Comment by miki123211

17 hours ago

Even better, set up Tailscale.

It's far easier to set up, is much more reliable (e.g. when devices are behind firewalls), and uses direct (encrypted) connections when possible.

You can get it to do what you want with just a few clicks. Things like exposing an IoT VLAN on your Tailnet or setting up an exit node to tunnel all internet traffic through your home are super easy. You can even share specific devices with friends, which is super useful. If you have anything particularly sensitive (e.g. a notes app that you wouldn't want your children / partner to have access to), you can limit access to specific users / devices on the TS side, without bothering with implementing auth.

I think there's even a way to look up the user and device based on their IP, which is one way to add painless authentication to your apps. There are reverse proxies that do it and inject the info as HTTP headers.

If you aren't comfortable with trusting them with control over your network, you can always host your own Headscale server.
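The identity-header pattern mentioned above (a reverse proxy that looks up the Tailscale user and device and injects them as HTTP headers), as an added example that is not part of the thread or of Tailscale's own code: a small WSGI app that reads those headers, but only when the request actually arrived from the trusted proxy, and then enforces a per-user allowlist. The header names, the proxy address and the allowlist are assumptions constructed for this example.

```python
"""
Added example, not from the thread: a minimal WSGI backend that trusts
identity headers injected by a reverse proxy on the tailnet and enforces
a per-user allowlist. Header names, proxy address and allowlist are all
ASSUMED / constructed for this example.
"""
import ipaddress
from wsgiref.simple_server import make_server

# Assumed header names (WSGI form of Tailscale-User-Login / Tailscale-Name).
USER_HDR = "HTTP_TAILSCALE_USER_LOGIN"
NODE_HDR = "HTTP_TAILSCALE_NAME"

# Only the reverse proxy may set identity headers; constructed sample value.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}

# Who may reach the "sensitive notes app"; constructed sample allowlist.
ALLOWED_USERS = {"me@example.com"}


def identity_from_environ(environ):
    """Return (user, node) only if the request came through a trusted proxy.

    Identity headers on a direct connection are ignored, because any client
    could forge them; the proxy is the only party that looked the peer up.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if peer not in TRUSTED_PROXIES:
        return None
    user = environ.get(USER_HDR)
    if not user:
        return None
    return user, environ.get(NODE_HDR, "unknown-node")


def authorize(environ):
    """Map a WSGI environ to an (HTTP status, response body) pair."""
    ident = identity_from_environ(environ)
    if ident is None:
        return "401 Unauthorized", b"no trusted identity\n"
    user, node = ident
    if user not in ALLOWED_USERS:
        return "403 Forbidden", f"{user} is not allowed\n".encode()
    return "200 OK", f"hello {user} from {node}\n".encode()


def app(environ, start_response):
    status, body = authorize(environ)
    start_response(status, [("Content-Type", "text/plain")])
    return [body]


if __name__ == "__main__":
    # Bind to loopback so only the local reverse proxy can reach the app.
    with make_server("127.0.0.1", 8080, app) as srv:
        srv.serve_forever()
```

The important check is the first one: the app refuses to read the identity headers unless the TCP peer is the proxy itself, so a tailnet member (or anything that can reach the port directly) cannot become someone else by sending a forged header.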

What makes Tailscale more secure, or more reliable, than just a direct Wireguard tunnel?

Tailscale's complexity and features make sense when you have 200 nodes, or maybe 20 nodes at least. When you have 3-5 nodes, I think it's overkill, and a bunch of extra dependencies which may fail, and lock you out of your private nodes when you need it most.

  • The benefit of Tailscale is that it gives you “lots” of wireguard tunnels that work through NAT with near zero configuration and a central admin interface.

    I use a personal plan and have multiple nodes. Desktop, laptop, tablet, phones, docker containers just for me and a couple of Raspberry Pis on my family's home networks.

    Only once have I been “locked out” of a node and that was due to an expired key.

    Sure, for just connecting one node to another with a known IP and accessible port it's overkill, but for anything more complex it's an awful lot of awesome for very little effort.

  • NAT busting, and no key management. What extra dependencies does Tailscale have?

    • Well, the dependency on Tailscale's servers, for one. You're getting that NAT-busting because Tailscale is running servers to handle that for you, and you're getting around key management by having them manage your keys and overlay their own auth layer for you.

      2 replies →

> If you aren't comfortable with trusting them with control over your network

Wrt the possibility of Tailscale being compromised, there's the in-beta tailnet lock feature:

> Tailnet lock lets you verify that no node is added to your tailnet without being signed by trusted nodes in your tailnet. When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can't send or receive traffic in your tailnet. [1]

[1] https://tailscale.com/kb/1226/tailnet-lock

  • Thanks for the tip!

    I've had the Device approval setting on, and wished there were more robust lock features, but not enough to want to run my own coordinator. So Tailnet lock seems like a good security upgrade.

  • The pricing page suggests this is only for the "enterprise" plan.

    • Not sure which page you're referencing, but the linked page states it's available for Personal (free) as well:

      > Tailnet lock is available for the Personal, Personal Plus, and Enterprise plans.

Or, for those who are paranoid about relying on a company, setting up Headscale is relatively quick and painless too - currently using it to sync between devices across multiple cities.

  • Should I be paranoid? I never tried Tailscale, and the idea of trusting 3rd party with managing access to my network does give me chills. But IDK, honestly, maybe it's silly? Is it in all honesty less likely that I'll fuck things up setting my own Headscale server, than that Tailscale™ will (consciously or otherwise) fuck me up?

    • Tailscale has made all of their client source code available for anyone to view so if you want to confirm that you’re not sending unencrypted data or keys through their servers you’re more than free to do so.

      https://github.com/tailscale/tailscale

      I think there is some merit to setting up wireguard (e.g. you want more devices than what Tailscale offers for free, or their servers become unreliable for some reason)

      But people who push the "scary boogeyman will look at your data" with Tailscale are either technically illiterate or overly paranoid.

      1 reply →

    • If you got yourself into self hosting, you might as well go fully independent. You have already taken care of the most complicated part anyways.

Tailscale is a VPN, how is it "better" than using a VPN?

  • Tailscale is more than just a VPN. It has a number of features and capabilities which make it more like a private overlay network that just seems to work wherever and whenever. Some of those features: WireGuard (the VPN bit), NAT punching, automatic key distribution, ACLs, split or full tunnel routing to internet resources, SSO. Just to name a few.

Unraid added native Tailscale support in 7.0, now you can just add an "app" (a docker container) and tick a checkbox and it'll appear in your tailnet directly.

For the most part I like Tailscale, but there's weirdness on Android with their app + Private DNS.

  • This is also my big frustration. I've set it to an Adguard instance that's also on Tailscale and the app keeps getting into a faulty state. I've been looking into hosting the Adguard instance on the open web and securing it another way, but I'm a bit short on time lately.