#Tailscale
#Cloudflare Access vs #Tailscale?
@dbtechyt not that exciting, but I've been putting more storage and work into my cheapo #NAS lately. It's running #OpenMediaVault as well as #Jellyfin, and I've just started using #TailScale so that I can access my homelab from anywhere which was a quick and easy upgrade.
Something like (1) would actually be very akin to something like a point-deployable #Tailscale connection -- maybe they've thought about doing this?
Sadly, Tailscale itself isn't a viable solution to this for me because it creates a full VPN -- there are environments where that's not needed, desirable, or even allowed sadly. Otherwise, I probably wouldn't have any of these problems as I think Tailscale + SSH "just works".
While I'm saying thanks to #tailscale, missed a big one.
Have a family member going through chemo who needed access to their home office network and machine.
Traditional VPN was struggling with combo of hospital network and the home office being connected via #StarLink
@tailscale had no trouble with it. It's been a massive help.
Just hooked up #nextdns with my #tailscale network. Super easy and really impressed so far. Would recommend.
Like basically everything @tailscale build 🩷
It has been an interesting experience setting up #tailscale. I already have a manual #wireguard based VPN setup for home, office, devices, and travel, so I've had to go in small increments and figure out how to get both to coexist while transitioning from one to the other. 😆
Finally had the motivation to get proper #TLS certificates set up for the #homelab. Using #Tailscale means no more exposed ports but also meant needing to play with #Certbot #DNS challenges. Extremely easy using the certbot_dns_porkbun plugin.
At some point, actual useful stuff like #Tailscale & #Cloudflare tunnels probably aren't going to be free anymore, will they?
The nixOS + morph setup has been pretty fun so far, but now I've got tailscale running (modulo one hack to add an exit node), and that kills ssh. Anyone facing something similar?
I've loosened the reverse path routing based on this very informative report, but not dice yet: https://github.com/tailscale/tailscale/issues/4432
Dear lazyfed, does anyone know how to configure `tailscaled` to start with a specific exit node set? I know I can manually call `tailscale up` or `tailscale set`, but that is ugly and cumbersome[1].
[1] And doesn't actually work for my nixOS setup which loses its ssh connection the moment I run `tailscale up`.
I have been meaning to get off my lazy duff and switch from ZeroTier to Tailscale for the longest and the idea of almost-zero config dynamic relative URLs to access things is pushing me towards the tipping point… Need to research how many of my limited brain clock cycles will need to be burned for this.
Accessing go links across tailnets by Will Norris (willnorris.com)One of the more fun projects I’ve worked on at Tailscale is golink, which provide simple, private shortcuts that you can share with others on your tailnet. We have hundreds of go links at Tailscale that we use on a daily basis.
But I also run a personal golink server in my homelab with some links …
Anyone using @tailscale #Tailscale on a Mac with an exit node? I'd love to know how to keep it from clobbering routes to local subnets. I have both RFC1918 subnets and public subnets that I need to leave routes in place for. "Allow Local Network Access" doesn't work.
Anybody know of any #tailscale #autocompletions for #fishshell ?
Would anyone be interested in a write up of my adventures in getting back to a #SmartHome - using:
- #HomeAssistant on #RPi, with #Zigbee (inc. zigbee2MQTT , Mosquitto, and a wide mix of manufacturer devices);
- #AQI, PM2.5 and VOC monitoring with same;
- #AdGuard for DNS-based #Adblocking at scale inc. even when away from home; and
- #Tailscale #VPN for access to all of it away from home.
I just installed #tailscale on some of my devices. I don't use it much, but it sure is nice to view the #jellyfin movie collection from anywhere and ssh into the homelab to run updates on various machines.
@kraigschmidt @daringfireball this just happened to be the most recent (aside from my just now toot) about #Tailscale so... I could go into what I understand technically (wireguard with them dealing with key management), but...
Here's how I *use* it. I have a NAS at home &other systems, none internet-accessible. With Tailscale, when I'm out of the house, I can still access those resources on my phone, like my password manager, admin stuff, etc. All securely and without opening my home network.
Spurred on by a question from my spouse, I'm finally, 2 years after first thinking about doing it, looking into how to effectively move off Google Photos to a self-hosted setup on my #SynologyNAS and all the "fun" of setting her up with #Tailscale at the same time... (I've got it working for Synology Drive and other access for me already)
#NextDNS and #tailscale setup beautifully for the first phase of the family security tooling upgrade.
The best bit is using ACLs to pass different DNS profiles based on tags.
Next step… sort out the #idp piece
I don't really know how to do a full blog post about, basically, "#tailscale did what it says it's supposed to do and did it disturbingly well", but at any rate, #tailscale does what it says on the tin, and does it with aplomb. So there's a toot, I guess
So it seems like the only way for me to have a multi-user Tailnet is to use a Github Organization, which requires every user to have a GH account.
All of the other ways look like they rely on a different paid service to setup.
I wish I could just sign up and invite people using Passkeys only.
I don't particularly like relying on an external IdP here.
I spend that last hour moving my Wireguard + BGP setup to #Tailscale.
Why? Good question, mostly because I wanted to try something new.
And so far, it’s nice.
Still gotta figure out why traffic from my now legacy Wireguard Roadwarrior clients doesn’t reach stuff behind the Tailnet anymore.
And why I can’t invite users to my Tailnet…
I am back online after 3 days of outage caused by my #Tailscale getting logged out and #Nomad spitting out wrong config in the template block
Forgot discovery hashtags: #rust #tailscale
#Tailscale seems to work fine since I disabled MagicDNS. However, now the domain https://chat.sum7.eu that is my #xmpp server is shown as "Not found", I have 2 other xmpp accounts and they both work :blobcatderpy:
#Tailscale on #Android has begun acting weird, it acts as a full #VPN making accessing stuff outside my tailnet utterly impossible. Seems to be an update causing this but I haven't tried to downgrade. Any other ideas?
Trying out #Tailscale today since we need a good and simple #VPN solution for Evenly. And so far it looks great.
Especially impressed that they manage to ship a macOS client in the App Store (no bullshit installers) and their ability to ship an app without a 300MB copy of chromium attached.
I haven't tried this until now, but this method works perfectly as expected! Just running two commands on the remote proxy server allows me to use it by `socks5://<tailscale-server-alias>:1080` on the local machine. #tailscale #socks5
Ok, #Tailscale on #MacOS has broken already... which I cant get my head around!
Booted up this AM, and the client just doesnt load. Its not in the system tray, and no matter how many times I reinstall, reboot, shutdown etc. does it re-appear!
It connects when I load the app from App Launcher... but no GUI, so can't interact with it at all :(
TMW you go to enable your #Tailscale VPN over a remote exit node only to realize you'd enabled it by default and things are so seamless/smooth that you didn't even notice in the first place.
:-)
Think I finally have my ultimate home networking config sussed. Blog post en route.
The plan is to use #tailscale on all our devices, with #nextdns as our DNS provider, and then use the ACLs to provide the kids devices with different policies, no matter where they connect from.
#pfsense will also be added into the mix, to give access to the home network.
Beautiful!
OK. You placed the ad, so I'm gonna ask…
Can you explain what #Tailscale is actually FOR? Like, what's the use case?
I've been hearing about it for awhile, but I don't get how I'm supposed to USE it, even though I suspect i'm squarely in the wheel house for potential customers…
@peppe exactly, we should get rid of #systemd, #Syncthing, #Tailscale, and the login screen :blobfoxangrylaugh:
#tailscale does a tremendous job of Bait, it's just a matter of time when they get bought and do a Switch too
I would like to have some machines on my home network available to me at work. I can't install tools like #tailscale on my work PC. I just need the ability to SSH into my home machines from work. I am thinking a VPS is needed to make this happen.
I know I am asking the right people here. How do I accomplish this?
Spent most of my time this evening attempting to get a #Tailscale setup I'm happy with and have just failed miserably. :(
I can't use an exit node without routes for the various home network VLANs and I cant use routes without my home servers using the subnet routers for local traffic.
And that's not including the fact that everything now talks to the exit nodes DNS instead of the ones local to them - like my networks Adguard instances.
a nice thing about #Tailscale's client being open source is that I could answer myself the question “I wonder how auto-updates work on Debian?”:
time for some beta testing!
Alright, #Tailscale is great when it's behaving itself. A relatively common thing I tend to do is to send pictures from my phone to my laptop, and I've used various convoluted workflows for that, including sending through my scratchpad on a work Slack.
With Taildrop, it's so much simpler: Share with Tailscale, pick my laptop, file appears in my Downloads.
I might use this more often.
#tailscale people, if I have multiple subnet routers in my home and one fails, shouldn't the network gracefully fallback onto the other, keeping LAN devices accessible? Didn't work as expected.
Solution: Extra config is required for failover: https://tailscale.com/kb/1115/subnet-failover/
@GreyLinux @wireguardvpn but I'm very close to trying out @tailscale #wireguard #tailscale #vpn
if you use #tailscale and you stopped using it on your android phone due to battery usage, try it again they've fixed it, I leave it running on my phone as a VPN 24/7 now and the usage is fine
#MacOS makes things so bloody hard at times. Trying to install #Tailscale on my #intune managed device (my tenant, so I’m not trying to dodge rules ) - can’t install from AppStore (we haven’t allow listed it), can’t drag and drop into app directory (not sure why) and the #homebrew is just the cli.
Pain in the backside! Need to add it to our enterprise store
If anyone out here in mastodon.radio land is using #Tailscale as part of the control plane for their radio network, and would like to do an experiment in sharing, let me know.
I don't want to open up my OpenWebRX setup to the entire world (for reasons), but I would be interested in sharing it out individually.
Docs are here
https://tailscale.com/kb/1084/sharing/
Of particular interest is figuring out how well streaming audio works through this net configuration.
cc @tailscale
Ok, #tailscale was far too easy to setup and get going. What’s the catch?
Privacy aspects don’t seem great, as they collect some device and user specific data, but not the end of the world.
This includes a move away from the star-like setup where nodes are connecting to one node which routes traffic trough it.
Now, I can setup my own topology that defines traffic flow. It's not as powerful as #tailscale where peers figure out how to connect directly.
What is everyone’s thoughts on #tailscale?
What's the cheapest-and-actually-available piece of Pi-ish-sized hardware you've seen that's able to run #tailscale usefully, as a subnet router for some remote IoT devices? #SmallComputers #RaspberryPi #SoC #hardware
At the end of your flake.nix (just before the final closing }), there should be a line that looks like this:
});
}) // {
};
nixos-infect has is the ability to customize the target NixOS install with arbitrary Nix expressions. This configuration puts a NixOS module into /etc/nixos/tailscale.nix that does the following:
Enables Tailscale's node agent tailscaled
Creates a systemd oneshot job (something that runs as a one-time script rather than a persistent service) that will authenticate the machine to #Tailscale and set up Tailscale SSH
In 'nix develop', we don't need a copy of the source tree in the #Nix store.
pfa - what a flake can do
https://christine.website/blog/nix-flakes-1-2022-02-21/
Once the inputs are resolved, they're passed to the function outputs along with with self, which is the directory of this flake in the store. outputs returns the outputs of the flake, according to the following schema.
wiki
Oh boy, I've just been convinced by @xor to try #Tailscale to replace #NabuCasa to connect to my #HomeAssistant. Well, this is going to be interesting. New stuff to try. 😄
#HomeAutomation #SmartHome #AllThingsOpen
#Headscale is an #OpenSource #Selfhosted version of the #Tailscale control server. You can use the Open Source Tailscale clients with it, and have full control of your private network. Runs on #Linux, and #Docker of course! https://youtu.be/OKwrfmMoAk0
Had some fun couple of days at work;
Moved a, consumer level hardware, server to a new location. Didn’t have access to monitor or anything, just hooked up power and Ethernet and tried to boot it. After waiting a little bit I saw the activity lights come on the Ethernet port.
But was it up and running? It’s my first #OpenSuse box, so didn’t know if I had done something wrong.
Checking #TailScale on my phone it showed the server as green!
I’ve never had an easier move:)
@ShadowJonathan @ada @benaryorg It is the same and no I'm not wanting to ramble but you refuse to acknowledge that not everyone lives in the #USA where it's perfectly legal to sell peoples' financial history without their explicit consent and where it's basically seen as unavoidable to get doxxed by every corporation.
I get paid to keep shit secure and private and none of my employers - past or present - would consider #Tailscale just for the legal risks alone.
@ShadowJonathan @benaryorg I know that it's basically "#WireGuard with #P2P capabilities" but then why would I want to use that over #tinc?
Call me weird but almost all employers / clients I worked for want a centralized VPN Server for numerous reasons and keep the clients stupid and not rely on external parties to have their VPNs work...
That's why they'd rather want WireGuard, #OpenVPN, #L2TP or even #IPsec instead of #Tailscale or tinc.
Cuz like compliance shit and GDPR exist...
http://f-droid.org/repository/browse/?fdfilter=dynalogin&fdid=org.dynalogin.android&fdpage=1
#oath #android #2fa
sudo auth fails on android, terminal works
multiuser #tailscale
on #github organization 1
not sure about other #git forge
cc @tailscale
Mullvad on Tailscale: Privately browse the web · Tailscale
"your device generates a #WireGuard key pair: the public key is used to identify peers in #Mullvad’s infrastructure, and the private key is used to encrypt traffic. When you use Tailscale with a Mullvad exit node, it’s the same thing! Your node registers its existing #Tailscale-generated WireGuard key pair with Mullvad’s infrastructure. Any traffic coming over the internet is terminated at Mullvad’s network edge, and end-to-end encrypted all the way to your device. Basically, you get to bring Mullvad’s entire fleet of servers into your tailnet."
https://tailscale.com/blog/mullvad-integration/#:~:text=your%20device%20generates,into%20your%20tailnet.
Making My Life Easier With Tailscale - Patshead.com Blog
"An open-source #Tailscale server is not available yet. It definitely looks like an open-source server implementation is on Tailscale’s roadmap.
Tailscale’s server is really only needed to help the client devices find each other and get connected. None of your network traffic passes through the Tailscale servers."
https://blog.patshead.com/2020/09/making-my-life-easier-with-tailscale.html#:~:text=An%20open%2Dsource%20Tailscale,through%20the%20Tailscale%20servers.
My Homelab NAS on NixOS - Xe Iaso
"copying things off of a #Synology box's samba configuration file, I managed to trick everything into working and now all the machines on our tailnet can access the data on the NAS without too much trouble. Even iPhones and iPads thanks to the recent addition of SMB mounting on iP{hone|ad}OS. It also works over #Tailscale too, so I can get into the #NAS' files anywhere I have an internet connection."
https://xeiaso.net/blog/my-homelab-nas-2021-11-29/#:~:text=copying%20things%20off,an%20internet%20connection.
Next time i am not buying a coffee or a beer till they advertise their #wifi router as a #tailscale exit node :neofox_evil: :
also #taildrop is simpler than #ftp :D
except that it wants me tobe #root
tailscaled runs as root, files are received by root. In the current version, root has to retrieve the files using sudo.
With #tailscale #ssh i can use every #nix buildon my machine with my phone , without installing a single thing on phone but ssh utils
iirc it wasnt the same with plain ssh
Mastodon - Need #selfhosted ideas for a headless Raspberry Pi 4 B (8GB), Running Raspberry Pi OS light (no desktop) 64bit, headless, connected to a router (600/100 connection at the moment), has #tailscale and #nix (wanted to go with NixOS but didn't have a ton of time to make the headless install work, will retry it at some point).
In the past this Pi was used for DNS blocking and Nextcloud but since I'm using NextDNS I don't currently need the former.
@neil @itsfoss It's v cool* and the one theoretical security risk if not self-hosting - - that someone "at" #Tailscale could add a foreign device to your mesh network via the control plane can now be entirely mitigated.
*One minor annoyance: the on/off button on the Android app.
It's great for remoting home when already using a different VPN. Eg, using Mullvad but needing to access a box at home. Just choose the Tailscale address/DNS name.
Tailscale is very cool … although it would've saved much head scratching and frustration if I'd realised earlier (and/or it was published more clearly) that macOS clients can't advertise subnet routes.
@tailscale I wanted to try out the service, which sounds amazing, but stopped in my tracks when I read the Privacy Label and other Info. The unanonymised logging & data retention etc. is a big no for privacy-conscious Europeans and sharing this with the likes of AWS, even worse. I think you can do a lot better - I know privacy is a hard concept for you to grasp that side of the Atlantic, but why not give it a try. #Tailscale
omg are we getting tailscale auth support built into livebook?!
#tailscale recognizes its product and has #RemoteJobs :)
Listed to only be for US and Canada
* Full Stack Software Engineer
* macOS Software Engineer
* Product Engineer
* Security Software Engineer
* Windows Software Engineer
* Accounting Manager
* Strategic Finance
A testing database I had on a VPS got hit with ransomware :blobfoxannoyed: It was testing and had nothing on it, so nothing was lost. But I don't get how it got pwned.
I hadn't bothered to change the default password on the database since it was an empty testing database, so yeah that makes it easy. But I had it behind #UFW firewall, access only allowed through #Tailscale. Password logins are disabled in #SSH and only key logins enabled, also only allowed through Tailscale.
Seeing some weird behavior with #tailscale exit nodes. If I set my exit node on my iPhone to be my Apple TV, both of which are on the same network at the moment, theoretically the shortest route should be local. When I try it I seem to get my upload speed as my download speed, which would suggest that it's not being routed directly. Am I missing something?
#orgmode #emacs #Tailscale’s tclip is a self hosted code snippets (as in gists) manager, which can now render org-mode markup.
There are couple of ways to deploy it on one’s infrastructure, including #portablectl and #docker, though I was not able to get it running due to this error https://github.com/tailscale-dev/tclip/issues/40
wooop 🎉
#tailscale has VPN On Demand support on iOS now, which means my phone can finally auto-vpn when trying to access home-assistant off our home network 🎉
Apple TV, now with more Tailscale
You can now use your Apple TV as a Tailscale exit node, which is a pretty neat trick (I rely on Tailscale for access to my home servers when I’m away, plus one or two cloud servers without public IPs).(...)
Making NixOS modules for fun and (hopefully) profit
I used Mullvad for a couple week and it was just fine, but the Tailscale is a gamechanger for me, easiest VPN for home users ever - and now: Mullvad VPN and Tailscale partnership, nice
https://mullvad.net/en/blog/2023/9/7/tailscale-has-partnered-with-mullvad/ #tailscale #mullvad
@tailscale mind blown, love this feature #tailscale
I have struggled to understand the use case(s) for #tailscale. Why would a normal (but nerdy) person use it? Or, what does it do…?
I know I've been talking a lot about Tailscale recently, but this is important enough to involve another mention - the latest version of Tailscale in the app store now supports VPN On Demand, a feature that let's you inform iOS when the VPN should and should not be activated, including whitelisting or blacklisting wifi networks. This was the final feature that Tailscale was lacking that vanilla Wireguard for iOS has had for a very long time. https://tailscale.com/kb/1291/ios-vpn-on-demand/
#Tailscale #wireguard
Tailscale's iOS app is a whole lot better in terms of accessibility after their move to SwiftUI. It still doesn't support automatic exit nodes when you switch off of wifi and back, but ennh, we can't get everything. P.S. #Tailscale is incredible.
@linuxmatters How is #Tailscale or #zerotier different from a normal VPN I setup on my home router? Especially if I self host it?
So it sounds like it does the same but just routing the traffic dedicated to the “LAN” which one could do with other VPN solutions as well.
I feel like I’m missing something obvious here.
@micahflee before I used #tailscale I used #nmap on my own devices a lot to see what services came online
I'm considering switching to #Kubernetes to manage some of the services on my homelab, in part because it seems to be one of the more coherent ways to make paired #Tailscale / service "endpoints" without having to have separate machines for each one, but I'm tripping over the fact that I utterly don't grok the abstractions and how they're implemented.
I hate the idea of having a magic API that I don't even know how to *talk about* much less modify.
Soo, the #Homematic integration for #HomeAssistant is nice and all, but it has one major flaw: when you configure it, you can give it a hostname of your Homematic controller, and it'll then resolve that to an IP address, and store the IP in its config, not the original host name.
Which sucks, when HA and HM run on the same machine, in separate #docker containers, because then the initial hostname will resolve to the container's internal IP, and after a reboot of the host (or multiple containers being restarted and getting new internal IPs) that IP might belong to a completely different container.
There's docs for Homematic about how this can be solved with a "MacVLAN", which basically assigns a random mac address to a container, and then exposes that container under a static IP address to the host, but that leads to a "new device" showing up in my network every time the Homematic container restarts.
Luckily, Homematic has @tailscale integrated, which is a VPN solution built on Wireguard.
And I have #Tailscale running on the Raspi that's acting as my docker host.
Which means, I'm able to just enter the Homematic controller's tailscale IP address in Homeassistant's config dialog for the HM integration, and all of a sudden the parts click together and everything works smoothly, without any hacks. :awwwblob:
A few days using #Obsidian, and I think I'm going to keep it. It's super polished, and I always wanted a personal #wiki, which is essentially what it is.
For me the main advantage over #Joplin is how good linking between notes works.
The biggest disappointment is that there's no built in #encryption
But the real star of this entire thing is #SyncThing, which is much better than I suspected when I glanced it a long time ago. Especially in combination with #TailScale.
My kingdom for #Tailscale support on my Unifi Dream Machine.
I have a version running as a user, but it is super hacky and most features don't work. It's useful as an exit node, but I'd like to be able to give all the devices on my network access to my tailnet.
If anyone is curious about how to approach using #Tailscale as a VPN to your #Django application (say a version that grants you access to the admin site), I have a high level outline here: https://github.com/aspiredu/heroku-tailscale-buildpack#limit-access-to-web-app-to-tailscale-users
If you have questions, please ask.
Just setup #Tailscale for accessing my home gear while I'm away. So far so good.
It's so nice when something just works, and tailscale works so well I'm wondering what the catch is. The dashboard reminds me a lot of the ubiqiti controller, just a massive step up in UX from html forms on a router.
I'm ok with point to point tunnels, rather than full access to my entire home subnet.
I've been thinking a lot over the last few days about this #FLOSSWeekly #podcast (https://twit.tv/shows/floss-weekly/episodes/664) about @tailscale #Tailscale, in which the CEO, Avery Pennarun, discusses his views on #FOSS. The relevant portion starts at 44:00, and resonates with me a lot in the context of what motivates me (it's *rarely* money; I acknowledge I currently have privilege around this).
Avery elaborates on his blog: https://apenwarr.ca/log/20211229
Relevant transcribed (as best I can) excerpts follow.
I really like the whole #Passkey idea, but with more services, such as @tailscale, adding support, I can definitely see that it's going to be a hassle for those of us who haven't bought into services like #Apple and #Google, which allow cloud-syncing of Passkeys (@bitwarden #Bitwarden are adding support but aren't there yet).
I set up a #Tailscale account with a #Passkey on my #Yubikey the other day, and in addition to eating up one of my precious 32 slots on my Yubikey, I can't add a second key in case I lose my first one.
Well Tailscale Up has the best conference food and coffee I’ve had in years. And talks!! #Tailscale #TailscaleUp