___________________________________________________________________
Tailscale's human-scale networks are still controlled by Google and
Microsoft
Author : xrd
Score : 99 points
Date : 2022-04-04 19:41 UTC (2 days ago)
| ncmncm wrote:
| See, this should be the very first thing we should find out about
| Tailscale, and not only after we have invested time and effort.
| beardicus wrote:
| How would you invest effort without first signing up, and how
| would you sign up without learning of these login limitations?
| ncmncm wrote:
| It is not obvious to somebody trying it out that even if they
| switch up to a paid subscription, they would still depend on
| dodgy third parties to authenticate.
| newaccount74 wrote:
| It's pretty clearly documented on the Tailscale website.
| This is not something they are hiding.
| silisili wrote:
| There's something really amiss with this thread. I saw all these
| comments a day or two ago, but it's saying they are new?
| ggpsv wrote:
| That's right. I posted this one the other day
| https://news.ycombinator.com/item?id=30913492
| silisili wrote:
| Right, I was noticing specifically SOLAR_FIELDS' comment here
| - https://news.ycombinator.com/item?id=30913492#30914165
|
| On both threads it says 4 hours ago. I thought I was going
| insane because I remember googling Netmaker at the time, and
| it definitely wasn't today. Clicking into their profile shows
| the comment '1 day ago'
| X-Cubed wrote:
| There are alternative solutions available for those that don't
| like the Tailscale authentication model, including using
| Wireguard directly.
|
| Tailscale does not need to be all things to all people, and
| especially not at the free tier for personal use. Adding extra
| complexity to the product would mean that it would no longer be
| the easy to use tool that it currently is.
| spydum wrote:
| Agree, and by leveraging other common IDPs, they take
| themselves out of the high touch account management tasks for
| that tier.
| dddw wrote:
| Nebula from slack, but very beta.
| attackroll wrote:
| I like how "I'm not sure if they realize it yet, but Tailscale
| seems to work extremely well for polycules." is thrown in, as if
| it's usual for any company to know what a "polycule" is.
| alexktz wrote:
| I had to look it up. A romantic network, or a
| particular subset of relationships within a romantic network,
| whose members are closely connected. They can be intimate,
| familiar, romantic, or sexual in nature, but not limited to.
| The polycule created is unique to the people involved and the
| variations they create.
| renewiltord wrote:
| What's a polycule in this context? Apparently it's a polyamorous
| relationship group but I don't see how Tailscale is particularly
| useful there so it must mean something else.
| [deleted]
| mkeedlinger wrote:
| I actually don't think it does mean something else. iliana is
| quite technical; I would imagine that they relate to other
| technical folk. I have little network services I've shared with
| friends before, perhaps they do something similar.
| renewiltord wrote:
| Oh, so like analogous to the polyamory notion of sharing
| partners, this is about sharing software/infra with other
| people.
|
| To be clear, not alleging it wasn't technical. The polyamory
| <-> shared services thing just wasn't obvious to me since I
| was unfamiliar with the term.
| titanomachy wrote:
| I believe that the author is literally polyamorous, has a
| community of romantic partners that they refer to as a
| "polycule", and wishes to operate a VPN exclusively for
| members of that community.
|
| I don't think it's meant as a metaphor.
| renewiltord wrote:
| Oh! Well, can't say that's my proudest moment. Thanks for
| explaining!
| LilBytes wrote:
| https://twitter.com/ilianathewitch/status/151113611828407
| 091...
|
| Definitely right.
| renewiltord wrote:
| Haha well, in defence of the site, it's literally just me
| who got it wrong. Other people downvoted my initial
| comment because it must have been obvious to them.
|
| I have to say I was a little afraid at the end that I
| might have inadvertently offended someone.
|
| This is a better outcome in comparison.
| cassianoleal wrote:
| Definitely not just you. This thread is how I came to
| understand what it was too.
| beardicus wrote:
| Having to use Google or GitHub to log into Tailscale definitely
| gave me pause when I was signing up. I actually pumped the brakes
| for a few months when I first encountered that, but eventually
| relented and chose GitHub.
|
| I don't particularly _want_ another login, but I also don't
| cherish the thought of losing access to Service A because of the
| actions of Service B.
| mr337 wrote:
| Same here. For something that they pitch as being so
| self-hosted, signing up without using your own email was really
| weird to me. Still haven't signed up....
| Saris wrote:
| I'm going through this right now, the free gsuite plan is
| ending and I have accounts tied to it through "Login with
| Google".
|
| Luckily not too many, but it still strikes me just how stupid I
| was to use that option on any site, instead of an email and
| password.
| [deleted]
| wmf wrote:
| If you're an oppressed freedom fighter you have to self-host
| everything. No aaS will ever pass your risk management and they
| especially can't afford to do so on the free plan.
|
| In this case check out headscale.
| AdamJacobMuller wrote:
| > Tailscale runs on pretty much anything
|
| I run it on an SFP: https://plumspace.com/products/smart-sfp/
|
| It's cool.
| jftuga wrote:
| Thanks for sharing this. About how much do they cost?
| nsonha wrote:
| I'm dumb, could you explain what this does and potential uses
| in home network?
| pzduniak wrote:
| It's an ARM Linux device that you plug into a port that's
| usually only present in switches.
| kajiryoji wrote:
| If you don't want your technology to have a proprietary stack,
| then definitely check out Nebula[1]. It's very easy to set up and
| works very well in my experience.
|
| [1]: https://github.com/slackhq/nebula
| brnt wrote:
| Can you compare it to Yggdrasil?
| erikh wrote:
| ZeroTier isn't controlled by anyone other than ZeroTier.
|
| Give it a shot! :)
| sockaddr wrote:
| Yeah. What tailscale is doing here seems like a great way to
| make networking even more fragile than it already is. I've
| checked out tailscale on occasion but always return to
| zerotier. I personally run my own zerotier infra. And standing
| up roots is relatively easy after you get through it once.
| Ir0nMan wrote:
| I have not tried ZeroTier yet but have come across it quite a
| bit lately. What advantages if any would you say it has
| compared to just running a simple Wireguard VPN into your
| remote network?
| watermelon0 wrote:
| ZeroTier is peer-to-peer, like Tailscale, and both of them
| maintain proxies, in case direct connection cannot be
| established.
|
| The main difference (to Tailscale) is that ZeroTier doesn't
| need an identity provider, since each machine needs to be
| whitelisted in ZT admin panel.
| cassianoleal wrote:
| It very much needs an identity provider, only they
| implement it themselves instead of outsourcing it to
| Google/MS.
|
| On Tailscale you also need to whitelist machines in the web
| console. There's probably an automated way to do it as well
| but I haven't looked into it since I only use it for a few
| static hosts.
|
| I migrated from ZT to TS about a year ago because ZT was
| much slower (network bandwidth-wise) and CPU-intensive than
| Tailscale on my setup. YMMV.
| kosikond wrote:
| I migrated off ZT because of weird instability of traffic
| with file ops on Samba shares and the MagicDNS.
|
| MagicDNS is such a killer feature; all nodes are really
| hands-off and I don't need to worry about IP addresses
| anymore.
| api wrote:
| You can self-host the ZeroTier controller which is the
| identity provider, and you can do so without breaking
| interoperability with the rest of the network.
| ggpsv wrote:
| I've been using Tailscale for a couple of personal use cases and
| it has become one of my favorite products. It really simplified
| my setup and it "just works".
|
| That said, I share OP's concerns as someone who has been
| evaluating alternatives to Google Workspace and Office 365. It is
| understandable that they may be prioritizing a B2B model, a
| decision which may be at odds with users like OP and myself. That
| said, I still recommend it to teams/people who do not share this
| concern.
|
| I hesitate to invest further than my current setup because of
| this reason and I've been investigating whether
| Headscale/ZeroTier fit the bill. It is a shame because it is such
| a great product and it has been a while since I last had an
| equivalent experience using software.
| systemvoltage wrote:
| What is the use case for Tailscale?
|
| I can ssh into machines without issue. Configure a firewall
| port and allow only ssh connections.
|
| I'm curious because Tailscale is on HN every other day. I'd
| like to give it a try but not sure for what problem I have.
| smackeyacky wrote:
| I use it to replace ssh tunnels. I used to have a couple of
| ports open on my office router I would ssh through. I closed
| those off and use tailscale on a single machine in my office
| as a subnet router.
|
| Now when I am at home or travelling, I have direct access to
| my test database, VMs and remote desktops without having to
| tunnel those ports.
|
| When they say zero conf they mean it. Truly impressive
| product. I could get away with the free version, but I was so
| impressed that I paid for it.
| SOLAR_FIELDS wrote:
| Easier cloud networking.
|
| I don't use Tailscale, I use a competing and currently
| arguably better product (Netmaker).
|
| Imagine you're a business building XYZ software product. You
| build a k8s cluster in one region, but now you need your
| system also to exist simultaneously in another region for
| failover reasons. Now you need region A to be able to have
| replicas in region B in real-time amongst many other
| requirements and those two networks from each region need to
| be able to understand and talk to each other with minimal
| setup and headache. Perhaps network A is set up on
| DigitalOcean and network B is on AWS or GKE for financial or
| technical reasons. Example: it's cheaper to have surplus
| machine needs on AWS/GKE but you don't want machines running
| there all the time because it's expensive.
|
| Enter Wireguard mesh networking. Ever since kernel Wireguard
| made it into Linux this is where the endgame has been for
| cloud deployments. It's a huge improvement over the previous
| solutions. Netmaker and Tailscale are two offerings of that
| solution.
|
| Note that I'm not affiliated with Netmaker at all. Just a
| quite happy customer.
| cassianoleal wrote:
| Tailscale uses wireguard-go which is a Wireguard in
| userspace implementation, not the kernel driver.
| bogomipz wrote:
| Interesting. How hard would it be to build your own Tailscale
| implementation then? Does Tailscale just mostly provide a
| nice UX and provisioning on top of wireguard-go?
| randomblock1 wrote:
| Yes, basically. How to create your own Tailscale-like
| WireGuard tunnel:
|
| 1. Put WireGuard on a Pi. Create a server config.
|
| 2. Open the WireGuard port to the Internet (don't worry,
| it's invisible)
|
| 3. Install WireGuard elsewhere, and generate a client
| config.
|
| All devices can now talk to each other. Tailscale has a
| "magic DNS" feature, which is nice, but WireGuard also
| supports custom DNS in the config.
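The three steps above, as an added example that is not the poster's own code: what `wg genkey` / `wg pubkey` compute (X25519 per RFC 7748, here in pure Python so it runs without the `wg` tool installed) and the wg-quick server and client configs the steps describe, including the custom `DNS =` line. The 10.8.0.0/24 addresses, port and endpoint are constructed placeholders.

```python
import base64

# Added example, not from the thread: what `wg genkey` / `wg pubkey` compute
# (X25519 scalar multiplication per RFC 7748, in pure Python) and the wg-quick
# config pair that steps 1-3 above describe. Addresses, port and endpoint
# are constructed placeholders.
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes = BASEPOINT) -> bytes:
    """RFC 7748 X25519: public key = x25519(private, BASEPOINT)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the private scalar
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):                    # Montgomery ladder
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pubkey(private_b64: str) -> str:
    """Same as `wg pubkey`: base64 private key in, base64 public key out."""
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()

def server_config(server_priv: str, client_pub: str, port: int = 51820) -> str:
    """Step 1: the config on the Pi; each client gets a [Peer] with a /32."""
    return (f"[Interface]\nAddress = 10.8.0.1/24\nListenPort = {port}\n"
            f"PrivateKey = {server_priv}\n\n[Peer]\nPublicKey = {client_pub}\n"
            "AllowedIPs = 10.8.0.2/32\n")

def client_config(client_priv: str, server_pub: str, endpoint: str) -> str:
    """Step 3: the client config; DNS = points at a resolver on the tunnel."""
    return (f"[Interface]\nAddress = 10.8.0.2/24\nPrivateKey = {client_priv}\n"
            "DNS = 10.8.0.1\n\n[Peer]\n"
            f"PublicKey = {server_pub}\nEndpoint = {endpoint}\n"
            "AllowedIPs = 10.8.0.0/24\nPersistentKeepalive = 25\n")
```

The private key for each side comes from 32 random bytes (`wg genkey` does the same), and only the public keys are exchanged between the configs.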
| livueta wrote:
| Yeah, definitely worth mentioning that Wireguard is
| actually _super easy_ to manually configure, especially
| if you don't have a bazillion hosts or need to integrate
| with auth domains. I think a lot of the stuff individuals
| end up setting up Tailscale/Zerotier for (they obviously
| have a lot of other stuff going on, but the relevance to
| individual/small group users may be limited) would be
| equally well-served by plain old Wireguard.
| atonse wrote:
| It's VPN software hooked up to external authentication.
|
| So your SSH server wouldn't even need to have a public IP,
| which is yet another guard.
|
| And the proper authentication adds an extra layer of identity
| guarantees so you know who can and can't access network
| resources.
| dx034 wrote:
| Can it really work if the server doesn't have a public IP?
| It works if the server blocks all incoming traffic, but
| doesn't it have to be routable? It can of course work via
| DHCP, but I would consider my devices at home still to have
| a public IP, even if they share it.
| vineyardmike wrote:
| If you consider devices behind a NAT to have a public IP
| then yes, it needs a public IP. Really, it needs to just
| be routable to the internet. Tailscale handles the NAT
| busting and p2p handshake, while the nodes directly talk
| to each other (over WireGuard)
| archseer wrote:
| https://tailscale.com/blog/how-nat-traversal-works/
| brokenmachine wrote:
| Great link. Thanks.
| ggpsv wrote:
| Some of my use cases:
|
| - Ditch my previous VPS + Wireguard setup which I had to
| maintain
|
| - Easily add/remove my own exit nodes as I wish/need (either
| using my own devices or any VPS)
|
| - Use my beefy desktop as a remote development setup
|
| - Running syncthing/rclone across all of my devices without
| relying on relay nodes or whatever
|
| - Accessing all of my devices remotely
|
| They just make it dead simple to run your network without
| worrying as much about opening yourself to the internet. I
| know you can achieve this without Tailscale but they just
| make it so easy. Their ACL system is pretty easy to configure
| and you can even add assertions to it.
|
| They've documented some use cases here
| https://tailscale.com/kb/guides/
| tailspin2019 wrote:
| I share the same concerns. They also had some bizarre and
| worrying behaviour where anyone signing up with the same domain
| would automatically be joined to your account, seemingly
| without any approval steps.
|
| This was ostensibly to allow "corporate" accounts to easily
| group all users together, but the behaviour relies in the
| backend on a manually maintained (by Tailscale) list of
| "shared" domains where this auto joining behaviour would be
| bypassed (e.g. @gmail.com) to prevent say all Gmail users being
| grouped into the same account.
|
| Of course this manual list missed some obscure shared email
| domains and there were users complaining on GitHub that they
| were unexpectedly seeing other users/machines in their account.
|
| I hope this terrible design decision has now been fixed in some
| way but it adds to my slight unease at the authentication model
| being used (along with the OP's concerns).
|
| Aside from this Tailscale is a great product, but for something
| focussed on security these sorts of things need to be given a
| high priority (if they're not already).
| ggpsv wrote:
| Oh, I wasn't aware of that. That's certainly worrisome
| considering Tailscale's default configuration for the ACL and
| authenticating new machines. Fortunately I updated my
| settings to change the default ACL policy and to manually
| approve any new machines.
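The ACL "assertions" ggpsv mentions above and the default ACL policy in the last post, as an added example that is not Tailscale's code: a reduced model of a policy file with `acls` rules and `tests` entries (`src` plus `accept`/`deny` lists), and a checker that reports which assertions a policy violates. The users, hostnames and ports are constructed, and the matcher is a simplification (hostnames and users by glob, ports as comma lists, no groups or tags).

```python
import fnmatch

# Added example, not from the thread: a simplified model of a Tailscale
# policy file with "acls" rules and "tests" assertions. Users, hostnames and
# ports are constructed; the matching is a reduced model of Tailscale's
# (glob users/hosts, comma-separated ports), not its real evaluator.

# The default policy: every device may reach every port on every device.
DEFAULT_POLICY = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}

RESTRICTED_POLICY = {
    "acls": [
        # Only alice's devices may reach the NAS, and only on SSH and SMB.
        {"action": "accept", "src": ["alice@example.com"], "dst": ["nas:22,445"]},
    ],
    "tests": [
        {"src": "alice@example.com", "accept": ["nas:22", "nas:445"], "deny": ["nas:80"]},
        {"src": "bob@example.com", "deny": ["nas:22"]},
    ],
}

def _ports(spec: str) -> set:
    return {"*"} if spec == "*" else set(spec.split(","))

def allowed(policy: dict, src: str, dst: str) -> bool:
    """Default-deny: traffic passes only if some accept rule matches."""
    host, port = dst.rsplit(":", 1)
    for rule in policy.get("acls", []):
        if not any(fnmatch.fnmatch(src, s) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            dhost, dports = d.rsplit(":", 1)
            ports = _ports(dports)
            if fnmatch.fnmatch(host, dhost) and ("*" in ports or port in ports):
                return True
    return False

def run_tests(policy: dict) -> list:
    """Return a failure message for every 'tests' assertion the ACLs violate."""
    failures = []
    for t in policy.get("tests", []):
        for dst in t.get("accept", []):
            if not allowed(policy, t["src"], dst):
                failures.append(f"{t['src']} should reach {dst}")
        for dst in t.get("deny", []):
            if allowed(policy, t["src"], dst):
                failures.append(f"{t['src']} should NOT reach {dst}")
    return failures
```

Running the restricted policy's tests against the default allow-all rules shows why the default is worth changing: the deny assertions fail, because every device can reach every port.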
___________________________________________________________________
(page generated 2022-04-06 23:01 UTC)