this post was submitted on 12 Oct 2024
74 points (100.0% liked)

Privacy

31981 readers
230 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

As in, would they be able to access your server?

all 35 comments
sorted by: hot top controversial new old
[–] [email protected] 49 points 1 month ago (2 children)

If you do not trust Tailscale as a company, here is an open source re-implementation of the server called headscale. Some/all clients are open source as well. So, you can review all components yourself or pay for a professional third-party review. Otherwise, if you take a binary blob from any origin, including Tailscale, and have it run with privileges on your server, there are few limits on what this blob can do. Yes, backdoors are technically possible, but probably bad for Tailscale's business if that ever came to light.

[–] [email protected] 6 points 1 month ago (1 children)

I’ve never heard of professional third-party review of open source code. That’s a service people offer?

[–] SteveTech 6 points 1 month ago

I've heard of it, but I didn't think it was financially viable for an individual to pay for though.

[–] [email protected] 4 points 1 month ago (2 children)

I've always wanted to do this however do I understand it correctly that I need to host headscale on a vps server that is not in my tailnet/home network?

[–] [email protected] 5 points 1 month ago

It can be on your home network, but it needs to be reachable via HTTPS through the internet. So yeah, a vps is probably the best option.

[–] [email protected] 2 points 1 month ago

I dont think so. It would just require some ports open.

[–] [email protected] 27 points 1 month ago (1 children)

From what I understand tailscale is basically wire guard but made convenient. And how they do that is by managing you wire guard keys for you. So I would have assumed they could use the keys to access your network. HOWever while trying to look into this just now I found out tailnet lock exist and it says "When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can’t send or receive traffic on your tailnet."

[–] [email protected] 11 points 1 month ago (2 children)

If you're concerned about privacy I don't know why you'd use Tailscale over Wireguard directly. The latter is slightly more fiddly to configure, but you only do it once and there's no cloud middleman involved, just your devices talking directly to each other.

[–] [email protected] 3 points 1 month ago

Yes, fair. I was just attracted by the no-hassle method of Tailscale.

[–] [email protected] 6 points 1 month ago (1 children)

for authentication you need an account at one of their supported SSO providers (which is mostly a big tech brand) or at an OpenID service.

the bigger problem is that (I think) the choosen SSO provider will be able to impersonate you, and so they could reconfigure your network or connect to it

[–] [email protected] 6 points 1 month ago (1 children)

The official service is bound to need a SSO login from bad privacy related providers. They insist in not allowing a simple account creation with just email and password.

[–] [email protected] 0 points 1 month ago

You can relatively easily set up a self-hosted OIDC sever like like Keycloak or Kanidm.

[–] [email protected] 5 points 1 month ago (2 children)

The biggest downside, as I understand it, is that it's difficult to convince others to use your tailnet

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (1 children)

Just curious: what's the usecase of others joining your tailnet? Filesharing/Private cloud services?

[–] [email protected] 2 points 1 month ago

Yeah, that's why I use TailScale at all. I host services for my close friends to enjoy

[–] [email protected] 1 points 1 month ago (1 children)

You can enable Funnel, which doesn't require others to have the TS client.

[–] [email protected] 1 points 1 month ago

Had no idea that existed, I wonder what the security is like

[–] [email protected] 2 points 1 month ago (1 children)

Why not a direct VPN/WireGuard link to your home network? Works flawless.

[–] [email protected] 3 points 1 month ago

Tailscale is very convenient if your home network is behind a CGNAT.

[–] Fijxu 2 points 1 month ago

Not a response, but I used to use taikscale with my own headscale server without problems but for some reason it just started to fail (I didn't even updated tailscake nor headscake at all) and the speeds with direct connection were some unbelievable 0.00Mbps over direct connection.

I searched for another MeshVPN and I found something called NetMaker, you can Selfhosted it too and it works really well. The speed is better than Taikscale too because it uses kernel wireguard instead of user space. They still lack some features like an Android client but I don't care. I just want to connect servers securely. It's pretty new software so it can have some bugs.

[–] [email protected] 1 points 1 month ago
[–] [email protected] 1 points 1 month ago

How about netbird, all open source and self hostable

[–] [email protected] 0 points 1 month ago* (last edited 1 month ago)

I use zerotier and afaik they can't access it, hence, I assume it's the same for tailscale

[–] [email protected] -1 points 1 month ago (1 children)

The WireGuard encryptions stops when data reaches their servers and the data is re-encrypted to be sent to the client. So, theoretically, they can look at all the data being passed through.

Read more here about TLS termination and TLS passthrough. https://blog.aiquiral.me/bypass-cgnat