The part I never understood with Tailscale is the ACLs. I wish they put a front end on it to make it easier to configure. But your explanation was pretty good and understandable.
I struggle with ACLs the same. This is why I'm strongly considering netbird, but I haven't had the time to set it up.
It is odd that it isn't more user friendly. I would expect it to be a GUI like Netbird etc. (I have a video on that).
Does Tailscale have a faster connection (through put) than Netbird?
How does the performance compare to using Headscale (is Headscale more performant)?
We need a video for Tailscale vs WireGuard vs Netbird.
Used Tailscale for two years with spotty reliability. I have since moved to Netbird and have had great success. The Netbird routing nodes are brilliant.
Yes, I currently use Netbird self-hosted and it's been reliable.
I tried netbird's mobile app and so far it's terrible. What's your use case?
Another great video! Would love to see more tailscale videos. Something I'm particularly interested in that I haven't found any videos or guides on is the App Connector feature.
I considered looking into it but it stated it was still in beta.
I hope public WiFi do not block tailscale as it's my lifeline for accessing internet and my homelab, it's just that good. With some ACL tutorial I can even get github runners working on my private server.
Hey Jim, thanks for another comfy vid. Can you remind me what you were using (hardware) for your OPNsense router?
It's a VM on my MinisForum MS-01.
Thank you Jim for considering Tailscale. In your previous video about ENTE, which was terrific, I had requested a tutorial of ENTE with Caddy as a sidecar and Tailscale. I think you should make a tutorial. I have struggled myself to do some testing but failed miserably. Your new video will be a part of this and will be very helpful.
I have currently managed Tailscale, Caddy as a sidecar and nextcloud-aio. It's working but with some security and setup warnings inside the Nextcloud dashboard. There is probably some DNS issue with my setup as I am running Docker rootless. So I think Docker rootless misbehaves.
Regards
Very cool! Hoped you'd delve a bit into specific services as well (apps, services, funnel, etc) but nevertheless it's a perfect introduction for newbies to Tailscale!
A question: have you ever used Zerotier, and if yes, would you recommend that instead of tailscale?
Thanks, I will go into those features in the next video. ZeroTier is on the list.
For me ZeroTier is simpler to use; Mikrotik routers have built-in ZeroTier. ZeroTier's minus is 1 admin and 10 devices vs Tailscale's 3 admins and 100 devices for the free version.
@iclaudiu I started out with ZeroTier but just don't have the time to digest the setup for an exit node and subnet routing. Hope Jim will cover it :) Tailscale is more user-friendly though, it was a breeze to set up. Though I really really love ZT and would prefer it. Btw it allows 25 devices for free.
I wish there was a more feature-rich GUI for Tailscale across general GUI-compatible operating systems. This would make it much easier for newcomers and non-UNIX users to navigate, without needing to understand command-line syntax. The current GUI options are too basic: Windows has only a bare-bones interface, and UNIX systems often lack a GUI altogether. Only my Raspberry Pi OS has a GUI option, but even that could be improved.
If Tailscale really wants to encourage more people to adopt UNIX, a more advanced, visually intuitive GUI would help a lot. Most people are used to OS interfaces on Windows, macOS, and Android, which offer full-featured, user-friendly GUIs. A simple network map with icons, usernames, and easy-to-use options would make it so much more accessible. An enhanced GUI would let new users click or check boxes to configure settings without needing to type commands, making the software more appealing and user-friendly.
I agree. Netbird is the poster child currently.
@Jims-Garage ???
@marcus_cole_2 whilst I acknowledge that it's not on the client, the Netbird control plane is self hosted and much simpler to use IMO
That's really cool. Thanks for the vids.
Thanks for watching!
Thanks for the great video! It was really interesting. Have you considered creating a video on how to securely connect to a home lab while on the go using a combination of classical VPNs like Mullvad and Tailscale? This would allow users to benefit from both services, ensuring strong privacy and convenient remote access. I know about the native Tailscale integration with Mullvad but I like to keep my VPN as separated as possible. Cheers!
It's an interesting idea. I can think of reasons to do it for certain activities... But struggling to see a point for a homelab. Definitely sounds interesting though.
@Jims-Garage I personally have my phone connected to Tailscale 24/7 so I can access my Home Assistant instance and other services. I enjoy the added privacy of a VPN but I can see that not everybody is as paranoid about everything as me.
Yet another interesting and, more importantly, informative video. Thanks Jim! I have a bit of wondering around the DERP relay: let's say we have two remote sites which we want to connect. In one of them the node is behind an "easy NAT" and in the other location the node is behind a "hard NAT". Will Tailscale manage to initiate a direct connection in this case? Or would it fall back to DERP?
I believe both need Easy NAT for it to work. Otherwise it goes to DERP. You can also host your own DERP if needed so it doesn't use Tailscale's.
@Jims-Garage Thanks a lot. I need to explore :)
Agree with comments re their ACL page needing a nicer UI, but really impressed with their VS Code plugin, very slick and easy, esp. with the built-in SSH option. Re Netbird: I tried self hosting it but just couldn't get it to work properly. Tailscale also have pretty decent docs and explanations. One downside I found is some corporate networks block access to their control plane server.
What I have understood about Tailscale is that the DERP server is only used when connecting two machines. Those two get a WireGuard tunnel.
It's for when machines cannot make direct connections (as demonstrated).
Great video as always. The part which I don't quite understand is whether it would be possible to 'route' all of our family members' phones/laptops through our local network. So I can see all of the traffic, but they can also access local services like the Synology calendar. So they also get synced without punching a hole in my network for the NAS.
Is it possible to connect to the router? Or do I need to tie every phone to every service?
But then I think they aren't 'on my local network' anymore? So I can't use the policies I've made in UniFi anymore? That would be something I would like to have more in-depth coverage about. Not from a homelab perspective, but from a family privacy and security perspective.
Yes, that's possible. There's an option to allow a client to share LAN access. What that means is it shares the local network to other clients.
Thanks.
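The ACL thread near the top of the comments and the question just above about letting family phones reach the NAS without opening ports both come down to what the policy file says. The following is an added example written for this page, not Tailscale's own code and not from the video: a small evaluator for a Tailscale-shaped ACL policy. The policy, the groups, the users, the device names and the addresses (100.64.0.x tailnet addresses, 192.168.1.10 for the NAS) are all constructed for illustration. It shows why the stock policy is wide open (one `*` to `*:*` rule) and how a tightened policy lets `group:family` reach only the NAS on 443 while anything unlisted is denied.

```python
"""Evaluator for a Tailscale-style ACL policy (added example, not Tailscale's code).

Models the documented shape of the policy file (groups, hosts, acls with
action/src/dst) and the rule that matters most: a tailnet is default-deny, so a
flow is allowed only if some "accept" entry covers it. Users, devices, addresses
and ports are constructed. IPv4 only; autogroups and the ssh section are not modelled.
"""
import ipaddress

# The policy every new tailnet ships with: everyone can reach everything.
DEFAULT_OPEN_POLICY = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}

# Constructed tightened policy: admins reach everything, the family only
# reaches the NAS calendar over HTTPS, nothing else on the LAN.
POLICY = {
    "groups": {
        "group:admins": ["alice@example.com"],
        "group:family": ["bob@example.com", "carol@example.com"],
    },
    "hosts": {"nas": "192.168.1.10", "lan": "192.168.1.0/24"},
    "acls": [
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
        {"action": "accept", "src": ["group:family"], "dst": ["nas:443"]},
    ],
}

# Constructed device inventory: owner, tags and tailnet address of each node.
DEVICES = {
    "alice-laptop": {"user": "alice@example.com", "tags": [], "ip": "100.64.0.1"},
    "bob-phone": {"user": "bob@example.com", "tags": [], "ip": "100.64.0.2"},
    "opnsense": {"user": "alice@example.com", "tags": ["tag:router"], "ip": "100.64.0.3"},
}


def _ip_in(selector, ip, policy):
    """Match a host alias, literal IP or CIDR selector against an address."""
    target = policy.get("hosts", {}).get(selector, selector)
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)
    except ValueError:  # selector is not an address or CIDR at all
        return False


def _device_ips(selector, policy, devices):
    """Tailnet addresses of the devices a group, tag or user selector names."""
    members = policy.get("groups", {}).get(selector, [selector])
    return {d["ip"] for d in devices.values() if selector in d["tags"] or d["user"] in members}


def _src_matches(selector, device, policy):
    if selector == "*":
        return True
    if selector.startswith("group:"):
        return device["user"] in policy.get("groups", {}).get(selector, [])
    if selector.startswith("tag:"):
        return selector in device["tags"]
    if "@" in selector:
        return device["user"] == selector
    return _ip_in(selector, device["ip"], policy)


def _dst_matches(selector, dst_ip, policy, devices):
    if selector == "*":
        return True
    if selector.startswith(("group:", "tag:")) or "@" in selector:
        return dst_ip in _device_ips(selector, policy, devices)
    return _ip_in(selector, dst_ip, policy)


def _port_matches(spec, port):
    """Port spec is '*', a number, a range 'a-b', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(src_device, dst_ip, port, policy=POLICY, devices=DEVICES):
    """True if some accept rule covers src_device -> dst_ip:port; otherwise denied."""
    src = devices[src_device]
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_src_matches(s, src, policy) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, port_spec = dst.rpartition(":")
            if _dst_matches(host, dst_ip, policy, devices) and _port_matches(port_spec, port):
                return True
    return False


def wildcard_rules(policy):
    """Lint: accept rules that let every source reach every destination on any port."""
    return [r for r in policy["acls"]
            if r.get("action") == "accept" and "*" in r["src"] and "*:*" in r["dst"]]


if __name__ == "__main__":
    print("open policy,  phone -> NAS:22   ", is_allowed("bob-phone", "192.168.1.10", 22, DEFAULT_OPEN_POLICY))
    print("tight policy, phone -> NAS:443  ", is_allowed("bob-phone", "192.168.1.10", 443))
    print("tight policy, phone -> NAS:22   ", is_allowed("bob-phone", "192.168.1.10", 22))
    print("tight policy, phone -> router   ", is_allowed("bob-phone", "100.64.0.3", 443))
    print("wildcard rules in open policy   ", len(wildcard_rules(DEFAULT_OPEN_POLICY)))
```

The default-deny behaviour (anything unmatched is dropped) is how Tailscale's ACLs work; the matching helpers are a simplified model and leave out autogroups, the ssh section and route approval. Reaching 192.168.1.10 from a phone also needs a node on that LAN advertising the route as a subnet router, which is a separate step from the policy. The `wildcard_rules` lint is the check worth running before pushing a policy: if it returns anything, the tailnet is still the open default.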
I've been planning for some time to manage the ACLs with terraform
One thing I've tried to set up many times is a Tailscale exit node that exits through a killswitched VPN, but I just can't get it to work. I tried setting it up as a compose stack with Gluetun but no matter what I try, for some reason it just won't work. Any ideas?
(Maybe I should just pay for the built in mullvad VPN but I'd like to be able to use any provider.)
I tried the same thing, but as I use AdGuard DNS on my phone I'm getting an error message...
Any idea?
Not watched yet, I think Tailscale is where I want to go.
Basically though I want to access a Windows machine, to then access the rest; it's what I do on my LAN / at home,
so from remote, basically RDP 🤷
Windows VM, my net
Cheers for the great vids
Not sure if it's just a me issue. I've found the Tailscale Android app is a battery drainer compared to using, say, the standard WireGuard app.
It does make it easy, though I miss the option you get with a traditional VPN where you get access to a full network. Meaning I connect with my VPN client and I can access all the hosts on my network (or what I have allowed in the configuration/firewall).
You can do that. Allow LAN access on the client.
@Jims-Garage perfect, thank you.
Firewalls are usually good and 99% configured to stop incoming traffic. However, if you run services which have to reach the internet you'll inevitably end up with open ports such as HTTP and HTTPS. There is a ton of malware out there that installs through that, and lots of segmented programmes that open tunnels from the inside out. Whatever firewall rules you have, if you don't create specific ones for all the services in/out, your network is still vulnerable. With this being said, will Tailscale help? Traffic is generally encrypted via HTTPS either way...
I'd only use it with Headscale, and the other self-hosted servers needed to even run this, so as not to depend on any of their servers.
As using their services would tell them when my servers are or aren't online, when somebody connects to them or not, and from where.
(And worst case: allow them access into my network too, or some info about it.)
Yes, the privacy trade-off won't work for everyone.
It would help a lot if you could please share the process to turn off the DEEP server on Windows and Linux.
I assume you mean DERP? If so, it's nothing to do with the OS, it's simply due to networking.
@Jims-Garage yes DERP, how do you turn that off... please share the config
@Common-man_life put all the clients on the same subnet and you won't have a problem.
@Jims-Garage if they're on different ones then I have an issue; please share how you are doing the setup, it would help a lot
@Common-man_life I showed how to do it in the OPNsense firewall. You need rules to allow traffic between VLANs.
What about ZeroTier?
On the way soon
Great material. Thank you for sharing your precious knowledge and time for free :)
Glad it was helpful!
You really want to thank him, throw him a few bucks with the Thanks button or become a subscriber to his Patreon. Help feed his sweater addiction!
It's not free. Nothing is free.
Tailscale vs Netbird, I can't decide :(
Tailscale vs NetBird please ;)
They're basically the same, just the management is different. I have a video on Netbird and I still use it personally...
NetBird has a prettier icon on your Windows taskbar.
Jim always amazes me with his quality of video, great explanation. I think Tailscale should have picked you as their "Developer Advocate" rather than that guy at tailscale who makes youtube videos, who struggles when asked about a simple networking question in livestream. Instead of showing actual stuff he shows his face 90% time in the video.
Wow, thanks! I'll have to check out the videos you're referring to.