Every few months I come back to this repo to check if they finally got Tailnet lock running or if someone security audited them in the meanwhile. Unfortunately neither of these things seem to make any progress and thus, I’ve grown uncertain in how much I can trust this as a core part of my infrastructure.
The entire premise of Tailscale SaaS builds on creating tunnels around your firewalls, then enabling the user to police what is allowed to be routed through these tunnels in a intuitive and unified way.
Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal, but can they also fulfill the second part by providing enough of their own security to make up for anything they just bypassed, or will they descend to just being a tool for exposing anything to the internet to fuck around with your local network admin? To me, not giving your Tailscale implementation any way for the user to understand or veto what the control server is instructing the clients to do while also not auditing your servers code at all sure seems daring…
Should add the project name, Headscale, to the title
Headscale has been on HN many times.
How does headscale hold up when you're streaming video over jellyfin/plex?
Does it run on Plan 9?
Love headscale, we just took it to production and it’s been great
As in you rolled out an internal service for the whole company?!
I’d love to see a write-up on that.
Especially in the unlikely event that you used Nix for the deployment.
Headscale has been serving me well for half a year now. It is great, to the point I have no idea how I lived without a tailscale network before.
It is packaged in openbsd, and that package is the server I am using.
Keep in mind that for many use cases (mobile access, GUI on macOS), this relies on the official Tailscale clients keeping the ability to set the control server.
The moment the inevitable enshitification will start at Tailscale, this feature will go away.
I’m saying this as a currently super happy Tailscale customer who was burned multiple times in the past by other companies being sold or running out of VC money
arent most of the the tailscale clients open source aside from the gui portion of the non open source os's?
This looks interesting! What's the added value over wireguard + openwrt setup?
Your devices will connect to each other peer-to-peer (even behind complex NATs) with no manual configuration, subject to ACLs you centrally manage. It just works.
People sometimes dismiss Tailscale as "just" a WireGuard orchestrator, but it's actually much more than that - From a product perspective, WireGuard is just an implementation detail.
it's wireguard that doesn't make me hate myself :)
It's a mesh VPN, so peers communicate directly without additional delay.
I opted for Netbird myself because Headscale's UI felt too basic for me back then. Has that improved over the years probably?
How is netbird? Is it more stable than tailscale/headscale? How is your performance while streaming a video?
wonder if some of the bugs with self-managing it have been worked out :)
> Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal
Did they really roll-their-own for those functions? I thought this was just a control layer on top of Tailscale’s stock services on the backend, are they facilitating connections with novel methods? Apologies if I’m asking obvious questions, I use ZeroTier pretty regularly, but I am not too familiar with Tailscale.
c.f. https://github.com/juanfont/headscale/issues/2416
One of the maintainers work for tailscale now.
maintainer's employment != security audit
My thinking is their time is divided now and could lead to less efforts spent on headscale.