SuperShibe 10 days ago
Every few months I come back to this repo to check if they finally got Tailnet lock running or if someone security audited them in the meanwhile. Unfortunately neither of these things seem to make any progress and thus, I’ve grown uncertain in how much I can trust this as a core part of my infrastructure. The entire premise of Tailscale SaaS builds on creating tunnels around your firewalls, then enabling the user to police what is allowed to be routed through these tunnels in an intuitive and unified way. Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal, but can they also fulfill the second part by providing enough of their own security to make up for anything they just bypassed, or will they descend to just being a tool for exposing anything to the internet to fuck around with your local network admin?
To me, not giving your Tailscale implementation any way for the user to understand or veto what the control server is instructing the clients to do while also not auditing your server's code at all sure seems daring…
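The property this comment (and codethief's "one of my servers getting compromised" threat model below) asks for is that a client can veto what the control server tells it. The sketch below is an added example and not Tailscale's or Headscale's code; it models the idea in a simplified form: the client holds its own list of trusted signing keys, the control server hands it a network map, and the client only admits peers whose node key carries a valid signature from a key on that local list. The `Peer` struct, the `example-lock:node-key:v1:` domain-separation prefix and the constructed scenario are all assumptions made for the example, not the real wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Peer is one entry in the network map the control server hands a client.
// NodeKey identifies the peer; SignerKey and Signature are the claim that a
// tailnet signing key vouched for that node key (assumed layout, see lead-in).
type Peer struct {
	Name      string
	NodeKey   ed25519.PublicKey
	SignerKey ed25519.PublicKey
	Signature []byte
}

// signedNodeKeyMessage is the byte string a signing key actually signs. The
// prefix keeps a node-key signature from being reusable as any other kind of
// signature the same key might produce (assumed domain-separation scheme).
func signedNodeKeyMessage(nodeKey ed25519.PublicKey) []byte {
	return append([]byte("example-lock:node-key:v1:"), nodeKey...)
}

// SignNodeKey vouches for a node key with a signing key the tailnet owner holds.
func SignNodeKey(signer ed25519.PrivateKey, nodeKey ed25519.PublicKey) []byte {
	return ed25519.Sign(signer, signedNodeKeyMessage(nodeKey))
}

// Trusted is the client's local list of signing keys. The control server has
// no way to append to it, which is what makes the check a veto.
type Trusted []ed25519.PublicKey

func (t Trusted) contains(k ed25519.PublicKey) bool {
	for _, tk := range t {
		if bytes.Equal(tk, k) {
			return true
		}
	}
	return false
}

// FilterPeers splits a network map into peers the client will talk to and
// the reason each remaining peer was refused. A valid signature from an
// untrusted key is refused exactly like a missing one.
func FilterPeers(trusted Trusted, peers []Peer) (accepted []Peer, rejected map[string]string) {
	rejected = map[string]string{}
	for _, p := range peers {
		switch {
		case len(p.Signature) == 0:
			rejected[p.Name] = "no node-key signature"
		case !trusted.contains(p.SignerKey):
			rejected[p.Name] = "signed by a key this client does not trust"
		case !ed25519.Verify(p.SignerKey, signedNodeKeyMessage(p.NodeKey), p.Signature):
			rejected[p.Name] = "signature does not verify"
		default:
			accepted = append(accepted, p)
		}
	}
	return accepted, rejected
}

// Scenario is a constructed example: the owner's signing key is trusted, a
// second key (standing in for a compromised control server minting its own)
// is not. Returns the accepted peer names and the rejection reasons.
func Scenario() ([]string, map[string]string, error) {
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	roguePub, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	var nodeKeys [3]ed25519.PublicKey // laptop, injected, unsigned
	for i := range nodeKeys {
		if nodeKeys[i], _, err = ed25519.GenerateKey(rand.Reader); err != nil {
			return nil, nil, err
		}
	}
	peers := []Peer{
		{Name: "laptop", NodeKey: nodeKeys[0], SignerKey: ownerPub, Signature: SignNodeKey(ownerPriv, nodeKeys[0])},
		{Name: "injected", NodeKey: nodeKeys[1], SignerKey: roguePub, Signature: SignNodeKey(roguePriv, nodeKeys[1])},
		{Name: "unsigned", NodeKey: nodeKeys[2]},
		// Owner signature copied from "laptop" but presented with a different node key.
		{Name: "swapped", NodeKey: nodeKeys[2], SignerKey: ownerPub, Signature: SignNodeKey(ownerPriv, nodeKeys[0])},
	}
	accepted, rejected := FilterPeers(Trusted{ownerPub}, peers)
	var names []string
	for _, p := range accepted {
		names = append(names, p.Name)
	}
	return names, rejected, nil
}

func main() {
	names, rejected, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", names)
	fmt.Println("rejected:", rejected)
}
```

The point of the design is where the trust list lives: a control server that is compromised (or a hosting provider with physical access to it) can still push any network map it likes, but it cannot produce a signature from a key the client already trusts, so the injected peer is dropped on the client side regardless of what the server says.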
bananapub 9 days ago
tailnet lock seems way way less important for headscale than tailscale, given you personally control the headscale infra.
codethief 9 days ago
Depends on your threat model. Mine definitely includes one of my servers getting compromised. (Which, tbh, is probably more likely than Tailscale getting hacked.)

SuperShibe 9 days ago
only until someone finds a zeroday in headscale (remember, it never got audited) or until the server running headscale itself gets compromised. Especially in countries where getting a dedicated public IPv4+IPv6 from your ISP is hard-impossible and you‘d have to rely on a server hosted externally (unless you’re large enough to make deals with the ISP) some company hosting your server still retains at minimum physical control over your headscale infra. For why this is a problem, see the recent Oracle cloud breach.

botto 9 days ago
This is my thought as well, if you are in control then you also control which nodes go on your tailnet
nativeit 10 days ago
> Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal

Did they really roll-their-own for those functions? I thought this was just a control layer on top of Tailscale’s stock services on the backend, are they facilitating connections with novel methods? Apologies if I’m asking obvious questions, I use ZeroTier pretty regularly, but I am not too familiar with Tailscale.
bingo-bongo 9 days ago
They have a really great in-depth blog post describing how they do it: https://tailscale.com/blog/how-nat-traversal-works

xrd 9 days ago
Can you share why you use ZeroTier over Tailscale? I run several headscale control planes and it really is nice to self-host. But, I'm curious about other options.

password4321 9 days ago
Not OP but I'm on ZeroTier because it was one of the best free tiers available before Tailscale could run as a Windows service. Also I believe it implements a lower layer of the network stack so more options are supported, though I haven't needed to investigate in detail.
gpi 10 days ago
One of the maintainers works for tailscale now.
wutwutwat 10 days ago
maintainer's employment != security audit

gpi 10 days ago
My thinking is their time is divided now and could lead to less effort spent on headscale.

palotasb 9 days ago
Not compared to the previous state where he worked for an unrelated company and only had his free time to contribute to Headscale.

kradalby 8 days ago
Person with split time here, I definitely have more time to spend on it now, I have half a work week vs sometime in the evenings or weekends if I had excess energy after having my other job.
themgt 10 days ago
cf. https://github.com/juanfont/headscale/issues/2416