If choosing between Tailscale + NextDNS and Proton VPN, which one protects more against data collection and profiling?

I really like using Tailscale, as it allows me to access my NAS from my computers, and it allows my phones (Samsung and iPhone) to “Taildrop” to each other, similar to Airdrop. I also really like that I can block all sorts of really specific things through NextDNS. However, I want to make sure that I’m actually protecting myself fully from privacy invasive items.

I tried using the Mullvad integration with Tailscale, but it broke too many sites for me, and I found that I was constantly turning the exit node on and off, so that is not an option for me.

I also have access to Proton VPN. I know it has Netshield, but that doesn’t allow me to block specific domains like NextDNS does. I’ve tried entering the DNS servers into Proton VPN, but if I do that, it doesn’t do anything until I re-link the IP address in NextDNS. And I have to do that every time the VPN stops and starts. In addition to this, it also steals the linked IP from all of my other devices.

So far, nobody at NextDNS or Proton has really been able to help me solve either of the above issues, so my current two options are Tailscale + NextDNS, or using ProtonVPN with Netshield on. Tailscale provides some extra functionality that I like. However, if privacy is MUCH better with a VPN than with the Tailscale + NextDNS combo, I’d be willing to give up that functionality. I’m hoping to hear from some people who are more experienced here.


Use YogaDNS with Proton.


Nope, not one of the two options. Please address my question instead.


Can you elaborate on what benefits this would provide relative to the options OP is considering or what problem it would solve?

If I understand correctly (?) @DutchBaby’s fundamental issue is that Tailscale works well at addressing one set of problems for them, and a VPN works well at addressing a different set of problems for them. But they have not found a way to effectively combine the two or solve both sets of problems at the same time (possibly further complicated by NextDNS).

I’m very much a Tailscale newbie, so I don’t have any solid advice, but I do have a similar conflict in my own personal situation (haven’t yet figured out a way to simultaneously combine the value I get from Tailscale, from an always on VPN, and from DNS filtering). I haven’t fully explored all the options and possibilities yet, but it feels there are substantial downsides/tradeoffs and added complexity whichever direction I choose to go.

@DutchBaby one thing to explore would be setting up a VM on your NAS or a home server that is used as an exit node, and setting up an always on VPN on that VM.


YogaDNS handles DNS queries at the kernel level, and you can use both Proton and Yoga at the same time without needing to link your IP to NextDNS. You can add secure DNS to Yoga, like DoH3, and use it with Proton.


Hi xe3,

Thanks for the advice! I hadn’t thought about setting up a VM on my NAS. I have a Synology, but Tailscale’s documentation shows that there’s no way to use a NAS as an exit node. But if I had a VM running Linux…that might actually solve the problem.

Still not sure if it’s more “secure” than Proton VPN, but hopefully it would get me a little bit closer! I really do not want to give up Tailscale’s benefits here.


I would stick with Tailscale + NextDNS since the DNS-based blocking available on NextDNS is far superior to what’s available through Proton. Given that pretty much every website is encrypted these days, VPNs have lost some of their usefulness. I only use them when I am on a wifi network (or in a country) I consider hostile.

Anyway, it is entirely possible to use your Synology NAS running the Tailscale app as an exit node. I’ve done so myself and it works just fine. I’m just using the official Tailscale app on my Synology NAS…no funny business. Just open the Tailscale app from your Synology NAS UI and tell it you want it to be an exit node.


Not a VPN replacement, but Control D with its Redirect feature can be an option instead of the NextDNS + Proton VPN combo. It redirects sites via their own proxies.


Thanks! That’s a good point, I forget how much https and other site security improvements have been made. And thank you for actually sticking to my question in my post. Apparently, that’s not a given around here lol.

It’s “more secure” only in that it allows you to not expose your home server/homelab to the open internet. Tailscale won’t make your general web browsing or your personal devices more secure, but if it keeps you from needing to open some ports on your home network and home server, that is beneficial to the security of your home network and home server.

On your own trusted home network the VPN wouldn’t be providing much security (but it would be providing privacy). @Anonymous95 is correct that forcing HTTPS and encrypted DNS would accomplish much (but not all) of the privacy benefit gained from a VPN. The two downsides I can think of compared to a VPN would be (1) partial/imperfect protection from your ISP / a MitM (2) A VPN hides your true IP (and rough location) from the websites you visit, HTTPS only cannot.

I think if you were to set up a VPN on your Tailscale exit node, it’d mean you wouldn’t have to choose between VPN and Tailscale + DNS filtering, so you could have most of the benefits of each. But it may be more complicated, or there may be downsides I’m not considering or seeing.

Yes, setting up the home-based NAS as an exit node and using it when out of the home is essentially the same as using a home-based Wireguard VPN server for general internet use. If you aren’t worried about your home ISP knowing what IPs you’re hitting, then this is the answer. As an added bonus, your home IP will not be on random IP blacklists frequently and randomly used by various sites/services online. The same cannot be said of public VPN IPs.
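The Linux-VM exit node discussed above (a VM on the NAS advertising itself as an exit node, optionally with an always-on VPN in front of it) as an added worked example; this is not code from the thread, from Tailscale or from Proton. It uses only documented Tailscale commands (`tailscale up --advertise-exit-node`, the sysctl drop-in Tailscale’s docs ask for) and adds the two checks a practitioner wants before trusting the node: that forwarding is actually on (without it the node advertises itself but drops forwarded traffic) and which interface the VM’s default route leaves through (with a VPN on the VM, that should be the VPN interface, otherwise exit-node traffic goes out through the home ISP). The interface names `proton0` and `wg0` and the route lines in the comments are constructed, and the file paths are parameters so the checks can be exercised offline:

```shell
#!/bin/sh
# Added example, not from the thread: prepare a Linux VM as a Tailscale exit node
# and verify the prerequisites. Paths and interface names are parameters so the
# checks can be run against constructed files.

# Sysctl drop-in that Tailscale's exit-node documentation has you create.
TS_SYSCTL_CONF="/etc/sysctl.d/99-tailscale.conf"

# forwarding_enabled FILE: succeed when FILE (normally /proc/sys/net/ipv4/ip_forward)
# contains 1. Without forwarding the node is advertised but forwards nothing.
forwarding_enabled() {
  [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# write_forwarding_conf FILE: write the IPv4 and IPv6 forwarding settings.
write_forwarding_conf() {
  cat > "$1" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
}

# default_route_dev ROUTE_LINE: extract the interface name from one line of
# `ip route show default`, e.g. "default via 10.2.0.1 dev proton0 ..." -> proton0
# (constructed sample). With an always-on VPN on the VM this should be the VPN
# interface, otherwise traffic from remote devices exits via the home ISP.
default_route_dev() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# exit_node_setup: the real steps, run as root on the VM. After this the node
# must be approved once as an exit node in the Tailscale admin console, and
# clients select it under "Exit node".
exit_node_setup() {
  write_forwarding_conf "$TS_SYSCTL_CONF"
  sysctl -p "$TS_SYSCTL_CONF"
  tailscale up --advertise-exit-node
  if ! forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
    echo "IPv4 forwarding is not active; exit node would drop traffic" >&2
    return 1
  fi
  echo "default route leaves via: $(default_route_dev "$(ip -4 route show default | head -n 1)")"
  tailscale status
}

# Only perform the setup when invoked as "sh this.sh setup"; otherwise the
# file just defines the functions above.
if [ "${1:-}" = "setup" ]; then
  exit_node_setup
fi
```

After bringing the VPN up on the VM, check `tailscale status` and `tailscale ping <other-device>` from the VM: if the VPN tunnel swallowed Tailscale’s own traffic, the node will show as offline or unreachable and needs the VPN’s routing excluded for tailscaled before it is usable as an exit node.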