I am not an IT professional and I am not a beginner. You managed to use just the right level to be perfect for me. I just loaded Tailscale on 5 of my devices and working up the nerve to add it to my Terramaster NAS (scary 😮) if I mess up my 11 TB data store. I just heard about Tailscale two weeks ago. I do home automation with several small Linux machines (Raspberry PIs and Inovato, Quadra). It appears Tailscale will fix a lot of holes in my system. THANK YOU
I used to use Hamachi, Teamviewer, Zerotier One, and Twingate to connect between my home PC and office PC. None of that can beat Tailscale. Its just works. And very low ping. Which is important because I connect mainly using VNC (windows to windows). Tailscale really solve my connection issue.
Great video! This was definitely much easier and smoother than other previous attempts. Seems like Tailscale just works. Thanks for sharing this, Christian.
Seriously, dude. I was watching so many videos lately about remote access/vpn to connect to my RPi Jellyin from outside of my network and NOTHING worked. YOURS though was easy as f**k ^___^ Cheers man. Looking forward to access my library now on holidays ;)
Great video Christian. From a security perspective it sounds like a hackers dream....compromise one node and have secure access to all the other nodes. I can see the use case for it for homelabs and remote access where you know each node is safe but from a business perspective I don't think it's a good idea. At least with the traditional VPN gateway you can implement 2FA and make sure it is enforced. Keep up the the good work.
One key thing is that you can configure the access rights each node (or group of nodes) has to other nodes - so you can easily remove the default configuration of all nodes being able to access all other nodes. This allows you to set up a configuration where staff with 2FA logins can access all or some of the deployed systems all from a single config file, which is pushed out to all the managed nodes.
You can, and should, use ACLs with tailscale. You can go very fine grained with this. As for ID management, there is 2FA on azure, google... I don't see your point.
Yeah, that "magical fix-all" doesn't shout "Secure!" to me. I think I'll try the hard way, seems to get more control of what actually happens. Thank Christian for an interesting video tho!
Looks cool, but you do give up a lot on your security and have to trust them not to mess up and not to collaborate with any government, or is it open source and you could also run your own private master server? (obviously this doesn't guarantee much, but still....)
You can't run your own tailscale server, it's all based on the service. However, it's not like you would send any traffic to their servers and the private keys never leave your devices.
well that's the point. I can see why they have this as a service. For poeple who don't care about security, can't host themself a coordinator or are too lazy, but why aren't they giving a Community Edition of the coordinator ?? Just this fact make me suspicious. I use to enjoy your viddo but this time I found wayyyy to enthousiast about a solution that rely on a service held outside of your control. Yes that's sound a great set of techno put together, would I give up the security and privacy of my assets for that ... No way. I think you haven’t been clear enought about that risk in this video. Anyway keep the good stuff, I, usualy like your contents 😊
Well, maybe it's just me, but I like good managed services and I don't care much whether it is open-source or not, as long is they have a fair and transparent service model. Proprietary software isn't necessarily worse or less secure than open-source, at least in my opinion. I talk quite enthusiastic about it because I really am 😁. However, I understand why some people have a different and stronger stance on privacy and open-source than me, and thats totally fine, I can respect that. Hopefully I always find a way to make interesting videos about services like this, even though you won't use it for security or privacy reason. So thanks for the open and honest feedback, bro!
I'd love to see the follow up video about Magic DNS. If you happen to have a qnap NAS I'd love to see a user friendly Video on how to get tailscale up and running. Cheers and keep up the great work.
exit nodes run only on Linux clients , you should activate IP forwarding and then run tailscale up --exit node and login to the portal and check the Linux node and go to the subnet routing and enable exit node on the portal , all other clients will be able to see it as exit node and when you click on windows or mac clients to use exit node , all traffic will go through your exit node.
What about SIP Phones, like Yealink? Got a local Telephone System on one Location, and Phones on 3 other Locations. Actuall we Use Sophos Firewalls that are connected together.
Tailscale will negotiate a path between both devices, so they can find each other and send traffic. In scenarios where there's no path existing, it can use the relay servers.
@@christianlempa thanks, so if the firewalls and NAT are in effect on both ends, relay server it is ? Are there bandwidth limitations if a relay server is used ?
Very cool. This was my introduction to Tailscale and I’m impressed. I’m going to give it a try. However one of the Mail reasons I’ve gotten into home lab stuff is reducing the dependency on others. Based on subscription details looks like your still dependent on tailscale the company. Is there any way to fully self host the solution?
When I try mounting my Synology shares to my desktop “connect to server” on my Mac, it asks for a password. Every password I’ve tried associated with my NAS doesn’t work. Which password do I need?
Would love a video on the built-in DNS functionally. Also could I buy a vps on DO and have it ONLY be accessible via tailscale, and what about Docker containers, can i have Those only on tailscale?
I am new to networking and VPN. I want to be able to connect to my devices from anywhere. They are in my garage in which I can only create a wireless network since I cannot get any internet cables in there. My best bet, as far as I know, is to have a router that can be configured to TailScale but having sim card or using 4G LTE USB modem. If anyone has any suggestions for me, let me know please. The router I was planning to get is Beryl AX (MT-3000) which supports TailScale.
I haven't done a comparison, yet. However I think that the architecture of tailscale is pretty good. Of course it is a hosted service where you need a google/m$ or github account so you need to give some trust to these companies. However, for the security side the wireguard protocol is pretty solid and the privatekeys are never shared with tailscale. So technically they are able to redirect your traffic but not able to decrypt it, which is a nice option. I know that zerotier offers a self-hosted solid so in a direct comparison zerotier would win obviously, but that doesn't mean you would need to worry about using tailscale. Hope that helps 😄
If you need Layer 2 connectivity and protocols beyond the IP stack you can run inside Zerotier network cause every zerotier network acts like a Layer 2 Switch , hope it is clear ..
One thing is causing me trouble. When I installed and started tailscale on my server. My server is able to connect to internet. When I installed on my laptop and mobile. When I am connected to tailscale, I loose internet. How to fix this ? I want to be able to use tailscale to create usable domain names for my servers to share with others. I know tailscale is for private communication. But this seemed possible as well. I read about exit nodes tried to configure that as well. But it didnt' work
Unfortunately it's hard to hear you with the ridiculous music playing. Aside from that, how is this easier than setting up PiVPN? Install PiVPN, connect to PiVPN, access everything on your network. No need to manually setup individual devices/nodes as you seem to have to do with Tailscale. By comparison Tailscale seems incredibly laborious.
Yea, it’s just one of those programs that saves you a few extra clicks. But in return you open a massive security door, and open all your traffic to their servers that are probably glowing.
In all cases I would recommend 2-factor authentication, but seems someone with access could share a device to their own network and gain access that way. Just something to be aware off..
I did not understand about 13:45, I have a wg server on my vps, the issue is I need that since i have portainer etc but my dorm wifi blocks the wg server port thus I should not-blocked ports and have a lot of different .conf files for every peer.. with tailscale as I understood, he understands that fw or nat is blocking it and ? would just find another port or switch over to tcp? Did i miss something? Thank you very much
Hi, does anybody know how to install SSL certs on nextcloud with Tailscale? I have enabled SSLon Admin panel and I have generated crt and key file by tailscale, What should be further steps? I have nextcloud hosted on LXC Container on Proxmox, installed by snap.
The one thing that drives me nuts and Im not sure there is a workaround is if other devices are on the same LAN, your device will over travel over Tailscale instead of your Local LAN. I noticed this when using a node as a subnet router. I would guess thats the computer making the decision but there doesnt seem to be a workaround...well from what noticed.
That shouldn't be the case, if both devices are connected to the same LAN, tailscale will figure out the fastest path between them. I've tested it in my local network and it works pretty well.
@@christianlempa Yeah I dont get it. while connected with the windows app, I did some traceroutes and it takes the tailscale path everytime. I mentioned this to support and they said its somewhat expected behaviour but will look into see what they can do. Iv seen a number of posts with the issue. There is kind of a work around but doesn't always work which is make the advertised subnet one mask less so if my LAN is /24 mark it as /23. Dont think it works for Linux though.
Hi Christian, Another great video. 2 quick questions. 1) Which are the differences between Tailscale and ZeroTier? 2) With Tailscle am I able to get on all machine the same public IP (as would be with a "normal" VPN)? Thanks
1.) Tailscale and ZeroTier have two different network protocols underneath. I like the WireGuard implementation a lot, so Tailscale is my favorite :) And they have a pretty smart implementation of the network stack. 2.) You can assign one peer as a "gateway", this will route all traffic from the clients through it.
@@christianlempa Thank you for your answer. Not considering the easier way to configure Tailscale over WG.... What do you think is better....Wireguard in a docker container or Tailscale?
Where is the catch? Seriously, if it sounds too good to be true, it usually is. What are the downsides, for example compared to setting a wireguard vpn yourself manually?
@@christianlempalets say yur in a company network & yur device is in a subnet vLAN that has no public internet acess & u want to connect to another device in another subnet vLAN within the company network, would tailescale work on this too?
@@catchnkill Sorry i mean is there a self hosted DIY CDN running in a self Content delivery system?? An on-premises solution running in our own servers to avoid cloudflare tracking and for full privacy and control??
Thanks for this video. I struggled with zerotier to setup my server as standard route for DNS and as VPN. And in tailscale it just needs a toggle of the button exit node 😯 Seems easier and better documented. Going to try it and finish my setup.
@@christianlempa when i sudo tailscale up, this message appear "failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?)"
@@christianlempa self hosting with headscale is definitely something that would be interesting because it removes two problems, 1)removing a untrusted company from having the keys, etc. to your network as a possible point of vulnerability 2) cost factor for people that want more than 20 devices or 1 account for their setups. Besides aren't you the host all the things in your own lab for learning purposes guy? I would say why not try?
When the free plan mentions one user, what exactly does that mean? For instance I care to have our employees connectr outsite the corp environment to the dc serv who has a very special crm program running from a folder (no client installation or anything) i am trying to figure out what exactly do I need to make this work. By saying work I mean 20-25 people outside office to be able to connect to the crm program after initiating a connection via tailscale. Do I need a price plan with as many users connecting (from their different machines) or jsut one user to set all that up?
If you want to manage all machines with 1 user account, that's totally fine. But if you'd want to add additonal users who can all manage their own machines and infrastructure they you need to upgrade a license. But you could technically just use 1 user for management.
i Set up TailScale because my ipv6 and ipv4 change from Orange Fai in France. Difficult to have your own firewall in France at home. So Tailscale is not bad for this kind of solution coupled with Adguard-Home with some configurations to tls-dns, I use it to use as a vpn with an outgoing at home when I am remote or need access to a file on my local nas. It can also be useful for doing a lan to lan for online video games. After security question it is a problem to solve between the chair and the keyboard.
I am a hobbyist. You did a great job with the video; however, I am on Truenas Scale, and there is no drop-down menu for it. I attached my machine, downloaded the app, and set it up with the AUTH code. I am lost from here. Can you help?
From the security perspective, I don't think that its a doable solution for corporate networks. What we should focus on is a data protection rather than bring ease in life. Though, it is good for people who aren't concerned about the security and use it for home-network to home-network connectivity. By enabling the mesh network between the servers and the clients as every node that is added on Tailscale account can access each other which again leaves me a big question mark on what if 1 client machine got compromised. Whoaa!!! A disaster will occur as accessing all other nodes which could be either be a server or another work station can be accessed by the Hacker. By having the VPN server, we manage the keys and exchange algorithms at our own end instead of leaving it on some third party network. Anyways I like the way you described it but it is always better to notify the vulnerabilities associated with the solution.
You can limit the nodes other nodes can connect to in tailscale. You could also ask for additional passwords on important nodes. I agree that the most secure way to host a vpn is by managing your own server. But i think the main issue for tailscale is that the admin hub is too out in the open.
Thanks for the explanation, but I'm still confused as to the purpose of tailscale. I understand it's a VPN so communication between two machines is secure, but what's the connection able to do? Can I use it on machine 1 to view a remote desktop of a second machine? or am I limited to just seeing the terminal of the second machine on the first. Would this be able to send files pictures from my phone to my pc without having to deal with a wired connection? Any insight would help a lot!
The use case is to connect two or more machines that are located in different physical locations over a secure tunnel, just like would be on the same local network
This just sounds like security disaster with extra steps. There is no way anybody is connecting to any of my local machines without punching through NAT first. This video fails to explain how this “magic” is done, and the way it works is Tailscale runs relay nodes that help establish direct connections through P2P and in case where direct is not possible, your data flows through a remote node. The machines behind NAT that you are connecting to reverse the flow of traffic by basically asking the remote server what to send over, which is the “magic” we see. This is all encrypted, but it’s basically trust me bro guarantee since neither tailscale client or server parts are fully open source. So 1) you’re supposed to run third party app on all of your infra that has access everywhere and isn’t even open source and 2) it all communicates using key pairs you can’t manage and the parts of code that make them and use them are not 100% open source either.
I keep getting replies to this about how "i should read how it works." I know how it works, you don't. Tailscale is a security disaster with extra steps and this will remain true until all of it is made open source. Noone sane deploys this bag of cats on a network they need to trust.
Hi Christian, thanks for making a video about tailscale :-) Tailscale is one of the best and intuitive tools, I have seen since years! It never was so easy to use VPN and not only between two devices, but between many devices - with static ip-addresses for every device :-) Normaly, every device can connect to each other device that is connected with the same authentication-account, but you can limit access (for devices and protocols) with access rules very easyly on the tailscale-dashboard, too - that's fantastic! With a smartphone it is easy to be "always on", so secure connections to all my machines from everywhere. For my opinion tailscale is a real revolution! Thanks a lot for your video and please more such holy shit stuff :-)
Thank you for your video. How would you best transfer files from one computer (node) to another if you were using a Mac to Mac or windows to windows? Also how could you do a “VNC” connection to control another computer through Tailscale? Would you please do a video on that?
You might check out "Taildrop" a beta feature in Tailscale to send/receive files over Tailscale, might be useful. For the VNC part, you can just connect to the devices using the tailscale internal IP address. Hope that helps ;)
Hey, awesome vid, mate! Can you help me with something? I'm using a TrueNAS Server that's located on my home network and I want to acess it remotely, I tried to use OPEN VPN but for some reason it isnt working as I wanted... So, do you think Tailscale can help me?
Do you really think this is a good idea from security point of view. You have to install on every client a “trojan” that connects you to a “service” in the US. Of course, it is easy to setup, no question, but as an it professional, like you always claim - who controls this network? This service has two sides of the same coin. You just mentioned the easy usage, but have forgotten the security aspect. What’s wrong with the “IT world”? Don’t you think about security anymore? I’m just waiting for the news… “Tailgate VPN hacked because of …”
It's important to talk about security, however comparing a managed VPN service with a "trojan" is a bit out of place, come on.. :) However, it's a valid concern you have and of course nobody forces you to use a service like tailscale, you can always manage VPNs yourself. The fundamental misconception is that most people see a VPN as a "security" barrier to get access to a network. This is in my opinion a outdated security concept and should be replaced with Zero Trust Networking concepts. Means, you should never trust a client just because it's part of a VPN network. I see tailscale more as a managed connection but not as a security barrier. All devices inside the VPN should be treated the same like external devices. I'll make a video about this in the near future, because I think that needs further explanation and a dedicated video! Anyway, thanks for your input.
Wireguard is funded by the US Government under the Open Technology Fund. They also funded a few more so called "privacy" projects such as Signal messenger. Remember the Crypto AG and ANØM cases. US Government is already known for creating fake privacy tools. Even the most used cryptography algorithms are funded by NSA/CIA.
@@helloworld963 yes, because they need it too, also, onion routing was created by US navy and needed extra traffic to hide their own traffic, and now we have tor, you can do what ever you want and the US navy can't do anything to stop you, considering you are careful to protect your identity with best practices
Challenge: Every time a vuln is found in Tailscale, I do a shot. Every time a major VPN provider has a critical CVE, YOU do a shot. Deal? Just kidding, I don't want to be kicked off of TH-cam for encouraging alcoholism and suicide.
I'm still concerned about data security and data compromise resulting from relying on some company. Large company may have resources to build a infrastructure themselves and for small firm, it is still possible to configure the machines keys and exchanging them, because not all node need to connect to every other nodes anyhow.
If you aren't managing your keys, someone else is. - Steve Gibson
What could possibly go wrong? - Steve Gibson.
trust no-one. - Steve Gibson.
@@totallynotgad damn, good to know. Thanks
you have to change your password anyway either before or after a hack
-Michael Jackson
not your keys, not your cheese
@jerromerro9405 you need to be using more than just a password
I am not an IT professional and I am not a beginner. You managed to use just the right level to be perfect for me. I just loaded Tailscale on 5 of my devices and working up the nerve to add it to my Terramaster NAS (scary 😮) if I mess up my 11 TB data store. I just heard about Tailscale two weeks ago. I do home automation with several small Linux machines (Raspberry PIs and Inovato, Quadra). It appears Tailscale will fix a lot of holes in my system. THANK YOU
Are you still using Tailscale? I wanna access to a SMB server remotely and safely
I used to use Hamachi, Teamviewer, Zerotier One, and Twingate to connect between my home PC and office PC. None of that can beat Tailscale. Its just works. And very low ping. Which is important because I connect mainly using VNC (windows to windows). Tailscale really solve my connection issue.
Why would you hurt ourselves with VNC on a Windows to Windows setup? Just use RDP
@@TheMaevian rdp fails at scaling.. and compressing 🤣
Every now and then Wireguard gives me some headaches. After this tutorial I fell in love with Tailscale. Thank you very much Christian, you are great!
Great video! This was definitely much easier and smoother than other previous attempts. Seems like Tailscale just works. Thanks for sharing this, Christian.
Np! Glad you liked the video 😀
Hi Christian, another great video! Please continue with more detailed related stuff like MagicDNS etc. - thanks.
Thank you 😊, great suggestion!
Seriously, dude. I was watching so many videos lately about remote access/vpn to connect to my RPi Jellyin from outside of my network and NOTHING worked. YOURS though was easy as f**k ^___^ Cheers man. Looking forward to access my library now on holidays ;)
Haha nice! :D glad it was helpful
Great video Christian. From a security perspective it sounds like a hackers dream....compromise one node and have secure access to all the other nodes. I can see the use case for it for homelabs and remote access where you know each node is safe but from a business perspective I don't think it's a good idea. At least with the traditional VPN gateway you can implement 2FA and make sure it is enforced.
Keep up the the good work.
I was thinking that if you’re account is compromised, then you’ve got a real nightmare on your hand, but for a local set up, it should be fine, no?
If you compromise a node that is running a VPN.... its EXACTLY the same. Also: Tailscale support auth via 2FA.
One key thing is that you can configure the access rights each node (or group of nodes) has to other nodes - so you can easily remove the default configuration of all nodes being able to access all other nodes. This allows you to set up a configuration where staff with 2FA logins can access all or some of the deployed systems all from a single config file, which is pushed out to all the managed nodes.
@@rogerthomas368 how do i setup 2FA on it?
You can, and should, use ACLs with tailscale. You can go very fine grained with this. As for ID management, there is 2FA on azure, google... I don't see your point.
Thank you Christian, just trying out now to see it, had some problems with Wireguard so I'll try this for now ;)
How do you know who, or what community, is behind Tail scale that makes it "safe?"
Yeah, that "magical fix-all" doesn't shout "Secure!" to me. I think I'll try the hard way, seems to get more control of what actually happens.
Thank Christian for an interesting video tho!
Great job, as always. Thanks Christian.
Looks cool, but you do give up a lot on your security and have to trust them not to mess up and not to collaborate with any government, or is it open source and you could also run your own private master server? (obviously this doesn't guarantee much, but still....)
You can't run your own tailscale server, it's all based on the service. However, it's not like you would send any traffic to their servers and the private keys never leave your devices.
well that's the point. I can see why they have this as a service. For poeple who don't care about security, can't host themself a coordinator or are too lazy, but why aren't they giving a Community Edition of the coordinator ?? Just this fact make me suspicious. I use to enjoy your viddo but this time I found wayyyy to enthousiast about a solution that rely on a service held outside of your control. Yes that's sound a great set of techno put together, would I give up the security and privacy of my assets for that ... No way. I think you haven’t been clear enought about that risk in this video. Anyway keep the good stuff, I, usualy like your contents 😊
Well, maybe it's just me, but I like good managed services and I don't care much whether it is open-source or not, as long is they have a fair and transparent service model. Proprietary software isn't necessarily worse or less secure than open-source, at least in my opinion. I talk quite enthusiastic about it because I really am 😁.
However, I understand why some people have a different and stronger stance on privacy and open-source than me, and thats totally fine, I can respect that. Hopefully I always find a way to make interesting videos about services like this, even though you won't use it for security or privacy reason.
So thanks for the open and honest feedback, bro!
@@christianlempa I’m new and dumb can’t we have both with a vps?
How does it compare to Zerotier?
I'd love to see the follow up video about Magic DNS. If you happen to have a qnap NAS I'd love to see a user friendly Video on how to get tailscale up and running. Cheers and keep up the great work.
Thanks, I didn't know about this cool service. More videos like this please.
Awesome 😁, sure I'll do!
Your English is Good i didnt know you were German until you mentioned it. Thought you were from Minnesota lol
OMG!! I love this!!! Great video.
Thanks mate!
whats the difference between zerotier and tailscale both seem to be similar to me
They offer some different features, depending on what you need, you can chose both, they’re good :)
@@christianlempa but would the response time for both would be same?
Is tailscale self hosted or does it need (internet) to dial home to the company to work?
please explain how to set up subnets and exit nodes in the tail scale
Maybe I make a second video about this stuff at some point, but no plans in the near future.
exit nodes run only on Linux clients , you should activate IP forwarding and then run tailscale up --exit node and login to the portal and check the Linux node and go to the subnet routing and enable exit node on the portal , all other clients will be able to see it as exit node and when you click on windows or mac clients to use exit node , all traffic will go through your exit node.
Thank you for this video and the tip on an easy VPN solution!
You're welcome!
My apple phone already uses a VPN for nextdns, so I assume I couldn't use tailscale at the same time?
What about SIP Phones, like Yealink? Got a local Telephone System on one Location, and Phones on 3 other Locations. Actuall we Use Sophos Firewalls that are connected together.
but how does this work. If I ping a remote computer, which path does that traffic take ? Are there bandwidth limitations ?
Tailscale will negotiate a path between both devices, so they can find each other and send traffic. In scenarios where there's no path existing, it can use the relay servers.
@@christianlempa thanks, so if the firewalls and NAT are in effect on both ends, relay server it is ? Are there bandwidth limitations if a relay server is used ?
Is it possible to set up a site-to-site VPN between two routers that have Tailscale already pre-installed?
Very cool. This was my introduction to Tailscale and I’m impressed. I’m going to give it a try. However one of the Mail reasons I’ve gotten into home lab stuff is reducing the dependency on others. Based on subscription details looks like your still dependent on tailscale the company. Is there any way to fully self host the solution?
Headscale. Found it further down. Thanks I’ll take a look at it also
Haven't tried it myself, but I'm sure it's great!
When I try mounting my Synology shares to my desktop “connect to server” on my Mac, it asks for a password. Every password I’ve tried associated with my NAS doesn’t work. Which password do I need?
Would love a video on the built-in DNS functionally. Also could I buy a vps on DO and have it ONLY be accessible via tailscale, and what about Docker containers, can i have Those only on tailscale?
OMG thanks it really work good and install proces was easier than changeing light bulb
Thank's! I'm glad it helped :)
I am new to networking and VPN. I want to be able to connect to my devices from anywhere. They are in my garage in which I can only create a wireless network since I cannot get any internet cables in there. My best bet, as far as I know, is to have a router that can be configured to TailScale but having sim card or using 4G LTE USB modem. If anyone has any suggestions for me, let me know please. The router I was planning to get is Beryl AX (MT-3000) which supports TailScale.
Do you have any video on how to use it as a Internet gateway (Exit node) to use it as a VPN for all traffic? thanks
Not yet, maybe that’s coming next year but I won’t promise anything
@@christianlempa I really need to find some info on Exit Node, can't find it anywhere, maybe you can shed some light on that :) tnx
Hi, thank you for your videos. I am just curious to know how does it compare to Zerotier, in term of privacy and security?
I haven't done a comparison, yet. However I think that the architecture of tailscale is pretty good. Of course it is a hosted service where you need a google/m$ or github account so you need to give some trust to these companies. However, for the security side the wireguard protocol is pretty solid and the privatekeys are never shared with tailscale. So technically they are able to redirect your traffic but not able to decrypt it, which is a nice option. I know that zerotier offers a self-hosted solid so in a direct comparison zerotier would win obviously, but that doesn't mean you would need to worry about using tailscale. Hope that helps 😄
If you need Layer 2 connectivity and protocols beyond the IP stack you can run inside Zerotier network cause every zerotier network acts like a Layer 2 Switch , hope it is clear ..
This is really cool. I could RDP directly two Windows PCs behind a NAT. This kicks TeamViewer or anyDesk ass out :D I wish we had a selfhost option.
Headscale ig?
One thing is causing me trouble. When I installed and started tailscale on my server. My server is able to connect to internet. When I installed on my laptop and mobile. When I am connected to tailscale, I loose internet.
How to fix this ? I want to be able to use tailscale to create usable domain names for my servers to share with others. I know tailscale is for private communication. But this seemed possible as well. I read about exit nodes tried to configure that as well. But it didnt' work
Unfortunately it's hard to hear you with the ridiculous music playing. Aside from that, how is this easier than setting up PiVPN? Install PiVPN, connect to PiVPN, access everything on your network. No need to manually setup individual devices/nodes as you seem to have to do with Tailscale. By comparison Tailscale seems incredibly laborious.
Exactly!
Yea, it’s just one of those programs that saves you a few extra clicks. But in return you open a massive security door, and open all your traffic to their servers that are probably glowing.
Question, what if someone gets access to your account (e.g. GitHub auth service)? Or hacks the Tailscale service?
Well then you are in trouble bro
In all cases I would recommend 2-factor authentication, but seems someone with access could share a device to their own network and gain access that way. Just something to be aware off..
Well that's the reason why I said in the video, you can add 2FA to your accounts.
I did not understand about 13:45, I have a wg server on my vps, the issue is I need that since i have portainer etc but my dorm wifi blocks the wg server port thus I should not-blocked ports and have a lot of different .conf files for every peer.. with tailscale as I understood, he understands that fw or nat is blocking it and ? would just find another port or switch over to tcp? Did i miss something? Thank you very much
If you're running a self-hosted wg server you need to worry about ports, not with tailscale.
I'd like to know if this is better than using CloudFlare tunnels...hmm...
It's a different solution, depends on what you're aiming to do
Hi, does anybody know how to install SSL certs on nextcloud with Tailscale? I have enabled SSLon Admin panel and I have generated crt and key file by tailscale, What should be further steps? I have nextcloud hosted on LXC Container on Proxmox, installed by snap.
Has the "L" always been missing from the "Digital Life" sign?
It's back at the end of the video!
The one thing that drives me nuts and Im not sure there is a workaround is if other devices are on the same LAN, your device will over travel over Tailscale instead of your Local LAN. I noticed this when using a node as a subnet router. I would guess thats the computer making the decision but there doesnt seem to be a workaround...well from what noticed.
That shouldn't be the case, if both devices are connected to the same LAN, tailscale will figure out the fastest path between them. I've tested it in my local network and it works pretty well.
@@christianlempa Yeah I dont get it. while connected with the windows app, I did some traceroutes and it takes the tailscale path everytime. I mentioned this to support and they said its somewhat expected behaviour but will look into see what they can do. Iv seen a number of posts with the issue. There is kind of a work around but doesn't always work which is make the advertised subnet one mask less so if my LAN is /24 mark it as /23. Dont think it works for Linux though.
TailScale is good but do you have any idea about any similar open source projects coming up that can be running in the private server..
I had a look on netmaker. But the licence confuses me. Seems not to be 100% foss...
what if you want to give access to someone else? does he have to login into tailscale with your credentials? for example google username and password
Hi Christian,
Another great video.
2 quick questions.
1) Which are the differences between Tailscale and ZeroTier?
2) With Tailscle am I able to get on all machine the same public IP (as would be with a "normal" VPN)?
Thanks
1.) Tailscale and ZeroTier have two different network protocols underneath. I like the WireGuard implementation a lot, so Tailscale is my favorite :) And they have a pretty smart implementation of the network stack.
2.) You can assign one peer as a "gateway", this will route all traffic from the clients through it.
@@christianlempa Thank you for your answer. Not considering the easier way to configure Tailscale over WG.... What do you think is better....Wireguard in a docker container or Tailscale?
How secure is this, because your data is still being sent through Tailscale's network right?
No, the traffic is sent between the endpoints
Love your content man.
Thank you 😊
Where is the catch? Seriously, if it sounds too good to be true, it usually is. What are the downsides, for example compared to setting a wireguard vpn yourself manually?
Hello, with this video do you hide your ip adress using a vpn or you create a vpn at your ip adress?
Haven't though about hiding my IP... why?
Great tutorial! Can you explain how to VNC to a VPS that is connected to Wireguard ?
Thank you! :) It's pretty simple, you set up the VNC just like you would do on a local network, let us know on discord if you have any questions
@@christianlempalets say yur in a company network & yur device is in a subnet vLAN that has no public internet acess & u want to connect to another device in another subnet vLAN within the company network, would tailescale work on this too?
is there a self hosted alteranative to cloudflare ?
Gcore?
@@catchnkill
Sorry i mean is there a self hosted DIY CDN running in a self Content delivery system??
An on-premises solution running in our own servers to avoid cloudflare tracking and for full privacy and control??
Thanks for the video Chris. What' s the difference with zerotier?
Thanks mate, zerotier uses a different VPN protocol as far as I know
Can i ask you im from algeria im using wireguard to bypass restriction and free internet but there much bugs in morning is there solution for that ?
that's actually more setup, if you need to install it on every server/device
you can forward entire subnets, if you want to.
Thanks for this video.
I struggled with zerotier to setup my server as standard route for DNS and as VPN.
And in tailscale it just needs a toggle of the button exit node 😯
Seems easier and better documented.
Going to try it and finish my setup.
Oh I'm glad to hear it ;) Thanks
Hi! Great video! What SSH Client do you use? Need one that can save logins, open mutiple tabs, and FREE :)
Mobaxterm
hi Christian can u make video how to connect tailscale wsl2 work.
I think there is not much you need to do, just install the tailscale on the Windows machine. Your WSL should have access to the same network as well.
@@christianlempa when i sudo tailscale up, this message appear "failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?)"
thanks I learned something new
Glad to hear it!
Can you please make a video on setting up Headscale
Not sure right now, I may take a look but don't know if it's really worth the effort to be honest :/
@@christianlempa self hosting with headscale is definitely something that would be interesting because it removes two problems, 1)removing a untrusted company from having the keys, etc. to your network as a possible point of vulnerability 2) cost factor for people that want more than 20 devices or 1 account for their setups. Besides aren't you the host all the things in your own lab for learning purposes guy? I would say why not try?
When the free plan mentions one user, what exactly does that mean?
For instance I care to have our employees connectr outsite the corp environment to the dc serv who has a very special crm program running from a folder (no client installation or anything) i am trying to figure out what exactly do I need to make this work. By saying work I mean 20-25 people outside office to be able to connect to the crm program after initiating a connection via tailscale. Do I need a price plan with as many users connecting (from their different machines) or jsut one user to set all that up?
If you want to manage all machines with 1 user account, that's totally fine. But if you'd want to add additonal users who can all manage their own machines and infrastructure they you need to upgrade a license.
But you could technically just use 1 user for management.
@@christianlempa Thank you for your quick reply, but I can t even start it ... I have a weird error whicj cant troubleshoot anywhere
i Set up TailScale because my ipv6 and ipv4 change from Orange Fai in France.
Difficult to have your own firewall in France at home.
So Tailscale is not bad for this kind of solution coupled with Adguard-Home with some configurations to tls-dns, I use it to use as a vpn with an outgoing at home when I am remote or need access to a file on my local nas. It can also be useful for doing a lan to lan for online video games.
After security question it is a problem to solve between the chair and the keyboard.
Hi there, which terminal application are you using? Looks way cooler than my putty
I'm using Windows Terminal and use WSL2, I've documented most of my setup in this video: th-cam.com/video/oF6gLyhQDdw/w-d-xo.html
Im using the tailscale windows 11 but windows 7 its not installing there any solution
I am a hobbyist. You did a great job with the video; however, I am on Truenas Scale, and there is no drop-down menu for it. I attached my machine, downloaded the app, and set it up with the AUTH code. I am lost from here. Can you help?
For everyone who doesn't like the idea of this being managed by a 3rd party, they now have a self hosted option called headscale.
From the security perspective, I don't think that its a doable solution for corporate networks. What we should focus on is a data protection rather than bring ease in life. Though, it is good for people who aren't concerned about the security and use it for home-network to home-network connectivity.
By enabling the mesh network between the servers and the clients as every node that is added on Tailscale account can access each other which again leaves me a big question mark on what if 1 client machine got compromised. Whoaa!!! A disaster will occur as accessing all other nodes which could be either be a server or another work station can be accessed by the Hacker.
By having the VPN server, we manage the keys and exchange algorithms at our own end instead of leaving it on some third party network.
Anyways I like the way you described it but it is always better to notify the vulnerabilities associated with the solution.
You can limit the nodes other nodes can connect to in tailscale.
You could also ask for additional passwords on important nodes.
I agree that the most secure way to host a vpn is by managing your own server. But i think the main issue for tailscale is that the admin hub is too out in the open.
Please go into the DNS in another video, interested to discover more about how it works
Good suggestions, I'll take a look at it bro ;)
Hi, is Plex server can be run on Tailscale?
I am getting 10-400ms ping over my local network?
any tips how to fix this on MacOS?
Well that’s hard without any info xD maybe check out our discord
Thank you @@christianlempa! it resolved itself today, so it would now be impossible :)
More content on neat tricks using Tailscale would awesome btw!
@@yagoa Well done! :)
What terminal emulator are you using there in Windows please?
Windows Terminal
Thanks for the explanation, but I'm still confused as to the purpose of tailscale. I understand it's a VPN so communication between two machines is secure, but what's the connection able to do? Can I use it on machine 1 to view a remote desktop of a second machine? or am I limited to just seeing the terminal of the second machine on the first. Would this be able to send files pictures from my phone to my pc without having to deal with a wired connection?
Any insight would help a lot!
The use case is to connect two or more machines that are located in different physical locations over a secure tunnel, just like would be on the same local network
This just sounds like security disaster with extra steps. There is no way anybody is connecting to any of my local machines without punching through NAT first. This video fails to explain how this “magic” is done, and the way it works is Tailscale runs relay nodes that help establish direct connections through P2P and in case where direct is not possible, your data flows through a remote node. The machines behind NAT that you are connecting to reverse the flow of traffic by basically asking the remote server what to send over, which is the “magic” we see. This is all encrypted, but it’s basically trust me bro guarantee since neither tailscale client or server parts are fully open source. So 1) you’re supposed to run third party app on all of your infra that has access everywhere and isn’t even open source and 2) it all communicates using key pairs you can’t manage and the parts of code that make them and use them are not 100% open source either.
It's really funny that you think tailscale is a "security disaster". Maybe try to understand it first before blindly attacking it 👍
I keep getting replies to this about how "i should read how it works." I know how it works, you don't. Tailscale is a security disaster with extra steps and this will remain true until all of it is made open source. Noone sane deploys this bag of cats on a network they need to trust.
could i setup my own Tailscale server instead of using their server
There is an unofficial project called headscale
Hi Christian, thanks for making a video about tailscale :-) Tailscale is one of the best and intuitive tools, I have seen since years! It never was so easy to use VPN and not only between two devices, but between many devices - with static ip-addresses for every device :-) Normaly, every device can connect to each other device that is connected with the same authentication-account, but you can limit access (for devices and protocols) with access rules very easyly on the tailscale-dashboard, too - that's fantastic! With a smartphone it is easy to be "always on", so secure connections to all my machines from everywhere. For my opinion tailscale is a real revolution! Thanks a lot for your video and please more such holy shit stuff :-)
Haha thank you so much for the nice feedback! 🥰
Thank you for your video. How would you best transfer files from one computer (node) to another if you were using a Mac to Mac or windows to windows? Also how could you do a “VNC” connection to control another computer through Tailscale? Would you please do a video on that?
You might check out "Taildrop" a beta feature in Tailscale to send/receive files over Tailscale, might be useful. For the VNC part, you can just connect to the devices using the tailscale internal IP address. Hope that helps ;)
Thanks man very interesting
You're welcome
Does the user running the service needs to be admin? Because that was the case with wireguard
It needs to run with sudo, yes
Hi there ! If I install Tailscale on a Romanian Ubuntu Server, it’s mean that all my connnected devices will have Romanian IP ?
Not by default. You could use a node as a gateway though, enabling it in the admin panel.
@@christianlempa lovely’s 💪
Hey, awesome vid, mate! Can you help me with something? I'm using a TrueNAS Server that's located on my home network and I want to acess it remotely, I tried to use OPEN VPN but for some reason it isnt working as I wanted... So, do you think Tailscale can help me?
Awesome video! Please tell us more about the Magic DNS and how to set it up.
Thanks mate! I'll take a look at it :)
Very easy install, having trouble on how to send magic packet via tailscale, where my powered-off pc still doesn't get the packet.
Thanks mate :) tailscale and wireguard operates is a layer3 VPN, magic packet is layer2, so it's not possible this way, unfortunately.
@@christianlempa Zerotier is Layer 2 switch so you can send magic packet but you have to check ZT knowledgebase how to do it.
What program do you use for ssh?
Just the normal ssh client in the terminal
Where is magic dns video
Still no time for it :( sorry mate
@@christianlempa it happens! No probs!
It sounds like Tailscale is very similar to NordVPN's Meshnet using WireGuard.
Is it possible to tunnel internet through one of the peers?
Yes, it is possible on peers running linux/windows, to configure them as an "exit node".
@@samuelfoldi4416 windows isn't supported as an exit node, only linux.
@@samuelfoldi4416 Only Linux supported as exit node for now , Mac will be the next OS then Windows.
Do you really think this is a good idea from security point of view. You have to install on every client a “trojan” that connects you to a “service” in the US. Of course, it is easy to setup, no question, but as an it professional, like you always claim - who controls this network?
This service has two sides of the same coin. You just mentioned the easy usage, but have forgotten the security aspect.
What’s wrong with the “IT world”? Don’t you think about security anymore? I’m just waiting for the news… “Tailgate VPN hacked because of …”
It's important to talk about security, however comparing a managed VPN service with a "trojan" is a bit out of place, come on.. :)
However, it's a valid concern you have and of course nobody forces you to use a service like tailscale, you can always manage VPNs yourself. The fundamental misconception is that most people see a VPN as a "security" barrier to get access to a network. This is in my opinion a outdated security concept and should be replaced with Zero Trust Networking concepts. Means, you should never trust a client just because it's part of a VPN network. I see tailscale more as a managed connection but not as a security barrier. All devices inside the VPN should be treated the same like external devices.
I'll make a video about this in the near future, because I think that needs further explanation and a dedicated video! Anyway, thanks for your input.
Wireguard is funded by the US Government under the Open Technology Fund. They also funded a few more so called "privacy" projects such as Signal messenger. Remember the Crypto AG and ANØM cases. US Government is already known for creating fake privacy tools.
Even the most used cryptography algorithms are funded by NSA/CIA.
@@helloworld963 yes, because they need it too, also, onion routing was created by US navy and needed extra traffic to hide their own traffic, and now we have tor, you can do what ever you want and the US navy can't do anything to stop you, considering you are careful to protect your identity with best practices
Be careful, a hacker is already on to it Lol
Challenge: Every time a vuln is found in Tailscale, I do a shot. Every time a major VPN provider has a critical CVE, YOU do a shot.
Deal?
Just kidding, I don't want to be kicked off of TH-cam for encouraging alcoholism and suicide.
Is there any self-hosted alternative to tailscale?
There is a third-party implementation of the tailscale backend API, called "headscale". I haven't used it, yet, but you might check it out.
@@christianlempa thanks for the heads up. I will check it out
Just sign in to "Google" or "Microsoft" and it's all automatic. Ummm that's gonna be a big NO for me...
That's fine 😉
Yeah, I had a good laugh when I saw that. Hey BigTech, here's the keys to my LAN, have a good look around.
thnsk sir amazing easyl to understand
Thx!
I'm still concerned about data security and data compromise resulting from relying on some company. Large company may have resources to build a infrastructure themselves and for small firm, it is still possible to configure the machines keys and exchanging them, because not all node need to connect to every other nodes anyhow.
look at headscale
Hello can you help me set this up ? We can use team viewer and I pay with Bitcoin
Frigging nightmare setting up tailscale on MacOS TBQFH. NoMachine is much easier.
giving all your vpn keys to a third party is the worst thing you can do in a self-hosting environment
Cool video! What prompt do you use?
Oh the video on mdns would be great
It's like with crypto accounts. If you don't have the keys you don't have the coins.
i love your videos
Thanks mate 😁
Thanks so much for your videos !
Could you post a Netmaker tutorial, possibly with NPM? Thanks
Keep up the good work
thank you! netmaker would be something way down my priority list, sorry :(
@@christianlempa no worries. thanks for the reply. ill keep an eye open for a tutorial on this. i look forward to your next informative video
MOAR!
Sounds good, but you become dependent on the fact that Tailscale services stay up.
very useful channel
Thx mate :)
How does he know it’s secure?
He doesn't.