Comment by tw04

3 years ago

On its face, this is really cool, and being a user of both Tailscale and Mullvad, this is awesome.

My primary concern though: will this lead to potential privacy leaks? Can a government agency shake down Tailscale now to trace your Mullvad ID/connection to your Tailscale account?

That's exactly what they address here under "Private and (mostly) anonymous": https://tailscale.com/blog/mullvad-integration/

tl;dr: As always, it depends on your threat model.

  • That doesn't really answer my question at all, at least not thoroughly in plain English.

    The question is: if a government agency goes to Tailscale and says: "we're looking for Mullvad user 912830193276163872" - does Tailscale log that, can they provide it, will they provide it?

    • Tailscale needs to know information about your Mullvad license in order to authenticate you with the exit nodes. So it's theoretically possible for a government to ask Tailscale to correlate the data they've collected about you (like a client IP) with an authorized Mullvad license. Which, of course, they'd need to know represents your traffic from talking to Mullvad, which means you're not really placing any extra trust in Tailscale.

      I would assume that Headscale could also support this functionality in the future if you trusted Mullvad but not Tailscale.

    • if your threat model really needs to consider this, not answering it in plain english is an answer.

      they're not making a promise to not log that.