I’m wondering if I’m starting to outgrow Tailscale… my wife keeps having networking issues on Android due to Tailscale, the Nvidia Shield kills the Tailscale app randomly, and my parents’ TV doesn’t have a Tailscale app…

I feel like the time is approaching to publicly expose some of my services to the internet…

Any other tips?

  • redlemace@lemmy.world
    20 hours ago

    Exposing services to the internet is a whole other game. Try WireGuard first, I never had issues and use it mostly from my tablet.

    • paequ2@lemmy.todayOP
      18 hours ago

      I am kinda interested in WireGuard, but how does it work with multiple non-PC devices on different networks? Tailscale runs seamlessly on my Arch laptop, but Android, TVs, and streaming sticks have hiccups from time to time.

      I have services that I want to share with my non-techie family. If a service stops working, they suck at debugging and fixing the issue on their own.

      • Creat@discuss.tchncs.de
        18 hours ago

        Tailscale is WireGuard under the hood, if you didn’t know. It’s an overlay network that uses WireGuard to make the actual connections, and has some very clever “stuff” to get the clients actually to connect, even if behind firewalls without needing port forwarding.

        Using WireGuard directly basically just changes the app you use, which may or may not help with your issues. But the connecting technology is the exact same.

      • null_dot@lemmy.dbzer0.com
        19 hours ago

        I’ve never used Tailscale but use WireGuard extensively.

        There’s not much of a learning curve for you as the administrator. You have to discard some misconceptions you might bring from other VPNs but really after 30 minutes of looking at configs you’ll get it.

        I use WireGuard for my small team of 5 people to access self-hosted services. You install WireGuard, load the config, and then it just works.

        The trick, if it can be called that, is using public DNS for private services.

        On your server, suppose you have service-a, service-b and service-c in containers with IP addresses in the 10.0.2.0/24 range. Then you’d have a reverse proxy like Traefik at 10.0.2.1. You’d also create a WireGuard container with an IP in that same 10.0.2.0/24 range, and configure its WireGuard adapter to be 10.0.12.1 or something so you have “2” for the containers and “12” for the WireGuard clients.

        Then in WireGuard configurations you direct all traffic for 10.0.2.0/24 through the tunnel but everything else just uses their device’s normal internet connection.

        Finally create a public DNS record pointing to the reverse proxy like *.mydomain.com > 10.0.12.1

        Now whatever.mydomain.com will resolve to your reverse proxy but is still only available to devices connected to the WireGuard container on your server.
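An added example, not part of the comment above: a check that a client's split-tunnel `AllowedIPs` actually covers every address the public DNS records point at, using the addresses from the comment. The client config, key placeholders, `Endpoint` host and port, the `proxy.mydomain.com` name and the record table are constructed for illustration.

```python
import ipaddress

# Constructed client config for the layout described above; keys are
# placeholders and the Endpoint host/port are assumptions.
CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.12.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.mydomain.com:51820
AllowedIPs = 10.0.2.0/24
"""

# Constructed stand-ins for what public DNS would return (no live lookups).
RECORDS = {"whatever.mydomain.com": "10.0.12.1", "proxy.mydomain.com": "10.0.2.1"}


def allowed_networks(conf_text):
    """Return every AllowedIPs network listed in the [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "peer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets


def is_split_tunnel(nets):
    """True when no default route (0.0.0.0/0 or ::/0) goes through the tunnel."""
    return all(n.prefixlen > 0 for n in nets)


def uncovered(records, nets):
    """Names whose address no AllowedIPs entry covers: the tunnel never carries them."""
    return sorted(name for name, ip in records.items()
                  if not any(ipaddress.ip_address(ip) in n for n in nets))


if __name__ == "__main__":
    nets = allowed_networks(CLIENT_CONF)
    print("split tunnel:", is_split_tunnel(nets))
    print("not routed via WireGuard:", uncovered(RECORDS, nets))
```

With these values the wildcard target 10.0.12.1 falls outside `AllowedIPs = 10.0.2.0/24`, so WireGuard on the client has no peer to send it to; listing 10.0.12.1/32 in `AllowedIPs` as well, or pointing the record at 10.0.2.1, closes the gap.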

      • Fedegenerate@lemmynsfw.com
        19 hours ago

        I use Tailscale for my non-tech family.

        I run a rPi with Tailscale, pihole and nginx on it in their house. They connect to their WiFi, get adblocking for free. They go to “http://homarr.sever/”, pihole captures the request, sends it to nginx which reverse proxies to a homarr LXC on my server. From there they can click links to the services which are at “https://service/######.xyz”. Again, pihole captures the request, sends it to nginx which reverse proxies it over Tailscale to the appropriate LXC.

        One poor soul runs a mini PC with 2 mirrored SSDs attached, it runs everything above plus Syncthing. They have the privilege of running the remote backup for the server.

        For apps on their phone, I intend to set their phone up with Tailscale and then just have the app go to “http://dockge:1337/”… Just as soon as I learn to write the access controls to allow admins to access everything, users to access services, and services to access nothing. I just looked and there’s a GUI now so I could maybe do it this winter.

          • Fedegenerate@lemmynsfw.com
            19 hours ago

            Honestly, I wouldn’t.

            I only run it this way because a VPS had 0 WAF, and I’m terrified of opening ports. VPS is the well trodden ground, there’s tonnes of guides. Mine’s a hack job born of necessity, it works though, and I am proud of what I cobbled together.

            It was my first time solving my own problems. I had my meager skill set, a basic idea of what I wanted, some vague notion of how I was going to achieve it, and a thick forehead to smash against the problem till it gave way for me.

            I am going to keep running it this way though. To access my server you need to HAVE a relay rPi, and you need to KNOW a password. That’s two authentication factors right there, just built in.

    • Lucy :3@feddit.org
      18 hours ago

      My primary scare is wg being another potential single point of software failure, preventing remote access.

      • TBi@lemmy.world
        17 hours ago

        You can run it on two servers at once. I have WireGuard running on my router (which can’t give full speed) and my server (which can run at full speed). Also running on another machine for fun.