Travelling with Tailscale (mrkaran.dev)
50 points by nalgeon 5 months ago | 60 comments



The great thing about Tailscale is that you don't need an external internet-visible server to act as a proxy. Its NAT traversal is near perfect. The digital ocean droplet mentioned in the post is likely creating more problems than it is solving (its IP address is easily recognizable, and so your traffic will be flagged across the internet).

I use a raspberry pi connected to my router as a DNS server and exit node and the experience is seamless. And as a bonus I get to keep using my home IP address for all traffic.


Misleading blog title, I'd more call it "Fixing Tailscale Route Hijacking".

This is, honestly, one of the things I like the least about tailscale, and also one of the things they are least likely to change. I understand why they do it, but it feels a bit like too much magic. Tailscale is an incredible bit of kit though.


I’ve been hearing a lot of tailscale hype lately, but I don’t quite get it.

How is it any better than running my own WireGuard instance?


Remember that famous HN comment about how you do not need Dropbox because you could set up this thing with sshfs or something? Tailscale is that Dropbox of VPNs.


I have several WG peers (phones, laptop, tablet) hosted up on a US residential symmetric fiber, and a couple of travel routers that can connect to it as well (this was helpful when going overseas so I could get to US TV providers, among other things).

Since I've done that work already, would TailScale buy me anything?


Ease of installation, SSO, peer-to-peer tunnels (whereas in a VPN access server, the server sees inside of the tunnel), no open ports, DNS, private DNS server, switching easily between different exit nodes (or no exit node), subnet router, ACL (like a cloud firewall), sending files from one device to another, TLS certificate for each device, fallback to TCP/relays when UDP is not available. Tailscale is very good if you have to manage many users, and if you want to share nodes with others. Cool tech!

If you install Tailscale, then you don’t need to think of connectivity for other applications: media servers, file sync, RDP, etc. Otherwise, for each of them, you have to think of networking all over (port forwarding, relays, UPnP, …).

Cons: You have to install an agent running as root on all devices, trust the coordination server to some extent, much bigger attack surface!


They offer some extras like MagicDNS, go/, ssh auth, etc.

But no, if you don't need that and if you've done the setup part, and you're just looking at the VPN part, you wouldn't gain anything.

Tailscale magically works, recovers well from crashes/network changes (I've had a few issues here with WG native client), manages your keys (and rotation of), creates point to point tunnels (which is just confusing via a plain text config with several devices).


Do you ever find yourself in a situation where all NAT traversal strategies fail and your only way is through a DERP server? Unless you're in your own DERP, this is one of the situations where Tailscale might be useful.


I've got my WG's server endpoint open to the world; unless I'm misunderstanding something this won't be an issue for me.

That being said, none of my WG peers really ever need to talk to each other (but the way I have it set up the remote IP subnet does route within it, so I guess they could).


If outgoing UDP is blocked, WireGuard cannot connect.


If you use Wireguard only to route to/from to a central hub that has a static IP address then what you have is perfectly fine.

Tailscale works well for situations where you have lots of roaming devices that perhaps want to talk to each other as well as to central hubs or you want to gate all of this behind some kind of SSO.


You don't need a static IP. Just a name. I use wireguard on all of my devices connecting to the wireguard host on my router by name.


While you're correct, it's worth keeping in mind that WireGuard only looks up DNS names when the tunnel is started.

If your remote endpoint address changes, the only way your client will find out is either if you restart the tunnel on the client device by hand, or, in the lucky case, if the remote endpoint happens to send some data to you at the right time while your client is still hopefully reachable at the same IP+port, which may not be a given behind a NAT if a port mapping times out from inactivity or if it changed networks in the meantime.
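The one-shot DNS lookup described in this comment is usually worked around with a periodic re-resolve job. The script below is an added example, not from the thread or from the WireGuard project: it parses the peer config, re-resolves every Endpoint that is a DNS name, compares the result with what `wg show <iface> endpoints` currently holds, and pushes a changed address with `wg set`. The interface name, config path, hostnames, keys and addresses are all constructed placeholders; the live path assumes root and wg(8) on the machine, while the offline `demo()` path injects a fake resolver so it runs anywhere.

```python
"""Re-resolve WireGuard peer endpoints that are given as DNS names (added example).

wg(8) resolves an Endpoint hostname once, when the peer is configured; if the
address behind that name changes later the kernel keeps sending to the stale IP.
Run this from cron or a systemd timer to catch the change.
"""
from __future__ import annotations
import socket
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    public_key: str
    endpoint_host: str   # DNS name from the config's Endpoint= line
    endpoint_port: int


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """'host:port' or '[v6addr]:port' -> (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_ip_literal(host: str) -> bool:
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return True
        except OSError:
            pass
    return False


def parse_peers(config_text: str) -> list[Peer]:
    """[Peer] sections whose Endpoint is a hostname; IP literals need no re-resolution."""
    sections, current = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # wg(8) strips '#' comments too
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"__section__": line[1:-1]}
            sections.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")           # first '=' only: base64 keys end in '='
        current[key.strip()] = value.strip()
    peers = []
    for s in sections:
        if s.get("__section__") != "Peer" or "PublicKey" not in s or "Endpoint" not in s:
            continue
        host, port = split_endpoint(s["Endpoint"])
        if not is_ip_literal(host):
            peers.append(Peer(s["PublicKey"], host, port))
    return peers


def parse_current_endpoints(wg_show_output: str) -> dict[str, str]:
    """`wg show <iface> endpoints` prints '<pubkey>\\t<ip:port>' per line ('(none)' if unset)."""
    current = {}
    for line in wg_show_output.splitlines():
        if line.strip():
            pubkey, _, endpoint = line.partition("\t")
            current[pubkey.strip()] = endpoint.strip()
    return current


def plan_updates(peers, current, resolve=socket.gethostbyname):
    """(pubkey, 'ip:port') for each peer whose name no longer matches the kernel's endpoint."""
    updates = []
    for peer in peers:
        ip = resolve(peer.endpoint_host)                # injectable so tests/demo run offline
        wanted = f"[{ip}]:{peer.endpoint_port}" if ":" in ip else f"{ip}:{peer.endpoint_port}"
        if current.get(peer.public_key) != wanted:
            updates.append((peer.public_key, wanted))
    return updates


def reresolve(iface: str, config_path: str) -> list[tuple[str, str]]:
    """Live path: needs root and wg(8). Returns the endpoints it changed."""
    with open(config_path) as f:
        peers = parse_peers(f.read())
    shown = subprocess.run(["wg", "show", iface, "endpoints"],
                           capture_output=True, text=True, check=True).stdout
    updates = plan_updates(peers, parse_current_endpoints(shown))
    for pubkey, endpoint in updates:
        subprocess.run(["wg", "set", iface, "peer", pubkey, "endpoint", endpoint], check=True)
    return updates


# Constructed sample data (placeholder keys and documentation-range addresses, not a real setup).
SAMPLE_CONF = """\
[Interface]
PrivateKey = REDACTED_PRIVATE_KEY_CONSTRUCTED=
Address = 10.8.0.2/24

[Peer]
PublicKey = HOME_PEER_PUBKEY_CONSTRUCTED=
Endpoint = home.example.net:51820   # DDNS name for the home router
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

[Peer]
PublicKey = STATIC_PEER_PUBKEY_CONSTRUCTED=
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.3/32
"""
SAMPLE_WG_SHOW = ("HOME_PEER_PUBKEY_CONSTRUCTED=\t198.51.100.7:51820\n"
                  "STATIC_PEER_PUBKEY_CONSTRUCTED=\t203.0.113.10:51820\n")


def demo(new_home_ip: str = "198.51.100.42") -> list[tuple[str, str]]:
    """Offline dry run: pretend home.example.net now resolves to new_home_ip."""
    return plan_updates(parse_peers(SAMPLE_CONF), parse_current_endpoints(SAMPLE_WG_SHOW),
                        resolve=lambda host: new_home_ip)


if __name__ == "__main__":
    if len(sys.argv) == 3:                          # e.g. reresolve.py wg0 /etc/wireguard/wg0.conf
        for pubkey, endpoint in reresolve(sys.argv[1], sys.argv[2]):
            print(f"updated {pubkey[:8]}... -> {endpoint}")
    else:
        print(demo())
```

Note that this only fixes the client's view of the server; the NAT timeout half of the comment is the reason the sample config also carries `PersistentKeepalive = 25`, which keeps the mapping alive so the server's replies can still reach the client.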


Yeah. My MikroTik router comes with a free DDNS service, for example


It's mainly the initial connection bit that Tailscale does that makes it great, in my opinion. The rest of the features are decent too but for me this is the reason I use it

https://tailscale.com/blog/how-nat-traversal-works

Of course if you don't need this, or can set up NAT traversal yourself, and don't need anything else Tailscale does, aye, set up your own WireGuard network, no worries.

All the reasons I use tailscale after initial connection are indeed the same as if I'd set up any other VPN (direct connectivity, secure connection, private connection, etc)

At its very basic level it's a nice wrapper around WireGuard that handles the fiddly bits that might stop the initial connection for you.


This smells like "How is Dropbox better than running my own FTP server?"

Tailscale/Headscale is to WireGuard what Ubuntu is to Linux.


When you start having more than two peers and want them all to communicate, it starts getting unwieldy to expand the mesh, because that's not built in to Wireguard. You can certainly still do it, even run your own coordinator (like headscale for tailscale), but it probably saves you time and headache on medium to large meshes.


Ease of use? I self-host a couple of services on a local RPi, but when I tried to set up WireGuard I just failed... In the end I opted for a simple SOCKS5 proxy, but I'm tempted to use Tailscale as it seems to JustWork.


If you even know about what WireGuard is then you're already in a minority. I personally would rather think as little as possible about networking, so I've been eye-ing tailscale.


For me, I run Wireguard 99% of the time. I only use Tailscale for those rare times port 51820 is blocked for whatever reason. Then Tailscale works.


How do you use WireGuard without a central internet-visible server or connect to a machine that is sitting behind a NAT?


Easier setup and management.


I have an upcoming trip to Europe, which I am quite excited about. I wanted to set up a Tailscale exit node to ensure that critical apps I depend on, such as banking portals continue working from outside the country.

I've never had an issue accessing banking portals from Europe.


Just because you didn't, it doesn't mean us others don't get "flagged for fraud" and banned when trying to do something remotely.


I wonder if trying to account for that would make you look even more risky/fraudulent. Eg you access the bank portal from a US address but at similar time you physically use the card in Europe.


Not quite banking portals, but I've had banking apps of a South American country that were only available for Play Store accounts of that country. Really annoying, and even with VPN/proxy/Tailscale it's not easily fixable as you can only change the country of a play store account once every 12 months.


Yes, many (smaller) banks only allow play/app store access to the countries they operate in (really annoying for expats!).

But that won't affect you if you're just travelling. Even if you get a new phone, your account is still set to your original country.


I've done some work in this area with large american banks (around a decade ago, so it might have changed!) and generally the only problem you could have is if you were abroad and using a new device – you wouldn't get locked out but it might trigger some extra verification steps


Yes, this is still a thing. Last year I installed Linux on an old laptop to use while traveling in SE Asia. Had problems with TD Bank because of this, complicated by my account needing SMS to the US number for the extra verification.


My credit union seems to blanket ban European IP addresses. You basically get an nginx 403 page if you try to access their site from anywhere that isn't the US. It's dumb but I like their other services so I make do with a VPN when I'm in Europe.


I'm gonna assume they actually meant streaming services, not banks.


Why would you assume that? Especially since they said... the exact opposite.


I set up Tailscale on my Apple TV at home and can use it as an exit node when traveling, so traffic still comes from my home IP.

https://tailscale.com/kb/1280/appletv


Don't do that for banks. I had the reverse problem. Went to the USA (coming from the EU) and used a VPN for accessing bank portals. I paid using my card somewhere in SF, and then logged in to my bank using the VPN. They blocked me because of possible fraud…


This is why he is setting up his own exit node and paying for his own instance. Using VPNs is an easy way to get a block from your bank. VPN IPs are frequently added to denylists because they have a high chance of being used by bad actors. Although to be honest, cloud providers also get ban-hammered from time to time.

The best thing would be to have your own physical machine act as an exit node instead of relying on a cloud instance. That would bring a whole series of new problems for keeping a machine up and running while you are away, but doable


It's not about IP reputation, but the bank detecting a payment in one country followed by a login in another. This is exactly what the bank would see if someone stole your card.


I used a VPN that was set up in my house, not a public one. I clarified with the bank - they saw me logging in from my country and then using my card in SF and blocked me. A private exit node will not help.


Seconded. Banks have all kinds of IP access rules that can bite you. Connecting from an IP allocated to one of the well known clouds will certainly raise a flag as throwaway VPS are often used for fraud.


It's much better to have an exit node at home.


It won't help. That was my case. It is simply a geolocation difference.


I understand why they do it (fraud mitigation in layers) but it's still ridiculous. Most US banks don't even offer TOTP for second factor; they force SMS 2FA which is not secure at all.

Maybe once passkeys or hardware keys are widely adopted they can remove the atrocious fraud detection.


Many people (still) don't understand how 2FA works.

Whereas 99.999% (?) of users won't use Tor/$vpnCompany/cloud provider IPs. It's all in terms of which is less likely to lead to a support request.

I worked with a relatively big bank that used a tool like Akamai or Cloudflare. With those tools you can just ban/block entire countries (think any IP from Iran, Russia, etc.) or entire ASNs.


You were almost certainly picked up by the faster-than-flight rule, or as I like to call it, 'the superman rule'.

It’s probably the second most common geo rule after geoblocking.
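What the "superman rule" computes, as an added example that is not from the thread or from any bank's real fraud engine: each pair of consecutive account events is turned into an implied travel speed from their geolocated coordinates and timestamps, and anything faster than an airliner is flagged. The timeline is constructed to mirror the earlier comment (traveller flies EU to US, pays with the card in San Francisco, then logs in ten minutes later through a home exit node that geolocates to Amsterdam); the coordinates, times and the 1000 km/h threshold are assumptions, and the IP-to-location lookup is assumed to have happened upstream. The rule fires on the purchase/login pair regardless of how reputable the login IP is, which is why a home exit node does not help here.

```python
"""Faster-than-flight ("superman") check over a constructed event timeline (added example)."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "card_present" (physical POS) or "login" (geolocated source IP)
    lat: float
    lon: float
    place: str       # label only, for readable output


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed threshold: airliner cruise speed plus slack


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(a: Event, b: Event) -> float:
    """Speed the account holder would have needed to be at both places."""
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs((b.ts - a.ts).total_seconds()) / 3600.0
    if hours == 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours


def faster_than_flight(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Sort by time, score each consecutive pair, return (prev, cur, speed) for violations."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for prev, cur in zip(ordered, ordered[1:]):
        speed = implied_speed_kmh(prev, cur)
        if speed > max_kmh:
            hits.append((prev, cur, speed))
    return hits


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


SF = (37.7749, -122.4194)    # constructed: city-centre coordinates
AMS = (52.3676, 4.9041)

# Constructed timeline mirroring the thread's story (not real customer data).
SAMPLE_EVENTS = [
    Event(_t("2024-06-01 08:00:00"), "login", *AMS, "Amsterdam, home ISP"),
    Event(_t("2024-06-02 08:00:00"), "login", *SF, "San Francisco, hotel Wi-Fi"),     # 24 h later: a real flight
    Event(_t("2024-06-02 18:00:00"), "card_present", *SF, "San Francisco, POS"),
    Event(_t("2024-06-02 18:10:00"), "login", *AMS, "Amsterdam, home exit node"),     # 10 min later: impossible
]


def demo():
    """Readable summary of the flagged pairs: (from, to, km/h)."""
    return [(p.place, c.place, round(s)) for p, c, s in faster_than_flight(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for src, dst, kmh in demo():
        print(f"FLAG: {src} -> {dst} implies {kmh} km/h")
```

The Amsterdam to San Francisco hop a day apart scores a few hundred km/h and passes; the purchase followed by the exit-node login scores tens of thousands of km/h and is exactly the pair the bank would query. A real engine would also fold in geolocation uncertainty and the card-present versus card-not-present distinction, but the core comparison is this one.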


My DSL router has the option to set up WireGuard and it can be the exit node with a few clicks. What does Tailscale offer more than that?


A front-end that makes me not tear my hair out and documentation that's fantastic. WireGuard may be what's under Tailscale, but I don't want to fuck with keys and config files to get clients online.

For me, I have a NAS that's running Tailscale just inside my edge at home that can be an exit node as well as provides full subnet router access for my home "servers" subnet so I can get to anything from any device that I authorize a Tailscale client for as if I'm on my home LAN... anywhere.

It was also really easy to share my NAS to someone else for exit node access while traveling, and they reported back a flawless experience streaming movies while overseas via the exit node off my residential 1000/1000 fiber.

And for the 'average person' with an Apple TV? Just grab the Tailscale tvOS app and fire up an exit node of your own for when you travel later on, too!


The tvOS app really is a great Tailscale feature. My in-laws can access media on my home server any time they like with a box that's simple enough for them to understand and maintain.


> Tailscale builds on top of WireGuard by adding automatic mesh configuration, single sign-on (SSO), NAT traversal, TCP transport, and centralized Access Control Lists (ACLs).

https://tailscale.com/kb/1035/wireguard


Most routers don't have such an option?


My router doesn’t, so with Tailscale I can get the same functionality using an Apple TV. It’s pretty nice.


How do you use the router's VPN when you are not at home?


After setting up WireGuard on the router (Fritzbox), you get a QR code or config file which you can import into any WireGuard client.


What happens when your ISP rotates the IP address assigned to you?


Fritzbox assigns a domain for the router, something like DynDNS. The config is bound to this domain.


Y'all installing Tailscale on work laptops? Unless you have explicit written permission to do just that, don't. In many places this is a fireable offence.


[citation needed]?


I cannot really cite from the internal documents like code of conduct or cybersecurity policy.


Ah, a person that has only worked for a particular type of organisation lectures me about what is and is not appropriate for me to do at work. I love this one. Thankfully I live in a country with real labour laws, where this couldn’t legally be a “fireable offence”, even if it were a problem, which it ain’t.


Good for you. My comment is not directed at you, but at people that may not be aware that installing certain software on work equipment might be a breach of policy.


If you allow staff to install rando VPN profiles, let alone software, and instead rely solely on the goodwill of your employees - don’t. In many places that’s a fireable offence.


I mean… I agree with you. Unfortunately “I did that because no automated checks stopped me” is a very weak defence.



