Comment by wateralien

It's a wrapper around Wireguard that lets you use common SSO providers (Apple ID, Google, etc) to manage access.

It also handles looking up the IP address of your "nodes" through their servers, so you don't need to host a domain/dns to find the WAN IP of your home network when you're external to it (this is assuming you don't pay for a fixed IP).

Most people put an instance of it on a home server or NAS, and then they can use the very well designed and easy to use iOS/mac/etc client to access their home network when away.

You can route all traffic through it, so basically your device operates as if you're on your home network.

You can accomplish all of this stuff (setting up a VPN to your home network, DNS lookup to your home network) without Tailscale, but it makes it so much easier.

Basic version is it's a sort of developer focused zero trust network service.

Encrypted overlay network based on wireguard tunnels, with network ACLs based around identity, and with lots of nice quality-of-life features, like DNS that just works and a bunch of other stuff.

(Other stuff = internet egress from your tailscale network ('tailnet') through any chosen node, or feeding inbound traffic from a public IP to a chosen node, SSH tied into the network authentication.

There is also https://github.com/juanfont/headscale - which is a open source implementation of some of tailscale's server side stuff, compatible with the normal tailscale clients.

(And there are clients for a very wide range of stuff).

Basically it is managed Wireguard. Tailscale does say it, but it is buried under marketing speak.

I don't think you need to pay $6 a month to try it out.

Install it on all the machines you want. When you are running it on the machine, it is networked to the other machines that are running it. Now make an 'exit node' on one of those machines by selecting it in the UI, and all your gear can access the internet via that exit node. Your phone can run it. Your apple tv can run it. You can have multiple exit nodes. So you can have a worldwide network and not once did you have to open ports in firewalls etc.

Sign up for free using Google Sign In.

Install the tailscale client on each of your devices.

Each device will get an IP address from Tailscale. Think about that like a new LAN address.

When you're away from home, you can access your home devices using the Tailscale IP addresses.

Not sure if anybody gives you the answer to "what is tailscale?". So, this is my answer (hopefully it's correct and simple enough to understand).

Tailscale allows devices that can access the Internet (no matter how they access the Internet) to see each other.

To do that, you create a tailscale network for yourself, then connect your devices to that network, then your devices can see each other. Other devices that are connecting to the Internet but not to our tailscale network won't see your devices.

AI might explain it better :-) Don't know why I wanted to explain it.

Extending the question:

In my mind Tailscale was primarily to expose local services but answers here sound a bit as if people used it as a VpN replacement.

If I do not want to expose local services but only protect me and hide from untrusted WiFi, would I better use a traditional VPN or Tailscale?

My thinking is that Tailscale could be the better VPN because they have a clean business model while pure VPN companies are all shady.

A system by wich you can expose things on your private network (e.g. your home lan) so you can selectively and securely make them accesible from other places (e.g. over the Internet). You can do all this without tailscale by just configuring secure encrypted tunnels (wireshark, traefic, ...) yourself, but services like tailscale provide you with easy gui configuration for that.

I personally use Pangolin, which is similar https://github.com/fosrl/pangolin

For me: it's a way to access services I host on my homelab LAN from 3000 miles away. Having a router that automatically logs into that and routes TS addresses properly allows you to use all your devices connected to that router to access TS services with no further configuration. I host Kiwix, Copyparty, Llama.cpp, FreshRSS, and a bunch of other services on my homelab, and being able to access all of those remotely is convenient.

It's a virtual network switch/router with DHCP, DNS, and lots more enterprisey features on top. You 'plug' devices into it using a VPN connection.

It's a cryptographic key exchange system that allows nodes to open Wireguard tunnels between each other. They have a nice product, but I don't like how it spies on your “private” network by default: https://tailscale.com/kb/1011/log-mesh-traffic

If you want to self-host, use NetBird instead.

they have an excellent set of short intro videos [0] on youtube, that's what I used to get an overview and get set up.

[0] https://youtu.be/sPdvyR7bLqI?si=2kIpHtNuJ52jEdmm

Also the free tier is sufficient for basically anything non power-user or enterprice.

You don't need to get too far down the page to see "VPN", which is what it is. But on top of that primitive, it's also a bunch of software and networking niceties.

It’s a point to point vpn that works between devices even without a direct network connection.

Their personal free plan is more than enough.

It’s Wireguard for lazy people

It just virtual private network.

Open their GitHub page?

I did the same thing recently while visiting family in SE Asia. I wanted to watch my team's bowl game but American college football is unknown in that part of the world. A Wireguard connection back to my home router gave me the ESPN access I pay for in the US.

A few services didn't work because they required my mobile device's location services (which still showed my in Asia). I'm sure I could have found a workaround for that but wasn't properly motivated to put in the effort for a short visit.

In a similar vein, I was able to troubleshoot a problem with our NAS from a cellular connection on a boat near Bali a couple years ago. My son needed access to some files for his college homework but couldn't access it remotely. I was able to access it and reconfigure a setting that had changed during an update and restore his access.

The internet feels like magic sometimes.

For what it's worth, you get 100 devices total, regardless of number of user accounts. If you don't need the permissions granularity that individual accounts have, consider only having an "admin" and "untrusted" account... or a single account, and pinky promise your family not to play with it.

If Tailscale is installed on your router, then any client will also be able to connect to Tailscale networks.

Fo example, if you have a default route back to your home network on the router, any client will also connect through that tunnel back through your home. This assumes you are using your travel router to connect your laptop as opposed to say the hotel wifi. (In this scenario, your travel router is connected to both the hotel wifi as an uplink and Tailscale.)

I’m using a GLinet GL-XE3000 for that and it’s great. Initial setup of the 5G eSIM on a physical SIM took a little searching but it’s been rock solid and having consistent access on the road and hotels has been great for family travel. It has a built-in battery, but I’ve never really tested the duration (I suspect it’s 3-6 hours) as I put it on its AC adapter in the hotel and the n a cigarette lighter adapter in the car, so the battery gets used 15-45 minutes at a time to bridge between those two places.

I like it enough that I might buy a second, more compact unit for when space is more a premium, but I’ve been really happy with this one.

I disagree. DNS is generally unencrypted and leaking that over whatever open wifi you're on is generally worse from a privacy perspective than the latency you add bouncing through your home where you probably have encrypted DNS setup.

Even if you don't visit any http sites, you never know what might phone home over http, so an OS level VPN provides foolproof privacy at the cost of a tiny bit of latency.

If my phone has a VPN to my home server, then it should all be encrypted.

s/Wireshark/wireguard

Most newer (or at least new + expensive) phones can share their wifi connection via hotspot. 2.4gh only though I think.

Yes, it has actually worked starting with the Pixel 3.

It's called Dual-Band Simultaneous or "STA+AP" (Station + Access Point) concurrency that can bridge an existing wifi connection to an access point to other devices via a hotspot.

Yes it works. Now you can also tether via USB. Both of them have worked flawlessly for me recently.

It seems to be only on certain devices feature(?): on my Pixel it worked, Samsung phone just says "sorry, can't do that".

Works fine, yup.

Hotels in Las Vegas typically charge around $15/day per connected device. Want to download a new book on your Kobo and play Diablo for a few minutes? That’ll be $30, please!

That’s the real win of a travel router, IMO.

My wife’s work WiFi is handled by a gl.inet 150 (https://www.gl-inet.com/products/gl-ar150/) which is tucked behind her desk since at least 2019. Vanilla openwrt on it, provides WiFi from an Ethernet slot in the wall.

Uptime is in years, it’s invisible and chugs along without visible power draw. All her devices connect to it, including her Cisco voip phone. It autossh to my ovh server with remote port forward for remote admin. Cost me 15€ in 2016.

Readers of HN will value flexibility and extensibility, but the other 99% of the folks there are fine with totally locked-down devices because it’s the only thing they know of. The lack of extensibility likely doesn’t affect sales/profit in any significant proportion.

I can’t put a SIM in my ereader or Switch or iPad.

Convenient to connect all devices to one WiFi. E.g. baby camera is on same WiFi as laptop etc.

Changing countries a lot reduces this option a bit.

I’m sure I could find a good all Europe card, but I need my number for work calls.

Ditto, the TP-Link's Archer A7 firmware is a security nightmare [1] but with DD-WRT installed it is very stable and reliable.

[1] Daughter invited ~10 classmates to prepare for a science competition, and one of them had a virus (I assume) that hacked TP-Link's firmware to draft it into a botnet. WAN connection would drop every hour for a few minutes, plus unexplained internet traffic while nobody was using it. Resetting firmware did not help, installing DD-WRT fixed it once and for all.

I think I actually retired an Archer C7 for this. The goal was something 2.5G ready because the city has systematically rolled out fibre to every neghbourhood around here and I'm just waiting for the knock.

Honestly if you're not invested in maybe Ruckus or Aruba, I don't think there's much better than OpenWRT on a decently supported AP. I had a bunch of the C7s with OpenWRT and they've been totally bulletproof. I only upgraded to R650s recently and it's not clear beyond maybe the antenna setup and the fact that it's ax now that it's much better.

How’s that access control handled? Very easy to spoof the MAC of the TV or setup some SNI spoofing proxy server, NGFWs with TLS Active Probing are probably harder to deal with but do hotels really have that?

I've read the GL.inet can easily clone the TV Mac, pretty cool.

> Run one wireguard server in your home and one client instance on this router and now all of your devices can share the same residential VPN connection.

You don't need a "travel router" for this. My phone is permanently connected to my server via Wireguard (so that I can access my files from anywhere). Adding another device just requires adding a peer in the server's config file and can be accomplished very quickly. It's not clear what problem the travel router solves, unless perhaps you travel with dozens of devices.

> no million suspicious login detected from all your social accounts,

I can personally do without those.

They're suggesting just running off your data plan which works for domestic travel (at least to urban areas with good cell service) and can work for international if you go through getting a data eSim.

GL.iNet routers don't even need this. It has an option to pass through captive portals. So you connect to your GL.iNet AP, then you set it up for the hotel WiFi, tick the option for passing through (it essentially disables VPN, AdGuard Home and other things if enabled), it will then link you to the captive portal where you can log in as you would otherwise.

Once the internet is active, the GL.iNet router will then re-enable things like VPN and AdGuard Home.

Since these devices are OpenWrt underneath with a pretier ui, I presume this is all possible on any OpenWrt device.

Is this an annoying amount of steps? And do you have to do this on every expiry of your session on the portal?

Thanks! Thats helpful.