The subtle magic of tsnet (tailscale.dev)
54 points by xena on July 13, 2023 | hide | past | favorite | 22 comments


I see a lot of mention of folks using tailscale for their friend group to access stuff.. but the free plan seems to max out at 3 users, with an exception for foss projects.

What am I missing? How do I use tailscale for my 10ish friends and me to play minecraft without paying hundreds a year?


Tailscalar/talk author here. Set up a GitHub org. That has a 25 user limit for free. That's what my husband and I use (our tailnet predates the new free plan details here: https://tailscale.com/blog/pricing-v3/).


I do not really see this. On a new GitHub organization Tailscale account I only see three users. Maybe you were grandfathered that plan...?


Have each person create their own account, and share nodes: https://tailscale.com/kb/1084/sharing/


I’ve been playing with Netbird lately and it’s been working well. They have a free plan for up to 20 nodes, and a self hosted option if you want to eject from their cloud offering.


Netbird looks like a great option. Thanks!

Yeah having all my users have to be on github or sign up for a third service is a non-starter, but plain wireguard is just a bit much. Netbird looks like a good path.


An interesting article overall, but I think authenticating a user based on their IP address is probably the worst security advice I've seen. It's probably ripe for attack with ARP poisoning, IP spoofing, etc.


(I work at Tailscale)

It only authenticates it _after_ all the WireGuard bits. So it's not really auth by IP address, but auth by wireguard key identity, from which we know your identity. There's no IP spoofing possible. And ARP isn't even in the picture for an L3 protocol.


How do you prevent other processes (or other apps on mobile) from connecting to the service?

A malicious game on my phone can't ssh to my server if I do normal authentication, but with this IP/WG authentication it can...


You can configure ACLs. By default devices that aren’t tagged with an ACL tag are available to other devices authenticated by the same user. If you tag a device, you have to write explicit ACLs to permit access from other users/devices.
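As an added example (not from the thread, and not a policy shipped by Tailscale), here is a tailnet policy file that does what the comment above describes: once the server is tagged, the implicit "a user's own devices can talk to each other" rule no longer covers it, so access has to be granted explicitly. Tailscale policy files are HuJSON, which is why comments and trailing commas are allowed. The tag name, the group members, and the port are assumptions chosen to fit the Minecraft-for-friends case raised earlier in the thread.

```jsonc
// Constructed tailnet policy file (HuJSON). Names and port are assumptions,
// not values taken from the thread.
{
  // Only tailnet admins may apply the tag. A tagged node is no longer "owned"
  // by the user who enrolled it, so the user-to-own-devices default does not
  // apply to it and access must be granted by an explicit rule below.
  "tagOwners": {
    "tag:minecraft": ["autogroup:admin"],
  },

  // Friends who should be allowed to reach the server (assumed login names).
  "groups": {
    "group:friends": ["alice@example.com", "bob@example.com"],
  },

  "acls": [
    // Restate the default behaviour explicitly: every member can still reach
    // their own untagged devices. Without this rule, a non-empty "acls" list
    // would drop that default too.
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self:*"],
    },
    // The tagged server is reachable only by the friends group, and only on
    // the game port (25565 is the Minecraft default; an assumption here).
    {
      "action": "accept",
      "src": ["group:friends"],
      "dst": ["tag:minecraft:25565"],
    },
  ],
}
```

The second rule is the part that answers the question in the comment: a tsnet service running on the tagged node only receives connections that the coordination-server policy already allows, and the identity it sees on each connection is the WireGuard key's owner, not something the client asserts. It does not, as the next reply points out, distinguish between processes on an allowed device; that remains a host-level concern.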


How does this solve the problem of a malicious process inside the whitelisted device?


That would of course be beyond the scope of the network layer itself.


Could be I'm old, but I read the beginning, recognized the problem like YES that is hard... and then ended up reading about solutions that just made it all even more complicated?


OP kindly made a streamlined version of same post for those who prefer: https://tailscale-dev-git-xe-no-fun-allowed-tailscale.vercel....

All: please focus on the content now. (See https://news.ycombinator.com/newsguidelines.html re "tangential annoyances—e.g. article or website formats [etc.].")

Edit: looks like that's now the version at the official URL so I will cause this comment to plummet to the depths.


I love Tailscale posts, but I don't feel like the slide -> blog conversion has gone very well here. It reads more like a Twitter thread. In one of the slides, they even admit the imagery is sloppy, but do nothing to supplement it with a better one.


Love both Tailscale and Xe's writing as well, and indeed, all these (rather irrelevant) images are just breaking the flow of reading/skimming the content. I guess I'll just watch the video instead.


Yeah, they definitely need to spend 5 minutes to remove the spurious slides that don't actually provide any information.


This took me more than 5 minutes, but do you mean something like this? https://tailscale-dev-git-xe-no-fun-allowed-tailscale.vercel...


Thanks! I've pinned that link to the top of the thread along with a request to stop being distracted by formatting now.


Yes! This is way more readable, thank you.


The fix is rolling out shortly.


Perfect, thank you!



