item 33648341

Tailscale Funnel

666 points | soheilpro | 3 years ago | tailscale.com

238 comments

sixhobbits | 3 years ago
Maybe I have a fundamental misunderstanding of how Tailscale works, but I always feel like there is a disconnect in how it is received on HN.

Usually people are pretty critical/cynical of sending sensitive data to a closed source third party server, no matter how strong their claims of 'being the good guys' are (eg see Telegram).

But somehow we're all meant to be happy giving full control of our entire network to a commercial company running a closed source command and control server?

mudrockbestgirl | 3 years ago
And even if everything is secure right now, you cannot guarantee this stays the case in the future. By using the "tailscale ecosystem" you are locking yourself into a provider that can change the ecosystem (clients, services, servers) or put things behind a paywall anytime. Or create add-ons that are useful and no longer privacy-preserving. The fact that they are a VC-funded business makes me believe this is how the company will end up: Customer data will be monetized in one way or another. How else are they going to create returns for shareholders that justify their valuation? Certainly not by open sourcing stuff and not looking at your data. We've seen these VC incentives play out again and again in other companies.

Just use WireGuard. It really isn't that hard.

rkangel | 3 years ago
Leaving aside adoption, there is a degree to which HN is impressed that Tailscale has taken a set of technical problems that have caused many of us pain over the years and that drive some less than ideal setups and just made them go away. They are magically taken care of behind an easy to use setup that Just Works. There's basically none of the "you have to tweak this setting under this circumstance" needed to get it working. That is difficult engineering requiring people who understand the problem domain and have a clear picture of the right architecture, as well as good product engineering.

apitman | 3 years ago
I agree it's not ideal, but I can tell you why I'm excited about things like Tailscale, Cloudflare Tunnel, ngrok, etc.[0]

They enable you to move your selfhosted services from expensive, slow VPSes you don't control to fast devices in your own home[4]. IMO this is strictly better than a VPS in terms of privacy and data control. It's a step in the right direction, back towards the initial intent of the internet, but also forward with the lessons we've learned in the real world.

The reality today is that selfhosting is way too hard[1]. It shouldn't be any more complicated or less secure than running an app on your phone.

I think services like Tailscale are going to enable the first generation of selfhosting that approaches that level of simplicity. Once the market is proven, the second generation is going to be designed for selfhosters and have features like end-to-end encryption, domain name integration, and simple GUI interfaces.

The other key pieces are strong sandboxing, which is now possible on all major desktop OSes through virtualization (mobile is coming[2]), and dead-simple cloud backups.

The technology for all these things exists, it just hasn't been integrated yet.

[0]: https://github.com/anderspitman/awesome-tunneling

[1]: https://moxie.org/2022/01/07/web3-first-impressions.html

[2]: https://twitter.com/kdrag0n/status/1584017653269958656?lang=...

[4]: I concede that the network upload connection is likely much slower, but expect that to improve over time.

fudgefactorfive | 3 years ago
Honestly, I hate the idea of having a middle man, but having tried and researched extensively how to make something like a direct tunnel between two clients over the internet it just doesn't always work.

NAT is a godsend for IPv4 exhaustion, but it's also fundamentally crippled the ability for people to host things or make things available directly from their homes.

Hole-punching is an inexact process due to the variety of different NAT types, some of which (e.g. Carrier-grade) simply do not allow that sort of connection. So there must be a middle man that accepts packets on their publicly available port and passes it on to another established connection. TURN/STUN (et al.) exist but are archaic and do the same thing but with less accountability.

I hate it too but until we have IPv6 by default with user controlled firewalls hosting something in your garage without a business line is not feasible. Hell I have a $5 a month VPS purely so it can act as the middle man to the servers in my home. At least then I only need to trust myself as the middle man.

EMIRELADERO | 3 years ago
Forget the server, what especially worries me is the client.

For some weird reason the GUI clients for Windows, macOS and iOS are closed-source.

I never understood exactly why that is, considering that the Linux and Android ones are fully open.

The fact that there isn't a reason documented anywhere certainly worries me.

ocimbote | 3 years ago
I think that by the sheer nature of Wireguard, it doesn't matter much. We don't send any readable data to Tailscale, they, for the greater part, handle plumbing between nodes. What goes in the pipes remains unnoticed and unknown to them.

Their MagicDNS feature may raise different concerns though, but I'll let others comment on it.

IceWreck | 3 years ago
Why depend on Tailscale when you can go 100% open source and use Slack's Nebula or plain old WireGuard or one of those open source WireGuard manager apps.

rs_rs_rs_rs_rs | 3 years ago
>But somehow we're all meant to be happy giving full control of our entire network to a commercial company running a closed source command and control server?

Yes, Tailscale is THAT good; this tradeoff is worth it.

anderspitman | 3 years ago
This is huge. One of the last major missing features from Tailscale IMO. I maintain a list of tunneling solutions[0]. Personally, I think the future of p2p networking and selfhosting may be through tunneled, SNI-routed TLS connections (exactly what Tailscale just announced). It solves IP exhaustion, NAT, and IP privacy at the cost of an extra hop and no UDP.

The big question is going to be pricing. The current top player in this space is Cloudflare Tunnel, which is a loss-leader product that technically forbids selfhosting anything other than HTML sites.

Selfhosting media can use tons of bandwidth. Any service that doesn't charge per GB is incentivized to limit your speeds.

[0]: https://github.com/anderspitman/awesome-tunneling

tjoff | 3 years ago
> It solves IP exhaustion, NAT, and IP privacy at the cost of an extra hop and no UDP.

That is awfully expensive for something IPv6 already solves minus the privacy part. I don't see how it can be considered "huge". A slight convenience maybe?

Also, routing everything through a 3rd party is a massive downside.

api | 3 years ago
So basically that would mean a Cloudflare for P2P, though maintaining data privacy at least.

It’s better than no P2P but IPv6 solves exhaustion and NAT without the performance hit or protocol limitations and with no extra third party intermediary in the way.

BTW this maintains data privacy but you can still tell a whole lot from metadata.

On the flip side it would prevent the kind of "griefing" with DDoS that happens every once in a while with self hosted and P2P things. It's not that common unless you are engaging with certain communities but it is an inherent Internet architectural flaw that this kind of works around (at a cost).

lewisl9029 | 3 years ago
Agreed, this is awesome! I've been using Cloudflare Tunnel for local dev, but the fact that it seems to be coupled to their CDN product with no way to permanently turn off the CDN functionality has caused quite a few headaches lately (though it's possible to turn off temporarily using "Development Mode").

Would love to give this a try, though from the post it's not clear if we could use our own custom domains instead of the provided ts.net ones? This is a necessity for my use case where I need to be able to handle wildcard subdomains.

systemvoltage | 3 years ago
Where do you see Cloudflare Tunnel T&C? Their help documentation seems to promote Tunnel/Access apps in every possible scenario:

> Our connector, cloudflared, was designed to be lightweight and flexible enough to be effectively deployed on Raspberry Pi, your laptop or a server running your data center. Tunnel does not programmatically enforce any throughput limitations.

> If you are hosting a Tunnel in GCP, AWS, or Azure you can view our deployment guides which are more prescriptive in assigning minimum system requirements.

https://developers.cloudflare.com/cloudflare-one/connections...

tsujamin | 3 years ago
looool so I'm literally working on something like Funnel (built on their tsnet package) as I type, except for generic TCP/UDP listeners.

This explains so much of what I've seen added to their codebase recently.

0x6c6f6c | 3 years ago
Where do they say you can't host anything besides HTML sites? Their docs even showcase various use cases for Tunnels besides that.

aquaticsunset | 3 years ago
Tailscale and the people building it continue to blow me away. The ingenuity, reliability, polish, and speed of feature delivery are unparalleled in software.

I'm eager to get rid of needing DDNS and open ports just for webhooks. And I can "flatten" my stack by cutting out a reverse proxy / weird port forwarding stuff.

slondr | 3 years ago
Though, strictly speaking, all of that was already possible with IPv6.

thisisthenewme | 3 years ago
I've been using Tailscale in my home setup for a while and really appreciate the simplicity. It has just worked in my experience. Before taking the leap for Tailscale I was semi-struggling with a Vault + WireGuard + consul-template approach which was pretty cool and fun to set up but a bit unnerving to be unsure if I got anything wrong and the chances of me being exposed.

This looks like yet another feature that fits my use case and reduces my security burden. Though I'm learning a few things from this post, the first being that I should have replaced my use of haproxy with rinetd ages ago. The other is about Certificate Transparency logging. Still going through the wiki pages to understand how that works, but would it really log an event such as Tailscale terminating the request, dumping the data, and re-encrypting them before sending us the request? Or is it possible for a bad actor to hide the logging?

6ak74rfy | 3 years ago
I went all-in on Tailscale a couple of years ago but am slowly (and painfully) moving away from it.

It's a fantastic service but with a big flaw: its iOS app eats battery like crazy. I didn't know about it until I accidentally saw it one day: IIRC, it had consumed 20-25% battery averaged out over 10 days. (I used to keep it running in the background all the time, only to route DNS requests to pihole on a home server.) When I googled, it seems like a known problem on their forums for a long time.

So, beware if you are an iOS user.

detaro | 3 years ago
> Tailscale terminating the request, dumping ...

For that they need a certificate. They have two options for obtaining that:

a) They request one from a CA. This will be logged in Certificate Transparency logs, and thus you could detect it by comparing the certs logged with the ones your local machine generated.

b) they could have their software upload the certificate from your machine. That would need effort to detect (deeply inspecting the software and/or its traffic), but if a whiff of such a "feature" were to be found by anyone it couldn't really be explained away. (and aren't their clients app open-source? then at least it'd be reduced to source inspection and compiling yourself, which makes hiding stuff harder)
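The comparison detaro sketches in option (a), as an added example in Go. This is not Tailscale's code and not a real CT client: the three log entries are constructed inside the block (in practice a monitor pulls them from a CT log or a search service such as crt.sh for the names you watch), and the tailnet hostname is made up. The match is on the hash of the SubjectPublicKeyInfo rather than the leaf fingerprint, because the precertificate a CA logs before issuance and the final leaf differ in fingerprint (poison extension removed, SCTs embedded) but carry the same key; a logged certificate for your name whose key your node never generated is the signal. It covers option (a) only: a key copied off the node, detaro's option (b), leaves nothing in CT to find.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// LoggedCert is one CT log entry a monitor returned for a watched name.
// Source is a constructed label; a real monitor would record log and index.
type LoggedCert struct {
	Source string
	DER    []byte
}

// spkiHash identifies a certificate by SHA-256 of its SubjectPublicKeyInfo,
// which a precertificate and its final leaf share while their fingerprints differ.
func spkiHash(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// unexpectedIssuances returns the log entries whose key matches none of the
// certificates this node generated itself: issued for your name, not to you.
func unexpectedIssuances(localDER [][]byte, logged []LoggedCert) ([]string, error) {
	mine := map[string]bool{}
	for _, der := range localDER {
		h, err := spkiHash(der)
		if err != nil {
			return nil, err
		}
		mine[h] = true
	}
	var rogue []string
	for _, e := range logged {
		h, err := spkiHash(e.DER)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.Source, err)
		}
		if !mine[h] {
			rogue = append(rogue, e.Source)
		}
	}
	sort.Strings(rogue)
	return rogue, nil
}

// selfSigned stands in for any certificate binding key to name; a CA-issued
// leaf or precertificate with the same key hashes identically on its SPKI.
func selfSigned(name string, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// demo constructs the scenario: the node's key appears in the log as precert
// and leaf, and a third entry for the same name carries a key it never made.
func demo() ([]string, error) {
	const name = "myapp.tail1234.ts.net" // constructed tailnet hostname
	myKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var certs [3][]byte
	for i, k := range []*ecdsa.PrivateKey{myKey, myKey, otherKey} {
		if certs[i], err = selfSigned(name, k); err != nil {
			return nil, err
		}
	}
	logged := []LoggedCert{
		{Source: "entry-1-precert", DER: certs[1]},
		{Source: "entry-2-leaf", DER: certs[0]},
		{Source: "entry-3-unknown-key", DER: certs[2]},
	}
	return unexpectedIssuances([][]byte{certs[0]}, logged)
}

func main() {
	rogue, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("logged for my name with a key I never generated:", rogue)
}
```

The check only works if the node keeps the certificates (or at least the public keys) it has generated, and if someone is actually polling the logs for the names: CT is append-only and public, but it alerts nobody by itself.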

matthewaveryusa | 3 years ago
If I CNAME my domain to my assigned ts.net name then I'm guessing Funnel won't work because of the SNI lookup, will it? Is that on the radar? Right now I'm using cloudflared but if I can get rid of it in favor of this that would be one less daemon to worry about. Wouldn't be able to do ESNI though. sooo, how about a vanity .ts.net I get to choose?

jchw | 3 years ago
It's very nice that it doesn't do TLS termination, but it seems to rely on SNI. That's cool, but it probably precludes SNI encryption in the future. Is there a plan around this? Maybe in the IPv6 world, it becomes a non-issue... But I wonder what comes first: the push for ESNI everywhere, or actually substantial IPv6 adoption.

(Edit; though come to think of it, in practice, if the IP address each host resolved to was unique, it wouldn't really matter very much from a security/privacy standpoint, so I guess it's probably not important...)

bradfitz | 3 years ago
Author here. This shouldn't preclude doing Encrypted ClientHello in the future. We control the DNS for *.ts.net so we can publish our public key for browsers/etc to encrypt the ClientHello to, if I'm remembering the latest encrypted SNI spec(s)?
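The mechanism jchw and matthewaveryusa are asking about, as an added Go example that is not Tailscale's code: a relay reads the TLS ClientHello, takes server_name out of it, looks the name up in a routing table and (in a real relay) replays the bytes it consumed to the backend, which holds the private key and terminates TLS; the relay never sees plaintext. The routing table, the tailnet IP and the ts.net hostname are constructed for the example, and the in-memory pipe stands in for the network so it runs offline. It shows why a CNAME from your own domain does not route: the browser sends the name it was asked for in SNI, not the ts.net target of the CNAME. It also shows what ECH changes: the inner ClientHello is encrypted to the key published in DNS, so only the party holding that key can still read the real name, which is why controlling *.ts.net DNS matters for the relay.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
	"time"
)

// Constructed routing table: public names the relay accepts, mapped to the
// tailnet node that holds the key and terminates TLS. Hostname and 100.x IP
// are made up for this example.
var routes = map[string]string{
	"myapp.tail1234.ts.net": "100.101.102.103:443",
}

// errPeeked aborts the server handshake as soon as GetConfigForClient has seen
// the ClientHello; nothing is ever written back to the client.
var errPeeked = errors.New("client hello peeked")

// readOnlyConn lets crypto/tls parse the ClientHello from r while dropping
// every write (ServerHello, alerts), so the relay never speaks TLS itself.
type readOnlyConn struct{ r io.Reader }

func (c readOnlyConn) Read(p []byte) (int, error)       { return c.r.Read(p) }
func (c readOnlyConn) Write(p []byte) (int, error)      { return 0, io.ErrClosedPipe }
func (c readOnlyConn) Close() error                     { return nil }
func (c readOnlyConn) LocalAddr() net.Addr              { return nil }
func (c readOnlyConn) RemoteAddr() net.Addr             { return nil }
func (c readOnlyConn) SetDeadline(time.Time) error      { return nil }
func (c readOnlyConn) SetReadDeadline(time.Time) error  { return nil }
func (c readOnlyConn) SetWriteDeadline(time.Time) error { return nil }

// peekSNI consumes exactly the ClientHello record from r and returns the
// server_name it carries plus the raw bytes, which a relay replays to the
// chosen backend before splicing the rest of the connection through.
func peekSNI(r io.Reader) (sni string, consumed []byte, err error) {
	var buf bytes.Buffer
	cfg := &tls.Config{
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			sni = h.ServerName
			return nil, errPeeked
		},
	}
	herr := tls.Server(readOnlyConn{io.TeeReader(r, &buf)}, cfg).Handshake()
	if sni == "" {
		return "", buf.Bytes(), fmt.Errorf("no server_name in ClientHello: %v", herr)
	}
	return strings.ToLower(sni), buf.Bytes(), nil
}

// route picks the backend for a server_name. Unknown names are refused: a
// CNAME from www.example.com to a ts.net name does not help, because the
// browser still sends www.example.com in SNI, and that is not in the table.
func route(sni string) (backend string, ok bool) {
	backend, ok = routes[strings.ToLower(sni)]
	return backend, ok
}

// peekFromClient drives a real crypto/tls client over an in-memory pipe so
// the example runs offline, and returns what the relay learns from it.
func peekFromClient(serverName string) (sni string, consumed []byte, backend string, ok bool, err error) {
	clientSide, relaySide := net.Pipe()
	go func() {
		c := tls.Client(clientSide, &tls.Config{ServerName: serverName})
		_ = c.Handshake() // fails once the relay side closes; only the first flight matters
		clientSide.Close()
	}()
	defer relaySide.Close()
	if sni, consumed, err = peekSNI(relaySide); err != nil {
		return
	}
	backend, ok = route(sni)
	return
}

func main() {
	for _, name := range []string{"MyApp.tail1234.ts.net", "www.example.com"} {
		sni, raw, backend, ok, err := peekFromClient(name)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("sni=%-24s hello=%4d bytes accepted=%-5v backend=%s\n", sni, len(raw), ok, backend)
	}
}
```

In a real relay the step after route() is to dial the backend, write the consumed bytes first and then copy both directions until either side closes; everything after the ClientHello is ciphertext the relay cannot read, which is the property the thread is weighing against the extra hop and the lack of UDP.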

inquirer39243 | 3 years ago
Are there any updates on being able to use the iOS app for self-hosted Tailscale? Also, what is the status of fully self-hosted Tailscale in general?

I just don't trust my VPN to be managed by a 3rd party like this. I'm willing to pay money even (though I don't have much) for hobby use - but I don't like the possibility of exposing network devices like this. To be honest I'm a bit surprised seemingly everyone else is.

5e92cb50239222b | 3 years ago
Not everyone, we just don't talk about it much. headscale is plenty popular — that's not "everyone" already.

https://github.com/juanfont/headscale

In addition to your points, we over here also have our own reasons for self-hosting everything (for example, to protect ourselves from being cancelled at any moment for being forced into a citizenship you didn't ask for by being born at the wrong place).

AviationAtom | 3 years ago
I try to escape Tailscale, but they keep trying to suck me back in.

Tailscale crew: I know y'all read HN, so I say to you: keep up the good work and innovation!

deafpiano | 3 years ago
I was making a service that's half publicly hosted, and half on a tsnet server (https://tailscale.com/blog/tsnet-virtual-private-services/) the other day, and this is exactly what I was looking for.

Having an app that can set up its own completely secure networking no matter where it's run is game changing; as soon as I get into the alpha, the Cloudflare tunnel it's on right now is going down!

2bluesc | 3 years ago
I'm surprised they don't allow exit nodes to function as funnel servers.

Seems to me this would save them the hassle of dealing with the bandwidth.

apenwarr | 3 years ago
Exit nodes are usually still behind your firewall and have no open incoming ports. If you're willing to reconfigure your firewall to open incoming ports, you probably didn’t need Funnel in the first place.

aborsy | 3 years ago
As soon as Tailscale provides an option for WireGuard preshared keys, I will use it. I need Tailscale out of my network.

Any plan?

Self hosting Tailscale will then not be needed, since users don’t need to trust Tailscale anymore.

rollcat | 3 years ago
What do you mean by "trust", what's your threat model? Tailscale does way, way more than just facilitate key exchange. If tailscale.com goes down or rogue, you're still in a pickle even with PSKs; just because there's WireGuard under the hood doesn't mean you can swap an API endpoint and continue as if nothing happened.

Even with self-provided PSKs, you're going for an (IMHO) pretty poor trade-off; keys, certificates, etc. should be regularly rotated, and that's a chore that's best left automated. At that point, why not just set up WireGuard yourself?

If you have legitimate concerns, you should be using Headscale[1] (or even plain WireGuard) from day 1. Otherwise, personally I find the current threat model very reasonable; it's in no way worse than trusting any other VPN provider, and they're keeping a pretty big chunk of their code base open for auditing.

[1]: https://github.com/juanfont/headscale

biotinker | 3 years ago
Tailscale is really, really doing a good job of taking all of the different secure remote networking tasks that have always been possible but self-managed and tedious, and wrapping it all in an automated, friendly interface.

Every time they come out with a new product, I read about it and think "Wow, that's really useful. That would be such a pain for me to roll by hand."

Everything they do was already possible with open source tooling, but they make it accessible. It reminds me of when Dropbox first came out.

yewenjie | 3 years ago
This means selfhosters don't need anything other than a domain name and a local machine, right?

Technically is it very different from Cloudflare Tunnels?

anderspitman | 3 years ago
You actually can't use your own domain yet, but looks like there's a good chance they add that based on @bradfitz's comments.

jsd1982 | 3 years ago
I really want to like Tailscale but I couldn't easily find a way for it to work on a jumpbox running Ubuntu 14.04 that I don't have root access to.

Anyone have a way to install the client on a non-rooted box? I couldn't find anything in the docs about the assumption that it requires root or not, other than it being implied by their install steps using system package managers.

tsujamin | 3 years ago
Something else interesting they're doing is their tsnet package, which lets you join your process to the tailnet and bind TCP listeners/connect to TCP services via their tailnet IP or subnet.

I'm writing some stuff using this at the moment, but I also just saw https://github.com/tailscale/golink which does the same thing: a single binary that runs a link shortener that joins itself to your tailnet.

tl;dr: don't run your service on a machine then join that to tailnet, directly bind your service to an in-memory tailnet client

anderspitman | 3 years ago
I wasn't aware of tsnet. That's super cool.

alwaysanon | 3 years ago
This is yet another amazing cherry-on-top of an amazing product. I switched Internet providers a couple months ago and was horrified to find that I was now behind a CGNAT. I went looking for a solution to reach my home lab on the go and found Tailscale. Tailscale solved that issue - and I actually had the epiphany that if I couldn't reach my home network without it then nobody else could either. So, maybe the CGNAT is actually a big security benefit in that way - but I digress.

I originally was thinking of it like a network-level VPN but realised if I installed it on everything individually it would give me DNS and HTTPS certs for all the machines in my home lab that work from anywhere as long as my laptop was connected to Tailscale. That is something I always wanted to do with Let's Encrypt but never got around to. And now this!

It has really inspired my imagination. I've been running labs teaching 5-15 people k8s and k8s security out of AWS but this means I might be able to just run a bunch of VMs in my home lab all with Tailscale loaded and point people easily at them all. Maybe with code-server (VS code in a browser) on them to give them a browser-based terminal. And that is just one possible usecase...

Thank you Tailscale people - it is such a great product that has exceeded all my expectations!

gz5 | 3 years ago
>Maybe you need to receive a webhook from GitHub

There are also free options, e.g. ngrok[0], and open source options, e.g. OpenZiti[1].

Doing webhooks and dark webhooks for quite some time. Always good to have more options - what does Funnel do differently than those?

[0] https://blog.ngrok.com/posts/getting-started-with-webhooks

[1] https://openziti.io/my-intern-assignment-call-a-dark-webhook...

tasn | 3 years ago
What's a "dark webhook"?

Also, funny they should mention GitHub, as they literally just added webhook tunneling to the GitHub CLI a few days ago.

ftufek | 3 years ago
Looks like nice competition for Cloudflare Tunnels and ngrok.

TaylorAlexander | 3 years ago
Sounds promising! I recently got gigabit fiber through Sonic, who does not offer static IP addresses. I did read the article but it is pretty deep in to some stuff I am not that familiar with. Can anyone clarify, if I own some domain name, can I host something on my raspberry pi or whatever and use funnel with my domain so that someone can visit my domain and get to that hosted thing? And how would this compare to dynamic DNS approaches? Thanks!

otar | 3 years ago
Tailscale is on fire.

I am watching it very closely and considering setting it up for my small team.