3 comments

  • devilbunny, 2 hours ago
    Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.
    The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight WireGuard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.
    Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.
    • gpm, 1 hour ago
      While waiting for someone in the hospital I recently played the fun game of "how can I work around their firewall stopping me from connecting to tailscale" that they kindly provided.
      It was just blocking new connections. Via SNI. Tailscale's control plane turns out not to care if SNI is sent. Tailscale's app lets you set a custom control plane... like a local proxy that forwards connections to tailscale's servers without setting SNI.
      • devilbunny, 41 minutes ago
        This may very well be the system in use.
        I've seen this effect in several places, not just my work.
        Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.
        • gpm, 31 minutes ago
          I suspect there's less thought put into it than that.
          There's probably a firewall vendor that has a product that does SNI inspection for blocking things like pornhub and the product comes with a list of sites that includes VPN control planes.
          • devilbunny, 14 minutes ago
            Well, yeah, they didn't roll their own. Offhand, I forget the product, but it's definitely off the shelf.
            My point being that surely some of them have noticed the same thing I have, and it hasn't been stopped. I'm not going to raise the issue either way.
    • mrsssnake, 58 minutes ago
      My work guest WiFi network allows only IPv4 HTTPS on port 443 and their own DNS. Everything else, including ICMP (ping), is blocked. Tailscale barely works as any persistent connection is dropped after 2-3 minutes.
      Called this out and the security team said no one complains, that there is no use case and they do not want to deal with security risks.
      And the ossification continues.
      • dheera, 56 minutes ago
        A TCP over websockets VPN would be fairly simple to write, or ask an AI to write for you.
    • stonecharioteer, 1 hour ago
      Wait, tailscale survives connecting to a locked down wifi? That's insane. I remember not being able to use NordVPN at work. I'd just switch to 4G back then. But if you can't initiate a tailscale connection when connected to the office wifi, what does that mean?
      • devilbunny, 54 minutes ago
        Initiate while on mobile connection or tethered to one (or just leave it connected from home), use while on that WiFi.
        EDIT: I figured this out because I brought my laptop from home to do a few things while at work that needed it. I noticed that my Tailscale connection (initially established at home) was working just fine. That's when I realized that it was the initial authentication that was blocked, not the service.
        My phone is usually on my tailnet and my iPad is always on it (and using my home exit node), as a result. Using the exit node has a modest but noticeable effect on battery life, but just being connected is maybe 2% of battery a day. Negligible.
      • blactuary, 41 minutes ago
        When I work at the local coffee shop I cannot SSH to my remote servers for work on their wifi, but if I connect to Tailscale and use my exit node at home I can. Lifesaver.
  • comrade1234, 1 hour ago
    Tailscale is interesting. It's built on top of WireGuard but is different in that it creates a mesh of VPN connections between your devices, rather than just a connection from client to server.
    I haven't used it because I use WireGuard the traditional way and haven't needed a mesh of devices. Also I haven't taken time to investigate the private company offering it and what sorts of my information is vulnerable if I use it.
    • socalgal2, 54 minutes ago
      This is my question too... It's concerning to me that everyone seems to be using tailscale (and maybe cloudflare access) and that I don't see mention of open source alternatives. I'm sure for some network experts the alternatives are obvious? Set up a server somewhere publicly available that runs ??? and have it be your auth/rendezvous server.
      People complain about github being proprietary but I haven't seen much complaint about tailscale being proprietary.
      I assume I'm just being overly paranoid? It's certainly convenient to just sign up and have things just work.
      • jonah-archive, 34 minutes ago
        The Tailscale client (non-GUI) is open source: https://github.com/tailscale/tailscale
        And they collaborate with Headscale to provide an open-source coordination server (with, unsurprisingly, a more limited featureset, but it works fine with their closed-source GUI client): https://tailscale.com/opensource#encouraging-headscale
        I use the combination myself and it works quite well, but of course is less convenient than using their product (which I also do in a different context). Overall I'm pretty happy with their open-source stance.
      • giobox, 39 minutes ago
        There is a well documented open-source alternative to Tailscale - Headscale. The tailscale client is already open source; Headscale is an open-source drop-in replacement for the control server, which isn't, and is fully compatible with Tailscale clients:
        https://github.com/juanfont/headscale
        If you can be bothered running the headscale container, you generally don't need to pay for tailscale. It's been pretty well supported and widely used for a number of years at this point. Tailscale even permits their own engineers to contribute to headscale, as the company sees it as complementary to the commercial offering.
        • kurante, 16 minutes ago
          > Headscale is ... drop in replacement
          I've been really happy with headscale, but I wouldn't call it a complete drop-in replacement as I would with vaultwarden. Some features (e.g. Mullvad integration, ACL tests, etc.) are missing.
          Upgrading also requires upgrading every minor version or you run into db migration issues, but that comes with the territory of running your own instance.
          I would recommend folks look up if headscale suits their needs (like it did for me for many years) before switching over.
    • dig1, 16 minutes ago
      You can also build a mesh network using standard WireGuard. While manual configuration requires exchanging keys and settings between devices, many ansible playbooks can automate this process with minimal effort.
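      As an added illustration of the manual full-mesh configuration dig1 describes (example code, not from this thread or any project): a generator that gives every node every other node as a peer, pins each peer's AllowedIPs to its single tunnel address so cryptokey routing only accepts that address under that key, and adds keepalives only on the NAT-bound side. Node names, addresses and key strings are constructed placeholders; private keys are supplied by the caller (normally from `wg genkey`), never generated here.

```python
"""Full-mesh WireGuard config generator (added example, not the thread's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Node:
    name: str
    tunnel_ip: str                 # address inside the overlay, e.g. 10.44.0.1
    public_key: str                # base64 from `wg pubkey` (placeholder here)
    endpoint: Optional[str] = None  # public host:port; None when only behind NAT
    listen_port: int = 51820


def node_config(me: Node, private_key: str, nodes: List[Node]) -> str:
    """Render the wg-quick style config for `me` given the full node list."""
    out = ["[Interface]", f"# {me.name}", f"Address = {me.tunnel_ip}/24",
           f"PrivateKey = {private_key}"]
    if me.endpoint:
        out.append(f"ListenPort = {me.listen_port}")
    for peer in nodes:
        if peer.name == me.name:
            continue
        out += ["", "[Peer]", f"# {peer.name}", f"PublicKey = {peer.public_key}",
                f"AllowedIPs = {peer.tunnel_ip}/32"]   # exactly one address per key
        if peer.endpoint:
            out.append(f"Endpoint = {peer.endpoint}")
            if me.endpoint is None:
                # we sit behind NAT and must initiate: keep the mapping open
                out.append("PersistentKeepalive = 25")
    return "\n".join(out) + "\n"


# Constructed sample mesh: two reachable hosts and one laptop behind NAT.
MESH = [
    Node("home", "10.44.0.1", "HOME_PUBKEY_PLACEHOLDER=", "home.example.net:51820"),
    Node("vps", "10.44.0.2", "VPS_PUBKEY_PLACEHOLDER=", "203.0.113.10:51820"),
    Node("laptop", "10.44.0.3", "LAPTOP_PUBKEY_PLACEHOLDER="),
]


def all_configs(nodes: List[Node], private_keys: Dict[str, str]) -> Dict[str, str]:
    """One config text per node; this is the 'exchange keys and settings' step."""
    return {n.name: node_config(n, private_keys[n.name], nodes) for n in nodes}


if __name__ == "__main__":
    keys = {n.name: f"{n.name.upper()}_PRIVKEY_PLACEHOLDER=" for n in MESH}
    for name, text in all_configs(MESH, keys).items():
        print(f"--- {name}.conf ---\n{text}")
```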
  • gsmiznith, 3 hours ago
    Interesting article; do you have any details on the performance differences?
    • stonecharioteer, 2 hours ago
      Differences between openvpn and tailscale exit nodes? I can run some tests this weekend.