What Tailscale isn't: an anonymity service

4 Likes

I still think that the level of Tailscale’s logging is excessive to the point of it having an ulterior motive, but the article does make an attempt at allaying privacy concerns. Interesting read, thanks for sharing.

2 Likes

At least they’re being honest about it. They’re literally telling you not to use their service if you want to be anonymous.

1 Like

Creating a Tailscale account requires having Apple, Google, and Microsoft accounts. Who would expect anonymity from Tailscale under these conditions?

4 Likes

Seriously? Only 3 options? No way to use email and password?

There are some other options, but a password isn’t one of them; all are external accounts.

I feel like most people do not actually benefit from the easy mesh networking Tailscale provides, and could just use a simple central WireGuard server, either on a VPS or at home. I’ve mainly switched back to this setup (well, sort of) and it’s been no problem.

If you actually do need an easy mesh VPN, Netbird might be solid as a self-hosted alternative. I never got a chance to really use it but I know other people who do.

Tailscale is probably “best” if your needs are too complex for WireGuard, and you’re not savvy enough to install Netbird, but between both things that seems like a pretty small percentage of people…

7 Likes

Speaking of not being an anonymity service, I stumbled across this ticket on Tailscale’s GitHub. It’s been open for 3 months with no response:

When “Use Tailscale DNS settings” is checked in macOS, Tailscale additionally records all your system’s DNS queries. This means that when this box is checked, on machines where it is installed, Tailscale will collect metadata about your laptop’s routine web browsing, such as when you visit Google.com, and when your server retrieves updates from Ubuntu, your AWS account ID, your EKS endpoints, and other private hash information that appears in domain names. This is your “Internet browsing metadata”.

Yeah, I’ve been reading more and more here on Tailscale, and I’d like to switch.

My use case is accessing my NAS files from outside my country securely and privately. What would be the easiest alternative?

Edit: from my research, it would be Headscale or Netbird.

I think that the best they can provide is passkeys, even as of today.

I’m currently in exactly that situation, and considering giving Netbird a try because:

  • having a WireGuard-only setup will require me to have an external VPS or expose my LAN to the Internet
  • or give all my anonymity to Tailscale
  • or limit it somewhat by using Headscale (but the setup is not the most friendly/stable)

Turns out, Netbird looks like a better solution overall because it’s fully FOSS and not a hacky community backend-compatible solution.
But maybe I missed a basic feature of WG that would allow me to skip opening any kind of port on my router? A buddy told me to maybe do some port knocking, but that idea doesn’t sound too exciting tbh.

Is there a way to have native access to my LAN from outside my home à la Tailscale with only WG? :thinking:

Haha yes, I’m coming exactly from your previous post here

I self-host netbird and don’t have any ports open on my LAN because I host it on a VPS (costs $1/mo). Port knocking was excessive for my setup, but my VPS is running fail2ban + ufw, and I moved my sshd away from port 22 to a more obscure port.

IIRC, if you aren’t a self-hoster, you can use netbird’s cloud version for free and avoid opening any ports, à la Tailscale.
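A hub-and-spoke WireGuard layout that addresses the “WG only, no ports on my router” question above, written here as an added example (it is not from the thread or from any project). The VPS as hub is the only host that opens a port; the home side dials out and holds the NAT mapping with keepalives. The home LAN subnet 192.168.1.0/24, the host vps.example.com, the eth0 interface name and the <...> keys are constructed placeholders:

```ini
# ---- VPS hub: /etc/wireguard/wg0.conf (the only machine with an open port) ----
# Firewall on the hub also needs: ufw allow 51820/udp
[Interface]
Address    = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>        # placeholder; generate with `wg genkey`
# The hub only relays between peers: enable forwarding and, with ufw, add a
# route rule, because ufw's default forward policy is DROP.
PostUp   = sysctl -w net.ipv4.ip_forward=1; ufw route allow in on wg0 out on wg0
PostDown = ufw route delete allow in on wg0 out on wg0

[Peer]   # home gateway; the hub learns its address from the outbound handshake
PublicKey  = <HOME_PUBLIC_KEY>
AllowedIPs = 10.66.0.2/32, 192.168.1.0/24   # hub routes the home LAN to this peer

[Peer]   # roaming laptop
PublicKey  = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.66.0.3/32

# ---- Home gateway (a Pi or the NAS on the LAN): /etc/wireguard/wg0.conf ----
[Interface]
Address    = 10.66.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# No ListenPort: this side only dials out, so the home router forwards nothing.
# Masquerade so LAN hosts reply to the gateway instead of needing a 10.66.0.0/24 route.
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s 10.66.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.66.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey  = <VPS_PUBLIC_KEY>
Endpoint   = vps.example.com:51820
AllowedIPs = 10.66.0.0/24          # accept traffic from any overlay peer via the hub
PersistentKeepalive = 25           # keeps the router's NAT mapping open for hub->home packets

# ---- Laptop abroad: /etc/wireguard/wg0.conf ----
[Interface]
Address    = 10.66.0.3/24
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
PublicKey  = <VPS_PUBLIC_KEY>
Endpoint   = vps.example.com:51820
AllowedIPs = 10.66.0.0/24, 192.168.1.0/24   # overlay + home LAN only, not 0.0.0.0/0
PersistentKeepalive = 25
```

Because the hub terminates both tunnels, the VPS decrypts and re-encrypts every relayed packet, so the VPS operator is fully in the trust path; anything that must stay private end to end (SSH, HTTPS to the NAS) needs its own encryption inside the tunnel.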

I am not a security sysadmin and do not believe that I can harden a VPS enough to the point of making it bulletproof, and no, I do not consider fail2ban + ufw + obscuration to be a safe enough solution.
Hence, an entry point outside of my LAN is a no-go. No system exposed to the Internet is trustworthy IMO, especially if you need to trust the VPS provider.

But I can probably manage to self-host it myself without too much issue. Mostly wanted to know which one to pick: Headscale or Netbird. It was trickier than expected to make the first one work out properly because of all the Docker networking (still new to it).

But I was also curious to know if WG alone could solve my problem, because I started to reach the end of my networking knowledge. :downcast_face_with_sweat: