I've been using tailscale in my home setup for a while and really appreciate the simplicity. It has just worked in my experience. Before taking the leap for tailscale I was semi-struggling with a vault + wireguard + consul-template approach which was pretty cool and fun to set up, but a bit unnerving to be unsure if I got anything wrong and the chances of me being exposed.
This looks like yet another feature that fits my use case and reduces my security burden. Though I'm learning a few things from this post, the first being that I should have replaced my use of haproxy with rinetd ages ago. The other is about Certificate Transparency logging. Still going through the wiki pages to understand how that works, but would it really log an event such as Tailscale terminating the request, dumping the data, and re-encrypting them before sending us the request? Or is it possible for a bad actor to hide the logging?
I went all-in on Tailscale a couple of years ago but am slowly (and painfully) moving away from it.
It's a fantastic service but with a big flaw: its iOS app eats battery like crazy. I didn't know about it until I accidentally saw it one day: IIRC, it had consumed 20-25% battery averaged out over 10 days. (I used to keep it running in the background all the time, only to route DNS requests to pihole on a home server.) When I googled, it seems like a known problem on their forums for a long time.
At first it felt ‘magical’ being able to reach self-hosted services from my phone regardless of my location, but I quickly noticed the battery drain as well. I believe it has to do with an always-on ‘VPN’ and I don’t expect any improvements soon.
I’ve decided that Tailscale works perfectly for all my computers (e.g., Raspberry Pi, Synology NAS, laptop and VPS), but not for my mobile devices. To mitigate this I use cloudflared on my VPS to route internet traffic over tailscale to any internal services that I often use on my phone.
Cloudflared has good options for securing a tunnel by using MFA methods, for example Google authentication.
For the rare occasion that I need to access something else I can always temporarily join the Tailscale network from my phone.
It is not caused by an always-on VPN, but by Tailscale. Having e.g. plain Wireguard enabled 24/7 doesn't cause the battery drain or the other issues Tailscale on iOS has.
Unfortunately, Wireguard on iOS doesn't work very well with dyndns, as it doesn't re-resolve DNS and thus silently loses the connection when public home IPs change.
What are you hosting from your phone? Personally, I think upcycled phones plugged into USB drives are the future of selfhosting, but the software's not there yet.
It also eats a lot of data, I recently had around 3 GB eaten in a day just for maintaining the connection. On a metered mobile connection with 6 GB/month that's a tad too much.
I'd really like to use it, but in this state it's really unusable for me.
For that they need a certificate. They have two options of obtaining that:
a) They request one from a CA. This will be logged in Certificate Transparency logs, and thus you could detect it by comparing the certs logged with the ones your local machine generated
b) they could have their software upload the certificate from your machine. That would need effort to detect (deeply inspecting the software and/or its traffic), but if a whiff of such a "feature" were to be found by anyone it couldn't really be explained away. (and aren't their client apps open-source? then at least it'd be reduced to source inspection and compiling yourself, which makes hiding stuff harder)
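The detection described in option (a) above, reconciling what a Certificate Transparency monitor reports for your hostname against the certificates you actually obtained, as an added example that is not part of the thread or of Tailscale's code. It assumes the CT side arrives as dicts in the shape of crt.sh's JSON search results (`issuer_name`, `serial_number`, `common_name`, `not_before`) and that your ACME client's stored certs are summarised into the same shape; every record below is constructed sample data, including the CA name.

```python
"""Reconcile CT log entries for a hostname against locally obtained certs.

Added example, not from the thread. Assumptions: CT entries use crt.sh-style
field names; local certs are summarised into the same fields. All records
here are constructed sample data (the CA and hostnames are not real).
"""
from __future__ import annotations


def normalize_serial(serial: str) -> str:
    """Canonical form of an X.509 serial: lowercase hex, no colons or spaces,
    no leading zeros. `openssl x509 -serial` prints 04ABCD12, crt.sh prints
    04abcd12, other tools print 04:ab:cd:12; compare on one form."""
    s = serial.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    return s.lstrip("0") or "0"


def normalize_issuer(issuer: str) -> str:
    """Issuer DNs differ in spacing and attribute order between tools;
    lowercase each RDN component and sort them before comparing."""
    parts = [p.strip().lower() for p in issuer.split(",") if p.strip()]
    return ",".join(sorted(parts))


def cert_key(entry: dict) -> tuple[str, str]:
    """(issuer, serial) identifies one issuance; the same pair appears in CT
    for both the precertificate and the final certificate."""
    return (normalize_issuer(entry["issuer_name"]),
            normalize_serial(entry["serial_number"]))


def find_unexpected_ct_entries(local_certs: list[dict], ct_entries: list[dict]) -> list[dict]:
    """CT entries whose (issuer, serial) matches no cert you obtained yourself.
    This is the signal that someone else got a CA to issue for your name.
    Precert/leaf pairs are deduplicated so one issuance is reported once."""
    known = {cert_key(c) for c in local_certs}
    seen: set[tuple[str, str]] = set()
    unexpected = []
    for e in ct_entries:
        k = cert_key(e)
        if k in known or k in seen:
            continue
        seen.add(k)
        unexpected.append(e)
    return unexpected


def find_unlogged_local_certs(local_certs: list[dict], ct_entries: list[dict]) -> list[dict]:
    """Local certs not (yet) visible in CT. Usually monitor lag rather than an
    attack, but worth surfacing because the check above assumes CT is complete."""
    logged = {cert_key(e) for e in ct_entries}
    return [c for c in local_certs if cert_key(c) not in logged]


# Constructed sample data: what your ACME client stored for two nodes.
ISSUER = "C=US, O=Example CA, CN=Example Intermediate"
LOCAL_CERTS = [
    {"common_name": "node1.example.com", "issuer_name": ISSUER, "serial_number": "04:AB:CD:12"},
    {"common_name": "node2.example.com", "issuer_name": ISSUER, "serial_number": "11:22:33"},
]

# Constructed sample data: what a CT monitor returned for *.example.com.
# Same issuer written without spaces, as another tool might render the DN.
CT_ENTRIES = [
    {"common_name": "node1.example.com", "issuer_name": "C=US,O=Example CA,CN=Example Intermediate",
     "serial_number": "04abcd12", "not_before": "2024-01-10T00:00:00"},   # precertificate
    {"common_name": "node1.example.com", "issuer_name": "C=US,O=Example CA,CN=Example Intermediate",
     "serial_number": "04abcd12", "not_before": "2024-01-10T00:00:00"},   # final certificate
    {"common_name": "node1.example.com", "issuer_name": "C=US,O=Example CA,CN=Example Intermediate",
     "serial_number": "0f9e8d", "not_before": "2024-02-02T00:00:00"},     # not requested by us
]


def main() -> None:
    for e in find_unexpected_ct_entries(LOCAL_CERTS, CT_ENTRIES):
        print(f"UNEXPECTED issuance for {e['common_name']}: serial {e['serial_number']} "
              f"from {e['issuer_name']} (not_before {e['not_before']})")
    for c in find_unlogged_local_certs(LOCAL_CERTS, CT_ENTRIES):
        print(f"not yet in CT: {c['common_name']} serial {c['serial_number']}")


if __name__ == "__main__":
    main()
```

Matching on (issuer, serial) rather than on the hostname alone is what makes the check meaningful: a cert for your name that you did not request has a serial you have never seen, whatever CA issued it. Run this against a real monitor feed periodically and alert on any non-empty "unexpected" list.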
Thanks, you're right yeah, I've oversimplified things a bit.
Re: macOS and the Network Entitlements shenanigans: if I understand correctly, it is possible to just run tailscaled unsigned [1] via /dev/utun instead of Apple's APIs. Would it be possible to get this into the GUI so that if you want, you can compile it from source and don't have to do the Apple dance?
tailscaled isn't particularly stable on my machine though, so I guess I'll roll back to the closed source version. However, this could be a starting point for a Linux client!