Comment by nine_k

2 months ago

What makes Tailscale more secure, or more reliable, than just a direct WireGuard tunnel?

Tailscale's complexity and features make sense when you have 200 nodes, or maybe 20 nodes at least. When you have 3-5 nodes, I think it's overkill, and a bunch of extra dependencies which may fail, and lock you out of your private nodes when you need them most.

The benefit of Tailscale is that it gives you “lots” of WireGuard tunnels that work through NAT with near zero configuration and a central admin interface.

I use a personal plan and have multiple nodes: desktop, laptop, tablet, phones, Docker containers just for me, and a couple of Raspberry Pis on my family's home networks.

Only once have I been “locked out” of a node and that was due to an expired key.

Sure, for just connecting one node to another with a known IP and accessible port it’s overkill, but for anything more complex it's an awful lot of awesome for very little effort.

  • I second this, and want to highlight that only recently I learned about a similar project called netbird. I tried it, and it looks and works very similarly at first glance. However, the Magic DNS-like feature did not work for me, for some reason. Maybe I need to do something, e.g. to enable it. More likely there are other, similar projects, but I’m not aware of them. At this point I stayed with Tailscale, but in any case, I see such projects as a tremendous help for a self-hoster.

NAT busting, and no key management. What extra dependencies does Tailscale have?