Tutorial - Secure your home automation with Tailscale

I am afraid I have dropped out at the very first stage.


But who is it that gives me my identity: Google, Microsoft or Apple?

Google, Git, Microsoft & Apple all provide identity verification.
You could choose any of those, provided that you have an account with them.
For example - Google...
If you have a Google account (Gmail etc.), select Google. Google will then ask you if you want to do this, and they will then verify your ID with Tailscale.

No problem. If you should have time to go through the tutorial and tell here which parts are not clear to you, then that will be an opportunity for us to make a security tutorial for a broader audience. Because I have written it with lots of technical details in the back of my head...

Based on Paul's feedback, I have added some extra remarks to that step:

If you have any suggestions to make the text more clear, please share it here!

While I do not fully understand the process by which Apple can reassure Tailscale of my identity, that's not why I backed away from the process.

Instead it was the whole idea of entangling a secure private network with these ravenous harvesters of private data.

I do have a gmail account, and the terms and conditions for it make clear that the contents of my mail will be read, analysed and stored indefinitely by them for their own purposes.

Will they similarly read and analyse the traffic over my tailscale network? If they could, I have no doubt that they would.

@jbudd - Google would not get access to your Tailscale, or any data, your logs, traffic or anything else that you published. All that they will know is that you have a Tailscale account and maybe the timestamp that Google verified your login, and that's it.
Nothing more!


While I am absolutely no fan of Google or their behaviours, I have to agree with Paul here. All that they will get is that you did an authentication. Possibly they might know that you authenticated to Tailscale, I've not checked that.

This is using OIDC/OAuth which has been specifically designed to allow 3rd-parties to provide authentication services without having access to any details and to allow vendors to offer logins without having access to your personal identity details. It is very clever and even though I've been involved with it for years, I still barely understand the details. :rofl:

Personally, I still don't like using Google for authentication that much, I certainly won't ever use Facebook. I mostly still use individual id/password for most logins but where connected identity is advantageous to me, I tend to use GitHub (as most of it is related to dev type stuff anyway).

If you want something more independent, you can sign up for the free tier of Auth0 - they are good and you get 25k monthly active users which should be enough for most of us. :rofl:

I also use Tailscale for remote access.

Using the share feature, I can also give friends access to some side-projects :slight_smile:


This is my Google account -


As you can read here they only use an identity provider, because those have already implemented everything and the people from Tailscale didn't want to reinvent hot water again.

I have added Paul's comment to the tutorial:

So these ravenous harvesters of private data don't get permission to access your secure private network ...

There is also a self-hosted option for the control plane of Tailscale: headscale
Then you don't need an identity provider. You can use the regular clients from Tailscale. I tested the Windows, Linux and Android clients without issues

Other implementations:


Noting the wording though. :slight_smile: Doesn't say that they don't get to see when you log in to Tailscale. Shouldn't really be an issue but worth knowing.

True, but once you've verified yourself in the apps, they retain your login without going through verification again.

So if you manage to log in once, you can log in forever unless someone deletes you from Tailscale? Doesn't seem very safe! And not generally how OAuth works.

@BartButenaers, if I click the link at this step in your tutorial it takes me to the GitHub login, which many people do not have:

And if I do login, I get this surprise screen:

Is the URL correct?

I have another uncertainty you might consider clarifying, which is also relevant to Zerotier, PiVPN and other setups.
Once my laptop or tablet is set up to access my Node-red server from the internet, it can connect without any further verification. For example there is a shortcut on my phone which will open my Node-red editor from the beach via zerotier. While the connection is encrypted and safe over public wifi, if I lose my phone, the finder has root access to my server[s].

Thus whatever secure networking you install, it seems essential that Node-red is also protected by a login (of some sort), not just a list of authorised devices?

This is why any authentication should be dynamic and timed. While, for convenience, you might avoid re-authentication for a period - say 24hrs - after that you should be forced to reauthenticate. If you think that your home automation system requires more protection, simply reduce the session period. This is a common failing for VPN connections as well.

You should also be using multi-factor authentication as well so that even if someone records your passcode, they still need another factor to get in, typically from an authenticator app that itself requires authentication on every use (possible via a thumbprint though do note that in some backward countries such as the USA, police are allowed to force you to use a thumbprint but are not allowed to force you to reveal a passcode).


By the way, this discussion is why not many people are prepared to write security tutorials! There are so many edge-cases and possible issues.

So please lets give Bart some praise here for what he has undertaken, it isn't easy I can assure you.


Only if the finder can get into your phone, which is presumably finger print, PIN, or similarly protected.
Also how would the finder get root access? The only way to root access should be via sudo.

I didn't say forever!
I've no idea how long it lasts, but I haven't had to re-validate it again, despite several times I've accessed it yesterday and today.
The Access Time in my Google account still shows the access time when I initially validated.

No, you have a cluster of Control Servers hosted by Tailscale. Via your identity provider you can log in on those servers and manage your account via a web interface, the 'admin console'. In that web interface you can manage your devices, access control list, and so on. The control servers push the config to all your agents, so your tailnet can continue on its own.

So every time you login to that web interface, you need to login via your identity provider. But afterwards you can continue working locally within your tailnet without any need for oauth2.

It is explained here. I have added a section about Headscale to that page (although it is outside the scope of this tutorial). Thanks @kitori to remind me about that!

Ah yes. When I go in incognito mode in my browser, I indeed get a login screen for that page. Weird. Will need to have a look at that...

I will add that to the tutorial: when you lose your smartphone, it is/should be protected by a password. But you could immediately disable that smartphone in the "Devices" tabsheet of your account. Then it won't be part of your tailnet anymore. You can enable it again when you find your smartphone again. But that is also one of the reasons why the tutorial advises still to add basic authentication for the flow editor.

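The two recommendations made earlier in this thread (an editor login that is independent of the tailnet device list, and a session that expires after a fixed period such as 24 hours) map directly onto Node-RED's own settings.js. The fragment below is an added example and not part of the tutorial; the tailnet address and the bcrypt hashes are placeholders you replace for your own install.

```javascript
// settings.js fragment (added example, not from the tutorial). Values marked
// PLACEHOLDER are assumptions you replace for your own install.
module.exports = {
  // Bind the editor and HTTP nodes to the Pi's tailnet address only, so they
  // are reachable over Tailscale but not on the LAN or the Internet.
  // PLACEHOLDER: use the address that 'tailscale ip -4' prints on the Pi.
  uiHost: "100.64.0.1",

  // A login for the editor itself, independent of which devices are in the
  // tailnet: a lost phone that still holds a Tailscale session does not
  // hold this session forever.
  adminAuth: {
    type: "credentials",
    // Force re-authentication after 24 h (value in seconds).
    // Node-RED's default when this is omitted is 7 days (604800).
    sessionExpiryTime: 86400,
    users: [
      {
        username: "admin",
        // PLACEHOLDER: bcrypt hash produced by 'node-red admin hash-pw';
        // never put the clear-text password here.
        password: "$2b$08$<paste the hash here>",
        permissions: "*",
      },
      {
        username: "viewer",
        password: "$2b$08$<paste a different hash here>",
        permissions: "read", // can open the editor but not deploy
      },
    ],
  },

  // Same idea for endpoints served by HTTP In nodes, if any flows expose them.
  httpNodeAuth: { user: "api", pass: "$2b$08$<paste the hash here>" },
};
```

With `uiHost` set to the tailnet address, a browser on your home LAN also has to reach the editor through Tailscale; leave `uiHost` out if you want the editor listening on all interfaces and rely on the login alone. The `read` user is for a shared tablet or a friend's device: it can look at flows but a deploy still needs the admin credentials.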

Yes of course. But my Pi user does have sudo access because there are exec nodes doing things like sudo systemctl restart nodered. It's insecure.

Are you using gmail on the phone? The same applies to gmail, that you don't get auto logged out. It is assumed that whatever login procedure you use to open the phone is sufficient. If you logout from google in the phone then I think you will lose the tailscale access from the phone too.
