I see a lot of love for Tailscale, but I'm curious what people use Tailscale for? Is it mostly to access services running on an internal network? Do you use it for work or for fun?
The use case I can see is streaming from my personal Plex server from anywhere outside my home, but maybe I'm not thinking big enough.
- I have a bootmod3 WiFi adapter plugged into my street/track car with a combo 5G/Linux unit in the car connected to my Tailscale that streams continuous telemetry about the car whenever it's turned on. I could in theory re-flash the ECU via this.
- Using https://tailscale.com/kb/ondemand-access/ alongside node/subnet grouping to create a very neat first step towards auditing access to sensitive production services/environments.
- I use server-based dev environments to keep my portable laptop as clean as possible with no source code on it. VS Code remote + Coder server are fantastic over Tailscale.
+ others. Tailscale I think solves the problem of node-to-node-to-subnet connectivity at a convenient and flexible layer.
"- I have a bootmod3 WiFi adapter plugged into my street/track car with a combo 5G/Linux unit in the car connected to my Tailscale that streams continuous telemetry about the car whenever it's turned on. I could in theory re-flash the ECU via this."
Do you have a writeup or more details you can share around this? This sounds interesting.
That sort of stuff is pretty common. Car guys have lots of disposable income. I'm certain there are devices out there that provide levels of telemetry that were only accessible to top-end racing teams just a decade or two ago.
> Entire site-to-site tunneling/routing. I didn't have to do anything for my parents I just dropped a subnet router at their place.
Can you elaborate? What do your parents need tailscale for? I mean my parents have internet purely by the telco dropping a router at their place and it just works, what is my family missing?
Best guess is OP is hosting files or services that are shared with less tech-savvy parents. Similar to our setup. My son is away at college but still wants access to his music and movie collection on our NAS at home along with some other services. He set up a Tailscale connection and everyone is happy. I don't have to manage any of it and he doesn't have to work around the school's firewall and network architecture.
Mostly standard VPN use cases. They can access my Plex server, Mealie instance and in turn I can remote access their devices without something like TeamViewer when they need IT Support or their home automation stuff is acting up.
Would their lives fall apart without it? No. But it makes my life as the family SRE much easier.
This is no longer a problem for me since I switched my parents from Windows to Mac, but remote desktop login to troubleshoot their problems would be a huge bonus.
Other cool things I could do if I dropped a raspberry-pi w/ tailscale onto their network:
- Need another public IP to test something? Route my laptop through their network for a while.
- share files with them or backup some of their devices to a fileserver I control.
- send print jobs to their printer, I don't keep a printer but they do because.. and I shit you not, they hate doing crosswords on their ipads, they print the damn things out every morning and work them on paper.
- Put it on their phones and have them route their requests through one of my exit nodes.
In my case that's actually multiple functions: remote login without using TeamViewer and also for general remote support, and I have a small backup server at the place for my off-site backups.
It provides a consistent IP address (in the CGNAT range) that the end-device is always reachable at. On top of that you can use MagicDNS or regular DNS records to refer to it.
That IP is usable regardless of how that device and your device actually reach the internet. Further, no one device acts as a “server” and needs a stable public IP thanks to NAT traversal and the DERP fallback path. Keys are handled automatically with an option to not trust Tailscale infra in doing that (Tailscale lock) and I just need to auth devices with my Google Workspace/Gsuite SSO.
Plain vanilla wireguard involves a bunch more faffing about with wg, wg0 and keys. With Tailscale, you (can just) install the software on each computer and then log in. There are also more advanced things you can do with Tailscale, but I chose Tailscale because of wanting to not have to deal with the setup like Wireguard (or OpenVPN) have.
Tailscalar here. One of the main things I use Tailscale for is accessing my development box from anywhere in the world. I can't really develop on Windows so I'm used to ssh-ing into a NixOS machine that runs all my compilers. Tailscale makes accessing it so easy that I can just leave hundreds of emacs buffers open in various tmux panes and reconnect back when I want to do development again.
I also run some internal services over Tailscale, a lot of my personal projects have tsnet embedded into them so that my Prometheus machine can scrape and monitor them. My husband also uses one of those services daily to monitor some information that I publish there.
I also run the development instance of my blog over Tailscale and use Funnel to share it with people to review my writing before it goes live.
At work we use it a lot to let people poke around with changes to development instances of websites (like https://tailscale.dev) without having to push them to the cloud and wait for preview deploys. It is _stupidly convenient_.
Turns out you can do a lot of things with networks when you don't have firewalls making everything complicated.
Now that I think about it, there's also some other things I use it for. I embedded the Tailscale API into my VM manager waifud (https://github.com/Xe/waifud) so that I can pass a `--join-tailnet` flag to `waifuctl create` and plunk new virtual machines onto my tailnet with Tailscale SSH enabled. It makes testing things on arbitrary versions of Ubuntu so easy that it feels like I'm cheating.
My hypervisors are also subnet routers so my VMs can connect to each other like they're on the same network. All the fun of static routing without any of the "fun" of static routing!
Speaking of Funnel, a holy grail use case is to be able to host one-off game sessions to an untrusted stranger who would not trust this "Tell-scale thing" you require him to install or register an account for. Most frequently these kinds of spontaneous interactions happen over Discord, where perhaps you want to quickly show someone what you're building in Minecraft and have him make some suggestions in-game or something. Is there any possibility that Tailscale can improve on reducing friction for some of these more "social" use cases where the target demographic is not tech-savvy and distrustful?
As a consumer, I use it for two things and it does it well and very simply across all platforms:
1) When traveling, you can use one of your home computers as an "exit node" so you can watch Netflix, etc. abroad very easily. Much more reliable than using VPNs which can be blocked.
2) Accessing your internal network from wherever you are for Plex, Homebridge, IP cameras, or whatever.
I don’t have space for servers at home, so I use Tailscale to expand my home lab with a couple of VPS; the nice thing is that I can just block all ingress traffic in my provider’s control panel (Hetzner in my case) and just use these machines as if they were part of my LAN, and I don’t have to worry about things like Docker exposing stuff to the public internet.
Personally:
- I have a few Raspberry Pis and PCs around the house. This lets me SSH into them for maintenance/etc. It’s also good for projects and stuff to use their DNS. Eg I can use “http://nas/photos” to get to my photo library instead of an IP address. No TLD is kinda cool (it’s just a net search group afaik so reproducible without them) but very memorable for the family. I’ve also gone as far as to embed their library in a go project I made - it means the same IP address and host name regardless of where the binary is running which is cool. This also means the binary knows who is who when accessing the website it hosts. The ease of doing this makes me feel like projects like OpenZiti may be the future of zero trust and networking - embed the security into the code via a library and get all the global routing you need for free.
Work:
I work at a tiny company (5 of us). We do IOT stuff, and we have a lab with a bunch of equipment, mostly controlled by Raspberry Pis or similar. We’re small so we work in a private room in a coworking space. We use tailscale to manage the RPIs and keep consistent IP addresses when we don’t have control over the overall network. We also run some internal stuff in AWS over tailscale (eg our staging servers etc). It’s hands down the easiest option to onboard people too. It lets us access equipment from home if needed, and it’s super lightweight compared to other VPNs I’ve used.
I have my first year Pi running Diet Pi with Adguard Home and was just happy that I found a use for such an old machine that I was considering throwing.
The speed test in Diet Pi said that the latest Pis can complete them in a few seconds versus the minutes it took mine to set up, so figured it would be useless but had been working flawlessly as a dns at home and blocking all ads on all devices.
Adding Tailscale took it to the next level and now all my devices have ad blocking on LTE, public wifi, friends houses, everywhere.
I subnet advertise my entire home network, which I consume from my phone and laptop on the go. Primarily to access home assistant, plex and SSH without advertising any of those to the internet - people can and do get hacked both via plex and SSH :)
When travelling internationally, I use the exit node functionality to optionally switch on and off sending all my traffic back home to either work around geo-blocks for my home streaming services or as a pseudo-vpn replacement for particularly dodgy networks.
Accessing servers without the need to open their ssh port to the public internet. This is the main point for me. Such functionality could be achieved with other means of course but tailscale makes it so easy and reliable that I don't think any other solution can compete with it.
After I install the tailscale client on the server and do some very simple configuration on the tailscale web app to identify the new node I know I'll be able to access it regardless of any firewalls the node may be behind!
Standard VPN stuff really. Set it and forget it. Accessing my NAS and home machine without opening them up to the world mostly.
The most specific use aside from "it's my network, wherever" I've got is setting it up with NextDNS for adblocking no matter where I am in the world and regardless of what network I'm on https://tailscale.com/kb/1218/nextdns/
I am doing a lot of what people here said they are doing with tailscale but I just use plain wireguard. As I understand it tailscale makes various configurations automatic, management easy and provides features like authentication that wireguard does not have. But for a small number of hosts, it's fine to run wireguard itself and manage manually.
I have a NAS in my home, and my parents have a NAS in theirs. Everything is on Tailscale and I can SSH into either machine whenever I need. I've needed to do this a few times when I am on the road, but more commonly I use Tailscale when I do a little remote tech support for my parents.
I don't expose anything to the internet and use it to access my Synology or my Unraid NAS, to stream Plex music to Plexamp, to check my home network when I am away, and in some cases I have used it to circumvent filtering Proxies by tunneling HTTP/HTTPS.
I found Tailscale for a specific reason, having a network where my various services can talk to each other without going thru HTTP for everything, i.e. ssh, scp, direct schemas for DBs.
And I use it for screen sharing my mac computers over the internet while traveling.
We use it at work. All our services run on private IPs on our own vnets, and we access them with Tailscale. We don't need to run a VPN tunnel, or manage public IPs and firewall rules.
Technically maintaining your Tailscale ACLs is the same as maintaining “firewall rules”. If you’re allowing any-any on your tailnet you are in a world of hurt if any endpoint gets compromised by e.g. ransomware.
We use Tailscale at $dayjob and the fact that we can ensure that marketing machines can’t access any engineering resources is the big win. And it “just works” through NAT.
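The point in the two comments above (tailnet ACLs are firewall rules, and any-any is the risky default to move away from), as an added example that is not part of the original thread: a small auditor run over two constructed policies in the shape of Tailscale's ACL policy file. The group, tag and user names are made up, and the matcher is a simplification that only understands `*`, users, groups and tags.

```python
import json

# Constructed sample policies (strict JSON for this example; real tailnet policy
# files are HuJSON and also declare tagOwners for every tag they use).
FLAT = json.loads('{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}')
SEGMENTED = json.loads("""{
  "groups": {"group:eng": ["alice@example.com"],
             "group:marketing": ["bob@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:eng-db:5432"]},
    {"action": "accept", "src": ["group:marketing"], "dst": ["tag:cms:443"]},
    {"action": "accept", "src": ["group:eng", "group:marketing"], "dst": ["tag:wiki:*"]}
  ]}""")

def split_dst(dst):
    """Split 'host:ports' on the last colon, so 'tag:eng-db:5432' keeps its tag."""
    host, _, ports = dst.rpartition(":")
    return host, ports

def audit(policy):
    """Return (rule index, finding, dst) for rules that are broader than needed."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        wide_src = "*" in rule.get("src", [])
        for dst in rule.get("dst", []):
            host, ports = split_dst(dst)
            if wide_src and host == "*":
                findings.append((i, "any-any", dst))
            elif host == "*":
                findings.append((i, "any-destination", dst))
            elif wide_src:
                findings.append((i, "any-source", dst))
            elif ports == "*":
                findings.append((i, "all-ports", dst))
    return findings

def reachable(policy, user, dst_host):
    """Simplified lateral-movement check: does any rule let `user` reach `dst_host`?"""
    groups = {g for g, members in policy.get("groups", {}).items() if user in members}
    for rule in policy.get("acls", []):
        srcs = set(rule.get("src", []))
        if not ("*" in srcs or user in srcs or srcs & groups):
            continue
        if any(split_dst(d)[0] in ("*", dst_host) for d in rule.get("dst", [])):
            return True
    return False

if __name__ == "__main__":
    print(audit(FLAT), audit(SEGMENTED))
    print(reachable(SEGMENTED, "bob@example.com", "tag:eng-db"))
```

Under the flat policy a compromised marketing laptop can reach the engineering database; under the segmented one it cannot, and the only remaining finding is the all-ports wiki rule.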
Plex provides remote access without needing any additional services. Just enable it in the settings and you can access your library anywhere when you log in to plex.tv.