RECOMMENDATIONS TailScale VPN

w1ve

Hey Folks,

I have discovered TailScale, a mesh VPN, and I find it incredibly easy to use, and it runs everywhere. It's free for a single login, and a 50-login license can be had for, I believe, $48/yr (many nodes can use the same login). It uses OAuth for login, which is simple. It is a worldwide mesh network, and it is very fast. They have clients for pretty much every OS -- Linux, Mac, Windows, iOS and Android. What is very cool is that it has automatic routing for subnets... so don't just connect your computers -- everything in a subnet can be exposed simply by advertising the subnet (does not work from a Windows host yet). The other very cool feature is End-Point routing. You can turn that on, and all Internet traffic for all clients will flow through that node. Simple on/off via web control panel. Tailscale won't mess with any other part of your network, or DHCP, etc. www.tailscale.com. Recommended.
 
Many here prefer to use the better known open source VPNs that are used by many users here. Thanks anyways for posting, but this is one I will pass on.
 
TailScale is an interesting service. The most accurate description for what it does would probably be: it allows you to extend your LAN over the Internet so that from many different physical locations you can interconnect your personal devices as if they are all connected to the same LAN. (These devices may be directly connected to the Internet with their individual public IP, or on a NATted LAN, or on WiFi, or still wireless broadband with or without NAT.)
From there the traffic may remain entirely within your virtual LAN, or it can exit to the actual Internet over a "node" (one of your so designated devices). But (@hawk#1) its primary purpose is not to become an Internet access VPN.
It does a number of interesting things like dealing with all the NAT issues for all the nodes, DNS resolution (although that part has some issues), and the pseudo mesh concept (the handshakes and traffic control are, the actual comms are point to point). Thus (@billsimon) it's definitely a tad more than a wrapper around WireGuard.
We spent a little bit of time in my lab playing with it in a large scale configuration (several fixed locations in North America, Europe, Asia and Australia). At times it worked well, at times we had weird issues. With mobile users we had lots of problems (see update below).
For us it boiled down to bandwidth and access timing issues. But it's a promising effort which hopefully will get to full fruition.

Edit: Added clarification about device connections. See what's between parentheses.

Update: It turns out that our problems on Android mobile devices were due to conflicts with the Netguard firewall that we use on all our mobile phones. We are still troubleshooting one last conflict, but without Netguard TailScale works very well. Hopefully once I have figured out the last conflict we will be able to use it behind Netguard.
 
I played with it and it works fine so far on Android, Windows 10, 11 and Debian Buster 2021 Public. I have not been able to figure out how to connect a remote extension over the VPN using an IP address instead of a domain name.

For non-VoIP use, it's much faster to me than my office Fortinet VPN, although I imagine my IT people will have a heart attack when they see I am bypassing Fortinet!
 
Any of these work in countries that have DPI to limit such attempts, such as Egypt or China?
 
Any of these work in countries that have DPI to limit such attempts, such as Egypt or China?
Your data is safe as it's encrypted. But the nodes are identifiable as transit/interconnection points for your virtual LAN. We could figure out how to detect them with standard tools like Wireshark, much like one can do with WireGuard and OpenVPN. From there censorship is possible by shutting down your link. But I doubt that as of today there are tools to decrypt the traffic and spy on its content.
 
Any of these work in countries that have DPI to limit such attempts, such as Egypt or China?
I once set up OpenVPN on a Yealink for a telephone to be used in Egypt which blocks VoIP. It never had a problem.
 
But (@hawk#1) its primary purpose is not to become an Internet access VPN.
It does a number of interesting things like dealing with all the NAT issues for all the nodes, DNS resolution (although that part has some issues), and the pseudo mesh concept (the handshakes and traffic control are, the actual comms are point to point).
@Halea, Thanks for confirming what it can do. Free open source VPNs can handle all my needs. As stated multiple times on the forum, I'm retired and have no need to keep paying for software year after year. Many users here prefer the free methods also. So far I have not run into DNS resolution or NAT issues with any of the open source VPNs I have and currently use. Also I do not use open source VPNs as an Internet access VPN either. So I still say, Thanks anyways for posting, but this is one I will pass on.
 
I once set up OpenVPN on a Yealink for a telephone to be used in Egypt which blocks VoIP. It never had a problem.
How long ago was that? We tried OpenVPN about 6 months ago and had issues.
 
@w1ve I need to thank you for the Tailscale recommendation. I am using it and am very happy with its performance. It has made my connection to the office seamless from all my devices in a way that Fortinet made difficult and sometimes impossible. Now I just need to make sure that its security is up to par.
 
