top | item 41499131

(no title)

stas2k | 1 year ago

I don't want to sound negative, but I genuinely don't get the premise of Tailscale.

VPN as a service sounds wrong from security perspective, as you are giving away all the keys. The same goes to the VPN providers for Internet access, but that at least is not trusted as much as Tailscale is.

These internal services that are annohnced are just... Services you can run on the Internet with TLS.

discuss

baq|1 year ago

> VPN as a service sounds wrong from security perspective, as you are giving away all the keys.

yes, that's the value proposition. storing keys securely isn't free. if your threat model makes you trust your vpn provider less than yourself, by all means do it yourself.

> These internal services that are annohnced are just... Services you can run on the Internet with TLS.

I don't want the internet to even know I'm running a service if I only run it for myself.

ubercore|1 year ago

Admittedly I use it for home stuff only, not a business, but I can much more securely provide a service on my tailnet by leaning on Tailscale to handle it for me than I can myself, without a significant amount of effort. I want to leave securely deploying services at work, at work, and lower my administrative overhead at home.

For a lot of businesses of a certain size, I'm sure the math works out similarly.

snapplebobapple|1 year ago

selfhost headscale or netbird or nebula for basically the same thing pretty fully in your control. The appeal is it's a an encrypted mesh network with a very performant point to point with relay if needed vpn backing it up. This lets you keep things reasonably private and much higher performance than the traditional vpn to the office router/infrastructure at office vpn. it lets you create an overlay network that matches your vlan rules keeping everyone segregated in their lane no matter where their devices are. Services on the internet with TLS are a bad idea for many, many things (both attack surface wise with everyone in the world being able to hit the service, but also with how questionably secure massive corporate technical projects often are, which can only change slowly due to business concerns (i.e. spending the dough to change this means no profit for the quarter and significant downtime because it was built wrong over a couple decades but manages to power the a lot of the business activity flow))

moritzruth|1 year ago

> VPN as a service sounds wrong from security perspective, as you are giving away all the keys.

Tailscale’s Android and Linux clients are open-source[0] and based on WireGuard (which AFAIU is now part of the Linux kernel[1]). With other VPN software you may be owning the keys but you cannot verify what the program does.

Tailscale requires a coordination server to function. This component is not open-source, but there is an open-source reimplementation called Headscale[2] that you can host on your own server.

Additionally, there is "tailnet lock"[3]:

> Tailnet lock lets you verify that no node is added to your tailnet without being signed by trusted nodes in your tailnet. When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can’t send or receive traffic on your tailnet.

---

> These internal services that are annohnced are just... Services you can run on the Internet with TLS.

I haven’t used Tailscale in a professional context, so I cannot comment on the usefulness there, but I am using it (with Headscale) in my homelab. It makes it very easy to access all the services spread onto multiple boxes from everywhere, let them all use the same AdGuard Home DNS server without having to configure them individually and tunnel all my traffic through my home internet connection using an exit node[4].

I normally use croc[5] for file transfers between boxes, but when I had to fetch some files from my Windows game streaming computer, it was easier to just use Taildrop because Tailscale was installed already.

[0] https://github.com/tailscale/tailscale

[1] https://en.wikipedia.org/wiki/WireGuard

[2] https://headscale.net/

[3] https://tailscale.com/kb/1226/tailnet-lock

[4] https://tailscale.com/kb/1408/quick-guide-exit-nodes

[5] https://github.com/schollz/croc

rollcat|1 year ago

> Tailscale’s Android and Linux clients are open-source

All of their client code is open source, save for the bits required to ship to/comply with any app store requirements. The "Linux" client also builds and runs cleanly on many other Unix-like OS's, and they've put a lot of effort to work around a lot of non-standardised stuff on various Linux distros to ensure smooth UX. It felt like hard work just reading about the issues they've ran into.

> based on WireGuard (which AFAIU is now part of the Linux kernel)

Tailscale has its own user-mode WG client library. In fact, you can use Tailscale as a library in a Go program, they have numerous examples for cool hacks such as authentication proxies (your VPN connection becomes your auth token, no other login required).

> I haven’t used Tailscale in a professional context, so I cannot comment on the usefulness [...]

I have and it's amazing. Stuff just works, and it naturally fills roles you wouldn't even expect it to, such as asset/inventory management (being THE source of truth to answer: "is this box even online"). We also use it to throw distributed LAN parties (not every game can be hosted on a headless box, sometimes there's nobody with a PC on a public IP, etc). It does something useful for everyone.

thefz|1 year ago

Tailscale's appeal is in WireGuard.

And they offer a decently integrated product.

aborsy|1 year ago

I don’t follow. They don’t hold any keys at all. The private keys never leave users’ devices. They say this clearly.

You can also enable Taillock. That will prevent addition of nodes to your network.

It will be a joke otherwise.