Hacker News new | ask | show | jobs
by codethief 1159 days ago
I've been looking into using Tailscale/Headscale but I've been struggling[0] to find in-depth information about what security risk the coordination server poses (should it get hacked). Yes, the node list can be locked but the ACL cannot(?) So if I, say, run the Headscale coordination server on one of the devices that are part of my Tailnet, wouldn't an attacker that controls the coordination server automatically get access to my entire Tailnet, including SSH access to every device? So is the conclusion

- Always lock your node list, whether you use Tailscale or Headscale.

- If you use Headscale, run the coordination server entirely separately from your Tailnet.

?

[0]: https://forum.tailscale.com/t/tailscale-security-what-if-the... )
1 comments
sconi 1159 days ago
Curious why you want to run Headscale? Is it purely to avoid the risks of the coordination server?
link
codethief 1159 days ago
Yes, and because Tailscale requires me to use a third-party identity provider.
link
andrew-d 1158 days ago
As of about a month ago, you can self-host your own OIDC identity provider; for example, Ory Hydra is open-source.

https://tailscale.com/blog/custom-oidc/

link
codethief 1158 days ago
Thanks, I did read that blog post but adding yet another dependency to my stack just for authentication of a single user (me)? I don't know… Then I might as well just install Headscale.
link
sconi 1158 days ago
Got it. Makes sense. A big part of why we're building Bowtie. https://bowtie.works . We stay out of the critical path.
link