I can’t praise Tailscale and its developers enough… I discovered this do-it-yourself VPN solution about half a year ago and boy has it improved my life… Here is what I managed to accomplish with it.
I am running Tailscale on my old macbook air, henceforth referred to as my “server”, my two firesticks, and my phones.
*remotely=outside of LAN, so over internet*
-I can access my SMB shares remotely from my phones with OwlFiles and from my M1 Macbook air seamlessly through Finder. All I had to do was enter a simple command on my server in Terminal to add TCP/445 to “Services”. Tailscale then forwards incoming TCP connections on port 445 from within my tailnet to port 445 on my mac’s server. The result is that I am able to mount my 2TB share from anywhere I have internet and manage my files as though I was on my home network. I also have access to my entire media library from VLC installed on all my devices (once again, through SMB). If only I could somehow add my remote SMB shares to Kodi… But Kodi doesn’t seem to allow me to type in custom IP addresses when trying to add SMB shares. Let me know in the comments if you know how to add remote SMB shares to Kodi (the ones it does not detect automatically).
-Similarly, by adding a suitable HTTPS port to my server’s Tailscale services, I am able to manage the Transmission torrent client installed on my server remotely through Transmission’s web interface (while connected to Tailscale, of course).
-I can back up to Time Machine remotely and accessing my Time Machine backups remotely as well. There are a few caveats though. On my server, I had to add a shared folder (from Settings), allow access to it via SMB and mark it as a Time Machine backup destination. The process is pretty straightforward. The trick is to add it as a backup destination THROUGH TAILSCALE by typing in the Tailscale IP of your server or the Magic-DNS domain name. Also, you will not be able to access pre-existing time machine backups through Tailscale! Only the destinations that you initially add through Tailscale. This is why I have two backup destinations on my server - one that I back up to from my LAN and one that I use over Tailscale remotely. Works like a charm!!!
-I can control my server through VNC remotely and seamlessly as if I was connected to LAN. To do that, I had to add TCP/5900 to my server’s Tailscale services (which is akin to opening up TCP port 5900 to incoming connections from within the tailnet). This is particularly useful when I don’t have my M1 mac with me, but need to run Python code inside Spyder. I just turn on my bluetooth/trackpad combo, connect it to my S10+, jack myself into my tailnet, MultiVNC my way into my server and BAM.
-MagicDNS deserves its own praiseful review. Not only did it assign a permanent, simple domain name to all my Tailscale-enabled devices, but it allowed me to configure my own DNS server for Tailscale-connected devices. I was then able to choose custom DNS servers for specific domains, which let me block FireTV updates without compromising my security (The DNS server used for that looks a little sketchy so I don’t want all of my traffic to go through it) and also use AdGuard DNS without breaking Doordash’s Dasher app by routing doordash-specific DNS requests to Google’s DNS and not AdGuard’s. Solid win here, as Adguard’s DNS bricks the Dasher app. Let me know in the comments if you want to see my Magic-DNS configuration.
-FUNNEL: By running a funnel (proxy) on my home server, I am able to access my dad’s Bell Fibe TV channels through their web interface from anywhere on Earth - Bell treats my traffic as if it’s coming from my home network! It will NOT work if you use the mobile app, but works flawlessly from within Samsung Internet, Safari (on mac) and Grazing 3 (on iOS). Also, it’s quite neat to browse with my Canadian IP even when I am travelling (no more annoying “cookie consent” notices when in the EU). I suspect Netflix users could use this sort of setup to get around password-sharing restrictions. I am also running funnels on my firesticks just in case I need more bandwidth.
-SUBNETS: I am running a subnet on my home server so that I could adb into my firesticks and manage them remotely with scrcpy (update apps, install tweaks, etc). Yes, I am not a huge fan of the command line ^^’ . I can also access my wifi cameras remotely from my mac. The desktop app for the cheap chinese ones only allows you to manage them over LAN, but Tailscale takes care of that. Works like a charm!
I am beyond pleased with everything Tailscale enables me to do. It baffles me that this technology is somehow free to use. I am extremely grateful to be a part of the Tailscale community. Thank you!!
Share your ideas and questions in the comments.
Serious question, what makes tailscale so great? Isn’t it just vpn? I have been using wireguard for years and am now seeing everyone saying how great tailscale is but I can’t see any difference between them. If I already have wireguard setup and running, is there any point to look into setting up tailscale?
Not really, no. Tailscale uses wireguard under the hood. It has a nice user interface and makes setting up a split VPN super easy. It also provides relatively easy ways to do ACL between devices. If you already got wireguard set up, you can skip tailscale.
But it is not opensouce and free?
The client is not, no. Wireguard is open source and you can selfhost headscale, which is an open source server for tailscale, provided by tailscale themselves.
The core client code is open source at github.com/tailscale/tailscale. That repository contains the complete source code for the Linux client, and the core code used in all of the other clients. In general our clients are open source for open source platforms and closed source for closed source platforms, but all of them use that same core code. The closed source parts are essentially just signed GUI’s that talk to the same core.
Thanks for clarifying that :)
For the time being, their recent additions to wireguard-go have increased its performance by nearly double when compared to the kernel version.
From what I’ve read, the patches are currently under revision by zx2c4 for the kernel version.
Oh, that is crazy! I think I should do a bit of performance testing then :)
I have been running wireguard for a couple of years now, with a DigitalOcean VPS setup as the main server.
One thing I’ve noticed, is that specific wg clients will occasionally lose their connection to the wireguard network, and I’ll have to find some way to get to that machine and then a simple ping will re-establish it’s connection, and I can access that system again.
Started using tailscale a few months ago, parallel to the wg network, and have never ran into that issue with the tailscale daemons. I started using ts, as my backend remote to the wg locked out systems to get wg working again, but ts has been so reliable vs straight wg, that I’m now making it my preferred connection preference.
To be clear: I too am using tailscale for its convenience and reliability. While I havent had any issues with wireguard clients, it is interesting to see that there may be cases where switching from wireguard to tailscale can actually still make sense.
What also makes it great it’s the NAT traversal techniques. I’ve had trouble escaping my school network with plain wireguard (tried different ports and ideas). With tailscale I have never find a network I can’t escape.
It is simple. One click and done.
It’s just the ease of use, Tailscale sets everything up for you, keeps track of IPs so you don’t need to manually define endpoints, and handles NAT negotiation.
I was also using Wireguard (and OpenVPN) until my ISP let’s me share the ipv4 with my neighbors. Now I need Talescale.
If you’re already running wireguard and just want a VPN, there isn’t much that you’re missing out on except for convenience when it comes to device management and routing, automatic hostname DNS resolution, and also getting access to more advanced features like meshing and failover LAN/subnet sharing without needing to figure out how to do it in bare wireguard.
Honestly though, it’s free and makes for a great hassle-free backup VPN that just works. I use wireguard as my primary because it’s fully self-hosted, runs at the kernel level instead of within the userspace so it’s faster, and is more native than installing third-party solutions; with that said, I still run tailscale on all my servers as well in case I bork something while editing wireguard configs at any point.
any downsides to running tailscale? seems like it might just be adding risk (though minor) with little upside.
For my situation, as a backup/secondary VPN? I haven’t really noticed any downsides. It’s come in handy couple of times when I messed up the wireguard config on my wireguard server - it’s on an oracle cloud VM and it’s harder to get a local terminal in there in case you lose SSH/remote access, which I did.
One of the biggest things that it helps with is the double Nat dilemma that folks can run into if they’re either behind cgnat or don’t have control of their network management.
The 1st and main reason I use it for, is to avoid port forwarding.