[HN Gopher] Choose your own IP ___________________________________________________________________ Choose your own IP Author : darthShadow Score : 126 points Date : 2023-12-07 17:29 UTC (5 hours ago) (HTM) web link (tailscale.com) (TXT) w3m dump (tailscale.com) | evntdrvn wrote: | Thank you to everyone at TS involved in this feature!! It will | solve a big pain point for us re reserved CGNAT ranges that were | causing conflicts. Cheers | wheybags wrote: | The one feature I feel is missing now is attaching to multiple | tailnets from the same client. Since you can configure address | ranges, I could set up non-overlapping ranges on my personal and | work tailnets, and then use both on my phone, for example. | arittr wrote: | "One thing you can rely on with IPv4: whatever the problem, | Network Address Translation is part of the solution." | | NAT... the cause of, and solution to, all of life's problems. | BLKNSLVR wrote: | I thought it was always DNS? | H8crilA wrote: | I thought it's BGP? Or maybe that's just the cause of all | problems, hmm... | Affric wrote: | My understanding of BGP is that it's so old (and was | relatively well designed) that it could now be considered | an arcane magic once widespread but now only known by some | old wizards. | 0x457 wrote: | Yes, but it's also an issue with IPv6. NAT is nearly always | involved with whenever you touch IPv4. | AdamJacobMuller wrote: | > To address this (no pun intended), | | Liars, you definitely did. | | I was a bit surprised when I learned tailscale was addressing out | of a single global pool and wondered how they would fix it when | they ran out of IPs (and I knew they would, Tailscale was and is | obviously that good to me). I vaguely suspected this would be | kind of solution they would employ because it's really perfect | from an end-user experience point of view, but, thought they | might not because it's definitely more complex on their side. | Shame on me for misunderestimating the tailscale team. | hughesjj wrote: | Hot take: The Tailscale team is the highest concentration of | leading network engineers from any company in the world today, | at least when it comes to consumer products. If we ever get a | true 'next gen' internet that removes the protocol cruft we've | layered on over the years, I could see it coming out of them | moreso anyone else. | moduspol wrote: | I just set up Tailscale for work last week. I've been really | impressed with it. | MuffinFlavored wrote: | What does it give you that Wireguard doesn't (or OpenVPN)? Just | easier to configure + setup + a nice UI? Just making sure I'm | not missing something, not trying to knock Tailscale. | | Do the "minimalist" people have good reason to prefer | "anything-else" other than "heavy feature-rich Tailscale"? | anderiv wrote: | For me the key additions are: 1) integration with our org | Identity Provider 2) NAT traversal + DERP relay fallback 3) | Tailscale's ACL functionality. | tptacek wrote: | Certainly, don't use OpenVPN in 2023 if you can avoid it. | WireGuard is much faster and more secure, and significantly | easier to set up. | | If you're a home user, the advantage to Tailscale is that | it's going to "just work", with a couple clicks, on any | supported device (of which there are lots). There's no | configuration to get started and, for a lot of users, no | configuration ever after that. The onboarding experience is | spooky; it's _upsettingly_ good. | | If you're a corporate user, the advantages are drastically | greater: you get SSO integration (this is historically one of | the annoying pain points of corporate access VPNs, to the | point where a significant fraction of pre-Tailscale netsec | teams just punted on this problem and hand-provisioned VPN | creds for people, which is a nightmare) and trivially simple | group-based access control. | mato wrote: | The combination of 'it just works' and 'SSO integration' is | a killer. | | To be honest, in 20+ years of working in IT, I never | understood the point of the latter until recently, on a gig | salvaging systems for a client with ~650 users after their | sole IT guy unexpectedly resigned after 20 years and left | for the mountains. | | IRL, SSO is gold. Many hackers, like me, underestimate it. | moduspol wrote: | And not just SSO, but OIDC. You don't even have to be an | admin on your domain to set it up. If you have a Gmail or | Office 365 e-mail address @mycorp.com, you can set up SSO | for it on your tailnet in seconds. Your team members | authenticating for the same domain will join your tailnet | automatically. | | And that's for the free and cheap tier. If you want the | fancy stuff (like SAML and automatic user provisioning / | filtering), they've apparently got that, too, but it's in | the more expensive tiers. | 0xbadcafebee wrote: | Worth pointing out that "just use Wireguard" is way | different than "just use Tailscale". The latter has | solutions for common problems, the former is not even | remotely comparable feature-wise to OpenVPN. If the only | choice is between OpenVPN or Wireguard, often OpenVPN is | the only acceptable option, because it has all the features | you need. | zikduruqe wrote: | > What does it give you that Wireguard doesn't | | Less battery life on your iPhone. :) | | I have both in my home network and love both. | | At work, I have used Tailscale in my Kubernetes clusters to | allow devs to get into the private subnets, so that is | awesome, and way better than trying to give a group wireguard | key pairs. | greenicon wrote: | Yes, the battery drain on iOS is also the thing stopping me | from having it on my iPhone. Wireguard is way better in | that regard, but has other issues (e.g. no split dns, no | dns re-resolve for dyndns or for network changes). | | Other than that tailscale is really great. It just works. | zikduruqe wrote: | Yep, I have my Wireguard client connect when I am off my | network and I split DNS so I can continue to use my ad | blocker when off my network and on the macro network. For | that it is perfect. | xoa wrote: | > _What does it give you that Wireguard doesn 't (or | OpenVPN)? Just easier to configure + setup + a nice UI? Just | making sure I'm not missing something, not trying to knock | Tailscale._ | | I personally haven't deployed it though I've toyed with it, | but I think as well as UI and integrations a core topology | differentiator is that, like Nebula, Tailscale does/can do | meshing. Plain vanilla Wireguard is pure classic hub-and- | spoke, which is 100% fine for a basic VPN use case like "I'm | out somewhere on the WAN and want to talk to this LAN stuff" | or "I want to tunnel some/all my traffic through some | specific alternate exit". | | But say you've got main site A which has a public static IP | and is where support is for administrating others, site B | which has a full backup server but no public IP, and then | sites C/D/E/etc where people are doing work and having | significant on-site storage and comms needs, all of which are | behind typical ISP NAT from multiple different ISPs with no | static IPs. Everyone wants to be able to do high bandwidth | things like video chat directly together, or back up/restore | to site B. Plain WG could do that, but would funnel it all | through site A's link which isn't very scalable and likely to | become a choke point in a hurry. A meshing VPN can let two | private sites talk directly with a public address only | serving to facilitate hole punching and setting up the | connection each time. It's definitely of real value. Another | thing would be not bandwidth but latency. If you're within a | few hundred miles on land that probably is irrelevant. But if | different sites/people are across continents adding an | unnecessary extra hop may become a very big deal even for | simple web apps. Resiliency also enters the equation, what if | site A goes down? A mesh can help with those too. | | Then Tailscale adds a lot of cool QoL on top. Meshing does | raise new challenges in terms of access control vs when | everything is funneled through a single convenient point. But | regardless, other topologies can be of basic interest too | even without extra sugar. | megous wrote: | > Wireguard is pure classic hub-and-spoke | | No it's not. You can do any to any just fine (and any | topology in between these extremes). | xoa wrote: | Nice job skipping the explicit qualifier of "plain | vanilla"? Being able to build your own version on top | isn't the same as an existing tested product. | moduspol wrote: | It does OIDC integration out-of-the-box and for their free | and cheap tiers. OIDC is like the "login with Google" stuff | that doesn't require any setup. So I was able to have SSO | setup immediately with our Office 365 domain without | bothering to setup SAML or anything. | | The VPN clients for Mac and iOS are on the App Store, which | may not mean much, but having developed VPN apps for both, | what it means is: it is far less likely break or muck with | your OS's networking in practice because it's sandboxed and | can only use Apple's SDK for interfacing with the OS. This is | compared to every OpenVPN client I've used on various | platforms, which must run as root and often is setting up and | tearing things down with shell scripts that can get hairy as | you add more complexity / moving parts. | | (Note that this is also true for Wireguard's client, just not | OpenVPN) | | The first three users are always free, so we're able to demo | it easily. It's also listed on AWS marketplace, so as we move | to start buying some licenses, it's billed through our AWS | bill (i.e. I don't need an act of Congress to get a credit | card number entered and a new monthly invoice reconciled | within my company). | | You can configure how often it forces reauthentication, which | is probably the biggest benefit over vanilla Wireguard. | Wireguard doesn't have mechanisms for expiring and replacing | keys, so it solves that. | | There's also an open source implementation of the master | service (called headscale) that you can run on your own, and | I was able to fairly easily set it up and get the existing | Tailscale apps from the App Store to be reconfigured to | utilize. | | Honestly it's the cleanest VPN experience I've had if you | need to deal with any kind of SSO and/or dynamic user/client | provisioning. If you're just setting up point-to-point | between a few of your own servers and clients that won't | change, maybe just stick to Wireguard. But once you start | needing anything more than that--I'd give Tailscale a shot | first. | tonyarkles wrote: | Yeah, I think "Just" is doing a lot of heavy lifting in that | question :) | | I've never configured Wireguard from scratch but I have | managed an OpenVPN deployment in the past. One of the most | fabulous aspects of Tailscale is that it's very self-served; | we configured our Tailscale account to allow email addresses | from our main domain name with O365 integration. When someone | wants to bring a new node online, they log in with their O365 | credentials and magically new keys are assigned to the node | and associated with the user who created them. In the past | with the OpenVPN deployment, it would usually take me 15-30 | minutes to get a new node online (generating keys, getting | them handed off to the user, helping them debug, etc); now it | takes me 0 minutes because the user can just generate their | own keys and I can be completely hands off, while still | having a nice view that I can use to revoke keys if needed. | belval wrote: | To be fair, Wireguard is incredibly easier to setup and | maintain than OpenVPN, pretty much not comparable. I don't | know how easy it is with Tailscale though so I can't | comment as to how much harder Wireguard is compared to it. | tsujamin wrote: | My mum could probably install on her phone, and configure an | exit on her computer, without knowing what Wireguard or `-j | MASQUERADE` means ;) | wharvle wrote: | You can set it up on most of your devices, including mobile, | with a couple clicks/taps, and not having to read any | manpages. You can achieve having e.g. an Apple TV as a VPN | network gateway with similar ease. | | A technical person who's familiar with what a VPN is and does | but has never configured one can have it working on a bunch | of their devices in like 30 minutes flat, with no notable | ongoing maintenance to worry about. | | If you're already configuring your home networking with | Ansible or Helm or something, it's probably not a win. | freedomben wrote: | Tailscale is basically automation and | authentication/authorization and UI on top of Wireguard. You | could do it all manually, but you'll need to know the details | of how to configure raw wireguard exactly how you need it, | which for many people is above their heads. There are a _lot_ | of things that tailscale automates, so you have to know a | great deal in order to configure a wireguard net yourself to | the equivalent | sleepybrett wrote: | https://tailscale.com/compare/wireguard/ | | Here is what I will say. I manually setup wireguard for my | home network, it was annoying but doable. Then when tailscale | started to get interesting I just decided try it out using a | free account and rolled back my wireguard configuration... | and never went back. It's so much less fiddly. | GauntletWizard wrote: | 1:1 Nat is a great solution... except in cases where IP Addresses | of peers are transmitted as part of the protocol, like in Gossip | structures or (Not that anyone should be using this!) FTP. Most | games do this, though explicitly to get around NAT so they | understand which packets are coming from where. | | Honestly, in none of my use-cases will it matter - I can't see | myself running a gossip protocol across servers that I do and | don't control. | jakedata wrote: | I hope they are working on improving firewall traversal. Lots of | firewalls don't allow symmetrical UDP NAT ports, causing clients | to fall back to DERP relays on TCP port 443. It's a lot slower. | It is possible to work around this by statically mapping inbound | UDP ports but that is clearly not an ideal situation. I generally | love Tailscale though, amazing work all around. | incahoots wrote: | Oh I wasn't aware of this, thanks for sharing this. | wtatum wrote: | Do you know of a straightforward way to identify that this is | happening: where one node is using DERP or one link between | your nodes is falling back to DERP? | cassianoleal wrote: | `tailscale status` should tell you which nodes do or don't | have a direct connection. | incahoots wrote: | Tailscale is needed if you require site to site connectivity via | something like Starlink. | | I may be putting my ignorance on display here, but I recently | completed a site-to-site network between two farms in rural | America, no other ISP can serve these farms, and they needed to | communicate cow data between the different farms. Tailscale did | the majority of the heavy lifting thankfully, and we were able to | get them all sorted out. | | I could not get Wireguard to work, and that may be down to my | limitations in networking, but I was sucessful with tailscale, so | make of that as you will. | howeyc wrote: | If I had to guess, it's probably the NAT hole-punching or use | of tailscale servers as an intermediary. | | If you signed up for a $5 VPS to forward packets you probably | would have been fine. | toomuchtodo wrote: | Tailscale is free for 3 users and up to 100 devices, so it's | a fine solution vs running your own VM for hole punching. | Consider your time value. You can even pay for Mullvad exit | node access for devices in your net and configure the | coordination layer accordingly. | nijave wrote: | Looks like Starlink supports IPv6 but you'd probably want | dynamic DNS updater to keep a DNS record with the correct IP in | case it ever changes. | freedomben wrote: | Lack of Wireguard docs/tutorials is unfortunate, because I'm in | the same boat. I'm using Tailscale now because I just don't | know enough about linux networking to figure out why my packets | aren't going where they should. I suspect it's a very simple | config error, but I don't know how to debug or where to look. I | like Tailscale, but I'd much rather use real wireguard and | eliminate a dependency on tailscale, but I can't find | guides/tutorials/etc. | | If anyone knows of a Wireguard walk-through to bridge two | separate LANs together, I'd love to see it | candiddevmike wrote: | Create a wireguard interface on each end, add the keys to | them, open up the allow list for each subnet, assign a IP | from a /30 (or /31) subnet on each end, set static routes to | point to other end or use a dynamic routing protocol. | | There are tools to automate this like wg-quick and systemd- | networkd, depending on your preference. | drdaeman wrote: | > Lack of Wireguard docs/tutorials is unfortunate | | The thing about Wireguard is that it's very simple and | minimal. It does just one thing, and that is - establishes a | layer 3 tunnel for sending IP packets between local machine | and some other peers. It doesn't do mesh, it doesn't do | routing (it just knows the IPs of its direct peers and that's | all it does), it doesn't do bridging - all this stuff is done | by other pieces such as Linux kernel, but not Wireguard | itself. | | > Wireguard walk-through to bridge two separate LANs | | Same or different subnets for those LANs? If they're | different and non-intersecting, and if you don't need cross- | LAN broadcast or multicast, the simplest option is to | establish a Wireguard connection between those LAN's default | gateway routers (assuming you can do this), and on each of | those routers set up a route that sends opposite LAN's | traffic to the opposite gateway (in case of iproute2: `ip | route add my.other.lan.subnet/mask via my.other.lan.gw`, how | to make this persistent depends on your distro). Then, on | each gateway, allow packet forwarding between Wireguard and | LAN interfaces (with e.g. iptables or nftables or whatever | you use there). | | If you can't run Wireguard on gateways, the overall principle | holds, but you'll need to distribute routes to your | respective LANs via Wireguard-running routers through DHCP or | whatever you use for routing on your LANs (e.g. OSPF). | | And if your LANs both have the same subnet, or if you need | multicast, things get significantly trickier (plus, there's | inevitable question of what should happen if two machines on | different LANs have the same IP). You'll probably need to run | something like L2TP or GRETAP (or something else that can | encapsulate you layer 2) over Wireguard. | | Or maybe just use OpenVPN in TAP mode (if you want all stuff | independent of any third parties) or Tailscale (because it | already works). | hhh wrote: | The end of your comment "or use Tailscale" sums up why I | would use Tailscale here. | drdaeman wrote: | Of course. Picking a tool is always a matter of what one | already knows. If you've already learned Tailscale and it | fits all your requirements - that means you go with it, | unless you have some reasons not to do it (which is | rare). | | And Tailscale surely has one benefit here - it's one | single product, with essentially no variations, so it's | (I presume, I haven't ever used Tailscale myself - never | needed it) easy to write a step-by-step instructions for. | Generic "GNU/Linux software router with Wireguard" is an | extremely vague target that impossible to give | instructions for, unless you spend a lot of time | describing the problem in finer detail. | rollcat wrote: | > I like Tailscale, but I'd much rather use real wireguard | and eliminate a dependency on tailscale, but I can't find | guides/tutorials/etc. | | You could use Headscale, which is an open-source/self-hosted | reimplementation of Tailscale control plane, so you can eat | your cake and have it too. | | Curious to know, why does distrust towards Tailscale come up | so often around here? They seem extremely transparent about | their strategy and incentives. | drdaeman wrote: | > Curious to know, why does distrust towards Tailscale come | up so often around here? | | I have a guess - I suspect it's because in the domain it | addresses, attitudes are towards self-reliance, privacy and | autonomy. | | If someone uses Tailscale in some cloudy (aka all someone | else's computers) setup, they probably don't bother. They | already shift trust and rely on other people. | | But Tailscale is infrequently used to manage own devices, | which is why it clashes with self-reliance attitudes. If | you run your own private hardware and networks, all or many | of those in your own castle, it may bug you to introduce | (or I'd rather say trust) a third party unless you're | forced to. Not because it's not trustworthy, but because of | the self-reliance attitude and desire to have full control | over what you think of your own systems. | | Sure, you're forced to trust your electricity provider (but | you have an UPS) or network uplink (and even then you make | security precaution), but trust in Tailscale is kind of | optional (it's not irreplaceable), and not everyone feel | like they want it. | | Pretty much the same why a lot of people frown upon IoT | stuff, even if it's from rare vendors who go extra mile to | make things reliable - because of the hypothetical "but | what if?" and feeling that you're losing the control here. | | Just a guess, though. Others' mileage may vary. | BonoboIO wrote: | On my synology ds418j Tailscale was faster than WireGuard | over the same interface. WireGuard used 30 to 50 percent more | cpu. Was strange, but not a real problem. Just an anecdote. | mschuster91 wrote: | > but I recently completed a site-to-site network between two | farms in rural America, no other ISP can serve these farms, and | they needed to communicate cow data between the different | farms. | | This may be verging on off-topic, but it's too good an | opportunity to not deliver this very fitting reminder: in 2018 | Anja Karliczek, then-Minister of Science of Germany, made | headlines for the quote "5G nicht an jeder Milchkanne | notwendig" [1] ("you don't need 5G on every milk jug") aka the | rural areas (that had been left behind even with prior mobile | phone/data and even landline DSL deployments) didn't have | enough need for fast Internet access. | | So, to answer her question, what exactly are these farms doing | that they need to exchange cow metrics? Tracking of milk | production per cow? | | [1] https://www.spiegel.de/politik/deutschland/anja-karliczek- | br... | 0x457 wrote: | I don't think you need Tailscale for this. | | You need tailscale when: | | 1) You have a lot of road-warriors | | 2) You need decent ACLs that isn't just IP based. | | 3a) You don't ability to directly connect to a site (just one | needs to be accessible) | | 3b) You can't add 3rd site to relay traffic or punch holes in | NAT. | | 4) You're afraid of terminals and/or text editors. | | Here is a good write-up on the subject: | https://www.procustodibus.com/blog/2021/11/wireguard-nftable... | jabroni_salad wrote: | > no other ISP | | I live in Iowa and we partner with a fixed wireless provider to | get decent fixed wireless service to clients in places that | don't have anything decent. They lease space on top of | basically every tall structure in the region (grain elevators) | and agriculture is their main line of business. | | We are specifically using them for private backhaul, but they | do normal internet access too. | cyrnel wrote: | > We all know how well IPv6 adoption has gone | | What frustrates me is that people keep building solutions like | this that heavily rely on IPv4, even when forward-compatible | options exist. With clever use of IPv6 transition technologies, | you could have retained support for legacy devices while | generally using IPv6 everywhere else. | sgjohnson wrote: | Tailscale supports IPv6. But their IPv6 support is useless to | you if your ISP doesn't support IPv6. | | This is a needed feature if you have no IPv6 AND are stuck in | CGNAT hell. | | And I'm an IPv6 evangelist. | H8crilA wrote: | No, Tailscale creates both IPv4 and IPv6 connectivity over .. | well pretty much anything. If there's IPv4 - it will use it, | if there's IPv6 - it will use it. If there's some traversable | NAT - it will use it. I think we should dig out the old meme | about ADSL running over a pair of wet strings. | cyrnel wrote: | If you have an agent installed on every node that can already | traverse NAT, you don't have to care about what your ISP | supports. | | There are many more IPv6-centric solutions to their problem. | Sounds like they didn't even try to think of alternatives and | instead reached straight for NAT. That wasn't necessary, at | least from the amount of information we can glean from this | one post. | timenova wrote: | I'm glad they released this feature. There are databases/services | which require you to input the IP address to listen on instead of | the network interface. This will greatly simplify configuring | those services. | jedberg wrote: | What is the advantage of using the CGNAT range instead of 10/8? | chrisfosterelli wrote: | That'd probably have a lot of conflicts with people's LANs. | rollcat wrote: | You're much more likely to be already using 10/8 as a part of | your setup, whereas 100.64/10 has only really been a thing for | residential/mobile ISPs. (I have no idea what happens to | Tailscale when your carrier gives you a 100.64/10.) | BonoboIO wrote: | Next thing: Vanity 100.xxx.xxx.xxx IP addresses. ___________________________________________________________________ (page generated 2023-12-07 23:00 UTC)