The Internet today is flawed. We possess smartphones, tablets and laptops that surpass the performance capabilities of servers from 20-30 years ago, yet we can’t talk to them without the use of some intermediary: a server to connect to. This approach is flawed and inefficient since it will be a single choke point for everyone’s traffic, not to mention the privacy-related drawbacks (one entity seeing who everyone is talking to…).
Examples of this centralization hurting everyone:
We can’t even access resources on our local network without some corporations’ servers acting as a middleman.
Tailscale is a clever solution to this problem. It uses WireGuard as its base to build a mesh network for your devices, essentially making it appear as if they are all connected to the same network. Each device gets a static IP on this network, which is in the Carrier-grade NAT address space to avoid any collisions with your own networks. By default, Tailscale only routes connections to machines on this mesh network through the WireGuard VPN, but you can make a machine advertise itself as an exit node to route all your Internet traffic through that device, effectively turning it into the kind of traditional consumer VPN typically used to mask IP addresses.
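Because tailnet addresses come from the Carrier-grade NAT range, a host can tell from the source address alone whether a connection arrived over the mesh. The following added example (not from the original post) checks constructed sshd log lines for logins that did not come over the tailnet, and checks local routes for overlap with that range; it assumes the range is 100.64.0.0/10 (RFC 6598) and that nothing else on the host uses it, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 6598 shared address space (Carrier-grade NAT), assumed to be the tailnet range.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sshd log lines, not from a real host (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
Jan 10 09:12:01 pi sshd[811]: Accepted publickey for alice from 100.101.102.103 port 50122 ssh2
Jan 10 09:14:37 pi sshd[824]: Accepted publickey for alice from 192.168.1.20 port 41810 ssh2
Jan 10 09:20:05 pi sshd[840]: Accepted password for alice from 203.0.113.7 port 60321 ssh2
Jan 10 09:21:44 pi sshd[851]: Failed password for root from 203.0.113.7 port 60388 ssh2
"""

ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")

def classify(addr):
    """Return 'tailnet', 'loopback', 'lan' or 'public' for a source address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "tailnet"
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "lan"
    return "public"

def logins_outside_tailnet(log_text, allowed=("tailnet", "loopback")):
    """List (user, source, zone, method) for successful logins from other zones."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are ignored here
        method, user, src = m.groups()
        zone = classify(src)
        if zone not in allowed:
            findings.append((user, src, zone, method))
    return findings

def overlaps_tailnet_range(local_routes):
    """Local routes that overlap the CGNAT range, e.g. when an ISP uses it too."""
    return [r for r in local_routes if ipaddress.ip_network(r).overlaps(CGNAT)]

if __name__ == "__main__":
    for finding in logins_outside_tailnet(SAMPLE_LOG):
        print(finding)
    print(overlaps_tailnet_range(["192.168.1.0/24", "100.72.0.0/16"]))
```

An empty result from `logins_outside_tailnet` is what you would expect on a host whose SSH is meant to be reachable only over the tailnet.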
I have been using Tailscale for a couple weeks now and in the process, have become profoundly enamoured with the tech.
The install process is stupidly easy. A script basically sets up the repos for your Linux distro, after which you can use your package manager to install Tailscale, or (for Windows, Mac, Android or iOS) you just install the application. After authenticating with one of the identity providers they support (we’ll discuss this later), you are just connected to your mesh network (Tailscale calls it a tailnet).
The docs are amazing, and the blog is phenomenal. Their article on NAT traversal and how they maintain their free plan are excellent examples. In fact, I am using the former as a sort of guide to build something you may find interesting (more on this later).
As for the latter, I really appreciate them addressing how it is that they have such a good free plan. They clearly outline the fact that since their software makes direct connections, it doesn’t really matter how many devices you have, the amount of traffic the company itself has to deal with is minuscule (an IP address, port, pubkey and maybe some authentication info). Having a free plan allows developers and hobbyists to try out the software, and later be encouraged by the experience to nudge their companies to try it out as well, getting some valuable enterprise customers over the long run as well as getting the word out and gaining free publicity (ahem). They also try to keep the DERP (relays used when no direct connections can be made) costs low through some manner of rate limiting.
However, in most cases, it makes direct connections to your devices for maximum efficiency and privacy, and if it can’t, it just uses relays located around the world, combined with some careful management and rate limiting to make sure their hosting bill on AWS doesn’t skyrocket. What this means is that you can almost always access your device no matter what kind of connection you have, and that connection is completely private.
Private keys never leave the device, and Tailscale doesn’t really ever have the ability to read your traffic info. The only real info they have is the fact that you connected from one device to another at this time.
If you still think this is too much info, you can self-host the Tailscale control plane using headscale on an Internet-facing device. This creates 1 Tailnet you can connect your devices to. The Tailscale devs are fairly friendly towards this project, and the CLI and desktop apps come with options to change the control plane to whatever URL you wish.
MagicDNS is extremely convenient. The Tailscale client already (kinda sorta) hijacks DNS on the installed devices, so having it resolve your devices on the mesh network is fairly trivial. So, you don’t even need to remember the static IP addresses of your devices.
One nice byproduct of this is that DNS over HTTPS can also work on Linux. Tailscale always resolves resources on the Internet through a DNS resolver that supports DNS over HTTPS, like Cloudflare or Quad9. (This can be tweaked in the Tailscale admin panel.) This is fairly useful on networks that block port 853, the port used for DNS over TLS, which seems to be more standard in Linux thanks to systemd-resolved only supporting DoT.
HTTPS certs can be generated as well for certain web features to work. So, no more messing with self-signed certs and getting them into every program’s certificate store: Tailscale creates a subdomain on tailscale.net for you to use for each device.
There is even an SSH server implementation that uses your Tailscale’s identity provider for authentication instead of SSH keys, as well as a file sharing command you can use to finally get files from one place to another without worrying about storage quotas or being rate limited or having some shady cloud provider read your files. I haven’t used these two yet, though. I just use the standard SSH server and scp.
Tailscale helps automate tedious parts of networking so that we can all enjoy the Internet in its original, collaborative spirit.
I imagine for Tailscale the company, it is not a huge issue as their main customers are enterprises, who already use some identity provider. This could be a gripe for individuals using Tailscale. If this is an issue for you, consider self-hosting headscale.
The only time (at the time of writing) Tailscale does use the kernel implementation is when a Linux device advertises itself as an exit node. Even then, the exit node is the only one that ever uses the kernel WireGuard.
I’ll keep my eye on this and related issues because if this does end up being done, Tailscale will be much faster for it.
In spite of the gripes I have with their product, I really like Tailscale. It is cliché, but it just works. I use it to access my home network from afar for right now, even using a Raspberry Pi as a homemade VPN, and it has worked nicely so far. The security is pretty good, even if the third party authentication requirement means that both Tailscale and that identity provider can add devices to the Tailnet without your knowledge (though, again, it can’t exactly do a whole bunch of damage since the bulk of the business logic is still contained in the open source client, and also headscale exists if you really want to minimize this risk).
If you don’t want to bother opening ports or using dynamic DNS services or really doing a whole lot of work related to NAT traversal, Tailscale is a good place to start (and hopefully end).
That’s all for today. Bye for now!
Note: “WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld.
Copyright © 2024 Saksham Mittal. All rights reserved. Unless otherwise stated, all content on this website is licensed under the CC BY-SA 4.0 International License