They support OIDC login now, so you don't need an Apple/Google/Microsoft account.

There's an open source server implementation called headscale that works with the tailsxale clients

I think it's interesting that all recent contributions to this "open source alternative" are done by a tailscale employee. Wonder what's preventing them from making the official client open-source

https://github.com/juanfont/headscale/commits/main/

I’m curious if anybody else sees tailscale / headscale in the same way that I do — I was avoiding signing up to tailscale because I didn’t want to be locked into a proprietary platform, but since learning that headscale exists and is “good enough”, I’m now happy to be a tailscale customer safe in the knowledge that I can fall back to self-hosting when needed.

(Yes the company _could_ do a sudden 180 and start intentionally breaking compatibility and forbidding that their clients be used with third-party servers - but the risk of that doesn’t seem much different than the risk of an open-source alternative being abandoned)

>Wonder what's preventing them from making the official client open-source

Probably having a full time job that people will actually support? Open source software doesn't reward effort.

Headscale does not have a nice UI, its basically all CLI usage. There's very good reason to use Tailscale for companies and there's also good reasons for Tailscale to support an opensource implementation of their control server, I've seen it from both ends as people go either way, it's a symbiotic relationship and probably one of the best examples in open source today.

It's more interesting that Headscale is officially "encouraged": https://tailscale.com/opensource/#encouraging-headscale

I haven't tried it yet, but you can use a Yubikey now.

https://tailscale.com/kb/1269/passkeys/

I tried, you can use a yubikey only to log in a existing enterprise account

Does this not work for you?

https://tailscale.com/kb/1240/sso-custom-oidc/

Casdoor seems to be a good fit as a free solution of SSO: https://casdoor.org/

For companies this is the way. But I guess for personal use a private Keycloak instance is a bit overkill?

You certainly don't need a full on Keycloak installation here, if you don't want to go that far. There's various OIDC providers, some more complex than others!

If you already have LDAP or some other backing auth, setting up Dex for OIDC is pretty easy. Took me less than an hour or so.

If you want something fancier Authelia isn't too bad, I got that running in an evening and hooking it up to Tailscale took another hour or two. Most of that spent figuring out how I want to do webfinger.

Curious, do you any blog/post that you used to guide your set up that you can share?

I haven't written one yet, but the provided docs are pretty easy to follow:

1. Tailscale has their custom OIDC docs that tell you everything you need, plus the Webfinger setup: https://tailscale.com/kb/1240/sso-custom-oidc/

2. I set up Webfinger first, so assuming you're setting it up from scratch you can either run a Webfinger server yourself, or just configure the paths in whatever web server you have for your base domain. I didn't feel like running Yet Another Server and since the Tailnet's only for me I just plugged the following section into Caddy:

  @webfinger {
    path /.well-known/webfinger
    method GET HEAD
    query resource=acct:MY@EMAIL
  }
  rewrite @webfinger /webfinger.json
  header @webfinger {
    Content-Type "application/jrd+json"
    Access-Control-Allow-Origin "\*"
    X-Robots-Tag "noindex"
  }

Where webfinger.json is file containing the response tailscale is looking for from their doc. You can verify it works right at https://webfinger.net/lookup/ .

3. For Dex you can just set it up like any OIDC connection; Authelia was about the same but they have their own page: https://www.authelia.com/integration/openid-connect/tailscal...

Took me about an hour or two, most of that being wishy-washy on how I wanted to serve Webfinger.

I setup authelia specifically for this and it was barely a morning's work, and works beautifully.

I guess I'm doing overkill then. I actually use Keycloak for Tailscale. It also serves as authentication for my Nextcloud and Mastodon instances, so maybe slightly less overkill.

I'd want to run the console myself anyway.

If the admin console is run by them, it's pretty trivial for them or an attacker to add nodes to my network. Zerotier suffers from the same issue.

Tailscale is cool and the third party login is also a problem for me, but the hosted service in general is a much bigger core issue with it for me that not only affects privacy but also security.

You can host the independently implemented OSS version yourself: https://github.com/juanfont/headscale

For me the headache of running my and maintaining my own server isn’t worth it (+ would still require a GCP/AWS account)

Cool, I didn't know this existed. It seems to be a third party server similar to what vaultwarden does for bitwarden?

But why would it need a gcp or aws account? It could run on any vps right? I'd run it on something much cheaper like scaleway.

It doesn't. You can run it on a VPS and you have an option to use SSO with OIDC integration.

No local logins? I don't really want that SSO stuff. Just a local username/pw combo would be perfect :)

By default, headscale doesn't have a web interface/login as such and all configuration is done via the CLI on the server running headscale. So, your login is effectively PAM. You use authkeys etc to add machines.