Hmm, lots of reading to do
Just to say, I'm slowly rebuilding my server from scratch and using Tailscale from Bart's excellent guide.
So far, I'm really liking it, as most things work without any drastic changes, and it's great that I can now view my dashboard without having to log in each time, which has been a PITA for years!
As Node-RED security has increased over the past few years, various things have been implemented so that I can now relax a little; for example, I can use static endpoints, as I'm not using auth on my endpoints now and am relying upon my phone's fingerprint security to keep things reasonably safe.
Also, I can now carry out admin functions via an exec node, restarting NR, shutting down, rebooting, stop/start mosquitto, etc... instead of using shell commands.
...and speaking of Mosquitto, it works as usual, no ports, tunnels or anything to set up, and works great with my external devices (that are not in my Tailnet).
It got a very big golden star from me!
I actually don't think Tailscale is ideal for that scenario, though I believe it would work. But, as already identified, Tailscale creates a private network over a public one - similar to a VPN but not quite the same.
In the case of getting remote access to an individual server on a private network, you may find Cloudflare Zero Trust more appropriate. That has the advantage of creating pure web endpoints and can even deliver a web SSH terminal which is convenient for remotely updating the server OS without having to actually expose the SSH port.
Thanks for pointing that out!
Of course Tailscale also offers web ssh in your browser via your secure tailnet out of the box (see article here)
Perhaps I should add a short overview of all kind of other Tailscale stuff in the tutorial...
Thanks for the extensive feedback Paul!!
If you ever find some time to explain me that, I think it could be a useful addition to the tutorial.
My mission will only be completed on the day that Julian ditches his Cloudflare Zero Trust into the garbage bin and replaces it with Tailscale.
Haha, it might happen - though you know that I'm a Cloudflare fanboi, right?
I do need to take a closer look again though now that you've done all the hard work!
PS: The potential advantage of Zero Trust here is that it is not a VPN and therefore you do not need an app for your client devices accessing the server. For a 1-off connection, this may be a more comfortable experience if providing occasional remote support.
I've just hit a snag following this guide, has anyone else seen this?
My new phone (Android 14) is set to use a "private DNS provider" - base.dns.mullvad.net.
After installing Tailscale as the first device in the tailnet, and logging in I get "Network has no internet access - private DNS server cannot be accessed" and also "Tailscale cannot connect to the Paris relay server, your internet connection may be down"
Indeed, I can't load any website while Tailscale is enabled.
I use Proton VPN on my phone, but whenever I enable Tailscale, it automatically disables Proton and loads its own Tailscale VPN instead (which is just for Tailscale).
However, I'm not too concerned, I just fire up proton now when I'm doing something sensitive, such as banking, otherwise Tailscale is running 24/7.
Being a VPN is one of the downsides of Tailscale. VPNs on mobiles in particular can get a bit tricky. Choose a service that doesn't use a VPN if this is a problem, Cloudflare Zero Trust or NGROK for example.
OK but I'm not using a VPN, just a different DNS provider.
Actually I'm not certain that's what I want to be doing because at home I'd prefer to use my own PiHole for DNS.
It does seem that any non-standard DNS provider breaks at least setting Tailscale up.
Maybe the problem disappears when PiHole is in the tailnet.
Don't think so, though: Android does not seem to let me say "Use this DNS server in this network, otherwise that one".
I see here on Reddit that Brad Fitz (from Tailscale) has been in contact with Google, but the problem is not solved yet. After a quick Google search I found some possible workarounds from other users, but no idea whether those could work.
Well tracked down Bart!
I'll have to reconsider my DNS strategy.
One of the workarounds you will find all over the place (which does not seem to work for everybody) is to disable MagicDNS in your tailnet. Which I 'think' is completely ridiculous: because then you don't have - easy to remember - virtual hostnames anymore for your devices. And as a result I assume you also won't have Let's Encrypt certificates anymore, because those are linked to the virtual hostnames. So in fact you would end up using virtual IP addresses and no certificates, which means a very primitive setup.
I did not read very much about the DNS part of Tailscale. Would be nice if some folks could do that and share their thoughts here, so I can add a drawing to the tutorial that can increase our understanding of how stuff works internally (in some "advanced" section). Then perhaps we can more easily find solutions if somebody is stuck...
For example it is possible to override local DNS. I have no clue at all if something like that could e.g. be a workaround for the case from @jbudd to use a private DNS provider...