The part I never understood with Tailscale is the ACLs. I wish they put a front end on it to make it easier to configure. But your explanation was pretty good and understandable.
I struggle with ACLs the same. This is why I'm strongly considering netbird, but I haven't had the time to set it up.
It is odd why it isn't more user-friendly. I would expect it to be a GUI like Netbird etc. (I have a video on that).
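Since the thread above is about ACLs being hard to approach, here is a small worked policy as an added illustration; it is not from the video or from any commenter. It is written in the HuJSON form the Tailscale admin console accepts (JSON with comments), and every user, tag and port in it is constructed for the example. The point to notice is that there is no allow-everything rule: with only these two entries present, any connection they do not mention is denied.

```json
{
  // Constructed example policy (not the video's or Tailscale's own).
  // Who is who: groups are lists of tailnet users.
  "groups": {
    "group:admins": ["alice@example.com"],
    "group:family": ["bob@example.com", "carol@example.com"]
  },

  // Only admins may apply the tag:nas tag to a device.
  "tagOwners": {
    "tag:nas": ["group:admins"]
  },

  "acls": [
    // Admins can reach every port on tagged NAS devices.
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:nas:*"]},

    // Family members can reach only the HTTPS port on the NAS
    // (for example a calendar app). Nothing else is granted, so
    // SSH, SMB and the rest are denied for them by default.
    {"action": "accept", "src": ["group:family"], "dst": ["tag:nas:443"]}
  ]
}
```

A fresh tailnet ships with a single rule of `"src": ["*"], "dst": ["*:*"]`, which allows everything; replacing it with scoped rules like the two above is the step that turns the policy into a least-privilege one. Tagging servers rather than listing them by name keeps the rules stable when devices are replaced.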
Does Tailscale have a faster connection (through put) than Netbird?
How does the performance compare to using Headscale (is Headscale more performant)?
@Greg.M I've had generally horrible performance over Tailscale. Could never figure out the root cause; it didn't seem to have anything to do with my hardware or networks.
@theglowcloud2215 ... with Netbird, how was your performance (in comparison)?
Used Tailscale for two years with spotty reliability. I have since moved to Netbird and have had great success. The Netbird routing nodes are brilliant.
Yes, I currently use Netbird self-hosted and it's been reliable.
I tried netbird's mobile app and so far it's terrible. What's your use case?
Another great video! Would love to see more tailscale videos. Something I'm particularly interested in that I haven't found any videos or guides on is the App Connector feature.
I considered looking into it but it stated it was still in beta.
We need a video for Tailscale vs WireGuard vs Netbird.
What would you like to see? I've covered all of those.
I have seen your videos about Netbird and now Tailscale, but I would like to know which would be your choice between Netbird, Tailscale and WireGuard, and why. Right now I use WireGuard and so far it has worked very well for me, but is it worth changing to Netbird, for example?
@Jims-Garage It would be great to see how they differ.
I know they’re similarly marketed and do many of the same things, but they do some differently and have somewhat different focuses (kind of like GitHub vs GitLab).
Both seem like great options, but are there specific reasons why I should want either in specific situations?
That's really cool. Thanks for the vids.
Thanks for watching!
Great video, Jim. Thank you. Are you going to expand on this? Say, integrating Tailscale with Traefik and so on?
I might do. As long as you allow LAN, set your DNS resolver correctly and don't have overlapping networks, it should just work.
Thanks for the great video! It was really interesting. Have you considered creating a video on how to securely connect to a home lab while on the go using a combination of classical VPNs like Mullvad and Tailscale? This would allow users to benefit from both services, ensuring strong privacy and convenient remote access. I know about the native Tailscale integration with Mullvad, but I like to keep my VPN as separated as possible. Cheers!
It's an interesting idea. I can think of reasons to do it for certain activities... But struggling to see a point for a homelab. Definitely sounds interesting though.
@Jims-Garage I personally have my phone connected to Tailscale 24/7 so I can access my Home Assistant instance and other services. I enjoy the added privacy of a VPN, but I can see that not everybody is as paranoid about everything as me.
Thank you, Jim, for considering Tailscale. In your previous video about Ente, which was terrific, I had requested a tutorial on Ente with Caddy as a sidecar and Tailscale. I think you should make a tutorial. I have struggled myself to do some testing but failed miserably. Your new video will be a part of this and will be very helpful.
I have currently managed Tailscale, Caddy as a sidecar and Nextcloud AIO. It's working, but with some security and setup warnings inside the Nextcloud dashboard. There is probably some DNS issue with my setup as I am running Docker rootless, so I think Docker rootless misbehaves.
Regards
Very cool! Hoped you'd delve a bit into specific services as well (apps, services, funnel, etc) but nevertheless it's a perfect introduction for newbies to Tailscale!
A question: have you ever used ZeroTier, and if yes, would you recommend that instead of Tailscale?
Thanks, I will go into those features in the next video. ZeroTier is on the list.
For me ZeroTier is simpler to use; MikroTik routers have built-in ZeroTier. ZeroTier's minus is 1 admin and 10 devices vs Tailscale's 3 admins and 100 devices for the free version.
@iclaudiu I started out with ZeroTier but just don't have the time to digest the setup for an exit node and subnet routing. Hope Jim will cover it :) Tailscale is more user-friendly though, was a breeze to set up. Though I really really love ZT and would prefer it. Btw it allows 25 devices for free.
Hey Jim, thanks for another comfy vid. Can you remind me what you were using (hardware) for your OPNsense router?
It's a VM on my MinisForum MS-01.
Great video as always. The part which I don't quite understand is whether it would be possible to 'route' all of our family members' phones/laptops through our local network. So I can see all of the traffic, but they can also access local services like the Synology calendar, so they also get synced without punching a hole in my network for the NAS.
Is it possible to connect to the router? Or do I need to tie every phone to every service?
But then I think they aren't 'on my local network' anymore? So I can't use the policies I've made in UniFi anymore? That would be something I would like to have more in-depth coverage about. Not from a homelab perspective, but from a family privacy and security perspective.
Yes, that's possible. There's an option to allow a client to share LAN access. What that means is it shares the local network to other clients.
I wish there was a more feature-rich GUI for Tailscale across general GUI-compatible operating systems. This would make it much easier for newcomers and non-UNIX users to navigate, without needing to understand command-line syntax. The current GUI options are too basic: Windows has only a bare-bones interface, and UNIX systems often lack a GUI altogether. Only my Raspberry Pi OS has a GUI option, but even that could be improved.
If Tailscale really wants to encourage more people to adopt UNIX, a more advanced, visually intuitive GUI would help a lot. Most people are used to OS interfaces on Windows, macOS, and Android, which offer full-featured, user-friendly GUIs. A simple network map with icons, usernames, and easy-to-use options would make it so much more accessible. An enhanced GUI would let new users click or check boxes to configure settings without needing to type commands, making the software more appealing and user-friendly.
I agree. Netbird is the poster child currently.
@Jims-Garage ???
@marcus_cole_2 Whilst I acknowledge that it's not on the client, the Netbird control plane is self-hosted and much simpler to use IMO.
Agree with comments re their ACL page needing a nicer UI, but really impressed with their VS Code plugin, very slick and easy, esp. with the built-in SSH option. Re Netbird: I tried self-hosting it but just couldn't get it to work properly. Tailscale also has pretty decent docs and explanations. One downside I found is some corporate networks block access to their control plane server.
What I have understood about Tailscale is that the DERP server is only used when connecting two machines. Those two get a WireGuard tunnel.
It's for when machines cannot make direct connections (as demonstrated).
Yet another interesting and, more importantly, informative video. Thanks Jim! I have a bit of wondering around the DERP relay: let's say we have two remote sites which we want to connect. In one of them the node is behind an "easy NAT" and in the other location the node is behind a "hard NAT". Will Tailscale manage to initiate a direct connection in this case? Or would it fall back to DERP?
I believe both need easy NAT for it to work. Otherwise it goes to DERP. You can also host your own DERP if needed so it doesn't use Tailscale's.
@Jims-Garage Thanks a lot. I need to explore :)
Great material. Thank you for sharing your precious knowledge and time for free :)
Glad it was helpful!
You really want to thank him, throw him a few bucks with the Thanks button or become a subscriber to his Patreon. Help feed his sweater addiction!
It's not free. Nothing is free.
I hope public WiFi does not block Tailscale, as it's my lifeline for accessing the internet and my homelab; it's just that good. With some ACL tutorial I can even get GitHub runners working on my private server.
It does make it easy, though I miss the option you get with a traditional VPN where you get access to a full network. Meaning I connect with my VPN client and I can access all the hosts on my network (or what I have allowed in the configuration/firewall).
You can do that. Allow LAN access on the client.
@Jims-Garage Perfect, thank you.
Not watched yet, I think Tailscale is where I want to go.
Basically though I want to access a Windows machine, to then access the rest, as I do on my LAN / home,
so from remote, basically RDP 🤷
Windows VM, my net
Cheers for the great vids
You have to make up your mind soon :)
While you're at it, maybe test out Twingate as well
I now have Tailscale running on Windows, Linux and iOS! Any recommendations for a low-power Tailscale peer device that I can run economically, energy-wise, 24x7 in a remote location to serve as an exit node?
@unmesh59 A cheap, second-hand mini PC from eBay? An old laptop? An old Pi?
@Jims-Garage I have all three as spares! Would a Pi Zero W have enough processing power to push through, say, 10 Mbps if it was running no other "applications"?
@unmesh59 I don't know ... You could test locally. It might be able to.
@Jims-Garage I tried it and it works!
@unmesh59 awesome, thanks
I've been planning for some time to manage the ACLs with Terraform.
I'd only use it with Headscale, and the other self-hosted servers needed to even run this, to not depend on any of their servers,
as using their services would tell them when my servers are or aren't online, when somebody connects to them or not, and from where
(and worst case: allow them access into my network or some info about it).
Yes, the privacy trade-off won't work for everyone.
Can you make a video on how to connect this on TrueNAS Scale with something like Nginx or Traefik and Cloudflare? I want my network secured with this setup on my NAS; would be dope.
@InsaiyanTech I will consider it. Essentially you want the LAN option enabled on the client.
@Jims-Garage Yeah, I just want to keep my NAS at least local but without any ports open. From what I read, if you do this option (Cloudflare into the Tailscale IP into Nginx to TrueNAS), technically no ports are open and everything is still local.
One thing I've tried to set up many times is a Tailscale exit node that exits through a kill-switched VPN, but I just can't get it to work. I tried setting it up as a compose stack with Gluetun, but no matter what I try, for some reason it just won't work. Any ideas?
(Maybe I should just pay for the built-in Mullvad VPN, but I'd like to be able to use any provider.)
I'm trying to figure this out as well, but it's over my head and beyond my knowledge. Sadly I'm in the same boat.
Are you using an IBM Model M keyboard?
@tompaah7503 Sadly not, but it's a custom mechanical.
🎉
Thanks.
I tried the same thing, but as I use AdGuard DNS on my phone I'm getting an error message...
Any idea?
Not sure if it's just a me issue. I've found the Tailscale Android app is a battery drainer compared to using, say, the standard WireGuard app.
Firewalls are usually good and 99% configured to stop incoming traffic. However, if you run services which have to reach the internet you'll inevitably end up with open ports such as HTTP and HTTPS. There is a ton of malware out there that installs through that, and lots of segmented programmes that open tunnels from the inside out. Whatever firewall rules you have, if you don't create specific ones for all the services in/out, your network is still vulnerable. With this being said, will Tailscale help? Traffic is generally encrypted via HTTPS either way...
What about ZeroTier?
On the way soon
It would help very much if you could please share the process to turn off the DEEP server on Windows and Linux.
I assume you mean DERP? If so, it's nothing to do with the OS; it's simply due to networking.
@Jims-Garage Yes, DERP. How do you turn that off? Please share the config.
@Common-man_life Put all the clients on the same subnet and you won't have a problem.
@Jims-Garage If they're on different ones then I have an issue. Please share how you're doing the setup; it would help very much.
@Common-man_life I showed how to do it in the OPNsense firewall. You need rules to allow traffic between VLANs.
Tailscale works well with devices with root access. But it is not reliable on CI/CD platforms where root access is not permitted. If anyone is planning to use Tailscale to deploy to a private server through the Tailscale network, use a private self-hosted CI/CD runner instead.
Tailscale vs NetBird please ;)
They're basically the same just the management is different. I have a video on Netbird and I still use it personally...
NetBird has a prettier icon on your Windows taskbar.
Tailscale vs Netbird, I can't decide :(
Jim always amazes me with the quality of his videos, great explanation. I think Tailscale should have picked you as their "Developer Advocate" rather than that guy at Tailscale who makes YouTube videos, who struggles when asked a simple networking question in a livestream. Instead of showing actual stuff he shows his face 90% of the time in the video.
Wow, thanks! I'll have to check out the videos you're referring to.