Tail Scale VPN

I was game to try Tailscale but now I'm not sure. It seems that I need to create an account using my Apple, Google, etc. ID to use their apps and services. Then I will be connected through their servers which are collecting data from my usage. Am I correct? I thought I would ask here to be sure before I make my decision.
You don’t get something for nothing! Just create a free Gmail account and use that; that is what I did.
 
I was game to try Tailscale but now I'm not sure. It seems that I need to create an account using my Apple, Google, etc. ID to use their apps and services. Then I will be connected through their servers which are collecting data from my usage. Am I correct? I thought I would ask here to be sure before I make my decision.
You need to use an existing identity provider to add nodes to your Tailscale mesh VPN. Once a node is added, you are only using their coordination server to connect devices together through your firewall NAT/CGNAT. Once the connection is established, all traffic is then routed directly between devices and not through their coordination server. You can also host your own coordination server (aka Headscale) if you wish, although that requires hosting it on a VPS.

Tailscale is not a so-called "privacy" VPN promoted by YouTube shills in exchange for kickbacks, which tracks all your information or installs a root certificate to decrypt all your information to sell to advertisers. You can watch an excellent video on that subject.

In fact, I use Tailscale to encrypt all my information when connected to untrusted networks (public venues, airports, pubs, etc.) and select an exit node to route all traffic through my home ISP.

Supported SSO identity providers · Tailscale Docs

Supported native identity providers

Tailscale natively supports the following identity providers:

Signing up with an email address

Tailscale does not support sign-up with email addresses. By design, Tailscale is not an identity provider—there are no Tailscale passwords.

Identity providers build robust infrastructure to handle identity and authentication, which are core and complex aspects of security. Tailscale delegates user authentication to identity providers because of their expertise, which allows Tailscale to focus on areas like secure networking.

Using an identity provider is not only more secure than email and password, but it allows us to automatically rotate connection encryption keys, follow security policies set by your team such as multifactor authentication (MFA), and more.

For more information about why Tailscale is not an identity provider, refer to the "Tailscale doesn't want your password" and "SSO tax, cut" blog posts.
 
I have used Tailscale myself for a specific purpose on a network outside of my control. But all things being equal, I simply like self-hosted solutions better. Setting up your own self-hosted WireGuard VPN is not that difficult, and the benefit is that you are not relying on anyone else's cloud service to make it work. While your actual data might not pass through Tailscale's system, the connection requests do rely on their systems. Their system might go down, they might change their business model and start charging even for small setups, etc, etc, etc. By self-hosting, you are only relying on your own equipment.

Sure, self-hosting requires a single port to be forwarded to an encrypted service that you are running, but I still feel that is more secure than relying on Tailscale and having to install their software on every device I want to connect with. EDIT - as elvisimprsntrr points out below, the "software issue" really isn't different from other solutions.
 
Tailscale also can require a port to be forwarded for best performance/reliability. Although usually it does this by itself via UPnP (if the router owner did not turn that off) or through UDP "hole punching" through your NAT (and the ISP's NAT if you have CGNAT). But with some kinds of NATs the hole punching technique is very difficult and slow to achieve a working tunnel because of port numbers being randomized. This is why you may observe, upon initial connection, that you have higher latency or lower speed for a while, as Tailscale will tunnel its traffic through a hosted proxy server while it is trying to establish a direct tunnel. I used to get that effect all the time with ZeroTier but don't notice it as much with Tailscale - I think Tailscale has either better tunneling tech or just faster proxy servers. Or maybe both.
 
...and having to install their software on every device I want to connect with.

You only need a single instance of Tailscale running on or behind your firewall to connect to any device on your home network via its local IP address if you enable advertise routes, including embedded devices. For example, I run Tailscale on my pfSense firewall to remotely connect to my HDHomeRun streaming OTA TV tuner when not at home. I can also connect directly to all my camera RTSP streams using third-party IP Cam apps.
 
Tailscale also can require a port to be forwarded for best performance/reliability. Although usually it does this by itself via UPnP...
Tailscale does not require UPnP, nor does it require manual port forwarding. It establishes a P2P connection between clients on your Tailscale mesh VPN. Anyone with good security practices should never enable UPnP on a router/firewall.
 
Tailscale does not require UPnP, nor does it require manual port forwarding. It establishes a P2P connection between clients on your Tailscale mesh VPN. Anyone with good security practices should never enable UPnP on a router/firewall.

Perhaps a poor choice of words on my part. Tailscale certainly does not require a port to be forwarded, but it does help it to achieve direct tunnels faster.

Some routers let you limit UPnP to be usable by specific LAN IPs but not by everything on your LAN, which is nice.
 
Perhaps a poor choice of words on my part. Tailscale certainly does not require a port to be forwarded, but it does help it to achieve direct tunnels faster.

Some routers let you limit UPnP to be usable by specific LAN IPs but not by everything on your LAN, which is nice.
Also, Tailscale is using WireGuard as its VPN "engine", and WireGuard is using UDP as its transport protocol. That makes port forwarding pretty safe, because you cannot discover the port by traditional probing. WireGuard will only respond to the connections (UDP packets) that use known secrets.

I'm not using Tailscale, but bare-bones WireGuard, which is definitely slightly more complex to set up, but it gives you full control over your VPN.

In short, having UDP port forwarding definitely makes tunnel setup and the connection much faster, without compromising security.
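To illustrate the point above about WireGuard only answering packets that carry a known secret, here is a small Python model (added here, not WireGuard's or Tailscale's own code) of the mac1 check a WireGuard responder performs on every handshake message before doing anything else: mac1 is a keyed BLAKE2s-16 over the message, keyed with a hash of the responder's static public key, so a scanner that does not know that public key gets no reply and cannot tell the port from an unbound one. The key bytes, message body and probe packets below are constructed placeholders.

```python
"""Model of WireGuard's mac1 gate (added illustration, not WireGuard/Tailscale code)."""
import hashlib
import hmac

# Handshake-initiation layout: type+reserved (4) | sender index (4) | ephemeral (32)
# | encrypted static (48) | encrypted timestamp (28) | mac1 (16) | mac2 (16) = 148 bytes
INITIATION_LEN = 148
MAC1_OFFSET = INITIATION_LEN - 32      # mac1 is computed over everything before this offset
MAC2_OFFSET = INITIATION_LEN - 16
MSG_INITIATION = 1
LABEL_MAC1 = b"mac1----"


def mac1_key(responder_static_pub: bytes) -> bytes:
    # Protocol definition: Km = HASH(LABEL_MAC1 || S_pub_responder), HASH = BLAKE2s, 32-byte output
    return hashlib.blake2s(LABEL_MAC1 + responder_static_pub).digest()


def compute_mac1(responder_static_pub: bytes, msg_prefix: bytes) -> bytes:
    # Protocol definition: MAC(key, input) = keyed BLAKE2s with 16-byte output
    return hashlib.blake2s(msg_prefix, key=mac1_key(responder_static_pub), digest_size=16).digest()


def build_initiation(responder_static_pub: bytes, body: bytes) -> bytes:
    """Assemble an initiation whose mac1 is valid for the given responder key.

    `body` stands in for the 112 bytes of sender index, ephemeral key and the two
    encrypted fields; their contents do not matter for the mac1 check modelled here.
    """
    if len(body) != MAC1_OFFSET - 4:
        raise ValueError("body must be 112 bytes")
    prefix = bytes([MSG_INITIATION, 0, 0, 0]) + body
    # mac2 is left zero: it is only demanded when the responder is under load
    return prefix + compute_mac1(responder_static_pub, prefix) + bytes(16)


def responder_accepts(responder_static_pub: bytes, packet: bytes) -> bool:
    """First gate a responder applies: wrong length/type or bad mac1 -> silently dropped."""
    if len(packet) != INITIATION_LEN or packet[0] != MSG_INITIATION:
        return False
    expected = compute_mac1(responder_static_pub, packet[:MAC1_OFFSET])
    return hmac.compare_digest(expected, packet[MAC1_OFFSET:MAC2_OFFSET])


def count_replies(responder_static_pub: bytes, probes) -> int:
    """How many of a list of probe datagrams would get any answer at all."""
    return sum(1 for p in probes if responder_accepts(responder_static_pub, p))


if __name__ == "__main__":
    pub = bytes(range(32))            # constructed stand-in for a Curve25519 public key
    good = build_initiation(pub, bytes(112))
    # constructed blind probes: empty, all-zero, right type/length but no mac1, an HTTP request
    probes = [b"", b"\x00" * 148, bytes([1]) + bytes(147), b"GET / HTTP/1.0\r\n\r\n"]
    print("legitimate initiation accepted:", responder_accepts(pub, good))
    print("replies to blind probes:", count_replies(pub, probes))
```

Run the file and the legitimate packet is accepted while every blind probe gets nothing back; on the wire, "nothing back" is exactly what an unbound UDP port gives you, which is the property the post relies on. This models only the mac1 gate: a real responder also has to decrypt the static and timestamp fields before it sends anything, and under load it additionally demands a valid mac2 cookie.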
 
You only need a single instance of Tailscale running on or behind your firewall to connect to any device on your home network via its local IP address if you enable advertise routes, including embedded devices. For example, I run Tailscale on my pfSense firewall to remotely connect to my HDHomeRun streaming OTA TV tuner when not at home. I can also connect directly to all my camera RTSP streams using third party IP Cam apps.
Yeah, that was flawed logic on my part... I was thinking more about mobile devices, but you have to install an app regardless of which remote solution you want to use, so that issue is moot. If I want to run WireGuard (directly), then I still need to install the WireGuard app on my phone, so it is really no different than having to install Tailscale on my phone. I guess because I have to have both installed on my phone and I installed Tailscale second, I was incorrectly making it sound like Tailscale required something "more" than the other solutions.

Thanks for pointing out my error...
 
I still install ZeroTier and Tailscale both on new remote machines just for redundancy, but yeah, Tailscale seems to be better at NAT traversal (establishing direct tunnels through NAT). Both can be problematic depending on your router though. pfSense in particular is known to have a "hard NAT" by default that makes it difficult/slow for Tailscale to establish direct tunnels. It can be worked around but you have to know to do it (Tailscale has a support document about pfSense setup) and it can be tricky to get it right. The good news is you can install Tailscale directly on a pfSense/OPNsense router instead of on the machines behind the router, and I think that may avoid some of the issues.

If you are like me and you hate having to connect a VPN client to access Blue Iris, then Cloudflare DNS is also a great option because it is cheap, around $10 a year, and you can use free Cloudflare Tunnels to host your Blue Iris servers on a public domain whether you have your own public IP address or not.
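The NAT behaviour discussed in this post and in the earlier one about UDP hole punching can be shown with a toy simulation. The following Python is an added example, not Tailscale's code, and the addresses, port numbers and the coordination server endpoint in it are constructed. It models an "easy" NAT (one public port per LAN socket, reachable by any remote once the mapping exists) and a "hard" NAT (a fresh, randomised public port per remote endpoint, usable only by that remote) and runs the usual hole-punching exchange: both peers contact a coordination server, learn the public endpoint it observed, then probe each other's observed endpoint and reply to whatever gets through.

```python
"""Toy model of UDP hole punching through easy and hard NATs (added illustration, not Tailscale code)."""
import random
from dataclasses import dataclass, field

Endpoint = tuple[str, int]   # (ip, port)

# Constructed stand-in for the coordination/relay server both peers can always reach.
COORD: Endpoint = ("198.51.100.1", 3478)


@dataclass
class Nat:
    public_ip: str
    hard: bool                 # True: endpoint-dependent mapping + filtering (randomised ports)
    seed: int = 7              # makes the "random" port choice reproducible
    table: dict = field(default_factory=dict)   # mapping key -> public port
    next_port: int = 40000     # easy NAT hands out predictable sequential ports

    def __post_init__(self) -> None:
        self.rng = random.Random(self.seed)

    def _fresh_port(self) -> int:
        if not self.hard:
            port, self.next_port = self.next_port, self.next_port + 1
            return port
        used = set(self.table.values())
        while True:            # hard NAT: an unpredictable, never-reused port per destination
            port = self.rng.randint(1024, 65535)
            if port not in used:
                return port

    def outbound(self, lan_src: Endpoint, dst: Endpoint) -> Endpoint:
        """A datagram from lan_src to dst leaves the NAT; return the public endpoint it came from."""
        key = (lan_src, dst) if self.hard else lan_src
        if key not in self.table:
            self.table[key] = self._fresh_port()
        return (self.public_ip, self.table[key])

    def inbound_allowed(self, src: Endpoint, public_port: int) -> bool:
        """Is a datagram from src to this NAT's public_port forwarded to the LAN?"""
        for key, port in self.table.items():
            if port != public_port:
                continue
            if not self.hard:
                return True                    # endpoint-independent filtering
            _lan, dst = key
            if dst == src:
                return True                    # only the remote this mapping was opened for
        return False


def hole_punch(nat_a: Nat, nat_b: Nat) -> bool:
    """Return True if peers A and B end up with a working direct path (no relay needed)."""
    a_sock, b_sock = ("192.168.1.10", 41641), ("10.0.0.5", 41641)   # constructed LAN sockets
    # 1. Both peers talk to the coordination server, which reports the public endpoint it saw.
    a_seen = nat_a.outbound(a_sock, COORD)
    b_seen = nat_b.outbound(b_sock, COORD)
    # 2. Each peer probes the other's reported endpoint; this also opens a mapping toward the peer.
    a_probe_from = nat_a.outbound(a_sock, b_seen)
    b_probe_from = nat_b.outbound(b_sock, a_seen)
    # 3. A probe that gets through reveals the sender's real public port; the receiver replies to it.
    if nat_b.inbound_allowed(a_probe_from, b_seen[1]):
        b_reply_from = nat_b.outbound(b_sock, a_probe_from)
        if nat_a.inbound_allowed(b_reply_from, a_probe_from[1]):
            return True
    if nat_a.inbound_allowed(b_probe_from, a_seen[1]):
        a_reply_from = nat_a.outbound(a_sock, b_probe_from)
        if nat_b.inbound_allowed(a_reply_from, b_probe_from[1]):
            return True
    return False   # neither direction worked: traffic would stay on the relay


if __name__ == "__main__":
    for a_hard in (False, True):
        for b_hard in (False, True):
            a = Nat("203.0.113.1", hard=a_hard, seed=1)
            b = Nat("203.0.113.2", hard=b_hard, seed=2)
            label = f"A {'hard' if a_hard else 'easy'} / B {'hard' if b_hard else 'easy'}"
            print(f"{label}: {'direct tunnel' if hole_punch(a, b) else 'stuck on relay'}")
```

The outcome matches what the posts describe: a direct tunnel comes up whenever at least one side has an easy NAT, because the probe from the hard side opens a mapping toward the easy side's fixed port and the easy side simply answers to whatever port that probe arrived from. Hard-to-hard fails, since each side's observed port is usable only by the coordination server, and that is the case where the session sits on the relay. Forwarding the UDP port on one side is what makes that side look like an easy NAT for that socket, which is why the earlier post sees direct tunnels come up faster with it.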
How does the Cloudflare DNS option work?
 
How does the Cloudflare DNS option work?
It is not what I'd call super easy to set up, but the general idea is you register a domain using Cloudflare (or transfer one in from another domain host), then set up a Cloudflare Tunnel, which is where a machine (e.g. the Blue Iris machine) on your network establishes an outbound connection to Cloudflare, which they can use to proxy traffic from the internet to a service running on your LAN. The value is that it works like port forwarding even if you can't port forward.