Tailscale Takes All the “Fun” Out of VPNs

Getting remote access to things that aren’t on the Internet has traditionally been very challenging. Sledgehammer solutions like port-forwarding expose the service to the entire Internet, and they still may not work if you’re behind carrier-grade NAT. Virtual private networks (VPNs) can help, but they’re difficult to get right, and even then you’ll probably have to load some bulky software on your computer to use them.

I’ve built some VPNs in the past, typically to get access to my home network from afar. I’d grit my teeth and figure it out, and come up with something passable, right up until I found it was insufficient in some way. But that was all before I discovered Tailscale.

Tailscale uses the WireGuard protocol, which is small, fast, and widely respected. What it does differently from plain WireGuard is handle the parts that are usually painful: key distribution, NAT traversal, and configuration become almost effortless.

More Than Just a Server Connection

All you have to do to connect two machines (such as your home computer and your phone) is download Tailscale, sign in with Google, Microsoft, or GitHub, and… it just works. They can see each other no matter where they are just like they were on the same network.

Right away, that’s taking away all the “fun” I used to have setting up VPNs. I don’t even need to run a server, and crucially, Tailscale isn’t a VPN server in the middle of my traffic: its coordination service only hands out public keys and policy, and the actual traffic flows over individual WireGuard peer-to-peer connections between your machines (falling back to an encrypted relay only when NAT traversal fails). They call this mesh a “tailnet”.

Tailscale can do so much more, though. Right away — and you’ll appreciate this if you’ve ever tried to build any network, let alone a virtual one – you can reach other machines on your tailnet just by using their names, via MagicDNS. For example, I can connect to my Mac mini’s screen-sharing service just by going to matties-mac-mini.

There are also other really useful features, like Taildrop—an easy way to send files between your Tailscale-connected machines. You can also have machines designate themselves as exit nodes and selectively use them to route all your Internet traffic through, which is great for situations like public Wi-Fi. This is all just a couple of clicks away.

In fact, it was the ease of setting up an exit node that made me first say “Tailscale takes all the fun out of VPNs.”

Connecting

If you add more people to a tailnet — like folks sharing a GitHub organization — you can do some more neat stuff. For example, if you’re on a team of developers, you can run a development server on your computer and hand out the address to whoever you’re working with so they can try it too, no matter where they’re working.

If you don’t want to share a whole tailnet with someone, but would like to give them access to a server you’re running, you can also share just that one machine with someone else. It doesn’t give them access to your entire tailnet, and they don’t give your server access to theirs.

Everything I’ve talked about until now has required you to install a Tailscale client on all the machines you want to use. But there’s one more feature I’ve found invaluable — subnet routers.

Subnet routers are machines that have the Tailscale client installed and explicitly advertise that they’re willing to route traffic for another network (a LAN or a cloud VPC, say). Nothing else on that network needs Tailscale. Other Tailscale clients can choose to use the advertised route and then connect to machines on that network transparently. Two things to keep in mind: an administrator has to approve the advertised routes before they take effect, and the WireGuard encryption only covers the hop to the subnet router; the last hop from the router to the LAN host is ordinary traffic on that network.

Locking It Down

About now, the security-minded folks may be feeling their heart rate rise a bit. These features give a lot of access that wasn’t there before, and they’ll want to control it.

ACLs are how you do this. You can write policies to control access. For example, here’s a simple one, a variation of which I use on my personal tailnet:

{
	// Who is allowed to apply each tag to a machine.
	"tagOwners": {
		"tag:server": ["[email protected]"],
	},
	// Default-deny: only connections matched by an "accept" rule are allowed.
	"acls": [
		// Untagged machines I registered may reach any machine on any port.
		{"action": "accept", "src": ["[email protected]"], "dst": ["*:*"]},
	],
}

Let’s break down what this policy says.

First, it says that I ([email protected]) am a “tag owner” for the “server” tag. This simply means that I’m allowed to tag any machine as a server.

Second, it says that any traffic from machines that I registered but that haven’t been tagged (more on that in a moment) is allowed to initiate connections to any other machine on the tailnet, on any port. That’s the only “accept” rule, and Tailscale’s policy is default-deny: anything not matched by an accept rule is dropped.

What it doesn’t say is as important as what it does: machines that I’ve tagged as a server are not allowed to initiate connections to any other machine, because there is no rule saying they can. They can still receive connections from my untagged machines, which is exactly what I want from a server.

The way tags work seems strange at first, but bear with me. When I register a machine with Tailscale, it’s considered owned by me. When I tag a machine, it’s no longer considered mine, but rather it’s now part of that tag.

Therefore, by tagging it, I am taking away its ability to match the rule that can connect anywhere. Instead, it matches no ACL rule at all, and it can only accept connections.
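To make the ownership-versus-tag behaviour concrete, here is a toy evaluator for the policy above. It is an added illustration, not Tailscale’s code, and it models only the parts of the policy language the post uses: user logins, tags, the “*” wildcard, and single ports or port ranges in “dst”. The logins alice@example.com and bob@example.com and the machine names are made up stand-ins; the second, tighter policy at the bottom is also mine, showing how you would scope the laptop down to specific ports on tagged servers.

```python
# Toy model of the Tailscale ACL semantics described in the post.
# Added illustration, not Tailscale's own code. Identities and machine
# names are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """A device on the tailnet."""
    name: str
    owner: str                      # login of the user who registered it
    tags: frozenset = frozenset()   # e.g. {"tag:server"}

    @property
    def identities(self) -> frozenset:
        """Who this node 'is' for policy purposes.

        Tagging replaces user ownership: a tagged node matches its tags and
        never the login of the user who registered it.
        """
        return self.tags if self.tags else frozenset({self.owner})


# The post's policy, with a placeholder login.
POLICY = {
    "tagOwners": {"tag:server": ["alice@example.com"]},
    "acls": [
        # Untagged devices registered by alice may reach anything, any port.
        {"action": "accept", "src": ["alice@example.com"], "dst": ["*:*"]},
    ],
}

# A tighter variant: the laptop only reaches tagged servers on SSH and VNC.
TIGHT_POLICY = {
    "tagOwners": {"tag:server": ["alice@example.com"]},
    "acls": [
        {"action": "accept",
         "src": ["alice@example.com"],
         "dst": ["tag:server:22", "tag:server:5900-5901"]},
    ],
}


def _port_matches(spec: str, port: int) -> bool:
    """Port spec is '*', a single port, or an inclusive range 'lo-hi'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _dst_matches(spec: str, dst: Node, port: int) -> bool:
    host, _, portspec = spec.rpartition(":")
    return _port_matches(portspec, port) and (host == "*" or host in dst.identities)


def allowed(policy: dict, src: Node, dst: Node, port: int) -> bool:
    """Return True if src may open a connection to dst:port.

    Only 'accept' rules exist and anything unmatched is dropped, which is
    why a tagged server with no rule of its own can receive connections
    but never initiate them.
    """
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(s == "*" or s in src.identities for s in rule["src"]):
            continue
        if any(_dst_matches(d, dst, port) for d in rule["dst"]):
            return True
    return False  # default deny


def can_tag(policy: dict, user: str, tag: str) -> bool:
    """Only listed tagOwners may apply a tag to a device."""
    return user in policy["tagOwners"].get(tag, [])


# Constructed sample tailnet.
LAPTOP = Node("alices-laptop", "alice@example.com")
SERVER = Node("home-server", "alice@example.com", frozenset({"tag:server"}))
BOB_PHONE = Node("bobs-phone", "bob@example.com")

if __name__ == "__main__":
    print(allowed(POLICY, LAPTOP, SERVER, 22))       # untagged laptop -> server
    print(allowed(POLICY, SERVER, LAPTOP, 22))       # tagged server has no rule
    print(allowed(POLICY, BOB_PHONE, SERVER, 22))    # bob has no rule
    print(allowed(TIGHT_POLICY, LAPTOP, SERVER, 80)) # port not in the tight rule
    print(can_tag(POLICY, "bob@example.com", "tag:server"))
```

Run it and you can see the post’s point directly: the laptop reaches the server, the server cannot reach the laptop, and a user who isn’t a tag owner cannot tag anything. Real Tailscale policies also support groups, IP addresses, and autogroups in “src” and “dst”; this model leaves those out.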

There’s a lot more you can do with ACLs, like defining groups of users, grouping machines automatically by tag, and using auto-approvers so that some machines can advertise themselves as an exit node or a subnet router without an administrator approving each one.

Tailscale is well-documented, and there’s a lot to explore.

We’re all connected.

I use Tailscale almost every day. I even use it between machines already on the same network (Tailscale will just directly connect them with WireGuard) because it’s convenient. I’m also looking into leveraging it more with clients with needs such as accessing their private cloud networks on the go, just because it’s so simple to use.

I hope you can use Tailscale to solve one of your… ahem… “fun” networking problems. Let it get the messy stuff out of the way and focus on what you do best.
