I can’t praise Tailscale and its developers enough… I discovered this do-it-yourself VPN solution about half a year ago and boy has it improved my life… Here is what I managed to accomplish with it.
I am running Tailscale on my old macbook air, henceforth referred to as my “server”, my two firesticks, and my phones.
*remotely=outside of LAN, so over internet*
-I can access my SMB shares remotely from my phones with OwlFiles and from my M1 Macbook air seamlessly through Finder. All I had to do was enter a simple command on my server in Terminal to add TCP/445 to “Services”. Tailscale then forwards incoming TCP connections on port 445 from within my tailnet to port 445 on my mac’s server. The result is that I am able to mount my 2TB share from anywhere I have internet and manage my files as though I was on my home network. I also have access to my entire media library from VLC installed on all my devices (once again, through SMB). If only I could somehow add my remote SMB shares to Kodi… But Kodi doesn’t seem to allow me to type in custom IP addresses when trying to add SMB shares. Let me know in the comments if you know how to add remote SMB shares to Kodi (the ones it does not detect automatically).
-Similarly, by adding a suitable HTTPS port to my server’s Tailscale services, I am able to manage the Transmission torrent client installed on my server remotely through Transmission’s web interface (while connected to Tailscale, of course).
-I can back up to Time Machine remotely and accessing my Time Machine backups remotely as well. There are a few caveats though. On my server, I had to add a shared folder (from Settings), allow access to it via SMB and mark it as a Time Machine backup destination. The process is pretty straightforward. The trick is to add it as a backup destination THROUGH TAILSCALE by typing in the Tailscale IP of your server or the Magic-DNS domain name. Also, you will not be able to access pre-existing time machine backups through Tailscale! Only the destinations that you initially add through Tailscale. This is why I have two backup destinations on my server - one that I back up to from my LAN and one that I use over Tailscale remotely. Works like a charm!!!
-I can control my server through VNC remotely and seamlessly as if I was connected to LAN. To do that, I had to add TCP/5900 to my server’s Tailscale services (which is akin to opening up TCP port 5900 to incoming connections from within the tailnet). This is particularly useful when I don’t have my M1 mac with me, but need to run Python code inside Spyder. I just turn on my bluetooth/trackpad combo, connect it to my S10+, jack myself into my tailnet, MultiVNC my way into my server and BAM.
-MagicDNS deserves its own praiseful review. Not only did it assign a permanent, simple domain name to all my Tailscale-enabled devices, but it allowed me to configure my own DNS server for Tailscale-connected devices. I was then able to choose custom DNS servers for specific domains, which let me block FireTV updates without compromising my security (The DNS server used for that looks a little sketchy so I don’t want all of my traffic to go through it) and also use AdGuard DNS without breaking Doordash’s Dasher app by routing doordash-specific DNS requests to Google’s DNS and not AdGuard’s. Solid win here, as Adguard’s DNS bricks the Dasher app. Let me know in the comments if you want to see my Magic-DNS configuration.
-FUNNEL: By running a funnel (proxy) on my home server, I am able to access my dad’s Bell Fibe TV channels through their web interface from anywhere on Earth - Bell treats my traffic as if it’s coming from my home network! It will NOT work if you use the mobile app, but works flawlessly from within Samsung Internet, Safari (on mac) and Grazing 3 (on iOS). Also, it’s quite neat to browse with my Canadian IP even when I am travelling (no more annoying “cookie consent” notices when in the EU). I suspect Netflix users could use this sort of setup to get around password-sharing restrictions. I am also running funnels on my firesticks just in case I need more bandwidth.
-SUBNETS: I am running a subnet on my home server so that I could adb into my firesticks and manage them remotely with scrcpy (update apps, install tweaks, etc). Yes, I am not a huge fan of the command line ^^’ . I can also access my wifi cameras remotely from my mac. The desktop app for the cheap chinese ones only allows you to manage them over LAN, but Tailscale takes care of that. Works like a charm!
I am beyond pleased with everything Tailscale enables me to do. It baffles me that this technology is somehow free to use. I am extremely grateful to be a part of the Tailscale community. Thank you!!
Share your ideas and questions in the comments.
Serious question, what makes tailscale so great? Isn’t it just vpn? I have been using wireguard for years and am now seeing everyone saying how great tailscale is but I can’t see any difference between them. If I already have wireguard setup and running, is there any point to look into setting up tailscale?
Not really, no. Tailscale uses wireguard under the hood. It has a nice user interface and makes setting up a split VPN super easy. It also provides relatively easy ways to do ACL between devices. If you already got wireguard set up, you can skip tailscale.
But it is not opensouce and free?
The client is not, no. Wireguard is open source and you can selfhost headscale, which is an open source server for tailscale, provided by tailscale themselves.
The core client code is open source at github.com/tailscale/tailscale. That repository contains the complete source code for the Linux client, and the core code used in all of the other clients. In general our clients are open source for open source platforms and closed source for closed source platforms, but all of them use that same core code. The closed source parts are essentially just signed GUI’s that talk to the same core.
Thanks for clarifying that :)
I have been running wireguard for a couple of years now, with a DigitalOcean VPS setup as the main server.
One thing I’ve noticed, is that specific wg clients will occasionally lose their connection to the wireguard network, and I’ll have to find some way to get to that machine and then a simple ping will re-establish it’s connection, and I can access that system again.
Started using tailscale a few months ago, parallel to the wg network, and have never ran into that issue with the tailscale daemons. I started using ts, as my backend remote to the wg locked out systems to get wg working again, but ts has been so reliable vs straight wg, that I’m now making it my preferred connection preference.
To be clear: I too am using tailscale for its convenience and reliability. While I havent had any issues with wireguard clients, it is interesting to see that there may be cases where switching from wireguard to tailscale can actually still make sense.
For the time being, their recent additions to wireguard-go have increased its performance by nearly double when compared to the kernel version.
From what I’ve read, the patches are currently under revision by zx2c4 for the kernel version.
Oh, that is crazy! I think I should do a bit of performance testing then :)
If you’re already running wireguard and just want a VPN, there isn’t much that you’re missing out on except for convenience when it comes to device management and routing, automatic hostname DNS resolution, and also getting access to more advanced features like meshing and failover LAN/subnet sharing without needing to figure out how to do it in bare wireguard.
Honestly though, it’s free and makes for a great hassle-free backup VPN that just works. I use wireguard as my primary because it’s fully self-hosted, runs at the kernel level instead of within the userspace so it’s faster, and is more native than installing third-party solutions; with that said, I still run tailscale on all my servers as well in case I bork something while editing wireguard configs at any point.
any downsides to running tailscale? seems like it might just be adding risk (though minor) with little upside.
For my situation, as a backup/secondary VPN? I haven’t really noticed any downsides. It’s come in handy couple of times when I messed up the wireguard config on my wireguard server - it’s on an oracle cloud VM and it’s harder to get a local terminal in there in case you lose SSH/remote access, which I did.
One of the biggest things that it helps with is the double Nat dilemma that folks can run into if they’re either behind cgnat or don’t have control of their network management.
The 1st and main reason I use it for, is to avoid port forwarding.
I was also using Wireguard (and OpenVPN) until my ISP let’s me share the ipv4 with my neighbors. Now I need Talescale.
What also makes it great it’s the NAT traversal techniques. I’ve had trouble escaping my school network with plain wireguard (tried different ports and ideas). With tailscale I have never find a network I can’t escape.
It is simple. One click and done.
It’s just the ease of use, Tailscale sets everything up for you, keeps track of IPs so you don’t need to manually define endpoints, and handles NAT negotiation.
Tailscale doesn’t respect local traffic and they have refused to add split tunneling on their Android VPN client. For these simple reasons, I would never take this product seriously.
They don’t do split tunneling? That’s dumb. I ended up going with netmaker a year or so ago instead of tail scale because I didn’t think tailscale was completely selfhost. Then netmaker put their relay functionality behind a paywall so now I’m stuck on an old version and have to decide to update or not.
You must be a very serious person
Could you explain what you mean by respecting local traffic and split tunneling please?
Sure.
So local traffic is how devices in one network communicate. E.g say you have two computers in your home network, as long as they are joined to your wi-fi they can “talk” to each other without any intermediary between them.
Since VPN clients take over your device network, they also setup special rules to bypass your local network so that your device can continue to talk to other devices in your home network.
Tailscale doesn’t setup these rules and instead expects you install Tailscale to the other devices to continue this inter-connectivity. Could be a malevolent move so that they can jack up the number of installs but I think it’s totally dumb.
Split tunneling is a way to tell the VPN client to bypass an app so that the app does not use the VPN network and uses your local network instead.
Thank you!
Honestly I do love tailscale, but every time when I start using it I am just like… meh. I don’t need a bunch of interconnected as I have 1 homelab, and for other stuff like my backup system it goes over v6 so there is no NAT to speak off(just a firewall). And for any remote devices I just use plain wireguard including my always on VPN on my devices.
However I will continue to recommend Tailscale to people who are new to selfhosting and don’t want to deal with all the networking bullshit, and hey if you want to not be reliant on the tailscale control server host headscale.
I mean, if you’re giving up on self-hosting, sure.
Access SMB… what’s the speed you generally get? I have tried it, and I’d be lucky if it gets 8-16 Mbps over 1Gbps up/down on both sides.
Try NFS, it’s usually faster
The speed is pretty good - I can watch 1080p mkv video stored on my server with no issues at all when I’m in Europe (my server is in Canada). I tried watching 4K and didn’t encounter any stuttering either.
Wait till you learn about Wireguard.
Tailscale uses wireguard under the hood
I think you know that I and everyone else knows that.
way easier to just use tailscale
Yeah as long as you want to be tied to a business forever. Just like youtube and netflix increasing rates, it’s only a matter of time. This is the business plan of technology unfortunately. Charge for software that is free to use.
Once it starts to cost anything it will be easy to swap away.
Unlike YouTube and Netflix, Tailscale is a business oriented product. And as some of the others say, it’ll be easy to switch away from it, if push comes to shove.
It is great but ZT solutions like twingate is just so much easier and faster.
Haven’t heard of twingate, but sounds a lot like the same as OpenZiti.
“The result is that I am able to mount my 2TB share from anywhere I have internet and manage my files as though I was on my home network. I also have access to my entire media library from VLC installed on all my devices (once again, through SMB).”
This just gives me the heebie-jeebies.
I am afraid.
Sticking with Wireguard VPN because it’s what I know. Opening up my whole SMB filesystem to the WAN without feeling like I REALLY know how to secure and lock it down: 😟
Boy, can “guerilla” marketing get more obvious?
I started using tailscale a while ago and it is quite nice tbf
What? Is recommending a product you like marketing?
Or is OP affiliated with them in any way?
Haha if I was affiliated with them, I would not be talking about my collection of torrented material LOL
Since you were most definitely just referring to torrenting your fine selection of exquisitely curated Linux distros, I guess we can let that slide. 😇
That’s a very good point 😀
Anyway, I enjoy reading about what people use, proprietary or not, so kudos for the post!
it’s all good! Just wanted to share my experience with this tech. I am not a networking expert at all - just a tinkerer and a lifehacker who is a sucker for simple and elegant solutions. I am not above putting in some elbow grease when necessary though (like when I had to painstakingly modify coffeescript code in my Ubersicht widgets to make them just right without knowing anything about coffeescript haha)
I have a customer pushing 15Gbit/s of their production traffic in a microservices setup through Tailscale - it works fucking great and they’ve never had issues with it.
It’s been a game changer for me also. One feature that no one seems to address is the tailnet lock function. A common complaint is that tailscale being a 3rd party service could see your data (not true). The more valid concern that tailnet lock addresses is the situation where a hacker could add a malicious node – if they were to get access to the control plane. Tailnet lock addresses this by giving complete control plane approval to you. The alternative is to go full self hosted with the headscale implementation, but I personally don’t feel any need to switch at this point.
Can you go into more detail about your Bell Fibe TV setup? Does it only work in a browser or did you find a way to make it work with an Arris box or Android TV device (which, if it’s on the Bell network, should let you watch any channel you subscribe to)?
I’m wondering how IGMP snooping/multicast would work through the tunnel if I wanted to put a box elsewhere.
So the thing is, my dad pays for Bell Fibe Internet and TV and when I am on LAN, I can watch all the channels that the subscription includes from virtually ANY device (firesticks, iphones, androids, laptops, etc.) either by downloading the Bell Fibe TV app from the appstore or by going to https://tv.bell.ca/home. Bell detects automatically that I am connected to the internet through them, as well as my dad’s subscription (no need to log in or anything). I can trick Bell into thinking that I am at home by running a funnel on my server with the help of Tailscale. Now, when I am away from home, the app will only work when I am on wifi AND connected to Tailscale AND using my server at the exit node (funnel). If I am on cellular, I have to use the website I mentioned earlier. The best browsers for that are Samsung Internet on android and Grazing 3 on iOS, since they allow the picture to fill the entire screen. In principle, you should be able to access your subscription from any device that has a web browser and can run Tailscale.
What can Tailscale do that Zerotier can’t?
Attract tech furries with it’s name
thanks for the effort write-up, I’m still trying to wrap my mind around how this works beyond its just magic
Been a techy since a kid, IT “professional” for 12+ years. In undergrad, I had a professor tell me something I will never forget for as long as I live…
“What I’m teaching you is 95% science (physics, electronic engineering theory, FFT, etc.) and 5% magic”
It’s absolutely true that no matter how well you understand how and why something is working, there is still that absolutely small percentage of “holy shit, I can beam a picture of a cat across the entire planet in a fraction of a second while pooping”.
If that isn’t magic, I truly don’t know what is.
FYI: I read this while pooping :)
I am running a subnet on my home server so that I could adb into my firesticks and manage them remotely with scrcpy
Have you set them up over IP, or are they plugged into a device that you manage them from? If IP, are you concerned about people having unrestricted development access to them if they find themselves on that LAN? If they are plugged in, why do you need a subnet for them?