Make your own VPN with Fly.io, tailscale and GitHub (github.com/patte)
332 points by m3at on May 24, 2023 | 143 comments



I did a similar thing with a cheap VPS and Wireguard. I don't trust Tailscale, and prefer controlling all aspects of my VPN. Right now I'm only using a single node, but it would be trivial to start another in a different region, and automate the whole thing.

If someone's interested, this blog was very helpful: https://www.procustodibus.com/tags/wireguard/


> https://github.com/juanfont/headscale

The tailscale daemon/CLI/client code is already open source and works with the above as the control server.

The tailscale team appear to be encouraging development of headscale too:

"Our opinion is that Headscale provides a valuable complement to Tailscale: It helps personal users better understand both how Tailscale works and how to run a coordination server at home. As such, Tailscale works with Headscale maintainers when making changes to Tailscale clients that might affect how the Headscale coordination server works, to ensure ongoing compatibility."

> https://tailscale.com/opensource/

Personally I find WireGuard and tailscale/headscale to be extremely complementary, and with these you don't cede any control vs running WireGuard on its own.


I'm aware of Headscale and Tailscale's stance on open source. I just don't trust it that it's not phoning home or leaking data. In general, I prefer avoiding complex tools in this space. Zerotier, etc.

Besides, Wireguard alone already does all I need from a mesh VPN. The UX could be a bit better, but I wouldn't trade ease of use for the peace of mind that my VPN traffic is secure.


I am manually managing a mesh network, but as the number of nodes gets larger, copying config entries is getting a tad tedious. And it's sending 'you are probably doing it wrong' signals. How do you/others manage a WG-only (no third-party) mesh network? Have you written any config scripts (bash/PowerShell/Python) to add entries to some master config?


We use a Python Fabric script to automatically generate the conf and deploy it to each server when a new server, or client user, is added to the wireguard network.

The master config is essentially the Fabric script. It contains each server's IP, public key, etc. We even do server-server pre-shared keys.
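A minimal stand-in for the approach described above, written here as an added example in POSIX shell rather than the commenter's Fabric script: one master list of peers (name, tunnel address, public key, endpoint) is turned into a full-mesh wg-quick config for any node, with a per-pair pre-shared key and only each peer's own tunnel address in AllowedIPs. The peer names, addresses, endpoints and key strings are constructed placeholders, and the private key is deliberately left as a placeholder so it never has to live in the shared list.

```shell
#!/bin/sh
# Added example (not the commenter's Fabric script): build per-node WireGuard configs
# for a full mesh from one master peer list. Every name, address, endpoint and key
# below is a constructed placeholder; in a real deployment the public keys come from
# `wg pubkey`, the pre-shared keys from `wg genpsk`, and private keys never enter
# this list at all.

# Master list, one peer per line: name  tunnel-address  public-key  endpoint(host:port)
PEERS='
alpha 10.7.0.1/24 ALPHA_PUBKEY_PLACEHOLDER= alpha.example.net:51820
beta  10.7.0.2/24 BETA_PUBKEY_PLACEHOLDER=  beta.example.net:51820
gamma 10.7.0.3/24 GAMMA_PUBKEY_PLACEHOLDER= gamma.example.net:51820
'

# Name of the pre-shared key for a pair of peers, independent of argument order,
# so both ends of a tunnel reference the same key. The placeholder stands in for
# the `wg genpsk` output you would store in a secrets file keyed by this name.
psk_for_pair() {
    pair=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | tr '\n' '_')
    echo "PSK_${pair}PLACEHOLDER="
}

# Print the wg-quick style config for one node: [Interface] for itself, then one
# [Peer] block for every other entry in the master list (a full mesh).
gen_config() {
    node="$1"
    self=$(printf '%s\n' "$PEERS" | awk -v n="$node" '$1 == n')
    if [ -z "$self" ]; then
        echo "unknown peer: $node" >&2
        return 1
    fi
    set -- $self                           # $1 name, $2 address, $3 pubkey, $4 endpoint
    printf '[Interface]\n'
    printf '# private key is read from a file kept outside the master list\n'
    printf 'PrivateKey = <contents of /etc/wireguard/%s.key (placeholder path)>\n' "$node"
    printf 'Address = %s\n' "$2"
    printf 'ListenPort = %s\n' "${4##*:}"
    printf '%s\n' "$PEERS" | while read -r name addr pubkey endpoint; do
        [ -n "$name" ] || continue         # skip blank lines
        [ "$name" != "$node" ] || continue # a node is not its own peer
        printf '\n[Peer]\n# %s\n' "$name"
        printf 'PublicKey = %s\n' "$pubkey"
        printf 'PresharedKey = %s\n' "$(psk_for_pair "$node" "$name")"
        printf 'AllowedIPs = %s/32\n' "${addr%/*}"   # only that peer's tunnel address
        printf 'Endpoint = %s\n' "$endpoint"
        printf 'PersistentKeepalive = 25\n'
    done
}

# Usage: ./mesh.sh alpha > alpha.conf   (run once per node in the list)
[ $# -eq 0 ] || gen_config "$1"
```

Restricting each [Peer] to a /32 in AllowedIPs is what keeps the mesh honest: a peer can only claim its own tunnel address, so a compromised node cannot quietly attract traffic meant for another. Adding a node is one new line in the master list and a regeneration of every config.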


Same. Wireguard is so easy to set up I don't see why I would need anything else.


Tailscale uses Wireguard, but offers so much more on top. I used to think the same, but I think I was mixing it up with Zerotier; had a play with it and now think it's pretty great.

For example, you can set ACL rules for which devices can access which others (or the internet, if you have explicit exit nodes). It's using Wireguard for networking, but you can't do that with (just) Wireguard; it's not just 'make Wireguard easier to set up', which, as you said, doesn't really need doing.


I see. I use firewalls to control which devices can access which others. To each their own.


This is a chud "Dropbox is just rsync" attitude.

There's value to some to having networking config centralised like that. It allows things like auto adding certain clients to certain rules/groups automatically.

Not spending time cycling through each server to poke iptables.


My computers are behind firewalls and I need Tailscale to do the NAT punching. I don't see another tool that does the job as well as Tailscale.


The hub and spoke configuration bypasses firewalls and NAT, which WG can do natively.

Though doing this "well" is subjective, so I can understand someone preferring Tailscale because it's easier to use.


Not familiar with WireGuard per se, but AFAIK it's using UDP packets, which get translated/mapped just fine by any NAT implementation. Nothing in need of punching, IMHO.

If your access concentrator (server) is behind a NAT, you'll need a port forward from the outside, but that's rare.


Tailscale builds a mesh, where the participants can communicate directly, so it's common for all nodes to be behind a FW that does NAT. There is a very interesting blog post from Tailscale about all the trickery they pull to reliably deal with NAT: https://tailscale.com/blog/how-nat-traversal-works/


i stand corrected. thanks!


> I just don't trust it that it's not phoning home or leaking data.

This is just irrational. The client is open source. You can build it and run it from source.


"This is just irrational."

The sentence following the one about phoning home/leaking data explains the rationale. The computer user prefers simpler software. It's great that it's possible to compile a client provided by Tailscale from source, but this does not address the complexity issue.^1

Is the Tailscale control server open source? Why not? What's the rationale for that?

There's no problem IMHO with arguing Tailscale can make its own decisions and do whatever it wants. However the same argument must apply to the computer user. He can make his own decisions and do whatever he wants.

1. Wireguard was allegedly written at least in part because OpenVPN, another open source option, was excessively complex. Tailscale relies on Wireguard. If avoiding complexity was irrational, and people behaved rationally, then perhaps Wireguard would not have been written and Tailscale would not exist.

Avoiding complexity where possible sounds rational to me.


Headscale is the open source central server for Tailscale. It implements the same protocols etc., and when you use the Tailscale client with it, it only connects to the login server you gave it.

The official reason for why there's no official open source server is that Headscale got there first, before the Tailscale team could turn (their words, not mine) the unholy mess that was the production server into something people could compile and deploy themselves.


> This is just irrational. The client is open source. You can build it and run it from source.

Something I don’t understand is if the client is open source, why is it not in the fedora repos? Why do I need to add a new repo to dnf?


Unless you want to deal with Fedora's release cycle, you're not going to push software through their repos. This isn't a Tailscale thing, this is a "just about everyone" thing.


>Something I don’t understand is if the client is open source, why is it not in the fedora repos? Why do I need to add a new repo to dnf?

Just because one group of people hasn't done something doesn't mean it doesn't qualify. To show the exact opposite, look at OpenBSD. They have included Wireguard in their kernel.

Fedora not including Wireguard may be political, personal, or none-of-the-above. Maybe somebody hasn't offered to take on that task/responsibility.


I'm not sure if GP was referring to a wireguard package or a tailscale one. But to complete the picture, there's also a tailscale package in OpenBSD's repos.


To be fair, I'm not familiar enough with Tailscale to claim that it does any of these things. I know that parts of it aren't OSS, but can be replaced with a 3rd-party alternative that is.

Even so, software being open source doesn't make it inherently trustworthy. I would have to look into it, or trust that the community has done due diligence. My default stance towards all software is to not trust it, which can change as I get familiar with the project.

And then there's the complexity. I prefer using simpler tools if they accomplish what I need. It's less surface area for me to trust, and less chances for bugs. Not that Wireguard is necessarily simple, but since Tailscale is a wrapper around it with additional features, none of which I need, I'm perfectly fine using WG directly.


I've been running wireguard on my own for a few years. I like it, but wish there was a better GUI.

I tried installing headscale. I didn't feel like I got the immediate rush of "cool, I have the baseline thing working" without reading the docs. And, I needed to use this for a GUI: https://github.com/gurucomputing/headscale-ui. I love the command line and am happy to use that, but I'm unsure if there is a benefit to headscale over wireguard if I'm already doing command line management.

I just read this article on tailscale vs. openziti and it mentioned netmaker (a YC company). I tried installing it, but out of the box, the "DNS" did not seem to work correctly (I could not use the machine.netmaker local alias, and not sure why not).

Is anyone here a power user that also benefits from a full fledged GUI? Is tailscale the only option there? I prefer to self-host whenever I can, despite loving tailscale and the people behind it.


Which tailscale vs. openziti article out of interest?



Tailscale is P2P which is nicer than a VPS as a hub and spoke approach.

But one thing that Tailscale didn't do well (at least early on) is performance. It's user space Go, which seemed to cap the data transfers when I tested it out. I would prefer a really fast data transfer P2P so I could use Tailscale in between my web server and DB.


> It's user space Go, which seemed to cap the data transfers when I tested it out.

Compared to another VPN? I’d be curious to know whether the kernel mode byte shuffling solves that problem. But even so, a kernel module is a pretty big ask only for connectivity.

In my experience, UDP in general isn’t as performant in practice as one would think. Not saying you can’t push the limits, and even outperform TCP, but to do so with a reliable cross platform way isn’t exactly trivial today.

All my benchmarks (albeit user space) have shown that pushing bytes over UDP has a higher CPU overhead, and that's even if you omit retransmission, congestion control, etc. etc. (i.e. just push garbage bytes). And even if your CPU can handle the throughput, the congestion control can still bite you for god knows what reason. When I ran QUIC benchmarks they got deprioritized in the presence of TCP traffic. Don't know all the reasons why (sorry, just didn't have the time), but at least to me TCP wins the bang-for-the-buck-throughput-on-commodity-hardware category, hands down. Maybe this changes with platform-specific optimized vectored IO, but that alone would be a huge effort. No, the more time I spent on it, the more I appreciated all the things TCP gives me for free, and its remarkable resilience in complex conditions. I am also happy I don't have to worry about bulky 3p libraries. This is what the OS is supposed to do, IMO. So this UDP-hype-renaissance we've seen over the last years is a bit premature, or at least not as obvious as people hoped (including myself).

Another fun fact (for anyone who read this far): contrary to popular belief p2p TCP isn’t harder to do than UDP, not really.


The problem with TCP compared to UDP is when you do VPN over links where there's some amount of round trip time. I routinely run VPN over 300+ ms ping times, and any TCP-based VPN suffers dramatically when doing a TCP connection through that TCP-based VPN. Switch to a UDP-based VPN and the problem disappears (easy to test by using OpenVPN and switching the configuration between TCP and UDP, but I've tested with other types of VPN as well). When you're closer to home the problem disappears.


Thanks, yes this makes a ton of sense.

Another thing I wondered about is how much CPU overhead VPNs add, and how it performs when maximizing throughput. (Not Tailscale but a “regular” one with kernel packet switching). Do you have any experience with that?


I only use OpenVPN regularly. My internet connection is either 100Mbit or 1Gb both up and down, but depending on where I am the actual external bandwidth varies; mostly it's around 50Mbit end-to-end, subjectively. If I send data at max speed through the network then I observe that OpenVPN may use quite a bit of CPU (maybe up to around 40% of one core (i7-7500U)), but it doesn't limit the transfer speed I get compared to when I do a direct transfer without VPN. Interestingly, on long latency lines (when I go OpenVPN from Japan to Europe) I often get better and more consistent performance when going through OpenVPN (configured to use UDP).


Usually VPNs in Linux push IP (TUN) or Ethernet (TAP) frames between the nodes, so you really need to be using UDP, or else you are going to have problems with running TCP over TCP and the congestion algorithms conflicting with each other. OpenVPN, which supports TCP, refers to this problem as TCP meltdown and advises using UDP where possible (https://openvpn.net/faq/what-is-tcp-meltdown/). VPNs that use TCP as the transport layer could try to special-case TCP handling, treat them as a flow and just transport the TCP data streams instead of the IP packets, but you would still be left with issues when you are transferring UDP across TCP, which is not ideal.


Thanks! I don’t have a lot of experience with VPNs but for sure UDP is much better suited for packets which is the abstraction layer that VPNs operate on.

> VPNs that use TCP as the transport layer could try and special case TCP handling and treat them as a flow and just transport the TCP data streams instead

Yes! An interesting observation is that TCP composes really well, i.e. relaying works excellently. However, for VPNs it'd be nesting TCP, which melts down quickly.


>> But one thing that Tailscale didn't do well (at least early on) is performance.

AFAIK currently user space wireguard-go is faster than the kernel implementation due to improvements[1] that landed there, such as Generic Receive Offload (GRO) and TCP Segmentation Offload (TSO).

[1] https://tailscale.com/blog/throughput-improvements/


netbird is quite similar and uses kernel WireGuard if one of the peers has a publicly accessible IP, or both are on the same subnet.


I wonder how hard it would be to create a STUN server for netbird.


For my self-hosting I do the same thing; works great. I used this article: https://www.linuxbabe.com/ubuntu/wireguard-vpn-server-ubuntu I use AWS Lightsail for my VPS.


But, but ... Nordvpn


> I don't trust Tailscale...

To be clear, nothing specific to Tailscale right? Just generic prudence?


The Tailscale client is open source but the server is not. Also, it is not solely a VPN service; it also allows remote access to your machine for admins. I don't like that at all.


To be clear you're (as the person setting up Tailscale) the admin in that scenario - and you don't have to allow it.

There is a third-party OSS server they let the official client work with. Similar to Bitwarden/Vaultwarden.


Do you know how to disable the remote access to other people in your organization (by default)?

I don't usually do admin stuff, nor do I unfortunately know much about network setups, nor do I know about the specifics of the Tailscale setup.


In addition to setting ACLs, you can start the tailscale client in "shields up" mode, where it adds a local rule preventing connections from other nodes to yours. Of course that's not perfect (there are ways to avoid it that if blocked would in turn break legitimate uses by you) but it's there.



I also use wireguard on a vm for my VPN needs. I also use it to connect a few servers together.

I tried the open source tailscale alternative netmaker which is quite nice but in the end I found it unnecessary for my 5-6 hosts since the wireguard stuff for me is basically set-it-and-forget-it. (I chose netmaker because it also uses wireguard.)


But, but ... nordvpn?


nordvpn (or maybe something more trustworthy than it, like mullvad) is the complete opposite of just routing all your traffic through your own vps, it changes your public IP address making tracking you harder (obviously opsec is important there with browser fingerprinting etc).

If you always go to your own vps then that IP address is tied to you, typically via a credit card.


buy a bunch of giftcards from home depot (or wherever) with cash. wear a mask and glasses if you're really worried.

use those to pay for VPNs, like PIA or Mullvad.



`until` is great. I use it to remind me if Docker Desktop isn't running when I try and deploy an app:

until docker info > /dev/null 2>&1; do echo "docker isn't running..." && sleep 2; done


How is that different from `while !`?


It's not, except it's a bit nicer to type


'until' executes the statement before the condition. while checks the condition first.

Should have probably let you find this out for yourself.


> 'until' executes the statement before the condition.

This is not the case. From the Open Group Base Specifications Issue 7, 2018 edition, 2.9.4 Compound Commands, The until loop:

    The format of the until loop is as follows:

    until compound-list-1
    do
        compound-list-2
    done

    The compound-list-1 shall be executed, and if it has a zero exit status, the until command completes. Otherwise, the compound-list-2 shall be executed, and the process repeats.


This is wrong. You must be confusing it with the do..while construct we find in some programming languages.

until indeed seems like syntax sugar for while !, I don't think there's a difference.
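The two claims above disagree about when `until` tests its condition. The following added example (not from any commenter) settles it in POSIX sh by counting how many times a loop body runs when the condition already holds, and rebuilds the docker-wait loop from the top comment with a constructed `probe_service` function in place of `docker info` (and no sleep) so it runs offline.

```shell
#!/bin/sh
# Added example: `until` evaluates its condition BEFORE every iteration, exactly
# like `while !`; the body never runs first. All functions here are constructed
# for the demonstration and stand in for real commands such as `docker info`.

# Body run count when the condition is already satisfied at loop entry.
# A do..while-style loop would report 1; POSIX `until` reports 0.
until_iterations_when_already_done() {
    n=0
    until true; do n=$((n + 1)); done
    echo "$n"
}

# The same loop written as `while !`, for comparison.
while_not_iterations_when_already_done() {
    n=0
    while ! true; do n=$((n + 1)); done
    echo "$n"
}

# Constructed stand-in for `docker info`: fails until it has been probed
# READY_AFTER times, then succeeds (exit status 0).
PROBES=0
READY_AFTER=1
probe_service() {
    PROBES=$((PROBES + 1))
    [ "$PROBES" -ge "$READY_AFTER" ]
}

# The pattern from the comment above, minus the sleep: keep probing until the
# service answers. Prints the number of probes it took.
wait_until_ready() {
    READY_AFTER="$1"
    PROBES=0
    until probe_service; do
        :   # real code would `sleep 2` here before retrying
    done
    echo "$PROBES"
}

# Usage: ./until_demo.sh   (prints 0, 0, 4)
until_iterations_when_already_done
while_not_iterations_when_already_done
wait_until_ready 4
```

The first two functions both print 0, which is the whole point: because the condition is checked first, a service that is already up costs exactly one probe and zero loop bodies, so the only difference between `until cmd` and `while ! cmd` is readability.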


I tried using this or a similar repo to set up a Tailscale exit node on Fly.io before.

The downside is that my traffic never went direct; it was always relayed via a Tailscale DERP node, as Fly.io machines were only accessible via anycast, and so a direct connection from Tailscale on my machine to the exit node on Fly.io couldn't be established.

So performance wasn't as great (and I felt bad about using up Tailscale's DERP bandwidth, as a free user).


> it was always relayed via a Tailscale DERP node

Fly.io or not, this was an issue I always ran into with Tailscale.

They talk a big game about NAT punching, and using various UDP shenanigans to get around P2P connection formation issues, but at the end of the day, most of my connections were via DERP, even with fairly trivial firewall configurations.


i really like 'DERP mode'


how to circumvent this? chisel? UDP hole punching?


Tailscale works hard to do all this stuff automatically.

Possibly you'd have more luck on a network where your client can allow incoming UDP connections on the Tailscale port, and so the exit node would be able to establish a direct connection.

But for a Tailscale peer I have running on AWS ECS, I can open the UDP port there, so a direct connection always happens regardless of what sort of network my Tailscale clients are on. I don't know if there's any Fly equivalent to get a direct connection to a UDP port.


Yes, fly.io allows you to expose a UDP port. See the fly.toml [1] in the repo. Make sure the tailscale port is pinned [2] to the exposed port (41641 in that case).

I just tested it again and the connections are made directly (after the first 2-3 packets go via DERP):

    tailscale ping fly-ams         
    pong from fly-ams (100.96.123.32) via DERP(ams) in 15ms
    pong from fly-ams (100.96.123.32) via [2604:1380:4601:d605:0:6c3b:eed5:1]:41641 in 12ms

    tailscale status
    100.96.123.32   fly-ams              patte@       linux   active; offers exit node; direct [2604:1380:4601:d605:0:6c3b:eed5:1]:41641
    100.101.54.36   fly-hkg              patte@       linux   active; offers exit node; direct [2605:4c40:95:4eed:0:40f0:67b1:1]:41641
[1]: https://github.com/patte/fly-tailscale-exit/blob/main/fly.to...

[2]: https://github.com/patte/fly-tailscale-exit/blob/main/start....


On AWS you could also enable IPv6.


This is cool, but you should really understand what you're in for if you choose to do this. In particular, running your own VPN does not enhance your privacy posture, and in fact makes it much worse, because your little cloud VPS is uniquely yours and yours only. You become much more fingerprintable, and any sufficiently determined sysadmin can easily manually trace your cloud instance's IP back to you.


When did virtual private network come to be conflated with pseudo-anonymous Internet access? The sponsorships and ad campaigns all over the internet?


Yeah, marketing. Also, I had the same point / question: what do you really get out of this aside from possibly confounding local network attackers if you’re e.g. out at a coffee shop? This seems like a really bad idea if you’re doing something that would get you a DMCA strike, as now their automated systems can just email legal@vps-provider and get them to give up your billing info to sue you.


Censorship circumvention? Not everyone on this planet lives in your particular country. I also trust third-party VPNs and VPS providers (however dodgy they may be) a lot more than I trust my own ISP. That fact alone will tell you all you need to know.


What other utility do these VPNs that are hosted somewhere (like a random fly.io machine) offer? I have a VPN server running in my living room to access my home network when I'm out and about, but I don't see why you'd set one up just randomly somewhere unless you were interested in the masking aspect.


This is great to escape untrusted/unknown local networks like a dodgy coffee shop or something. But definitely no protection against state level threats, etc.


>dodgy coffee shop

This is why TLS exists. Just set up DNS over HTTPS and you'll be fine :)


Isn't the problem that the exit IPs will be flagged / blocked, meaning at best you'll get a ton of captchas etc.? I have set up personal Wireguard VPNs with Algo[1] before on DO, and while they work fine, they cause a lot of friction for that reason.

1: https://github.com/trailofbits/algo


That is because DO is one of the most abused cloud providers; the reputation of their IPs is awful.


I've experienced that DO servers sometimes get blocked from speaking to the DO API (because they are running Cloudflare!).

It's hilarious to me that DO doesn't trust DO servers (and their customers).


I've set up OVH with OpenVPN. Sometimes I get captchas, but not very often.


Similarly good experience with Hetzner (dedicated; my IPs change no more than once every 4-5 years) and Oracle Cloud (Italy).


I've recently built something similar [0], but the complete opposite. I wanted to forward traffic onto my homeserver without a public IPv4. I've tried Tailscale Funnel, but the inability to use custom domains made me look for other solutions. I ended up with a fly.io app acting as a TCP proxy over Tailscale. Considering how crappy the setup is, it's surprisingly reliable. Great job fly.io and Tailscale teams! I haven't had any issues in the month or so I've been using it.

[0]: https://github.com/vakabus/flyio-tailscale-gateway


Have you considered using Wireguard for this? It's relatively straightforward, see: https://www.procustodibus.com/blog/2020/11/wireguard-hub-and...

This way you don't depend on a VPN provider, and can easily host it on any VPS. I suppose it would work on fly.io as well.

I use the hub and spoke setup to access my home network over the internet, and Wireguard works great.

This also doesn't require any special gateways or DNS setup. All connected hosts just use the DNS server on my main router, which resolves all internal domains.


Wireguard to this day does not handle IPv6 correctly. When connecting to a domain with A and AAAA records it stupidly prefers the A one.

Which works horribly on 464XLAT providers, as now you're routing your VPN traffic over an IPv6->IPv4 proxy. While that's fine for outgoing stuff, it breaks all incoming stuff as soon as you put your phone to sleep, as nothing can send stuff your way anymore.


Ah, that's a shame. How does Tailscale work around it?

I don't use IPv6, so this hasn't been an issue for me. It sounds like a relatively simple thing to fix, though.


Tailscale makes outbound connections so it circumvents the need for IPv6 with things like CGNAT.

OP, why not use an open source equivalent to Tailscale Funnel? For example, I work on the OpenZiti project and we created zrok.io, which is a fully open source alternative - https://github.com/openziti/zrok.


I apologize, it's in the DNS handling of Wireguard's iOS app. I've seen it being reported many times but no action.


I do something similar but with HAProxy and a micro GCE VM which acts as my edge which hits a Tailscale subnet router and routes to my MetalLB install. Works _really_ well.


Had seen this one before. Not bad. Not so fond that it was using Debian, as their base is much bigger than necessary.

They also have caddy-tailscale which directly connects a tailnet IP with Caddy as a proxy. The development has stalled as it seems, but works.


How much does it cost to run on fly.io? I know fly has some free usage but haven't looked into it much


You can have 3 tiny VMs for free and 160GB of outbound traffic, which is more than enough for me. So I am paying only $2 per month for the IPv4.


Why the IP? This isn't really necessary, unless you're also considering inbound traffic to be routed to a node into your tailnet. You are more likely to get GeoIP'd in the US due to the IP you get assigned.

Note: Asian region does not offer the full 160GB, but only 20GB IIRC, like HKG and NRT.


This seems like a bad idea for torrenting. Using a service with a billing account in your name seems like a really easy way to get subpoenaed and taken to court. The benefit of services like Mullvad is the “small fish in an ocean” aspect that you lose with running your own VPS.


Either this is not in your threat model or you're seeding prolifically, which even then only means you're a whale in an ocean.


I recently did the same thing with AWS, using the CDK to make it easy to add and remove regions [1]. I use it to hop my traffic around as required.

[1] https://blog.scottgerring.com/automating-tailscale-exit-node...


It is unfortunate that many GeoIP providers will just use Fly.io's Chicago address even when the nodes are somewhere entirely different in the world.

You sometimes get lucky and get something that doesn't resolve to United States, and sometimes the IPv4 is US, while IPv6 is correctly the location, or vice versa.


Submit corrections then; just a bit annoying.


Due to the way that they do the IP assignment, they keep changing, though.

Fly.io is aware of it but not something that's resolved.

https://community.fly.io/t/regional-ips-dont-seem-to-be-in-t...

> Geo IP databases are very inaccurate for companies like ours. Some of our IPs are registered with RIPE 3, and thus default to Amsterdam. The geo IP providers might choose to use our corporate address for those instead, but then they’ll show in either Chicago or Delaware.

> Meanwhile, we can put IPs anywhere in the world with a one line config change. We won’t, but the IAD IPs could just as easily be routing to Sydney tomorrow. We could even route it everywhere!

> traceroute and mtr are the only real way to see where a given connection is being routed. You can usually see city names and airport codes in the intermediate hops.

> IP databases don’t actually try to solve this, they’re mostly interested in identifying consumer locations. The ISP’s business address is often good enough for consumer IPs.


Huh, okay, I assume ipinfo.io's location for fly is more accurate than other geo services then, considering they get location with pinging probes


Thanks for the shoutout. Yes, we get our geolocation data via probing. [0]

[0] https://ipinfo.io/blog/probe-network-how-we-make-sure-our-da...


TIL the complexity of VPN is still higher than my desire to self host. I've run OpenVPN in very complex configurations across multiple datacenters for companies, I've worked on distributed systems and networking tech for decades but honestly all of this is still very much in the, too painful to setup, state. I'm playing around with Tailscale Funnel now and the tsnet package in Go, that's pretty nice. Embedding headscale or running it separately seems like a huge effort but I like that I can programmatically build things on Tailscale.

More and more I'm just thinking stuff like what Signal did with a proxy server makes sense. Run a bunch of proxies, hide the complexity. Maybe default it in the browser. Maybe I'm old, who knows.


If you care about simplicity, you should try our managed public IP address service called Hoppy. We give you clean IPv4 /32 and IPv6 /56 blocks, and don't block ports allowing you to even host a mail server.

https://hoppy.network


Clean meaning? And 1TB for $8/mo is pretty bad IMO; bad speeds too.

Also not clear where it's located.


If you like tsnet, you will probably like the open source project I work on called OpenZiti. It's an open source overlay network that allows you to embed zero trust networking and SDN into almost anything - https://github.com/openziti. This includes tunnelers for all popular OSs as well as SDKs for many languages incl. Go, Java, Python, C, C#, Node, etc. etc.


Nice, thanks for sharing! I'm sort of interested in what the tech could enable if it's invisibly deployed and used within an app.


If you just want to run a simple wireguard vpn from fly.io, without tailscale, I wrote a script to spin one up[0]

[0]: https://github.com/magJ/fly-wireguard-vpn-proxy


Outline[1] is significantly easier to use. They have out of the box support for AWS, GCP and Digital Ocean. You can have your own VPN setup on digital ocean for $5 a month, and you can generate keys and share the VPN with friends/family who then only need to download the Outline app on their device. I have zero affiliation with outline but it's an incredibly useful tool, I was looking to build something similar when I discovered it.

[1] http://getoutline.org


Is this a script to set up a cloud provider box as a VPN to tunnel your traffic through, or something else?

Outline is part of Jigsaw, which is a part of Google. Is it truly private?[0][1]

[0]: https://getoutline.org/faq/ under the "Outline Brand" section

[1]: https://github.com/Jigsaw-Code/?q=outline Jigsaw's Github with the Google affiliation.


It's private in that it's your own VM you're running the VPN on. No one else has access to it. Whether you trust Google or not, it's all open source[1].

[1] https://github.com/Jigsaw-Code/outline-server


Perhaps easier to set up, but not in use, and a single exit point. The setup given allows you to easily scale into other regions. Also, authentication is done using Tailscale, so no sharing of config or keys. Just invite them to your tailnet or share the server to their tailnet.


It's also very easy to use, it's just a normal VPN. You open the app and hit connect and you're connected. Outline is also very easy to add new regions to, you can deploy a VPN anywhere AWS, GCP, or Digital Ocean have data centers in, and you can use the one liner install script to install it in other cloud providers.

Tailscale is cool for sure but it also requires a third party involved in this. Outline has no third party server component. For almost everyone Outline is much easier to setup and use.

> so no sharing of config or keys. Just invite them to your tailnet or share the server to their tailnet.

It's the same level of effort as outline. Outline manager has a button that generates an invite that someone else just puts into the outline client and now they have access to your VPN. You can revoke keys and do all the things you'd expect to be able to do, but again with no third party involved.


I added updates at https://github.com/spotsnel/tailscale-tailwings to make this more 'practical' by adding Dante to allow slightly more control to just have a browser exit a node, etc.


Thank you gbraad! I added a link to your fork to the README.


Much appreciated. My image has a slightly different twist. Might be helpful to others.

Plus, from time to time, I will contribute back. Making sure upstream still works.


I use a combination of Tailscale and Nord Meshnet on Raspberry Pis that I have set up at my home and family home in different countries as my personal VPN. Home country does not have a good relationship with VPNs and the commercial VPN services discontinued their servers there. So now I get a clean residential IP from my family home when I want to surf from that country.


I have set up Outline on AWS for when I travel. It’s shadowsocks so it works well in some countries.


Is anyone aware of a tailscale-supporting router?

In order to easily watch region-restricted content, I want to put all entertainment devices in my house on a separate wifi router, and run all traffic through a chosen tailscale exit node.


I believe the GL iNet portable ones can. They’re made for travel.

https://docs.gl-inet.com/en/4/tutorials/tailscale/


Sweet, thanks! This looks like it'll require very little tweaking. Nice!


I'm not, but you could use vanilla Wireguard either directly to the exit node, or to another device (a little Pi or something) running Tailscale as a ... relay node, I think they call it.


Thanks, that's a nice trick for watching from a computer... I have dumb / closed devices, and devices belonging to kids that I don't want to touch. Hence the whole separate-wifi-AP thing.


Sorry, I glossed over it, but not just from a computer - many more routers have Wireguard support than Tailscale (if any do at all, I don't know).

So you could do exactly as you planned, just with the router -> exit node (or router -> some Tailscale relay as an extra step to provide that interface) as plain Wireguard.


There's tailscale support for OpenWRT, or if you want something beefier you can install it on VyOS.


I didn't know! An openWRT router with tailscale is perfect... thanks!


Cool but what is the threat model here? Why do this?


Some people are subscribing to Netflix in Argentina because it's cheaper. Or in Ireland for a wider catalog.


I thought about using a VPN for better privacy, but with browser fingerprinting so rampant now, I figured that this would be pointless.


So I could use this to set up my own private cloud in a distributed environment where my servers are far from each other?


AFAIK, you just need tailscale for that.


I hope they will not stop us from doing this.


Disclosure: I run a commercial VPN service.

If all you need is to "change your IP" for some specific purpose, this and many other tutorials out there can accomplish this task for <$5/month. You are in complete control and have to trust no-one. However be aware of the following downsides:

1. You are mapping your traffic 1:1 to the VPN IP address, that you are the sole user of. This will do virtually nothing for pseudo-anonymity as your original ISP assigned IP will be quickly linked to your new VPN IP by every single shady data broker out there as you lose the benefit of "being lost in the crowd" when you share VPN exit IPs with hundreds/thousands of other people.

2. If you do anything shady that results in a LE subpoena or a DMCA, it's like you were not using a VPN at all. The cloud provider will hand over your details instantly.

3. Many sites block data-center ranges. You will not be able to use most streaming services, and random websites like Papa Johns, Home Depot, banks, gov websites, Ticketmaster, etc. Not all ASNs are banned, but many are. Commercial VPNs can (and do) re-route traffic using "residential looking" or actual residential IP addresses to combat this.

4. Performance MAY not be great. VPN providers do quite a bit of Linux kernel tuning in order to get high(er) throughput.

Depending on your use case, the above may not matter but if you plan to use this 24/7, be prepared to be annoyed.


> You are in complete control and have to trust no-one.

I mean, you have to trust the VPN for reasons you enumerate in (1):

> This will do virtually nothing for pseudo-anonymity as your original ISP assigned IP will be quickly linked to your new VPN IP by every single shady data broker out there as you lose the benefit of "being lost in the crowd" when you share VPN exit IPs with hundreds/thousands of other people.


It would be suicidal for a commercial "non logging" VPN to keep track of IPs + timestamps. It also costs money to store this (best DB is no DB), and does not guarantee 1:1 mapping even if it was in place as exit IPs are shared by multiple users at any given moment.


It is suicidal only if there's a way to get caught. Also, the full picture of the finances involved isn't always clear: the VPN business may be just a front for some other much more profitable shady business.

Besides, post-Snowden, it is silly to still believe in such claims as non-logging. There are many high-probability possibilities:

- it is a legitimate business but a secret court order compelled it to install a tap and feed it to a secret government agency.

- it's not a real business but actually a secret government security agency's slush-fund-funded cyber intelligence warfare operation.

- it's an unscrupulous mafia-funded business running a massive hacking/blackmail operation masquerading as a business.

- it's an unscrupulous shady business that's harvesting and selling your personal data to black market data brokers.

...and so on. The possibilities are endless.


You're not wrong. All of those are possible. However some countries are better than others for some points you raised. For example, Canada has no NSL (National security letter) equivalents. We cannot be compelled to covertly log some/all of our users with the current laws on the books. Of course this can change in the future.

Shady businesses are out of scope when it comes to laws, but that's true for any industry. There are ways to protect yourself, if your opsec warrants it, by "double wrapping" and using 2 separate VPN providers simultaneously.

Greed is also a huge factor. Dishonest providers can implement all kinds of SDKs into their software and 2-3x their revenues. This is why it's important to use VPNs that offer open source apps you can audit and compile yourself, which would protect against some obvious violations, but one can do all kinds of evil shit server side without the end user ever knowing.


- your own IP becomes an exit node for other users of the VPN (or for other proxy services offered by the VPN company)


There’s no way to inspect whether or not a VPN logs IPs, and even if the exit IPs are shared, the VPN necessarily knows that your IP connected to some remote IP and can log that information irrespective of the exit node. As for the cost of log storage, we’re talking about 64 bits of data per connection—you can log a billion connections for less than $0.25 per month.


Does a commercial VPN service help to access American banking websites from abroad? Oftentimes, banks just lock accounts when accessed from foreign IPs. I understand banks' concern about hacking. Or just spin up wireguard on a home-based router, then VPN into the home network?


If your use case is to access home content/services while abroad, spinning up a WG server at home, or even using Tailscale "exit node feature" (https://tailscale.com/kb/1103/exit-nodes/) would accomplish what you need.

On a commercial side, we take reports from users. If someone tells us bank X doesn't work from VPN country location Y, we can fix that in minutes.


Thank you for your reply.


Thank you for putting all these points down so I can just link people to this comment.


"If all you need is to "change your IP" for some specific purpose, this and many other tutorials out there can accomplish this task for <$5/month."

But using your ControlD service, OP can get it for $0/month, right?


Nope, that will cost $4/month :)

Also, Control D is a DNS service, not a VPN.


Got it. But the $4/month isn't just DNS, right? It also proxies traffic so you can spoof geolocation?


Indeed. DNS-only is 1/2 the price.

Just be mindful that despite it being able to spoof your location, SNI is still in the clear. https://en.wikipedia.org/wiki/Server_Name_Indication


> your original ISP assigned IP will be quickly linked to your new VPN IP by every single shady data broker out there

Are you aware of anyone actually offering this service? If so, hit me up, my email address is in my profile.


Literally any social network, ad network or any of these https://whotracks.me/companies/reach-chart.html


I'm interested specifically in correlation of VPN to real IP addresses, not generic data gathering.


To promote freedom, and avoid complications such as issue number two, we should also recommend users pay by cash.


If you're the only user, performance should be amazing.


Probably, in theory, yes.



