As in, would they be able to access your server?

  • Thomas@discuss.tchncs.de
    link
    fedilink
    arrow-up
    48
    arrow-down
    1
    ·
    24 days ago

    If you do not trust Tailscale as a company, here is an open source re-implementation of the server called headscale. Some/all clients are open source as well. So, you can review all components yourself or pay for a professional third-party review. Otherwise, if you take a binary blob from any origin, including Tailscale, and have it run with privileges on your server, there are few limits on what this blob can do. Yes, backdoors are technically possible, but probably bad for Tailscale’s business if that ever came to light.

    • jqubed@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      23 days ago

      I’ve never heard of professional third-party review of open source code. That’s a service people offer?

    • Tinkerer@lemmy.ca
      link
      fedilink
      arrow-up
      4
      ·
      24 days ago

      I’ve always wanted to do this however do I understand it correctly that I need to host headscale on a vps server that is not in my tailnet/home network?

      • uzay@infosec.pub
        link
        fedilink
        arrow-up
        5
        ·
        23 days ago

        It can be on your home network, but it needs to be reachable via HTTPS through the internet. So yeah, a vps is probably the best option.

  • Unmapped@lemmy.ml
    link
    fedilink
    arrow-up
    28
    arrow-down
    1
    ·
    24 days ago

    From what I understand tailscale is basically wire guard but made convenient. And how they do that is by managing you wire guard keys for you. So I would have assumed they could use the keys to access your network. HOWever while trying to look into this just now I found out tailnet lock exist and it says “When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can’t send or receive traffic on your tailnet.”

    • Quail4789@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      23 days ago

      How is NAT travelsal handled if you want to connect two devices via WG? That’s what Tailscale primarily does.

      • Unmapped@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        23 days ago

        Yeah true, that’s part of making wire guard more convenient. You have to have a 3rd connection for that I think. In tailscales case it the headscale server.

  • a1studmuffin@aussie.zone
    link
    fedilink
    English
    arrow-up
    11
    ·
    23 days ago

    If you’re concerned about privacy I don’t know why you’d use Tailscale over Wireguard directly. The latter is slightly more fiddly to configure, but you only do it once and there’s no cloud middleman involved, just your devices talking directly to each other.

      • czardestructo@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        22 days ago

        Yes and because wiregurad is stateless you’ll need a script that checks if your DNS endpoint has updated and restart the wireguard interface so it pulls the fresh DNS/updated IP address. I had to make said bash script for my nodes.

      • kadotux@sopuli.xyz
        link
        fedilink
        arrow-up
        1
        ·
        23 days ago

        Nope, just an open port. Works directly with public IP. I guess if some ISPs IP lease time is short and they keep changing it regularly, it might become a hassle.

          • kadotux@sopuli.xyz
            link
            fedilink
            arrow-up
            2
            ·
            23 days ago

            I’m afraid if you’re behind CGNAT it won’t work. Your router should have unique public IP. I’m not too well versed though…

  • Quail4789@lemmy.ml
    link
    fedilink
    English
    arrow-up
    7
    ·
    23 days ago

    Your question more relates to security rather than privacy. Tailscale cannot read any of your traffic. It’s all E2EE. Now, is it possible that they’re distributing binaries not built from the open source that contain a backdoor? Sure. But it would be an absolute shitshow, not because you and me but because of the many enterprise customers they have. So I don’t worry about that. Same goes for them going rogue and accessing your devices. For that, there’s Taillock which makes your devices not trust traffic from a device not signed by a trusted node in your Tailnet.

    I’d much rather make use of zero-config WG, exit nodes, relay servers, not having to worry about DDNS, solid NAT travelsal, etc. than to worry a company will lose their mind and attack free-plan users.

  • ReversalHatchery@beehaw.org
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    23 days ago

    for authentication you need an account at one of their supported SSO providers (which is mostly a big tech brand) or at an OpenID service.

    the bigger problem is that (I think) the choosen SSO provider will be able to impersonate you, and so they could reconfigure your network or connect to it

  • devfuuu@lemmy.world
    link
    fedilink
    arrow-up
    9
    arrow-down
    3
    ·
    23 days ago

    The official service is bound to need a SSO login from bad privacy related providers. They insist in not allowing a simple account creation with just email and password.

    • milliams@lemmy.world
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      23 days ago

      You can relatively easily set up a self-hosted OIDC sever like like Keycloak or Kanidm.

    • lud@lemm.ee
      link
      fedilink
      arrow-up
      3
      ·
      23 days ago

      Tailscale is very convenient if your home network is behind a CGNAT.

  • Fijxu@programming.dev
    link
    fedilink
    arrow-up
    2
    ·
    23 days ago

    Not a response, but I used to use taikscale with my own headscale server without problems but for some reason it just started to fail (I didn’t even updated tailscake nor headscake at all) and the speeds with direct connection were some unbelievable 0.00Mbps over direct connection.

    I searched for another MeshVPN and I found something called NetMaker, you can Selfhosted it too and it works really well. The speed is better than Taikscale too because it uses kernel wireguard instead of user space. They still lack some features like an Android client but I don’t care. I just want to connect servers securely. It’s pretty new software so it can have some bugs.

  • GravitySpoiled@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    23 days ago

    I use zerotier and afaik they can’t access it, hence, I assume it’s the same for tailscale