Discussion

I Traced My Traffic Through a Home Tailscale Exit Node

devilbunny: Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight Wireguard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.

stonecharioteer: Wait, tailscale survives connecting to a locked down wifi? That's insane. I remember not being able to use NordVPN at work. I'd just switch to 4G back then. But if you can't initiate a tailscale connection when connected to the office wifi, what does that mean?

comrade1234: Tailscale is interesting. It's built on top of wiregaurd but is different in that it creates a mesh of vpn connections between your devices, rather than just a connection from client to server.I haven't used it because I use witeguard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sorts of my information is vulnerable if I use it.

gpm: While waiting for someone in the hospital I recently played the fun game of "how can I work around their firewall stopping me from connecting to tailscale" that they kindly provided.It was just blocking new connections. Via SNI. Tailscale's control plane turn out not to care if SNI is sent. Tailscale's app let you set a custom control plane... like a local proxy that forwards connections to tailscale's servers without setting SNI.

devilbunny: Initiate while on mobile connection or tethered to one (or just leave it connected from home), use while on that WiFi.

socalgal2: This is my question too... It's concerning to me that everyone one seems to be using tailscale (and maybe cloudflare access) and that I don't see mention of open source alternatives. I'm sure for some network experts the alternatives are obvious? Setup a server somewhere publically available that runs ??? and have it be your auth/rendezvous server.people complain about github being proprietary but I haven't seen much complaint about tailscale being proprietary.I assume I'm just being overly paranoid? It's certainly convenient to just sign up and have things just work.

mrsssnake: My work guest WiFi network allows only IPv4 HTTPS on port 443 and their their own DNS. Everything else, including ICMP (ping) is blocked. Tailscale barely works as any persistant connection is dropped after 2-3 minutes.Called this out and the security team said noone complains, that there is no use case and they do not want to deal with security risks.And the ossification continues.

dheera: A TCP over websockets VPN would be fairly simple to write, or ask an AI to write for you