Tailscale - Part 1: What is Tailscale?
It's basically a WireGuard mesh VPN
💡 I'm not an affiliate of Tailscale or any company related to it. I'm blogging about it because I think it's a really good idea. This post makes no money from Tailscale or any other affiliation.
Normally when you're setting up a VPN for people or sites, the traffic aims for a single point of entry (or multiple points of entry if you have failover).
This example has satellite sites and users connecting to the central VPN in the head office. If traffic from NYC needs to get to Austin it goes via the VPN hub. That hub may be a failover pair or a cluster, but from a connectivity standpoint it's not efficient: every site-to-site packet hairpins through the head office. It's possible to use more traditional methods to do this more efficiently (private networks, multiple VPN endpoints and so on), but these add complexity and cost. If I look at my own setup:
Even with my two sites, in the traditional networking sense I'd need to add an external VPN device at each end, set that up as a point-to-point tunnel, add the routes and firewall rules, then monitor the logs. That's a cost (direct, at the cloud provider end) and another box to maintain.
So what does Tailscale do differently?
With Tailscale each device on the Tailscale network is an endpoint, so a mesh is created rather than a hub and spoke. This removes the single point of failure and the latency of hairpinning through a hub, since each pair of devices talks to each other directly and there can be multiple paths to the same endpoint. All of this is done with an agent on the servers rather than separate hardware.
There is a really good explanation on the Tailscale site about this and more about how it works.
As described in our blog post about how Tailscale works, the coordination server is the single, centralized component of Tailscale’s architecture. It is responsible for distributing public keys and firewall rules to all Tailscale devices on your network. However, if the coordination server goes down your Tailscale network will mostly continue to function:
Tailscale does not route any traffic through the coordination server. Instead, Tailscale makes the best effort to create a direct connection between each pair of devices communicating with each other. In cases where a direct connection cannot be established, devices will bounce traffic off of one or more DERP servers, located in different regions all over the world.
The devices’ keys are stored locally. Devices can continue to communicate with each other until one of the device’s keys expires. Note that the expiry time is device-dependent (based on the last time an authentication took place), which might be different between devices in a given network.
Firewall rules are cached and enforced on each device, meaning that your existing rules and ACLs will continue to function.
On the other hand, without the coordination server in place:
New users and devices cannot be added to the network.
Keys cannot be refreshed and exchanged, meaning that existing devices will gradually lose access to each other.
Firewall rules cannot be updated.
Existing users cannot have their keys revoked.
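A quick way to see which of those two paths a given peer is actually using (direct, or bounced off a DERP relay) is tailscale ping, which keeps probing until it finds a direct path. The following is an added example, not code from the original post or from Tailscale: a small POSIX shell helper that classifies the pong lines tailscale ping prints. It assumes the line shape "pong from <host> (<ip>) via DERP(<region>) in <n>ms" for relayed replies and "via <ip>:<port>" for direct ones; the sample transcript at the bottom is constructed to match that shape, not captured output.

```shell
#!/bin/sh
# Added example (not from the post or from Tailscale). Assumes the pong line
# format described in the lead-in; feed real `tailscale ping` output through
# path_status to see whether a peer is reached directly or only via DERP.

# Print "derp", "direct" or "none" for one line of `tailscale ping` output.
classify_pong() {
  case $1 in
    "pong from "*" via DERP("*) echo derp ;;
    "pong from "*" via "*)      echo direct ;;
    *)                          echo none ;;
  esac
}

# Summarise a whole transcript on stdin: exit 0 if the last pong was direct,
# 1 if it stayed on DERP, 2 if no pong was seen at all. The last pong is what
# counts because tailscale ping keeps going until it upgrades to a direct path.
path_status() {
  last=none
  while IFS= read -r line; do
    c=$(classify_pong "$line")
    [ "$c" = none ] || last=$c
  done
  case $last in
    direct) return 0 ;;
    derp)   return 1 ;;
    *)      return 2 ;;
  esac
}

# Probe a live peer (needs the tailscale CLI) and print a verdict.
# 41641/udp is tailscaled's default WireGuard port; if every pong is via DERP,
# a NAT or firewall on one side is usually blocking that inbound UDP.
check_peer() {
  if tailscale ping -c 5 "$1" 2>&1 | path_status; then
    echo "$1: direct"
  elif [ $? -eq 1 ]; then
    echo "$1: relayed via DERP (check NAT/firewall for UDP 41641)"
  else
    echo "$1: no reply"
  fi
}

# Constructed sample transcript (not real output): a peer that starts on the
# London DERP and then upgrades to a direct path.
SAMPLE='pong from laptop (100.101.102.103) via DERP(lhr) in 31ms
pong from laptop (100.101.102.103) via DERP(lhr) in 29ms
pong from laptop (100.101.102.103) via 203.0.113.7:41641 in 4ms'

# Runs the classifier over the sample; exit status 0 means "ended up direct".
demo() {
  printf '%s\n' "$SAMPLE" | path_status
}
```

Run check_peer against a hostname from your machine list; a peer that never leaves DERP still works, as the quoted text says, but you are paying the relay's latency and should look at the NAT between the two ends.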
Tailscale - My Journey
When you put your services in multiple locations, you start to work in the world of cross-site routing: linking sites to each other and making them work seamlessly together.
When I started looking into this my first inclination was to link the two sites (home and cloud) using a WireGuard VPN tunnel. The driver for this: it's usually simpler to set up than OpenVPN.
Doing this I fell foul of an issue I have at home because of the double NAT environment I have set up. I went back to the drawing board and asked myself what I was looking to do.
I wanted all the servers at home and at Vultr to be able to communicate with each other. After a bit of googling I came across Tailscale, the answer to this and many other questions.
What is Tailscale?
Tailscale is a zero-config VPN.
A solution where an agent is installed on every device you want in the VPN mesh. The agent sets up a new network interface on that device and gives it a Tailscale-managed IP that is unique within your tailnet and static: it is assigned centrally by Tailscale's coordination server rather than by DHCP, and it doesn't change for the life of the device's registration.
Traditionally networking between sites would look like this
With Tailscale it looks like this
Because every device sits on the same IP network regardless of its physical location, it's essentially one large flat network.
To get this all working, create an account and log in at Tailscale.com, then install the agent on each server:
curl -fsSL https://tailscale.com/install.sh | sh
On a headless server this installs Tailscale and prints the command to run next (sudo tailscale up).
On its first run that command asks you to log in: it prints a link which you open in a browser to connect the device to your account, and you are done.
There will be a new NIC on your server, and you'll be able to ping any other Tailscale device you have registered on its Tailscale IP:
tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 126.96.36.199/32 scope global tailscale0
       valid_lft forever preferred_lft forever
Tailscale runs as a service, tailscaled, which is enabled on install so the Tailscale network comes up on boot.
💡 I can use the Android app on my phone or the Chromebook to access the Tailscale network.
The web interface
This is a functional interface and has the obvious items in it. The ones which stand out are:
A list of the machines attached to your subscription/Tailscale network.
These can be set up as groups of machines, identified by tags or by network.
The DNS was interesting, they have something called MagicDNS which at the time of writing was a list made up of the hostnames given by the machines in the machine list.
Tailscale also has deep integration with NextDNS.
NextDNS gives you a configuration ID which you add as the Tailscale global nameserver, so you get all the filtering and protection of NextDNS for internet lookups while your local servers are still resolved by the names you'd like.
There is more...
I mentioned that when you run tailscaled it gives the device an address in the 100.x.x.x (100.64.0.0/10, CGNAT) range. The private network made up of all your devices is referred to as a tailnet. Tailscale's own docs explain the choice of address space:
There are a few reasons to use this address space in particular:
It doesn’t conflict with the commonly-used private addresses your network might already use (10.0.0.0/8, 192.168.0.0/16, etc).
The addresses are intended to be used for intermediate NATted traffic that is neither on your LAN nor on the public Internet. When a device on this network wants to reach the public Internet, they are expected to be NAT'ed once more. This matches how Tailscale uses the addresses.
The addresses are supposed to be used by Internet Service Providers (ISPs) rather than private networks. Philosophically, Tailscale is a service provider creating a shared network on top of the regular Internet. When packets leave the Tailscale network, different addresses are always used.
A tailnet is your private network. When you log in for the first time to Tailscale on your phone, laptop, desktop, or cloud VM, a tailnet is created.
For personal users, you are a tailnet of many devices and one person.
Each device gets a private Tailscale IP address in the CGNAT range and every device can talk directly to every other device, wherever they are on the internet.
💡 Your tailnet is your space. The internet cannot reach it. Think of it like a conference room with only people you have invited inside.
Your tailnet can be a safe network where you are free to explore without the rest of the internet watching.
On some devices you can't install Tailscale at all, and for those there is the subnet router. From the Tailscale docs: in some situations, you can't or don't want to install Tailscale on each device:
With embedded devices, like printers, which don’t run external software
When connecting large quantities of devices, like an entire AWS VPC
When incrementally deploying Tailscale (eg. on legacy networks)
In these cases, you can set up a “subnet router” (previously called a relay node or relaynode) to access these devices from Tailscale.
Subnet routers act as a gateway, relaying traffic from your Tailscale network onto your physical subnet. Subnet routers respect features like access control policies, which make it easy to migrate a large network to Tailscale without installing the app on every device.
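The subnet router setup in practice, as an added example rather than anything from the original post or from Tailscale: a POSIX shell script that checks each route before advertising it (a well-formed CIDR, a true network address, and one that does not overlap the tailnet's own 100.64.0.0/10 block, which is the practical reason the CGNAT range above matters), then enables IP forwarding and runs tailscale up --advertise-routes. It also includes the post-install check of whether the address on tailscale0 really is a tailnet address. The checking functions are pure shell; advertise_routes and check_own_ip assume sudo, sysctl and the tailscale CLI are present when they are actually invoked, and the file name subnet-router.sh in the usage comment is only an assumption.

```shell
#!/bin/sh
# Added example, not code from the post or from Tailscale. The pure-shell
# checks run anywhere; advertise_routes and check_own_ip need the tailscale CLI.

# Dotted-quad IPv4 -> unsigned integer on stdout. Non-zero exit if malformed.
ip4_to_int() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  [ $# -eq 4 ] || return 1
  n=0
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$(( n * 256 + o ))
  done
  echo "$n"
}

# Tailscale's address block: 100.64.0.0/10 (RFC 6598 CGNAT space).
TS_NET=1681915904   # 100.64.0.0
TS_MASK=4290772992  # 0xFFC00000, the /10 netmask

# Exit 0 when $1 lies inside 100.64.0.0/10.
in_cgnat() {
  a=$(ip4_to_int "$1") || return 1
  [ $(( a & TS_MASK )) -eq "$TS_NET" ]
}

# Exit 0 when $1 is a CIDR that is safe to advertise: well-formed, prefix
# length 1-32 (0.0.0.0/0 is an exit node, use --advertise-exit-node for that),
# the address is the network address, and it does not overlap the tailnet.
route_ok() {
  case $1 in */*) ;; *) return 1 ;; esac
  net=${1%/*}; plen=${1#*/}
  case $plen in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -ge 1 ] && [ "$plen" -le 32 ] || return 1
  n=$(ip4_to_int "$net") || return 1
  m=$(( (4294967295 << (32 - plen)) & 4294967295 ))
  [ $(( n & m )) -eq "$n" ] || return 1      # host bits set: not a network
  if [ "$plen" -le 10 ]; then
    [ $(( TS_NET & m )) -ne "$n" ]           # our prefix would swallow the tailnet
  else
    [ $(( n & TS_MASK )) -ne "$TS_NET" ]     # our prefix sits inside the tailnet
  fi
}

# Post-install check: the address tailscaled handed this host must be CGNAT.
check_own_ip() {
  ip=$(tailscale ip -4) || return 2
  if in_cgnat "$ip"; then
    echo "tailscale0 has $ip (inside 100.64.0.0/10)"
  else
    echo "unexpected address $ip on tailscale0" >&2; return 1
  fi
}

# Validate comma-separated routes, then advertise them. Needs root via sudo.
advertise_routes() {
  _ifs=$IFS; IFS=,
  for r in $1; do
    if ! route_ok "$r"; then
      IFS=$_ifs; echo "refusing to advertise $r" >&2; return 1
    fi
  done
  IFS=$_ifs
  # Without forwarding the kernel drops packets between tailscale0 and the LAN.
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf >/dev/null
  sudo tailscale up --advertise-routes="$1"
}

# Usage: sh subnet-router.sh 192.168.1.0/24,10.10.0.0/16
# Nothing below runs when the file is sourced or executed without arguments.
[ $# -eq 0 ] || advertise_routes "$1"
```

After tailscale up returns, the route still has to be approved in the admin console's machine list (or matched by an autoApprovers rule in the ACL) before other devices will use it, and traffic through the router is subject to the same ACLs as everything else, which is the point the quoted text makes about migrating a network gradually.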
A Community project
While you'll often hear companies claim it, Tailscale actually is about community: you can fork their code, do stuff with it, report back, and they are really happy about it.
One of the founders Avery Pennarun is as mad as a box of ferrets, in the best way ever and a prolific writer of blog posts. Well worth a follow.
Because the underlying software is open source and people love to fiddle with new technologies, there are some great how-tos like this one where someone has outlined how to get an Amazon Firestick working with
If you're interested watch this video
Tailscale falls for me into the same category as Packer and Ansible: if I'd had them years ago, I'd have saved many hours of pain. It's a quick, easy solution to an age-old problem. It won't work for everyone, but it will solve problems for many forward-thinking individuals.