tailscale VS headscale

Still the most reliable setup, honestly. SSH into your machine over Tailscale (or Mosh if your connection is rubbish), reattach your tmux session, carry on. Free, works everywhere, been around forever. The downside is it's all terminal and you need to know your way around. Not exactly mobile-friendly either. Typing SSH commands on a phone keyboard is proper painful.

The entire system runs on three machines connected via Tailscale mesh VPN:

Should note that Tailscale does not work natively with hdhr for mpeg television streams b/c wireguard doesn't natively support udp multicast/broadcast. Also can't directly port forward b/c hdhr sets a default ttl of 2.

My understanding is that most VPNs in general don't support udp multicast due to operating on the network layer rather than data link, though iirc OpenVPN supports multicast traffic through its virtual TAP (Layer 2) rather than TUN (Layer 3).

Tailscale does create a TUN/TAP virtual network[0], though udp multicast is still not natively supported.

[0]: https://tailscale.com/docs/concepts/tailscale-osi#data-link-...

https://github.com/tailscale/tailscale/issues/1013

https://github.com/tailscale/tailscale/issues/11134

The Tailscale client (non-GUI) is open source: https://github.com/tailscale/tailscale

And they collaborate with Headscale to provide an open-source coordination server (with, unsurprisingly, a more limited featureset, but it works fine with their closed-source GUI client): https://tailscale.com/opensource#encouraging-headscale

I use the combination myself and it works quite well, but of course is less convenient than using their product (which I also do in a different context). Overall I'm pretty happy with their open-source stance.

ClickHouse's BYOC also uses an outbound-only channel for management traffic. Control-plane connectivity from the ClickHouse VPC to the customer's BYOC VPC is provided over a Tailscale connection that is outbound-only from the customer's BYOC VPC. ClickHouse engineers must request time-bound, audited access through an internal approval system; they can only reach system tables and infrastructure components, never customer data.

Tailscale builds on WireGuard to create a Layer 3 mesh VPN. It handles IP-level routing with automatic peer-to-peer connections, MagicDNS for name resolution, and centralized ACLs. The coordination server manages key exchange and device discovery.

As I age, I become increasingly cautious about my privacy. The slope the world is sliding on is also a big, unfortunate incentive. I have been eying Pi-hole for some time: in this post, I want to explain what it does, how to install it on a Raspberry Pi, and how to integrate it with Tailscale.

Headscale on GitHub - https://github.com/juanfont/headscale

Headscale is an open source alternative, I haven't read the code but it might be a good place to start: https://github.com/juanfont/headscale

wget https://github.com/juanfont/headscale/releases/download/v0.26.1/headscale_0.26.1_linux_amd64 chmod +x headscale_0.26.1_linux_amd64 sudo mv headscale_0.26.1_linux_amd64 /usr/local/bin/headscale sudo mkdir -p /etc/headscale sudo headscale config generate > /etc/headscale/config.yaml

Basic version is it's a sort of developer focused zero trust network service.

Encrypted overlay network based on wireguard tunnels, with network ACLs based around identity, and with lots of nice quality-of-life features, like DNS that just works and a bunch of other stuff.

(Other stuff = internet egress from your tailscale network ('tailnet') through any chosen node, or feeding inbound traffic from a public IP to a chosen node, SSH tied into the network authentication.

There is also https://github.com/juanfont/headscale - which is a open source implementation of some of tailscale's server side stuff, compatible with the normal tailscale clients.

(And there are clients for a very wide range of stuff).

Tailscale's control server is proprietary and has limits for free users. That's fair since it's how they make money. But the open-source community built an alternative: Headscale. It's become the main open-source option for self-hosted Tailscale setups.

The control plane of Tailscale can even be self-hosted via the Headscale project:

https://github.com/juanfont/headscale

As for backups, I like both https://github.com/restic/restic and https://github.com/kopia/kopia/. Encryption is done client-side, so the only thing the offsite host receives is encrypted blobs.

You can use headscale [1] (open source) as the mothership, and all the published clients (AFAIK) support pointing them to an alternative mothership.

I set it up, and it worked, but regular Tailscale works so well out-of-the-box that I just used that instead of maintaining headscale.

[1] https://github.com/juanfont/headscale

Self-hosting is cool and is what I already do for myself, but suggesting it is not relevant here because it's not feasible for a ton of people who might not even have one particular machine that can run 24/7 to self-host control plane. Think about a person who has three laptops and two phones or whatever, where if any two of them are online they should be able to communicate over the mesh.

The post I was replying to is suggesting paying-for-Tailscale-mesh as a substitute for paying-for-NordVPN-mesh to which I say “yes, but”. It is a total non-starter to try and push most people into “install all this software, register a domain, set up this TLS automation, write this Headscale config, know what the config keys mean†, keep this machine up 100% of the time, stay on top of updates, don't get haxx0red” compared to “install this app, log in, and enter your credit card details”.

† Do you really expect the app-and-credit-card crowd (who are totally valid and deserve working mesh networking!!) to know what even one of the keys in this config means? Really? https://github.com/juanfont/headscale/blob/main/config-examp...

# Download Headscale wget https://github.com/juanfont/headscale/releases/download/v0.26.1/headscale_0.26.1_linux_amd64 chmod +x headscale_0.26.1_linux_amd64 sudo mv headscale_0.26.1_linux_amd64 /usr/local/bin/headscale # Generate config sudo mkdir -p /etc/headscale sudo headscale config generate > /etc/headscale/config.yaml