As in, would they be able to access your server?
If you do not trust Tailscale as a company, here is an open source re-implementation of the server called headscale. Some/all clients are open source as well. So, you can review all components yourself or pay for a professional third-party review. Otherwise, if you take a binary blob from any origin, including Tailscale, and have it run with privileges on your server, there are few limits on what this blob can do. Yes, backdoors are technically possible, but probably bad for Tailscale’s business if that ever came to light.
I’ve never heard of professional third-party review of open source code. That’s a service people offer?
I’ve always wanted to do this however do I understand it correctly that I need to host headscale on a vps server that is not in my tailnet/home network?
It can be on your home network, but it needs to be reachable via HTTPS through the internet. So yeah, a vps is probably the best option.
I dont think so. It would just require some ports open.
From what I understand tailscale is basically wire guard but made convenient. And how they do that is by managing you wire guard keys for you. So I would have assumed they could use the keys to access your network. HOWever while trying to look into this just now I found out tailnet lock exist and it says “When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can’t send or receive traffic on your tailnet.”
deleted by creator
Yeah true, that’s part of making wire guard more convenient. You have to have a 3rd connection for that I think. In tailscales case it the headscale server.
If you’re concerned about privacy I don’t know why you’d use Tailscale over Wireguard directly. The latter is slightly more fiddly to configure, but you only do it once and there’s no cloud middleman involved, just your devices talking directly to each other.
Yes, fair. I was just attracted by the no-hassle method of Tailscale.
deleted by creator
Yes and because wiregurad is stateless you’ll need a script that checks if your DNS endpoint has updated and restart the wireguard interface so it pulls the fresh DNS/updated IP address. I had to make said bash script for my nodes.
Nope, just an open port. Works directly with public IP. I guess if some ISPs IP lease time is short and they keep changing it regularly, it might become a hassle.
Wait, this could work behind a provider NAT? That’s something I never ever solved
I’m afraid if you’re behind CGNAT it won’t work. Your router should have unique public IP. I’m not too well versed though…
Thanks, that’s sort of what I thought
deleted by creator
for authentication you need an account at one of their supported SSO providers (which is mostly a big tech brand) or at an OpenID service.
the bigger problem is that (I think) the choosen SSO provider will be able to impersonate you, and so they could reconfigure your network or connect to it
deleted by creator
The official service is bound to need a SSO login from bad privacy related providers. They insist in not allowing a simple account creation with just email and password.
You can relatively easily set up a self-hosted OIDC sever like like Keycloak or Kanidm.
The biggest downside, as I understand it, is that it’s difficult to convince others to use your tailnet
Bust curious: what’s the usecase of others joining your tailnet? Filesharing/Private cloud services?
Yeah, that’s why I use TailScale at all. I host services for my close friends to enjoy
You can enable Funnel, which doesn’t require others to have the TS client.
Had no idea that existed, I wonder what the security is like
Why not a direct VPN/WireGuard link to your home network? Works flawless.
Tailscale is very convenient if your home network is behind a CGNAT.
How about netbird, all open source and self hostable
Veilid
I use zerotier and afaik they can’t access it, hence, I assume it’s the same for tailscale
The WireGuard encryptions stops when data reaches their servers and the data is re-encrypted to be sent to the client. So, theoretically, they can look at all the data being passed through.
Read more here about TLS termination and TLS passthrough. https://blog.aiquiral.me/bypass-cgnat
deleted by creator