Great interview. I installed Tailscale on a Truenas server and on our desktops and laptops, and use it every day, including when traveling. We also use the exit node when needed while traveling, which makes life easier.
Awesome, thanks Wendell for sharing. I will look into it; I always wanted to have access to my media library when I'm on the road, but I didn't want to open a big hole in my firewall. The fact that I will be able to have and give access and/or back up files and pictures securely without uploading them to the cloud is a huge plus!
Wendell, please add a video on using an exit node with Ring cameras! The statement that everyone can see my footage freaked me out more than a little bit!! 😮
The notion of wireless being faster than wired seems alien to me. Hooking up a 25ft patch cable to an ethernet over power adapter is leagues better than trying to use wifi through three walls.
I think it's a reference to USB and how slowly all phone manufacturers are updating to the latest standards. You can't easily connect a patch cable to a phone.
I don't think it's an accurate statement, given that the technology used to improve wireless transmission speeds can be analogously applied to wired copper connections that have significantly less signal to noise.
Wired technology will ALWAYS be faster than wireless. At any given point in time, any random collection of hardware could have faster and slower bits. E.g. my laptop has USB3, 1G ethernet, and 11n wireless. A current generation iPhone has 11ac/ax wifi. That fancy new $$$$ Wifi 6E/7 router/access point has 10G wired ports.
@@lordsamnon a Lightning to Ethernet adapter has been around for years. Got one in my troubleshooting bag. Equivalent USB C to Ethernet adapters are available from Amazon and other places. I think he was making a direct reference to the fact that even with their transition from Lightning to USB C, Apple is still introducing new models that only support USB 2. Only the “Pro” model phones support USB 3.
I’ve replaced all our VPN infrastructure with Tailscale at work. It just works so seamlessly, and the end user doesn’t have to worry about manually connecting when needing a connection to local infrastructure.
Before I even heard the phrase “it just works”, it’s exactly how I described it to a friend. It really is an elegant solution to a lot of problems. If it isn’t magic, it’s surely sorcery.
So does almost every cloud service... I take a picture on one phone (iPhone), and by the time I walk across the house to pick up the other phone, it'll also have that picture.
Ok this all sounds good... BUT... why do I need a Google, Microsoft or Apple account to use Tailscale? I thought the purpose was to be able to avoid these companies! I have recently put an effort into de-googling my digital life and was thinking Tailscale would be a nice addition. Was I wrong?
How is this not just another VPN? Genuine question. The word "VPN" is not mentioned even once in the interview but their site's title is "Best VPN Service for Secure Networks"
@Level1Techs would it be possible to use IPSec to encrypt connections at the internet level instead of using TLS on the transport level like HTTPS does so that P2P encryption is not reliant on the transfer protocol.
@@Loanshark753 that's how IPsec VPN works for 99% of companies today. Issues include, but are not limited to: needs static IPs, crypto is expensive after crossing 1Gb speeds, fiddly to configure, requires always-open ports on firewalls (means vulnerabilities are bound to happen) and does not handle NAT nicely.
I am from a remote area where the ISP uses private addresses for connectivity and a static IP costs money. In a situation where I can't use DDNS or a static IP, Tailscale is a saviour for me. Now I can do literally anything that requires me to be in person or to have a static IP or DDNS. There is no port forwarding, no firewall and stuff. Just install it and log in. It takes about 5 mins to set it up. It's really magical.
This seems like an awesome idea, but how do we run it locally? Relying on Tailscale's admin interface and key exchange is just yet one more cloud provider. Is this FOSS? Can we spin it up on our own servers?
Tailscale is extremely friendly towards small businesses. Like they can’t fully replace having static IPv4 addresses but they not only come very close they do so without any of the security issues surrounding static IPv4.
I use a different mesh network and it’s one of the best, most game changing pieces of tech in my network. It’s almost like having a static ip for all your devices but it ignores things like DHCP and dynamic WAN addresses just by being smarter about how it connects.
I use Tailscale to access my Home Assistant, Jellyfin and TrueNAS instance from outside my home. Additionally, I can also access other devices via subnet routing. This is useful when I need to access my router configuration or build server.
So this guy is basically doing a "do not cite the deep magic to me, witch. I was there when it was written" to the big tech companies when it comes to basic networking and FTP.
He might've been there when it was created, but he's certainly painting with a giant FUD brush to justify his narrative. FTP works just as well today as it did decades ago. ('tho you'll have to install client and server software yourself; no OS installs that stuff out-of-the-box anymore, and most browsers no longer support ftp urls.) "File Server" is also just as cumbersome as it has always been. Tailscale is just one more bit of application "Magic" to install, and figure out how to configure.
I have a laptop 'server' running a large number of services using Proxmox with Tailscale for networking. Besides having to have a VPN connection and remembering to shut it down while I'm on the same LAN back home to reduce latency and bottlenecks (which already barely exist), it works as if everything is just a public website instead of * my own jerryrigged laptop masquerading as a server, behind a flimsy 1gbit router *
Main risk using Tailscale: they sometimes ban nodes based on geoip (like all Russian nodes recently). So the only safe way is to install the open-source reimplementation of their control server called headscale; it is compatible with their clients.
I'm using Tailscale. I've set up multiple tailnets for other people. I'm also expecting a rug-pull at some point and try not to set up stuff in a way that can't be done without tailscale, even if it requires a bit more elbow grease.
Airdrop might not work if there are multiple APs or devices connected to different frequencies (2.4, 5, 6Ghz), or if one device is wireless and the other is wired, due to TTL=1, if client-to-client multicast forwarding is not turned on (which is off by default on many devices, including Mikrotik).
This sounds good, but then you make yourself dependent on some cloud service for the key exchange part, which I don't like. I've since learned about headscale, which enables that part as self-hosted. So that's even nicer.
How does tailscale get around the NAT? Synology for example will connect your laptop to your NAS over the net but that requires software for each device to talk to a synology server first. The NAS and the laptop independently talk to the synology server. The synology server then looks at the packets and pulls the port info and allows the laptop to talk to the NAS by crafting an IP packet with the correct incoming/outgoing ports to get around the NAT. Does tailscale open new ports as well through UPNP? [EDIT] OOPS, I should have waited till 14:39 but there were no details.
We have some Tailscale nodes set up for one of my clients in place of a formal IPSec configuration. We've had ISPs change static IP addresses or not configure the router correctly, and in some cases it took days or weeks to notice because of how it routes traffic and just kept working. We also have it running as a backup interface for some of our backup solutions for our clients so we can remotely access them without the need for more hardware. That said, it does introduce some latency (only about 15-20ms though), and at least in some of the cases we have it running it will randomly inject its own DNS entries into the Domain Controller and cause other routing issues, although that admittedly could just be a misconfiguration on our part. It's a slick piece of software; honestly, for home labs it would be without question the best way to access your own personal environment.
So you're being snide over paying $10/2TB/month and being locked into Apple's ecosystem, but paying $5/User/month to be locked into Tailscale's ecosystem is alright? I don't get the logic here. I should mention Headscale - it's a community-driven coordination server. It isn't as full-featured as the primary server, but at least there's less vendor lock-in there.
Isn't there a free tier in Tailscale that allows 3 users & 100 devices? How is that locked in? If you need more than three users, you're probably working in an organization that can afford to pay a monthly fee.
@@xlrsecurity Price and vendor lock-in are two independent concepts. Vendor lock-in is where it is difficult to switch vendors and you are forced to stick with one vendor for legacy reasons. In the case of relying on Tailscale's coordination server, you have no choice to migrate (easily, that is) to another provider if something happens with Tailscale. A few weeks ago there was a big brouhaha over Tailscale geoblocking some country or another. Now, if you're using Headscale, you could theoretically dump the database and recreate your own coordination server, or keep using your local version of headscale or something else. If you have access to the database you could probably transition everyone to using Innernet or Nebula or something of the sort. If you use Tailscale for IAM and firewalls and everything else, all of your cyber eggs are in one vendor-locked basket and you cannot easily move. Going back to Stallman, there is a difference between Free Beer and Free Software.
Great idea, nice interview! Path Dependency is an important concept to learn - I first heard of it watching Political Science lectures. One example is the difference between streaming music and video: why can't every video streaming service stream everything like it happens with music? Because of legal decisions and legislation from a long time ago ...
Yes it's called policy. It is also policy which decides that most devices on the Internet cannot connect everywhere. It's for security policy reasons to stop everyone from being hacked all the time.
I think you might have things the wrong way round? The zero trust model assumes that you can't trust any device or any user without some kind of authentication. So the public internet/WAN is (and always has been) a ZeroTrust environment...BUT...the ZeroTrust model is actually trying to tackle the old school idea of zones that are trusted and untrusted, such as a local LAN behind a firewall/NAT. ZeroTrust says that even a LAN should not be inherently trusted. So if you were thinking that Tailscale somehow can move you from a ZeroTrust environment to a Trust environment, then you're setting yourself up for a wide open attack vector, where one compromised machine on the "Trusted" network can wreak havoc - as it's just blindly trusted and given access to potentially jump across to other machines via file shares or through an unpatched exploit, as the computers' local firewalls are often disabled due to them being on a 'trusted' network. Long story short, trust no user or device anywhere ever. How practical this is to implement and manage is another story for sure...security and convenience/usability are always a point of tension and a juggling act.
One thing I'd like is for, on my phone, the client that keeps Nextcloud autosynced and whatever else I decide to go through Tailscale to reach my network, but regular stuff not to, and with minimal battery impact. Can Tailscale do this? At the moment I've just got my own domain and an open port that forwards to my reverse proxy.
If you don't point your phone to an exit node, what you want is already the default Tailscale behaviour. Your traffic to the wider Internet still goes straight out without going through a tunnel, but there is a second subnet you can reach that magically has all of your devices on it. If you want to access devices in your home network that don't have Tailscale and don't want to turn on an exit node (full tunnel, i.e. normal self-hosted VPN), you can set up your server to be a subnet router. My subnet router means that my NAS (that doesn't have Tailscale on it) is always accessible to me by its local IP no matter what network I'm on.
@ Thanks for the info. I’m meaning to migrate my setup from being on my NAS to being on a MS-01 Proxmox VM / LXC and using the NAS shares over NFS for storage, while migrating from swag to traefik. I guess I’ll look into using Tailscale while I’m at it.
I don't like the notion of "You don't need to secure your Wordpress instance because it's behind a VPN". There are many security scenarios where this will still get you in the end. Tailscale might help prevent access from the entire internet, but not to all other people. Imagine if you had an ex-employee that left the company, but still has login credentials. Or one of your client computers is compromised, giving whoever access to your vulnerable Wordpress instance. You really can't get away from updating often.
So it's exactly like the DIY VPNs we used to set up and run ourselves before it became impossible to find any VPN software anymore, and after there being no such thing anymore for some 6 years, suddenly Corporations started selling the modern version under corporate control, as if it was a new tech and previously impossible, and as usual most people fell for it, instead of asking why they can't set up their own peer to peer networks over the internet! Windows 3.1 came with a VPN utility, and Microsoft killed it too! I don't do Microsoft anymore, haven't for over a decade! HAIL THE MIGHTY TUX!! HAIL LINUX!!!
Run "headscale" yourself, that is the control server, and then everything is "self hosted". Anyway, all of the VPNs you complain about still exist. Those were using specific older, now insecure VPN protocols like IPSEC. OpenVPN also is very old but still around, and you can still run it all yourself. Wireguard is the new guy and that is what Tailscale uses.
Luckily my ISP gives a public IP on my connection so I can just open ports for things when needed. That said my only ISP option here is centurylink and their DSL is quite slow even if we’re talking internet speeds 10 years ago. I could go and get myself Starlink but their monthly pricing is still a tough sell. Still it’s nice to know that if I go Starlink or another new ISP arrives and goes CGNAT I can use this to run NAS and servers.
Sounds cool! I'm still in a bit of configuration hell with my setup. Got my home network all set, couple of basic services (plex, torrents, vpn access) and recently added VPN... It was working before but now I'm still trying to figure out how to get the ports open correctly when on VPN without being completely in the open... would this be able to help?
Depending on your Plex use case, the only port you would need to open would be for Plex. If you are using a VPN like Wireguard, OpenVPN, ipsec you will need to open ports for those services. If you replace your VPN server with a tailscale exit node you will NOT need to open any ports for VPN access.
If your setup is simply a site-to-site tunnel, then yes, just a simple straight up wireguard is superior, EXCEPT if you CAN'T connect the 2 locations. Some places have double router setups and it becomes impossible to set something like that up.
23:20 The only problem I would have with Tailscale is the difference between Personal Plus and Starter. I know families who would need to go with Starter and well, not only is the price difference quite drastic, the amount of features are also a lot less.
Download here! tailscale.com/download
Read our article summary here: forum.level1techs.com/t/tailscale-interviewing-the-ceo-and-co-creator-avery-pennarun/220053
Thanks for watching! ~ Amber
have you heard of nostr
Use Tailscale for my home server, no ports to open, no complex configuration. Just fire it up and log in and it works, for free! Outstanding piece of software
Speaking as a network engineer who’s been in the industry for over a decade the “How NAT traversal works” article is genuinely one of the best pieces of technical writing I have ever read
Great interview, I think I have been using Tailscale about as long as Wendell has and I have referenced that "How NAT traversal works" many times as a great way to better understand the complexity behind making Tailscale seem like "magic"
"Every time you're going to the cloud, you're paying rent to somebody."
Perfect expression of how I've felt about cloud services for so long.
Or you and your data are the product.
Tailscale + Nextcloud is an actual life-changing combination. You will feel like a wizard.
There is probably no open source software worse than Nextcloud. It is easily one of, if not the most janky and worst software I've seen in 30 years of open source. I'm glad Louis Rossmann's new 13 hour video goes over how bad it is and sets up actual good software to replace all of what Nextcloud does badly (everything).
I just added a Tailscale exit node to my homelab yesterday, and it has become hands down my most useful tool of all my systems. Great tool, can never go back!
I enabled my Unraid server as an Exit Node yesterday, changed the Tailscale DNS to my Adguard port, and now I have adblocking even when I'm not at home!
Have been avoiding Tailscale for a while since I thought it sounded too good to be true. I finally caved in early this year and tried it… and yes it just works. Love it.
headscale.
I was avoiding it for a bit as well, since it sounded more complicated than I probably want to manage so I was using zerotier for a while. I have both where I can now, and I'm starting to slowly switch over since I find that tailscale actually functions more predictably for me and the coordination of the configuration works well. Also, Zerotier has been pushing for heavier monetization now... so I'm moving stuff off it to reduce the node count.
@@manitoba-op4jx sure, but you are giving up a lot of what makes tailscale just work tho
@@manitoba-op4jx yep way better, thanks. I'll still gladly avoid tailscale now
Ok, I didn't understand tailscale before this, but now I'm sold.
Same here. I hadn't been able to get my head around Tailscale before but this video made everything click. I'm just a personal user so they won't make much money from me right now, but at least I can be an evangelist now. 😀
but what if the tailscale company decides you are a political enemy or something like that?
@@xxxxxx-wq2rd None of your traffic goes through their servers, they basically just work as a sign-post so your devices know where to find each other. They can block your login but none of your data should be compromised.
@@xxxxxx-wq2rd if you aren’t a political enemy, explain it to them. With luck your problem will be resolved.
If you are a political enemy, you should have been using headscale, the open source version that you can self host.
I've actually used Tailscale before! Tailscale is awesome if you just want to connect computers.
But it's kind of sad that we need something like Tailscale to replace IPv4 instead of having just IPv6 and E2E encryption by default everywhere.
Even if we had the IPv6/E2EE world, managing those connections would need something simple that would be adequate for most users, because most users don't want to create ACLs for all the devices in their lives and maintain them. Tailscale basically is that solution, but for the world we actually live in.
This is some insane timing, I've been spending all day reading the TailScale documentation! Then I open UA-cam and this is the very first thing I see! I think the universe is telling me something.
Or the algorithm is. 😉
@chaemelion I thought so at first, but I was on a work PC reading the docs completely detached from my phone with UA-cam, from a different IP, location, and account. If it was the algorithm, they're doing some damn clever data association.
@@zeppelins4ever I don't doubt they do exactly that. I've had some very similar experiences. I wouldn't put it past Google to analyze visits to a website associated with an advertisement client of theirs, and bump that content suggestion a few points for related public IPs by common current or historical clients, by location (again, by IP or otherwise), etc.
Yes to pay 10 dollars per month to them.
@@MelroyvandenBerg Or, now hear me out, I use the free version.
I'm halfway into this video and I've been able to set up Tailscale on my laptop, PC, and UnRAID server. This is frickin' WILD. Enumerating services across my network and making the Tailscale plugin on UnRAID a one-stop-shop from anywhere in the world? Holy crap!
Thank you.
Damn, that intro statement was on point!
Love this! Tailscale is so amazing! It’s made my life so much easier as an amateur homelabber and a person with an interest in networking.
Tailscale has been great for years - set it up on my dad's machine as an exit node and my homelab also as an exit node. If I need to change something on his network (e.g. change his inverter parameters), I just activate his machine as an exit node and do what I need to. Easily run nightly backups of all his most important files, e.g. .docx, .pptx, .xlsx, .pdf etc., on his machine to my homelab. I wish the ACLs were more easily editable by non-technical people through the web GUI, but maybe one day that'll be added. I think if the video streaming platforms get more aggressive in enforcing that family accounts must all live together, Tailscale would be my go-to solution for that too.
I recently set up Tailscale for my friend's home network. We installed it, clicked a few buttons on the admin page, and then were confused what to do next. Tried connecting to the network out of curiosity and it just worked. We both stood up in shock literally gasping at the magic.
I use and enjoy Tailscale but I would like to see a bit of discussion of alternatives, Netbird, Nebula, ZeroTier etc. It just kind of bothers me that using Tailscale means either trusting their infrastructure for key exchange, or running Headscale, the latter of which doesn't seem to really be considered stable and has unclear security properties (whereas at least Netbird and Nebula let you host the direct enterprise code to run your own backend rather than a reverse engineered host, even if Headscale is written with Tailscale's blessing it's still reverse engineered)
I'm currently exploring Headscale vs Nebula myself. Oh and now Netmaker, that one looks interesting.
I tried Netbird first but I couldn't get it to work; switched to Tailscale, so easy. I'm using it with the Unraid plugin. So even if my server reboots for whatever reason, I do not need to hope my docker container starts up correctly.
One of the devs putting in a bunch of work on headscale is employed by Tailscale.
They've got a nice article on why it didn't make sense to just release the headend source as-is.
Add twingate to the list 😊
@@peegee101 Twingate is closed source and not self-hostable right? Only known because of paid sponsorships to a bunch of UA-camrs.
Genuinely one of the most game-changing pieces of software I've come across in a long time. I travel a lot and need to access resources that have IP allowlists. Now I can just Tailscale into a connection that's already whitelisted with zero drama. Love it - just set it up to access home assistant away from home too!
Used tailscale for a couple of years and it just works. What a wonderful product!
I literally downloaded and set up Tailscale on my Linux and Android devices while I was watching this video. Amazing! Will definitely be sharing this video.
Been using it for a while and found out my company uses it internally on some teams too. Really nice way of providing a lot of customisability while having the kind of UX where it’s easy to use for personal use.
arguably the best piece of software in my network
Tailscale user here. I love it. Great Work.
Tailscale is an awesome product that has already revolutionized networking everywhere I know, simply because it's so simple to use.
I've only been using Tailscale for a few months and it's awesome. No matter what I tried, I could never get WireGuard to work, and Tailscale was the only thing that got past the double NAT and my ISP's CG-NAT. The exit node for me is my pfSense router so I can see my server, cameras - everything on my home network. Yes, it just works and yes, just 5 minutes to set up.
Fellow Canadian 👋🏼 🇨🇦 thanks for the great chat and amazing software!
It'd be cool if you could interview the ZeroTier guys, they did most of this stuff before wireguard was a thing. The result is more of an integrated whole rather than a control layer on top of wireguard. Besides that their all-in-one binary hosts all functionality (controller, root servers and end nodes) besides the web portal. The "controller" or "control server" in tailscale is closed source, so if it wasn't for the headscale project we'd be stuck with tailscale as the single provider and authority over what and who enters the network.
Tailscale is such a fantastic piece of software. I cannot imagine my life without it anymore. Shout out to the Tailscale team!
Great video! Thank you, Wendell, I had no idea this existed, but it looks really useful!
Great opening!
Great interview. I installed Tailscale on a Truenas server and on our desktops, laptops and use it everyday including when traveling. We also use the exit node when needed while traveling, makes life easier.
Awesome, thanks Wendell for sharing. I will look into it; I always wanted to have access to my media library when I'm on the road, but I didn't want to open a big hole in my firewall. The fact that I will be able to have and give access and/or back up files and pictures securely without uploading them to the cloud is a huge plus!
Wendell, please add a video on using an exit node with Ring cameras! The statement that everyone can see my footage freaked me out more than a little bit!! 😮
De-Ring yourself for ultimate security
@zaneandre6387 In time I will, but for now I would love to know what Wendell meant!
It's an incredible application, love using it
The notion of wireless being faster than wired seems alien to me. Hooking up a 25ft patch cable to an ethernet over power adapter is leagues better than trying to use wifi through three walls.
I think it's a reference to USB and how slowly all phone manufacturers are updating to the latest standards.
You can't easily connect a patch cable to a phone..
I don't think it's an accurate statement, given that the technology used to improve wireless transmission speeds can be analogously applied to wired copper connections that have significantly less signal to noise.
Wired technology will ALWAYS be faster than wireless. At any given point in time, any random collection of hardware could have faster and slower bits, e.g. my laptop has USB3, 1G Ethernet, and 11n wireless. A current-generation iPhone has 11ac/ax Wi-Fi. That fancy new $$$$ Wi-Fi 6E/7 router/access point has 10G wired ports.
@lordsamnon a Lightning to Ethernet adapter has been around for years. Got one in my troubleshooting bag. Equivalent USB-C to Ethernet adapters are available from Amazon and other places.
I think he was making a direct reference to the fact that even with their transition from Lightning to USB C, Apple is still introducing new models that only support USB 2. Only the “Pro” model phones support USB 3.
You’re all wrong.
Alright, convinced me to set up Tailscale within my network infrastructure. I have been putting it off for so long. I will be installing next week.
I’ve replaced all our VPN infrastructure with Tailscale at work. It just works so seamlessly and the end user doesn’t have to worry about manually connecting when needing a connection to local infrastructure.
Looking forward to more Tailscale tutorials, thanks for the great work you do!
This sounds absolutely incredible. I hate how most homelabbers have to rely so heavily on Cloudflare. I can't wait to download and play around!
So how does the user count work? What does a user mean in this licensing model? Do you have to log in somewhere for it to work?
Before I even heard the phrase “it just works”, it’s exactly how I described it to a friend. It really is an elegant solution to a lot of problems. If it isn’t magic, it’s surely sorcery.
So does almost every cloud service... I take a picture on one phone (iPhone), and by the time I walk across the house to pick up the other phone, it'll also have that picture.
I have not even watched the video yet. I just have to say that I love and use WireGuard, and I LOVE!!! Tailscale.
This randomly appeared in my feed and wow it is like magic. Minutes to access my truenas scale server at work from home
I love it. Been using it for years. OMG, now you are talking about it. So awesome.
Wow!! That's awesome!!!! I can think of so many ways to use that! I have actually been wanting something just like this!
Tailscale makes homelabbing simple for the normal person. Thanks Avery.
Ok this all sounds good... BUT... why do I need a Google, Microsoft or Apple account to use Tailscale? I thought the purpose was to be able to avoid these companies!
I have recently put effort into de-Googling my digital life and was thinking Tailscale would be a nice addition; was I wrong?
I may be wrong but I think headscale is what you’re after.
yeah I did a U-turn as soon as I saw that lol
just use wireguard frfr
I love Tailscale! Never having to open ports and expose my home network to the internet is super handy.
This was a very helpful explanation of Tailscale.
Hey Wendell, great guest!
I hope this interview was conducted via p2p connection.
I wanted to set up WireGuard between my home PC and laptop. But port forwarding was an issue. Will try it today 💯
Tailscale really is magical stuff. This guy is brilliant for real.
How is this not just another VPN? Genuine question. The word "VPN" is not mentioned even once in the interview but their site's title is "Best VPN Service for Secure Networks"
full mesh. it's like a VPN but each point tries to talk directly to each other point unlike a VPN where all points connect centrally
@Level1Techs would it be possible to use IPsec to encrypt connections at the internet level instead of using TLS on the transport level like HTTPS does, so that P2P encryption is not reliant on the transfer protocol?
@Loanshark753 it would probably be better to check the official site instead of YouTube comments
@Level1Techs sorry but you can also setup a VPN as a full mesh.
@Loanshark753 that's how IPsec VPN works for 99% of companies today. Issues, not limited to: needs static IPs, crypto is expensive after crossing 1Gb speeds, fiddly to configure, requires always-open ports on firewalls (means vulnerabilities are bound to happen) and does not handle NAT nicely.
I am from a remote area where the ISP uses private addresses for connectivity and a static IP costs money.
In a situation where I can't use DDNS or a static IP,
Tailscale is a saviour for me.
Now I can do literally anything that requires me to be in person or to have a static IP or DDNS.
There is no port forwarding, no firewall and stuff.
Just install it and log in.
It takes about 5 mins to set it up.
It's really magical.
Been using Tailscale since the early days, it's great!
This seems like an awesome idea, but how do we run it locally? Relying on Tailscale's admin interface and key exchange is just yet one more cloud provider. Is this FOSS? Can we spin it up on our own servers?
I think you can self-host it via headscale.
looking very promising. im in.
YESSSSS I HAVEN'T EVEN LISTENED TO IT YET BUT I LOVE TAILSCALE
I use Tailscale every day - greatest thing ever!
Tailscale is extremely friendly towards small businesses. Like, they can’t fully replace having static IPv4 addresses, but they not only come very close, they do so without any of the security issues surrounding static IPv4.
Great interview! I would be super interested in hearing about the camera setup.
I use a different mesh network and it’s one of the best, most game changing pieces of tech in my network. It’s almost like having a static ip for all your devices but it ignores things like DHCP and dynamic WAN addresses just by being smarter about how it connects.
Definitely going to have to check this out for my new network overhaul.
Finally someone who's speaking my language!
I use Tailscale to access my Home Assistant, Jellyfin and TrueNAS instance from outside my home. Additionally, I can also access other devices via subnet routing. This is useful when I need to access my router configuration or build server.
Feels like Distracted Boyfriend meme. Holding Wireguard's hand while looking at Tailscale.
Tailscale uses wireguard internally. Wireguard is the core building block, Tailscale is a full-featured service.
I love that WebVM integrated Tailscale to allow an in-browser Linux to be part of your own network as a full host 🤯
This is amazing technology making our life easy. ❤
Tailscale is just a fancy beginner friendly VPN but still cool tech.
Currently using it on my Synology!
So this guy is basically doing a "do not cite the deep magic to me, witch. I was there when it was written" to the big tech companies when it comes to basic networking and FTP.
Reminds me of Hamachi about 15 years ago
He might've been there when it was created, but he's certainly painting with a giant FUD brush to justify his narrative. FTP works just as well today as it did decades ago. ('tho you'll have to install client and server software yourself; no OS installs that stuff out-of-the-box anymore, and most browsers no longer support ftp urls.) "File Server" is also just as cumbersome as it has always been. Tailscale is just one more bit of application "Magic" to install, and figure out how to configure.
I have a laptop 'server' running a large number of services using Proxmox with Tailscale for networking. Besides having to have a VPN connection and remembering to shut it down while I'm on the same LAN back home to reduce latency and bottlenecks (which already barely exist), it works as if everything is just a public website instead of *my own jerry-rigged laptop masquerading as a server, behind a flimsy 1gbit router*.
Great ad. Just installed on my android. Thanks.
Main risk using Tailscale: they sometimes ban nodes based on GeoIP (like all Russian nodes recently). So the only safe way is to install the open-source reimplementation of their control server called headscale; it is compatible with their clients.
I'm using Tailscale. I've set up multiple tailnets for other people. I'm also expecting a rug-pull at some point and try not to set up stuff in a way that can't be done without tailscale, even if it requires a bit more elbow grease.
The amount of automation I have been able to leverage with Tailscale being the highway is the best. Also SSH key handling is a breeze.
Real Truman Show opening
AirDrop might not work if there are multiple APs or devices connected to different frequencies (2.4, 5, 6 GHz), or if one device is wireless and the other is wired, due to TTL=1, if there is no client-to-client multicast forwarding turned on (which is off by default on many devices, including MikroTik).
This sounds good, but then you make yourself dependent on some cloud service for the key exchange part. Which I don't like. I've since learned about headscale, which enables that part as self-hosted. So that's even nicer.
Wow, this sounds amazing. Thanks.
How does Tailscale get around the NAT? Synology, for example, will connect your laptop to your NAS over the net, but that requires software for each device to talk to a Synology server first. The NAS and the laptop independently talk to the Synology server. The Synology server then looks at the packets and pulls the port info and allows the laptop to talk to the NAS by crafting an IP packet with the correct incoming/outgoing ports to get around the NAT. Does Tailscale open new ports as well through UPnP? [EDIT] OOPS, I should have waited till 14:39, but there were no details.
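The question above is about how two peers behind NATs end up talking directly. As an added illustration (this is a toy model written for this page, not Tailscale's code or a description of its exact implementation), the following Python simulates the classic UDP hole-punching exchange: each peer first sends to a rendezvous server, which reports back the public endpoint it observed; the peers then send to each other's observed endpoint and keep retrying until both NATs have a matching outbound entry. All addresses are constructed from RFC 5737 documentation ranges and nothing touches the wire. The NAT model is deliberately simple: the non-symmetric variant is an address-restricted cone (one public port per internal socket, inbound accepted from any remote IP already contacted), and the symmetric variant allocates a fresh public port per destination, which is exactly the case where the server's observation becomes useless and a relay is needed instead.

```python
"""Toy simulation of UDP hole punching: two peers behind NATs, one rendezvous server.

Constructed addresses only (RFC 5737 documentation ranges); nothing is sent on the wire.
This is an illustration written for this page, not Tailscale's implementation.
"""
from dataclasses import dataclass, field

SERVER = ("192.0.2.1", 3478)  # constructed rendezvous (STUN-like) server endpoint


@dataclass
class Nat:
    """Minimal NAT model.

    Non-symmetric: one public port per internal socket, reused for every destination,
    and inbound traffic is accepted from any remote IP the socket has already talked to
    (address-restricted cone). Symmetric: a fresh public port per destination, so the
    port the rendezvous server observed is useless to the other peer.
    """
    public_ip: str
    symmetric: bool = False
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    allowed: set = field(default_factory=set)     # (public port, remote ip) pairs

    def outbound(self, src, dst):
        """Translate an outgoing datagram; returns the public (ip, port) it leaves with."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.allowed.add((port, dst[0]))  # remember who we talked to: this is the "hole"
        return (self.public_ip, port)

    def inbound(self, public_port, remote):
        """True if a datagram from `remote` to `public_port` is forwarded inside."""
        return (public_port in self.mappings.values()
                and (public_port, remote[0]) in self.allowed)


class Peer:
    def __init__(self, name, private, nat):
        self.name, self.private, self.nat = name, private, nat
        self.peer_endpoint = None  # where this peer currently believes the other one is
        self.received = False

    def register(self):
        """Send to the rendezvous server, which reports back the public endpoint it saw."""
        return self.nat.outbound(self.private, SERVER)


def send(sender, receiver, dst):
    """Carry one datagram from sender to public endpoint dst; True if it is delivered."""
    src_public = sender.nat.outbound(sender.private, dst)
    if not receiver.nat.inbound(dst[1], src_public):
        return False  # dropped by the receiver's NAT: no matching hole yet
    receiver.received = True
    receiver.peer_endpoint = src_public  # learn the real source; it may differ from the server's view
    return True


def hole_punch(a, b, rounds=3):
    """Run the exchange; True once both sides have received a direct packet."""
    a.peer_endpoint = b.register()  # the server tells A what it observed for B
    b.peer_endpoint = a.register()  # and tells B what it observed for A
    for _ in range(rounds):
        send(a, b, a.peer_endpoint)
        send(b, a, b.peer_endpoint)
    return a.received and b.received


def scenario(a_symmetric, b_symmetric):
    """Two constructed peers on private LANs, each behind its own NAT."""
    a = Peer("A", ("10.0.0.2", 41641), Nat("203.0.113.10", a_symmetric))
    b = Peer("B", ("192.168.1.5", 41641), Nat("198.51.100.20", b_symmetric))
    return hole_punch(a, b)


if __name__ == "__main__":
    print("cone <-> cone          :", scenario(False, False))
    print("cone <-> symmetric     :", scenario(False, True))
    print("symmetric <-> symmetric:", scenario(True, True))
```

Running it shows the point the comment is asking about: no ports are opened by UPnP or anything else; each NAT only forwards the inbound packet because its own host already sent one out to that remote address. With two symmetric NATs the observed port never matches the port used towards the peer, so the direct path fails and traffic would have to go via a relay.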
We have some Tailscale nodes set up for one of my clients in place of a formal IPsec configuration. We've had ISPs change static IP addresses and not configure the router correctly, and in some cases it took days or weeks to notice because of how it routes traffic and just kept working. We also have it running as a backup interface for some of our backup solutions for our clients so we can remotely access them without the need for more hardware.
That said, it does introduce some latency (only about 15-20ms though), and at least in some of the cases we have it running it will randomly inject its own DNS entries into the Domain Controller and cause other routing issues, although that admittedly could just be a misconfiguration on our part.
It's a slick piece of software; honestly, for home labs it would be without question the best way to access your own personal environment.
This is like a breath of fresh air, thanks so much for making this and sharing. Kudos o7
So you're being snide over paying $10/2TB/month and being locked into Apple's ecosystem, but paying $5/user/month to be locked into Tailscale's ecosystem is alright?
I don't get the logic here.
I should mention Headscale - it's a community-driven coordination server. It isn't as full-featured as the primary server, but at least there's less vendor lock-in there.
Isn't there a free tier in Tailscale that allows 3 users & 100 devices? How is that locked in?
If you need more than three users, you're probably working in an organization that can afford to pay a monthly fee.
@xlrsecurity Price and vendor lock-in are two independent concepts. Vendor lock-in is where it is difficult to switch vendors and you are forced to stick with one vendor for legacy reasons. In the case of relying on Tailscale's coordination server, you have no choice to migrate (easily, that is) to another provider if something happens with Tailscale. A few weeks ago there was a big brouhaha over Tailscale geoblocking some country or another. Now, if you're using Headscale, you could theoretically dump the database and recreate your own coordination server, or keep using your local version of headscale or something else. If you have access to the database you could probably transition everyone to using Innernet or Nebula or something of the sort. If you use Tailscale for IAM and firewalls and everything else, all of your cyber eggs are in one vendor-locked basket and you cannot easily move. Going back to Stallman, there is a difference between Free Beer and Free Software.
Great idea, nice interview! Path Dependency is an important concept to learn - I first heard of it watching Political Science lectures. One example is the difference between streaming music and video: why can't every video streaming service stream everything like it happens with music? Because of legal decisions and legislation from a long time ago ...
Yes it's called policy. It is also policy which decides that most devices on the Internet cannot connect everywhere. It's for security policy reasons to stop everyone from being hacked all the time.
TailScale can be used on every server and/or VM to create a ZeroTrust environment.
I think you might have things the wrong way round? The zero trust model assumes that you can't trust any device or any user without some kind of authentication. So the public internet/WAN is (and always has been) a ZeroTrust environment...BUT...the ZeroTrust model is actually trying to tackle the old-school idea of zones that are trusted and untrusted, such as a local LAN behind a firewall/NAT. ZeroTrust says that even a LAN should not be inherently trusted. So if you were thinking that Tailscale somehow can move you from a ZeroTrust environment to a Trust environment then you're setting yourself up for a wide open attack vector, where one compromised machine on the "Trusted" network can wreak havoc - as it's just blindly trusted and given access to potentially jump across to other machines via file shares or through an unpatched exploit, as the computers' local firewalls are often disabled due to them being on a 'trusted' network. Long story short, trust no user or device anywhere ever. How practical this is to implement and manage is another story for sure...security and convenience/usability are always a point of tension and a juggling act.
brilliant content
One thing I'd like is for, on my phone, the client that keeps Nextcloud autosynced and whatever else I decide to go through Tailscale to reach my network, but regular stuff not to, and with minimal battery impact. Can Tailscale do this? At the moment I've just got my own domain and an open port that forwards to my reverse proxy.
If you don't point your phone to an exit node, what you want is already the default Tailscale behaviour. Your traffic to the wider Internet still goes straight out without going through a tunnel, but there is a second subnet you can reach that magically has all of your devices on it.
If you want to access devices in your home network that don't have Tailscale and don't want to turn on an exit node (full tunnel, i.e. normal self-hosted VPN), you can set up your server to be a subnet router.
My subnet router means that my NAS (that doesn't have Tailscale on it) is always accessible to me by its local IP no matter what network I'm on.
@ Thanks for the info. I’m meaning to migrate my setup from being on my NAS to being on a MS-01 Proxmox VM / LXC and using the NAS shares over NFS for storage, while migrating from swag to traefik. I guess I’ll look into using Tailscale while I’m at it.
I just set up Tailscale on my TrueNAS last month and I wish I would have done it sooner.
Thank you Tailscale!
I don't like the notion of "You don't need to secure your Wordpress instance because it's behind a VPN". There are many security scenarios where this will still get you in the end. Tailscale might help prevent access from the entire internet, but not to all other people. Imagine if you had an ex-employee that left the company, but still has login credentials. Or one of your client computers is compromised, giving whoever access to your vulnerable Wordpress instance. You really can't get away from updating often.
spot on - I just had a rant to another commenter here about the ZeroTrust model
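The two comments above (a VPN is not a substitute for patching, and a tailnet is not a "trusted zone") and the earlier wish for easier ACL editing point at the same control: the tailnet policy decides which node may reach which port, and the default policy a new tailnet ships with accepts everything. As an added example for this page (not Tailscale's code; a simplified evaluator whose policy shape only mirrors the `acls`, `groups` and `tagOwners` keys of a tailnet policy file, with a small subset of the real matching rules), the Python below evaluates a permissive policy next to a least-privilege one and answers the question a defender asks after a laptop is lost or an account is offboarded: what can that node still reach? All users, hosts and tags are constructed sample data.

```python
"""Least-privilege check over a Tailscale-style ACL policy.

Simplified evaluator written for this page, not Tailscale's implementation. Supported
selectors: "*", "group:NAME", "tag:NAME" or a login name; dst entries are "HOST:PORTS"
where PORTS is "*", a number, a range "lo-hi" or a comma-separated list of those.
All users, devices and tags below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# The "everyone can reach everything" policy a new tailnet starts with.
PERMISSIVE = {
    "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
}

# Default-deny: only rules listed here accept traffic; everything else is dropped.
RESTRICTED = {
    "groups": {
        "group:admins": ["alice@example.com"],
        "group:staff": ["alice@example.com", "bob@example.com"],
    },
    "tagOwners": {"tag:wordpress": ["group:admins"], "tag:nas": ["group:admins"]},
    "acls": [
        # staff may browse the blog; only admins reach its SSH port and the NAS share
        {"action": "accept", "src": ["group:staff"], "dst": ["tag:wordpress:80,443"]},
        {"action": "accept", "src": ["group:admins"],
         "dst": ["tag:wordpress:22", "tag:nas:445"]},
    ],
}


@dataclass(frozen=True)
class Node:
    """A device on the tailnet: either owned by a user login or tagged (user is None)."""
    name: str
    user: Optional[str] = None
    tags: Tuple[str, ...] = ()


def _port_ok(port: int, spec: str) -> bool:
    """Does `port` fall inside a port spec such as "*", "443", "8000-8100" or "80,443"?"""
    for part in spec.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches(selector: str, node: Node, groups: dict) -> bool:
    """Does a src/dst selector match this node?"""
    if selector == "*":
        return True
    if selector.startswith("group:"):
        return node.user is not None and node.user in groups.get(selector, [])
    if selector.startswith("tag:"):
        return selector in node.tags
    return node.user == selector  # plain login name


def allowed(policy: dict, src: Node, dst: Node, port: int) -> bool:
    """Default deny: True only if some accept rule matches src, dst and port."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(_matches(s, src, groups) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            host, _, ports = entry.rpartition(":")  # "tag:nas:445" -> ("tag:nas", "445")
            if _matches(host, dst, groups) and _port_ok(port, ports):
                return True
    return False


def reachable(policy: dict, src: Node, hosts, ports) -> list:
    """Blast-radius view: every HOST:PORT the node `src` is permitted to reach."""
    return [f"{h.name}:{p}" for h in hosts for p in ports if allowed(policy, src, h, p)]


# Constructed sample tailnet.
ALICE_LAPTOP = Node("alice-laptop", user="alice@example.com")
BOB_LAPTOP = Node("bob-laptop", user="bob@example.com")
CAROL_PHONE = Node("carol-phone", user="carol@example.com")  # offboarded: in no group
WORDPRESS = Node("wordpress", tags=("tag:wordpress",))
NAS = Node("nas", tags=("tag:nas",))
HOSTS, PORTS = [WORDPRESS, NAS], [22, 80, 443, 445]

if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        for node in (ALICE_LAPTOP, BOB_LAPTOP, CAROL_PHONE):
            print(f"{label:10} {node.name:13} -> {reachable(policy, node, HOSTS, PORTS)}")
```

Under the permissive policy the offboarded phone and a compromised staff laptop reach the NAS share and the WordPress SSH port just like an admin would; under the restricted one they are confined to the blog's web ports or to nothing. The policy narrows the blast radius, but it does not patch WordPress: the nodes that are allowed through still hit whatever vulnerability the application has, which is the other commenter's point.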
Always wanted something like this, will have to give it a go.
😮 just installed this two days ago. This looks like foreshadowing 😆
Tailscale has completely changed how I access resources on my home network.
So it's exactly like the DIY VPNs we used to set up and run ourselves before it became impossible to find any VPN software anymore, and after there being no such thing anymore for some 6 years, suddenly corporations started selling the modern version under corporate control, as if it was a new tech and previously impossible, and as usual most people fell for it, instead of asking why they can't set up their own peer-to-peer networks over the internet!
Windows 3.1 came with a VPN utility, and Microsoft killed it too! I don't do Microsoft anymore, haven't for over a decade!
HAIL THE MIGHTY TUX!! HAIL LINUX!!!
Run "headscale" yourself; that is the control server, and then everything is "self hosted". Anyway, all of the VPNs you complain about still exist. Those were using specific older, now insecure, VPN protocols like IPsec. OpenVPN also is very old but still around, and you can still run it all yourself. WireGuard is the new guy and that is what Tailscale uses.
sounds like consul/envoy/istio wrapped together. love it
Luckily my ISP gives a public IP on my connection so I can just open ports for things when needed. That said my only ISP option here is centurylink and their DSL is quite slow even if we’re talking internet speeds 10 years ago. I could go and get myself Starlink but their monthly pricing is still a tough sell. Still it’s nice to know that if I go Starlink or another new ISP arrives and goes CGNAT I can use this to run NAS and servers.
Sounds cool! I'm still in a bit of configuration hell with my setup. Got my home network all set, couple of basic services (plex, torrents, vpn access) and recently added VPN... It was working before but now I'm still trying to figure out how to get the ports open correctly when on VPN without being completely in the open... would this be able to help?
Depending on your Plex use case, the only port you would need to open would be for Plex. If you are using a VPN like Wireguard, OpenVPN, ipsec you will need to open ports for those services. If you replace your VPN server with a tailscale exit node you will NOT need to open any ports for VPN access.
Tailscale is cool and all, but I find just WireGuard is what I want 99% of the time; maybe when my ISP removes my IP it will be handy.
If your setup is simply a site-to-site tunnel, then yes, just simple straight-up WireGuard is superior, EXCEPT if you CAN'T connect the 2 locations. Some places have double router setups and it becomes impossible to set something like that up.
23:20 The only problem I would have with Tailscale is the difference between Personal Plus and Starter.
I know families who would need to go with Starter and well, not only is the price difference quite drastic, the amount of features are also a lot less.