
Tailscale uses Wireguard, but offers so much more on top. I used to think the same, but I think I was mixing it up with Zerotier; had a play with it and now think it's pretty great.

For example, you can set ACL rules for which devices can access which others (or the internet, if you have explicit exit nodes) - it's using Wireguard for networking, but you can't do that with (just) Wireguard, it's not just 'make Wireguard easier to set up', as you said that doesn't really need doing.




Yeah, definitely worth mentioning that Wireguard is actually super easy to manually configure, especially if you don't have a bazillion hosts or need to integrate with auth domains. I think a lot of the stuff individuals end up setting up Tailscale/Zerotier for (they obviously have a lot of other stuff going on, but the relevance to individual/small group users may be limited) would be equally well-served by plain old Wireguard.

If you use Wireguard only to route to/from a central hub that has a static IP address then what you have is perfectly fine.

Tailscale works well for situations where you have lots of roaming devices that perhaps want to talk to each other as well as to central hubs or you want to gate all of this behind some kind of SSO.


For me, I run Wireguard 99% of the time. I only use Tailscale for those rare times port 51820 is blocked for whatever reason. Then Tailscale works.

Given there are numerous other options for wireguard management, what does Wag provide that the others do not?

Additionally, given tailscale (and headscale) exist and are fairly established, the main value proposition of a different provider would be something that tailscale couldn't do/can't be (due to design considerations). Is there something where you've chosen to do something different (e.g. given this is linux-only, why not use named network namespaces)?


Wireguard config is a few lines (interface addresses, keys, AllowedIPs, post up and down). Simpler than SSH. You can run it on a cloud instance close to users.

Tailscale is still simpler and provides additional features. A small team or startup will appreciate Tailscale’s access controls.


IIRC, Wireguard is exclusively managed by Tailscale clients, and not by the server (headscale in this case).

I'm not, but you could use vanilla Wireguard either directly to the exit node, or to another device (a little Pi or something) running Tailscale as a... relay node, I think they call it.

Actually, I find that a simple wireguard tunnel giving boring old IP routing to my home network is a far simpler setup than every device having its own opaque tunnel back to its vendor which I have to use a vendor-specific method of connecting to. Tailscale is also more complex, though a nice product. So far I haven't encountered any context where I couldn't connect to my wireguard tunnel, but YMMV.

This is what we (https://tailscale.com) are working on! WireGuard is incredible, but adding some key management (that integrates with your IAM system) and NAT traversal really helps to round things out. I'd love to hear suggestions and feedback on what we're building.

Tailscale seems like a great product however I do not want 3rd party to be able to add a key to my ACL. Running a custom control plane server is possible, but then there is little benefit for me compared to direct wireguard with a central peer on a VPS. If it would be possible to use just the NAT traversal without key management, that would be it!

Currently I am running a tiny VPS as a wireguard server, but I do not trust it to be part of my network. Therefore I run one wireguard tunnel to be able to access my router (has no public IP) and a second tunnel inside the first to connect through the router to my home network.

Theoretically, it should be possible with a single wireguard tunnel if I set a route to the home router via the wireguard gateway - but I never managed to make wireguard encrypt a packet if it came from the same wg interface. Can anybody help?


Indeed, this is why I won't use it either. I settled on Slack's Nebula [0] instead of wireguard because it handles direct p2p communication between nodes automatically.

There also exists an open source implementation of the tailscale control server [1] that you could self host.

[0] https://github.com/slackhq/nebula

[1] https://github.com/juanfont/headscale


I haven't used Tailscale, but I'm confused. I thought wireguard had a simple config where you can just place a range of IPs and it basically just sends anything to those IPs over wg - effectively split tunneling.

So why couldn't you just have a different range for another subnet? Is it just because Tailscale made everything needlessly complex? Or is it a base wireguard problem?
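The "place a range of IPs" behaviour asked about here, and the AllowedIPs line mentioned in the config comment above, is WireGuard's cryptokey routing. The following added example (not from any commenter or from the WireGuard project) parses a constructed config with placeholder keys and reproduces the two lookups WireGuard performs: outbound, the longest matching AllowedIPs prefix picks the peer (no match means the packet is dropped, not sent in plaintext); inbound, a decrypted packet is kept only if its source IP falls within the sending peer's AllowedIPs, which is what binds addresses to keys.

```python
import ipaddress

# Constructed sample config in WireGuard's [Interface]/[Peer] syntax.
# Keys are placeholders, not real WireGuard public keys.
SAMPLE_CONF = """
[Interface]
Address = 10.0.0.2/24
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
# VPS hub that also carries the home LAN behind it
PublicKey = PLACEHOLDER_HUB_KEY
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24

[Peer]
# Office peer with a more specific prefix than the hub's LAN route
PublicKey = PLACEHOLDER_OFFICE_KEY
AllowedIPs = 10.0.0.3/32, 192.168.1.200/32
"""

def parse_peers(conf):
    """Return {public_key: [networks]} built from the [Peer] sections."""
    peers, key = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            if line == "[Peer]":
                key = None  # a new section resets the current peer
            continue
        name, _, value = (p.strip() for p in line.partition("="))
        if name == "PublicKey":
            key = value
            peers.setdefault(key, [])
        elif name == "AllowedIPs" and key:
            peers[key] += [ipaddress.ip_network(n.strip()) for n in value.split(",")]
    return peers

PEERS = parse_peers(SAMPLE_CONF)

def outbound_peer(peers, dst):
    """Longest-prefix match over all peers' AllowedIPs; None means WireGuard
    drops the packet because no peer is allowed to receive that destination."""
    dst, best = ipaddress.ip_address(dst), None
    for key, nets in peers.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (key, net)
    return best[0] if best else None

def inbound_accepted(peers, key, src):
    """After decryption the inner source IP must lie in the sender's AllowedIPs,
    otherwise the packet is discarded (a peer cannot spoof another's addresses)."""
    return any(ipaddress.ip_address(src) in net for net in peers.get(key, []))
```

Traffic to 8.8.8.8 finds no peer and stays off the tunnel, which is the split-tunneling effect the question describes.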


Using the same code across more OSs than just linux seems nice.

Also, it's based on code by the wireguard author: https://git.zx2c4.com/wireguard-go

They customized it some, but it's all more or less upstream condoned code that Jason built.

Also, if you want to access your tailscale network, but don't have permissions to create a tun or wg device, the fully userspace implementation can work in that situation, which seems like a nice property to have.


WireGuard fully supports IPv6. So I guess Tailscale should be able to support it too.

Plain Wireguard would require more work to replicate this feature, but I remembered hearing that Tailscale offers a beta feature to provision certificates, which I still need to try out sometime.

https://tailscale.com/kb/1153/enabling-https/


I think you've got it. Tailscale is installing WireGuard. You have to have privileges to install Tailscale. They can tell the OS to route packets through their virtual interface.

We could too! This is all in `wireguard-go`. But we'd have to prompt users to escalate privileges every time they tried to SSH somewhere (or, worse, install a long-term resident thingy, just to SSH to things). We don't want to own your VPN connections!

This is an end-run around all of that; we just take responsibility for all of TCP/IP, in our dumb little command line program.


Wireguard is great. Check out Tailscale to manage key exchange for you automagically. I just set it up across my home network and devices and it’s shockingly easy. For personal/hobby projects it’s free.

Have you considered a WireGuard network using a gateway peer/server as opposed to an ssh jump host?

I was looking for similar solutions a while back and finally settled on a WireGuard-based solution.

Tailscale looks very cool as well, but you did mention avoiding unnecessary risks.


I was doing a lot of work with SSH tunnels, but it seems Tailscale is an easy way into WireGuard.

For now I just have one node running on my office setup to access everything there and it seems to work pretty well from home. More convenient than mapping ports anyway.

Although...I don't quite grok how it might be more secure than something like certificate based SSH, seems like the Tailscale attack surface might be bigger even though you can go back and close off the firewall stuff that allows SSH to work. Would seem that instead of concentrating on breaking your (probably obscure) public IP address / port combo, an attacker would simply go to Tailscale and attack that instead.

