Just a quick update on the performance portion of the video: In subsequent testing performance is pretty much a non-issue now. I set up a link to a Synology NAS at my mother's place which is running on 500 megabit symmetrical fiber and I'm now pushing the full speed back and forth. See the update: th-cam.com/video/D8lJcf0V_-4/w-d-xo.html
Apparently you haven't continued this series, like you implied to do in the end or have I just missed it?
@jothain On Tailscale specifically? I do have a playlist of self hosted applications which is what I was likely referring to in regards to a series: lon.tv/selfhosted - this particular video didn't perform all that well initially but has since picked up quite a bit so I may do some updates soon.
One of the great things about Tailscale is it gets around CGNAT. So if anyone (like me) has their network connections over CGNAT and you've wanted to be able to connect back, this is your solution. Also, it works on the NVidia Shield! So, when we are away in our RV, we can connect back to watch Plex over my CGNAT connections!
One of my clients uses a Western Digital NAS and they were recently hit with an outage for 2 weeks or so. Many WD customers were locked out of their data because they depended only on cloud storage. Don't Do That People. Luckily we had local access to the company data and prevented any data loss. WD is in the storage business. You would think they are secure. Nothing is secure. Always take extra precautions like this. Thank LON.
so the NAS was on a different network than the users? Shouldn’t they be using Microsoft 365 or Google Workspace?
@mactastic144 The way WD NASes work, you log in/authenticate through their online service. After the attack they disabled this feature, so many people couldn't access their NASes.
The speed test via iperf showed that you were relayed and that the devices did not establish a direct connection. Tailscale, ZeroTier, and similar types of overlay networks are designed to consistently try to establish a direct connection between devices when possible. If a direct connection can be made, you will pretty much go at the full speed possible for the link (unless Tailscale runs in userspace, like it does on Windows, but that should still yield 200-300 megabits). This can happen if your firewall or the one at the other end is using a type of NAT that randomizes the source port. Relayed connections going through a DERP server (as they are called in Tailscale) will have limited bandwidth. You can set up your own DERP server if you want faster speeds. Usually, direct connections are more common than relayed ones. I recall ZeroTier giving some stats that 95% of all devices were able to establish a direct connection. I don't know if Tailscale ever commented on that.
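Added example (not part of the original comment thread): a small Python check of the direct-versus-relayed distinction described in the comment above, classifying each peer from `tailscale status --json`. The sample JSON is constructed, and the field names used (`Peer`, `HostName`, `Online`, `Active`, `CurAddr`, `Relay`) are assumed to match that command's output.

```python
import json

# Constructed sample shaped like `tailscale status --json`, trimmed to the
# fields used below. Hostnames, addresses and relay codes are made up.
SAMPLE_STATUS = """
{
  "Self": {"HostName": "laptop", "Online": true},
  "Peer": {
    "nodekey:aaaa": {"HostName": "synology-home", "Online": true, "Active": true,
                     "Relay": "nyc", "CurAddr": "203.0.113.10:41641"},
    "nodekey:bbbb": {"HostName": "synology-offsite", "Online": true, "Active": true,
                     "Relay": "nyc", "CurAddr": ""},
    "nodekey:cccc": {"HostName": "raspberrypi", "Online": false, "Active": false,
                     "Relay": "ord", "CurAddr": ""},
    "nodekey:dddd": {"HostName": "appletv", "Online": true, "Active": false,
                     "Relay": "nyc", "CurAddr": ""}
  }
}
"""


def classify_peer(peer):
    """Return 'offline', 'direct', 'relayed' or 'idle' for one peer entry."""
    if not peer.get("Online", False):
        return "offline"
    if peer.get("CurAddr"):
        # A current UDP endpoint means packets flow peer to peer.
        return "direct"
    if peer.get("Active", False):
        # Traffic is flowing but there is no direct endpoint: it goes via DERP.
        return "relayed"
    # Online with no recent traffic: no path is in use, so there is nothing
    # to judge yet. Send traffic (for example a ping) and check again.
    return "idle"


def path_report(status_json):
    """Return sorted (hostname, state, detail) tuples for every peer."""
    status = json.loads(status_json)
    rows = []
    # "Peer" can be null when the tailnet has no other devices.
    for peer in (status.get("Peer") or {}).values():
        state = classify_peer(peer)
        if state == "direct":
            detail = peer["CurAddr"]
        elif state == "relayed":
            detail = "DERP " + (peer.get("Relay") or "unknown")
        else:
            detail = "-"
        rows.append((peer.get("HostName", "?"), state, detail))
    return sorted(rows)


def relayed_hosts(status_json):
    """Hostnames whose active traffic is currently going through a relay."""
    return [host for host, state, _ in path_report(status_json) if state == "relayed"]


if __name__ == "__main__":
    for host, state, detail in path_report(SAMPLE_STATUS):
        print(f"{host:18} {state:8} {detail}")
```

A peer that stays in the relayed state while traffic is flowing is the case the comment attributes to NAT that randomizes the source port.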
If you have a device set up at your house that is running Tailscale that you leave on all the time (I use a Raspberry Pi), you can set it up as an exit node. It will let you use Tailscale just like a regular VPN service, and you can also set it to allow local network access to your other devices on your network.
This video dropped at the right time for me. I recently switched to T-Mobile 5G Home Internet and found I couldn't stream from my Plex server on my NAS. This sounds like exactly what I need. I'll be testing it tomorrow during my lunch break.
I'd like to see another video on the more advanced features of Tailscale. I'd love to use it to access my PS5 for remote play without having to flash my router with custom firmware to run Tailscale.
It works, been doing it for a while now.
Great video Lon! I’ve been using Tailscale for about a year now. One thing I have done is have my local Synology NAS run scheduled backups to another offsite Synology NAS using Hyper Backup over Tailscale. Of course the initial backup was done when they were both local. I’d like to see how you can access your PC’s data files from a Laptop or Mobile Phone when on the road. 👍🏻👍🏻
I have been looking at Tailscale as a solution for home lab access when away from the house. Thanks for covering this and I always appreciate your videos.
Excellent explanation, as usual, Lon. Tailscale does indeed seem very versatile, but by the same token, simple and straightforward to set up. I would like to see more detail though on what can be done with Tailscale.
Wow! What a great teacher, so articulate and fundamentally precise.
This is great. My NAS software is phasing out its VPN/remote access services so I needed a new solution. I think this will work out great.
Really excellent explanations, demonstrations, and with applications Lon. One concern you didn't address is that once setup, the end user is completely reliant on the integrity of the Tailscale security posture and their implementation as opposed to truly hosting one's own VPN with hardware and custom configuration.
My target audience for this is people who are currently poking holes in their router (or, gasp, UPnP), so for those folks this is definitely an improvement. But I think setting up your own server is always the best way to have full control.
This is why I will not use Tailscale. It defeats the purpose of VPN.
There are multiple things that address this. The tailnet lock feature allows you to verify that no node is added to your network without being signed by already trusted nodes; this means you don't have to trust the Tailscale infrastructure, because even if it was malicious your devices wouldn't trust any node it tried to add or replace. There is also a way to self-host the coordination server, called Headscale, if you really don't want to use any of their infrastructure. Additionally, the client code is open source so that can be validated.
+ it’s backed behind a single sign-on like your Google account.
Is there a video for a self hosted solution you could share?
Man, what are the odds. Just saw this package in Synology and came here to learn more!
Tailscale uses WireGuard for its VPN, but Tailscale works reliably behind other firewalls in my experience, e.g. using Wi-Fi when staying in a hotel, where vanilla WireGuard does not.
Thank you SO much for your video. This is 100% what I was looking for. It's so clear for someone like myself, who is not very tech-savvy and needs to have his hand held through all of the steps. I really appreciate it.
Another great video Lon. Tailscale was a godsend because I can get into my own LAN without having to open ports on my router. One detail I have run into though: Because Tailscale works as a VPN, if you routinely use a VPN when outside of your own LAN, at least on the desktop and mobile OSs I use, you cannot run both your regular VPN and Tailscale. You must drop out of your regular VPN to be able to start up Tailscale.
If you have a device set up at your house that is running Tailscale that you leave on all the time (I use a Raspberry Pi), you can set it up as an exit node. It will let you use Tailscale just like a regular VPN service, and you can also set it to allow local network access to your other devices on your network.
Love the video. Would love a video on more that can be done with tailscale.
Tailscale has completely solved my home lab networking needs. It deserves more attention. Now I can travel with an ultralight notebook and connect, via Microsoft Remote Desktop Services, to my machine learning servers. Remote desktop latency is so low I don't notice any lag. Tailscale has proven easy to use and reliable. Install and forget. Other solutions such as AnyDesk and Teamviewer were unreliable, too heavy, and otherwise problematic.
Do you think your Remote Desktop would run a VM on a home NAS remotely?
Not a fan of "Cloud" control. I have a Pi that I set up as a VPN server on a VLAN, also now have WireGuard on the UDM-Pro so they both keep me off the cloud. I only have one service remaining on the cloud (can't dump it) and that is the way I like it.
Home Assistant had a recent CVE although I don't think it was exploited in the wild.
Great video Lon. Let’s see more of it please. Thanks.
How does Tailscale compare in features/security to Unifi "Wi-Fi Man" or their new "Wireguard" which has now been added? I am looking for the best solution to log in remotely to my security cameras, and to access files on my Synology NAS. Very nice presentation.
I think if you have the aptitude (it sounds like you do) using the wireguard option on UniFi is the best way to go. There’s no cloud intermediary, and a single connection gets you into your network.
Hi Lon, that was a great video. Could you please also cover NordVPN's Meshnet service? I believe it's similar to Tailscale but maybe uses different protocols?! Not sure. Thanks
Really need a self-hostable product like this that is as turnkey. Yes, there are a number of solutions available but all of them are a PITA to set up.
Great video, been using Tailscale for a while, works great. 73.
Thanks for a great video.
Can Tailscale be installed on an ASUS GT-AXE11000 router? I'd like to connect to the entire LAN network - not only clients.
The router is pre-set for WireGuard, if that changes anything.
You just got this video linked to by the Tailscale email newsletter.
Great video, thanks for sharing. If you can, please do more Tailscale videos. Very impressive sort of VPN app.
So could you use Tailscale to watch Netflix or Amazon Prime movies when out of the country, or would this require you to leave your TV on in order to do this? Or is this type of use more suited for a network VPN?
So you could use the "exit node" feature to do that. No need to have the TV on; the computer will appear as though it's coming from your home network as it will be routing Internet traffic through the tunnel.
Channels DVR has support for this now too. I wanna try it vs keeping my port open
So with Tailscale, I can add computers then RDP into them from any network? (as long as both are connected to my account)
Thanks for this, I'd love to see a more in depth dive into it. Maybe talk about the privacy concerns mentioned elsewhere in the comments too.
Found your video extremely helpful. Is there any way to access shared folders from your PC over Tailscale through the internet? Thanks
Yes just point the client at the PC's tailscale IP - in Windows \\000.000.000.000 with the zeroes being the tailscale ip in the explorer address.
Any idea if there's any way/solution that Tailscale can be used/run from a browser?
Very helpful Video thank you for sharing Lon 👍
Hey Lon! Great video. Could you use this to do a hyper backup between 2 Synology units that are remote from each other?
Yes, that is a great use case! Synology also has their own VPN server you can run on each if you wanted a DIY
@LonSeidman it'd be cool to schedule that too like 5 minutes before backups are scheduled to kick off. Is that possible?
@kellymatthew That's a good question .. I bet you could probably issue a cron command to trigger it but I haven't experimented with that myself. This person has an example of it here: mickderksen.wordpress.com/2016/06/08/how-to-schedule-a-vpn-connection-on-synology/
Yes! I have done this successfully! 😎👍🏻
More tailscale please.
Please review Headscale is fork open source
this was very thorough! thanks for the video
Thanks, very informative video. I want to ask a few things. I am new to HomeLab. Currently running TrueNAS Scale OS on my server. I want to get remote access for a few things like Nextcloud, sync photo backup, Plex/Jellyfin, along with a commercial VPN running on that server for qBittorrent and 'arrr' applications.
Is there any way that I can get remote access with Tailscale tunneling, or is there a better way?
As for info, I am looking for a simple approach, as I am not an IT guy.
Thank you. Appreciate your Help.
Thank you for the video Lon. You've now given me ideas/procedures for multiple projects ie. livestreams, recording, cloud gaming... huge help, thanks so much, have a great new year.
Can you make a remote device such as an android box with Tailscale loaded, use a specific app to stream all data thru the exit node or subnet? To make that remote device look like it’s streaming from your home network?
I'll stick to a self hosted vpn. Seems a lot of faith and trust in 1 provider.
Good job. Well done.
The problem with Tailscale is you can't use your own domain name with https; you have to use the name they give you. You can put that 100 IP in your IP address where you have your domain name hosted. But then you can only go to http, not https.
how does this compare to Synology's OpenVPN?
I want to see how can you use this as a VPN step by step.
Since one of the missing features of the gen4 Tablo DVR is the remote access for viewing recorded or live video, would Tailscale allow a remote user to overcome this deficiency until Tablo revises their system?
I know it’s been a while, but I was wondering the same thing. I just bought a Tablo tv 4th gen and would like to watch and set up recordings when away from home.
How would you say Tailscale compares to Synology’s Quick Connect with regards to security?
While it has a relay available, for the most part QuickConnect relies on UPnP or having open ports. So I'd prefer Tailscale's approach, which keeps it behind the firewall and invisible to network scans.
Maybe I missed it, but can it be used as a traditional VPN where I simply want to go out on the internet and my ISP internet IP address is hidden?
No, it’s private only unless you set up an exit node on a cloud server.
What is a good laptop for gaming and not expensive?
Does Tailscale change your ip address, like a traditional VPN?
I think your tailscale IP is locked for that device but if you did an OS reinstall or something it'll likely cycle it.
Does Tailscale run on AndroidTV devices like the ONN boxes from Walmart?
It does!
@LonSeidman This seems like a better value proposition as long as it offers similar performance and features (active during sleep mode, throughput, etc.)
I don't know, wireguard seems better and certainly easy enough, especially with the docker image.
Do you think an average consumer is going to do that?
@LonSeidman I would agree that an average consumer no, but anyone watching this channel would have no issues. I am not sure if you ever reviewed Firewalla, but I switched to this from using a home Untangle license and found Firewalla to be a lot easier. Comes with WireGuard server built in too. Without learning more about Tailscale, which I’m going to check out, I am still concerned a 3rd party is involved and could be a point of compromise.
Tailscale uses wireguard itself and also provides many features that plain wireguard doesn't.
I couldn’t find tutorials to setup Wireguard on a Mac. I don’t want to use a Docker image.
Anyone know how to map a network drive using tailscale for Windows?
Will this work with Plex without opening Plex to remote connection?
Yes.
Is there a way I can get this to work with NordVPN? I’m using NordVPN to keep my IP safe and I want to use Tailscale to get remote access to my Jellyfin server to watch outside my network.
Wish I could get it working.....
They lost me on two points. Any service that forces a connection with a provider rather than email is bad. That means two companies are allegedly spying. Tailscale says they will put cookies on the browser for advertising. That means we are being tracked. Likely explains why the free service is generous. They are making money on the free accounts. They say just turn off do not track on the browser. That is a request to the website. They are not required to honor it. I would never use this service.
A permanent VPN connection is important. Just about all IoT devices cannot install a VPN. The reason for putting IoT on a separate network. The VPN really belongs on the router or an external firewall. With a kill switch if it goes down not to reveal the IP address.
That dude lost his data not only because his nas had a vulnerability, but also because he didn't have a backup.
Twingate-Zero Trust better than Tailscale
Not for me. I do not want to go through and rely on any third party, especially handing out my identity information.
I have been using the VPN supplied with my low-end Synology NAS. It was reasonably easy to set up and has been reliable. The primary issue has been a result of Comcast's limited upload speed. I tried setting up a VPN on the Pi (Lon's video) but for me the performance was poor. I did not spend time fussing with it since the Synology was working well and just dropped the Pi.
Can't get anything to work with this thing .. Don't know what's all the hype about.
Soooooo ... what happens when Tailscale abandons the 'free tier' and starts to charge for it. "Evernote" anyone .... LOL
The free service is likely already being charged by allowing them to get data to advertise and possibly sell.
As they say, when it is free we are the product. Unfortunately we are still the product in most cases even when we pay for a product.
They have a good explanation on that point here: tailscale.com/blog/free-plan/
@LonSeidman excellent explanation and they sound good. I just can't get past the privacy statement regarding adding cookies for advertising purposes. As well as forcing people to use social media logins to join. This suggests we really don't know what they are doing with our activity. They may not be able to view our PC data but this suggests they may be viewing our actions. Telemetry and metadata are just as important and often more important than data.
So Tailscale is not like a traditional SSL VPN solution then, because let's say a company has 1000 servers, does that mean I have to install Tailscale on all of them 1000 times?? (This is gonna be a little crazy.) Whereas on a traditional SSL VPN solution, once a client connects with a VPN client on their computer, they can access whichever of those 1000 servers they want. (I know the SSL configuration on either router/firewall is a little complex, but once the IT administrator has done this, it's gonna be worry free. Of course all end users don't really care, they just use it.)