I’m seeing a lot of this same comment here, so I went to check out this tailscale thing, which clearly I must need.
Can anybody explain what Tailscale is, does, or why everybody seems to have it?
Looking at their website, it’s just a huge wall of business jargon. Really! Read it. It’s nothing but a list of enterprise terminology. There’s a “how it works “ page full of more (different) jargon, acronyms and buzzwords, but no simple explanation of why everybody on this thread seems to be paying money for this thing?
Any help? Should I just pay them my $6/month and hope I figure it out at some point?
It's a wrapper around Wireguard that lets you use common SSO providers (Apple ID, Google, etc) to manage access.
It also handles looking up the IP address of your "nodes" through their servers, so you don't need to host a domain/dns to find the WAN IP of your home network when you're external to it (this is assuming you don't pay for a fixed IP).
Most people put an instance of it on a home server or NAS, and then they can use the very well designed and easy to use iOS/mac/etc client to access their home network when away.
You can route all traffic through it, so basically your device operates as if you're on your home network.
You can accomplish all of this stuff (setting up a VPN to your home network, DNS lookup to your home network) without Tailscale, but it makes it so much easier.
TS makes it super easy to use a VPC I have in the US as my VPN exit while I live in other parts of the world. Apps that work on phones, computers, and my AppleTV are big pluses over Wireguard which I have also used.
I was still completely mystified until your last sentence. And now I'm just mostly mystified. I, too, keep hearing Tailscale Tailscale Tailscale from HN commenters but have no idea why I'd need it. For anything I need to access on (or from) my home network I just use a VPN I've hosted in my home for the last decade or so.
If you've already got a VPN solution your happy with, Tailscale probably adds very little value for you. It's just basically the easiest / most user friendly way to setup a VPN to your home network.
It can do way more than just being a VPN-to-home, but that's how most users use the free part.
It's still valuable. You can access your server with your own VPN set up, but what if you want to share a server to a friend or a family member (examples includes VaultWarden/Bitwarden, Plex, Jellyfin)?
If this is on Tailscale, you can just ask people to install tailscale client and login using one of the IdP, then ask them to accept the node you shared to them, and they can immediately access the server.
The alternative would be 1) sending VPN configs over and maybe also configure their VPN client for them, or 2) expose the service on the Internet protected by some OAuth proxy which really only works for web apps. Neither is easy/trivial.
I'd guess a plurality of people are only sharing Plex with family members, and nothing else. If you only care about sharing Plex, you don't need Tailscale to give a family member access, assuming you have Plex Pass, since Plex does a proxy as you describe.
Basic version is it's a sort of developer focused zero trust network service.
Encrypted overlay network based on wireguard tunnels, with network ACLs based around identity, and with lots of nice quality-of-life features, like DNS that just works and a bunch of other stuff.
(Other stuff = internet egress from your tailscale network ('tailnet') through any chosen node, or feeding inbound traffic from a public IP to a chosen node, SSH tied into the network authentication.
There is also https://github.com/juanfont/headscale - which is a open source implementation of some of tailscale's server side stuff, compatible with the normal tailscale clients.
(And there are clients for a very wide range of stuff).
I can’t tell if you’re trying to help, or just getting into the spirit of the website’s “how it works (using ten pages of terminology and acronyms we just made up)” page.
None of the terminology or acronyms that user used were made up or unique to this. I think you are blaming other people for your unfamiliarity with this kind of tech.
It is simply a managed service that lets you hook devices up to an overlay network, in which they can communicate easily with each other just as though they were on a LAN even if they are far apart.
For example, if you have a server you'd like to be able to SSH into on your home network, but you don't want to expose it to the internet, you can add both it and your laptop to a Tailscale network and then your laptop can connect directly to it over the Tailscale network no different than if you were at home.
Sorry if I appeared rude. That was very much tongue in cheek.
But notice how you just did a much better job of explaining what this thing does without using any jargon at all. The jargon helps if everyone already knows what you’re talking about. It hurts if anyone doesn’t.
That’s what I’m poking fun at. There’s a trait in lots of engineers I’ve worked with over the years to be almost afraid to talk about tech stuff in layman terms. Like they’re worried that someone will think less of them because they used words instead of an acronym. Like they won’t get credit for knowing what a zero trust network is if they describe the concept in a way that regular people might understand.
One of those guys was certainly in charge of this company’s website copy.
Perhaps if we were on Reddit, and also on a general subreddit, then people would speak in less technical terms.
Since this is HN, it’s almost expected the participants here would either know the terms, or at the very least be able to find out what they mean on their own and realize it’s not made up jargon but rather common industry terms.
Tailscale is not trying to sell to the average buyer, it’s trying to sell to a specific audience.
> Like they won’t get credit for knowing what a zero trust network is if they describe the concept in a way that regular people might understand.
I've been trying to get a definition of zero trust at $client from the security people who are pushing tools onto our platform, so we can have an honest conversation around threats and risks, and finding the best balance of tools, techniques and processes to achieve their desired outcomes.
Unfortunately, it seems like everybody just want "zero trust" because a vendor sold them on that idea and they gave money to the vendor, so now there's the need to justify that expense and "extract value" from the tool - even if it may in fact be worse than the controls that are already in place.
It’s worth pointing out that it can be both. The hub and spoke model, relays, is often used for cloud setups where the overhead of installing clients on nodes is not worth the tradeoff
I don't think you need to pay $6 a month to try it out.
Install it on all the machines you want. When you are running it on the machine, it is networked to the other machines that are running it. Now make an 'exit node' on one of those machines by selecting it in the UI, and all your gear can access the internet via that exit node. Your phone can run it. Your apple tv can run it. You can have multiple exit nodes. So you can have a worldwide network and not once did you have to open ports in firewalls etc.
How does it compare to Zerotier? The way I understand it it's kind of overlapping functionality but not necessarily everything.
What I want from Zerotier is basically what you described about Tailscale.
The two problems I have with zerotier are:
1) It's supposed to let a mobile device like an Android tablet route its traffic through zerotier (functioning as a VPN to my home site, in this case). However, I've never got that to work. It's running, but doesn't affect anything network-wise for the other applications (unlike running e.g. openvpn on it)
2) On a couple of computers with specific routing set up to various destinations, when Zerotier runs it simply blocks all of that and there's no way for me to continue accessing anything else than the Zerotier network. No fiddling with routing tables etc. changes any of that. On other computers, also some running OpenVPN, Zerotier does not interfere. I've never figured out what causes this.
So, in short, I'm pondering if I should ditch Zerotier and try Tailscale instead. If it does the same - I simply want a way to connect my devices, but I also don't want to lose total control over routing. For mobile devices I would want full VPN, for computers I don't. Edit: So, I'm both after connecting my multiple networks, as well as VPN'ing certain things or devices through another location.
Having tried both Zerotier and Tailscale, I found Tailscale to be a significant improvement. Tailscale uses Wireguard as the base encrypted protocol instead of a semi-homebrew protocol Zerotier came up with that notably lacks things like ephemeral keys/perfect forward secrecy. Tailscale also has a faster pace of improvement and is responsive to customer asks, regularly rolling out new features, improving performance, or fixing bugs. Zerotier by contrast seems to move slower, regularly promising improvements for years that never materialize (e.g. fixing the lack of PFS).
My last gripe is more niche, but I found Zerotier's single threaded performance to be abysmal, making it basically unusable for small single core VMs. My searching at the time suggested this was a known bug, but not one that was fixed before I switched to Tailscale. Not impossible to work around, but also the kind of issue that didn't endear the product to me or inspire confidence.
It's been a minute since I ran ZeroTier, so my memory is fuzzy.
Tailscale and ZT are not the same. ZT can do certain things that TS can't. One example is acting as a layer 2 bridge. Or a layer 3 bridge. TS can do neither. It can achieve mostly similar results though.
ZT can be a pain to setup. TS is a breeze. ZT's raw performance is quite poor. TS's is usually very good.
If I understood you correctly, you want both a way to access your home LAN when you're out - this is easy. Set up a node with NICs on the LAN subnets you want access to (I run it on my router), and configure the TS node to announce routes to those subnets. Install the TS client on your laptop and mobile and accept those routes. Job done.
If you also want to mask your egress - i.e. reach the Internet via your home network as if you were there - then you need a node (can be the same as above) configured to act as an Exit Node. When you want one of your devices to use this, just select the appropriate exit node. Job done.
So, somewhere on that website, there’s a free version that can be downloaded onto a desktop and run without signing up for their service?
I think I understand what it does now. So, basically you leave a computer running at home, and this thing lets you pretend to be running your internet stuff through it while you’re on the road?
The first plan on the left called 'Personal' is free.
It uses a central orchestrator which is what requires you to sign up. If you prefer to self host your orchestrator you can look into Headscale, an alternative that seeks to be compatible with the clients.
> So, basically you leave a computer running at home, and this thing lets you pretend to be running your internet stuff through it while you’re on the road?
That's one thing you can do with it, yes. You can also run custom DNS entries across it, ACLs, it is very flexible.
Ugh. On mobile, the first plan on the pricing page is “ starter” for $6. The plan to the right is partly visible, indicating that you can scroll that way. There’s nothing to indicate that you can scroll left.
A less hostile website design would have (again) saved me a question.
It seems like it defaults to Business, which is paid. If you tap "Personal" you'll see the free plan.
Sorry, but try a little harder. Tailscale isn't hostile, but it seems you are -- you claim to think you need it, but don't know what it does and can't put in the effort to determine and foist those inabilities on Tailscale?
I've been using Tailscale for many years now and they have a terrific product.
Tailscale is one of the simplest, most useful things I use. I only use the personal plan, but I keep toying with signing up for paid because it’s a damn good product.
The service is free up to certain amount of connected people and devices. You most likely don't need to pay for it. I am pretty heavy user and don't.
It is virtual private network orchestrator. It allows you to connect to other devices that you add to your network as long as they are connected to the internet. So your office computer, home server or NAS. If you have some home automation like home assistant you can connect to it from anywhere. That kind of stuff.
You can run it on a capable router or on a RPi, or on your NAS. It's especially useful if you want to self-host (e.g. Immich). You can use it to authenticate for ssh if you like, or simply give you an IP you can ssh to.
It's especially handy if you want a secondary way in, in case you have problems connecting using wireguard, since it supports using a relay if you're stuck in a hotel with a heavily restricted connection.
If you run DNS at home, you can even configure it to use your home DNS and route to your home subnet(s).
So basically wireguard, but you have to pay for it, and you have create an account through Google/Apple/Microsoft/whatever.
Wireguard is not that hard to set up manually. If you've added SSH keys to your Github account, it's pretty much the same thing. Find a youtube video or something, and you're good. You might not even need to install a wireguard server yourself, as some routers have that built in (like my Ubiquity EdgeRouter)
It's not really "basically wireguard" and you don't have to pay for it for personal use. Wireguard is indeed pretty easy to set up, but basic Wireguard doesn't get you the two most significant features of Tailscale, mesh connections and access controls.
Tailscale does use Wireguard, but it establishes connections between each of your devices, in many cases these will be direct connections even if the devices in question are behind NAT or firewalls. Not every use-case benefits from this over a more traditional hub and spoke VPN model, but for those that do, it would be much more complicated to roll your own version of this. The built-in access controls are also something you could roll your own version of on top of Wireguard, but certainly not as easily as Tailscale makes it.
There's also a third major "feature" that is really just an amalgamation of everything Tailscale builds in and how it's intended to be used, which is that your network works and looks the same even as devices move around if you fully set up your environment to be Tailscale based. Again not everyone needs this, but it can be useful for those that do, and it's not something you get from vanilla Wireguard without additional effort.
I guess I'm still not following. Is there an example thing that you can do with Tailscale that you can't do with Wireguard? "Establishes connections between each of your devices" is pretty vague. The Internet can already do that.
I install tailscale on my laptop. I then install tailscale on a desktop PC I have stashed in a closet at my parents. If they are both logged in to the same tailnet, I can access that desktop PC from my home without any addition network config (no port forwarding on my parents router, UPNP, etc. etc).
I like to think of it as a software defined LAN.
Wireguard is just the transport protocol but all the device management and clever firewall/NAT traversal stuff is the real special sauce.
You can run two nodes both behind restrictive full cone NATs and have them establish an encrypted connection between each other. You can configure your devices to act as exit nodes, allowing other devices on your "tailnet" to use them to reach the internet. You can set up ACLs and share access to specific devices and ports with other users. If you pay a bit more, you can also use any Mullvad VPN node as an exit point.
Tailscale is "just" managed Wireguard, with some very smart network people doing everything they can to make it go point-to-point even with bad NATs, and offering a free fallback trustless relay layer (called DERP) that will act as a transit provider of last resort.
Tailscale is free for pretty much everything you'd want to do as a home user.
It also doesn't constantly try and ram any paid offerings down your throat.
I was originally put off by how much Tailscale is evangelised here, but after trying it, I can see why it's so popular.
I have my Ubuntu server acting as a Tailscale exit node.
I can route any of my devices through it when I'm away from home (e.g. phone, tablet, laptop).
It works like a VPN in that regard.
Last year, I was on a plane and happened to sit next to an employee of Tailscale.
I told him that I thought his product was cool (and had used it throughout the flight to route my in-flight Wi-fi traffic back to the UK) but that I had no need to pay for it!
One of the things keeping me from adopting Tailscale is that I need to sign up with one service, but I can't add multiple services as login options in case one of those SSO providers lock me out, like what happened to Dr Paris Buttfield-Addison with Apple.
I checked, and Tailscale only allows a single Owner [1], so it would still be pretty disastrous if the Owner account was suspended by the single sign-on organisation.
Great, yet another opportunity for Big Tech to track people. I’ll stick to my Wireguard setup, I have a fixed IP and would rather have full control of what is happening by setting up the keys myself than trust a third party.
Not sure if anybody gives you the answer to "what is tailscale?". So, this is my answer (hopefully it's correct and simple enough to understand).
Tailscale allows devices that can access the Internet (no matter how they access the Internet) to see each other.
To do that, you create a tailscale network for yourself, then connect your devices to that network, then your devices can see each other. Other devices that are connecting to the Internet but not to our tailscale network won't see your devices.
AI might explain it better :-) Don't know why I wanted to explain it.
A multipoint VPN that punches through NAT and can be configured to do a lot of neat things besides.
Nothing that a network guru or even a sufficiently motivated hacker couldn’t do on their own, except that the maintenance is practically zero for the personal user and it’s actually easy enough for a very nontechnical person to use (not necessarily to set up, but to use), perhaps with a bit of coaching over the phone. Want to use a different exit point for your traffic? It’s a dropdown list. Share a file? Requires one config step on the client for macOS, once, and then it’s just in the share menu. Windows, Android, iOS are ready to go without that. Share whole directories? Going to require some command-line setup once per shared directory, but not after that.
There are features that are much more enterprise-focused and not as useful for personal stuff, but everything above is in the free version.
I’m not in tech at all, professionally, and never have been. I’m savvy for an end user - I can install Linux or a BSD, I can set up a network, I can install a VPN myself to get back to my home network - but I would never, ever call myself anything more than an interested layman. I probably could figure most of this out on my own, if I had to. Thing is, I don’t have to. It’s more than just Wireguard in a pretty wrapper.
Try it. It won’t take long to figure out why so many people here like it, even if you may not want to use it.
Tailscale can tunnel all your traffic through a chosen exit node so you browse the web and whatnot as if you were at home (or wherever the exit node is), so in this way it's a bit like a VPN from a VPN company, but it doesn't give you a list of countries to select from.
VPN companies aren't really in the business of selling VPNs. They sell proxies, especially proxies that let you appear to come from some country, and you typically connect to the proxy using the VPN functionality (particularly if you're using a consumer device instead of a laptop), but often you can use SOCKS5 instead.
Tailscale isn't in the business of selling proxies.
Which is nice, but still a beta feature. Tailscale itself is indeed a mesh VPN that lets you connect all your devices together.
> If I do not want to expose local services but only protect me and hide from untrusted WiFi, would I better use a traditional VPN or Tailscale?
It does NOT by default route all your internet traffic through one of its servers in order to hide it from your ISP, like the type of VPN you might be thinking of (Mullvad, ProtonVPN etc.).
Though you CAN make it route all the traffic from one of your devices through another, which they call an 'Exit Node'. They also have an integration with Mullvad, which allows you to use Mullvad servers as an exit node. Doing that would be identical to just using Mullvad though.
A system by wich you can expose things on your private network (e.g. your home lan) so you can selectively and securely make them accesible from other places (e.g. over the Internet). You can do all this without tailscale by just configuring secure encrypted tunnels (wireshark, traefic, ...) yourself, but services like tailscale provide you with easy gui configuration for that.
For me: it's a way to access services I host on my homelab LAN from 3000 miles away. Having a router that automatically logs into that and routes TS addresses properly allows you to use all your devices connected to that router to access TS services with no further configuration. I host Kiwix, Copyparty, Llama.cpp, FreshRSS, and a bunch of other services on my homelab, and being able to access all of those remotely is convenient.
It's a cryptographic key exchange system that allows nodes to open Wireguard tunnels between each other. They have a nice product, but I don't like how it spies on your “private” network by default: https://tailscale.com/kb/1011/log-mesh-traffic
You don't need to get too far down the page to see "VPN", which is what it is. But on top of that primitive, it's also a bunch of software and networking niceties.
Can anybody explain what Tailscale is, does, or why everybody seems to have it?
Looking at their website, it’s just a huge wall of business jargon. Really! Read it. It’s nothing but a list of enterprise terminology. There’s a “how it works “ page full of more (different) jargon, acronyms and buzzwords, but no simple explanation of why everybody on this thread seems to be paying money for this thing?
Any help? Should I just pay them my $6/month and hope I figure it out at some point?