
It's a bit disingenuous to present solutions like Tailscale as more secure than opening a VPN port on one's own machine. The latter solution should always be preferred when available just because you don't want your infrastructure to depend on a "free" service which might cease to be free tomorrow.


This is a more all-included and resilient system, especially for logging, than just opening a VPN port. I do a lot of corporate installs, and if we had a system like Tailscale then I would be in heaven. The amount of user-created systems is heinous in regards to security, and hard to set up and keep running. Tailscale lets you set up quickly and reliably with minimal errors OOTB.

If you feel that Tailscale will fold, or the free plan will be future limited, then you can drop in headscale which is a near 1:1 API open source Tailscale central server.

If you always want to be open source and not rely on API changes or staying up to green on the headscale development (made by a third party), then you can set up netbird, which is both hosted (for free) as an alternative to Tailscale more tailored for developers, but they also open-sourced their entire stack, so you can always leave and use that on your own servers.


Things are much more unscrupulous than potentially ceasing to be free tomorrow. Nobody who values their privacy would ever route their network traffic through a 'free' service.


Tailscale is not marketed as an "anonymity VPN". You're still using the devices in your Tailnet.

Tailscale provides managed, policy-driven secure connectivity, where the network admin controls access, and where packet payloads are end-to-end encrypted between their nodes using device-to-device links that are WireGuard-based. Their TCP relay system (DERP) helps connectivity when direct peer-to-peer isn't possible, but traffic through DERP still remains end-to-end encrypted.


Thank you for the explanation. I was definitely unclear on the service that Tailscale apparently actually provides.


Isn’t there separation of the control and data planes? I don’t think Tailscale get to see any of your network traffic.


They need to know how/where to route your outbound traffic. That inherently includes plaintext DNS, TLS handshakes, and otherwise plaintext traffic (like HTTP for example).

Anybody wanting to see what Tailscale is able to see can simply sniff any router interface passing outbound traffic before it enters the WireGuard tunnel interface.


No, that's not quite true. The WireGuard tunnels that the Tailscale daemon creates only go to your own machines. Nothing going through those tunnels goes to or is seen by Tailscale the company. Sometimes those tunnels go through a proxy (especially when you're afflicted by CGNAT), but the proxy sees only encrypted traffic.


So how does the proxy know where to proxy packets to?


The tailscale client on one of your computers tells it the address of your other computer.
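For anyone wanting to check which of their own peers currently ride through a DERP relay rather than a direct WireGuard path, here is an added example (not from this thread or from Tailscale) that classifies peers from the output of `tailscale status --json`. The field names (`Peer`, `HostName`, `Relay`, `CurAddr`, `Active`) are assumed from that command's output, and the embedded sample is constructed, not real tailnet data.

```python
import json

# Constructed sample in the shape of `tailscale status --json`; field names are
# assumed from that command's output, and none of these values are real.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        "nodekey:aaaa": {"HostName": "homeserver", "TailscaleIPs": ["100.64.0.2"],
                         "Relay": "", "CurAddr": "203.0.113.10:41641", "Active": True},
        "nodekey:bbbb": {"HostName": "office-nas", "TailscaleIPs": ["100.64.0.3"],
                         "Relay": "fra", "CurAddr": "", "Active": True},
        "nodekey:cccc": {"HostName": "old-phone", "TailscaleIPs": ["100.64.0.4"],
                         "Relay": "", "CurAddr": "", "Active": False},
    },
})


def classify_peers(status_json: str) -> dict:
    """Return {hostname: 'direct' | 'relayed(<derp region>)' | 'idle' | 'unknown'}.

    A peer with a CurAddr has a direct WireGuard path to us. A peer with only a
    Relay code is being forwarded through that DERP region: the payload is still
    end-to-end encrypted, but the relay sits in the path. An inactive peer has no
    open connection at all.
    """
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer["HostName"]
        if not peer.get("Active"):
            result[name] = "idle"
        elif peer.get("CurAddr"):
            result[name] = "direct"
        elif peer.get("Relay"):
            result[name] = f"relayed({peer['Relay']})"
        else:
            result[name] = "unknown"
    return result


def relayed_peers(status_json: str) -> list:
    """Names of active peers whose traffic currently transits a DERP relay."""
    return sorted(n for n, s in classify_peers(status_json).items()
                  if s.startswith("relayed"))


if __name__ == "__main__":
    # On a real node: tailscale status --json | python3 this_script.py
    import sys
    data = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for name, state in sorted(classify_peers(data).items()):
        print(f"{name:12} {state}")
```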