https://en.wikipedia.org/wiki/Carrier-grade_NAT
Can anyone elighten me regarding what is different or special about 100.64.0.0/10 vs say, 192.168.0.0 or 10.0.0.0.
Edit: Answered my own question by digging into more wikis, there is a helpful table of reservations and intentions here: https://en.wikipedia.org/wiki/Reserved_IP_addresses
And if I remember correctly, ZT was initially created to provide something like this "New Internet" concept that Tailscale has apparently recently discovered, except they called it "Earth" and abandoned it in 2023.
(Some things don't change, I guess.)
A bit of context: if an ISP cannot get enough IPv4 addresses for the WAN-side of people's home routers, some problems exist:
* something in 192.168/16 is generally used for the LAN-side of people's home routers, so that cannot be used on the WAN side
* 10/8 is used for business/enterprise corporate networks, so it also cannot be used on the WAN side because if people VPN connect to the corporate, then the router may get confused
* similarly for 172.12/12: often used for corporate networks
So the IETF/IANA set aside 100.64.0.0/10 as it had no 'legacy' of use anywhere else, and is specifically called out to only be used for ISPs for CG-NAT purposes. This way its routing does not clash with any other use (home or corporate/business).
IPv4 address space is nearly exhausted. However, ISPs must continue
to support IPv4 growth until IPv6 is fully deployed. To that end,
many ISPs will deploy a Carrier-Grade NAT (CGN) device, such as that
described in [RFC6264]. Because CGNs are used on networks where
public address space is expected, and currently available private
address space causes operational issues when used in this context,
ISPs require a new IPv4 /10 address block. This address block will
be called the "Shared Address Space" and will be used to number the
interfaces that connect CGN devices to Customer Premises Equipment (CPE).
* https://www.rfc-editor.org/rfc/rfc6598.htmlI run it for my personal self-hosted infra, and it works really well. Setting a custom control server URL is relatively easy (at least on Windows and Android which I use).
I use taildrop, I serve docker containers to the tailnet, etc. headscale works really well and is worth a go.
The official clients (most valuable: the polished mobile apps easily installed from the default app stores) are one auto-update away from cutting ties when push comes to shove, the same as all commercial VPNs with a free tier.
Edit: I should say, a subnet that docker carves smaller subnets out of for its networks.
However I do not think Tailscale is going to remove the custom control URL feature from their mobile clients. For one, I think there are legitimate "Tailscale Enterprise" use-cases for the custom login server.
Additionally, I have heard that Tailscale has been supportive of the Headscale project, providing assistance to the devs.
Further, Tailscale seems fairly committed to keeping their clients open sourced, and engaging in the developer community. Of course as you can say this can change at any time.
It's still proprietary if you self-host it, I was thinking in particular that tailscale uses Wireguard and Zerotier uses something custom, i.e. proprietary. Note that the context was:
> The internet succeeded because it was built on standards and was completely free. With Tailscale, I get wireguard is open source and we have things like Headscale. But [...]
to which the commenter I replied to asked of alternatives. So I wasn't saying tailscale great and open and standards compliant, and Zerotier not; I was saying it's the obvious competitor but if that's your problem with tailscale then it's if anything worse in that regard.
And that actually was a problem at a previous job I was at: when COVID hit our VPN address range just happened to be set to be in that range, and so a bunch of developers were having issues. (IIRC, we re-configured the VPN appliance to use something else.)
No, because Tailscale isn't "the Internet", it is a bunch of disconnected moats. The IP space needed by Tailscale only has to be as big as the largest moat. And you can only be connected to a single moat at a time.
And of course the API used to manage the official server, so the rare things that depend on it won't work, but it's more a case that the project doesn't have the need to work on it
I didn't intend to leave to implication the fact that Tailscale is node-to-node, or that it is is not hub-and-spoke.
(I even had this up in a browser tab when I wrote that previous comment: https://tailscale.com/blog/how-tailscale-works)
I don’t need EW traffic over the VPN, very NS based. Something like Headscale or another SDWan solution (automatically establishing vpn routes) would make sense if I needed to transport a lot of traffic E-W, that’s just not a requirement