this post was submitted on 07 Sep 2023
175 points (98.3% liked)

Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

 

From the article:

Since Tailscale was founded in 2019, customers have been forced to choose between either Tailscale or Mullvad without the ability for them to co-exist.
Today we announce a partnership with Tailscale that allows you to use both in conjunction through the Tailscale app. This functionality is not available through the Mullvad VPN app. This partnership allows customers of Tailscale to make use of our WireGuard VPN servers as “exit nodes”. This means that whilst connected to Tailscale, you can access your devices across Tailscale’s mesh network, whilst still connecting outbound through Mullvad VPN WireGuard servers in any location.

Announcement also on Tailscale blog.

all 31 comments
[–] [email protected] 40 points 1 year ago (3 children)

I've never even heard of these guys, but I see that they have a native client on fdroid so that tells me they care about degoogled operating systems which is very important. It means they go out of their way to prioritize privacy even for app stores that aren't profitable.

[–] [email protected] 25 points 1 year ago

Mullvad is awesome

[–] [email protected] 5 points 1 year ago (2 children)

Tailscale or Mullvad? I also haven't heard of Tailscale yet.

[–] [email protected] 18 points 1 year ago (3 children)

Tailscale is a very cool way of seamlessly creating a private network spread out geographically. Devices sign into the Tailnet from anywhere. It's very big in the self-hosted community (it has a generous free tier). For example my home servers are signed in, so I'm able to stream from my media server to my phone over my private Tailnet tunneled through the internet. I also have an offsite backup location with another server connected to the Tailnet for accepting automated backups.

The underlying technology is WireGuard. It is very smart about figuring out the most effective route: if I'm on my laptop on my home wifi, traffic from my servers is direct; if I'm away somewhere, it's piped through the net securely. What Tailscale adds is ease of setup and native apps for each device.

The privacy angle is that I'm able to get rid of all the cloud services I used to rely on. For example I don't want my CCTV system connected to a cloud provider, but with Tailnet I can connect to my cameras over the internet without having to expose the system to a data mining corporation.

[–] [email protected] 4 points 1 year ago (2 children)

If WireGuard wasn't so easy, and if I were just a little less interested in playing with setting up my own VPN, I would have used Tailscale. It's what I'll recommend to family members when they eventually come asking for a VPN.

That said, setting up a VPN with multiple nodes is pretty trivial for anyone with basic networking knowledge. IME it's also extremely low maintenance; I have far more issues with the containerized apps I'm running occasionally barfing and needing tending than my little 7-node Wireguard VPN. I use Mullvad for the exit nodes and bandwidth (so as not to swamp my little VMs), but Tailscale doesn't offer me much value.

Still, as I said, for non-technical people, Tailscale is pretty cool.

[–] [email protected] 2 points 1 year ago (1 children)

I'm probably a medium-technical person :-) WireGuard won't do the NAT traversal, right? I can't do the port forwarding thing because of the CGNAT on my connection.

[–] [email protected] 1 points 1 year ago

It will, as long as you have an exit node outside your NAT. I allow access to my home LAN from our phones through Wireguard, but I hop through a VM in the cloud. All you do is set a keep-alive on the node(s) in your LAN.
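The hub-and-spoke layout described in the comment above, written out as an added example (not any commenter's actual configuration). It assumes a hub VM with a public address reachable as vpn.example.net on UDP 51820, a tunnel subnet of 10.7.0.0/24, a home LAN of 192.168.1.0/24 behind CGNAT whose uplink interface is eth0, a home resolver at 192.168.1.10, and placeholder keys; all of these are assumptions for illustration.

```ini
# --- hub VM (public IP, /etc/wireguard/wg0.conf) ---
# Only this node needs a reachable port. Peers have no Endpoint here:
# WireGuard learns their current address from each authenticated handshake,
# which is what lets a CGNAT host "roam" without any port forwarding.
[Interface]
Address = 10.7.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>            # placeholder
# Let the hub route between spokes (phone -> home LAN).
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# home LAN node behind CGNAT; hub routes the LAN subnet to it
PublicKey = <lan-node-public-key>         # placeholder
AllowedIPs = 10.7.0.2/32, 192.168.1.0/24

[Peer]
# phone
PublicKey = <phone-public-key>            # placeholder
AllowedIPs = 10.7.0.3/32

# --- home LAN node behind CGNAT (/etc/wireguard/wg0.conf) ---
# No ListenPort: this side only ever initiates. The keepalive is what keeps
# the CGNAT mapping open so the hub can still reach it between handshakes.
[Interface]
Address = 10.7.0.2/24
PrivateKey = <lan-node-private-key>       # placeholder
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s 10.7.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.7.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <hub-public-key>              # placeholder
Endpoint = vpn.example.net:51820
AllowedIPs = 10.7.0.0/24
PersistentKeepalive = 25

# --- phone, split tunnel (WireGuard app) ---
# Only the tunnel subnet and the home LAN go through the tunnel; everything
# else uses the mobile network directly. DNS still points at the home
# resolver, so name resolution for *all* traffic depends on the tunnel.
[Interface]
Address = 10.7.0.3/24
PrivateKey = <phone-private-key>          # placeholder
DNS = 192.168.1.10

[Peer]
PublicKey = <hub-public-key>              # placeholder
Endpoint = vpn.example.net:51820
AllowedIPs = 10.7.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

25 seconds is the keepalive interval the WireGuard documentation suggests for peers behind NAT; it is sent only by the side that sets it, so the hub itself needs none. The MASQUERADE rule on the LAN node is there so that hosts on 192.168.1.0/24 that know nothing about 10.7.0.0/24 can still answer; drop it if you instead add a route for the tunnel subnet on the home router. Note the DNS line on the phone: with a split tunnel that resolves via a home resolver, a stalled tunnel takes down resolution for non-tunneled traffic as well, which is the failure mode discussed later in this thread.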

[–] [email protected] 1 points 1 year ago (1 children)

I had it set up pretty well with OPNSense as the wireguard gateway into my home and the official wireguard client on my lineage phone and it was working great for a year but something changed recently where it's become really unreliable. The problem is not OPNSense, but my phone. Not sure if it's the client or lineageos causing problems.

[–] [email protected] 0 points 1 year ago (1 children)

My WG Android client is so stable that I forget I have it on. I'm not running Lineage, though, so maybe that helps? Why are you sure it's not OPNSense? Also, there have been rumors of some carriers subtly sabotaging VPN connections; have you eliminated that?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

It might be OPNSense, but the problem occurs when I leave my house. My network connectivity dies when it switches from wifi to mobile data, only to recover when I disable then re-enable wireguard. This indicates to me that the android client is not properly updating routes or DNS settings during the network change, or lineage OS is doing something wonky, but I could be wrong.

[–] [email protected] 1 points 1 year ago (2 children)

Interesting. Underlying network changes shouldn't make a difference to WG; TCP/IP routing is dynamic.

But you may be onto something about DNS. If, when you switch networks, the OS is overwriting the DNS server information that WG set up, that would do what you're describing. Restarting WG would re-assert the DNS servers that are configured. The one hitch is that normally this would only cause leakage, not failure to resolve... overwriting WG's DNS servers with public ones should still work.

Still, it's a good intuition, and if it were me, that's where I'd look.

[–] [email protected] 1 points 1 year ago

You know what, I think you are right, it is almost certainly DNS. I have AdGuard set up at home, so I route all my DNS requests through WireGuard even though I'm using a split tunnel. That would explain why everything dies, even traffic that shouldn't be going through the tunnel.

I'll keep pulling on that thread, thanks for the insight.

[–] [email protected] 1 points 1 year ago (1 children)

Ok, it's not DNS. I opened a Termux terminal and tried pinging an IP on my network. No luck. Stopped and restarted the wireguard connection, and was able to ping the machine.

[–] [email protected] 0 points 1 year ago (1 children)

Good idea! Weird. I wonder if one of the networking apps could provide some diagnostics.

If you're using Termux, you could install the whole suite of common Linux networking tools, like traceroute. I haven't gone down this route before; I don't know how far you can go.

I'm also unfamiliar with OPNSense, and don't know how the two apps interact. Good luck!

[–] [email protected] 1 points 1 year ago
[–] [email protected] 3 points 1 year ago (1 children)

So basically it's an easier-to-set-up VPN tunnel for your home network combined with a reverse proxy, or did I misunderstand something? I still haven't quite figured out the self-hosted aspect of it.

[–] [email protected] 5 points 1 year ago (1 children)

That's a good description, yes. The self-hosted aspect is that it makes serving things from home, rather than a VPS, trivial.

For example, I replaced Dropbox with an app called Syncthing. Previously, to do this, I would have run Syncthing on a VPS so it was accessible from anywhere, or run it at home and used a VPS with a reverse proxy over OpenVPN back to my house.

With Tailscale running on the Syncthing server at home, I have a Tailscale IP address for it, which I use on my laptop to access Syncthing. No need for the VPS (especially important for an app with high storage requirements), no complicated VPN setup, reduced attack surface, and the benefit of fast access when I'm at home.

[–] [email protected] 3 points 1 year ago

Thanks. That's pretty much what I was looking for a year ago.

[–] [email protected] 1 points 1 year ago

So it's Hamachi?

[–] [email protected] 5 points 1 year ago

Tailscale, though Mullvad has an F-Droid client too.

[–] [email protected] 4 points 1 year ago (1 children)

They provide useful tools for self-hosters (I x-posted this to [email protected])

[–] [email protected] 4 points 1 year ago

Where would I be without Tailscale as a CGNAT user? I think I would have taken the path of evil.

[–] [email protected] 12 points 1 year ago

https://github.com/tailscale/tailscale-android

My kind of crazy, never played with tailscale before, but I'm looking forward to it

[–] [email protected] 9 points 1 year ago

This is cool! I've been very pleased with Mullvad as a company and with their products. (now if only they hadn't gotten rid of port forwarding, but I get it...)

[–] [email protected] 6 points 1 year ago (1 children)

This is a dream come true. Also it's not working at all for me but I imagine they'll work out the kinks over the next few weeks

[–] [email protected] 1 points 1 year ago (1 children)

Did you enable it in the client on the device? I found that step not very clear in the docs.

[–] [email protected] 1 points 1 year ago (1 children)

Yes. I filed a bug report.

[–] [email protected] 2 points 1 year ago

Actually, I'm finding the service to be patchy at best.

[–] [email protected] 5 points 1 year ago

I just use wireguard

[–] [email protected] 3 points 1 year ago

Well, I'm beginning to regret using ZeroTier for my setup now 🙁