this post was submitted on 30 Aug 2023
51 points (93.2% liked)

Selfhosted

40120 readers
1701 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I've read a lot of recommendations for tailscale and am on my way to try it out myself. Do you use Tailscale in the "normal" way or do you host your own Headscale server (as I'm planning to do)? Any pros and cons?

all 27 comments
sorted by: hot top controversial new old
[–] PriorProject@lemmy.world 10 points 1 year ago* (last edited 1 year ago) (2 children)

I use Headscale, but Tailscale is a great service and what I generally recommend to strangers who want to approximate my setup. The tradeoffs are pretty straightforward:

  • Tailscale is going to have better uptime than any single-machine Headscale setup, though not better uptime than the single-machine services I use it to access... so not a big deal to me either way.
  • Tailscale doesn't require you to wrestle with certs or the networking setup required to do NAT traversal. And they do it well, you don't have to wonder whether you've screwed something up that's degrading NAT traversal only in certain conditions. It just works. That said, I've been through the wringer already on these topics so Headscale is not painful for me.
  • Headscale is self-hosted, for better and worse.
  • In the default config (and in any reasonable user-friendly, non professional config), Tailscale can inject a node into your network. They don't and won't. They can't sniff your traffic without adding a node to your tailnet. But they do have the technical capability to join a node to your tailnet without your consent... their policy to not do that protects you... but their technology doesn't. This isn't some surveillance power grab though, it's a risk that's essential to the service they provide... which is determining what nodes can join your tailnet. IMO, the tailscale security architecture is strong. I'd have no qualms about trusting them with my network.
  • Beyond 3 ~~devices~~ users, Tailscale costs money... about $6 US in that geography. It's a pretty reasonable cost for the service, and proportional in the grand scheme of what most self-hosters spend on their setups annually. IMO, it's good value and I wouldn't feel bad paying it.

Tailscale is great, and there's no compelling reason that should prevent most self-hosters that want it from using it. I use Headscale because I can and I'm comfortable doing so... But they're both awesome options.

[–] monty@lemmy.one 7 points 1 year ago

Beyond 3 devices, Tailscale costs money

I think you mean beyond 3 users. You are allowed up to 100 devices in the free tier.

[–] TurboLag@lemmings.world 2 points 1 year ago (1 children)

Tailscale doesn’t require you to wrestle with certs or the networking setup required to do NAT traversal. And they do it well, you don’t have to wonder whether you’ve screwed something up that’s degrading NAT traversal only in certain conditions. It just works. That said, I’ve been through the wringer already on these topics so Headscale is not painful for me.

Does Headscale require additional work to deal with NAT traversal on clients? Or is it just for the controller node itself?

[–] PriorProject@lemmy.world 1 points 1 year ago

You connect to Headscale using the tailscale clients, and configuration is exactly the same irrespective of which control server you use... with the exception of having to configure the custom server url with Headscale (which requires navigating some hoops and poor docs for mobile/windows clients).

But to my knowledge there are no client-side configs related to NAT traversal (which is kind of the goal... to work seamlessly everywhere). The configs themselves on the headscale server aren't so bad either, but the networking concepts involved are extremely advanced, so debugging if anything goes sideways or validating that your server-side NAT traversal setup is working as expected can be a deep dive. With Tailscale, you know any problems are client-side and can focus your attention accordingly... which simplifies initial debugging quite a lot.

[–] 1984@lemmy.today 6 points 1 year ago

Tailscale is super simple. Install it on two computers you want to be able to talk to eachother, doesn't matter where they are as long as they have internet access. Authenticate with Tailscale on both computers and you are done.

[–] cyclohexane@lemmy.ml 6 points 1 year ago (1 children)

I started using my own WireGuard config instead of using tail scale. Works great for me, though it does take more work up front.

[–] Starfighter@discuss.tchncs.de 1 points 1 year ago* (last edited 1 year ago)

I started out with WireGuard. As you said its a little finicky to get the config to work but after that it was great.

As long as it was just my devices this was fine and simple but as soon as you expand this service to family members or friends (including not-so-technical people) it gets too annoying to manually deal with the configs.

And that's where Tailscale / Headscale comes in to save the day because now your workload as the admin is reduced to pointing their apps to the right server and having them enter their username and password.

[–] Sethayy@sh.itjust.works 4 points 1 year ago

If you want to really get into it, you can just hose a wireguard instance in a LXC then use iptables for all your routing.

Relies only on FOSS software and gives you a pretty high level of control, but obviously is less intuitive

I am using headscale without any issues

[–] LiveLM@lemmy.zip 3 points 1 year ago

Honestly the main reason to use Tailscale for me is that it handles all the setup itself.
I don't really see the point in Headscale. If I wanted to worry about hosting and configuring I'd prolly just setup regular Wireguard.

[–] solberg@lemmy.blahaj.zone 2 points 1 year ago (2 children)

Tailscale is great but I find it non trivial to run in conjunction with another VPN (Mullvad). Anyone have experience with this? Seems I can have only one or the other for iOS or macOS

[–] Chewy7324@discuss.tchncs.de 4 points 1 year ago

There's an open feature request to allow fo using another wireguard vpn as an exit node on tailscale. Currently you could rent a vps and install mullvad on it. Then select the vps as an tailscale exit node.

Neither Android nor iOS allow for multiple VPN connections at a time. But I'm surprised macOS is that limited in functionality as well.

[–] sn0opy@lemmy.world 3 points 1 year ago (1 children)
[–] solberg@lemmy.blahaj.zone 1 points 1 year ago

I'm loving it but I can't get it to work 😂

[–] johnnyfive@lemmy.world 2 points 1 year ago

use installed on edgerouter-x, no problem, efficient and functional

[–] cadey@pony.social 2 points 1 year ago

@Jerry1098 Note my bias as I work for @tailscale, but:

  • I use the normal SaaS control plane with a tailnet shared with my husband

  • All our machines (towers, phones, laptops, steam decks, homelab nodes, virtual machines, etc) are on our tailnet and can access the storage on the NAS

  • I've written a number of custom tsnet services that do a wide range of things:

    • A private pastebin called tclip
    • A tool to check if my external Mullvad VPN on my NAS is working called vest-pit-near
    • Control endpoints for my CDN named XeDN
    • Other tools that let me do things like monitor Linux ISO release channels or experiments like an "infinite wiki" powered by ChatGPT and Llama 2
  • Almost all of my SSH connections are over Tailscale SSH, even over my local network, it's likely that there's more WireGuard and TLS traffic over the local network than there is clear text for anything else.

  • The NAS is mounted over Tailscale via SMB due to how MagicDNS intersects with Windows. It's kinda neat and gives us a bunch of room for treating it as slower storage on our machines.

  • I share the preview version of my blog over Funnel. Previously I used node sharing to do that, but I started running into the 10 share limit. Sharing it over Funnel does mean that my development site does eventually make its way to random people, but really it's okay.

  • When I travel I either use an exit node while on sketchy public WiFi. When I was at DEF CON recently I set up my own exit node on a budget host in Vegas so that I would have a moderately trustable egress point without suffering from high latency.

I love it so much I ended up working there. It's been one of my best tech finds in a long time. Feel free to ask me anything about how you can use Tailscale! I'm more than happy to answer.

[–] Decronym@lemmy.decronym.xyz 2 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
LXC Linux Containers
NAT Network Address Translation
SSH Secure Shell for remote terminal access
SSO Single Sign-On
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

8 acronyms in this thread; the most compressed thread commented on today has 4 acronyms.

[Thread #92 for this sub, first seen 30th Aug 2023, 12:35] [FAQ] [Full list] [Contact] [Source code]

[–] aesir@lemmy.world 1 points 1 year ago (1 children)

Tailscale just works, I recently tried netbird and netmaker. I did not manage much with the first but netmaker instead seemed even easier to manage than tailscale, being faster at the same time. Unfortunately it failed with peers behin my corporate NATwhich tailscale can bypass with its own relays. But for others it can work very well.

[–] TurboLag@lemmings.world 1 points 1 year ago (1 children)

You can set up relay nodes in the Netmaker config, and enable them only for those nodes behind NAT that need relaying. I've generally had good experience with Netmaker—when it works, it works—but several times it auto-updated and wiped my network config in the process.

What is your experience with Netbird vs Netmaker?

[–] aesir@lemmy.world 1 points 1 year ago

Relays are in the last release become a pro feature. I tested it on netmaker.io SaaS version and they work but it defeats the purpose of selfhosting my VPN manager. You also need to have a good relay, for instance among GCP, Azure, Oracle and Vultr only the latter works because their VPS are not behind a NAT.

Netbird first of all is extremely resource hungry. In some occurrences completely hanged a 1 GB RAM VPS when I was testing. Even without trashing I had issues connecting many of my peers. It has to be said that it was surely my fault in some ways as netbird.io SaaS worked fine.

[–] BastingChemina@slrpnk.net 1 points 1 year ago

I'm using it for work.

At first it was just me, I needed a remote access and I was not a big fan of using the chrome remote desktop that was the "solution" by their IT technician.

So I've setup tailscale and used it to access the shared folders and Remote Desktop.

After that, with my boss approval, I've set it up for several others person in the company and external consultant. Honestly it's great, it just work, it's secure and it is so easy to set up. With just few WhatsApp messages I can give instructions to have the remote desktop running, even to people not especially comfortable with computers.

[–] fraydabson@sopuli.xyz 1 points 1 year ago (1 children)

I’m new with Tailscale. I understand that they don’t manage accounts and require another service like google or apple. That initially turned me off. Then I set up via my sso provider and works great.

[–] Chewy7324@discuss.tchncs.de 1 points 1 year ago (1 children)

What SSO provider do you use?

[–] fraydabson@sopuli.xyz 1 points 1 year ago

Authentik. I really like it !

[–] Struggleandgrunt@feddit.uk 1 points 1 year ago

Hosted headscale for quite a while, it works great and there is plenty of help in the discord if you need it.

[–] lckdscl@whiskers.bim.boats 1 points 1 year ago

I'm using Headscale with minimal issues. It's low on resource and the docs Tailscale provides applies to it which is neat.