Is anyone familiar with Tailscale?

Not strictly Node-RED, but we have had some discussion here about securing remote access to NR servers. This product was recommended to me, and it looks like the free option would be enough for my needs on some small projects. There are enough VPN and VPN-like offerings out there that I'm not sure there is an obvious choice. Any thoughts on what to look for and what to avoid?

As you say, there are now a multitude of options, all with different advantages and disadvantages. Tailscale seems to fall into the middle ground.

The main thing to note is that with all of these tools, you do have to put some trust in the vendor. However, with things like Tailscale and possibly Cloudflare Zero Trust, that is somewhat mitigated by the use of open protocols and tools. Tailscale uses WireGuard, for example, which is a well respected modern VPN tool.

Note that the private key never, ever leaves its node. This is important because the private key is the only thing that could potentially be used to impersonate that node when negotiating a WireGuard session. As a result, only that node can encrypt packets addressed from itself, or decrypt packets addressed to itself. It’s important to keep that in mind: Tailscale node connections are end-to-end encrypted (a concept called “zero trust networking”).

This is important to note. You MUST protect every private key. This is true for all certificate based security of course. If the key is ever compromised, your security disappears. Worse, you might not know for years. One of the major downsides of public key encryption.

However, we don’t handle user authentication ourselves. Instead, we always outsource authentication to an OAuth2, OIDC (OpenID Connect), or SAML provider. Popular ones include Gmail, GSuite, and Office365.

This is the other key point. The advantage of CloudFlare's Zero Trust tooling is that the free tier includes 50 users (though those users can offload their login to OAuth if you allow that). With Tailscale it seems you will also have to use a different OAuth provider?

(Both those are from How Tailscale works · Tailscale)

Interestingly they have a "Community on GitHub" plan which might be worth looking at.

Their docs seem easier to follow than CloudFlare's but I think that the CloudFlare service may be more comprehensive, especially on the free tier. In particular, the CF tooling offers a number of purely web-based access points - I couldn't spot that on a cursory look at the TS docs. That is particularly useful if needing access from a locked-down PC remotely - for example, if using a corporate/enterprise device or an internet-cafe/library device.

Either way, certainly a big step up in security and flexibility from something like NGROK.

A word of caution: I have used both ZeroTier and Tailscale. Both of these systems utilize bandwidth while idle. We utilize LTE for our edge devices, so this became extremely costly for us. ZeroTier (at the time we were using it: Spring of 2022) had about 10 times the bandwidth usage of Tailscale. So we opted to remain with Tailscale. Having said that, we also did not like the overhead cost of Tailscale, so we established a secure method to turn Tailscale on and off at the edge devices. So we only turn it on when needed. (Using Node-RED of course. 🙂)


That's useful to know.
I switched to ZeroTier from WireGuard when I transferred to mobile broadband. I don't like the idea of it consuming my bandwidth unnecessarily, so I'll have to look more closely at the traffic.

Thanks, Julian. That's very helpful. I understood most of the Tailscale documentation, but had no way to put it into a wider context. I will probably give it a try, just because it seems so easy to get started.

Can you be more specific? Any mobile system will use some bandwidth to maintain network connectivity, so the questions are quantitative. What is ZeroTier doing that makes it so much greedier than Tailscale? How much bandwidth are you saving by turning off Tailscale, and what causes that extra usage? How does that excess compare to the data used by other services such as text or e-mail that might be running on the edge device, assuming that it is a mobile phone or the like and not a dedicated IoT device?

Sorry to bother you with the quiz. Please feel free to tell me that the answers are proprietary. 🙂

Our edge devices are IoT devices. We do have Tailscale on all of our cloud servers and our phones running all of the time. But on our phones we have unlimited data. With ZeroTier we estimated that the "idle" bandwidth was costing us about $80 per device/mo. With Tailscale it went down to about $10 per device/mo. But once we implemented the enable/disable capability it obviously went down to zero $/mo.

There are many articles available talking about the overhead of ZeroTier and Tailscale.

Because they are IoT devices there is no text or email.

Happy to answer any additional questions...
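The questions above are quantitative, and the honest way to answer them for your own edge device is to measure rather than rely on articles. The script below is an added example for this thread; it is not code from any post here, nor from Tailscale or ZeroTier. It takes two snapshots of the Linux `/proc/net/dev` counters and reports bytes per second and the projected monthly volume for each interface, plus what fraction of the uplink traffic was actual tunnel payload. The interface names `tailscale0` and `wwan0`, the sample interval, and all byte counts in the embedded snapshots are constructed assumptions; on a real device run it with the tunnel up but no application traffic flowing, because the keepalive, NAT-traversal and coordination traffic that costs LTE data appears on the uplink interface, not on the tunnel interface.

```python
"""Quantify idle VPN overhead on a metered uplink from /proc/net/dev counters.

Added example (not from the thread, Tailscale or ZeroTier). Two snapshots of the
Linux counters are diffed to give bytes/second and projected monthly volume per
interface, so the "idle" cost of a tunnel can be measured instead of guessed.
"""
import os
import time

# Constructed snapshots in /proc/net/dev format, 60 s apart (not real captures).
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0   12345     100    0    0    0     0       0          0
 wwan0: 5000000   40000    0    0    0     0          0         0 2000000   25000    0    0    0     0       0          0
tailscale0:  800000    6000    0    0    0     0          0         0  600000    5000    0    0    0     0       0          0
"""
SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0   12345     100    0    0    0     0       0          0
 wwan0: 5040000   40300    0    0    0     0          0         0 2010000   25100    0    0    0     0       0          0
tailscale0:  803600    6030    0    0    0     0          0         0  602400    5020    0    0    0     0       0          0
"""
SAMPLE_INTERVAL_SECONDS = 60   # interval between the constructed snapshots
LIVE_INTERVAL_SECONDS = 10     # interval used when sampling a real device


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no counters
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16:
            continue  # malformed line; a real kernel always emits 16 columns
        # Column 0 is received bytes, column 8 is transmitted bytes.
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def interface_deltas(t0, t1):
    """Bytes moved per interface between two snapshots, as (rx, tx)."""
    deltas = {}
    for name, (rx1, tx1) in t1.items():
        if name not in t0:
            continue  # interface appeared between snapshots; no baseline
        rx0, tx0 = t0[name]
        if rx1 < rx0 or tx1 < tx0:
            continue  # counter wrapped or interface was reset; skip, do not mis-report
        deltas[name] = (rx1 - rx0, tx1 - tx0)
    return deltas


def bytes_per_second(delta, seconds):
    """Combined rx+tx throughput for one interface over the sample interval."""
    rx, tx = delta
    return (rx + tx) / seconds


def projected_monthly_bytes(bps, days=30):
    """Extrapolate an idle rate to a billing month (30 days by default)."""
    return int(round(bps * 86400 * days))


def tunnel_share_of_uplink(deltas, tunnel="tailscale0", uplink="wwan0"):
    """Fraction of uplink bytes that were tunnel payload.

    On an otherwise idle device the remainder is encapsulation plus control
    traffic (keepalives, NAT traversal, coordination), which is what the bill sees.
    """
    if tunnel not in deltas or uplink not in deltas:
        return 0.0
    uplink_total = sum(deltas[uplink])
    return sum(deltas[tunnel]) / uplink_total if uplink_total else 0.0


def report(t0_text, t1_text, seconds):
    """Per-interface {'bps': ..., 'monthly_bytes': ...} from two snapshots."""
    deltas = interface_deltas(parse_proc_net_dev(t0_text), parse_proc_net_dev(t1_text))
    out = {}
    for name, delta in deltas.items():
        bps = bytes_per_second(delta, seconds)
        out[name] = {"bps": bps, "monthly_bytes": projected_monthly_bytes(bps)}
    return out


def main():
    """Sample a real device if /proc/net/dev exists, else use the constructed data."""
    if os.path.exists("/proc/net/dev"):
        with open("/proc/net/dev") as f:
            first = f.read()
        time.sleep(LIVE_INTERVAL_SECONDS)
        with open("/proc/net/dev") as f:
            second = f.read()
        seconds = LIVE_INTERVAL_SECONDS
    else:
        first, second, seconds = SNAPSHOT_T0, SNAPSHOT_T1, SAMPLE_INTERVAL_SECONDS
    for name, row in sorted(report(first, second, seconds).items()):
        print(f"{name:12s} {row['bps']:10.1f} B/s  ~{row['monthly_bytes'] / 2**20:8.1f} MiB/month")


if __name__ == "__main__":
    main()
```

Run it on the device with the tunnel up and nothing else talking, ideally for a longer interval than ten seconds, and compare the uplink figure with the tunnel on and with it off; the difference is the idle overhead you are paying for.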

Would be interesting to see if the Cloudflare Zero Trust service had similar issues. All my DNS is with Cloudflare now and all my web sites are fronted by Cloudflare as well, so for me, their service makes sense. Having 50 users free is also nice.

Everyone deserves a LMGTFY answer once in a while. Actually, I had done some searching and found mainly issues on GitHub, including some with comments from you. Still, no clear answer as to exactly what ZeroTier is doing (perhaps finding available or best available routes to certain hosts) or why it takes an order of magnitude more data than Tailscale. Apparently, ZeroTier is aware of the situation but does not have any improvements to offer. Have I missed anything important?

The only other thing to be aware of is that as these "free" services evolve they typically start to reduce the number of free devices on a network to start recouping some of their investors' money - ZeroTier initially went from 100 to 50 and now recently to 25 - and I hear rumours that this will drop to 10 by mid next year.

Tailscale do seem to have a nice cheap entry level plan for home use that should get you around this limitation - not sure on Cloudflare's pricing model.

I have used all 3 of them (and continue to do so) - I find that Cloudflare is the hardest to set up initially whilst ZeroTier is the easiest and quickest.

Craig

Well, their free models seem to have been very stable over the years. Mostly they have increased them rather than cutting back. It helps that they built up their paying content delivery business first. Their paid services are not the cheapest, but they have become one of the foremost CDNs on the globe, sensibly branching into related services as they built up, so they started offering edge security for web services and continued from there. So they seem to have hit upon a sensible approach.

Yup, I certainly agree. Took me a while and several experiments to get the hang of the Cloudflare Zero Trust stuff. Not helped by them changing the service name, portal, etc. along the way. But it seems stable now and it seems to work well, though I've not used it to any great degree - not having much need for remote access to my home servers in recent years given that my office is in the same room! 🙂 Still, today marks my first work trip for a long time - a visit to Apple's offices in London. So maybe I'll need remote access again before too long.

LOL, sorry about that. I recommended that you look because the folks at ZeroTier told me that they realized they had an issue and were going to work on improving it. I have not kept up with any progress in half a year. I thought there might be new news.

What they actually do with all of that traffic was never a concern for me as IMHO, it was what it was. There was no impact that I could control.

That's a healthy attitude -- unlike some of us who ask questions and don't know what to do with the answers.
