
TailScale – Instantly interconnect your devices and services, wherever they are - pcr910303
https://tailscale.com
======
kenrose
Avery Pennarun is one of the founders (aka apenwarr.ca). Avery’s one of the
most knowledgeable folks about TCP I know and has been building virtual
networks of all kinds for 20+ years.

Congrats on the launch!

~~~
rsync
"Avery Pennarun is one of the founders (aka apenwarr.ca). Avery’s one of the
most knowledgeable folks about TCP I know and has been building virtual
networks of all kinds 20+ years."

I really appreciate his (imo) inspired work on 'sshuttle'[1] which he no
longer maintains. I really wish this project would get the attention and
development it deserves...

[1]
[https://github.com/sshuttle/sshuttle](https://github.com/sshuttle/sshuttle)

~~~
apenwarr
As far as I know, the person who took over maintaining sshuttle does a pretty
good job - it still works well today on more platforms than ever.

However, I've been thinking that the sshuttle model doesn't completely keep up
with the way the world has been going since I first wrote it ~10 years ago.
There's a lot more stuff in the cloud now! And you want to be connected to
multiple locations, not just a single location, because your team's resources
tend to be scattered over many locations.

Tailscale is a more modern approach based on a similar philosophy: minimizing
setup time and complexity, while relying on an existing mature layer for the
cryptography part so we can't screw it up.

(And yes, it's funny trying to argue both sides in a thread where I'm
competing with myself :))

------
apenwarr
A few people have been asking about Raspberry Pi support. We don't exactly
"support" it yet but we can send an armv7 binary for you to play with if you
ask after signing up. I'm told it works for, say, streaming a home webcam
directly to your phone :)

~~~
prox
This definitely looks like a product that could be great in raspberry dev
projects and other situations that benefit from a direct mesh network!

~~~
dfcarney
(Co-founder here)

[https://motion-project.github.io/](https://motion-project.github.io/) made it
really easy for me to setup a webcam on my Raspberry Pi. Accessing that using
HTTP over WireGuard (via Tailscale) from my iPhone when out of the house was
one of those "delight and amaze" moments.

------
akerl_
Looking at your site, I’m confused by two of the features:

It says “Zero trust” and “Identity via SSO”. Given that the WireGuard protocol
operates on keypairs, if I’m identifying via SSO, what system is converting my
authorization into a keypair? How are existing devices in my network gaining
my public key to communicate with me? The description of “Zero trust” given
also doesn’t really align with the actual definition of zero trust (
[https://en.m.wikipedia.org/wiki/Zero_Trust](https://en.m.wikipedia.org/wiki/Zero_Trust)
); the description talks about device visibility.

~~~
dfcarney
(Co-founder here)

We integrate with existing identity providers (for instance, GSuite, Okta,
Ping, AD) to perform authentication and generate keypairs. Public keys are
shared via a coordination server (and each device's private keys never leave
it). There's an (optional) additional layer of authorization required in which
an admin reviews the endpoints asking to connect. A combination of user and
machine certificates makes it possible to ensure that both the users and
machines are managed properly.

So, basically, we're enabling the "enforcement" side of identity and policy
management at the networking layer, with visibility into users and their
devices.

I hope this helps! Please keep the questions coming.

~~~
akerl_
I’m still trying to square the concept of “zero trust” here. The private keys
never leave my devices, but the TailScale service is responsible for
distributing public keys (which is what makes network access possible between
my new system and another system).

If I’m understanding correctly: I open the TailScale app on my device, and
auth to the TailScale platform using SSO. My device makes a private key, and
sends my public key to TailScale. In the default mode, the TailScale platform
gives me back the pub keys for other devices in my network, and gives my pub
key to those devices. In the optional mode, an admin has to go into the
TailScale platform UI and approve my device.

If that’s correct, in _both_ modes, TailScale could compromise my traffic by
making their own keypair and doing the pub key sharing process. Because it’s
TailScale that’s responsible for validating my SSO before accepting my pubkey,
and it’s the TailScale platform admin interface that’s responsible for
deciding that an admin approved my device (if that feature is enabled),
TailScale can just inject their own pubkey into my network. Am I missing
something? Because that would be the opposite of “zero trust”.

~~~
crawshaw
Your analysis is correct, your machine has to trust the Tailscale auth server.
I think that this is compatible with the technical definition and spirit of
Zero Trust. To elaborate:

In the typical web-only BeyondCorp scenario, a network is Zero Trust because
every connection is done over TLS and clients are validated by client-side
certificates. These client-side certificates are not hand-typed by
administrators into computers, instead they are trusted because they are
signed by a CA root. "Zero trust" means zero trust in the network wires, all
identity is confirmed with some sort of cryptographic certificate.

In the Tailscale model, a node trusts the Tailscale auth server because it
presents a trusted certificate, and so is trusted to distribute endpoint
public keys. A compromised Tailscale auth server compromises the network, in
much the way a compromised CA root compromises an mTLS network.

For larger customers we are planning a self-hosted version of our auth server
(so we are out of the trust loop), and want to publish the protocol we use for
communicating with it for general inspection.

(Tailscale cofounder.)

~~~
akerl_
Interesting. If you’re actually using “Zero trust” to attempt to convey “zero
trust architecture”, in the BeyondCorp sense, I’m more confused than before.

The central premise of BeyondCorp and similar approaches is about no longer
trusting based on network location, and instead always performing trust based
on device identity and other factors. This is why PKI plays such a pivotal
role in BeyondCorp: your organization’s CA signs certificates, which are
present on every device, and that combined with additional forms of user
authentication enables trust regardless of network location. Leveraging a
WireGuard VPN is largely a step “backwards”; it moves back towards a VPN-style
world where you allow access by requiring endpoints to step inside a
conceptual network boundary (by connecting to the VPN). In practice, the
Wireguard model has several advantages over that, but it’s explicitly
different from the BeyondCorp/Zero Trust approach.

Edit to clarify:

“Zero trust architecture” doesn’t refer to whether endpoints trust a central
service/provider, it refers to whether corporate assets base their trust
determinations on the origin point of client traffic. For example, in a non-
Zero-Trust environment, corporate assets might assume clients connecting from
the local network are trusted, and require roaming users to VPN in. By
contrast, a Zero-Trust environment might use MDM-provisioned certificates and
MFA on all connections, regardless of the network placement of the endpoint.

“Zero trust” as colloquially used by service providers tends to mean “you
don’t have to trust us”. This is largely because “zero trust architecture”
doesn’t really make sense as something a provider provides, and also because
providers have latched onto “zero trust” as a buzzword.

~~~
crawshaw
I have not heard the colloquial use of "zero trust" by service providers you
mention. The baseline Tailscale product is not "you don't have to trust us" as
we run the auth server. The variant of our product where you run your own auth
server does have this property, but it is not the default arrangement.

We do use "zero trust" in what you describe as the architectural sense, and I
do not think leveraging WireGuard is a step backwards at all. When one node
wants to communicate, it establishes a WireGuard tunnel to the node it wants
to talk to. That WireGuard tunnel only moves packets for talking to a single
node, to talk to another node you establish a new tunnel.

There is (in our default and recommended setup) a 1-1 relationship between a
public key for an endpoint and its IP address. That public key was linked to a
corporate SSO account by the auth server. That means when you send or receive
a packet from the private IP range Tailscale manages, you know exactly the
identity of the source or destination of that packet.

If you configure a Tailscale node to route a subnet, you remove some of the
BeyondCorp-style Zero Trust from your configuration. This feature exists to
help companies transition to Zero Trust, and is not something I want to see as
a final state for anyone's network. The end goal is Tailscale running on every
node in the network.
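The concern raised above (the coordination server distributes peer public keys, so an injected key would be accepted) and the stated 1-1 mapping between a public key and a tunnel IP suggest one defensive check: pin that mapping out of band and audit the live WireGuard peer table against it. This is an added example, not Tailscale's code; it parses the `wg show <iface> dump` format, and the dump text, key strings and pinned inventory are constructed placeholders.

```python
"""Audit WireGuard peers against an out-of-band pinned IP -> public key map."""
from typing import Dict, List, Tuple

# Constructed sample of `wg show wg0 dump` output (placeholder keys, not real).
# First line: private_key public_key listen_port fwmark
# Peer lines: public_key preshared_key endpoint allowed_ips latest_handshake rx tx keepalive
SAMPLE_DUMP = """\
(hidden)\tLOCALPUBKEY=\t41641\toff
PEER_A_PUBKEY=\t(none)\t203.0.113.10:41641\t100.64.0.2/32\t1700000000\t1024\t2048\toff
PEER_B_PUBKEY=\t(none)\t(none)\t100.64.0.3/32\t0\t0\t0\toff
ROGUE_PUBKEY=\t(none)\t198.51.100.7:51820\t100.64.0.4/32\t1700000100\t10\t20\toff
"""

# Pinned expectation maintained by the admin outside the coordination server
# (constructed values; in practice an admin-signed inventory of approved devices).
PINNED: Dict[str, str] = {
    "100.64.0.2/32": "PEER_A_PUBKEY=",
    "100.64.0.3/32": "OLD_PEER_B_PUBKEY=",  # key changed without admin approval
    "100.64.0.5/32": "PEER_C_PUBKEY=",      # approved device not present in the table
}


def parse_dump(dump: str) -> List[Tuple[str, str]]:
    """Return (public_key, allowed_ips) for each peer line, skipping the interface line."""
    peers = []
    for line in dump.splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        peers.append((fields[0], fields[3]))
    return peers


def audit(dump: str, pinned: Dict[str, str]) -> List[str]:
    """Flag peers whose key is unpinned or differs from the pin, and pins with no peer."""
    findings: List[str] = []
    seen = set()
    for pubkey, allowed in parse_dump(dump):
        for cidr in allowed.split(","):  # allowed_ips may list several CIDRs
            seen.add(cidr)
            expected = pinned.get(cidr)
            if expected is None:
                findings.append(f"UNPINNED {cidr} key={pubkey}")
            elif expected != pubkey:
                findings.append(f"KEY_MISMATCH {cidr} got={pubkey} want={expected}")
    for cidr in pinned:
        if cidr not in seen:
            findings.append(f"MISSING {cidr}")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DUMP, PINNED)))
```

Any UNPINNED or KEY_MISMATCH finding is a peer the coordination server introduced that the admin's own inventory does not vouch for, which is exactly the case the thread worries about.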

~~~
doublerebel
> If you configure a Tailscale node to route a subnet, you remove some of the
> BeyondCorp-style Zero Trust from your configuration. This feature exists to
> help companies transition to Zero Trust, and is not something I want to see
> as a final state for anyone's network. The end goal is Tailscale running on
> every node in the network.

If the goal is to not use Tailscale as a standard SDN, and instead run it on
every node with independent tunnels between nodes, when would I pick this vs
using a service mesh that includes service discovery?

Is Tailscale intended to be a service mesh for the average Joe?

When creating an SDN or mesh, it's often preferable to separate local nodes
(e.g. same datacenter) from remote nodes (e.g. different regions). How does
Tailscale handle widely varying latency across the mesh?

~~~
crawshaw
That is a really good question. I like the line "service mesh for the rest of
us." But I want to take the time to get this side of the product right, so the
service discovery features we have been working on will be rolling out slowly.

------
twistiti
ZeroTier is an alternative, free up to 100 devices.

~~~
api
It's free for unlimited devices if you run your own network controller, which
is not that hard. Look under controller/ in the github repo.

~~~
Multicomp
I wonder if Tailscale will offer something similar? I don't know the lift cost
to do a 'sharealike' network controller but perhaps if it is not burdening
their network more than a line in a DB somewhere, they might be willing to do
something similar.

------
caseymarquis
So, is this basically a service which simulates a managed VPN, but establishes
secure P2P connections between devices to maximize throughput? If so, I'm very
curious about pricing.

~~~
apenwarr
Yes, it uses point-to-point connections and there's no VPN server to install.
We're still figuring out pricing, but for now you can try it out for free if
you put your name on the waiting list.

-- a person who did not expect our site to hit HN quite so soon

~~~
NetOpWibby
Haha, congrats!

I’m loving the web design, feels...comfortable? Idk, I like it.

------
mbn12
- If both devices are under a NAT the packets flow relayed through a server?
(or in cases where direct connection can be established somehow)

- And if direct connection is available (both in the same LAN) the flow is
direct? (reducing latency)

If yes, is this done automatically?

If I'm not mistaken this is what Logmein Hamachi does. I experience low lat/high
speed in the LAN and in a few cases high latency in some devices (due to the
"relayed mode"), when direct link is not established.

Good part is that it's seamless for the end user... best case is found
automatically and transparently.

------
Multicomp
This concept seems interesting and I want to know more.

Unfortunately, I'm getting a large amount of friction trying to join your
newsletter. Why do I get a reCAPTCHA to 'verify I'm human' if I've already
typed my email in, then clicked the confirmation link? I have uBO and noscript
to stop most sites trying to get me to enter my email into their modals, but
for the site I actually want I'm being pushed through unnecessary hoops...dang
you mailchimp.

~~~
crawshaw
Sorry about that. You can email us directly if you like: info@tailscale.com

~~~
Multicomp
Your offer is kind; I was more griping about MC not liking any user that
doesn't use an un-VPNed connection or runs a non-Chrome browser.

I worked my way through the captchas and after a few rounds it let me in.

I am curious - does MC give you insight as to why it captchas certain users?

~~~
apenwarr
We're getting an influx of new waitlist subscriptions right now (most likely
due to this post trending on HN). I have a feeling mailchimp has noticed
something's up and thinks it's a DoS attack. Oops.

------
antpls
Just by my understanding after reading the front page, it means I can ssh into
my Android phone (on LTE) from a desktop computer from another location.

Since most mobile network providers block listening to sockets on the phone,
server applications (to the internet) cannot be hosted on mobile phones. Does
it mean the Tailscale app always runs in the background and keeps an active
connection to Tailscale servers? Wouldn't it negatively impact the battery of
the phone?

------
atonse
How would this work, would your servers run as sort of the wireguard ”server?”

Also would we be able to connect a pure wireguard client too? (For my router
but probably not needed)

~~~
crawshaw
Install the software on each machine you want in the network, servers and
clients. Any machine in your network can connect to any other machine when it
wants to send a packet.

The protocol is pure wireguard, but it's a little tricky to generate direct
configs for it from the Tailscale network, for various reasons I really should
write up in a blog post.

(Tailscale cofounder.)

~~~
akerl_
How are connections handled if both devices are behind NAT?

~~~
crawshaw
We adapt the tricks from RFC 8445 to WireGuard so two nodes behind NAT routers
can find each other.

------
atonse
This looks really awesome (glad it’s based on WireGuard). Can’t wait to try it
out and use something like this for our infrastructure.

------
_Codemonkeyism
How does it relate to ZeroTier (which I currently use for a lot of things,
lately to connect to my NextCloud from my phone)

------
rbinv
Somewhat off-topic, but I found it funny that the logo dots animate
differently (within the SVG) on each page view.

------
TKAB
Is this mainly for businesses or would I also benefit from it in a private
(family, alone) setting?

~~~
crawshaw
Our focus has been business so far, but I use it for my personal home network.
I would like to explore other uses.

