbal.org/tailscale/
It feels like you may be solving a problem that didn't need solving? If you fully disabled password authentication, there's nothing to tweak; you can just ignore the log spam and not block the IP addresses and ignore it and it'll be fine.
I use a VPN anytime I leave my house (although it's not a commercial "service"), because network-based telemetry is on the rise and companies that offer free WiFi as well as our telcos are basically out to get us. See https://www.wired.com/story/verizon-user-privacy-settings/ as one example.
I don't want to "opt-out" and hope companies actually follow their policies, or assume their policies are sufficient when I "opt-out". So I ensure all of my network traffic is routed through my home no matter where I'm at or which device I'm using, and then from my home I ensure all my network traffic is routed through a business-grade connection that is offered under standard contract terms that preclude the type of fuckery that every ISP in America seems to think is acceptable to do to consumers.
That's why I use a VPN, and I'm pretty sure a lot of people who use a commercial VPN service do it for very similar reasons and don't have the technical know-how or wherewithal to set something like I have up for themselves.
A lot is driven by torrenting. Exposing your real IP will get you sued or banned by your ISP.
Private trackers are the solution to this problem
For VPN in the Corporate network sense, it's for easy access to your computers. You don't want to have to open ports on your router or hope that whatever world-accessible service you throw out there is secure - instead, Tailscale handles authentication, authorization (if you'd like to set up ACLs), and it handles NAT traversal without any open ports.
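To make the "authentication, authorization (ACLs)" part concrete, here is an added example of a tailnet policy file in Tailscale's HuJSON policy format (JSON with comments and trailing commas). It is not from the thread, from Tailscale's docs, or from any commenter's tailnet; the tag name `tag:nas` and the ports are assumptions chosen to match the "reach my NAS from Starbucks" use case mentioned above, and the `ssh` section shows how Tailscale SSH (mentioned a few comments up) is authorized by the same file.

```jsonc
{
  // Who may apply tags. Tagged devices are servers with no owning user.
  // Assumption: the tailnet admins own the NAS tag.
  "tagOwners": {
    "tag:nas": ["autogroup:admin"],
  },

  // Network ACLs. The list is default-deny: a tailnet with a non-empty "acls"
  // only allows flows that match a rule, so every other port on the NAS and
  // every other device is unreachable.
  "acls": [
    // Any member device may reach the NAS on SMB (445) and HTTPS (443) only.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:nas:445,443"]},
  ],

  // Tailscale SSH rules replace sshd's own AllowUsers/keys for tailnet logins.
  "ssh": [
    // Members may SSH into their own devices as a non-root user without re-auth.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"],
     "users": ["autogroup:nonroot"]},
    // Root on the NAS requires a fresh identity-provider check each time.
    {"action": "check", "src": ["autogroup:member"], "dst": ["tag:nas"],
     "users": ["root"]},
  ],
}
```

Two design notes: the "check" action is what makes Tailscale SSH safer than a long-lived authorized_keys entry, because an attacker who steals a laptop still has to pass the identity provider to get root; and because the ACL is enforced on the receiving node, the NAS needs no port open to the public internet at all, which is the point the parent comment makes.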
I think the parent is talking about consumer VPNs, which use VPN protocols to implement a proxy service, providing very little of a private network.
Privacy and tracking prevention. It can get you access to stuff that's not in your country, depending on the service you're trying to get.
I think a primary reason is "more privacy" (Mainstream VPNs actually reduce privacy) closely followed by bypassing regional restrictions (like blackouts during sports games, using Pornhub in Utah or Alabama, or looking up clinics that perform abortions in Texas) followed by bypassing ISP restrictions.
>Mainstream VPNs actually reduce privacy
They help to mitigate IP based tracking.
For me the fact is there are really easy to use user interfaces for VPNs now. They are very performant and low latency as well, so they're practical for everyday browsing on the modern web and even for gaming and streaming.
Also, geographical blocks on content such as Netflix and BBC etc
Aside from "Privacy VPN" usage, there are other reasons to have a VPN server (including tailscaled) at home. Some home network connections don't offer a public IPv4. People want to avoid exposing any port to the internet.
States attempting to pass age-verification laws, and large streamers trying to fuck over customers by locking their account access to their home IP.
I can't speak for everyone, but technologies like WireGuard, Tailscale, and Nebula are not merely VPN solutions. They're SDN solutions that incorporate VPN capabilities, WireGuard (and thus Tailscale... in most cases) being unique in that they're incorporated at the kernel level. Having a single overlay network for my cloud host, home servers, cell phone, and personal computers allows me to construct my own private cloud of sorts.
Here's a visual: https://mermaid.live/edit#pako:eNptUstugzAQ_BXL5_ADHHqBSjlUJ...
* fud from youtube sponsorships
* circumvention of geoblocking
Mh interesting, I wrote a script a while ago that starts on connection, in order to have mullvad coexist with tailscale, if anyone is interested; I also have one for NVPN
Side note: you can simplify the first line like this:
Thank you!
What is the $1 in `wg show $1`, and how/when do you run this script?
Ah yeah so $1 is the mullvad interface name, and you run it by placing it in mullvad's wg conf file as
Code blocks are done on here by indenting with 2 spaces, not with ```
Ah nice thank you
Excellent, I'm finally able to retire the NixOS module I wrote to replace Tailscale to fix this exact problem [1]. It was certainly imperfect and overengineered, but it has worked for my use cases pretty well.
I'm still not sure if I like the login situation for Tailscale (allowing only 3rd party auth) but I understand why they do it.
EDIT: Turns out I can't use it yet since you have to buy Mullvad through Tailscale. I bought a year of Mullvad in May (they can't save payment info for port forwarding) and in the 4 months since they've removed port forwarding[2] and won't let me use my remaining credit for this integration.
[1] https://news.ycombinator.com/item?id=36113215
Custom OIDC providers are supported to mostly address your 3rd party auth concerns.
https://tailscale.com/kb/1240/sso-custom-oidc/
So it’s $5 for 5 devices? I was expecting to see an option for existing mullvad customers to enter their credentials instead of buying a new subscription but may not be the same thing
As someone that already has a subscription to a VPN service (not mullvad), I’m wondering what this would get me for end devices, vs just using my vpn provider as I’m already doing
Oohh, this is exactly why you can't. I just commented similarly, but yours made me realise - this must be an agreement between the companies, Mullvad doesn't want you to fairly easily have all devices on the same tailnet, single exit node using 1/5 keys on Mullvad. Without Tailscale, if you configured them all separately, it'd use as many keys as you had devices.
You can similarly bypass it without Tailscale, the same way you had to do it in Tailscale before this announcement, with everything egressing via a server which is the single Mullvad client. But it makes sense with the built-in solution (with probably better latency etc.) that they wouldn't want that.
Yep, disappointing that I can't bring my Mullvad credentials over and have to pay for a new account.
I recently (just earlier this week in fact) had to spend a few days on fast-but-restricted "guest" WiFi and was struggling with this very thing: I needed to use a tailnet to access my servers for vscode remote development, but also needed a VPN since the WiFi was blocking harmless stuff like duckduckgo.com
In the end I was able to do a split-vpn config to allow VScode to bypass the VPN and leave the browser to use the VPN. Having tailscale just handle it would have been handy, and reading the docs today I found out that I could have just used a machine on my home network as the exitnode as well, which would have worked great too I expect.
Have to say though that this was the first time I had used tailscale "in anger" for any serious period of time away from my home network. It was superb and (apart from the VPN issue) just worked exactly as advertised and I was able to access all the stuff on my NATed home network as if I was in my home office. Brilliant product - thanks to all the tailscale folks ("tailers"?) on here for the product!
Mullvad is such a good vpn. Too bad they disabled port forwarding. Does anyone know of a vpn that's anywhere near as good but allows it?
If you're researching vpns, maybe consider how they are related to media companies as part of your evaluation:
2023 Paid VPN Relationship and Corporate VPN Ownership Map
https://news.ycombinator.com/item?id=37324202
This tailscale press release claims you can forward nonstandard ports with this configuration. Who knows what that means or even if the copy was just approved six months ago or what.
Ivacy has been around a long time and allows it [0].
[0] https://www.ivacy.com/port-forwarding/
(They're based in Singapore)
picking a VPN based on extreme privacy demands that's domiciled in Singapore seems pretty courageous
I went over to https://airvpn.org/, so far so good.
I switched to airvpn and have been happy
ovpn and azirevpn come to mind.
Fantastic! Now all I need is a router that puts my entire home network - apple tv, internet of shit devices, everything - on tailscale...
You can do it at the router level, or you can just have a device in your house (even a Raspberry PI) running an exit node.
Then anybody using your tailnet can use it as an exit node, and route all traffic via your home connection.
Yeah, thanks for the suggestion; i do have an intel nuc hidden away somewhere that runs an exit node. I'm looking for the reverse basically, having my entire home network use another exit node somewhere else, to access regionally restricted content...
If subnet routers within Tailscale don't address your needs, GL.inet devices are beginning to add support for Tailscale exit nodes!
german avm corporation has the "fritzbox" router lineup which can do ipsec and wireguard with normie gui.
openwrt surely will do the job on many aio or an old laptop.
Honest question, what would you achieve with that?
An easy button in the tailscale/mullvad gui to get region-restricted content on all (my kids) devices.
Shame you have to pay double if you want to use Mullvad inside and outside Tailscale.
I hope they work on integrating the services both ways so I can bring my Mullvad account number over.
why would tailscale want to eliminate you paying them for this nice feature
Two excellent products merging to solve an immediate issue I have. That is amazing!
*collaboration, not merging, which is a good thing :)
Can I get a cut?
> (to tailscale Mar 16, 2022) Hey can you also make a Tailscale browser in the same vein as the Tor browser? Random thought.
Why would I use Tailscale over OpenVPN, for example? OpenVPN is supported by my router OOTB and the config was incredibly straightforward. It sounds like Mullvad adds a layer of privacy into a Tailscale network if I’m understanding it correctly. But Mullvad aside, I don’t get what separates Tailscale from something like OpenVPN.
We have an article that tries to provide a detailed answer to this question! https://tailscale.com/compare/openvpn/
Cool thank you will give that a read.
Significant ease of use.
i believe wireguard is far more performant for one thing. i find the config files a million times more readable too but that's subjective
Huh. Well in my case I flipped the feature on in my Asus router, installed the OpenVPN client on my iPhone and imported the config file my router generated for me and that was it. Took like 2 minutes to do.
What's the unique selling point of Mullvad?
You can pay for the service by mailing them cash: https://mullvad.net/en/pricing
They run servers with no hard drives: https://mullvad.net/en/blog/2022/8/1/expanding-diskless-infr...
You cannot hide from governments. If they want you badly enough they can track you anywhere. So, don't do anything illegal and expect any VPN to protect you because you paid in cash! Remember, all governments have secret national security laws to surveil all data all the time and almost all governments' (even supposed enemies') secret national security agencies cooperate if they badly want to catch someone.
You cannot hide from advertisers if you use a smartphone with apps. App developers who put ads within their app control the app's behavior completely and hence they can fingerprint your device and track you very well without using IP addresses. And within browsers, they can fingerprint you through many javascript features of the browser. Hiding your source IP does very little for your privacy.
Almost all traffic (apps and websites) is encrypted via TLS (https, for example). So, even if you are on an insecure network, unless your OS's TLS certificate store is compromised, your communications are encrypted and protected against snooping from that insecure network.
Also, even on open wifi networks, today, it is very unlikely that the wifi is running without at least WPA2 encryption. Most modern airports run secure wifi. (But they also monitor all traffic metadata for illegal activities).
So, using a VPN as an exit node is just privacy theatre. VPN exit nodes in faraway countries are useful for bypassing content censorship in your own country, but it works only if the content streaming service cooperates with you.
Remember, all ISPs are heavily regulated by governments and can be asked to mirror specific customer's traffic for analysis. I would be very surprised if they don't proactively do it for all VPN operator nodes by default.
Not just no drives, but also no logs, and per their last audit they're working towards no administrator access to the shell.
The cash thing is awesome and good for them.
That said, I don't know if Mullvad is good or evil, but one of the ways you can evaluate companies is to recognize when they're making sketchy, not-relevant claims to create an air of legitimacy.
This "our servers have no disks" thing is the kind of thing that is marketing. It is meant to imply something that it doesn't actually demonstrate. Who cares if there are local disks? It doesn't change the threat model at all, it's mostly to convince people who don't know very much about claims which are basically impossible to prove. It's the higher-tier version of "we use military grade encryption."
Lawful Intercept on the public internet does not rely on local hard drives on any node in the network and has not since the 90s, as a specific example of how meaningless this is.
You can mail in cash for ivpn too
They practice what they preach. They recently stopped selling recurring subscriptions, and most likely threw away a big chunk of money, because there was no way to support them in an anonymous way.
I'm glad I have a grandfathered subscription, because that seems like a usability nightmare
Trustworthy audits: https://mullvad.net/en/blog/tag/audits/
they take privacy extremely seriously, by trying to reduce the amount of data they even have that can get subpoenaed (no logs, no accounts, accept payment by cash) and appear to have not yet fucked up.
trustworthiness
So tailscale makes it super simple to create your little network, sorta like hamachi used to, but what's the point of mullvad in this equation - can someone explain it to me a little more clearly like I'm 5 (ELI5)?
Tailscale creates a mesh network between your devices.
In addition, you can tell it to tell some or all of your devices to use another device as an exit node for traffic heading to the Internet.
Today they added the option to use Mullvad's VPN nodes to do that instead.
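The mesh-plus-exit-node model just described (and the ACL-based authorization mentioned further up the thread) is expressed in the tailnet's policy file. Below is an added example of such a policy in Tailscale's HuJSON format, not taken from the thread or from Tailscale's own docs; the tag, group and user names are made up, and the `mullvad` node attribute is written from memory of Tailscale's documentation, so check it against the current KB before relying on it.

```json
{
  // Admins own the tag that marks the home NUC / Raspberry Pi as an exit node.
  "tagOwners": {
    "tag:home-exit": ["autogroup:admin"]
  },

  // A device tagged tag:home-exit that runs `tailscale up --advertise-exit-node`
  // is approved as an exit node without a manual click in the admin console.
  "autoApprovers": {
    "exitNode": ["tag:home-exit"]
  },

  // Constructed group: the people allowed to send Internet-bound traffic
  // through an exit node (home or Mullvad).
  "groups": {
    "group:travelers": ["alice@example.com", "bob@example.com"]
  },

  "acls": [
    // Mesh part: every member can reach their own devices on the tailnet.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},

    // Exit-node part: only group:travelers may route to the Internet via an
    // exit node. Members outside the group can still use the mesh, but an
    // exit node will not forward their non-tailnet traffic.
    {"action": "accept", "src": ["group:travelers"], "dst": ["autogroup:internet:*"]}
  ],

  // Assumed node attribute gating the Mullvad exit-node add-on to the same
  // group, so the rest of the tailnet never sees the Mullvad nodes as options.
  "nodeAttrs": [
    {"target": ["group:travelers"], "attr": ["mullvad"]}
  ]
}
```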
Probably access to their customer base.
if that's the case then long gone are the days where Mullvad was the "send me cash in a snail-mail envelope and we'll let you in" provider
Nice! Presently maintaining this hackily myself with an exit node running in Fly.io that reaches the internet via Mullvad, I'll be glad to simplify it and maintain less.
I'm a bit confused about the payment section though - I have to pay for Mullvad via Tailscale now? Can't I just use the peer keys I've registered in my own account?
Fuck this is good, I've been manually maintaining NAT instances for each country with Mullvad on them, it was awful
This seems like a really smart move.
Can anyone comment on whether it's possible to use something like NextDNS in conjunction with Tailscale and Mullvad?
Edit: to clarify, I'm aware of the existing NextDNS integration with Tailscale - I was wondering if this (or other third party DNS) works specifically with these new Mullvad exit nodes...
first result on google for "tailscale nextdns" explains how to - for some reason - leak all your dns queries to some random company you don't pay money to: https://tailscale.com/kb/1218/nextdns/
Are you talking about the metadata collection by nextdns itself ? It's not some random company and again you can disable it pretty easily. Afaik the metadata is mainly used to classify requests per device and show some stats
Err what? NextDNS is not free, you do pay them money every year to use it.
Tailscale supports using NextDNS as a nameserver: https://tailscale.com/kb/1218/nextdns/
Did not know that, thanks for mentioning. This fixes probably a big problem for me.
I've never used Tailscale or Mullvad, I do use a VPS and Wireguard that I configured and run. I'm wondering if people working at Tailscale or Mullvad could snoop on the traffic passing through their servers?
Tailscalar here: Tailscale servers never see your traffic in plain text.
In the integration with Mullvad in particular, WireGuard connections are always direct from your device to the selected Mullvad exit node.
Any way to expose ports using this integration (for Plex remote access etc.)?
Tailscale Funnel is the already existing feature for exposing ports.
Can a device which is not capable of running custom software, i.e. the router my ISP gives me, but which is able to connect to WireGuard, be used to connect into an existing tailnet?
This looks great, it's a shame that you have to go all the way through the payment process to see "Not available in your country (Australia)" though..
Why is this only available in certain countries?
It doesn't make sense that this isn't available in countries where both Tailscale and Mullvad are available, like here in Norway.
This is awesome. Just yesterday I was thinking about how nice it would be if I could just connect to Mullvad directly from Tailscale. Great work!
Mullvad is what Mozilla VPN uses underneath as a white label VPN. I guess this partnership does not apply to those licenses.
As a personal user of Mullvad and a professional (solo dev) user of Tailscale, I hope this goes well.
First Mullvad Browser, now this. Mullvad's been making moves. Love to see it.
Mullvad is impressive; however, the issue with Mullvad ID persists. The proposed solution is a Zero-Knowledge Proof Authentication system. With this approach, Mullvad will retain your public key but will not possess information regarding the association of specific sessions with individual Mullvad IDs.
if you're going to go to some random thread and post about your slightly related hobbyhorse, at least provide a link to some information about whatever you're upset about.
It sounds great. But their banner is showing that my IP address is from Mumbai, whereas I'm actually in Bengaluru, India. That's not really reassuring. Maybe it's just Apple relay on my device that's obfuscating my details. edit: my bad, it hit me a bit late that it's the intended behaviour.
...
why yes, the thing you turned on that explicitly says it will reroute your traffic elsewhere will reroute your traffic elsewhere.
yeah. my bad. Turning off relay, did show the right message. Thanks for that.
Good job! You outed yourself on social media.
Better move to Mumbai now to throw off the ipTrace.
Not supported in Australia yet, do we know when this will be available?
Too bad I can't pay Tailscale in cash like I can Mullvad.
Now if headscale could support this that would be baller
An issue has been created to implement support for WireGuard-only peers like Mullvad exit nodes in Headscale:
https://github.com/juanfont/headscale/issues/1545
Headscale is a FOSS replacement for Tailscale's closed source coordination server. It is compatible with Tailscale's client apps, which are FOSS for Linux and Android, and partially closed source for macOS and Windows (https://tailscale.com/opensource/).
Props to both companies, doing great work.
How do you use this with Tailnet lock?
what’s the easiest way to get this on my TV roku stick so i can watch the HBO that I pay for in French?
love Tailscale! hope it remains free
Finally, I can use Mullvad.
Did it just hand out free device connectivity on adding the add-on?
Why the downvote?!
I signed up for the addon and got 15 free devices. Curious if others see this too...
seems this is related to a legacy setup and is a temporary good faith offer.
This partnership makes me want to remove tailscale from my stack and instead use wireguard directly. Leaves a bad impression. Fighting against my instinct and telling myself I'm irrational. Tailscale is one of the first things I install on every machine. It's so good. But this partnership erodes trust, doesn't build it.
Does Mullvad have a bad reputation? I genuinely don't understand why this partnership would erode trust? Can you elaborate?
mullvad has one of the best reputations in the entire consumer vpn space. they were one of if not the very first businesses to accept bitcoin back in 2010 when no one knew what bitcoin was and before the word crypto existed or anyone was in it to make money. they were one of the early funders and supporters of wireguard itself before it was merged into linux (and before anyone cared about it). they are working in cooperation with firefox to run their vpn system. they require no email address or personally identifiable information at all to use them. they don't do scammy sponsorships on podcasts or youtube channels to mislead people into thinking that their service or vpns in general solve problems they don't actually solve.
and at the end of the day if you think consumer vpns are stupid you can always just not use it. i don't think that them teaming up with mullvad implies anything bad or suspect about either of them. this type of a service is something that is really important and useful to a certain subset of users, and if they were going to wind up teaming up with a consumer vpn provider this is probably the least shady and most principled one they could have done it with.
I personally think all of the VPN providers are essentially selling snake oil. In addition, I think there are better tools for the job. If you want anonymity, use Tor. If you want to bypass geo-restricted content, use Bittorrent.
From a strategy standpoint, I am not sure how this helps Tailscale at all. It changes how I view them and not in a good way.
Maybe try Nebula? https://github.com/slackhq/nebula Or Defined Networks: https://www.defined.net/