I've run into a few odd instances of headscale not working where I'd expect it to and I don't understand how it's failing.
- Connected to my phone hotspot in the car outside my son's therapist, it worked for months, but then for 2-3 weeks tailscale wouldn't connect. Browsing worked fine. In the 6 weeks since then, it's worked fine.
- A couple nights ago I was in a Holiday Inn Express. I could successfully connect to tailscale, and ssh to machines at the office (which has tailscale on a public IP, but couldn't pass traffic to my machine at home (behind NAT, we have a DERP next to the machine at the office and also another one on the headscale node at AWS). Maybe they blocked the DERP port?
Not allowing random VPN connections on a LAN is pretty standard. I've been surprised at how many people here are able to use tailscale and the like. Guessing it's just because there are likely smaller teams here that don't have any kind of managed network.
About that, we actually tried (with support from the network team) to open a small VPN Fron our office for some mobile devices as part of an event installation. Just plain wireguard on a public IP.
After two weeks of back and forth the wireguard packets were still being discarded somewhere by a firewall/router thanks to "deny VPNs by default". Tailscale got through those immediately though by using their relays + one of the workarounds for standard wireguard ports being blocked. Point being, the service provided by a mature solution like Tailscale for punching through networks is surprisingly effective even for corporate-level networks.
Smaller teams, yes, but also it seems as though the SaaS explosion has led to many enterprises significantly relaxing the "hardness" of their network boundaries, at least when it comes to integration with companies whose services they depend on. I've seen Tailscale and tools like ngrok being approved to get into large enterprises who you might think wouldn't allow it. Some of these enterprises will set up a bastion in a DMZ to control that, but I've been surprised by how many don't do that.
That relaxation tends to have ripple effects - once you allow tunneling tools in for one purpose - like SaaS integration - then it becomes more normalized and people start using it for other purposes.
Someone is making your IT team do extra work without a good understanding of their systems if they're banning tailscale or granting special network level access thinking that ip or mac address based profiling is secure.
Your network should be zero trust. That means you want to treat every host that connects as if it's on the public internet; the corollary to that is you should give your hosts access to the public internet, unrestricted, and treat your users like adults who don't need micromanaging or constant surveillance (do sane logging, ofc.)
If you need a host that's subject to continuous surveillance, design it as such and require remote access with MFA, and so on.
Give your end users as much freedom as possible, and only constrict it where necessary, or you're going to incentivize shadow IT, unintended consequences, and a whole lot of unnecessary make-work that doesn't contribute to security.
Unrestricted access forces change management, design choices, and policy to confront each user and device for the attack vector they are, and to behave accordingly.
And then a few of those users who you treated like adults who don't need surveillance make a private network among themselves and other nodes in Russia and China to exfiltrate the corporation's most sensitive intellectual property, serve as a bridge for state-sponsored bad actors to bypass your firewall, and tunnel command-and-control traffic through your "unrestricted" egress, and now your zero-trust philosophy has created a zero-accountability blind spot that your IR team discovers eighteen months later during a breach investigation.
I'm from a cybersec and devops background, and the IT admin here is just an ancient family-appointed person with no idea of how stuff works and with a lot to gain from under the table corporate dealings.
This is a man who believes that 15 megabit is sufficient bandwidth for CompSci students in their hostels (not the college, mind you, the hostel specifically) and decided that banning games was a "hero move".
Vendor locked into Sophos and a custom third party provider, these people have zero idea about what they're doing. I've met them various times and had various discussions up and down the org chart - this is a man who thinks he should have full access to every student's browsing history in their own time and that all VPNs are the same (he doesn't know how VPNs work btw) and allow for evasion from their network policies.
It's all a bit cursed because he fear-mongers the upper echelons of the college administration by showing them made up logs saying "students are hacking the network" to justify this.
I've run into a few odd instances of headscale not working where I'd expect it to and I don't understand how it's failing.
- Connected to my phone hotspot in the car outside my son's therapist, it worked for months, but then for 2-3 weeks tailscale wouldn't connect. Browsing worked fine. In the 6 weeks since then, it's worked fine.
- A couple nights ago I was in a Holiday Inn Express. I could successfully connect to tailscale, and ssh to machines at the office (which has tailscale on a public IP, but couldn't pass traffic to my machine at home (behind NAT, we have a DERP next to the machine at the office and also another one on the headscale node at AWS). Maybe they blocked the DERP port?
Would you mind revealing which one is banned? I wonder what they are using to make that determination.
They are most likely referring to tailscale in my opinion.
Yes.
Not allowing random VPN connections on a LAN is pretty standard. I've been surprised at how many people here are able to use tailscale and the like. Guessing it's just because there are likely smaller teams here that don't have any kind of managed network.
About that, we actually tried (with support from the network team) to open a small VPN Fron our office for some mobile devices as part of an event installation. Just plain wireguard on a public IP.
After two weeks of back and forth the wireguard packets were still being discarded somewhere by a firewall/router thanks to "deny VPNs by default". Tailscale got through those immediately though by using their relays + one of the workarounds for standard wireguard ports being blocked. Point being, the service provided by a mature solution like Tailscale for punching through networks is surprisingly effective even for corporate-level networks.
Smaller teams, yes, but also it seems as though the SaaS explosion has led to many enterprises significantly relaxing the "hardness" of their network boundaries, at least when it comes to integration with companies whose services they depend on. I've seen Tailscale and tools like ngrok being approved to get into large enterprises who you might think wouldn't allow it. Some of these enterprises will set up a bastion in a DMZ to control that, but I've been surprised by how many don't do that.
That relaxation tends to have ripple effects - once you allow tunneling tools in for one purpose - like SaaS integration - then it becomes more normalized and people start using it for other purposes.
Someone is making your IT team do extra work without a good understanding of their systems if they're banning tailscale or granting special network level access thinking that ip or mac address based profiling is secure.
Your network should be zero trust. That means you want to treat every host that connects as if it's on the public internet; the corollary to that is you should give your hosts access to the public internet, unrestricted, and treat your users like adults who don't need micromanaging or constant surveillance (do sane logging, ofc.)
If you need a host that's subject to continuous surveillance, design it as such and require remote access with MFA, and so on.
Give your end users as much freedom as possible, and only constrict it where necessary, or you're going to incentivize shadow IT, unintended consequences, and a whole lot of unnecessary make-work that doesn't contribute to security.
Unrestricted access forces change management, design choices, and policy to confront each user and device for the attack vector they are, and to behave accordingly.
And then a few of those users who you treated like adults who don't need surveillance make a private network among themselves and other nodes in Russia and China to exfiltrate the corporation's most sensitive intellectual property, serve as a bridge for state-sponsored bad actors to bypass your firewall, and tunnel command-and-control traffic through your "unrestricted" egress, and now your zero-trust philosophy has created a zero-accountability blind spot that your IR team discovers eighteen months later during a breach investigation.
7 replies →
Exactly.
I'm from a cybersec and devops background, and the IT admin here is just an ancient family-appointed person with no idea of how stuff works and with a lot to gain from under the table corporate dealings.
This is a man who believes that 15 megabit is sufficient bandwidth for CompSci students in their hostels (not the college, mind you, the hostel specifically) and decided that banning games was a "hero move".
Vendor locked into Sophos and a custom third party provider, these people have zero idea about what they're doing. I've met them various times and had various discussions up and down the org chart - this is a man who thinks he should have full access to every student's browsing history in their own time and that all VPNs are the same (he doesn't know how VPNs work btw) and allow for evasion from their network policies.
It's all a bit cursed because he fear-mongers the upper echelons of the college administration by showing them made up logs saying "students are hacking the network" to justify this.