What does HackerNews think of headscale?
An open source, self-hosted implementation of the Tailscale control server
Tailscale's business model has never been anonymity; last I used them they even required either a Google or O365 account to use the service.
You might want to look into Headscale[1] instead, it's a server-side implementation of Tailscale that you can self-host. It comes with its own drawbacks but from what I've seen it's worth it if you want more control over the network.
Requires a lot more setup, but it is an option. I've been self-hosting headscale for some time and it is quite stable.
My escape hatch from the monopoly is headscale[0] which I can self host.
There's headscale[1] that fills the gap somewhat.
- https://bore.pub && https://sslip.io
- https://github.com/juanfont/headscale
I don't think there's anyone using this kind of tool for email; the technical limitations elude my understanding TBH. This comment might be borderline off-topic, but I think the tools fill the niche use case you just mentioned. Have fun!
edit: it might be of interest to check this list! https://github.com/anderspitman/awesome-tunneling#recommenda...
Even with self-provided PSKs, you're going for an (IMHO) pretty poor trade-off; keys, certificates, etc. should be regularly rotated, and that's a chore that's best left automated. At that point, why not just set up WireGuard yourself?
If you have legitimate concerns, you should be using Headscale[1] (or even plain Wireguard) from day 1. Otherwise - personally I find the current threat model very reasonable, it's in no way worse than trusting any other VPN provider, and they're keeping a pretty big chunk of their code base open for auditing.
The thing is, what makes tailscale work really well as a "central" control server is that it makes it a lot easier to connect your personal machines. You don't need to deploy your own server, or mess with networking stuff. You just download it, log in and there you go. I myself have invited some non-tech friends to my network for playing LAN games from time to time and they find it pretty easy to set up tailscale on their side.
https://github.com/tailscale/tailscale/wiki/Tailscaled-on-ma...
I do that mostly because it's running as a LaunchDaemon.
> Forget the server
Pop the headscale server in and you get a fully FOSS system.
https://github.com/juanfont/headscale
That I don't do, because the coordination server, the relay system (which you can also self-host), and the server side UI are really good.
And also the public behaviour of the people working at Tailscale as well as Tailscale's approach towards FOSS generally increase my level of trust in them. IOW they strike me as Nice Folks(TM), and if Nice Folks(TM) don't inspire confidence in you then you probably want to run the whole thing as described above.
I mean, please read this in its entirety. They even have an "Encouraging Headscale" section.
Tailscale (or Headscale for that matter if you host it yourself) is magical in comparison.
https://github.com/juanfont/headscale
In addition to your points, we over here also have our own reasons for self-hosting everything (for example, to protect ourselves from being cancelled at any moment for being forced into a citizenship you didn't ask for by being born at the wrong place).
But I think with headscale it can be fully self hosted: https://github.com/juanfont/headscale
I have yet to try it out but it looks pretty good.
Yes and also I don't want another thing to maintain.
> but are non-technical people part of the customer base here?
Yes. I'm 100% sure that there are companies that use Tailscale that employ nontechnical people who need access to resources only available on the VPN.
> I'm just not convinced that the amount of work to set up wireguard is more than the amount of work to install and set up tailscale. Copy-paste IP and public key vs. download and login.
For you, maybe it's so simple it's not worth thinking about different options. For me, it doesn't make much sense. I've made a concerted effort to remove publicly accessible, self-managed infrastructure from my network. I just don't want to deal with it. I do not have a VPS to install a Wireguard server on, I'm not interested in setting one up, and I really don't need it in the first place (especially if Tailscale gets me into my home network).
> wireguard is basically free as it's in-kernel everywhere
Not everyone runs Linux. There is a time cost for user setup as well - even if I wanted to run my own wireguard server, I'm probably not going to hand out access to people to SSH in and do a self-service type signup. Therefore, it falls on me. With Tailscale, I (or somebody else) can just add a Github user to an org and the rest can be done by the end user. The majority of the people who I'd want on my Tailscale network are already in a Github org that I control, so I usually don't even need to do that.
> What's the argument for increasing my attack surface and introducing a centralized failure point and new recurring payment?
The same as it is for any other paid service: running this myself requires more time and effort than it's worth (not just setup -- end user support, maintenance, upgrades, etc factor in too) + I'm willing to let somebody else take care of it for me. For my uses, Tailscale is actually free but I'm thinking about switching away from the Github Community Plan to a paid plan specifically because the product is good enough that I want to pay for it.
Also: if you're more inclined to self-host your stuff, you can get the best of both worlds via https://github.com/juanfont/headscale
Good on tailscale for fostering the community and not playing this like most startups would!
from the project page:
https://github.com/juanfont/headscale
>Node registration
> • Single-Sign-On (via Open ID Connect)
> • Pre authenticated key
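The second registration option quoted above, the pre-authenticated key, is the one you reach for when you want nodes to join a self-hosted headscale without any SSO provider at all. The script below is an added example, not code from the headscale project or from anyone in this thread. It assumes the `headscale` CLI of a 0.2x release (the `users create`, `preauthkeys create --user ... --expiration ...` and `preauthkeys expire` subcommands), that the key is the last line of `preauthkeys create`'s default output, and a server hostname of `headscale.example.com`; all three are assumptions, adjust them to your deployment.

```shell
#!/bin/sh
# Added example (not headscale's own code): mint a single-use, short-lived
# pre-authenticated key on a self-hosted headscale and print the command the
# joining machine runs. Assumptions: headscale 0.2x CLI shape, the key being
# the last line of `preauthkeys create` output, and the hostname below.
set -eu

HEADSCALE_URL="${HEADSCALE_URL:-https://headscale.example.com}"   # assumed hostname

# Create the headscale user (older releases called this a "namespace") that
# will own the node. "Already exists" is swallowed so the script is re-runnable.
ensure_user() {
  headscale users create "$1" >/dev/null 2>&1 || true
}

# Mint one key. No --reusable, so it is single-use, and a short --expiration
# (default 30m) so a key that leaks from a chat message or a shell history
# is worth very little. Pass --ephemeral too for throwaway nodes you want
# removed when they disconnect.
mint_key() {
  headscale preauthkeys create --user "$1" --expiration "${2:-30m}" | tail -n 1
}

# The client side: --login-server points the stock Tailscale client at
# headscale instead of the SaaS control plane, and --authkey skips the
# browser/SSO login entirely.
join_command() {
  printf 'tailscale up --login-server %s --authkey %s\n' "$HEADSCALE_URL" "$1"
}

# Hygiene: expire the key explicitly once the node has joined, rather than
# waiting for the timeout.
expire_key() {
  headscale preauthkeys expire --user "$1" "$2" >/dev/null
}

# Only run the flow when explicitly asked, so the functions can be sourced.
if [ "${HEADSCALE_EXAMPLE_RUN:-0}" = "1" ]; then
  user="${1:-homelab}"
  ensure_user "$user"
  key="$(mint_key "$user" 30m)"
  join_command "$key"            # paste this on the machine that should join
  headscale nodes list --user "$user"   # confirm the node appears afterwards
fi
```

Run it with `HEADSCALE_EXAMPLE_RUN=1 sh join.sh homelab` on the host where the `headscale` CLI can reach the server's socket. The security-relevant choices are the defaults: single-use, half-hour expiry, and an explicit `expire_key` after the join, which together keep a pre-auth key from becoming a long-lived bearer credential for your network.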
Could you please elaborate on this solution? I'm not sufficiently knowledgeable about OpenID to quite understand what you mean, but I'd like to avoid any of the mentioned SSO providers, as they're all blocked on my systems for personal use.
Added: Found these as per mention in your post:
[0] https://openid.net/connect/
... so I assume you mean that I could install one of [0-2] along with Headscale [3] to get a similar effect to installing Tailscale, just without those annoying SSO providers? I will see if I can find the time for examining that solution. Anything that can keep MS and Goog away is most welcome