Is there any latency introduced by using Tailscale, and I assume that you are reliant upon the uptime of the Tailscale server to get access to your own network, although they do seem pretty robust - https://status.tailscale.com/
Yes, more and more web services require TLS encryption or they won't work. I use "hairpin" NAT on my router to give me access to routes that work outside and inside and where the inside route stays local. Along with a spare domain name. Then I have a multi-domain wildcard Lets Encrypt cert that is managed using their super simple Acme tool on a CRON schedule. It actually does a couple of different certs for different reasons. I use DNS verification rather than opening an inbound port 80 so no open ports.
Ngrok simplifies networking by creating secure ingress to any app, device, or service with a single command or line of code. It's an ingress-as-a-service platform that decouples ingress from infrastructure, removing the hassle of getting code online without provisioning proxies or VPNs.
NGROK does have some strong authentication features but I'd have to say that by the time you are getting into those weeds, you might be better off with Cloudflare ZT which, though harder to get started with, once started, is dead easy to add various authentications to. It also has up to 50 users on the free tier instead of NGROK's 5.
The NGROK free tier supports OAuth so you can use things like GitHub, Google, etc for identities. You can secure different end points to different groups/ids.
So both NGROK and CF ZT will let you create different endpoints with different authentications and authorisations.
Well, other than the problem you've already identified - it doesn't seem that bad - other than the fact that it is a VPN solution. These tend to come with their own set of vulnerabilities. But still, most likely good enough for home use & is a fairly well-tried solution.
But, I can't see that it is any less complex than CF ZT. Indeed, since you have to deal with your own certificates, you could say that it is more complex. ZT will also have a few advantages should you ever get a denial of service attack - unlikely as a home user - or one of the other attacks that CF automatically mitigate on their endpoints. ZT only requires an agent to run on your Pi. The terminology they use takes a bit of head scratching but once learned isn't too bad and the docs are OK.
Hey @Paul-Reed,
I forgot to mention above that Tailscale is not like a classic VPN, where all traffic passes through the central servers. Tailscale is a P2P (peer to peer) mesh network, where all the Tailscale agents communicate directly to each other. So normally you don't go via the central Tailscale servers.
Only when the agents cannot communicate directly to each other (e.g. due to some very strict enterprise firewall), then the agents setup a relay connection via the central Tailscale servers:
I am running this now for about 6 months and I had no problems at all. It is always fast, i.e. I don't notice any delay. Even my google home - which passes via the central Tailscale servers - works fine. I don't do any latency measurements. Just my experience...
P.S. I have also added the LetsEncrypt keypair, which is generated and renewed periodically by the Tailscale agent. And the agent uses it to setup https connections.
If that is the case I have a completely incorrect vision about CF ZT. I had quickly looked at some youtube videos, and one of my colleguas at work showed his home setup. It looked all very complex to me. Absolutely nothing that I can see my familly maintaining...
But perhaps I have been looking in the wrong places.
I assume a DOS attack on my Node-RED dashboard (or flow editor) is not possible, since I access it only from within my virtual private mesh network. It is not exposed as a public endpoint.
On the other hand there are public endpoints, e.g. for Google Assistant. I thought that Tailscale would offer some DOS attack protection, but I can't really find anything quickly. So I assume indeed that CF does a better job in that area...
Sorry to ask another question, but...
How about when you are away from home, do you still have access to node-RED etc? presumably via the Tailscale server?
You see on my drawing that on my Android phone there is a Tailscale agent app installed. Via that app my smartphone is part of my Tailscale virtual network.
When I navigate in my Chrome browser to https://mytailnet.ts.net/mydashboard, the request goes (see diagram) automatically to the Tailscale agent on my smartphone. The tailscale agent on my smartphone sends the request directly to the Tailscale agent on my Raspberry, which forwards it to Node-RED. So I stay entirely within my tailnet: i.e. I don't go via the central Tailscale servers, and there is no public endpoint required.
So it doesn't matter if you are at home or on the other side of the world. The tailscale agents can communicate directly to each other, through your firewall (see explanation) without any need for port forwarding! So I have no ports open in my firewall anymore!
Just to really annoy everyone - i will throw in Wireguard Easy as a VPN solution - comes as a docker container - very easy to setup and manage and can be deployed as a stack with Reverse Proxy services as well
He lists a script he has made (which i have checked and gone through) and it does nearly everything out of the box for you - with good step by step instructions.
Craig
On the contrary. All insights are welcome. If I have an overengineered solution, I am happy to switch to something more easy...
Is there a central server involved or just that docker container? Is port forwarding required? How do you access e.g. a Node-RED dashboard from a smartphone (that is not inside the LAN)? How can you access your Node-RED from an external service, like e.g. in my case Google Assistant ?
A little (quick drawn) scetch would help me to understand your setup...
Bart,
Its just docker containers that do everything for you.
Yes you port forward the port for VPN traffic only to the docker container - i.e. nothing is allowed from outside your network unless it goes over the VPN and to the docker container only
You access NR with the same IP addressing internally as externally
Not sure about google assistant - have not tried that - but could not see a reason it would not work.
I will try and get a sketch done in the next day or so (i do not use this for my home network - i actually use it for a couple of friends and clients as they are very network illiterate and wanted something that just worked. They use it for their Frigate and Home Assistant access as well as a dedicated alarm panel and an NVR system.
On my home network i use Wireguard in native mode (as i have to support it) on my home OpnSense router - i moved to this from Zerotier as i found the performance of Wireguard to be much higher
Craig
For anybody interested in this topic...
I had again a look at my security setup, because it is FAR too complex to explain to my boys.
But I find it far from easy to create a secure setup that is understandable...
-
Ngrok tunnels will be published at another url, every time you restart your raspberry. In their free account they only offer 1 static url, but I need two (one for my dashboard and one for my Google Assistant). Moreover their (shared) certificate is being used in the public endpoint, and not in their local agent. Which means that (e.g. for web push notifications) I always need to go to the internet, which is not what I want.
-
Netbird seems to be a decent alternative for Tailscale, but I don't think they offer public tunnels (which I need for Google Assitant). I have asked the question, but no answer yet. The nice thing is that their control server (backend) is also open source, which is not the case for Tailscale.
-
For Tailscale my above issue is still not solved. I tried to analyze their code, but did not find the root cause. Don't have time to investigate it in more depth. So I visualized this part of their Go code (see here) in a desparate attempt to get some help from their developers. Because due to this issue, I need to have have a Caddy reverse proxy, which is kind of ridiculous...
BTW if anybody is interested in the Tailscale approach, you can always give a thumb up in the first post of the above Github issue (like Paul already did...). Don't know if it helps, but you never know...
This is the issue Bart referred to;
Might not help but Cloudflare Zero Trust has a lot more on offer for the free tier. It is more complex to initially set up but once done is fairly straight-forwards to document.
Not sure I quite understand that issue so not sure whether CF ZT would help there.
I had tonight another (desperate) attempt to read through the relevant part of the Tailscale Go-based codebase, and suddenly it became clear to me how it works. It looks that I found the root cause and the solution. No fix should be required...
I can now publish services public on the internet, and private services within my tailnet (only accessible by devices within my virtual tailnet). Both types of services are automatically secured via LetsEncrypt certificates out of the box, which are automatically renewed periodically. This way I have LetsEncrypt certificates all over the place, even within my LAN
I have asked the folks from Tailscale to review my solution, because it needs to be waterproof of course. After all, I am not a security expert like @TotallyInformation ...
In the next days I am going to try to simplify my setup at home. For example ditch my Caddy reverse proxy, and so on...
If everything goes well, I will create soon a tutorial about how to use Tailscale to secure Node-RED.
Quick comparison of Tailscale with NGrok, because that was mentioned above a couple of times:
- I don't have the limitation of 1 static domain name, so I don't need to buy a custom dns name.
- All data passes (in this peer-to-peer virtual netwerk) between my own devices, so no restriction of 1 Gb per month, which is interesting if you are dealing e.g. with video streams from camera's.
- Only devices in my tailnet have access to my private services, which is an extra layer of security. There is also an ACL, which allows me specify which device can access services on other devices.
- The LetsEncrypt certificates belong to the agents on my devices, and not to the public endpoints in the Tailscale servers. So you also have LetsEncrypt certificates available within your LAN.
BTW I tried to reduce my enthousiasm tonight, but I failed to do that. Because the agony to arrive at this point was a bit too long
I came across another solution - it is quite bizarre how it works, but it works by means of holepunching via DHT (distributed hashtable) - ie. bittorrent protocol.
It is called holesail, free, very easy to setup, no domains needed.
Run a command on the server side, it generates a QR, scan QR with the holesail app on your phone or on some server somewhere and you are connected and then you can connect to the 'local' url in your browser.