top | item 45173355

(no title)

The amount of people here just exposing their network to Tailscale, and recommending others to do the same, is surprising, to say the least.

I've set up Wireguard on a VPS once six years ago, and nothing needed adjustment since. It is as easy as you make it out to be, and depending on the use case the firewall rules can also be simple.

If I need to add a new device, which is probably a rarity for the average user, and once a year for me, it takes two minutes to edit two files and restart a service.

I can see reasons why one would want to use Tailscale, especially in an organization. But just uncritically recommending it for home-lab like setups seems as harmful as pushing people to Cloudflare for everything.

discuss

FrankPetrilli|5 months ago

Inter-node mesh with raw Wireguard is an exercise in patience to say the least; I have a few different colo sites, my house, my phone, LTE/5G hotspots, raspberry pi projects in the field, etc that I want to fully connect together.

Raw Wireguard is fine for a road warrior or site-to-site VPN setup as is common, but when you want multipoint peer-to-peer connections without routing through what might be a geographically distant point, magic DNS, etc, Tailscale really shines through.

If you're paranoid, enable https://tailscale.com/kb/1226/tailnet-lock or run https://headscale.net/ on your own as a control server.

SyrupThinker|5 months ago

For P2P I can totally see the advantage.

Although at that point I'm sure you, and any similar user, would not actually rely on ad-hoc advice like in this thread, and instead just evaluate what is needed.

As an aside, personally speaking, headscale solves basically none of my concerns associated with introducing more software, complexity and third parties (the maintainers) into my network setup. Less so because of paranoia towards the software/product itself, and more so because of the increased surface area to attack.

But I also think that anyone actually bothering to set headscale up probably falls into the aforementioned group of people that actually thinks about their requirements.

venusenvy47|5 months ago

I've been using Netbird on my home network and on my daughter's laptop to provide remote support while she has been at college. This year she moved into an apartment, which has its own cable modem and router/network that I set up. I haven't figured out how I will configure a "zero-trust" architecture that will allow me to act as remote support for her remote network. I'm not the best at networking and I'm afraid of connecting the networks in a manner that I don't expect. I'd be interested to hear if anyone can suggest how to configure this arrangement. I've always had her leave the Netbird client on her laptop turned off unless she is specifically asking for help. I plan to do something similar, where I would have her remote network normally disconnected from whatever VPN bridge network I set up.

robertlagrant|5 months ago

Speaking of Cloudflare - they do have a similar product[0] :)

[0] https://developers.cloudflare.com/cloudflare-one/connections...

SyrupThinker|5 months ago

Ironic, I wasn't aware.

venusenvy47|5 months ago

I have a VPS and have thought about using Wireguard on it for accessing my home network, but I worry that I don't understand the security well enough to use it. Wouldn't less experienced people like myself be safer with Tailscale or Netbird or something that doesn't require extensive knowledge of a publicly-hosted server?