I was looking for remote access software to help family with their PC and came across RustDesk(https://rustdesk.com/) but it needs a server. Found out it can work without a server if you have Tailscale installed. No fees for any of this and works on many platforms.
Tutorial for Rustdesk + Tailscale setup for remote desktop access: https://www.youtube.com/watch?v=27apZcZrwks
Edit: Noticed some sibling comments asking effectively the same thing as me. I've been meaning to write a blog post covering the basic networking knowledge needed to DIY with just Wiregaurd. My impression is that many people don't realize just how easy it is or don't have the requisite background information.
Plus, I have the option of spinning up a random EC2 box whenever I want and instantly joining it to the network with basically no fuss.
I can completely understand using Tailscale for enterprise networks, but it seems very overengineered for my personal VPN needs.
The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight Wireguard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.
Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.
It was just blocking new connections. Via SNI. Tailscale's control plane turn out not to care if SNI is sent. Tailscale's app let you set a custom control plane... like a local proxy that forwards connections to tailscale's servers without setting SNI.
I've seen this effect in several places, not just my work.
Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.
There's probably a firewall vendor that has a product that does SNI inspection for blocking things like pornhub and the product comes with a list of sites that includes VPN control planes.
My point being that surely some of them have noticed the same thing I have, and it hasn't been stopped. I'm not going to raise the issue either way.
Called this out and the security team said noone complains, that there is no use case and they do not want to deal with security risks.
And the ossification continues.
EDIT: I figured this out because I brought my laptop from home to do a few things while at work that needed it. I noticed that my Tailscale connection (initially established at home) was working just fine. That's when I realized that it was the initial authentication that was blocked, not the service.
My phone is usually on my tailnet and my iPad is always on it (and using my home exit node), as a result. Using the exit node has a modest but noticeable effect on battery life, but just being connected is maybe 2% of battery a day. Negligible.
I haven't used it because I use witeguard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sorts of my information is vulnerable if I use it.
people complain about github being proprietary but I haven't seen much complaint about tailscale being proprietary.
I assume I'm just being overly paranoid? It's certainly convenient to just sign up and have things just work.
Check out Nebula (created by Slack) - https://github.com/slackhq/nebula
Fundamentally very similar to Tailscale. I've been using it for years and it has been flawless. It doesn't have as many bells and whistles as Tailscale but it does what it does very well.
https://github.com/juanfont/headscale
If you can be bothered running the headscale container, you generally don't need to pay for tailscale. It's been pretty well supported and widely used for a number of years at this point. Tailscale even permit their own engineers to contribute to headscale, as the company sees it as complimentary to the commercial offering.
I've been really happy with headscale, but I wouldn't call it a complete drop in replacement as I would with vaultwarden. Some features (e.g. Mullvad integration, ACL tests, etc) are missing.
Upgrading also requires upgrading every minor version or you run into db migration issues, but that comes with the territory of running your own instance.
I would recommend folks look up if headscale suits their needs (like it did for me for many years) before switching over.
And they collaborate with Headscale to provide an open-source coordination server (with, unsurprisingly, a more limited featureset, but it works fine with their closed-source GUI client): https://tailscale.com/opensource#encouraging-headscale
I use the combination myself and it works quite well, but of course is less convenient than using their product (which I also do in a different context). Overall I'm pretty happy with their open-source stance.
As I said on another comment, my use can be tracked by volume and timing, but since I'm only connecting to my house or my in-laws', and using an exit node on one of them, I'm not doing anything with it that I wouldn't do openly from my house. If I were hosting Anna's Archive, it would not do.
As noted by others, Headscale works if you want fully self-hosted. The features it doesn't have aren't important to the typical home user. The free tier of Tailscale is really, really easy to set up and a very non-technical user can just use it if someone with even modest skills, like me, sets it up. That's why I use it. I can talk my wife through how to use Tailscale over the phone. I can set up OpenVPN or Wireguard (I set up an OpenBSD firewall and NAT system in the mid-late 1990s for an office and used it with SSH tunnels and VNC to do some remote troubleshooting), but I can't troubleshoot it remotely with a nontechnical user.
But, as you know, you can also manage this configuration yourself, either via traditional config mgmt tools, helpers like wg-meshconf, or even plain shell scripts, if you like. I'm aware this is a very HN-Dropboxy comment, but it's really not that complex[1], and is easily manageable for a small deployment.
Another VPN tool I used before WG gained momentum was tinc, which supports mesh networking out of the box. It's even easier to configure and maintain, and supports all platforms. It does run in userspace, which should make it slower than WG, but I found the performance acceptable for my modest use cases. Highly recommended.
[1]: https://www.procustodibus.com/blog/2020/11/wireguard-point-t... (this blog is a great WG resource!)