I wonder, does either have "magic DNS" where I can access machines by their hostname or hostname.local or hostname.intra.mydomain? Last I checked zerotier had added a push dns feature but not on linux which is a deal breaker.
That's lit, thanks for sharing. So nice to see that's working and I can start using zerotier for real! I think this is an underappreciated convenience for people running smaller networks.
I use Tailscale's MagicDNS. Definitely a huge convenience as I run a few services that I use on the web browser, so having a domain name instead of the IP address is a win.
Or as it turns out, the horribly ugly hostname.home.arpa, because why would you expect to have any of the more natural and obvious TLDs for home network domains:
Been using tailscale for over a year and a half to get access to HomeAssistant running on a box at home from my iPhone wherever I am. Works great, have never had any issues. The iPhone app connects quickly.
They jump through a lot of hoops to make the iOS app work (due to stricter resource restrictions on iOS). Shame it is closed source though, because following their network engine implementation that's open-source has been quite a learning experience.
All the hoop-jumping I can think of is open-source. https://github.com/tailscale/go has the Go toolchain changes for size reduction (though most get upstreamed), and the rest of the size reduction stuff comes from lazy configuration, i.e. keeping as little idle state as possible. But that's useful for memory reduction on all platforms, so it's just in the general network engine at https://github.com/tailscale/tailscale .
Just set this up on my NAS, it’s so helpful. Really hope their business tier proves profitable, these free/easy features for personal account are great.
It’s also ludicrous how easy it is to set up. The website claims it takes minutes. It took minutes, but only because I sat there with it working trying to work out how I finished the config. After cursing the brevity of the documents I realised that they were complete and it was actually running. Total setup was less than 10 minutes, maybe even 5 minutes.
Tailscale adds a layer of NAT traversal logic on top of regular WireGuard, so in most cases you end up with p2p WireGuard tunnels between your devices, as if the NAT wasn't there. https://tailscale.com/blog/how-nat-traversal-works/ has the gory details, it's less easy than I just made it sound :)
Tailscale without a central server is raw Wireguard, basically. You can do that but then you lose Tailscale's automatic NAT traversal and packet relay fallbacks for when UDP is blocked or NAT traversal fails.
It is possible for enterprises, though we encourage users to first see if the hosted version will work for them because support is difficult, and thus significantly more expensive, for self-hosting.
I will if we end up trying it out, though I think we'll just go with your version anyway. It's between you guys and Cloudflare, AFAIK, as Cloudflare's VPN does authentication to services easier too.
You might want to consider innernet. It's still got a central server, but it's self-hosted and similarly easy to deploy. Check it out here: https://github.com/tonarino/innernet
tailscale is p2p. IIRC, centralization is mostly for the control-plane (dns configuration, network configuration, flow logs, authn) and to route around unyielding NATs (without compromising on WireGuard's crypto-key routing).
Also their blog post [1] explains issues around a truly mesh network, and how a centralized coordination point solves this issue with little disadvantages.
The most obvious use case is to replace absolutely anything you'd ever use OpenVPN or IPSEC for. Building on that, Tailscale is so simple that you consider things you wouldn't have before just because OpenVPN would have been so painful to set up. It has fine-grained access control and it integrates with SSO.
It's good for home use, but --- and I am biased I guess because of my background --- where it really shines is corporate connectivity. If I joined a company as a security person and it was running some horrible OpenVPN access VPN for its dev team right now, one of my top action items would be to replace it immediately with Tailscale.
As a privacy tool, it's a legitimate qualm. As a company security thing, it's close to exactly what you want. In particular, you very much want as much of this stuff as possible linked to your Okta or GSuite account. Not just Tailscale; everything. It's why sso.tax is such a big deal.
Most use it to access their home servers that are not directly internet facing. Like how you access work servers through VPN. Same purpose really. Files, media, apps etc.
I'm wondering if there's any benefit to the average tech-savvy person to using Tailscale/ZeroTier as a VPN (with a VPS, say) vs. just using a consumer-facing VPN like Mullvad or whatever.
It's possible to set up tailscale with exit node routing (ie: similar to what Mullvad does) - but it will be your exit node (eg: an on-prem server, a vm you manage). So that basically allows you to do legacy access control via ip whitelists (only allow IP our.office to talk to your.dmz.service that we develop manage for you).
If possible, just bringing the node/service in question "into" the wireguard/tailscale network would be better. But good luck getting a hospital to allow you to connect your tailscale to their patient record db (or what have you - obviously in this case you'd hope they have a solid vpn and give you access.. ).
For the use case of "talk via vm through mullvad exit node" I suppose you could set up Mullvad on the vm, and tailscale on the vm with Mullvad vpn as exit node, then join all your other nodes to tailscale.
Tailscale would replace how you connect to your vm, not mullvad.
Well if you're using VPN for well "shady stuff" (e.g. torrenting), I don't suppose a VPS with your full name, credit card, and billing address is especially helpful.
But other than that, deploying Wireguard* on a VPS for bypassing censorship/georestrictions is quite nice and cheaper compared to many paid ones.
* Tailscale and Zerotier aren't really needed if you want to route all your traffic through a single machine, wireguard itself does exactly this.
I'm currently looking into implementing a VPN setup on AWS to allow my team to access services in private subnets. Tailscale seems great but too pricey for our small company. I'm playing with Pritunl now, but looking for other suggestions. Ideally I want to have some SSO functionality so we don't have to manage users and the team can log in with their company Google account. Any suggestions for this type of setup?
WireGuard. Run it on a bastion box. There isn’t a batteries-included tool I know that’s good at this. The WireGuard ecosystem means you gotta glue a lot of OSS stuff together.
tldr make sure the bastion box can reach the stuff you need it to reach as far as subnets and security groups go, ensure kernel will fwd traffic from WireGuard clients, run WireGuard daemon, and expose it to the outside world via eip. I’m oversimplifying (dns, sec groups, routing client traffic to other subnets) - but hopefully that explains the gist.
I have a small Python script that takes an XLSX file as input and populates a dir with config files and QR code images for each user.
Or you can check out some of the OSS ways to do self-service vpn mgmt with a web UI that authenticates against Google auth. I haven’t deployed this yet but it looks cool https://github.com/subspacecloud/subspace
If you know this sort of tech well it is not hard to deploy and manage yourself. But tailscale has a really killer clientside experience and “just works” so honestly it might be worth the $$$.
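As an added example (not the commenter's script, and not code from any of the projects discussed in this thread), here is a generator in the spirit of that XLSX-to-configs script: it emits a bastion config that enables kernel forwarding and NATs client traffic out of the uplink, plus one client config per user, either split-tunnel for the VPC private subnets or full-tunnel so the bastion acts as the exit node the earlier comments describe. Everything in it is constructed: the user names, the 10.8.0.0/24 tunnel prefix, the eth0 uplink, the 10.0.0.0/16 private subnet and the 203.0.113.10 endpoint are placeholders; the X25519 routine is a reference implementation of RFC 7748 included only so the example runs without the wg tools installed.

```python
"""Added example, not the commenter's script: emit WireGuard configs for a bastion
and its users (user list embedded instead of read from XLSX). X25519 follows
RFC 7748 so this runs offline; it is variable-time, so use `wg genkey` for real keys."""
import base64
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)  # u = 9, the X25519 base point

def _clamp(k: bytes) -> bytes:
    """X25519 scalar clamping, the same step `wg genkey` applies."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (reference code, not constant-time)."""
    k_int = int.from_bytes(_clamp(k), "little")
    u = bytearray(u)
    u[31] &= 127  # the top bit of the u-coordinate is ignored
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(priv=None):
    """(private, public) as the base64 strings WireGuard configs use."""
    priv = _clamp(priv or os.urandom(32))
    pub = x25519(priv, BASEPOINT)
    return base64.b64encode(priv).decode(), base64.b64encode(pub).decode()

def pubkey_of(priv_b64: str) -> str:
    return keypair(base64.b64decode(priv_b64))[1]

def build_configs(users, server_priv, endpoint, lan_subnets, uplink="eth0", full_tunnel=False):
    """Return {"server": conf, <user>: conf, ...}. Split tunnel by default: clients
    route the tunnel plus `lan_subnets` (e.g. VPC private subnets) via the bastion;
    full_tunnel=True routes everything through it, i.e. the bastion is the exit node."""
    tunnel = "10.8.0"  # constructed prefix; must not overlap the VPC subnets
    server_pub = pubkey_of(server_priv)
    server = [
        "[Interface]", f"Address = {tunnel}.1/24", "ListenPort = 51820",
        f"PrivateKey = {server_priv}",
        # the bastion must forward client traffic and NAT it out of its uplink
        "PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -o {uplink} -j MASQUERADE",
        "PostDown = iptables -D FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -D POSTROUTING -o {uplink} -j MASQUERADE",
    ]
    allowed = "0.0.0.0/0" if full_tunnel else ", ".join([f"{tunnel}.0/24", *lan_subnets])
    out = {}
    for i, user in enumerate(users, start=2):  # .1 is the bastion, users start at .2
        priv, pub = keypair()
        ip = f"{tunnel}.{i}"
        # each user adds a [Peer] block on the hub: the "reconfigure the server"
        # step that makes plain WireGuard tedious without tooling
        server += ["", f"# {user}", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]
        out[user] = "\n".join([
            "[Interface]", f"Address = {ip}/32", f"PrivateKey = {priv}", "",
            "[Peer]", f"PublicKey = {server_pub}", f"Endpoint = {endpoint}:51820",
            f"AllowedIPs = {allowed}", "PersistentKeepalive = 25",  # keeps NAT mappings open
        ]) + "\n"
    out["server"] = "\n".join(server) + "\n"
    return out

if __name__ == "__main__":
    server_priv, _ = keypair()
    # 203.0.113.10 is a documentation address standing in for the bastion's Elastic IP
    for name, text in build_configs(["alice", "bob"], server_priv, "203.0.113.10", ["10.0.0.0/16"]).items():
        print(f"# --- {name}.conf (store with mode 0600, it holds a private key) ---\n{text}")
```

Each client's AllowedIPs is what decides split versus full tunnel on the client side; the bastion's own [Peer] entries stay at /32 per user so it only accepts each user's traffic from the key it issued. The PostUp line is the "ensure kernel will fwd traffic" step from the comment above; on AWS you still need the security group to allow UDP 51820 to the bastion's EIP and the private subnets to accept traffic from the tunnel range.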
Thanks for the suggestion. I have seen subspace, but haven't had a chance to explore it deeply. I don't mind deploying and managing my own setup, but since my team is small, I want to limit how much time I have to spend on this in the long run. I have definitely considered running my own setup of barebones WireGuard, but haven't come across an elegant user management solution.
I've looked into replacing my personal WireGuard setup with an innernet [0] managed network. You can throw it onto a generic VPS and make managing WireGuard peers super easy.
It's not unlike Tailscale and nebula (that others already mentioned) but I think it deserves to be mentioned.
Wireguard isn't so good for mesh networks because every new node requires reconfiguring all the others. Even with management utilities this is a pain, so instead I recommend something like nebula.
https://github.com/slackhq/nebula
Not necessarily. You can have one or several (potentially load-balanced) “gateways” which act as entrypoints into subnets.
At some point you’ll probably want to integrate with some identity management, but dozens of users and hundreds of servers are totally fine to manage as yaml in ansible IME.
As others have suggested, Nebula (https://github.com/slackhq/nebula) is pretty elegant. It has groups-based access built in which is extremely convenient.
You can bolt on SSO fairly easily - just create a certificate signing service. I created https://github.com/unreality/nebula-mesh-admin in a weekend, so it's fairly easy to add an SSO flow in.
Yeah, we do use it for ssh access. I know about the port forwarding capabilities, but haven't explored it for this use case. Given that our environment is dynamic, I don't know if accessing internal services via port forwarding over ssh is going to be feasible.
This is great! But now that I have family and friends network, and a work network - how do I easily switch from one to the other? As far as I can tell, one has to log out and back in via the "long" oauth route for every device (ie: phone and laptop for work from home)?
> This plan is also available to families and friends. Connect to your dad’s photo server, provide feedback on your daughter-in-law’s new app, and check in on your neighbor’s shared driveway webcam.
EDIT: https://tailscale.com/kb/1139/tailscale-vs-zerotier/
That is a very fair writeup for a competing product. Nice!