This interlude is some thoughts about Tailscale. I am mostly happy user of it. I will perhaps write more about Kubernetes next.

My background, pre-Wireguard solutions

I have been involved on and off with VPNs for 25 years and change. I even co-authored some IPsec standards on the topic, and I also worked on multiple implementations of it as well.

IPsec has been to some extent superseded by the various TLS VPN solutions due to ease of deployment (presumably), and interest in mostly securing just TCP traffic, for which typical TLS VPNs are just fine.

Wireguard

Wireguard is more recent - it is ‘only’ less than 10 years old (earliest recorded commits are from 2016), and it got to Linux kernel only in 2020.

It is fascinating experiment in ‘simpler’ secure networking, which is against typical security protocols’ design - most notably there is no negotiation/cipher suites - what you see is what you get. This leads to issues with quantum safety, as the chosen set of algorithms is not quantum safe. The algorithms were ‘ok’ (at the time), but they are not hardware accelerated for most part, which leads to actually them being less efficient (at least power wise if not speed wise) than some ‘legacy’ IPsec or TLS solutions which use AES which has hardware acceleration almost everywhere.

It is hard to say how much market share it has, but a lot of recent entrants in VPN business are based on that. It seems to have much more mindshare also in the open source community compared to e.g. IPsec.

Wireguard itself provides just point-to-point secure channel between two nodes (with optionally tunneled traffic for other nodes), and the added value products build something else on top of it - typically mesh network.

Tailscale

Tailscale is commercial Wireguard based mesh network. It has clients available for most operating systems.

Neat features

Tailscale solves many pain points that Wireguard (or plain IPsec VPN) struggle with:

  • It handles clients with dynamic IP addresses fine - the identity is bound to the client and not to the IP address; this is facilitated by servers that handle location of the clients
  • It works across all NATs - with central servers so even devices that are both behind NAT can talk to each other using the relay
  • ACLs - it is possible to configure which nodes can interact with particular ports of other specific nodes
  • MagicDNS - DNS for your wireguard nodes
    • It is pretty low effort way to deal with names instead of IPs
  • On-demand feature in many clients (can be triggered to be only when accessing resources in the mesh, or in specific wireless or cellular networks)
  • Egress support (can tunnel all traffic through specific node)
    • This is simple with most IPsec clients, but slightly tricky with vanilla Wireguard (I had hack for that - forcing routing all traffic to another Wireguard peer, and then ensuring it does appropriate NAT etc, but how well this worked in practice varied by client)

What could be improved in Tailscale?

ACL system kind of sucks

I am not a fan of the ACL system. If you do not set any ACLs, it defaults to accept all. However, all ACLs you set change default to deny, and then all you can specify are accept rules. This is quite awkward in practice. It would be much better with e.g. ordered list of accept/deny rules.

What is wrong with list of accept rules? Let’s assume I have one specific node for which all except 4 ports are allowed, and for every other node I want full access.

With accept+deny system, this means about 5 rules (4 denys and one accept with what is not allowed being very explicit). With accept-only and default-deny, I need to have:

  • IPs below the node IP = accept
  • node IP, ports below port 1 = accept
  • node IP,, ports between port 1 and port 2 = accept
  • node IP, ports between port 2 and port 3 = accept
  • node IP, ports between port 3 and port 4 = accept
  • node IP, ports above port 4 = accept
  • IPs above the node IP = accept

This is 7 rules, and ones that don’t really explicitly enumerate the 4 not allowed ports, but instead list port ranges which are related. In other words, it is pain in the ass to maintain.

It gets even worse if e.g. source matters, becuse then you may wind up listing instead of few deny rules, an order of magnitude more accept rules.

But but, it is commercial software..?

Yes, it is. But it also has relatively generous free tier, and you can self host Headscale which providers the server side for free if you wish to (and I do). There are some warts, though, e.g. client logging by default sends logs to Tailscale even if you are not using their servers (but you can disable it - TS_NO_LOGS_NO_SUPPORT=true ).

Closed source - no go?

There are also more open Wireguard mesh solutions such as Netbird (their server side is also open source). However, I am happy enough with Tailscale for now so I have not looked even very hard at replacing it.

If it works, don’t break it by touching it 😏