
Could anyone ELI5 to me why I might use tailscale? If I don't have a use case for a VPN is there any use case for this product, or if I did want a VPN, why this and not some other service like Nord?

Asking from a place of curiosity, I don't quite understand this company. I suspect it solves a lot of issues related to provisioning your own networks ... Which would explain why I don't quite get it because I've never done that.



I have some services running on my home network (e.g. Kubernetes and some stuff on a Raspberry Pi) that I'd like to access when I'm away from home. Tailscale made that really easy. I just set up their client on the devices that need to communicate, and that's it. I can access those devices on my home network from my MacBook when I'm out and about. What's really neat is I can even set my Raspberry Pi as a DNS server for devices in my Tailscale mesh (using their DNS features) and use Pi-hole to set up custom DNS rules for those devices. Wrote a short piece about it here: https://evanshortiss.com/crc-tailscale


Many good answers here. I'd say tailscale is useful if you want an "actual" VPN - that is, a virtual network, which is private. You can have a VM or rented server somewhere and use it for backups, a media library - and you can connect to it securely over tailscale VPN over 4/5G - and you can connect with your laptop on wifi etc. Maybe a backup box at a friend's place, or maybe that server/vpn runs an instance of gitlab and/or a personal wiki etc.

Tailscale unfortunately uses user-space wireguard still - other than that I think it's a strict "value-add" on top of manually configuring wireguard.

The option to route traffic through an exit-node can also be useful (make your phone behave as if it connects through your corporate VPN, with the fixed IP address that your clients white-list for access, for example) - but it's not the primary use case.

While "VPN Services" like Nord are really anonymizing internet access providers (routers) - and while technically using VPN-technology, they're not really enabling Virtual Private Networks in a meaningful way - it's just your computer, and their exit-node - a tiny network of two - and they don't have anything to talk about - the exit node doesn't run a web site or a service - it's just a router.


I've wondered this as well. Everyone seems to rave about it, but I run my own wireguard and don't find it too hard to add devices to the network. I think maybe you can use it to expose certain things to the internet easily? I don't have a lot of trouble doing that either. I've scrolled around their marketing site for a few minutes before and I just don't really get what all the fuss is about. I'm sure I'm missing something.

I will say, and I think this is right, the proposition here isn't a VPN like Nord which you'd use to hide your traffic from your ISP or masquerade into a different geolocation, but rather a VPN for connecting to your own devices.


> I'm sure I'm missing something.

Can you really not see the difference between this[0] and this[1]?

This really feels like a "What's the value in Dropbox when everyone has access to rsync and bash?" situation.

[0]: https://www.wireguard.com/quickstart/

[1]: https://tailscale.com/kb/1017/install/


I still don't see the value of dropbox, it seems to remove control, suck up resources, and occasionally wipe out files.


I can see that it's easier to set up for someone who doesn't know how to use WireGuard, but not how it would benefit me personally. I guess SSO is nice.

I think it's more like... "What's the value in Dropbox when I'm already running Nextcloud?"


The value is you can stop running Nextcloud.


It's very easy to run your own WireGuard, and if that's all you want, by all means, do that. A lot of work went into making WireGuard the easiest-to-configure VPN --- it's deceptively sophisticated (the best kind of sophisticated).

Tailscale is also deceptively powerful, and that's why people love it. In particular: getting WireGuard deployed across a whole team with a single source of authentication truth and role-based default-deny ACLs is not, in fact, very easy to do. The massively more common pattern in tech companies with access VPNs is something like OpenVPN, with separately-managed credential stores (that get desynced and lock people out --- or accidentally retain access for separated team members) and default-allow network policy that gives anyone with access to the VPN direct access to Redis, databases, staging instances, and stuff like that.

I don't just like Tailscale. I fucking hate Tailscale for how simple they've made one of the larger problems in corpsec. It's maddening.
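The "role-based default-deny ACLs" point above is easiest to see with a policy in hand. The block below is an added illustration, not code from the thread and not Tailscale's own engine: a simplified evaluator over a policy written in the shape of a Tailscale policy file (groups, tagOwners, acls). Src selectors here are users, groups or "*"; dst selectors are "<tag or node>:<ports>"; anything not named by an accept rule is denied. All identities, tags and node names are constructed.

```python
"""Added example (not from the thread, not Tailscale's code): a small
default-deny, role-based ACL evaluator over a Tailscale-shaped policy.
Simplifications: src is a user, a "group:x" or "*"; dst is "<host>:<ports>"
where host is a "tag:x" or a node name; no CIDR or autogroup selectors.
"""

# Constructed policy: two roles, two tagged resources, explicit accepts only.
POLICY = {
    "groups": {
        "group:eng": ["alice@example.com", "bob@example.com"],
        "group:oncall": ["alice@example.com"],
    },
    # who may attach a tag to a machine (role -> resource binding)
    "tagOwners": {
        "tag:staging": ["group:eng"],
        "tag:db": ["group:oncall"],
    },
    "acls": [
        {"action": "accept", "src": ["group:eng"], "dst": ["tag:staging:22,443"]},
        {"action": "accept", "src": ["group:oncall"], "dst": ["tag:db:5432"]},
        # nothing mentions tag:cache, so the Redis box is unreachable for everyone
    ],
}

# Constructed node inventory: the tags each machine carries.
NODES = {
    "staging-1": {"tag:staging"},
    "db-1": {"tag:db"},
    "redis-1": {"tag:cache"},
}


def _members(selector, policy):
    """Users named by a src or tagOwners selector."""
    if selector == "*":
        return {"*"}
    if selector.startswith("group:"):
        return set(policy["groups"].get(selector, ()))
    return {selector}


def _ports(spec):
    """'*' -> any port (None); '22,80-81' -> {22, 80, 81}."""
    if spec == "*":
        return None
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def _parse_dst(dst):
    host, _, ports = dst.rpartition(":")  # 'tag:db:5432' -> ('tag:db', '5432')
    return host, _ports(ports)


def is_allowed(policy, nodes, user, node, port):
    """Default deny: only an explicit accept rule whose src names the user
    and whose dst names the node (by tag or name) and the port permits it."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any({user, "*"} & _members(s, policy) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, ports = _parse_dst(dst)
            host_ok = host == "*" or host == node or host in nodes.get(node, set())
            if host_ok and (ports is None or port in ports):
                return True
    return False


def can_tag(policy, user, tag):
    """Whether user may attach tag to a machine, per tagOwners."""
    return any(bool({user, "*"} & _members(s, policy))
               for s in policy["tagOwners"].get(tag, ()))


def reachable(policy, nodes, user, ports=(22, 443, 5432, 6379)):
    """Every (node, port) the user may reach. A default-allow access VPN
    would hand back the full product of nodes and ports here."""
    return sorted((n, p) for n in nodes for p in ports
                  if is_allowed(policy, nodes, user, n, p))


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com"):
        print(user, "->", reachable(POLICY, NODES, user))
```

Bob, who is in group:eng but not on call, ends up with the two staging ports and nothing else; nobody reaches Redis because no rule names it. That is the inversion the comment describes: the desynced-credential-store problem is about who is a src at all, and the default-deny part is about every dst the policy does not mention.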


That's true, the ACLs are pretty huge. I've heard about Tailscale almost exclusively in the context of /r/selfhosted, and this post is about the free plan which guided my response. It's not hard to see why this would be useful at my job. Honestly I wish they'd pay for it, OpenVPN is such a pain for my users.


If your ISP does CGNAT a typical WireGuard setup won’t work without a public IP address. Tailscale makes it possible to use a VPN without a public IP. I use Tailscale with Starlink which uses CGNAT.


Not something I'd have looked for as my ISP does not have that issue, but yeah, that's a killer feature.


Tailscale has three main pieces of functionality over vanilla Wireguard: Automatic peer configuration, NAT holepunching, and network ACLs.

I won't talk much about ACLs since if you're the only user on your VPN, they don't matter. E.g. I use Tailscale but I don't use ACLs because who am I going to block from connecting to what? Am I concerned about my server trying to compromise my Raspberry Pi? (Maybe I should be, but life's too short so I don't bother.)

Automatic peer configuration is a pretty killer feature, though. If you're just running plain vanilla Wireguard, then you have to manually copy keys between every pair of devices that need to be able to talk to each other. That's fine if you only have a few devices, or if you have a large number of devices but you're happy to use a hub-and-spoke model where each "client" only talks to the hub, and the hub routes all traffic. But once your number of devices starts to grow, or you decide you want direct links instead of hub-and-spoke, it can start to get unpleasant.

NAT holepunching may seem unnecessary if you're used to having a VPN hub and just port-forwarding to it. But it opens up a whole set of possibilities that would just be non-starters without it. Just off the top of my head, here are some things that I would consider easy with Tailscale but cumbersome-to-impossible without:

1. Not having to worry about static IP assignments on my LAN. Admittedly, this is more of a convenience than a true barrier to anything, but with vanilla wireguard one of the devices needs to be able to initiate the connection, meaning that the other has to be able to receive unsolicited traffic on some port. Normally I'd do that with port forwarding, but all of the port forwarding I've ever done requires a fixed internal IP to which to forward the port. Instead, with Tailscale, you can just plug in your server/RPi/whatever and forget about it.

2. Similarly, you can take advantage of this to get a window into a network that you don't control. (It sounds bad when I put it that way.) Say you've got a relative a long ways away, and they're constantly calling you for help with their network and you're constantly walking them through how to fiddle with their router settings or something - with Tailscale, you could just preconfigure a Raspberry Pi, ship it over, and not have to worry about being able to connect to it once they plug it in. Voila, you have an entry point into Grandma's network or whatever.

3. Self-hosting aficionados like myself tend to turn to "can I put a thing on a server somewhere" as a solution to many problems involving cross-device communication: file synchronization is an obvious example. But what if all the devices could seamlessly talk to each other, anywhere and anytime? Then you could pop, say, Syncthing on each device and not have to worry about having a server up.

Tailscale also has some extra goodies like being able to share a device to someone else's Tailnet, so if you run (say) a Plex server and you want to let someone else talk to it without exposing it to the greater internet that's pretty easy.

Their "Magic DNS" feature is also quite convenient - I used to pride myself on being able to remember all the IPs I had assigned to all my network-connected stuff and therefore not needing DNS, but since I've started using Tailscale I've found myself defaulting to DNS names more and more without ever even consciously deciding on it. Words are just more memorable than numbers, there's no need to fight it.

All that said, if none of those use cases seem compelling to you then maybe Tailscale just isn't for you. Different strokes for different folks.
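To make the "manual peer configuration" and "one side has to be dialable" points above concrete, here is an added example (not from the thread, not Tailscale's or WireGuard's code). It renders wg-quick style config text for a small fleet, either as a full mesh or as hub-and-spoke, counts the [Peer] stanzas an operator has to hand-maintain, and flags device pairs that plain WireGuard can never connect directly because neither side has a reachable endpoint. All keys, addresses and host names are constructed placeholders; real keys come from `wg genkey` and `wg pubkey`.

```python
"""Added example (not from the thread): the cost of manually configuring
vanilla WireGuard peers as the device count grows, and which pairs can
never connect without NAT hole punching or a hub.
All keys, addresses and names below are constructed placeholders.
"""
from itertools import combinations

SUBNET = "10.7.0.0/24"  # constructed tunnel subnet

# Constructed inventory. endpoint=None marks a device behind NAT/CGNAT that
# cannot accept unsolicited traffic. *_PLACEHOLDER stands in for real keys.
PEERS = {
    "vps":        {"address": "10.7.0.1", "endpoint": "203.0.113.10:51820"},
    "homeserver": {"address": "10.7.0.2", "endpoint": None},
    "laptop":     {"address": "10.7.0.3", "endpoint": None},
    "phone":      {"address": "10.7.0.4", "endpoint": None},
}
for _name, _p in PEERS.items():
    _p["private_key"] = f"PRIVKEY_{_name}_PLACEHOLDER"
    _p["public_key"] = f"PUBKEY_{_name}_PLACEHOLDER"


def _interface(me, listen_port=51820):
    lines = ["[Interface]", f"PrivateKey = {me['private_key']}",
             f"Address = {me['address']}/24"]
    if me["endpoint"]:  # only a dialable device needs a fixed port
        lines.append(f"ListenPort = {listen_port}")
    return lines


def _peer_block(me, other, allowed_ips):
    lines = ["", "[Peer]", f"PublicKey = {other['public_key']}",
             f"AllowedIPs = {allowed_ips}"]
    if other["endpoint"]:
        lines.append(f"Endpoint = {other['endpoint']}")
        if not me["endpoint"]:  # NAT'd side keeps its mapping alive
            lines.append("PersistentKeepalive = 25")
    return lines


def full_mesh_configs(peers):
    """Every device carries n-1 [Peer] entries: n*(n-1) key copies in total."""
    configs = {}
    for name, me in peers.items():
        lines = _interface(me)
        for other_name, other in peers.items():
            if other_name != name:
                lines += _peer_block(me, other, f"{other['address']}/32")
        configs[name] = "\n".join(lines) + "\n"
    return configs


def hub_spoke_configs(peers, hub):
    """Spokes list only the hub and send the whole subnet through it (the hub
    must forward traffic between spokes): 2*(n-1) entries in total."""
    configs = {}
    for name, me in peers.items():
        lines = _interface(me)
        if name == hub:
            for other_name, other in peers.items():
                if other_name != hub:
                    lines += _peer_block(me, other, f"{other['address']}/32")
        else:
            lines += _peer_block(me, peers[hub], SUBNET)
        configs[name] = "\n".join(lines) + "\n"
    return configs


def peer_entry_count(configs):
    """Number of [Peer] stanzas an operator has to hand-maintain."""
    return sum(text.count("[Peer]") for text in configs.values())


def unreachable_pairs(peers):
    """Pairs where neither side can be dialled. Plain WireGuard never brings
    these tunnels up; hole punching (or routing via a hub) is what fixes it."""
    return [(a, b) for a, b in combinations(sorted(peers), 2)
            if not peers[a]["endpoint"] and not peers[b]["endpoint"]]


if __name__ == "__main__":
    print(full_mesh_configs(PEERS)["laptop"])
    print("full mesh [Peer] entries:", peer_entry_count(full_mesh_configs(PEERS)))
    print("hub-and-spoke [Peer] entries:", peer_entry_count(hub_spoke_configs(PEERS, "vps")))
    print("pairs that cannot connect directly:", unreachable_pairs(PEERS))
```

With four devices the full mesh already needs twelve hand-copied peer entries against six for hub-and-spoke, and three of the six pairs (the NAT'd devices among themselves) get a syntactically fine [Peer] block that will never complete a handshake, which is exactly the gap the comment's points 1 to 3 are about.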


This is all great stuff, and reasons to respect Tailscale, but honestly the killer feature for their big-money customers, and the reason I have such strong feelings about it, is much simpler: Tailscale does SSO login, and does it extremely well. If you're running a security practice for a growing tech company, one of the most important early jobs you have is getting all your services migrated to SSO. VPNs are notoriously annoying to SSO (I have seen some janky Okta integrations for OpenVPN).


It’s atrocious. We are using OpenVPN with Okta LDAP and you have to type “password,totpcode” as your password. Alternatively you can type just your password and wait for it to send a push to your phone while OpenVPN is completely blocked waiting. You have a yubikey? That’s a damn shame. Training and support for this for our entire company was a pain in the ass. I also felt embarrassed having my name on rolling out something so janky. We are trialing Tailscale now and onboarding is two minutes and practically doesn’t need a guide (Download the app. Click login. Okta auth however you want). Our OpenVPN guide is like 8 pages.


I think the pitch here is “Semi-managed WireGuard peer provisioning and NAT punching as a service” usable by anyone who may not otherwise have a clue how WireGuard works (e.g. friends sharing access to a file/media server), within 5 minutes or less from download/login to “done”.


I struggled with a use case at first as an individual user, but now I'm using it in a few different places.

I have a Synology on my home network which I use for Time Machine backups among other things. My Mac has a Tailscale client and I can back up to my Synology from anywhere.

I have a number of random servers I keep for hobby stuff, a mix of hosted bare metal, VMs and VPS. None of them have SSH open to the internet. My access is all over Tailscale. It was super easy to set up, and now I never have to touch it. Occasionally I'll see that the Tailscale daemon was updated on some host.

If I were starting a company today, as soon as I had any resources that needed any kind of remote access for the team, I'd use Tailscale to provide that access.


How did you get your Synology on Tailscale?

I have been pondering setting up Tailscale just to get remote access but I haven’t found good examples of people doing this.


Tailscale has a Synology package. You just install, log in, and there you go.


Whoa! I don't know if my basic googling skills have atrophied, or if that's new, but I am so going to use that.

Thanks!


May not be your fault. Google is not the great tool it was for finding the most relevant information anymore.


I use it to code on my deep learning machine from my MacBook. It makes things a bit more secure and ssh-ing is painless that way.

Then I can check experiments from wherever without worrying about a lot of the fiddly details.


Install it on all your computers. Now all your computers can talk to each other.


A service like Nord VPN or other such VPN providers set up a connection between your device and an exit point that they manage (a server to keep things in a client-server structure). So the idea there is that no one monitoring your traffic should ideally see what websites you visit, what things you download or what devices you connect to (I'm keeping this broad and very surface level to be able to reach a common point of understanding and if anyone adds to this, by all means, let's clarify this as it's quite a complex topic).

So let's say the local government blocks access to certain content, you can connect to a VPN provider's network, select an exit point (a server) and your traffic is routed through them. But this can be monitored by that provider and I read an article recently that highlighted a lot of free VPN providers cannot be tracked down to companies, so you couldn't say who is running those servers. Which means, you don't know if all your traffic isn't actually recorded in the end and sold on to someone.

This brings me to the first difference - you can set up your own server (at home or more likely through an infrastructure as a service provider like Hetzner, Ovh, DigitalOcean, etc) and install Tailscale on it and on your device(s). This way your connection is secured to the server and the server is the exit point now. Your provider in this case, cannot see what your server is serving you. The added control here is that the server IS YOURS, so you can clear logs, take it down and set up another one and so on.

The second difference is that a VPN in most canonical cases has a client-server construction. But this means that there is a hierarchy and that all your devices use that server as a gateway of sorts. If I understand it correctly, Tailscale acts as a mesh that is laid on top of your existing connections, but it means that devices that you connect to the same mesh, behave as if they were on the same LAN network, but over the internet. So let's say you're on holiday, you can connect to your home computer (assuming your device and your home system have Tailscale, an internet connection and are running ofc) as if it was on the same network. Because it is. It's on a virtual network where Tailscale creates these connections and manages the IPs on the network. So you can view your movies, copy over your pictures from your phone to your home computer and so on.

You could also maybe have a home server which might be running a number of services. Enabling SSH over the internet has its risks, but Tailscale could alleviate a lot of these risks because you would have a fixed IP on this virtual network and so does your server. So suddenly, you can define a rule on your server firewall that says "hey, block everyone, except THIS ip".

Lastly, you could maybe even just share pictures, documents and whatever else with friends, family or anyone else who is running on the same Tailscale network.

I really hope I haven't completely misunderstood the service and I'd be happy to get more clarity or some better examples. These are SOME of the use cases I can think of, but there are probably more! Btw, I don't use Tailscale, I am considering it after having considered other mesh networks like Yggdrasil as that's the part I'd be interested in...



