Tailscale free for open source projects (tailscale.com)
171 points by tosh 77 days ago | 59 comments

Can someone explain to me why I would use this instead of zerotier? Are there benefits I haven't seen?

EDIT: https://tailscale.com/kb/1139/tailscale-vs-zerotier/

That is a very fair writeup for a competing product. Nice!

Up for this. Zerotier is very easy to set up too and quite stable in our experience.

I wonder, does either have "magic DNS" where I can access machines by their hostname or hostname.local or hostname.intra.mydomain? Last I checked zerotier had added a push dns feature but not on linux which is a deal breaker.

Tailscale offers exactly that, and even calls it "MagicDNS"! https://tailscale.com/kb/1081/magicdns/

That's lit, thanks for sharing. So nice to see that's working and I can start using zerotier for real! I think this is an underappreciated convenience for people running smaller networks.

I use Tailscale's MagicDNS. Definitely a huge convenience as I run a few services that I use on the web browser, so having a domain name instead of the IP address is a win.

You can turn on mdns with systemd network files too. Which works over zerotier because it's L2.

Or as it turns out, the horribly ugly hostname.home.arpa, because why would you expect to have any of the more natural and obvious TLDs for home network domains:


I think .arpa is beautiful. I wouldn't use "home" for the subdomain though.

mDNS/Bonjour will work on small- to medium-sized networks since multicast works.

I don't think it works with Tailscale even though the tailscale0 interfaces say MULTICAST.

Was talking about ZeroTier.

Been using tailscale for over a year and a half to get access to HomeAssistant running on a box at home from my iPhone wherever I am. Works great, have never had any issues. The iPhone app connects quickly.

They jump through a lot of hoops to make the iOS app work (due to stricter resource restrictions on iOS). Shame it is closed source though, because following their network engine implementation that's open-source has been quite a learning experience.

All the hoop-jumping I can think of is open-source. https://github.com/tailscale/go has the Go toolchain changes for size reduction (though most get upstreamed), and the rest of the size reduction stuff comes from lazy configuration, i.e. keeping as little idle state as possible. But that's useful for memory reduction on all platforms, so it's just in the general network engine at https://github.com/tailscale/tailscale .

Just set this up on my NAS, it’s so helpful. Really hope their business tier proves profitable, these free/easy features for personal accounts are great.

It’s also ludicrous how easy it is to set up. The website claims it takes minutes. It took minutes, but only because I sat there with it working trying to work out how I finished the config. After cursing the brevity of the documents I realised that they were complete and it was actually running. Total setup was less than 10 minutes, maybe even 5 minutes.

The steps are basically:

“Step 1: Sign up for an account

Step 2: Add a machine to your network

Step 3: Add another machine to your network”


I have never used anything in my whole career that was as easy to set up as Tailscale. It is terrifying.

How does it pass your firewall? Is it through the client for each machine?

Tailscale adds a layer of NAT traversal logic on top of regular WireGuard, so in most cases you end up with p2p WireGuard tunnels between your devices, as if the NAT wasn't there. https://tailscale.com/blog/how-nat-traversal-works/ has the gory details, it's less easy than I just made it sound :)

Haha, thank you. Going to read that.

the setup is such a pleasure to use - they've really nailed the onboarding and are a great example for other startups

I wish there was something like tailscale but without a central server.

Tailscale without a central server is raw WireGuard, basically. You can do that but then you lose Tailscale's automatic NAT traversal and packet relay fallbacks for when UDP is blocked or NAT traversal fails.

Or you can self-host Tailscale with https://github.com/juanfont/headscale if you want.

Really impressive to see Tailscale employees recommending free alternatives to their own service!

Not much to lose. Very few interested in self hosting are probably the type who are going to pay anyway! :)

So worst case they help with the open source code or bug reports or they get sick of self hosting and pay (or use our hosted one for free).

Can I self-host but still pay you an enterprise contract for when things go wrong? Or is that not supported?

Happy to discuss, send us an email!

It is possible for enterprises, though we encourage users to first see if the hosted version will work for them because support is difficult, and thus significantly more expensive, for self-hosting.

I will if we end up trying it out, though I think we'll just go with your version anyway. It's between you guys and Cloudflare, AFAIK, as Cloudflare's VPN does authentication to services easier too.

At $5/user/month (as a small company) it's MUCH easier to pay Tailscale than run something myself.

I wouldn't run it myself out of price sensitivity, but more because of trust.

Then again, I imagine the keys are generated on the device and the code can be audited to never share them, plus it's WG under the hood.

You might want to consider innernet. It's still got a central server, but it's self-hosted and similarly easy to deploy. Check it out here: https://github.com/tonarino/innernet

tailscale is p2p. IIRC, centralization is mostly for the control-plane (dns configuration, network configuration, flow logs, authn) and to route around unyielding NATs (without compromising on WireGuard's crypto-key routing).

Also their blog post [1] explains issues around a truly mesh network, and how a centralized coordination point solves this issue with few disadvantages.

[1] https://tailscale.com/blog/how-tailscale-works/

As others have noted, just self-host a Zerotier controller. It's what I do.

Isn't that just vanilla WireGuard then?

You can self-host ZeroTier controllers. Also gives you unlimited devices that way.

Could anyone please tell me what Tailscale is for? It allows you to connect to other computers in your home? For doing what?

The most obvious use case is to replace absolutely anything you'd ever use OpenVPN or IPsec for. Building on that, Tailscale is so simple that you consider things you wouldn't have before just because OpenVPN would have been so painful to set up. It has fine-grained access control and it integrates with SSO.

It's good for home use, but --- and I am biased I guess because of my background --- where it really shines is corporate connectivity. If I joined a company as a security person and it was running some horrible OpenVPN access VPN for its dev team right now, one of my top action items would be to replace it immediately with Tailscale.

My rough understanding with Tailscale is they have a central server you need to trust. How do you feel about this from a security perspective?

As a privacy tool, it's a legitimate qualm. As a company security thing, it's close to exactly what you want. In particular, you very much want as much of this stuff as possible linked to your Okta or GSuite account. Not just Tailscale; everything. It's why sso.tax is such a big deal.

Most use it to access their home servers that are not directly internet facing. Like how you access work servers through VPN. Same purpose really. Files, media, apps etc.

I'm wondering if there's any benefit to the average tech-savvy person to using Tailscale/ZeroTier as a VPN (with a VPS, say) vs. just using a consumer-facing VPN like Mullvad or whatever.

It's possible to set up tailscale with exit node routing (ie: similar to what Mullvad does) - but it will be your exit node (eg: an on-prem server, a vm you manage). So that basically allows you to do legacy access control via ip whitelists (only allow IP our.office to talk to your.dmz.service that we develop and manage for you).

If possible, just bringing the node/service in question "into" the wireguard/tailscale network would be better. But good luck getting a hospital to allow you to connect your tailscale to their patient record db (or what have you - obviously in this case you'd hope they have a solid vpn and give you access.. ).

For the use case of "talk via vm through mullvad exit node" I suppose you could set up Mullvad on the vm, and tailscale on the vm with Mullvad vpn as exit node, then join all your other nodes to tailscale.

Tailscale would replace how you connect to your vm, not mullvad.

Well if you're using VPN for well "shady stuff" (e.g. torrenting), I don't suppose a VPS with your full name, credit card, and billing address is especially helpful.

But apart from that, deploying WireGuard* on a VPS for bypassing censorship/georestrictions is quite nice and cheaper compared to many paid ones.

* Tailscale and Zerotier aren't really needed if you want to route all your traffic through a single machine, WireGuard itself does exactly this.

I'm currently looking into implementing a VPN setup on AWS to allow my team to access services in private subnets. Tailscale seems great but too pricey for our small company. I'm playing with Pritunl now, but looking for other suggestions. Ideally I want to have some SSO functionality so we don't have to manage users and the team can log in with their company Google account. Any suggestions for this type of setup?

WireGuard. Run it on a bastion box. There isn’t a batteries-included tool I know that’s good at this. The WireGuard ecosystem means you gotta glue a lot of OSS stuff together.

tldr make sure the bastion box can reach the stuff you need it to reach as far as subnets and security groups go, ensure kernel will fwd traffic from WireGuard clients, run WireGuard daemon, and expose it to the outside world via eip. I’m oversimplifying (dns, sec groups, routing client traffic to other subnets) - but hopefully that explains the gist.

I have a small Python script that takes an XLSX file as input and populates a dir with config files and QR code images for each user.

Or you can check out some of the OSS ways to do self-service vpn mgmt with a web UI that authenticates against Google auth. I haven’t deployed this yet but it looks cool https://github.com/subspacecloud/subspace

If you know this sort of tech well it is not hard to deploy and manage yourself. But tailscale has a really killer client-side experience and “just works” so honestly it might be worth the $$$
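As an added example (not code from the thread or from any project it mentions), here is a Python sketch of the per-user config generator the comment above describes: it allocates tunnel addresses, writes a bastion wg0.conf whose PostUp enables kernel forwarding and NATs into the VPC, and writes split-tunnel client configs whose AllowedIPs cover only the private subnets. The endpoint, subnets, user list and key strings are constructed placeholders.

```python
import ipaddress
from pathlib import Path

# Constructed inputs standing in for the real bastion, VPC and XLSX user list. Key strings
# are placeholders, not real Curve25519 keys: make real ones with `wg genkey | tee k | wg pubkey`.
BASTION_ENDPOINT = "203.0.113.10:51820"       # hypothetical Elastic IP + UDP port
BASTION_PRIVKEY = "BASTION_PRIVATE_KEY_PLACEHOLDER="
BASTION_PUBKEY = "BASTION_PUBLIC_KEY_PLACEHOLDER="
WG_SUBNET = ipaddress.ip_network("10.200.0.0/24")  # tunnel addresses
VPC_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]      # private subnets reached via the bastion
USERS = [
    {"name": "alice", "pubkey": "ALICE_PUB_PLACEHOLDER=", "privkey": "ALICE_PRIV_PLACEHOLDER="},
    {"name": "bob", "pubkey": "BOB_PUB_PLACEHOLDER=", "privkey": "BOB_PRIV_PLACEHOLDER="},
]

def allocate(users, subnet=WG_SUBNET):
    """First host address is the bastion; each user gets the next free /32 in order."""
    hosts = subnet.hosts()
    bastion = next(hosts)
    return bastion, {u["name"]: next(hosts) for u in users}

def server_config(bastion_ip, assigned, users, iface="eth0"):
    """wg0.conf for the bastion: enable forwarding, NAT into the VPC, one [Peer] per user."""
    up = (f"sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; "
          f"iptables -t nat -A POSTROUTING -o {iface} -j MASQUERADE")
    down = f"iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {iface} -j MASQUERADE"
    lines = ["[Interface]", f"Address = {bastion_ip}/{WG_SUBNET.prefixlen}", f"PrivateKey = {BASTION_PRIVKEY}",
             f"ListenPort = {BASTION_ENDPOINT.rsplit(':', 1)[1]}", f"PostUp = {up}", f"PostDown = {down}"]
    for u in users:  # AllowedIPs is the peer's own /32 only, so it cannot source other addresses
        lines += ["", "[Peer]", f"# {u['name']}", f"PublicKey = {u['pubkey']}",
                  f"AllowedIPs = {assigned[u['name']]}/32"]
    return "\n".join(lines) + "\n"

def client_config(user, addr):
    """Split-tunnel client: only the tunnel range and the VPC subnets go via the bastion."""
    allowed = ", ".join([str(WG_SUBNET)] + VPC_SUBNETS)
    return "\n".join([
        "[Interface]", f"Address = {addr}/32", f"PrivateKey = {user['privkey']}",
        "", "[Peer]", f"PublicKey = {BASTION_PUBKEY}", f"Endpoint = {BASTION_ENDPOINT}",
        f"AllowedIPs = {allowed}", "PersistentKeepalive = 25",  # keeps NAT mappings alive
    ]) + "\n"

def write_configs(outdir):
    """Write wg0.conf plus <user>.conf into outdir and return the file names written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    bastion, assigned = allocate(USERS)
    (out / "wg0.conf").write_text(server_config(bastion, assigned, USERS))
    for u in USERS:
        (out / f"{u['name']}.conf").write_text(client_config(u, assigned[u["name"]]))
    return sorted(p.name for p in out.iterdir())
```

Security groups still have to admit UDP 51820 to the bastion and the bastion's traffic to the private subnets; QR images (as in the comment) can be rendered from each client file with a separate tool.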

Thanks for the suggestion. I have seen subspace, but haven't had a chance to explore it deeply. I don't mind deploying and managing my own setup, but since my team is small, I want to limit how much time I have to spend on this in the long run. I have definitely considered running my own setup of barebones WireGuard, but haven't come across an elegant user management solution.

I've looked into replacing my personal WireGuard setup with an innernet [0] managed network. You can throw it onto a generic VPS and make managing WireGuard peers super easy.

It's not unlike Tailscale and nebula (that others already mentioned) but I think it deserves to be mentioned.

[0]: https://github.com/tonarino/innernet

WireGuard isn't so good for mesh networks because every new node requires reconfiguring all the others. Even with management utilities this is a pain, so instead I recommend something like nebula https://github.com/slackhq/nebula

Not necessarily. You can have one or several (potentially load-balanced) “gateways” which act as entry points into subnets.

At some point you’ll probably want to integrate with some identity management, but dozens of users and hundreds of servers are totally fine to manage as yaml in ansible IME.

As others have suggested, Nebula (https://github.com/slackhq/nebula) is pretty elegant. It has groups-based access built in which is extremely convenient.

You can bolt on SSO fairly easily - just create a certificate signing service. I created https://github.com/unreality/nebula-mesh-admin in a weekend, so it's fairly easy to add an SSO flow in.

Thanks! This seems pretty interesting, I will definitely explore it further.

AWS SSM allows you to remote in as well as tunnel to hosts regardless of subnet.

Yeah, we do use it for ssh access. I know about the port-forwarding capabilities, but haven't explored it for this use case. Given that our environment is dynamic, I don't know if accessing internal services via port forwarding over ssh is going to be feasible.

This is great! But now that I have family and friends network, and a work network - how do I easily switch from one to the other? As far as I can tell, one has to log out and back in via the "long" oauth route for every device (ie: phone and laptop for work from home)?

> This plan is also available to families and friends. Connect to your dad’s photo server, provide feedback on your daughter-in-law’s new app, and check in on your neighbor’s shared driveway webcam.


Long time tinc user here. Is this a comparable thing?
