> VPN as a service sounds wrong from security perspective, as you are giving away all the keys.

Tailscale's Android and Linux clients are open-source[0] and based on WireGuard (which AFAIU is now part of the Linux kernel[1]). With other VPN software you may be owning the keys but you cannot verify what the program does.

Tailscale requires a coordination server to function. This component is not open-source, but there is an open-source reimplementation called Headscale[2] that you can host on your own server. Additionally, there is "tailnet lock"[3]:

> Tailnet lock lets you verify that no node is added to your tailnet without being signed by trusted nodes in your tailnet. When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can't send or receive traffic on your tailnet.

---

> These internal services that are announced are just... Services you can run on the Internet with TLS.

I haven't used Tailscale in a professional context, so I cannot comment on the usefulness there, but I am using it (with Headscale) in my homelab. It makes it very easy to access all the services spread across multiple boxes from everywhere, let them all use the same AdGuard Home DNS server without having to configure them individually, and tunnel all my traffic through my home internet connection using an exit node[4].

I normally use croc[5] for file transfers between boxes, but when I had to fetch some files from my Windows game streaming computer, it was easier to just use Taildrop because Tailscale was installed already.

[0] https://github.com/tailscale/tailscale
[1] https://en.wikipedia.org/wiki/WireGuard
[2] https://headscale.net/
[3] https://tailscale.com/kb/1226/tailnet-lock
[4] https://tailscale.com/kb/1408/quick-guide-exit-nodes
[5] https://github.com/schollz/croc
All of their client code is open source, save for the bits required to ship to/comply with any app store requirements. The "Linux" client also builds and runs cleanly on many other Unix-like OSes, and they've put a lot of effort into working around a lot of non-standardised stuff on various Linux distros to ensure smooth UX. It felt like hard work just reading about the issues they've run into.
> based on WireGuard (which AFAIU is now part of the Linux kernel)
Tailscale has its own user-mode WG client library. In fact, you can use Tailscale as a library in a Go program, they have numerous examples for cool hacks such as authentication proxies (your VPN connection becomes your auth token, no other login required).
> I haven’t used Tailscale in a professional context, so I cannot comment on the usefulness [...]
I have and it's amazing. Stuff just works, and it naturally fills roles you wouldn't even expect it to, such as asset/inventory management (being THE source of truth to answer: "is this box even online"). We also use it to throw distributed LAN parties (not every game can be hosted on a headless box, sometimes there's nobody with a PC on a public IP, etc). It does something useful for everyone.
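The "authentication proxy" pattern mentioned above, as an added example (not code from the thread, from Tailscale, or from the tsnet library): a reverse proxy that treats the tailnet identity of the connecting peer as the login, and forwards it to a backend in a header. The identity lookup is abstracted as an `IdentityResolver`; in a real tsnet program you would back it with the local client's WhoIs lookup, but here a constructed in-memory table stands in for that so the example runs offline. The names `Peer`, `IdentityResolver`, `StaticResolver`, `NewAuthProxy` and the `X-Tailscale-*` header names are assumptions of this example. The security-relevant detail is that the proxy must delete any identity headers the client sent before setting its own, otherwise a peer could impersonate another user simply by supplying the header.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Peer is the identity the tailnet control plane vouches for (assumed shape).
type Peer struct {
	LoginName string // e.g. the user's login, as the coordination server knows it
	NodeName  string // the connecting machine's name
}

// IdentityResolver maps the remote IP of a connection to a tailnet identity.
// In a tsnet-based program this would wrap the local client's WhoIs lookup;
// it is a plain function type here so the example is self-contained.
type IdentityResolver func(remoteIP string) (Peer, bool)

// StaticResolver builds a resolver from a constructed table (stand-in for WhoIs).
func StaticResolver(table map[string]Peer) IdentityResolver {
	return func(remoteIP string) (Peer, bool) {
		p, ok := table[remoteIP]
		return p, ok
	}
}

// Header names the proxy sets for the backend (assumed names for this example).
const (
	HeaderUser = "X-Tailscale-User"
	HeaderNode = "X-Tailscale-Node"
)

// NewAuthProxy returns a handler that admits only connections whose source
// address resolves to a known peer, stamps that peer's identity onto the
// request, and forwards it to backend. Unknown sources get 403.
func NewAuthProxy(resolve IdentityResolver, backend *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			http.Error(w, "bad remote address", http.StatusBadRequest)
			return
		}
		peer, ok := resolve(host)
		if !ok {
			// The connection did not come from a peer the tailnet vouches for.
			http.Error(w, "forbidden: not a tailnet peer", http.StatusForbidden)
			return
		}
		// Never trust identity headers supplied by the client: drop them first,
		// then set the values derived from the connection itself.
		r.Header.Del(HeaderUser)
		r.Header.Del(HeaderNode)
		r.Header.Set(HeaderUser, peer.LoginName)
		r.Header.Set(HeaderNode, peer.NodeName)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed table: which source IPs belong to which peers.
	resolver := StaticResolver(map[string]Peer{
		"100.64.0.5": {LoginName: "alice@example.com", NodeName: "laptop"},
	})
	backend, err := url.Parse("http://127.0.0.1:9000") // assumed internal service
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewAuthProxy(resolver, backend)))
}
```

In a real deployment the listener itself would be the tsnet server's listener, so the only way to reach the proxy at all is over the tailnet; the resolver then turns "who is on the other end of this WireGuard tunnel" into an application-level login, which is exactly what the comment above means by the VPN connection being the auth token.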