I've never used Tailscale, but I want to highlight specifically for working with AWS, you could consider using AWS Systems Manager to access machines that are in private VPCs[1][2]. This has the advantage of reusing the same credentials used already for AWS, as well as being able to further restrict exactly what can be done with them.

[1]: https://aws.amazon.com/premiumsupport/knowledge-center/syste...
[2]: https://medium.com/hackernoon/ditch-your-ssh-keys-and-enable...

Huge fan of Tailscale here too. They solved every single complaint I had with using WireGuard (provisioning, key exchange, IP assignment, ACLs, etc.) and did it in a splendid and elegant tool that just disappears.

One of the few products I recommend enthusiastically.

To be clear, WireGuard seemed to have the right level of abstraction as a tool for others to build on (just like it built on top of the noise framework), and someone like Tailscale ran with it.

It seems like any code running in your browser or on your local machine has access to your home network, which was always true, but now your "home network" includes machines in multiple locations, including AWS.
Shoutout to ZeroTier, Nebula which essentially do the same thing. Or Netmaker if you wanna go complete open source/self hosted.
I organically grew my tailscale network and with the recent `tailscale ssh`[0] it has turned my life around. I have no open ports to anything & be it my personal machine in the depths of my closet or stuff on the cloud; everything is seamlessly connected.

[0]: https://tailscale.com/tailscale-ssh/

Tailscale seems like a great product, however I do not want a 3rd party to be able to add a key to my ACL. Running a custom control plane server is possible, but then there is little benefit for me compared to direct wireguard with a central peer on a VPS. If it would be possible to use just the NAT traversal without key management, that would be it!

Currently I am running a tiny VPS as a wireguard server, but I do not trust it to be part of my network. Therefore I run one wireguard tunnel to be able to access my router (which has no public ip) and a second tunnel inside the first to connect through the router to my home network.

Theoretically, it should be possible with a single wireguard tunnel if I set a route to the home router via the wireguard gateway - but I never managed to make wireguard encrypt a packet if it came from the same wg interface. Can anybody help?

Tailscale has been a godsend for my team, saving us quite a bit of effort with VPN/firewall administration. There are very few rough edges, and it tends to just work (at least at our scale of a few thousand nodes). We moved over about 8 months ago and have had no issues since. I’ve also moved my home network (RPis, NAS, etc) to their free tier so I can access it remotely.

Some features that are basically effortless and made me choose it over WireGuard and other VPN solutions: easy provisioning, key exchange, IP assignment, ACLs

I recently set up Tailscale, but unfortunately the phone app leaves a lot to be desired battery-wise (it takes up 30% of my total battery usage) so I think I'll be looking elsewhere.

Initially, I had tried setting up Nebula, but I am unable to get a static IP address for the beacon (a requirement for any of these mesh VPNs), hence why I went with Tailscale which acts as a beacon for you. I think I'll try ZeroTier next.

I love tailscale, too. Also, I read this article before it had any upvotes and learned absolutely nothing new or insightful. Wish the author had kept going.
Quote: "In the "before tailscale" times, if I needed to test against the production AWS resources or connect dBeaver for database maintenance, I would edit the security group to add my IP address, do my testing, edit the security group to remove myself. This is as error prone as it sounds. I quite often forgot to remove my IP address from the allowed addresses, a major potential security risk when you are travelling."

My takeaway from this is that the author was either lazy or lacked the knowledge to create an automation script that could've done that (the add/remove) automatically based on location. If that's the whole reason for this tailscale praise, it kind of takes away Tailscale's actual usefulness and why it exists in the first place.
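The add/remove automation this comment alludes to, as an added example that is not code from the article or from any commenter: a Python context manager that authorizes a single-host rule on an EC2 security group and revokes it on exit even when the session crashes, plus a sweeper that finds tagged rules whose expiry has passed, which covers the "forgot to remove my IP address" failure the quoted article describes. The `temp-access` description tag, the `RecordingClient` stand-in and the `sg-0123456789abcdef0` group id are assumptions of this example; the two client method names match boto3's EC2 client, so a real `boto3.client("ec2")` can be passed in place of the recorder.

```python
"""Temporary security-group allow with a guaranteed revoke (added example).

Assumes an EC2 client object exposing authorize_security_group_ingress() and
revoke_security_group_ingress() with boto3's keyword-argument shape. The
RecordingClient below is a constructed stand-in so the file runs offline.
"""
from contextlib import contextmanager
from datetime import datetime, timedelta, timezone
import ipaddress

TAG = "temp-access"  # hypothetical marker so the sweeper can tell our rules apart
DEMO_NOW = datetime(2024, 1, 2, tzinfo=timezone.utc)  # constructed "current time"


def ingress_rule(ip: str, port: int, expires_at: datetime) -> dict:
    """Build one single-host TCP rule for ``ip`` on ``port``.

    The address is parsed and re-emitted as a host prefix (/32 or /128), so a
    pasted range such as '203.0.113.0/24' raises instead of opening a subnet.
    The expiry is written into the rule description so a later sweep can find
    rules that were never revoked.
    """
    host = ipaddress.ip_address(ip)  # ValueError on anything but a bare address
    description = f"{TAG} expires={expires_at.astimezone(timezone.utc).isoformat()}"
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if host.version == 4:
        rule["IpRanges"] = [{"CidrIp": f"{host}/32", "Description": description}]
    else:
        rule["Ipv6Ranges"] = [{"CidrIpv6": f"{host}/128", "Description": description}]
    return rule


@contextmanager
def temporary_ingress(ec2, group_id: str, ip: str, port: int, ttl_minutes: int = 60):
    """Authorize the rule on entry and revoke it on exit, even if the body raises."""
    expires_at = datetime.now(timezone.utc) + timedelta(minutes=ttl_minutes)
    rule = ingress_rule(ip, port, expires_at)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[rule])
    try:
        yield rule
    finally:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[rule])


def find_expired(ip_permissions: list, now: datetime) -> list:
    """Return tagged rules from a describe_security_groups() IpPermissions list
    whose expiry has passed. Untagged rules are never touched. This is the
    safety net for the case where the revoke in temporary_ingress never ran
    (laptop closed, process killed)."""
    expired = []
    for perm in ip_permissions:
        for key in ("IpRanges", "Ipv6Ranges"):
            for rng in perm.get(key, []):
                desc = rng.get("Description", "")
                if not desc.startswith(f"{TAG} expires="):
                    continue
                expiry = datetime.fromisoformat(desc.split("expires=", 1)[1])
                if expiry <= now:
                    expired.append({"IpProtocol": perm["IpProtocol"],
                                    "FromPort": perm["FromPort"],
                                    "ToPort": perm["ToPort"],
                                    key: [rng]})
    return expired


class RecordingClient:
    """Constructed stand-in for boto3's EC2 client: records calls, no network."""

    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize", kwargs))

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke", kwargs))


def demo() -> tuple:
    """Exercise both halves on constructed data; returns (client calls, expired rules)."""
    ec2 = RecordingClient()
    try:
        with temporary_ingress(ec2, "sg-0123456789abcdef0", "203.0.113.7", 5432):
            raise RuntimeError("session crashed mid-way")  # revoke must still run
    except RuntimeError:
        pass

    # Constructed snapshot of a group's IpPermissions: one stale tagged rule,
    # one still-valid tagged IPv6 rule, and one untagged rule that must be ignored.
    snapshot = [
        ingress_rule("203.0.113.7", 5432, DEMO_NOW - timedelta(hours=5)),
        ingress_rule("2001:db8::10", 5432, DEMO_NOW + timedelta(hours=1)),
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public https"}]},
    ]
    return ec2.calls, find_expired(snapshot, DEMO_NOW)


if __name__ == "__main__":
    calls, expired = demo()
    print([name for name, _ in calls])                    # ['authorize', 'revoke']
    print([r["IpRanges"][0]["CidrIp"] for r in expired])  # ['203.0.113.7/32']
```

The two halves are deliberately separate: the context manager handles the normal path and in-process failures, while `find_expired` is meant to run from a scheduled job under a role that can only revoke rules on that group, so a stale rule is closed even when the workstation that opened it never comes back.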

To add to the OP’s article, Tailscale can map IPv4 to IPv6 addresses when using subnet routers.

Imo this is incredibly handy, as if I want to expose a device to my Tailscale network, I don’t want to have to think about finding an IP address range that won’t conflict with the various local network ranges that my Tailscale devices are on. Especially if you’re using Tailscale in various corporate environments where is used a lot.

Now I can just expose e.g to my Tailscale network but it’s exposed as a unique IPv6 /120 prefix.

How about the old solution of devices connecting to an access VPN running on a nearby AWS VPS?

I have my private network right now. As a plus, devices can make direct connection when they are in restrictive corporate networks (allowing only 443/tcp). Less third parties involved. Seems more secure for personal use.

Sure, it’s not a mesh network, but that doesn’t matter if VPS and devices are in the same region.

But I get that mesh VPN products can be valuable to small businesses: ease of use, ACLs, SSO, central management.

I consider myself relatively technical as a software engineer, but networking isn't my forte. I still don't understand the documentation about bringing in my other devices that don't have clients. I'd like to be able to have access to homekit while out and about on 5g for example - via tailscale.
But since it’s user space aren’t you leaving a ton of performance on the table?
I really love tailscale for my private network.

Nevertheless, I still hope they will revisit support for proper linux kernel wireguard sometime in the near future. This would allow ditching separate meshing technologies for connecting server nodes (and routing into separate subnets via a tailscale subrouter node). Best of both worlds - ease of use and performance.

I really only started to have a look at other tools (like netmaker, netbird, innernet, wesher) because of these performance caveats (wireguard-go).

What is tailscale doing, exactly? They bill themselves as a VPN, but honestly I'm really a newb with networking (tend to be more on the data engineer/science side).
Tailscale seems to dominate the hn front page. I've written an ask hn about that and I'd like some honest opinions:

Have set up tailscale and am pretty happy with it. Yesterday I enabled TLS, so my hosts have https pretty easily with caddy and a reverse proxy. The problem is you can't use subdomains, so every host can only forward one https connection. My main server hosts several selfhosted services and I want them all over https. Have googled and have a question open at the caddy and tailscale forums; does anyone here know what route to take?
I use Tailscale as well for my personal stuff (services in various clouds, remote gateway when I'm away from home, etc.) but as someone who defines best practices for enterprise cloud deployments I have a nagging worry about other people using it in work environments as a way to circumvent security guardrails.

That said, I love it and use it extensively from my iPad to work on a personal Gnome desktop via RDP.

Can someone comment on how safe/secure tailscale is? I am not talking about the wireguard part but the closed source part and the company.
In my experience, for the purpose of a home server which should be accessible to everyone, cloudflare tunnels are better, because tailscale solutions require every client to install their app to use the network. It is not convenient if you want to share some webserver with your friend and just send him a link.
It does seem like a great solution but we've shied away from it because of the price. For an enterprise you need the business license. Something like OpenVPN Cloud I think is 1/3 the price.
What's the difference between using tailscale vs the AWS VPN?
I use both tailscale and cloudflare access and found tailscale is easier to deploy however cloudflare access also has tunneling which is pretty useful.
Why does this read like a thinly veiled native ad?
I wish I had Tailscale when I was playing LAN games in college. Spent a lot of time debugging around network issues.
Why not just use ssh tunnels with compression ON when you connect to RDS?
Is tailscale like forticlient vpn? So I can ssh into my instance that is not exposed to the world? So my instances can talk to each other without going through the public internet?