tinalumfoil
maxmouchet
One downside of using tailscale cert, or LE for "private" records is that it writes the domain name in a public Certificate Transparency Log [1]. So make sure that the name doesn't contain any sensitive information.
An alternative is to issue wildcard certificates with LE, so that the subdomain names are kept private.
[1] https://crt.sh/
xena
Yes, that's why we came up with the random-hex.ts.net domains and the tails-scales.ts.net domains. This makes less publicly recognizable things like `shark-harmonic.ts.net` get put into the certificate transparency log instead of something like "mycorporationname".
ehPReth
On a side note, is there a story behind acquiring ts.net or how much it cost to do so?
therein
> An alternative is to issue wildcard certificates with LE, so that the subdomains names are kept private.
They'll still show up on crt.sh, though, won't they? All my LE subdomains are visible (non-wildcard), but my non-LE paid-for 1-year wildcard ones are also showing up with all the subdomains.
Edit: Actually, nevermind, those are Cloudflare. My paid-for wildcard doesn't show up. Well, that's a good reason to pay up I guess.
psYchotic
If a certificate has been issued for a domain, and that domain doesn't show up in the certificate transparency logs, that's not something I'd cheer for: that issuer could just as well hand out certificates for your domain to others without you ever knowing about it.
Conversely, if a domain shows up in the CT logs, then there have been certificates issued for those domains, even if there exists a wildcard certificate that is valid for that domain. If that happens, check your settings, because there's probably something requesting certificates you're not aware of.
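The two points above (a CT log reveals hostnames, and an unexpected entry in it means something is requesting certificates you did not plan for) are the kind of thing you can check mechanically. The following is an added example, not code from the thread or from Tailscale: it audits a batch of crt.sh-style records against your own zone. The records are constructed, and the field names (`id`, `issuer_name`, `name_value` with newline-separated SANs) are an assumption about crt.sh's JSON output; nothing here contacts the real service.

```python
import json
import re

# Constructed sample shaped like crt.sh's JSON output (field names are an
# assumption). One record per logged certificate; several SANs may be packed
# into name_value separated by newlines.
SAMPLE_CT_JSON = r'''[
  {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "name_value": "*.example.com", "not_before": "2022-09-01T00:00:00"},
  {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "name_value": "grafana.example.com\nprometheus.example.com",
   "not_before": "2022-09-02T00:00:00"},
  {"id": 103, "issuer_name": "C=XX, O=Some Other CA, CN=Issuing CA 1",
   "name_value": "payroll-db.example.com", "not_before": "2022-09-03T00:00:00"},
  {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "name_value": "www.example.org", "not_before": "2022-09-03T00:00:00"}
]'''

# Hostname labels that tell an outsider what a machine is for (constructed list).
SENSITIVE_WORDS = {"payroll", "hr", "salary", "secret", "admin", "vpn"}


def parse_ct_entries(raw_json):
    """Flatten crt.sh-style records into (cert_id, issuer, dns_name) tuples."""
    out = []
    for rec in json.loads(raw_json):
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                out.append((rec["id"], rec["issuer_name"], name))
    return out


def in_zone(name, zone):
    """True for the zone apex, any sub-name, and the wildcard itself."""
    zone = zone.lower()
    return name == zone or name.endswith("." + zone)


def audit_ct_entries(entries, zone, trusted_issuers, wildcard_only=False):
    """Return findings for logged names under `zone`.

    unexpected_issuer:  certificate from a CA you do not use (check for mis-issuance)
    explicit_subdomain: a concrete sub-name was logged although you meant to issue
                        only wildcards, so something is requesting certs you did not plan
    sensitive_name:     the public log now carries a name that describes the host
    """
    findings = {"unexpected_issuer": [], "explicit_subdomain": [], "sensitive_name": []}
    for cert_id, issuer, name in entries:
        if not in_zone(name, zone):
            continue  # another zone; not ours to audit
        if issuer not in trusted_issuers:
            findings["unexpected_issuer"].append((cert_id, name))
        if wildcard_only and not name.startswith("*."):
            findings["explicit_subdomain"].append((cert_id, name))
        # Split the leftmost label on - and _ so "payroll-db" is caught but "chrome" is not.
        tokens = re.split(r"[-_]", name.split(".")[0])
        if any(t in SENSITIVE_WORDS for t in tokens):
            findings["sensitive_name"].append((cert_id, name))
    return findings


if __name__ == "__main__":
    entries = parse_ct_entries(SAMPLE_CT_JSON)
    report = audit_ct_entries(entries, "example.com",
                              {"C=US, O=Let's Encrypt, CN=R3"}, wildcard_only=True)
    for kind, hits in report.items():
        for cert_id, name in hits:
            print(f"{kind}: cert {cert_id} -> {name}")
```

Run it periodically against a fresh download for your zone and alert on a non-empty `unexpected_issuer` list; the `explicit_subdomain` check only makes sense if wildcard issuance is your policy, otherwise leave `wildcard_only` off.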
mholt
Just wait'll you see what's possible with Caddy+Tailscale (currently, and coming soon)!
michael_j_ward
> (1) I can have multiple domains for the same device, say gitea.mytsnetwork.com and netxcloud.mytsnetwork.com can go to the same device
I tried setting up caddy on a machine and then using caddy to reverse-proxy requests to each service i.e. `grafana.my-machine.tail-hex.ts.net` and `controller.my-machine.tail-hex.ts`
Obviously, `caddy` has no problem with the reverse proxy bit, but I did fail at being able to point multiple routes or subnet routes at the same machine via tailscale / magic-dns.
I'm sharing because it feels like something I should be able to do, and feel dumb not being able to figure it out.
xena
This is exactly what we've been working on. Stay tuned ^^
philsnow
I'm just running a dnsmasq and using that to alias machines / workloads. For my network I needed to make sure a route to the dnsmasq IP is advertised by a subnet router and then I told tailscale to "override local dns" and make all tailscale clients use that dnsmasq IP as their DNS server.
I have a mix of bare machines and load-balanced workloads behind an nginx-ingress, all with names specified in the dnsmasq config, and because everything on the tailnet resolves names through dnsmasq (and routes through tailscale), everything works beautifully.
I'm still looking forward to this caddy integration, though.
moontear
Do tease!
mynameisvlad
Tailscale has supported real certificates via LE for over a year now:
zacwest
Tailscale's certs are 1-per-machine so if you want to do any kind of SNI-based certificate handling, you're out of luck and need to drop back to real public certificates anyway.
rrix2
A cool thing you can do with MagicDNS: set your "global nameserver" to a host within your tailnet and run your own resolver accessible "anywhere".
It's easy enough to set up pi-hole.net on a machine on your LAN and configure your home router to hand out DHCP records that will instruct LAN machines to use it, but if I wanted to have DNS-based ad-blocking at the coffee shop or library or elsewhere I previously had my pi-hole listening on a public IPv4's port 53 and dealt with resolv.conf etc... and boy howdy does running an internet-accessible DNS resolver suck! My server would receive millions of requests, weird reflection attacks like [1], probes, the whole nine; it made the dashboarding useless for personal tracking.
But now my pi-hole only listens on my LAN network and its tailnet address, and any machine connected to the tailnet including my phone will use the pi-hole without configuration on any network via MagicDNS.
[1]: https://www.linuxquestions.org/questions/linux-newbie-8/ther...
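A quick way to confirm that a resolver really is reachable only from the LAN and the tailnet is to classify the source addresses in its query log. The following is an added example, not part of the comment above or of pi-hole: it reads constructed lines in the style of dnsmasq's query log (the exact format is an assumption), buckets each query as tailnet (Tailscale hands out addresses from 100.64.0.0/10), LAN (RFC 1918 and loopback) or public, and counts the ANY lookups from public sources that a reflection-style probe typically produces.

```python
import ipaddress
import re
from collections import Counter

# Tailscale assigns node addresses from the CGNAT block 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fd00::/8")]

# dnsmasq-style query lines: "query[TYPE] name from source" (format is an assumption).
LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Constructed log excerpt: two private clients plus two public sources,
# one of them repeating an ANY lookup.
SAMPLE_LOG = """\
Sep 18 10:01:02 dnsmasq[1234]: query[A] grafana.tail-hex.ts.net from 100.64.0.7
Sep 18 10:01:03 dnsmasq[1234]: query[AAAA] nas.home.lan from 192.168.1.20
Sep 18 10:01:04 dnsmasq[1234]: query[ANY] isc.org from 198.51.100.23
Sep 18 10:01:04 dnsmasq[1234]: query[ANY] isc.org from 198.51.100.23
Sep 18 10:01:05 dnsmasq[1234]: query[A] example.com from 203.0.113.9
Sep 18 10:01:06 dnsmasq[1234]: reply grafana.tail-hex.ts.net is 100.64.0.12
"""

# Constructed excerpt from a resolver that only listens on LAN and tailnet addresses.
PRIVATE_ONLY_LOG = """\
Sep 18 11:00:00 dnsmasq[1234]: query[A] grafana.tail-hex.ts.net from 100.64.0.7
Sep 18 11:00:01 dnsmasq[1234]: query[A] nas.home.lan from 192.168.1.20
"""


def classify_source(addr):
    """Return 'tailnet', 'lan' or 'public' for a client address."""
    ip = ipaddress.ip_address(addr)
    if ip in TAILNET:
        return "tailnet"
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "public"


def audit_resolver_log(text):
    """Summarise who is using the resolver and whether any public source reached it."""
    counts = Counter()
    public_sources = Counter()
    any_from_public = 0
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # replies, config lines, etc.
        cls = classify_source(m["src"])
        counts[cls] += 1
        if cls == "public":
            public_sources[m["src"]] += 1
            if m["qtype"] == "ANY":
                any_from_public += 1
    return {
        "counts": dict(counts),
        "public_sources": dict(public_sources),
        "any_from_public": any_from_public,
        "exposed": bool(public_sources),
    }


if __name__ == "__main__":
    for label, log in (("public listener", SAMPLE_LOG), ("private listener", PRIVATE_ONLY_LOG)):
        print(label, audit_resolver_log(log))
```

A non-empty `public_sources` after moving the listener to the tailnet address means the old public binding (or a port forward on the router) is still in place.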
kinduff
I have a similar setup but deployed my PiHole in Fly.io using a custom Docker image behind Tailscale. This way I can just connect to Tailscale and I have ad blocking automatically using their custom DNS servers.
Very useful and I use it all the time on my mobile devices including my laptop when I'm using guest wifis.
archb
I have the same setup! Very happy with the Fly pihole + Tailscale combo, but I recently tried the Tailscale + NextDNS combo and I might move to it altogether. Only problem is that NextDNS seems blocked at my university and I am not sure how to solve that yet. Using pihole on Fly with Tailscale works fine.
shmoogy
Is this on fly.io free tier? How's latency to resolve on something that low end?
archb
Yes, it is possible using the free tier: https://fly.io/blog/stuff-your-pi-hole-from-anywhere/
O_H_E
WOW, that is brilliant.
asymmetric
Just as a side note, I used to do this with plain WireGuard on a Hetzner node. I switched to NextDNS because of latency issues, but if this is not a concern, then it was a great setup, and Tailscale makes it even easier!
moontear
Great setup! But you didn’t say anything about MagicDNS, did you? You just set your global Nameserver to something on your tailnet and could disable MagicDNS for this use case?
rrix2
I set my global nameserver within the MagicDNS configuration to use the pihole IP. If I didn't use magic DNS I would have to do this for each device, and on devices like Android etc. each network I connect to. This requires no thought for each device, just `tailscale up`.
donatj
Very exciting news.
I have been using Tailscale for about two weeks now and I am SOO happy with it. It's genuinely joyful software like I haven't used in years. A modern version of the old Hamachi.
atonse
Glad to see someone else remembers Hamachi :)
Tailscale feels as magical as Hamachi did.
artdigital
Love tailscale! Set it up a couple weeks ago and it’s very fun to use. MagicDns is great! I can go http://macmini anywhere and it just works
Just wish they offered more subnet routers. I’m as much hobby as hobby can be, and already hit the limit (one on my mini k8s cluster, one at home, that’s it. They don’t allow you to have more). Been stuffing the sidecar awkwardly into everything to get around it
If someone from tailscale is reading this - please consider upping the limit of subnet routers. I’ll have to switch to ZeroTier once I want another one which doesn’t have those restrictions.
Even paying for the hobby pro plan is just upping it from 1 -> 2
dfcarney
(co-founder here)
We're definitely considering it. We introduced the limits a while back as an experiment. In most cases, I believe the current limits don't make a lot of sense. Fundamentally, we were hoping to encourage the deployment of Tailscale to end devices (partially to increase users' security, partially to get a better idea of how widely Tailscale is actually being used). Unfortunately, the limits introduce the kinds of headaches that you're describing (and for IoT it can be a showstopper). The net effect across all users could be to actually discourage people from having fun and tinkering with Tailscale, which is the last thing we want.
Would you mind describing some of the other use cases you have for subnet routers? Do you have other mini k8s clusters you want to use them for? Other things? I'd love to learn more.
artdigital
thanks for the explanation!
> Fundamentally, we were hoping to encourage the deployment of Tailscale to end devices (partially to increase users' security, partially to get a better idea of how widely Tailscale is actually being used).
that makes sense, I also got the feeling that's the recommended way to run tailscale, and it's nice to be able to address services directly by their dns name
> Would you mind describing some of the other use cases you have for subnet routers? Do you have other mini k8s clusters you want to use them for? Other things? I'd love to learn more.
Yes that's mainly it. I am probably an edge case because I have mini k8s clusters for different things. I have 2 main networks: My network at home, then my main k8s for my personal cloud stuff, those 2 are pretty constant (but want to spin up a separate IoT network soon that may or may not need a router). Then depending on what I work on, I might spin up other k8s clusters
(I'm one of those oddballs that really enjoys working with k8s for personal stuff)
I think for me it's mainly to have peace of mind to not run into limitations later on, after I'm already locked in and need to rip out tailscale to replace with ZeroTier
dfcarney
Thanks! This is helpful. We need to make some changes to our pricing/plans and every bit of input will shape that.
smackeyacky
I think most people who are using the limit of the free account should really be paying. I am extremely happy paying for Tailscale, pandering to freeloaders is nice and fun but I really don't think it hurts anyone to charge for what the service is worth.
It's brilliant, and worth paying for.
xena
Tailscalar here. For what it's worth there's no hard limit on subnet routers at this time. My personal tailnet is using 8 of them.
dfcarney
(co-founder here)
To xena's point, we're not currently enforcing the limits :) We've been very cautious about that since, as I mentioned in a comment elsewhere, the limits have always been an experiment.
artdigital
wow TIL! That makes me less anxious about that hobby pro restriction. Gonna get another subnet router deployed later :)
chipsa
The Github team org plan (for connecting friends and family) had a subnet router limit of 5, if you want to legitly get a higher limit rather than just ignoring the limit that they don't check.
artdigital
Oh what, is the limit not being enforced? I didn’t even bother trying to spin up another one because everything goes through that admin console, so I was sure there’d be a “you hit your limit” message
Dang now I know what I’ll be doing tonight
chipsa
AFAIK, they've publicly said they don't enforce any of the limits, at this time, because it's not worth it to do the engineering yet, and might never be worth it.
diegs
Is this still incompatible with split horizon DNS? Whenever I'm connected to my corporate tailnet I can no longer resolve hostnames that are registered on my personal, DHCP-assigned DNS server, breaking access to my home network. This also leads me to believe that all my DNS requests are being routed through the magic DNS server which is not cool IMO.
dave_universetf
It sounds like your corporate tailnet checked the "override local DNS" setting and provided their own default nameservers, so those are the ones that get used. They could also not do that, at which point your LAN resolver would get consulted, but I presume there's a policy reason in play?
You say "the MagicDNS server" like it's a quad-8 thing out on the internet. That server lives in the tailscale process on localhost. In some configurations on some OSes, we do have to route requests through that in order to polyfill missing OS features (usually, implementing split-DNS policies that the OS cannot represent natively, or transparently upgrading to DoH for upstreams that support it). You can inspect the logic that decides how to implement DNS policy depending on the policy and OS in https://github.com/tailscale/tailscale/tree/main/net/dns, as well as inspect what the in-process DNS forwarder does (extremely boring: match query suffix in configuration, forward packet to appropriate upstreams).
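The forwarder logic described above (match the query suffix against the configured routes, send the packet to that route's upstreams, and otherwise either use the tailnet's default nameservers or leave the query to the OS) is small enough to model end to end. The following is an added example, not Tailscale's code or configuration format: it implements longest-suffix routing over a constructed policy and toy upstreams, and reproduces the symptom from the question above, where checking "override local DNS" stops a home-LAN name from resolving because the default now points at the corporate resolver instead of the DHCP-assigned one.

```python
# Constructed policies. The dict layout is an assumption for this example, not
# Tailscale's real configuration schema.
CORP_OVERRIDE = {
    "routes": {                                  # split-DNS routes: suffix -> upstreams
        "corp.example.com": ["10.0.0.53"],
        "eu.corp.example.com": ["10.1.0.53"],    # more specific suffix, must win
        "tail-hex.ts.net": ["100.64.0.53"],
    },
    "override_local_dns": True,                  # the setting the corporate admin checked
    "default_nameservers": ["10.0.0.53"],
}
CORP_SPLIT_ONLY = {**CORP_OVERRIDE, "override_local_dns": False}

# Toy upstreams and the names each one knows (constructed stand-ins for real servers).
ZONES = {
    "10.0.0.53": {"wiki.corp.example.com": "10.0.5.10"},        # corporate resolver
    "10.1.0.53": {"db.eu.corp.example.com": "10.1.5.20"},       # EU corporate resolver
    "100.64.0.53": {"grafana.tail-hex.ts.net": "100.64.0.7"},   # resolver on the tailnet
    "192.168.1.1": {"nas.home.lan": "192.168.1.20",             # home router handed out by DHCP
                    "example.org": "203.0.113.5"},
}
LAN_RESOLVER = "192.168.1.1"


def normalize(name):
    return name.rstrip(".").lower()


def select_upstreams(qname, policy):
    """Longest matching configured suffix wins. With no match, return the
    tailnet's default nameservers if 'override local DNS' is set, else None,
    meaning 'hand the query to the OS resolver untouched'."""
    q = normalize(qname)
    best = None
    for suffix, upstreams in policy["routes"].items():
        s = normalize(suffix)
        if q == s or q.endswith("." + s):
            if best is None or len(s) > len(best[0]):
                best = (s, upstreams)
    if best:
        return best[1]
    if policy["override_local_dns"]:
        return policy["default_nameservers"]
    return None


def resolve(qname, policy):
    """Forward to the chosen upstreams in order; return (answer, upstream used)."""
    upstreams = select_upstreams(qname, policy)
    if upstreams is None:
        upstreams = [LAN_RESOLVER]  # OS keeps using the DHCP-assigned resolver
    for up in upstreams:
        answer = ZONES.get(up, {}).get(normalize(qname))
        if answer:
            return answer, up
    return None, upstreams[0]


if __name__ == "__main__":
    for policy_name, policy in (("override", CORP_OVERRIDE), ("split-only", CORP_SPLIT_ONLY)):
        for name in ("wiki.corp.example.com", "db.eu.corp.example.com",
                     "grafana.tail-hex.ts.net.", "nas.home.lan"):
            print(policy_name, name, resolve(name, policy))
```

With `CORP_SPLIT_ONLY` every corporate and tailnet name still resolves through its route while `nas.home.lan` falls through to the LAN resolver; that is the "push custom routes for specific suffixes and leave everything else alone" configuration mentioned further down the thread.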
diegs
Weird, I asked our TS admin to disable "override local DNS" and he claimed the option was disabled out, seemingly due to magic DNS being enabled or something. I'll see if I can get access myself to try and change it. Thank you for the reply!
dave_universetf
If things still aren't behaving, write in to support@tailscale.com and we'll sort you out. It sounds like the corporate setup wants to just push some custom DNS routes for specific suffixes and leave everything else alone, which is definitely a supported configuration.
bradfitz
Most of the Split DNS issues should be fixed now.
If you're on Linux, you want systemd-resolved, as it's the only Linux DNS resolver that's really any good, regardless of your opinions on systemd overall (see https://tailscale.com/blog/sisyphean-dns-client-linux/).
In any case, file a bug with details and we'll fix it up if there are still issues.
trashburger
You're right for most setups, but when Docker also comes into play, systemd-resolved+Tailscale+Docker interacts really badly and containers cannot resolve anything anymore. This caused some serious hair-pulling at work a few months ago.
sally_glance
How did you solve it?
I want to be prepared if it happens, spent too much time figuring out weird Docker - DNS/network interactions on hotel wifis and the like...
ethanpil
As a long time ZeroTier user I want to point out that they have some interesting DNS solutions as well.[1]
(Personally, have not felt the need to change something that has a great free tier, self hosting controllers, etc, and has been working reliably for years... Tailscale looks cool though)
[1] https://www.zerotier.com/2022/04/11/the-zerotier-dns-story/
Melatonic
This is cool but.....don't tons of DNS software already do this and for many many years?
erdaniels
It is! But the usual thing with Tailscale is that this just works out of the box. Any new person starting where I work has Tailscale installed by default. Once they log in, they can access any of our pis/servers that are set up with names like rpi1.
Furthermore, you've got ACLs + Tailscale SSH. That means you can start day 1 and do ssh root@rpi1 and it just works. It's amazing and worth so much money.
Edit: I just really wish they would allow more than being tied to Google SSO. I want to invite people outside of my domain easily :o)
xena
I wrote a giant diatribe about this here: https://tailscale.com/blog/magicdns-why-name/
It's not just a DNS server, it's everything _around_ the DNS server.
VTimofeenko
Yeah, it's totally possible to configure a stack like that. I roll my own stack of unbound+nsd as adblocking split-horizon DNS for LAN, roaming and management WG network.
Tailscale value prop as I understand it - they can manage this whole thing for you.
mdeeks
MagicDNS is really cool, but it seems like it is only useful for ssh-ing into hosts or for tiny home networks where you run a service on a single box. And maybe that is totally fine! I just don't see how to use it in a larger environment beyond `ssh <hostname>`.
In larger environments we never have any kind of internal web site or service running on one host so we can't really have MagicDNS short names for things. It would be nice for users to just be able to type `https://deploy` to get to our deployment tool for example. But that web interface runs across many nodes behind a load balancer so there is no way to use MagicDNS here.
I wonder if some day we can register duplicate hostnames and have it do DNS load balancing? I'm not sure how that would work with the tailscale cert command either. Each node would need the private key.
Anyway, we'll probably start using it but the only real use cases I see right now are for ssh and for users accessing their remote dev boxes.
cschmatzler
The way I have it set up is my Tailscale pod redirecting all requests to an ingress controller, and then all subdomains CNAMEd to the Tailscale DNS. That way, all requests are going Tailscale pod -> nginx ingress controller -> service, no matter which node everything is running on.
jrootabega
"Tailscale automatically assigns IP addresses for every unique device in your network (https://tailscale.com/kb/1033/ip-and-dns-addresses/), giving each device an IP address no matter where it is located."
That phrasing is a little off. It implies there are situations where your location will affect whether or not you get an IP address. Reading the link makes it clear: it assigns IP addresses that are independent of the device's location. The same device will keep the same IP address even when it moves to another network location, which is not surprising when you are familiar with wireguard configuration.
edumucelli
If anyone at Tailscale reads this: your product is insanely good. I use it and it is a delight to set up.
syats
What is tailscale?
I don't like the world where every time someone launches a feature on their product they get to top of HN by calling it "generally available".
simonw
In this particular case I think Tailscale has been discussed thoroughly enough on Hacker News in the past that it's OK that they didn't include the "what is Tailscale" bit (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...) - but I agree, it's always better to start a blog entry with a reminder. Fly.io are great at this, e.g. https://fly.io/blog/introducing-litefs/
jrootabega
A dynamic peer-to-peer layer on top of wireguard.
vczf
I hadn't heard of tailscale before this, but this system is what I have always wanted for my devices. I just finished setting this up and it works amazingly well. Now I've got samba/nomachine/syncthing restricted to the tailscale network with aesthetically pleasing device names. Better security and I can roam now.
This is awesome stuff.
While this is cool I've had luck just purchasing a domain (not that expensive), and manually setting up DNS through that.
Some advantages that this doesn't look like it would replicate: (1) I can have multiple domains for the same device, say gitea.mytsnetwork.com and netxcloud.mytsnetwork.com can go to the same device; (2) I can get real HTTPS certificates for those domains, which I consider necessary nowadays if only just to prevent errors; (3) it's "real" DNS, so when my browser decides to ignore my system settings and use DNS-over-HTTPS instead everything still works.
EDIT: It looks like (2) is solved by the tailscale cert command. I'd replace that point by saying owning the domain is important to controlling the certificate for me. All that said, the more I read into this, this looks like a really well thought-out feature.