Tailscale free for open source projects

171 points | tosh | 4 years ago | tailscale.com

59 comments

[+] razemio|4 years ago|reply
Can someone explain to me why I would use this instead of zerotier? Are there benefits I haven't seen?

EDIT: https://tailscale.com/kb/1139/tailscale-vs-zerotier/

That is a very fair writeup for a competing product. Nice!

[+] joshxyz|4 years ago|reply
Up for this. Zerotier is very easy to set up too and quite stable in our experience.
[+] collegeburner|4 years ago|reply
I wonder, does either have "magic DNS" where I can access machines by their hostname or hostname.local or hostname.intra.mydomain? Last I checked zerotier had added a push dns feature but not on linux which is a deal breaker.
[+] kevinsundar|4 years ago|reply
Been using tailscale for over a year and a half to get access to HomeAssistant running on a box at home from my iPhone wherever I am. Works great, have never had any issues. The iPhone app connects quickly.
[+] ignoramous|4 years ago|reply
They jump through a lot of hoops to make the iOS app work (due to stricter resource restrictions on iOS). Shame it is closed source though, because following their network engine implementation that's open-source has been quite a learning experience.
[+] adammenges|4 years ago|reply
Just set this up on my NAS, it’s so helpful. Really hope their business tier proves profitable, these free/easy features for personal account are great.
[+] lostlogin|4 years ago|reply
It’s also ludicrous how easy it is to set up. The website claims it takes minutes. It took minutes, but only because I sat there with it working trying to work out how I finished the config. After cursing the brevity of the documents I realised that they were complete and it was actually running. Total setup was less than 10 minutes, maybe even 5 minutes.

The steps are basically:

“Step 1: Sign up for an account

Step 2: Add a machine to your network

Step 3: Add another machine to your network”

https://tailscale.com/kb/1017/install/

[+] brunoqc|4 years ago|reply
I wish there was something like tailscale but without a central server.
[+] bradfitz|4 years ago|reply
Tailscale without a central server is raw Wireguard, basically. You can do that but then you lose Tailscale's automatic NAT traversal and packet relay fallbacks for when UDP is blocked or NAT traversal fails.

Or you can self-host Tailscale with https://github.com/juanfont/headscale if you want.

[+] ignoramous|4 years ago|reply
tailscale is p2p. IIRC, centralization is mostly for the control-plane (dns configuration, network configuration, flow logs, authn) and to route around unyielding NATs (without compromising on WireGuard's crypto-key routing).
[+] sockaddr|4 years ago|reply
As others have noted, just self-host a Zerotier controller. It's what I do.
[+] api|4 years ago|reply
You can self-host ZeroTier controllers. Also gives you unlimited devices that way.
[+] nomdep|4 years ago|reply
Could anyone please tell me what is Tailscale for? It allows you to connect to other computers in your home? For doing what?
[+] tptacek|4 years ago|reply
The most obvious use case is to replace absolutely anything you'd ever use OpenVPN or IPSEC for. Building on that, Tailscale is so simple that you consider things you wouldn't have before just because OpenVPN would have been so painful to set up. It has fine-grained access control and it integrates with SSO.

It's good for home use, but --- and I am biased I guess because of my background --- where it really shines is corporate connectivity. If I joined a company as a security person and it was running some horrible OpenVPN access VPN for its dev team right now, one of my top action items would be to replace it immediately with Tailscale.

[+] shriek|4 years ago|reply
Most use it to access their home servers that are not directly internet facing. Like how you access work servers through VPN. Same purpose really. Files, media, apps etc.
[+] aheckler|4 years ago|reply
I'm wondering if there's any benefit to the average tech-savvy person to using Tailscale/ZeroTier as a VPN (with a VPS, say) vs. just using a consumer-facing VPN like Mullvad or whatever.
[+] probotect0r|4 years ago|reply
I'm currently looking into implementing a VPN setup on AWS to allow my team to access services in private subnets. Tailscale seems great but too pricey for our small company. I'm playing with Pritunl now, but looking for other suggestions. Ideally I want to have some SSO functionality so we don't have to manage users and the team can log in with their company Google account. Any suggestions for this type of setup?
[+] whalesalad|4 years ago|reply
WireGuard. Run it on a bastion box. There isn’t a batteries included tool I know that’s good at this. The WireGuard ecosystem means you gotta glue a lot of OSS stuff together.

tldr make sure the bastion box can reach the stuff you need it to reach as far as subnets and security groups go, ensure kernel will fwd traffic from WireGuard clients, run WireGuard daemon, and expose it to the outside world via eip. I’m oversimplifying (dns, sec groups, routing client traffic to other subnets) - but hopefully that explains the gist.

I have a small Python script that takes an XLSX file as input and populates a dir with config files and QR code images for each user.

Or you can check out some of the OSS ways to do self-service vpn mgmt with a web UI that authenticates against Google auth. I haven’t deployed this yet but it looks cool https://github.com/subspacecloud/subspace

If you know this sort of tech well it is not hard to deploy and manage yourself. But tailscale has a really killer clientside experience and “just works” so honestly it might be worth the $$$
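
A sketch of the config-generation step for the bastion setup described in the comment above, as an added example that is not the commenter's script or any project's code. The user list, subnets, endpoint and key placeholders are constructed; real keys would come from `wg genkey` and `wg pubkey`.

```python
import ipaddress

# Constructed sample inputs: subnets, endpoint and key strings are placeholders.
TUNNEL_NET = ipaddress.ip_network("10.99.0.0/24")   # addresses handed to VPN clients
PRIVATE_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]    # subnets reachable via the bastion
ENDPOINT = "bastion.example.com:51820"              # the bastion's public address
USERS = [("alice", "<alice-private-key>", "<alice-public-key>"),
         ("bob", "<bob-private-key>", "<bob-public-key>")]


def assign_addresses(users, net=TUNNEL_NET):
    """Give the bastion the first host address and each user the next one."""
    hosts = iter(net.hosts())
    server_ip = next(hosts)
    return server_ip, {name: next(hosts) for name, _, _ in users}


def server_config(users, server_private_key="<server-private-key>"):
    """Bastion side: one [Peer] per user, pinned to a single /32."""
    server_ip, addrs = assign_addresses(users)
    lines = ["[Interface]", f"Address = {server_ip}/{TUNNEL_NET.prefixlen}",
             "ListenPort = 51820", f"PrivateKey = {server_private_key}"]
    for name, _, public_key in users:
        # A /32 here means the bastion drops packets from this key that
        # claim any other source address, so users cannot spoof each other.
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {public_key}",
                  f"AllowedIPs = {addrs[name]}/32"]
    return "\n".join(lines) + "\n"


def client_config(name, users, server_public_key="<server-public-key>"):
    """Client side: route only the private subnets through the tunnel."""
    _, addrs = assign_addresses(users)
    private_key = next(priv for n, priv, _ in users if n == name)
    return "\n".join([
        "[Interface]", f"Address = {addrs[name]}/32", f"PrivateKey = {private_key}",
        "", "[Peer]", f"PublicKey = {server_public_key}", f"Endpoint = {ENDPOINT}",
        # Split tunnel: only traffic for the private subnets enters the VPN.
        f"AllowedIPs = {', '.join(PRIVATE_SUBNETS)}", "PersistentKeepalive = 25"]) + "\n"


if __name__ == "__main__":
    print(server_config(USERS))
    print(client_config("alice", USERS))
```

The per-peer `/32` on the bastion and the subnet-only `AllowedIPs` on the client are the two settings that keep this layout least-privilege; security groups and kernel forwarding on the bastion are still configured separately.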

[+] jeroenhd|4 years ago|reply
I've looked into replacing my personal WireGuard setup with an innernet [0] managed network. You can throw it onto a generic VPS and make managing WireGuard peers super easy.

It's not unlike Tailscale and nebula (that others already mentioned) but I think it deserves to be mentioned.

[0]: https://github.com/tonarino/innernet

[+] alephu5|4 years ago|reply
Wireguard isn't so good for mesh networks because every new node requires reconfiguring all the others. Even with management utilities this is a pain, so instead I recommend something like nebula https://github.com/slackhq/nebula
[+] turtlebits|4 years ago|reply
AWS SSM allows you to remote as well as tunnel to hosts regardless of subnet.
[+] e12e|4 years ago|reply
This is great! But now that I have family and friends network, and a work network - how do I easily switch from one to the other? As far as I can tell, one has to log out and back in via the "long" oauth route for every device (ie: phone and laptop for work from home)?
[+] e12e|4 years ago|reply
> This plan is also available to families and friends. Connect to your dad’s photo server, provide feedback on your daughter-in-law’s new app, and check in on your neighbor’s shared driveway webcam.

Nice!