Tailscale vs Headscale

Ok, so creating the accounts was the most painful step since I wanted to use a separate account. It took me about 2 hours :rofl: :

  1. Created an account for myself.
  2. That account needed another account for recovery.
  3. Changed the privacy settings of those 2 accounts (ads, telemetry, etc.)
  4. Repeat steps 1-3 for 2 more Tailscale users.

I tested the solution and it works well!

I’ll report back for speed and what not after a month.

2 Likes

Ok, reporting back. I’ve only used it twice. Once in my home country and it worked great on device.

The second time, it was lagging way too much. I was away from my country and I also used a chromecast. I should have tested without the chromecast to see which was the culprit between distance and chromecast.

I’ll report back in a couple months as I don’t use it often.

By default, when you start Tailscale, it overwrites the Linux DNS with its own to offer you its MagicDNS first. It allows you to expose yourtailscalemachine.tailnetname.com at the Tailscale IP. If it causes you issues, you can disable it with a tailscale set DNS CLI command. I had to disable it somewhere because it interfered (think it was my DNS server machine).

Two things make me pause re: Tailscale and privacy:

  1. The company only has 10,000 paying customers, while their weekly active users are over 500k (Source). That means that less than 2% of their users are paying customers, yet over the years they inexplicably increased the generosity of their free plan so that you can bring up to 100(!?!) devices. IMO, this means individual plans no longer make money, and only make sense financially if their main source of revenue is data instead of (paying) customers.
  2. It is extremely counter-intuitive that Tailscale set up the infrastructure (DERP relay servers globally, storage, Coordination servers, etc) to automatically opt-in and send minute-by-minute logs of user traffic for ‘troubleshooting support’ when less than 2% of logs involve paying customers.

I believe this line does a LOT of heavy lifting in the Privacy Policy:

Please note that Tailscale does not process, or have the ability to access, the content of User traffic data transmitted through the Tailscale Solution, which is fully end-to-end encrypted

Considering that they conveniently offer Tailscale DNS as a default to all free/paid users, they already capture incredibly detailed browsing metadata from headers alone like:

  • Host: headers with full domain names
  • Referer: headers showing navigation patterns
  • User-Agent: strings revealing software/versions
  • SNI (Server Name Indication) in TLS handshakes

Proclaiming to not read internet traffic while likely profiting off of being a DNS resolver is akin to someone saying, “I don’t read your mail, I just track every person you correspond with, how often you communicate with them, and cross-reference that with the rest of the population to make educated guesses about you”

Let’s look at their approach to logs:

  1. They have an admin GUI with a copious dashboard, yet the only way to turn off logging is via the terminal in a nondescript config file
  2. Turning this off on the main device/exit node does not affect the logging for your other computers. Each one needs to have the logs turned off manually to avoid the consistent logs being sent to tailscale.
  3. And how do you turn off logging for mobile devices? That functionality is not available so all mobile logs will still be sent to tailscale servers.

For more evidence, look at the post before this one. Their default install behavior is to conveniently overwrite your network DNS with tailscale DNS. If I’m understanding things correctly, that means that even non-tailscale traffic ends up being routed back to tailscale servers. Boy they sure are skilled at stumbling into sending themselves even more ‘support logs’ that they’ll never use…

…Or, by acting as a DNS server and resolving your queries, coupled with a steady drip of metadata from your logs, they now have access to your internet browsing history, your connected devices, your home network and your travel patterns IRL; this arguably gives them the ability to combine the patterns in your cyber life and offline life in a scope that is rivaled only by Google.

I have been dragging my feet on setting up a VPS, but the more I think about it, the more that headscale seems like the obvious choice from a privacy perspective.

2 Likes
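Two of the settings argued over above (the DNS takeover described a few posts up and the logging that has to be switched off per machine) can be checked from the files they live in. The script below is an added example, not code from this thread or from Tailscale. It assumes that tailscaled's MagicDNS resolver listens on 100.100.100.100, that the resolv.conf tailscaled writes carries a comment mentioning tailscale, and that /etc/default/tailscaled passes daemon flags as FLAGS="..." with --no-logs-no-support being the flag that stops log upload. The sample file contents are constructed.

```python
"""Added example (not from the thread or from Tailscale): audit two Linux
settings discussed above from the text of the relevant files.

Assumptions: tailscaled's MagicDNS resolver listens on 100.100.100.100, the
resolv.conf it writes carries a comment mentioning tailscale, and
/etc/default/tailscaled passes daemon flags as FLAGS="..." (the
--no-logs-no-support flag turns off log upload).
"""
import re

TAILSCALE_RESOLVER = "100.100.100.100"
NO_LOGS_FLAG = "--no-logs-no-support"


def parse_resolv_conf(text):
    """Return (nameservers in order, whether a comment marks the file as Tailscale-written)."""
    nameservers, managed = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            managed = managed or "tailscale" in stripped.lower()
            continue
        parts = stripped.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            nameservers.append(parts[1])
    return nameservers, managed


def dns_captured_by_tailscale(resolv_conf_text):
    """True when the first resolver the system will ask is Tailscale's MagicDNS."""
    nameservers, managed = parse_resolv_conf(resolv_conf_text)
    return managed or (bool(nameservers) and nameservers[0] == TAILSCALE_RESOLVER)


def parse_default_flags(default_text):
    """Extract the daemon flags from a FLAGS="..." line (bare values also accepted)."""
    for line in default_text.splitlines():
        m = re.match(r'\s*FLAGS=(?:"([^"]*)"|(\S*))', line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
            return value.split()
    return []


def logging_disabled(default_text):
    """True when tailscaled is started with the no-logs flag."""
    return NO_LOGS_FLAG in parse_default_flags(default_text)


def audit(resolv_conf_text, default_text):
    """List of findings; empty when both settings keep data on the host."""
    findings = []
    if dns_captured_by_tailscale(resolv_conf_text):
        findings.append("DNS: resolver is Tailscale MagicDNS; "
                        "run `tailscale set --accept-dns=false` to keep your own resolver")
    if not logging_disabled(default_text):
        findings.append(f"LOGS: tailscaled runs without {NO_LOGS_FLAG}; "
                        "add it to FLAGS in /etc/default/tailscaled and restart tailscaled")
    return findings


# Constructed sample file contents (not captured from a real host).
RESOLV_TAILSCALE = (
    "# resolv.conf(5) file generated by tailscale\n"
    "nameserver 100.100.100.100\n"
    "search example-tailnet.ts.net\n"
)
RESOLV_LOCAL = "nameserver 192.168.1.2\n"
DEFAULT_LOGS_ON = 'PORT="41641"\nFLAGS=""\n'
DEFAULT_LOGS_OFF = f'PORT="41641"\nFLAGS="{NO_LOGS_FLAG}"\n'

if __name__ == "__main__":
    for finding in audit(RESOLV_TAILSCALE, DEFAULT_LOGS_ON):
        print(finding)
```

On a real machine, feed it the actual files: audit(open("/etc/resolv.conf").read(), open("/etc/default/tailscaled").read()). Two caveats: on hosts using systemd-resolved or NetworkManager, tailscaled can hand its resolver to that service instead of rewriting /etc/resolv.conf, so the file check alone can miss the takeover (check resolvectl status as well); and, as the thread notes, the mobile apps have no equivalent of this flag, so the audit only covers the Linux package.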

Woah… Your reply is scary. So you’re implying that they gather all this data to sell it afterwards?

A lot of people here and elsewhere seem to have the CEO in high regards as an honest person.

I don’t have industry-specific knowledge and there’s nothing definitive to say they’re using the data for nefarious purposes, so take my perspective w/ a grain of salt.

I will say that on this board, we are all familiar to varying degrees with privacy-friendly software such as Debian, OpenWrt and GrapheneOS. The question I asked myself is if tomorrow, any of them rolled out a mesh app with a logging feature that was auto opt-in, required on my mobile device, pinged my devices +50x/day (even when I wasn’t using a device) and sent all the data back to their server, would we call it a privacy-friendly/privacy-respecting app?

Back to tailscale specifically, I want to reiterate that as far as we know, everything is above board. Tailscale is a very security-focused company, but security != privacy, which is likely why security is prominent in their docs, while privacy is overlooked/ignored.

AFAICS, reflecting on their unique setup, the amount of personal data tailscale can ‘theoretically’ use to create a profile exceeds typical VPNs (traditionally limited to one device, doing web browsing during an individual VPN session) and ISPs (only know what you do on your home network) and mobile networks (limited to mostly phone usage).

I am open if someone more informed on the topic refutes my perspective and wants to push back btw.

3 Likes

To my mind, the logs are pretty innocuous and the DNS data is no different from what any other VPN/ISP can collect, plus it’s very easy to edit the DNS server in their web interface. No more difficult, let’s say, than editing it in your router’s settings page.

Note that Tailscale do provide support to free tier users - I’ve used it several times in the past - so log collection can have its uses.

IMHO, having Tailscale + pihole/Nextcloud + Mullvad is a lovely combination. Perhaps not the most private, but it allows custom DNS filtering, access to your self-hosted contacts/files plus a VPN.

My main gripe with Tailscale (and WireGuard more generally) is the lack of post-quantum encryption.

1 Like

That is a DNS leak.

Not with Mullvad as the upstream DNS…

You would need to reroute Pi-hole’s upstream DNS requests back into the same Mullvad VPN tunnel, otherwise your choice of DNS server would stand out from other users. Simply choosing Mullvad’s public DNS servers as upstream is not enough.
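A way to see the leak being described: the script below is an added example, not code from this thread, Pi-hole or Mullvad. It models a Linux routing table as (prefix, interface) pairs and applies the same longest-prefix-match rule the kernel uses, to show that pointing Pi-hole at a public resolver still sends those queries out the ISP interface unless a route sends that resolver's address into the tunnel. The interface names, prefixes and addresses are constructed for illustration; 10.64.0.1 stands in for an in-tunnel resolver and 194.242.2.2 for a public one.

```python
"""Added example (not from the thread, Pi-hole or Mullvad): check which
interface a resolver's upstream DNS queries would leave through, using the
same longest-prefix-match rule the Linux kernel applies. Everything here
(interface names, prefixes, addresses) is constructed for illustration.
"""
import ipaddress

TUNNEL_IFACE = "wg0"  # assumed name of the WireGuard interface the VPN client creates

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES_LEAKY = [
    ("0.0.0.0/0", "eth0"),           # default route straight to the ISP
    ("192.168.1.0/24", "eth0"),      # LAN
    ("10.64.0.0/10", TUNNEL_IFACE),  # addresses reachable only inside the tunnel
]

# Same table plus a host route that forces the public resolver into the tunnel.
ROUTES_FIXED = ROUTES_LEAKY + [("194.242.2.2/32", TUNNEL_IFACE)]


def egress_interface(dst, routes):
    """Longest-prefix match: the most specific matching route decides the interface."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def upstream_dns_leaks(upstreams, routes, tunnel_iface=TUNNEL_IFACE):
    """Return the upstream resolvers whose queries would bypass the tunnel."""
    return [u for u in upstreams if egress_interface(u, routes) != tunnel_iface]


# Constructed Pi-hole upstream list: one in-tunnel resolver, one public resolver.
UPSTREAMS = ["10.64.0.1", "194.242.2.2"]

if __name__ == "__main__":
    print("leaks before fix:", upstream_dns_leaks(UPSTREAMS, ROUTES_LEAKY))
    print("leaks after fix: ", upstream_dns_leaks(UPSTREAMS, ROUTES_FIXED))
```

On a real Pi-hole host the table comes from ip route, and the quickest equivalent check is ip route get <upstream address> for each configured upstream: if the answer names the ISP-facing interface rather than the tunnel, the query leaves outside the VPN regardless of which resolver it goes to. The ROUTES_FIXED line corresponds to adding a host route for the resolver via the tunnel interface; a VPN client that manages its own policy routing may already do this, so verify rather than assume.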

The question is if an enterprise is paying for 1000 users, does it count as one user or 1000 users?

What makes you think that the company’s own comparison is better than LLM generated? Consider Tuta’s privacy list which does not even mention Proton. They prepare it to buy their product. :grinning_face: