First Impressions of Tailscale

Author Max Niederman
Published 2022-12-29
Description

My first impressions using Tailscale for my self-hosted services.

Until recently, I’ve used ZeroTier to remotely access the services I self-host on my private home network without any port-forwarding. This is convenient and more secure than exposing services to the Internet, since I don’t need to worry about application-level authentication for anything.

ZeroTier is a pretty simple service; you run a daemon on every node you want to connect to the VPN, and each one gets a network interface with an IP address to communicate with other nodes. One interesting thing that sets it apart from more typical VPN software like WireGuard, though, is that it provides a virtual Ethernet network rather than a virtual IP network.

ZeroTier worked pretty well for me, but there were some features it was missing:

Thankfully, I’d heard about Tailscale, a WireGuard-based solution which appeared to solve all of those problems. I also saw it had SSH support, which would eliminate the need for me to ever manually copy a key pair again.

Setting Tailscale up was pretty easy, even with my somewhat unusual homelab. Tailscale already had a guide for NixOS, so I was able to copy and paste some configuration and got it running in no time. Installing on my personal computers was similarly easy.

I installed Tailscale on my Pi-Hole DNS server, which was as simple as running a bash one-liner from their documentation. Then, in the dashboard’s “DNS” tab, I added its VPN address as a nameserver with “Override local DNS” enabled. That was enough to get custom DNS working, and with MagicDNS, I also have hostname resolution.

ZeroTier’s Android app wasn’t very good and I had some issues with some of its features, so Tailscale’s Android app was also a pleasant surprise. It has all of the features I care about and was super easy to set up.

“Exit nodes,” which tunnel all Internet traffic over the VPN, were also fairly easy to set up. I just had to add some flags to the tailscale invocation. I haven’t tested it thoroughly yet, but it seems to be working.

My one gripe is that the free tier only allows one user per year, and I can’t really afford to pay for the team plan just to share my Jellyfin instance with my friends. Unfortunately, that’s pretty important to me so I might have to use something else.

I highly recommend giving Tailscale a try if you need a simple way to securely connect devices across the Internet, but keep the vendor lock-in in mind.