Avery Pennarun is one of the founders (aka apenwarr.ca). Avery’s one of the most knowledgeable folks about TCP I know and has been building virtual networks of all kinds 20+ years.
"Avery Pennarun is one of the founders (aka apenwarr.ca). Avery’s one of the most knowledgeable folks about TCP I know and has been building virtual networks of all kinds 20+ years."
I really appreciate his (imo) inspired work on 'sshuttle'[1] which he no longer maintains. I really wish this project would get the attention and development it deserves...
As far as I know, the person who took over maintaining sshuttle does a pretty good job - it still works well today on more platforms than ever.
However, I've been thinking that the sshuttle model doesn't completely keep up with the way the world has been going since I first wrote it ~10 years ago. There's a lot more stuff in the cloud now! And you want to be connected to multiple locations, not just a single location, because your team's resources tend to be scattered over many locations.
Tailscale is a more modern approach based on a similar philosophy: minimizing setup time and complexity, while relying on an existing mature layer for the cryptography part so we can't screw it up.
(And yes, it's funny trying to argue both sides in a thread where I'm competing with myself :))
A few people have been asking about Raspberry Pi support. We don't exactly "support" it yet but we can send an armv7 binary for you to play with if you ask after signing up. I'm told it works for, say, streaming a home webcam directly to your phone :)
https://motion-project.github.io/ made it really easy for me to setup a webcam on my Raspberry Pi. Accessing that using HTTP over WireGuard (via Tailscale) from my iPhone when out of the house was one of those "delight and amaze" moments.
Looking at your site, I’m confused by two of the features:
It says “Zero trust” and “Identity via SSO”. Given that the WireGuard protocol operates on keypairs, if I’m identifying via SSO, what system is converting my authorization into a keypair? How are existing devices in my network gaining my public key to communicate with me? The description of “Zero trust” given also doesn’t really align with the actual definition of zero trust ( https://en.m.wikipedia.org/wiki/Zero_Trust ); the description talks about device visibility.
We integrate with existing identity providers (for instance, GSuite, Okta, Ping, AD) to perform authentication and generate keypairs. Public keys are shared via a coordination server (and each device's private keys never leave it). There's an (optional) additional layer of authorization required in which an admin reviews the endpoints asking to connect. A combination of user and machine certificates makes it possible to ensure that both the users and machines are managed properly.
So, basically, we're enabling the "enforcement" side of identity and policy management at the networking layer, with visibility into users and their devices.
I hope this helps! Please keep the questions coming.
I’m still trying to square the concept of “zero trust” here. The private keys never leave my devices, but the TailScale service is responsible for distributing public keys (which is what makes network access possible between my new system and another system).
If I’m understanding correctly: I open the TailScale app on my device, and auth to the TailScale platform using SSO. My device makes a private key, and sends my public key to TailScale. In the default mode, the TailScale platform gives me back the pub keys for other devices in my network, and gives my pub key to those devices. In the optional mode, an admin has to go into the TailScale platform UI and approve my device.
If that’s correct, in both modes, TailScale could compromise my traffic by making their own keypair and doing the pub key sharing process. Because it’s TailScale that’s responsible for validating my SSO before accepting my pubkey, and it’s the TailScale platform admin interface that’s responsible for deciding that an admin approved my device (if that feature is enabled), TailScale can just inject their own pubkey into my network. Am I missing something? Because that would be the opposite of “zero trust”.
Your analysis is correct, your machine has to trust the Tailscale auth server. I think that this is compatible with the technical definition and spirit of Zero Trust. To elaborate:
In the typical web-only BeyondCorp scenario, a network is Zero Trust because every connection is done over TLS and clients are validated by client-side certificates. These client-side certificates are not hand-typed by administrators into computers, instead they are trusted because they are signed by a CA root. "Zero trust" means zero trust in the network wires, all identity is confirmed with some sort of cryptographic certificate.
In the Tailscale model, a node trusts the Tailscale auth server because it presents a trusted certificate, and so is trusted to distribute endpoint public keys. A compromised Tailscale auth server compromises the network, in much the way a compromised CA root compromises an mTLS network.
For larger customers we are planning a self-hosted version of our auth server (so we are out of the trust loop), and want to publish the protocol we use for communicating with it for general inspection.
Interesting. If you’re actually using “Zero trust” to attempt to convey “zero trust architecture”, in the BeyondCorp sense, I’m more confused than before.
The central premise of BeyondCorp and similar approaches is about no longer trusting based on network location, and instead always performing trust based on device identity and other factors. This is why PKI plays such a pivotal role in BeyondCorp: your organization’s CA signs certificates, which are present on every device, and that combined with additional forms of user authentication enables trust regardless of network location. Leveraging a WireGuard VPN is largely a step “backwards”; it moves back towards a VPN-style world where you allow access by requiring endpoints to step inside a conceptual network boundary (by connecting to the VPN). In practice, the Wireguard model has several advantages over that, but it’s explicitly different from the BeyondCorp/Zero Trust approach.
Edit to clarify:
“Zero trust architecture” doesn’t refer to whether endpoints trust a central service/provider, it refers to whether corporate assets base their trust determinations on the origin point of client traffic. For example, in a non-Zero-Trust environment, corporate assets might assume clients connecting from the local network are trusted, and require roaming users to VPN in. By contrast, a Zero-Trust environment might use MDM-provisioned certificates and MFA on all connections, regardless of the network placement of the endpoint.
“Zero trust” as colloquially used by service providers tends to mean “you don’t have to trust us”. This is largely because “zero trust architecture” doesn’t really make sense as something a provider provides, and also because providers have latched onto “zero trust” as a buzzword.
I have not heard the colloquial use of "zero trust" by service providers you mention. The baseline Tailscale product is not "you don't have to trust us" as we run the auth server. The variant of our product where you run your own auth server does have this property, but it is not the default arrangement.
We do use "zero trust" in what you describe as the architectural sense, and I do not think leveraging WireGuard is a step backwards at all. When one node wants to communicate, it establishes a WireGuard tunnel to the node it wants to talk to. That WireGuard tunnel only moves packets for talking to a single node, to talk to another node you establish a new tunnel.
There is (in our default and recommended setup) a 1-1 relationship between a public key for an endpoint its IP address. That public key was linked to a corporate SSO account by the auth server. That means when you send or receive a packet from the private IP range Tailscale manages, you know exactly the identity of the source or destination of that packet.
If you configure a Tailscale node to route a subnet, you remove some of the BeyondCorp-style Zero Trust from your configuration. This feature exists to help companies transition to Zero Trust, and is not something I want to see as a final state for anyone's network. The end goal is Tailscale running on every node in the network.
> If you configure a Tailscale node to route a subnet, you remove some of the BeyondCorp-style Zero Trust from your configuration. This feature exists to help companies transition to Zero Trust, and is not something I want to see as a final state for anyone's network. The end goal is Tailscale running on every node in the network.
If the goal is to not use Tailscale as a standard SDN, and instead run it on every node with independent tunnels between nodes, when would I pick this vs using a service mesh that includes service discovery?
Is Tailscale intended to be a service mesh for the average Joe?
When creating an SDN or mesh, it's often preferable to separate local nodes (e.g. same datacenter) from remote nodes (e.g. different regions). How does Tailscale handle widely varying latency across the mesh?
That is a really good question. I like the line "service mesh for the rest of us." But I want to take the time to get this side of the product right, so the service discovery features we have been working on will be rolling out slowly.
I wonder if Tailscale will offer something similar? I don't know the lift cost to do a 'sharealike' network controller but perhaps if it is not burdening their network more than a line in a DB somewhere, they might be willing to do something similar.
So, is this basically a service which simulates a managed VPN, but establishes secure P2P connections between devices to maximize throughput? If so, I'm very curious about pricing.
Yes, it uses point-to-point connections and there's no VPN server to install. We're still figuring our pricing, but for now you can try it out for free if you put your name on the waiting list.
-- a person who did not expect our site to hit HN quite so soon
- If both devices are under a NAT the packets flow relayed through a server? (or in cases where direct connection can be established somehow)
- And if direct connection is available (both in the same LAN) the flow is direct? (reducing latency)
If yes, is this done automatically?
If I'm not mistaken this what Logmein Hamachi does. I experience low lat/high speed in the LAN and in a few cases high latency in some devices (due the "relayed mode"), when direct link is not established.
Good part is that it seamless for the end user... best case is found automatically and transparently.
This concept seems interesting and I want to know more.
Unfortunately, I'm getting a large amount of friction trying to join your newsletter. Why do I get a reCAPTCHA to 'verify I'm human' if I've already typed my email in, then clicked the confirmation link? I have uBO and noscript to stop most sites trying to get me to enter my email into their modals, but for the site I actually want I'm being pushed through unnecessary hoops...dang you mailchip.
We're getting an influx of new waitlist subscriptions right now (most likely due to this post trending on HN). I have a feeling mailchimp has noticed something's up and thinks it's a DoS attack. Oops.
Just by my understanding after reading the front page, it means I can ssh into my Android phone (on LTE) from a desktop computer from another location.
Since most mobile network providers block listening to sockets on the phone, server applications (to the internet) cannot be hosted on mobile phones. Does it mean Tailscale app always run in the background and keeps an active connection to Tailscale servers? Wouldnt it negatively impact the battery of the phone?
Install the software on each machine you want in the network, servers and clients. Any machine in your network can connect to any other machine when it wants to send a packet.
The protocol is pure wireguard, but it's a little tricky to generate direct configs for it from the Tailscale network, for various reasons I really should write up in a blog post.
Thanks for this. I was planning a similar setup with udpspeeder and possibly an anycast core with fallback to e.g. iodine if the network is that broken. This was motivated by things like to ~80% downstream packet loss my grandma's DOCSIS 3 link had (likely due to bad wiring in her apartment complex, as DVB-C was similarly impacted), which broke things _hard_. I quickly went to dialing aria2c way up in powerpill for archlinux package upgrades. Other times I have dual/triple/quadruple homed hosts (to be fair, I won't have the quad-homed host for a while, because it's dual-provider LTE + wifi + 1000BASE-T, LTE + 2.4G wifi + 5G wifi + 1000BASE-T, or some other dual-mode wireless that will require hacking two cards into the laptop and for wifi also getting a 2.4 vs. 5.8 diplexer so the cards can share the same antennas without interfering with each other too much.
Congrats on the launch!