I traced my traffic through a home Tailscale exit node
tech.stonecharioteer.com155 points by stonecharioteer 5 days ago
155 points by stonecharioteer 5 days ago
Tailscale tangential use case! :)
I was looking for remote access software to help family with their PC and came across RustDesk(https://rustdesk.com/) but it needs a server. Found out it can work without a server if you have Tailscale installed. No fees for any of this and works on many platforms.
Tutorial for Rustdesk + Tailscale setup for remote desktop access: https://www.youtube.com/watch?v=27apZcZrwks
Yes I figured this out too, you can actually put any IP address you want in the code field for RustDesk, it doesn’t have to be a RustDesk code only.
Little tip for anyone who decides to try this:
You need to enable IP access on the device you intend to connect to. It's under the security settings in RustDesk.
I've been playing around with it. The iOS RustDesk app is nice, and I've been controlling my Mac Mini at home using my iPad Pro with a Magic Keyboard, and it's shockingly smooth!
How secure is all this? Not really into networking and I always wondered if this has any risks.
If you're just connecting over Tailscale and your machine is otherwise not exposing the (configurable) port to the internet, it's fine as far as I know. Set up firewall entries if you are concerned.
The only other thing I can add is - with very little configuration, you can allow direct routing to your entire local lan. If anyone is interested, I’ll document it. I’ve set it up in an lxc container on my Proxmox home server and am very happy with it. Allows direct access to all my VMs on the go!
Oh lovely. How is your experience with RustDesk? Is it better than VNC?
Been using it for a while, older versions had memory leaks with multiple monitors (or virtual monitors too), nowadays seems better.
Supports various video encoders, various bitrate settings, allows sharing clipboard (though still has an annoying bug where sometimes copying something new into the clipboard doesn't work and only 2nd attempt works) and the relay is also easy to setup and host, in addition to it being free!
Honestly my favorite software in this space since RealVNC decided they want to be greedy (and since VNC / RDP kinda sucks in my experience).
my experience with RustDesk + Tailscale is really good. when i only needed windows remote devices, the Windows Remote Desktop over Tailscale is great. I used RustDesk for access to macOS and Android devices (all over Tailscale) and works great too. No complaints really. Much less hassle to setup than Parsec (latency isn't as good though), and way snappier than AnyDesk through their network. Great tool enabled by Tailscale.
> Is it better than VNC?
It's the year 2026 out there. Anything is better than VNC.
Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.
The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight Wireguard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.
Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.
While waiting for someone in the hospital I recently played the fun game of "how can I work around their firewall stopping me from connecting to tailscale" that they kindly provided.
It was just blocking new connections. Via SNI. Tailscale's control plane turn out not to care if SNI is sent. Tailscale's app let you set a custom control plane... like a local proxy that forwards connections to tailscale's servers without setting SNI.
This may very well be the system in use.
I've seen this effect in several places, not just my work.
Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.
I suspect there's less thought put into it than that.
There's probably a firewall vendor that has a product that does SNI inspection for blocking things like pornhub and the product comes with a list of sites that includes VPN control planes.
Well, yeah, they didn't roll their own. Offhand, I forget the product, but it's definitely off the shelf.
My point being that surely some of them have noticed the same thing I have, and it hasn't been stopped. I'm not going to raise the issue either way.
> I'm not going to raise the issue either way.
Except, you kinda just did
Not to them, in a way they can’t just ignore. I could be anyone here on HN.
That's why I said kinda.
It'd be funny if someone working there was a visitor here...and it doesn't matter who you are. I was thinking of them closing the loophole
I understand your point better now, but if that was really a risk I cared about, I wouldn’t have put it on the public Internet to begin with.
The worst they can do to me is make me tether, and my iPad will never hit that allotment. And, like I said, I think they use it themselves. So, no incentive to close their loophole.
Wait, tailscale survives connecting to a locked down wifi? That's insane. I remember not being able to use NordVPN at work. I'd just switch to 4G back then. But if you can't initiate a tailscale connection when connected to the office wifi, what does that mean?
I think this is mostly a Wireguard thing and not specifically a Tailscale thing. Wireguard does what they call "cryptokey routing" where if you prove you possess a key that the other peer knows, you get the traffic (subject to firewall, allowed IPs list, etc etc). Wireguard stores the most recent address:port that it heard from a particular cryptokey on, but it natively lets peers roam, as long as only one roams at a time.
Initiate while on mobile connection or tethered to one (or just leave it connected from home), use while on that WiFi.
EDIT: I figured this out because I brought my laptop from home to do a few things while at work that needed it. I noticed that my Tailscale connection (initially established at home) was working just fine. That's when I realized that it was the initial authentication that was blocked, not the service.
My phone is usually on my tailnet and my iPad is always on it (and using my home exit node), as a result. Using the exit node has a modest but noticeable effect on battery life, but just being connected is maybe 2% of battery a day. Negligible.
When I work at the local coffee shop I cannot SSH to my remote servers for work on their wifi, but if I connect to Tailscale and use my exit node at home I can. Lifesaver
My work guest WiFi network allows only IPv4 HTTPS on port 443 and their their own DNS. Everything else, including ICMP (ping) is blocked. Tailscale barely works as any persistant connection is dropped after 2-3 minutes.
Called this out and the security team said noone complains, that there is no use case and they do not want to deal with security risks.
And the ossification continues.
> Called this out and the security team said noone complains
Classic. And this probably works do every complaint. You need an irritated executive.
> IPv4 HTTPS on port 443
TCP or TCP and UDP?
SSTP can work if they don't look at the traffic too hard.
A TCP over websockets VPN would be fairly simple to write, or ask an AI to write for you
I use tailscale and mullvad vpn for a list of exit nodes i can choose from to work around restrictions, but also bad routing.
Like, when in asia and the route is to europe, sometimes it adds weird hops, while when i use an exit-node in Japan, i know, i have perfect routing to Japan and from there perfect routing to europe.
But the Mullvad VPN exit nodes often runs into problems like cloudflare blocking. So i am looking for alternative, not well known providers for exit-nodes.
Sometimes i even dream of sending my europe traffic via the internal aws network via regions, but hey...
> Sometimes i even dream of sending my europe traffic via the internal aws network via regions, but hey...
It's more work, but you can definitely do this. Inter-region traffic still carries egress charges though, so be aware of that in advance. This is a very common pattern in enterprise networking when building cloud-based SDWAN topologies: branch a,b,c connect to hub-1 in us-east-2; branch d,e,f connect to hub-2 in us-west-2; dc1 connects to hub-1 in us-east-2; dc2 connects to hub-2 in us-west-2; services in dc1 and dc2 can reach each other for DR and clients in branch f can reach services hosted in dc1.
Underlying all of these SDWAN technologies is essentially basic site-to-site VPN tunnels. Most still use IPSEC, although Wireguard is also used sometimes.
Oh man, i can not even imagine setting up something like this by hand. Maybe with terraform.
The only tricky part is the inter-region routing, and this can be managed largely within AWS using Transit Gateways (TGW), for a price, for more of a price AWS even makes it easier with Cloud WAN: https://aws.amazon.com/cloud-wan/
See: https://aws.amazon.com/blogs/networking-and-content-delivery...
Basically if you just link your VPCs in each region with the appropriate routing policies, you can just connect to your preferred VPN server in each region and ultimately get routed correctly. This is what companies with cloud-based SDWAN do for providing SASE services to end-user clients.
> problems like cloudflare blocking. [...] Sometimes i even dream of sending my europe traffic via the internal aws network via regions
I'd bet you'd see a lot of blocking coming from AWS IP pools too.
I set up a Debian vps, installed Tailscale with ufw and fail2ban. I use this as my exit node. Costing around 2 euros per month. No blocking so far.
Thank you.
I pay like 10 euro per month. For tailscale with Mullad VPN, which has like 50 countries setup with several exit-nodes in each country.
But with blocking. :)
Genuinely curious: is Tailscale actually providing any values to this use case beyond what you get from a raw Wiregaurd exit node with port forwarding instead of Tailscale's NAT traversal? I've never used Tailscale, but I have a Wiregaurd setup on my home server for the same purpose as described in the article, and I've never had any issues with it.
Edit: Noticed some sibling comments asking effectively the same thing as me. I've been meaning to write a blog post covering the basic networking knowledge needed to DIY with just Wiregaurd. My impression is that many people don't realize just how easy it is or don't have the requisite background information.
If you're just doing hub-and-spoke anyway, yeah, you can do it yourself. I did for years. But holy smokes, is it a PITA to manually copy keys around to devices; especially when they might not even be yours. I have my Tailscale account hooked up to my self-hosted identity server and now it's just a matter of logging in on whatever device I want to be on the network.
Plus, I have the option of spinning up a random EC2 box whenever I want and instantly joining it to the network with basically no fuss.
I feel like articles like this do Tailscale a disservice to a certain degree. Most people know Tailscale helps with managing the mesh of connected devices. And as many people have said here you can do this manually with Wireguard, Netbird, Nebula, ZeroTier and many others. Why Tailscale is so helpful is the ACL system. I have about 40 devices connected to my Tailnet and depending on tags devices can or can't access direct communication and also certain exit node networks. Traditional VPNs generally suck because you dump out of a host and have flat access to everything. Tailscale allows you to segment access without disrupting general Internet access with minimal friction and ACLs allow segmentation to happen at the user / device level. Most people aren't using Tailscale ACLs, in fact I rarely hear it discussed. Also the article fails to mention Tailscale Peer Relays [0] which decreases the dependency on DERP relays significantly and are controlled by, you guessed it, ACLs.
The article does list what Tailscale adds on top of WireGuard:
> WireGuard by itself is mostly the data plane. Tailscale adds the control plane on top: identity/SSO, peer discovery, NAT traversal coordination, ACL distribution, route distribution (including exit node default routes), MagicDNS, and fast device revocation.
I think you missed the point. There's nothing in the article going into any of why this would help differentiate Tailscale from plain-old-Wireguard. Simply saying this and moving on is not that.
I have a phone and laptop; those are my only two "mobile" devices that I might ever use to access my home network remotely. I set them up once, it took a few minutes, and I won't have to do it again unless I replace one of them.
I can completely understand using Tailscale for enterprise networks, but it seems very overengineered for my personal VPN needs.
Yeah, sure, that seems simple enough.
I have a family of four. Plus a couple relatives who like having access to some of my self-hosted stuff. So, that's 6 people, each with at least one phone and one laptop, but probably an iPad too, or an extra work laptop, or something else random. Plus my youngest is addicted to buying old laptops on eBay and switching to them.
You made me curious, so I looked it up: I have 17 machines. Yeah... I'm not going back to plain WireGuard. :D
How do you handle home network IP changes?
i had this issue, with an even more wild set of restrictions, so i used Caddy to "output its own access log" and i had a cron job on any server at home that would hit that caddy server with a pre-defined key, so like `http://caddyserver.example.com/q?iamwebserver2j` for one server and "q?iamVOIP" for another.
https://github.com/genewitch/opensource/blob/master/caddy_ge...
https://github.com/genewitch/opensource/blob/master/show_own...
And now i have bi-directional IP exposure. it's cute because you can't tell if you just drive by, it doesn't look like it does anything. you have to refresh to see your IP, which is a little obfuscation.
if you care about security, not sure what to tell you. use port knocking.
Please note: this doesn't require installing anything on any remote, just a cron job to curl a specific URL (arbitrary URL). I used it to find the IP to ssh on remote radio servers (like allstar, d-star) for maintenance, for example.
Not OP, but a static IP was about US$10 as a one off payment.
It’s really nice.
> Genuinely curious: is Tailscale actually providing any values to this use case beyond what you get from a raw Wiregaurd exit node with port forwarding instead of Tailscale's NAT traversal?
Yes, but I guess it depends on how much of an adoption barrier/pain you want to deal with. Tailscale's control plane is dead simple and they ship apps on basically every platform so its easy to onboard mobile devices in addition to anything else. I'm a literal former network engineer with over two decades of experience, and I tried Tailscale randomly one of the first few times it popped on HN and stuck with it precisely because of how easy it was and how trivial it was to verify the security of my tunnels. Doing this manually is definitely possible on devices you control, but it's not a fun time, and Tailscale is dead simple.
It has plenty of useful control plane features out of the box. Nothing much you _couldn’t_ do yourself but you don’t have to. Or with Headscale as the self-hosted open-source version
with wireguard i found that pretty almost every public wifi blocked it and even a lot of private internet connections at my friends houses did as well
if my mobile provider blocked it as well it would have been completely useless
probably depends on your location a lot though
Dynamic IP addresses.
Update your DNS when it changes. Pretty trivial.
Yeah I tried writing a script for that, but at a certain point using an off the shelf tool that does everything is easier.
Tailscale is interesting. It's built on top of wiregaurd but is different in that it creates a mesh of vpn connections between your devices, rather than just a connection from client to server.
I haven't used it because I use witeguard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sorts of my information is vulnerable if I use it.
This is my question too... It's concerning to me that everyone one seems to be using tailscale (and maybe cloudflare access) and that I don't see mention of open source alternatives. I'm sure for some network experts the alternatives are obvious? Setup a server somewhere publically available that runs ??? and have it be your auth/rendezvous server.
people complain about github being proprietary but I haven't seen much complaint about tailscale being proprietary.
I assume I'm just being overly paranoid? It's certainly convenient to just sign up and have things just work.
There is a well documented opensource alternative to Tailscale - Headscale. The tailscale client is already opensource, Headscale is opensource drop in replacement for the control server which isn't, and fully compatible with Tailscale clients:
https://github.com/juanfont/headscale
If you can be bothered running the headscale container, you generally don't need to pay for tailscale. It's been pretty well supported and widely used for a number of years at this point. Tailscale even permit their own engineers to contribute to headscale, as the company sees it as complimentary to the commercial offering.
> Headscale is ... drop in replacement
I've been really happy with headscale, but I wouldn't call it a complete drop in replacement as I would with vaultwarden. Some features (e.g. Mullvad integration, ACL tests, etc) are missing.
Upgrading also requires upgrading every minor version or you run into db migration issues, but that comes with the territory of running your own instance.
I would recommend folks look up if headscale suits their needs (like it did for me for many years) before switching over.
The headscale API is very different than the Tailscale API so if you're automating setting up clients it's not quite drop in. Once a client is up, though, from what I've heard it's seamless.
> I don't see mention of open source alternatives
Check out Nebula (created by Slack) - https://github.com/slackhq/nebula
Fundamentally very similar to Tailscale. I've been using it for years and it has been flawless. It doesn't have as many bells and whistles as Tailscale but it does what it does very well.
I use nebula too. Originally manually, but more recently with defined.net (hosted admin interface). Nebula works great!
The Tailscale client (non-GUI) is open source: https://github.com/tailscale/tailscale
And they collaborate with Headscale to provide an open-source coordination server (with, unsurprisingly, a more limited featureset, but it works fine with their closed-source GUI client): https://tailscale.com/opensource#encouraging-headscale
I use the combination myself and it works quite well, but of course is less convenient than using their product (which I also do in a different context). Overall I'm pretty happy with their open-source stance.
Whether or not you're being overly paranoid depends on your needs.
As I said on another comment, my use can be tracked by volume and timing, but since I'm only connecting to my house or my in-laws', and using an exit node on one of them, I'm not doing anything with it that I wouldn't do openly from my house. If I were hosting Anna's Archive, it would not do.
As noted by others, Headscale works if you want fully self-hosted. The features it doesn't have aren't important to the typical home user. The free tier of Tailscale is really, really easy to set up and a very non-technical user can just use it if someone with even modest skills, like me, sets it up. That's why I use it. I can talk my wife through how to use Tailscale over the phone. I can set up OpenVPN or Wireguard (I set up an OpenBSD firewall and NAT system in the mid-late 1990s for an office and used it with SSH tunnels and VNC to do some remote troubleshooting), but I can't troubleshoot it remotely with a nontechnical user.
You keep saying you don't mind timing and volume information known by Tailscale but much more concerningly compared to that is that they can add peers to your tailnet. In fact that's how their optional open-port scanner service discovery feature works. And even if you trust Tailscale, which I generally do, then there is the concern that they only support login through SSO via identity providers. You have to trust them as well.
I have an iPhone. I pretty much have to trust Apple. If you took that over then yes, you could screw me over pretty hard.
And yes, they could add peers to my tailnet. That’s why every time I have talked about TS I say it’s about your threat model. I’m a home user, and while I wouldn’t just open up my network, there’s nothing here that will get me in prison or dead. If I had that kind of info it would never, ever meet the internet in any form.
I would be more cautious if I ran a large multinational corporation. I don’t. I think I can trust Tailscale not to be the operators of an enormous “residential IP VPN” botnet.
Tailscale is not different. It simply makes managing WG configuration easier, and adds some useful value-added features on top.
But, as you know, you can also manage this configuration yourself, either via traditional config mgmt tools, helpers like wg-meshconf, or even plain shell scripts, if you like. I'm aware this is a very HN-Dropboxy comment, but it's really not that complex[1], and is easily manageable for a small deployment.
Another VPN tool I used before WG gained momentum was tinc, which supports mesh networking out of the box. It's even easier to configure and maintain, and supports all platforms. It does run in userspace, which should make it slower than WG, but I found the performance acceptable for my modest use cases. Highly recommended.
[1]: https://www.procustodibus.com/blog/2020/11/wireguard-point-t... (this blog is a great WG resource!)
You can also build a mesh network using standard wireguard. While manual configuration requires exchanging keys and settings between devices, many ansible playbooks can automate this process with minimal effort.
I noticed the same, I had nodes on 2 different ISPs.
On one ISP inbound IPv6 was blocked at router, while on other IPv6 was fully allowed.
Tailscale detected this is automatically created the tunnel from the blocked one to the other.
I was super impressed, as this was handled automatically.
Interesting article; do you have any details on the performance differences?
Differences between openvpn and tailscale exit nodes? I can run some tests this weekend.