The Magic of Tailscale

CyberSecurityTailscaleVPN
, , , ,

If you have multiple computers in your life including computer-adjacent things like network attached storage it’s likely you’d like to have access to each of those devices, always.

If I need to inspect a file on my Synology in my house while I’m a passenger in the car, I want to be able to do so.

The easiest way to do this is to expose the port(s) your device needs for remote access through your router/firewall.

Unfortunately, this exposes your device to the entire Internet and that’s undesirable.

Traditional VPNs

The easy solution to this problem is a Virtual Private Network, this means you run some sort of server inside your network that will allow devices outside the network to tunnel into the network.

Once a device is on the VPN it can access anything within that network.

Said differently, if your phone is on a VPN that is hosted in your house, then your phone can access all the devices in your house. Most corporate VPNs work this same way.

If you’ll permit some hand-waving and over-simplification, traditional VPNs tend to be a sort of funnel where there is one server running inside the network you wish to tunnel into, and all clients connect to that server. That makes setup easy, but generally, it’s sort of an all-or-none scenario, you’re either on the VPN or you’re not.

What if there was a better way?

Tailscale
Tailscale is a VPN service that makes your devices and applications accessible anywhere in the world, securely and effortlessly. It achieves this through encrypted point-to-point connections using the open-source WireGuard protocol.

Essentially, only devices within your private network can communicate with each other

Tailscale’s Approach

  • Decentralized : Avoids centralization by connecting nodes directly.
  • Lower Latency: Devices communicate directly, resulting in lower latency.
  • Higher Throughput: Traffic flows directly between machines, improving efficiency.
  • Key Exchange and Coordination: Tailscale manages the exchange of public keys and coordinates the connections between nodes.
  • Network Traffic: Traffic typically flows directly between nodes for the shortest path and best performance.
  • Ease of Use: Tailscale is designed to be user-friendly, requiring minimal configuration from the user.

By leveraging the WireGuard protocol and a decentralized network structure, Tailscale provides a secure and efficient way to connect your devices, no matter where they are located.

How it Works

Tailscale is fast and reliable. Unlike traditional VPNs, which tunnel all network traffic through a central gateway server, Tailscale creates a peer-to-peer mesh network (called a tailnet).

The central gateway may or may not be close to users, thus resulting in higher latency. Because traffic is centralized, it can also act as a bottleneck, slowing down connections further.

With Tailscale, each device is connected to the other directly, resulting in lower latency.

Who’s it for?

Developers can use Tailscale to publish experimental services to their team without the hassle of configuring firewall rules and network configurations.

Small business owners can provide their work-from-home employees with a secure way to access sensitive resources in minutes without spending thousands of dollars on traditional VPN solutions.

Enterprise leaders can reduce their security risk by drastically reducing the complexity of internal networks. By using Access Control Lists and your existing identity provider, each user has the exact level of access they need — your accountants can access the payroll system, your support team can access the bug tracker, and your developers can access servers and databases.

Terminology and concepts

Access control lists

An access control list (ACL) manages system access using rules in the tailnet policy file. You can use ACLs to filter traffic and enhance security by managing who and what can use which resources.

CL tags

A tag lets you assign an identity (that’s separate from human users) to devices. You can use tags in your access rules to restrict access.

Admin console

The admin console is the central location to view and manage your Tailscale network. You can manage nodes on your network, users and their permissions, and settings such as key expiry. The admin console also informs you if an update to the Tailscale client is available for your device. When you make changes from the admin console, the coordination server updates the changes to your tailnet immediately.

API

API is an acronym for application programming interface. APIs define a set of rules to interact with an application or service programmatically. The Tailscale API lets you manage your Tailscale account and tailnet.

CLI

CLI is an acronym for command line interface. The Tailscale CLI includes a robust set of commands with functionality that GUI applications might not have. The Tailscale CLI is installed automatically when you install Tailscale on Linux, macOS, or Windows.

Coordination server

A coordination server is a central server that maintains a connection to all machines in your Tailscale network. It manages encryption keys, network changes, access policy changes, and maintains a connection to all machines in your Tailscale network. The coordination server is part of the control plane, not the data plane. It avoids being a performance bottleneck by not relaying traffic between machines.

Device

A device is anything other than a user. It can be physical or virtual and sends, receives, or processes data on your Tailscale network.

Device key

A device key is a unique public and private key pair for a specific device. More than one user can use a device key, but each device can only have one device key. The combination of a specific user with a device key represents a unique node.

Firewall

A firewall limits what network traffic can pass between two points. Firewalls can be hardware-based or software-based. Tailscale includes a built-in firewall, defined by the domain’s access rules.

Identity Provider

An identity provider is a method for users to authenticate to a tailnet. Examples of identity providers include Google, Okta, and Microsoft. Tailscale is not an identity provider but relies other identity providers for authentication.

Key expiry

Key expiry is the end of the validity period for a cryptographic key. An expired key can no longer encrypt or decrypt data, nor authenticate a device to a Tailscale network.

Using Tailscale means you never have to manage encryption keys directly. Tailscale automatically expires keys and requires them to be regenerated at regular intervals. You can disable key expiry for long-lived devices from the admin console.

MagicDNS

MagicDNS automatically registers memorable hostnames for devices in your Tailscale network. It also extends and improves DNS functionality.

NAT traversal

NAT is an acronym for network address translation. NAT traversal is a way to connect nodes across the internet through barriers such as firewalls. Most internet devices can’t talk to each other because of firewalls and devices that do network address translation. NAT traversal works around these barriers, allowing data to traverse the network.

Network topology

A network topology is an arrangement of nodes in a network. It shows the connections between them. Examples of network topologies include star, bus, hub-and-spoke, mesh, and hybrid.

Traditional virtual private networks (VPNs) use a hub-and-spoke topology. Each machine communicates with another in this setup by sending all traffic through a central gateway machine. Tailscale operates as a mesh topology where each machine can talk directly to others using NAT traversal.

Node

A node is a combination of a user and a device.

Peer

A peer is another node that your node is trying to talk to. A peer might or might not be in the same domain.

Relay

A relay is an intermediary server that passes data between two or more nodes in a network. Tailscale uses a special type of globally distributed relay server called Designated Encrypted Relay for Packets (DERP). DERP relay servers function as a fallback to connect nodes when NAT traversal fails.

SSO

SSO is an acronym for single sign-on. Single sign-on lets users log in to one site using the identity of another.

Tailnet

A tailnet is another term for a Tailscale network, which is an interconnected collection of users, machines, and resources. The network has a control plane and a data plane that work in unison to manage access and send data between nodes.

There are personal and organization tailnets. A personal tailnet is a shared domain single-user tailnet (like gmail.com). An organization tailnet is a custom domain tailnet (like example.com),

Tailnet policy file

The tailnet policy file stores your Tailscale network’s access rules, along with other tailnet configuration items. It uses human JSON (HuJSON) and conforms to the Tailscale policy syntax.

Tailscale IP address

A Tailscale IP address is a unique IP address assigned to each machine in your Tailscale network. It’s always in the form 100.x.y.z (for example, 100.101.102.103). It stays the same even when switching between your home internet connection, cellular networks, or coffee shop Wi-Fi networks.

Tunnel

In networking, a tunnel is an encapsulated connection between one or more points in a network. It lets users, nodes, or resources communicate securely over a public data network.

WireGuard

WireGuard is the underlying cryptographic protocol that Tailscale uses.

Without forgetting modern design of the clients available on MacOS, Linux, IOS, Android & Windows.

© 2024 — Sofiane Hamlaooui — Making the world a better place 🌎