by Lammy 295 days ago
Tailscale spies on all of your traffic/behavior by default, so this isn't a great recommendation to people who used NordVPN for privacy reasons without the disclaimer that they will need to opt out of Tailscale's spying by setting a special environment variable on every single machine in their Tailnet: https://tailscale.com/kb/1011/log-mesh-traffic

“Each Tailscale agent in your distributed network streams its logs to a central log server (at `log.tailscale.io`). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

2 comments
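The comment above says the opt-out has to be applied on every machine in the tailnet, which is exactly the kind of setting that drifts. As an added example (not from the thread or from Tailscale), here is a small POSIX sh audit that checks a collection of per-host `tailscaled` environment files for an active opt-out. Assumptions, labelled as such: the variable name `TS_NO_LOGS_NO_SUPPORT=true` is the one the linked KB page documents to my knowledge; the path `/etc/default/tailscaled` is where the Debian/Ubuntu systemd unit reads its environment; the sample files are constructed here to stand in for files gathered from several hosts.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tailscale.
# Assumption: TS_NO_LOGS_NO_SUPPORT=true is the documented opt-out variable,
# and /etc/default/tailscaled is the env file the Debian/Ubuntu unit reads.
# Other platforms set the variable differently; point the audit at the
# equivalent file there.

# Matches an active (uncommented) assignment, with an optional "export "
# prefix, optional quotes around the value, and an optional trailing comment.
OPTOUT_PATTERN="^[[:space:]]*(export[[:space:]]+)?TS_NO_LOGS_NO_SUPPORT=[\"']?true[\"']?[[:space:]]*(#.*)?\$"

# logs_opted_out FILE
# Returns 0 when FILE contains an active opt-out, 1 otherwise (including
# when FILE is missing or unreadable, which is treated as "still logging").
logs_opted_out() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -Eq "$OPTOUT_PATTERN" "$file"
}

# audit_hosts FILE...
# Prints one status line per file and returns 1 if any host still streams
# logs, so the exit code can feed a cron job or CI check.
audit_hosts() {
    status=0
    for f in "$@"; do
        if logs_opted_out "$f"; then
            printf '%s: opted-out\n' "$f"
        else
            printf '%s: STILL-LOGGING\n' "$f"
            status=1
        fi
    done
    return $status
}

# Constructed sample files standing in for /etc/default/tailscaled copied
# from several machines; prints the directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    printf 'PORT="41641"\nFLAGS=""\nTS_NO_LOGS_NO_SUPPORT=true\n' > "$dir/laptop1"
    # Commented out: this host is still logging.
    printf 'PORT="41641"\n# TS_NO_LOGS_NO_SUPPORT=true\n' > "$dir/laptop2"
    printf 'export TS_NO_LOGS_NO_SUPPORT="true"  # set by config management\n' > "$dir/phone-sidecar"
    printf 'TS_NO_LOGS_NO_SUPPORT=false\n' > "$dir/nas"
    echo "$dir"
}

# Demo run over the constructed samples; a non-zero exit from audit_hosts
# means at least one host has not opted out (masked here so the demo
# itself does not abort the script).
samples=$(make_samples)
audit_hosts "$samples"/* || :
```

On a real fleet, replace the constructed directory with the env files collected from each host (for example by your configuration-management tool) and wire the exit status into a scheduled check. Note the variable's own name: setting it also tells Tailscale that the node has opted out of their support, which is the trade-off the opt-out carries.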

But Tailscale never sees the device keys, so what they obtain and log is, at best, metadata. They have no capacity to decrypt any Tailnet traffic.

I'd be interested to know which competing services exist that DON'T do the exact same thing in order to evaluate issues reported by users or observed across multiple customer environments.

ETA: Not that it's probative, but here's an example of how Tailscale wildly differs from other VPN/Mesh networks: https://www.linkedin.com/posts/apenwarr_zscaler-ceo-just-ann...

> But Tailscale never sees the device keys, so what they obtain and log is, at best, metadata. They have no capacity to decrypt any Tailnet traffic.

https://news.ycombinator.com/item?id=44853709

so it's either go to the store naked, or don't leave the house at all, I guess...

If you're concerned about logs being sent by each node in a tailnet, then you're better off just self-hosting your own tailscale control plane using headscale. You can run it as a container in a NAS.

https://subnetsavy.com/wp-content/uploads/articles/headscale...

Self-hosting is cool and is what I already do for myself, but suggesting it is not relevant here because it's not feasible for a ton of people who might not even have one particular machine that can run 24/7 to self-host a control plane. Think about a person who has three laptops and two phones or whatever, where if any two of them are online they should be able to communicate over the mesh.

The post I was replying to is suggesting paying-for-Tailscale-Mullvad-mesh as a substitute for paying-for-NordVPN-mesh, to which I say "yes, but". It is a total non-starter to try and push most people into "install all this software, register a domain, set up this TLS automation, write this Headscale config, know what the config keys mean†, keep this machine up 100% of the time, stay on top of updates, don't get haxx0red" compared to "install this app, log in, and enter your credit card details".

† Do you really expect the app-and-credit-card crowd (who are totally valid and deserve working mesh networking that doesn't spy on them!!) to know what even one of the keys in this config means? Really? https://github.com/juanfont/headscale/blob/main/config-examp...