Maybe I have a fundamental misunderstanding of how Tailscale works, but I always... (2024)


Maybe I have a fundamental misunderstanding of how Tailscale works, but I always feel like there is a disconnect in how it is received on HN.

Usually people are pretty critical/cynical of sending sensitive data to a closed source third party server, no matter how strong their claims of 'being the good guys' are (eg see Telegram).

But somehow we're all meant to be happy giving full control of our entire network to a commercial company running a closed source command and control server?


And even if everything is secure right now, you cannot guarantee this stays the case in the future. By using the "tailscale ecosystem" you are locking yourself into a provider that can change the ecosystem (clients, services, servers) or put things behind a paywall anytime. Or create add-ons that are useful and no longer privacy-preserving. The fact that they are a VC-funded business makes me believe this is how the company will end up: Customer data will be monetized in one way or another. How else are they going to create returns for shareholders that justify their valuation? Certainly not by open sourcing stuff and not looking at your data. We've seen these VC incentives play out again and again in other companies.

Just use wireguard. It really isn't that hard.


augusto-moura on Nov 18, 2022 | parent | next [–]


Not really true, tailscale clients do allow you to point to different control servers and open source implementations do exist[1] and are thriving. The clients are also open source and you can even create one yourself if you are willing to.

The thing is, what makes tailscale work really well as a "central" control server is that it makes it a lot easier to connect your personal machines. You don't need to deploy your own server, or mess with networking stuff. You just download it, log in and there you go. I myself have invited some non-tech friends to my network for playing LAN games from time to time and they find it pretty easy to set up tailscale on their side.

[1]: https://github.com/juanfont/headscale


fesc on Nov 18, 2022 | root | parent | next [–]


Yeah, but having that is clearly not aligned with making money. They could make it more difficult or impossible to use headscale at any moment.


nine_k on Nov 18, 2022 | root | parent | next [–]


Once a FOSS ecosystem exists, it can always be maintained as such.

What may theoretically happen is that the same client won't be able to join both an open-source controller and a controller from Tailscale-turned-evil.

I suppose that corporations, especially those without huge IT departments, will and do happily pay Tailscale the reasonable money, and have their secure VPN just working. For them, it's no different than paying for Zoom or Office365, only cheaper. They totally do not want to depend on in-house networking expertise.

So I think Tailscale will be doing well financially,


secunit on Nov 26, 2022 | root | parent | prev | next [–]


They could, but let's cross that bridge when we get to it. You're trying to justify the dislike of a product because of what they might do. That's a pretty weak argument.


eddieroger on Nov 18, 2022 | parent | prev | next [–]


> Just use wireguard. It really isn't that hard.

For us. For the folks who browse HN all day, yeah. But have you tried getting a non-technologist to use it? I set a friend up with Tailscale between her Synology and laptop and it was a breeze - something I could do over the phone. For me getting Wireguard set up wasn't tricky, but I definitely leaned on Google some, and I would argue I know what I'm doing.

I would love for a company to release a bridge as open source that I could deploy on a VM somewhere but still have it be Tailscale-easy for normal folks, but there's no money in that model.


phpisthebest on Nov 18, 2022 | parent | prev | next [–]


I fail to see how that is any different to other modern network control solutions out there? Every major network vendor is moving towards a cloud control service of some kind.

Further, honestly, at this point I would trust TailScale over say OpenVPN, or Cisco, or .....


lmeyerov on Nov 18, 2022 | parent | prev | next [–]


Having evaluated them --

Road 1: Sale to usual suspects like Palo Alto (though that window is closing due to raising $100M) or Cisco (that window may close if they raise again?). It is basically modern vpn, though will be years with a big enterprise culture reset & a consumer tier for that to become true. They will run out of acquirers soon who would have the incentive to overpay, eg, if they raise more and narrows down to say oracle, ms, apple, and google, not sure why any would buy vs build. Hopefully they will not dip much into the funds so they can cleanly exit without forcing an acquirer to screw over their users. (See: Evernote)

Road 2: IPO and become a platform for bigger stuff... Like end-user-friendly VPN. Who knows, but good luck! Flipping to 'real' enterprise sales and figuring out the consumer tiers are big culture shifts, but luckily... Hireable.

Meanwhile, growing just with more niche/skilled Linux power user teams gets them far -- the compliance checkbox is huge for growth, see Drata and Vanta -- so am not worried :)

Agreed with the OSS concern so we decided against putting them in the critical path of our enterprise offering (a shame!), but as an internal tool, it looks great!


lxgr on Nov 18, 2022 | parent | prev | next [–]


> Just use wireguard. It really isn't that hard.

In many situations it's not just hard, it's outright impossible.

For example, how would you connect two Raspberry Pis between two CG-NATted internet connections using Wireguard, without resorting to setting up a publicly reachable VPN server?

If you have a public and at least semi-stable IPv4 address and control your firewall/NAT, great. But unfortunately less and less people do, these days.


antx on Nov 18, 2022 | root | parent | next [–]


Tailscale actually has a great write-up on the subject [0]

TLDR; Ideally, IPv6. Otherwise, NAT traversal techniques such as STUN, or hole-punching.

[0]: https://tailscale.com/blog/how-nat-traversal-works/


lxgr on Nov 18, 2022 | root | parent | next [–]


> Ideally, IPv6.

Yes, if you have it everywhere you want to host services and everywhere you want to access these services, that's great. Realistically, I think it's going to be decades until an IPv6-only service is feasible.

> Otherwise, NAT traversal techniques such as STUN, or hole-punching.

Neither of which Wireguard supports out of the box. To be clear, it absolutely shouldn't – it's a different concern, and the appeal of Wireguard is specifically that it isn't trying to do everything and the kitchen sink.

So, is there an easy-to-use NAT traversal orchestration service for Wireguard out there that isn't Tailscale?


antx on Nov 18, 2022 | root | parent | next [–]



secunit on Nov 26, 2022 | root | parent | next [–]


"Inspired by Tailscale"

So, before Tailscale there wasn't a solution. Now we have one, but it's yet another tool we have to manually manage.


candiddevmike on Nov 18, 2022 | root | parent | prev | next [–]


Use IPv6?


lxgr on Nov 18, 2022 | root | parent | next [–]


Not an option, as long as I regularly need to access my devices from IPv4-only networks.

Have you tried using IPv6 on a hotel wi-fi, in-flight, or a corporate guest network?


secunit on Nov 26, 2022 | parent | prev | next [–]


>Just use wireguard. It really isn't that hard.

I love WG and use it extensively, but the attraction of Tailscale (and why I use it) is that it takes disparate concepts and gives you a nice visual control panel to manage them and see the status of all your devices in one place.

Nothing. Absolutely nothing exists for Wireguard that does even some of that, which doesn't also cost money.

I don't think Wireguard is even capable of the 'DERP' server concept to get around NAT limitations.

So no, you can't 'just use Wireguard' to accomplish what Tailscale does.


jimmygrapes on Nov 19, 2022 | parent | prev | next [–]


Spoken like somebody who has never had a "Can you help me get my microsoft wifi [Spectrum cable internet] to make sure my gmail [[email protected]] doesn't send my retirement [tax refund] to the hackers" type call.


secunit on Nov 26, 2022 | parent | prev | next [–]


>And even if everything is secure right now, you cannot guarantee this stays the case in the future. By using the "tailscale ecosystem" you are locking yourself into a provider that can change the ecosystem (clients, services, servers) or put things behind a paywalls anytime.

I can't (and refuse to) live my life by "what ifs." If they do any of those things, it's easy enough to pivot to the 3 or 4 other providers out there, like ZeroTier, who offer the same thing.

My hope is if they do, the FOSS community will have gotten their act together and built a capable replacement, which is usually the case.


iquerno on Nov 18, 2022 | parent | prev | next [–]


At this point you could stir up hysteria over anything. Your cloud provider, ISP, operating system support team, XYZ SaaS provider could also just invent a new billing policy to screw the customer over. At the same time, the big providers have profitable revenue streams, so they don't have much incentive to change their billing. VC startups of course on growing instead of verifying that their business model actually works, and end up either:

- locking the software behind a paywall

- inventing a proprietary + open-source + pay us royalties license

- pretending that their software is free whilst employing a proprietary + pay us royalties for anything bigger than a hobby project license

- going bust


simjnd on Nov 18, 2022 | prev | next [–]


I remember reading that Tailscale is "helping out" [1] development of Headscale [2], an open-source re-implementation of their command server so that the two remain compatible as new features are added to the official one.

[1]: https://tailscale.com/opensource/

[2]: https://github.com/juanfont/headscale


rkangel on Nov 18, 2022 | prev | next [–]


Leaving aside adoption, there is a degree to which HN is impressed that Tailscale has taken a set of technical problems that have caused many of us pain over the years and that drive some less than ideal setups and just made them go away. They are magically taken care of behind an easy to use setup that Just Works. There's basically none of the "you have to tweak this setting under this circumstance" needed to get it working. That is difficult engineering requiring people who understand the problem domain and have a clear picture of the right architecture, as well as good product engineering.


djbusby on Nov 18, 2022 | parent | next [–]


Isn't TailScale "just" WireGuard?


mbreese on Nov 18, 2022 | root | parent | next [–]


Yes. It is just Wireguard… with a bit of magic on top.

As far as I can tell, the Tailscale magic is maintaining and distributing a wg.conf that is set up for a dynamic mesh Wireguard network. To do this (and in particular the NAT traversal aspect), they use their own software to set up and figure out NAT ports.

Once you have Wireguard figured out, it’s pretty easy to set up a hub and spoke model VPN, especially if you have a static server somewhere. Setting up a dynamic mesh VPN is another thing entirely and doing it without requiring a server from Tailscale to be part of the network is, like I said, a bit of magic. It’s a straightforward setup that they explain quite well on their site. But to actually make it work is quite impressive to me.
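The "maintain and distribute a wg.conf for a mesh" job described in the comment above, as an added example that is neither Tailscale's nor WireGuard's code and not the commenter's: a small Python stand-in for a coordination server that renders one full-mesh config per enrolled node and flags the pairs plain WireGuard cannot connect on its own. All node names, keys and addresses are constructed placeholders (the key strings are not real X25519 material); the sample fleet is one VPS with a public address plus two devices behind CG-NAT.

```python
"""
Constructed stand-in for a WireGuard mesh coordinator (not Tailscale code).
Every key and address below is a made-up placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Node:
    name: str
    public_key: str           # base64 WireGuard public key (placeholder)
    private_key: str          # base64 WireGuard private key (placeholder)
    address: str              # tunnel address, e.g. "100.64.0.1/32"
    endpoint: Optional[str]   # "host:port" if reachable from the internet, None if behind CG-NAT
    listen_port: int = 51820


def validate(nodes: List[Node]) -> None:
    """Refuse fleets whose configs would route one tunnel address to two peers
    or hand two nodes the same identity."""
    seen: Dict[str, str] = {}
    for n in nodes:
        net = ipaddress.ip_network(n.address, strict=False)
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"{n.name}: a mesh node address must be a single host (/32 or /128)")
        if n.address in seen:
            raise ValueError(f"{n.name} and {seen[n.address]} both claim {n.address}")
        seen[n.address] = n.name
    keys = [n.public_key for n in nodes]
    if len(set(keys)) != len(keys):
        raise ValueError("duplicate public key: two nodes would be indistinguishable")


def unreachable_pairs(nodes: List[Node]) -> List[Tuple[str, str]]:
    """Pairs where neither side has a public endpoint. Plain WireGuard has no way
    to bring these up; this is the gap NAT traversal or a relay has to fill."""
    natted = [n for n in nodes if n.endpoint is None]
    return [(a.name, b.name) for i, a in enumerate(natted) for b in natted[i + 1:]]


def mesh_config(me: Node, nodes: List[Node]) -> str:
    """Render the wg.conf for `me`: its own private key plus one [Peer] per other node."""
    validate(nodes)
    out = [
        "[Interface]",
        f"Address = {me.address}",
        f"ListenPort = {me.listen_port}",
        f"PrivateKey = {me.private_key}",
    ]
    for p in nodes:
        if p.public_key == me.public_key:
            continue
        # AllowedIPs is only the peer's own tunnel address: the coordinator never
        # hands out 0.0.0.0/0, so no peer can pull all of this node's traffic.
        out += ["", "[Peer]", f"# {p.name}", f"PublicKey = {p.public_key}",
                f"AllowedIPs = {p.address}"]
        if p.endpoint is not None:
            out.append(f"Endpoint = {p.endpoint}")
            if me.endpoint is None:
                # I am behind NAT and the peer is public: keep my NAT mapping alive
                # so the public peer can keep reaching me.
                out.append("PersistentKeepalive = 25")
        elif me.endpoint is None:
            out.append("# no Endpoint on either side: needs NAT traversal or a relay")
    return "\n".join(out) + "\n"


def all_configs(nodes: List[Node]) -> Dict[str, str]:
    """One config per node, each containing only that node's private key."""
    return {n.name: mesh_config(n, nodes) for n in nodes}


# Constructed sample fleet: a VPS with a public address and two devices behind CG-NAT.
NODES = [
    Node("vps", "PUBKEY_VPS_PLACEHOLDER=", "PRIVKEY_VPS_PLACEHOLDER=",
         "100.64.0.1/32", "203.0.113.10:51820"),
    Node("laptop", "PUBKEY_LAPTOP_PLACEHOLDER=", "PRIVKEY_LAPTOP_PLACEHOLDER=",
         "100.64.0.2/32", None),
    Node("pi", "PUBKEY_PI_PLACEHOLDER=", "PRIVKEY_PI_PLACEHOLDER=",
         "100.64.0.3/32", None),
]

if __name__ == "__main__":
    for name, conf in all_configs(NODES).items():
        print(f"--- {name} ---\n{conf}")
    print("pairs plain WireGuard cannot connect:", unreachable_pairs(NODES))
```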


nine_k on Nov 18, 2022 | root | parent | next [–]


> without requiring a server from Tailscale

AFAICT, Tailscale does not route your traffic through its servers (because it would be costly, among other things), but it does control your VPN nodes to distribute all the configuration fairy dust. So a server from Tailscale is still needed (and billed for).


mbreese on Nov 18, 2022 | root | parent | next [–]


Right, the command and control server -- but that server does not need to be part of your private Tailscale/WG network. The Tailscale server is only required for coordinating the WG configuration. My point was that this was all done without the Tailscale server needing to actually participate in your private network. That is to say, the Tailscale server can't monitor your traffic or private servers.

Except of course in the case of Funnel... which is the original subject here. In this case, the Tailscale ingress server is added to your private network/nodelist. This is so that it can communicate with whatever private service you are running and then proxy that back out to the public Internet.


rudasn on Nov 18, 2022 | root | parent | prev | next [–]


I think tailscale may be the only company that is built on WireGuard but also commits code to the wireguard repo itself.

That says a lot, to me at least, but parent's comment on giving the keys to the kingdom to a third party still holds (as it does for many other SaaS/cloud/hosted platforms of course).


apitman on Nov 18, 2022 | root | parent | prev | next [–]



rkangel on Nov 18, 2022 | root | parent | prev | next [–]


Nope. It's Wireguard 'underneath' but a whole lot more over the top.

Try this: Go set up a Wireguard connection from your PC at home to one at work.

Then do the same thing with tailscale.

One will be a lot easier than the other. And that's only 2 computers...


djbusby on Nov 18, 2022 | root | parent | next [–]


Um. I already have like 100s of WG connections. Office to cloud, various servers all over connected to others, servers on many WG "subnets".

WG is the easiest VPN I've ever used. Dropped all these other crazy rigs (stunnel, ssh-tunnel, etc) cause WG always "just works" and is on every platform.

However, I've spent loads of time as network admin, planning IP-space for VPN layers, first time in 1997.


apitman on Nov 18, 2022 | prev | next [–]


I agree it's not ideal, but I can tell you why I'm excited about things like[0] Tailscale, Cloudflare Tunnel, ngrok, etc.

They enable you to move your selfhosted services from expensive, slow VPSes you don't control to fast devices in your own home[4]. IMO this is strictly better than a VPS in terms of privacy and data control. It's a step in the right direction, back towards the initial intent of the internet, but also forward with the lessons we've learned in the real world.

The reality today is that selfhosting is way too hard[1]. It shouldn't be any more complicated or less secure than running an app on your phone.

I think services like Tailscale are going to enable the first generation of selfhosting that approaches that level of simplicity. Once the market is proven, the second generation is going to be designed for selfhosters and have features like end-to-end encryption, domain name integration, and simple GUI interfaces.

The other key pieces are strong sandboxing, which is now possible on all major desktop OSes through virtualization (mobile is coming[2]), and dead-simple cloud backups.

The technology for all these things exists, it just hasn't been integrated yet.

[0]: https://github.com/anderspitman/awesome-tunneling

[1]: https://moxie.org/2022/01/07/web3-first-impressions.html

[2]: https://twitter.com/kdrag0n/status/1584017653269958656?lang=...

[4]: I concede that the network upload connection is likely much slower, but expect that to improve over time.


depingus on Nov 18, 2022 | parent | next [–]


> They enable you to move your selfhosted services from expensive, slow VPSes you don't control to fast devices in your own home[4]. IMO this is strictly better than a VPS in terms of privacy and data control.

How is trusting your network entry point to Cloudflare (or whoever) any better than having it at a VPS? At least with the VPS you know what's happening inside the box.

Here's a better solution: Get a free/cheap VPS. Set up a Wireguard tunnel from your home server to it. Slap a reverse proxy on the VPS that forwards internet traffic through the tunnel to your home server.


apitman on Nov 18, 2022 | root | parent | next [–]


> How is trusting your network entry point to Cloudflare (or whoever) any better than having it at a VPS?

I was referring to the other advantages, not the privacy. They're about the same on privacy.

> Here's a better solution: Get a free/cheap VPS. Set up a Wireguard tunnel from your home server to it. Slap a reverse proxy on the VPS that forwards internet traffic through the tunnel to your home server.

Way too difficult for the users I'm trying to reach.


VikingCoder on Nov 18, 2022 | parent | prev | next [–]


Strong sandboxing, yes. But I'd especially appreciate it if it was wrapped up in an interface like Sandstorm.io.

I want to teach something like Tailscale about my contacts, so they are allowed to communicate with my services (through their services).

Then I want to run an app inside a strong sandbox that has capability-based APIs to do things kind of like ZeroMQ for sending messages TO THE CONTACTS. I don't want the API to look like a tcp/ip or udp connection. I want the app to think it's sending a message to a contact I've given it permission to talk to.

If this was running in a strong sandbox, I think this would be an awesome way to develop and use simple federated apps. If something like Mastodon existed on top of this, I'd think it would be really secure and much easier to tell people to stand up their own node...


apitman on Nov 18, 2022 | root | parent | next [–]


I consider Sandstorm to sort of be the platonic ideal in many ways. But in practice, the fact that the apps have to be modified to run on it holds it back.


VikingCoder on Nov 18, 2022 | root | parent | next [–]


Sure, but I feel like that's just part of the trade-offs. And chicken-and-egg, really.

But if I were really bought in to Sandstorm.io, developing new apps for it would make a lot of sense, and I agree with their assessments about accounts and security - that those are better left to the OS.

So I'm just wanting to build federated apps, using that same philosophy.

And if Tailscale Funnel let me safely run in a sandbox on prem...?

That sounds amazing.

Like, this is the kind of thing where I'd buy a headless PC just to host federated apps for my extended friends and family network, if the config were painless enough and the sandbox secure enough, and the self-updating, self-maintaining story of Sandstorm.io worked well enough...

It's like the Chrome OS of federation, in my head. The OS does exactly and only what you need, making it easy for you to add the business logic of your thing.

Like, I wish this was roughly how SAS worked...

I wish to hell more businesses felt secure in letting their employees stand up convenience servers. And I feel like these are steps in the right direction.


fudgefactorfive on Nov 18, 2022 | prev | next [–]


Honestly, I hate the idea of having a middle man, but having tried and researched extensively how to make something like a direct tunnel between two clients over the internet it just doesn't always work.

NAT is a godsend for IPv4 exhaustion, but it's also fundamentally crippled the ability for people to host things or make things available directly from their homes.

Hole-punching is an inexact process due to the variety of different NAT types, some of which (e.g. Carrier-grade) simply do not allow that sort of connection. So there must be a middle man that accepts packets on their publicly available port and passes it on to another established connection. TURN/STUN (et al.) exist but are archaic and do the same thing but with less accountability.

I hate it too but until we have IPv6 by default with user controlled firewalls hosting something in your garage without a business line is not feasible. Hell I have a $5 a month VPS purely so it can act as the middle man to the servers in my home. At least then I only need to trust myself as the middle man.


ithkuil on Nov 18, 2022 | parent | next [–]


Their middle man in the data plane handles encrypted packets so that's not the problem here.

The problem is their control plane that controls the encryption keys. A malicious admin inside TS (or a hack) could grant itself membership in any of their customer's networks. (Or at least this is the worry I read from GP)


fudgefactorfive on Nov 18, 2022 | root | parent | next [–]


That's definitely a concern, but I feel this can be mitigated by running your own network on top of theirs. Anyone in my home is part of my network, doesn't mean they're in the wg network too.

Aside from that, it's definitely a problem that they could include themselves in any customer network, but the accountability still stands. If someone got in without your screw-up, at least you know who to point the finger at once the dust settles.

I'd argue it should be treated as a base to overlay your network on top of. Although admittedly I say that as someone that doesn't use their services for similar reasons.


ithkuil on Nov 18, 2022 | root | parent | next [–]


> If someone got in without your screw-up, at least you know who to point the finger at once the dust settles.

How do you know you didn't screw up? There are so many vulnerabilities in the gazillion of random stuff you run every day on your laptop. I'd argue it's more likely that something like that was breached than Tailscaled was breached or rogue.


EMIRELADERO on Nov 18, 2022 | prev | next [–]


Forget the server, what especially worries me is the client.

For some weird reason the GUI clients for Windows, macOS and iOS are closed-source.

I never understood exactly why that is, considering that the Linux and Android ones are fully open.

The fact that there isn't a reason documented anywhere certainly worries me.


lloeki on Nov 18, 2022 | parent | next [–]


One can install the FOSS client and daemon on macOS similarly to Linux:

https://github.com/tailscale/tailscale/wiki/Tailscaled-on-ma...

I do that mostly because it's running as a LaunchDaemon.

> Forget the server

Pop the headscale server in and you get a fully FOSS system.

https://github.com/juanfont/headscale

That I don't do, because the coordination server, the relay system (which you can also self-host), and the server side UI are really good.

And also the public behaviour of the persons working at Tailscale as well as Tailscale's approach towards FOSS generally increase my level of trust in them. IOW they strike me as Nice Folks(TM), and if Nice Folks(TM) don't inspire confidence in you then you probably want to run the whole thing as described above.

I mean, please read this in its entirety. They even have an "Encouraging Headscale" section.

https://tailscale.com/opensource/


EMIRELADERO on Nov 18, 2022 | root | parent | next [–]


> I mean, please read this in its entirety. They even have an "Encouraging Headscale" section.

Honestly that makes it even weirder.

Usually companies will just not acknowledge that an open alternative that plugs into their existing product exists, and if they do it's for enforcement/diverting purposes ("Don't use this, please stick to the official stuff")

If you're at a point where you acknowledge, accept, and even help the unofficial FOSS alternative, why not make your official stuff the same way?


chipsa on Nov 19, 2022 | root | parent | next [–]


Product differentiation. If you run the headscale server, I’m not certain the funnel service will work. And there’s probably other stuff that is not planned to work with the FOSS coordinator server. And of course, one of the big things is: they don’t have to support anything with headscale, even if it’s sort of their software. Use the official stuff, and you get support. Pay, and you get better support.


brirec on Nov 19, 2022 | root | parent | prev | next [–]


For that matter one can use Windows’s built-in WSL or Hyper-V functionality to run the Linux tailscale client, too.

In fact, I do this anyway because their Windows client’s subnet router functionality is documented as being less performant than their FOSS client. I use my home desktop running Windows as a subnet router from tailscale into my home network, but when I read the note about performance I quickly installed Alpine Linux on a Hyper-V virtual machine and installed tailscale on there.

That simple Alpine VM takes up so few resources that I don’t even notice any impact on performance with my 2009 12 core Xeon system. (This was a huge system, but I would imagine a modern low-midrange CPU would easily outperform it and likewise handle a micro-VM just as well)

One static route added to my home router, and traffic flows both directions just fine. No need to install the client on any more machines on my network. This also saves on licensing, helping me stay within my free plan. :)


Operyl on Nov 18, 2022 | parent | prev | next [–]


They’ve said that closed source systems will keep the GUI closed source:

https://tailscale.com/opensource/


EMIRELADERO on Nov 18, 2022 | root | parent | next [–]


That doesn't seem to make any sense. It's nice poetically I guess, but that's not the reason.


rob74 on Nov 18, 2022 | root | parent | next [–]


Maybe it doesn't make sense to you, and you may not agree with it, but if they state that this is the reason why they do it this way, then we should at least consider that it might actually be the reason why they do it this way.


maxrev17 on Nov 18, 2022 | parent | prev | next [–]


Maybe the codebases need some tidying for open source, the chronology seems to make sense. I guess it isn't as simple as 'make repo public'.


EMIRELADERO on Nov 18, 2022 | root | parent | next [–]


I see no reason why the tidying couldn't be done in public. Why not make a public repo that's closed off to external influence until it's "tidy" enough?


maccard on Nov 18, 2022 | root | parent | next [–]


If they use a proprietary third party library, they might not have a source distribution license of said library. The same way that you can't just unilaterally declare an MIT licensed project is GPL without ensuring that all of the code was dual licensed or covered under a CLA.

EDIT: I saw another comment that says that it's "just" the GUI applications for Windows and Mac that aren't open, but the core functionality is. I know that in Windows-land, it's _very_ common to use proprietary UI libraries like Telerik UI[0], or devexpress [1]

[0] https://www.telerik.com/purchase/individual/winforms.aspx

[1] https://www.devexpress.com/


tksb on Nov 18, 2022 | parent | prev | next [–]


I've had the same thought re: iOS/macOS clients. Oh how I would love to dive into those small codebases and add some simple QOL stuff. I've been watching but they don't seem to be adding any Apple-platforms focused roles/people, which is fine, but I wanna work at Tailscale…


imhoguy on Nov 18, 2022 | parent | prev | next [–]


Well, they need something closed source to keep customers and to not end up like Docker, Inc. /s


ocimbote on Nov 18, 2022 | prev | next [–]


I think that by the sheer nature of Wireguard, it doesn't matter much. We don't send any readable data to Tailscale, they, for the greater part, handle plumbing between nodes. What goes in the pipes remains unnoticed and unknown to them.

Their MagicDNS feature may raise different concerns though, but I'll let others comment on it.


edf13 on Nov 18, 2022 | parent | next [–]


This new service allows them (or if they’re hacked - anyone)… to MitM your connections - they state themselves they could ssl terminate the connections as they own the ts.net level, they say they don’t but that’s now…


ignoramous on Nov 18, 2022 | root | parent | next [–]


> This new service allows them (or if they’re hacked - anyone)… to MitM your connections...

TFA mentions that the immutable certificate logs reveal if something spooky is going on. Not enough of a guarantee since the tailscale client may siphon off certs from a local device to its servers anyway. But that's us being extremely paranoid about tailscale (in which case, why use it?).

Second, most services are run behind reverse-proxying load balancers which invariably are set up to "MiTM", aka terminate TLS. The providers running those load balancers control IPs + DNS records too, for good measure.

I guess, supporting a dizzying array of functionality makes Tailscale a decentralised cloud service provider themselves.


IceWreck on Nov 18, 2022 | prev | next [–]


Why depend on Tailscale when you can go 100% open source and use Slack's nebula or plain old wireguard or one of those open source wireguard manager apps?


uniqueuid on Nov 18, 2022 | parent | next [–]


Plain old wireguard doesn't do double-nat hole punching. And many of the open-source alternatives (such as innernet) also don't.


mosselman on Nov 18, 2022 | parent | prev | next [–]


"Plain old wireguard"

In my mind wireguard was still the new kid on the block.

Technology moves so fast.


doix on Nov 18, 2022 | root | parent | next [–]


Same here. Also, in my mind, wireguard just works. I tried setting up OpenVPN one time and gave up. Wireguard was a breath of fresh air. Generated some QR codes for my mobile devices, rsynced some .conf files to my machines and I was good to go.


yepguy on Nov 18, 2022 | root | parent | prev | next [–]


Calling something "plain old" in no way implies that it's old.

https://en.wiktionary.org/wiki/plain_old


teekert on Nov 18, 2022 | parent | prev | next [–]


Have you tried Tailscale? It's just a whole new experience getting all your devices connected in 10 minutes. It's quite something.


IceWreck on Nov 18, 2022 | root | parent | next [–]


I did and the CPU usage on the clients is much higher compared to kernel wireguard or even nebula (userspace, written in go).

Add the fact that it has no advantage over nebula and I stopped using it in a heartbeat.


teekert on Nov 18, 2022 | root | parent | next [–]


This is true, on my iPhone 12 mini Tailscale is often the heaviest app (now at 17%) whereas Wireguard never really registered. Strange thing is that on some days Tailscale also barely registers. Could be that the Home Assistant app, which also takes a lot of battery, connects via the Tailnet, and it communicates a lot in the background (tracks my position and some other phone sensors).


leetnewb on Nov 18, 2022 | parent | prev | next [–]


Nebula seems to be under Defined Networking (https://www.defined.net/) now. It lacks the ease and tooling of the multitude of others that emerged in the space. My gut is that it's usable for the clever home user but meant for a professional IT dept with the ability/desire to build their own tooling and automation around it. The spartan mobile app is a sign of such. Tailscale is probably more easily usable for the average user than nebula or even vanilla wireguard.


jonathantf2 on Nov 18, 2022 | parent | prev | next [–]


Because the whole point of Tailscale is that it's zero config, I don't really want to mess about with wireguard.


walthamstow on Nov 18, 2022 | root | parent | next [–]


Former Wireguard user here. It's fantastic for point to point VPN but I moved to Tailscale last week and it's so much better having all of my devices on one flat network. Not to mention getting my parents' devices on there with no config.


zikduruqe on Nov 18, 2022 | root | parent | next [–]


Now imagine having twenty employees running Wireguard. Having to send them keys and configs, offboarding and managing it.

Tailscale (or Headscale for that matter if you host it yourself) is magical in comparison.

https://github.com/juanfont/headscale


throwaway3720 on Nov 18, 2022 | parent | prev | next [–]


Or why not the open source tool innernet? https://github.com/tonarino/innernet


>But somehow we're all meant to be happy giving full control of our entire network to a commercial company running a closed source command and control server?

Yes, Tailscale is THAT good; this tradeoff is worth it.


FAQs

Can we trust Tailscale? ›

Tailscale sees your metadata, not your data

Tailscale does not (and cannot) inspect your traffic. Privacy is a fundamental human right, and we designed Tailscale accordingly. We don't want your data. Your data is end-to-end encrypted and transmitted point-to-point.

Why not use Tailscale? ›

By using the "tailscale ecosystem" you are locking yourself into a provider that can change the ecosystem (clients, services, servers) or put things behind a paywall anytime. Or create add-ons that are useful and no longer privacy-preserving.

What problem does Tailscale solve? ›

The Tailscale approach avoids centralization where possible, resulting in both higher throughput and lower latency as network traffic can flow directly between machines. Additionally, decentralization improves stability and reliability by reducing single points of failure.

Why is Tailscale so good? ›

Tailscale is end-to-end encrypted, so we can't see your traffic. Tailscale does not, and cannot, inspect your traffic. Tailscale uses WireGuard® for end-to-end encryption of your traffic. Your private keys stay on your device — and the code is open source so you can verify this independently.

What are the cons of Tailscale? ›

Cons
  • Windows, Linux apps require manual updates.
  • Limited support options.
  • Some technical expertise required to get the most from the service.
Jul 11, 2024

Does Tailscale hide my IP address? ›

Can I hide my IP address with Tailscale? Tailscale doesn't do this by default, however you can set up an Exit Node to do this. When you enable an Exit Node, all the traffic sent out to the internet will go through that node.

Is Tailscale more secure than OpenVPN? ›

Tailscale uses the WireGuard protocol to establish VPN connections. WireGuard is a relatively new VPN protocol that is designed to be fast, secure, and easy to set up. It's considered to be more secure than other VPN protocols like OpenVPN and IPsec and is also known for its high performance.

Is Tailscale better than ZeroTier? ›

Tailscale's throughput is similar to ZeroTier's in most environments. In theory, the WireGuard protocol used by Tailscale has somewhat less overhead and thus lower latency than ZeroTier's protocol, but in practice the difference is rarely noticeable.

Can Tailscale see my traffic? ›

Tailscale does not and cannot inspect your traffic. For more information about how your data stays private, refer to our Security page.

Who is behind Tailscale? ›

Tailscale
Company type: Private
Founders: Avery Pennarun, David Carney, Brad Fitzpatrick
Headquarters: Toronto, Ontario
Key people: Avery Pennarun, David Crawshaw, David Carney, Brad Fitzpatrick
Website: tailscale.com

Is Tailscale just WireGuard? ›

Tailscale builds on top of WireGuard by adding automatic mesh configuration, single sign-on (SSO), NAT traversal, TCP transport, and centralized Access Control Lists (ACLs). Tailscale's client software includes the open source WireGuard-Go, which we regularly contribute to.

Is Tailscale a real VPN? ›

Tailscale and OpenVPN are two popular Virtual Private Network (VPN) providers. As such, both offer a secure tunnel to access your private network—and both come with a free version. When it comes to usability, maintainability, and security options, Tailscale and OpenVPN differ vastly.

Is Tailscale a good company? ›

Tailscale is a decent choice if you want to set up your own virtual private network. It will let you transfer files and information safely between devices thanks to its P2P encryption set-up. If you're looking for a VPN that will allow you to torrent or stream though, Tailscale won't suit your needs.

Can Tailscale access my network? ›

By default, Tailscale acts as an overlay network: it only routes traffic between devices running Tailscale, but doesn't touch your public internet traffic, such as when you visit Google or Twitter.

How to authenticate Tailscale? ›

Tailscale relies on your existing identity provider to authenticate users. Any authentication settings from your identity provider are automatically used by Tailscale, including MFA. To enable MFA for your domain, set it up from your identity provider.

Article information

Author: Foster Heidenreich CPA

Last Updated:

Views: 5925

Rating: 4.6 / 5 (56 voted)

Reviews: 87% of readers found this page helpful
