[HN Gopher] How I use Tailscale
___________________________________________________________________
How I use Tailscale
Author : aquariusDue
Score : 140 points
Date : 2025-08-06 08:09 UTC (3 days ago)
(HTM) web link (chameth.com)
(TXT) w3m dump (chameth.com)
| sixothree wrote:
| I love me some tailscale. But it kills the battery on my phone
| and it kills resolv.conf every time I boot WSL. I wish I had
| better luck.
| em-bee wrote:
| i use zerotier without problems on the phone. yes, they are no
| longer open source, but source is accessible and it's not worth
| the effort to switch.
| th0ma5 wrote:
| Straight WireGuard to a single point is completely not
| noticeable.
| 8n4vidtmkvmk wrote:
| Sounds a bit like a fancier ngrok.
|
| Accidentally wiring everything to everything else sounds kind of
| scary.
|
| There's 1 or 2 things I wouldn't mind securely exposing to the
| internet (like Plex) but nothing I need so desperately while I'm
| out and about that I'd even want to take that risk.
|
| Sounds like this is just for self-hosting?
| oliyoung wrote:
| > Sounds a bit like a fancier ngrok.
|
| Well, yes and no.
|
| You can use it like ngrok, and I'm sure you could configure
| wireguard and ngrok to give you something similar to what
| Tailscale does, but Tailscale does it out of the box, with
| polished and well built client and server apps.
|
| I'm no infra guy, I'm just a former front-end eng, but it gives
| me the confidence to expose media centres and file servers etc
| to "the wild" without it being public.
|
| Using Jellyfin to watch content from my home server on my iPad
| while I'm away from home is as "easy" as Disney or Netflix with
| Tailscale, just installed the clients and servers and .. voila?
| Larrikin wrote:
| Having all your mobile traffic routed through AdGuard Home (or
| PiHole) is a game changer. It's also nice using an exit node
| through my home network whenever I am on public wifi.
| burnt-resistor wrote:
| Plex already supports remote access via UPnP.
| https://support.plex.tv/articles/200289506-remote-access/
| c0wb0yc0d3r wrote:
| To me WireGuard is safer than exposing services directly to
| the internet.
| burnt-resistor wrote:
| Sure, it's pretty simple. I had WG provided by a Deciso
| OPNsense router with an automatic VPN profile on most user
| devices. All of my infrastructure also had PKI. (I moved
| recently and have yet to set it up again.)
| 15155 wrote:
| Tailscale is able to hole punch in scenarios where UPnP is
| disabled (just good practice) as well as many NAT
| environments.
| em-bee wrote:
| _Speaking of SSH, Tailscale has special support for it whereby
| it handles any incoming connection to port 22 from the
| Tailscale network, and deals with authentication itself. No
| public keys or passwords: if you're logged into Tailscale you
| can be logged into the machine. This is particularly handy when
| you SSH from a phone, as proper credential management is a bit
| of a nightmare there._
|
| this has me worried. i would not want that. i use zerotier, not
| tailscale, but the principle is the same. i have my laptops and
| my phone connected to my servers. given that all of those
| machines are already on the internet, connecting them into a
| virtual network does not add any risk in my opinion. (at least
| as long as you don't use features like the above). all i get is
| a known ip address for all my devices, with the ability to
| connect to them if they have an ssh server running. when i am
| outside the primary benefit is that i can tell which devices
| are online.
| 15155 wrote:
| This feature isn't enabled by default.
| thrown-0825 wrote:
| I use a similar setup, but for anyone following this guide I
| would not recommend hosting your custom OIDC server behind the
| same tailnet it authorizes.
|
| Any configuration issues will lock you out entirely and you will
| need to have Tailscale support re-enable an OAuth provider, and
| it's not reversible.
|
| I use an oauth provider to log in to tailscale and keycloak
| internally as an oidc provider for service to service auth.
| redat00 wrote:
| Neat way to use Tailscale!
|
| I have a similar set-up, without authentication however, relying
| on Nebula! https://github.com/slackhq/nebula
| abdusco wrote:
| I tried using `tailscale funnel` against a dummy server `python
| -m http.server`, and within 10 seconds the bots started to check
| for vulnerabilities.
|
| Tailscale warns you about how enabling it will issue an HTTPS
| certificate which will be in a public ledger. But I wasn't
| expecting it to be this quick.
|
| 127.0.0.1 - - [10/Aug/2025 00:11:34] "GET /@vite/env HTTP/1.1" 404 -
| 127.0.0.1 - - [10/Aug/2025 00:11:34] code 404, message File not found
| 127.0.0.1 - - [10/Aug/2025 00:11:34] "GET /actuator/env HTTP/1.1" 404 -
| 127.0.0.1 - - [10/Aug/2025 00:11:34] code 404, message File not found
| 127.0.0.1 - - [10/Aug/2025 00:11:34] "GET /server HTTP/1.1" 404 -
| 127.0.0.1 - - [10/Aug/2025 00:11:35] code 404, message File not found
| 127.0.0.1 - - [10/Aug/2025 00:11:35] "GET /.vscode/sftp.json HTTP/1.1" 404 -
| 127.0.0.1 - - [10/Aug/2025 00:11:35] code 404, message File not found
| 127.0.0.1 - - [10/Aug/2025 00:11:39] "GET /s/7333e2433323e20343e2538313/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 404 -
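As an added example (not from the thread, and not Tailscale's own tooling), a small parser for the `python -m http.server` log format above that flags the probe paths quoted in the comment and checks whether they arrived in a burst; the log lines are constructed here in that format, and the probe-path marker list is an assumption chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the `python -m http.server` format quoted above;
# the "code 404, message ..." line is the server's second line per 404.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Aug/2025 00:11:34] "GET /@vite/env HTTP/1.1" 404 -
127.0.0.1 - - [10/Aug/2025 00:11:34] code 404, message File not found
127.0.0.1 - - [10/Aug/2025 00:11:34] "GET /actuator/env HTTP/1.1" 404 -
127.0.0.1 - - [10/Aug/2025 00:11:34] "GET /server HTTP/1.1" 404 -
127.0.0.1 - - [10/Aug/2025 00:11:35] "GET /.vscode/sftp.json HTTP/1.1" 404 -
127.0.0.1 - - [10/Aug/2025 00:11:39] "GET /s/x/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 404 -
127.0.0.1 - - [10/Aug/2025 00:12:10] "GET /index.html HTTP/1.1" 200 -
"""

# One request line: client, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed marker list: path fragments that scanners request when hunting for
# exposed config/secret endpoints (taken from the paths in the thread).
PROBE_MARKERS = ("/@vite/env", "/actuator/", "/.vscode/", "/META-INF/", "/.env", "/.git/")


def parse_line(line):
    """Parse one access-log line; non-request lines (e.g. 'code 404, ...') give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y %H:%M:%S")
    d["status"] = int(d["status"])
    return d


def is_probe(path):
    return any(marker in path for marker in PROBE_MARKERS)


def analyse(log_text, window_seconds=10, threshold=3):
    """Return (probe_paths, burst): probe_paths lists requests matching PROBE_MARKERS;
    burst is True when >= threshold probes landed within window_seconds of the first."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    probes = [e for e in entries if is_probe(e["path"])]
    burst = False
    if probes:
        start = probes[0]["ts"]
        in_window = [e for e in probes if (e["ts"] - start).total_seconds() <= window_seconds]
        burst = len(in_window) >= threshold
    return [e["path"] for e in probes], burst
```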
| mh- wrote:
| Yeah, I have mixed feelings about CT (certificate transparency)
| for this reason. Folks are just consuming the firehose and
| scanning.
|
| And in this case, if the thing you're funnel'ing is on your
| residential connection, it basically amounts to you summoning a
| DDoS.
|
| One (obvious?) tip I'd offer is to put your stuff on high
| non-standard ports if you can. It'll reduce the amount of
| connections you get dramatically.
| gitgud wrote:
| Wait, so bots watch for new records added to this HTTPS cert
| public ledger, then immediately start attacking?
|
| To me that sounds like enabling HTTPS is actually a risk
| here...
| yjftsjthsd-h wrote:
| The server was already exposed. All this does is remove
| obscurity.
| mlhpdx wrote:
| I've been experimenting with different ways of using WireGuard
| but hadn't heard of the header based authentication Tailscale
| does. Interesting stuff.
___________________________________________________________________
(page generated 2025-08-09 23:00 UTC)