FRESH

Hacker News

An open source, self-hosted implementation of the Tailscale control server

321 points by quyleanh

by SuperShibe

4 subcomments

Every few months I come back to this repo to check if they finally got Tailnet lock running or if someone security audited them in the meanwhile. Unfortunately neither of these things seem to make any progress and thus, I’ve grown uncertain in how much I can trust this as a core part of my infrastructure.
The entire premise of Tailscale SaaS builds on creating tunnels around your firewalls, then enabling the user to police what is allowed to be routed through these tunnels in a intuitive and unified way.
Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal, but can they also fulfill the second part by providing enough of their own security to make up for anything they just bypassed, or will they descend to just being a tool for exposing anything to the internet to fuck around with your local network admin? To me, not giving your Tailscale implementation any way for the user to understand or veto what the control server is instructing the clients to do while also not auditing your servers code at all sure seems daring…

by Happily2020

4 subcomments

If you're interested in self-hosting your orchestration server, you can look into Netbird. It's a very similar tool, but has the server open sourced as well. So you have a self-hosted control server with a nice GUI and all the features the paid version does.
https://netbird.io/knowledge-hub/tailscale-vs-netbird

by infogulch

0 subcomment

I think it would be neat if headscale allowed peering / federating between instances. (Maybe after the ACL rework.) One of the main problems is address collisions.
So here's my proposal: commit to ipv6-only overlay network in the unique local address (ULA) range, then split up the remaining 121 bits into 20 low bits for device addresses (~1M) and 101 high bits that are the hash of the server's public key. Federate by adding the public key of the other instance and use policy and ACLs to manage comms between nodes.
I think it's a nice idea, but the maintainer kradalby said it's out of scope when I brought it up in 2023: https://github.com/juanfont/headscale/issues/1370

by telotortium

0 subcomment

Should add the project name, Headscale, to the title
Headscale has been on HN many times.

by voxadam

1 subcomments

by mountainriver

2 subcomments

by aborsy

0 subcomment

How much is the risk of my devices being compromised if Tailscale coordination server is compromised, and tailnet lock is enabled?

by pilif

3 subcomments

Keep in mind that for many use cases (mobile access, GUI on macOS), this relies on the official Tailscale clients keeping the ability to set the control server.
The moment the inevitable enshitification will start at Tailscale, this feature will go away.
I’m saying this as a currently super happy Tailscale customer who was burned multiple times in the past by other companies being sold or running out of VC money

by 3abiton

5 subcomments

by snvzz

0 subcomment

Headscale has been serving me well for half a year now. It is great, to the point I have no idea how I lived without a tailscale network before.
It is packaged in openbsd, and that package is the server I am using.

by 1vuio0pswjnm7

0 subcomment

by udev4096

2 subcomments

by pluto_modadic

0 subcomment