Tailscale

3 minutes read | 515 words

Aaruni Kaushik

Tail-what?

Tailscale is a project by Tailscale Inc. which creates a mesh network of your devices. It allows all the devices on your tailscale network, the “tailnet”, to talk to each other directly, in a peer-to-peer manner. It does not matter if your devices are separated by the internet, or a NAT, or even a CGNAT: tailscale can break through and create a functional tunnel between each of your devices. It works by employing WireGuard behind the scenes to create a tunnel from each device to every other device in your tailnet. For 9 devices, that means 90 tunnels have to be created and maintained, and without tailscale, this operation would be MANUAL! The full breakdown of exactly how Tailscale works can be found here.

The Great Lighthouse

Instead of a traditional hub-and-spoke VPN setup where any two nodes talk via a central server, a tailscale server acts as a lighthouse, keeping track of all nodes, introducing them to each other, and then letting them talk directly. This means you can have two devices in the same building connected via tailscale, and they only reach out to the lighthouse to figure out where the other computer is, but then talk directly via the shortest direct path available between them, which can even be the LAN. Practically, this means that, for building a local network with fixed IPs, you can simply have the devices live on the same tailnet, and not faff about with router settings for DHCP leases and whatnot. Moreover, the tunnels created between your devices are encrypted, so you don’t have to worry about the secrecy of the data flowing between your devices against prying eyes.
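A quick way to confirm that peers really did end up on a direct path after the lighthouse introduced them, rather than falling back to a relay, is to read the local client's status. The following is an added example, not code from the original post or from Tailscale; it assumes the field names in the constructed sample (`Peer`, `CurAddr`, `Relay`, `Online`, `DNSName`, `TailscaleIPs`) match the JSON emitted by `tailscale status --json`.

```python
"""Classify tailnet peers as direct, relayed or offline from `tailscale status --json`."""
import json
import subprocess

# Constructed sample shaped like `tailscale status --json` output (assumption:
# the Peer/CurAddr/Relay/Online field names match the real CLI's JSON).
SAMPLE_STATUS = """
{
  "Self": {"HostName": "laptop", "DNSName": "laptop.example.ts.net.", "TailscaleIPs": ["100.64.0.1"]},
  "Peer": {
    "nodekey:aaaa": {"HostName": "nas", "DNSName": "nas.example.ts.net.",
                     "TailscaleIPs": ["100.64.0.2"], "Online": true,
                     "CurAddr": "192.168.1.20:41641", "Relay": "fra"},
    "nodekey:bbbb": {"HostName": "phone", "DNSName": "phone.example.ts.net.",
                     "TailscaleIPs": ["100.64.0.3"], "Online": true,
                     "CurAddr": "", "Relay": "fra"},
    "nodekey:cccc": {"HostName": "vps", "DNSName": "vps.example.ts.net.",
                     "TailscaleIPs": ["100.64.0.4"], "Online": false,
                     "CurAddr": "", "Relay": ""}
  }
}
"""

def classify_peers(status_json: str) -> dict:
    """Return {name: {"path": "direct"|"relayed"|"offline", "via": ..., "ips": [...]}}."""
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("DNSName", "").rstrip(".") or peer["HostName"]
        if not peer.get("Online"):
            path, via = "offline", None
        elif peer.get("CurAddr"):
            # A populated CurAddr means WireGuard packets go straight to that
            # endpoint (LAN or public) once the lighthouse has introduced the pair.
            path, via = "direct", peer["CurAddr"]
        else:
            # No direct endpoint yet: traffic is bouncing through a DERP relay.
            path, via = "relayed", peer.get("Relay") or "unknown"
        result[name] = {"path": path, "via": via, "ips": peer.get("TailscaleIPs", [])}
    return result

def relayed_peers(status_json: str) -> list:
    """Online peers still stuck on a relay, worth a look at NAT/firewall settings."""
    return sorted(n for n, v in classify_peers(status_json).items() if v["path"] == "relayed")

def live_status() -> str:
    """Fetch real status from the local tailscaled; assumes the tailscale CLI is on PATH."""
    return subprocess.run(["tailscale", "status", "--json"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    for name, info in classify_peers(SAMPLE_STATUS).items():
        print(f"{name:30} {info['path']:8} {info['via'] or ''}")
```

Swap `SAMPLE_STATUS` for `live_status()` to run it against your own tailnet.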

The Color of Magic

What if you wanted this to be a more helpful setup? What if you wanted each of your taildevs on your tailnet to have an easy-to-remember name? Tailscale has you covered with the magic of MagicDNS. Tailscale allows you to refer to a machine by just its hostname. Tailscale also allows you to set up custom DNS entries, which are applied to all devices in your tailnet. So you can, for example, have a NAS accessible over the tailnet, and it can be reachable by a simple name like nas-server.tld in addition to its actual hostname. This also removes the need to buy a domain name for services you want accessible only by the devices in your trusted network. Configure the network to point a name you fancy at the server, and all devices on the tailnet will now resolve it!

But My Beer

While the clients for tailscale are Free and Open Source Software, the lighthouse itself is only free as in beer, and only up to 20 devices. There are other projects, like Headscale or ionscale, which provide a FOSS implementation of the tailscale lighthouse. The existence of these projects is not threatened by tailscale themselves. In fact, tailscale explicitly added support in the Android app to select custom servers. So you can run your own private tailnet completely on your own infrastructure. You can have your beer, and drink it too!