The New Internet

(tailscale.com)
517 points | ingve | 33 comments
1. figassis ◴[] No.41083146[source]
I love Tailscale, but this post gives me the creeps. The internet succeeded because it was built on standards and was completely free. With Tailscale, I get that WireGuard is open source and we have things like Headscale. But the whole everyone gets an IP, doesn’t it depend on Tailscale owning a massive IP address space? We can all wait until full IPv6 rollout, or we can depend on centralized IPv4, and servers and proprietary stuff. Maybe a bit hypocritical?
replies(4): >>41083199 #>>41083232 #>>41084277 #>>41085916 #
2. yegle ◴[] No.41083199[source]
100.64.0.0/10 is a reserved IP block for carrier-grade NAT.
replies(1): >>41083212 #
3. metadat ◴[] No.41083212[source]
More info about Carrier-Grade NAT (for others who, like me, are only encountering this term for the first time):

https://en.wikipedia.org/wiki/Carrier-grade_NAT

Can anyone enlighten me regarding what is different or special about 100.64.0.0/10 vs say, 192.168.0.0 or 10.0.0.0.

Edit: Answered my own question by digging into more wikis, there is a helpful table of reservations and intentions here: https://en.wikipedia.org/wiki/Reserved_IP_addresses

replies(1): >>41084038 #
4. jgalt212 ◴[] No.41083232[source]
If you had to move off of tailscale, what would you move to?
replies(5): >>41083267 #>>41083346 #>>41084219 #>>41087337 #>>41090485 #
5. OJFord ◴[] No.41083267[source]
Zerotier is I think the obvious answer? I haven't used it though; it's more proprietary, not less.
replies(2): >>41083854 #>>41085084 #
6. Fnoord ◴[] No.41083346[source]
I use WireGuard. As you add more keypairs, it becomes a bit of a nightmare to maintain, though Vim with syntax highlighting helps a lot.

Because of this, I'll be switching to Headscale + Tailscale.

replies(1): >>41092327 #
7. ssl-3 ◴[] No.41083854{3}[source]
AFAIK, Zerotier is about equally proprietary, more-free (as in beer), and has been doing the node-to-node mesh thing instead of spoke-and-hub longer than Tailscale has been in existence.

And if I remember correctly, ZT was initially created to provide something like this "New Internet" concept that Tailscale has apparently recently discovered, except they called it "Earth" and abandoned it in 2023.

(Some things don't change, I guess.)

replies(1): >>41086593 #
8. throw0101d ◴[] No.41084038{3}[source]
> Can anyone enlighten me regarding what is different or special about 100.64.0.0/10 vs say, 192.168.0.0 or 10.0.0.0.

A bit of context: if an ISP cannot get enough IPv4 addresses for the WAN-side of people's home routers, some problems exist:

* something in 192.168/16 is generally used for the LAN-side of people's home routers, so that cannot be used on the WAN side

* 10/8 is used for business/enterprise corporate networks, so it also cannot be used on the WAN side because if people VPN connect to the corporate, then the router may get confused

* similarly for 172.12/12: often used for corporate networks

So the IETF/IANA set aside 100.64.0.0/10 as it had no 'legacy' of use anywhere else, and is specifically called out to only be used for ISPs for CG-NAT purposes. This way its routing does not clash with any other use (home or corporate/business).

    IPv4 address space is nearly exhausted.  However, ISPs must continue
    to support IPv4 growth until IPv6 is fully deployed.  To that end,
    many ISPs will deploy a Carrier-Grade NAT (CGN) device, such as that
    described in [RFC6264].  Because CGNs are used on networks where
    public address space is expected, and currently available private
    address space causes operational issues when used in this context,
    ISPs require a new IPv4 /10 address block.  This address block will
    be called the "Shared Address Space" and will be used to number the
    interfaces that connect CGN devices to Customer Premises Equipment (CPE).
* https://www.rfc-editor.org/rfc/rfc6598.html
replies(1): >>41084295 #
9. yjftsjthsd-h ◴[] No.41084219[source]
I think nebula is the obvious FOSS competitor? With the unfortunate exception of the Android client being closed source.
replies(2): >>41085073 #>>41099099 #
10. jmprspret ◴[] No.41084277[source]
You can self-host a Tailscale control server with Headscale[1]. It's not quite at feature parity with Tailscale, but it supports most if not all the current feature set and it's improving every day. One of the lead devs is even paid by Tailscale to work on it, IIRC.

I run it for my personal self-hosted infra, and it works really well. Setting a custom control server URL is relatively easy (at least on Windows and Android which I use).

I use taildrop, I serve docker containers to the tailnet, etc. headscale works really well and is worth a go.

1: https://github.com/juanfont/headscale

replies(2): >>41084324 #>>41084808 #
11. metadat ◴[] No.41084295{4}[source]
Interesting, I thought docker uses 172.*.
replies(4): >>41084348 #>>41084819 #>>41085639 #>>41091954 #
12. cpach ◴[] No.41084324[source]
Cool! Any important features you miss when running Headscale?
replies(3): >>41084477 #>>41087097 #>>41090468 #
13. ◴[] No.41084348{5}[source]
14. jmprspret ◴[] No.41084477{3}[source]
Nothing that I've noticed. I actually have never run vanilla Tailscale without Headscale so I'm not sure.

I think auto TLS requires some extra config, and DNS rules. I don't use it so I'm not sure.

15. password4321 ◴[] No.41084808[source]
The question is: how long will Headscale be supported in the official clients - how long will the incentives of Tailscale's VC's align with the freeloaders?

The official clients (most valuable: the polished mobile apps easily installed from the default app stores) are one auto-update away from cutting ties when push comes to shove, the same as all commercial VPNs with a free tier.

replies(2): >>41084904 #>>41085293 #
16. yjftsjthsd-h ◴[] No.41084819{5}[source]
It does; 172.16.0.0/12 is just another RFC1918 internal subnet.

Edit: I should say, a subnet that docker carves smaller subnets out of for its networks.

17. figassis ◴[] No.41084904{3}[source]
I think clients are the least to worry about. They can be built by someone else if the need arises.
18. sph ◴[] No.41085073{3}[source]
I use Nebula because its iOS client does not drain my battery. Tailscale has had that known bug for years and they never managed to fix it, which is a major deal breaker.
replies(1): >>41090285 #
19. viraptor ◴[] No.41085084{3}[source]
Kinda? It works great in practice. You can run your own controllers if you want which completely disconnects you from the proprietary service. But the code is BSL.
replies(1): >>41085605 #
20. jmprspret ◴[] No.41085293{3}[source]
The clients are the open source part of Tailscale. They can be forked and built by someone else if required.

However I do not think Tailscale is going to remove the custom control URL feature from their mobile clients. For one, I think there are legitimate "Tailscale Enterprise" use-cases for the custom login server.

Additionally, I have heard that Tailscale has been supportive of the Headscale project, providing assistance to the devs.

Further, Tailscale seems fairly committed to keeping their clients open sourced, and engaging in the developer community. Of course, as you say, this can change at any time.

21. OJFord ◴[] No.41085605{4}[source]
I didn't mean to suggest it doesn't work well, as I said I've not used it.

It's still proprietary if you self-host it, I was thinking in particular that tailscale uses Wireguard and Zerotier uses something custom, i.e. proprietary. Note that the context was:

> The internet succeeded because it was built on standards and was completely free. With Tailscale, I get wireguard is open source and we have things like Headscale. But [...]

to which the commenter I replied to asked of alternatives. So I wasn't saying tailscale great and open and standards compliant, and Zerotier not; I was saying it's the obvious competitor but if that's your problem with tailscale then it's if anything worse in that regard.

22. throw0101d ◴[] No.41085639{5}[source]
Yes, 172.18/16 by default.

And that actually was a problem at a previous job I was at: when COVID hit our VPN address range just happened to be set to be in that range, and so a bunch of developers were having issues. (IIRC, we re-configured the VPN appliance to use something else.)

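The two questions above, why 100.64.0.0/10 is set aside separately from the RFC 1918 blocks (comments 3 and 8) and what goes wrong when a VPN range lands on top of Docker's 172.18/16 (comment 22), come down to one check: does the range you are about to hand out overlap anything the client already routes? The following is an added example, not code from the page, from Tailscale or from Docker. It uses only the Python standard library; the reserved-block table and the laptop's route list are constructed for the example, and the candidate ranges are assumptions.

```python
import ipaddress
from typing import List, Optional

# Reserved IPv4 blocks discussed in the thread. Constructed table; the labels
# summarize RFC 1918 (private), RFC 6598 (shared address space for CGNAT,
# which is also the block Tailscale assigns tailnet addresses from),
# RFC 1122 (loopback) and RFC 3927 (link-local).
RESERVED_BLOCKS = {
    "10.0.0.0/8":     "RFC 1918 private, typical for corporate networks",
    "172.16.0.0/12":  "RFC 1918 private, the pool Docker carves its networks from",
    "192.168.0.0/16": "RFC 1918 private, typical for home LANs",
    "100.64.0.0/10":  "RFC 6598 shared address space (CGNAT between ISP and CPE)",
    "127.0.0.0/8":    "RFC 1122 loopback",
    "169.254.0.0/16": "RFC 3927 link-local",
}


def classify(addr: str) -> str:
    """Name the reserved block an IPv4 address falls in, or report it as unlisted."""
    ip = ipaddress.ip_address(addr)
    for cidr, label in RESERVED_BLOCKS.items():
        if ip in ipaddress.ip_network(cidr):
            return label
    return "not in a listed reserved block"


def conflicts(candidate: str, in_use: List[str]) -> List[str]:
    """Return the ranges in `in_use` that overlap `candidate`.

    Handing a VPN (or CGNAT WAN) range to a client that already routes an
    overlapping prefix is the 'router gets confused' case from the thread:
    longest-prefix match picks one of the two routes and the hosts behind
    the other one become unreachable, with no error anywhere.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    return [r for r in in_use
            if cand.overlaps(ipaddress.ip_network(r, strict=False))]


# Constructed example of what a developer's laptop might already route:
# Docker's default bridge, one user-defined Docker network, and the home LAN.
LAPTOP_ROUTES = ["172.17.0.0/16", "172.18.0.0/16", "192.168.1.0/24"]


def pick_vpn_range(candidates: List[str], in_use: List[str]) -> Optional[str]:
    """First candidate range that clashes with nothing already in use."""
    for c in candidates:
        if not conflicts(c, in_use):
            return c
    return None


if __name__ == "__main__":
    for a in ["100.64.0.1", "172.18.0.5", "192.168.1.10", "8.8.8.8"]:
        print(f"{a:>14}  {classify(a)}")
    # The VPN appliance from comment 22, set to a /24 inside Docker's range:
    print(conflicts("172.18.5.0/24", LAPTOP_ROUTES))
    # Candidate ranges are assumptions; only the shared address space is clean here.
    print(pick_vpn_range(["172.18.5.0/24", "192.168.1.0/24", "100.64.0.0/10"],
                         LAPTOP_ROUTES))
```

The point the RFC makes is visible in the last call: every RFC 1918 candidate risks colliding with something a customer already uses, while nothing on a typical host routes 100.64.0.0/10, which is exactly why ISPs (and a mesh VPN that wants addresses no LAN will fight over) reach for it.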
23. linsomniac ◴[] No.41085916[source]
>But the whole everyone gets an IP, doesn’t it depend on Tailscale owning a massive ip address space?

No, because Tailscale isn't "the Internet", it is a bunch of disconnected moats. The IP space needed by Tailscale only has to be as big as the largest moat. And you can only be connected to a single moat at a time.

24. p_l ◴[] No.41086593{4}[source]
Tailscale does p2p, not hub-spoke, with additional DERP system which combines various NAT bypasses with worst case hair pinning over HTTPS - you can host all components yourself.
replies(1): >>41092161 #
25. p_l ◴[] No.41087097{3}[source]
Mostly support for features relevant to multi tenancy - official tailscale stuff does things like separate "tailnets" that belong to different accounts which have different SSO, but you can share access to hosts between tailnets with ACL rules, etc. Also tailscale funnel which uses tailscale-hosted service to provide ingress to host behind VPN.

And of course the API used to manage the official server, so the rare things that depend on it won't work, but it's more a case that the project doesn't have the need to work on it.

26. dandanua ◴[] No.41087337[source]
I think Nebula is much much closer to the "new internet". Lighthouse nodes can serve as untrusted brokers that help to connect everyone securely. No need for a central authority with God-like importance, as the Tailscale CEO obviously wants to have.
27. jacooper ◴[] No.41090285{4}[source]
They have released a slew of updates recently to fix this, and they did a complete rewrite of the Android app
28. mrbluecoat ◴[] No.41090468{3}[source]
DoH DNS support (beyond the single existing NextDNS option)
29. mrbluecoat ◴[] No.41090485[source]
NetBird is a promising option. OpenZiti is another. ZeroTier hasn't evolved much, IMHO. Would also love to see someone breathe new life into https://github.com/omniedgeio/omniedge
30. 9dev ◴[] No.41091954{5}[source]
…and it’s a perfect display of the technical competence of Docker Inc. :) they do stuff like that, in all kinds of domains, all the time.
31. ssl-3 ◴[] No.41092161{5}[source]
You're absolutely correct.

I didn't intend to leave to implication the fact that Tailscale is node-to-node, or that it is not hub-and-spoke.

(I even had this up in a browser tab when I wrote that previous comment: https://tailscale.com/blog/how-tailscale-works)

32. chgs ◴[] No.41092327{3}[source]
It depends on your use case. I use wg back to two geographically independent locations, keys are managed via our ipam.

I don’t need E-W traffic over the VPN, very N-S based. Something like Headscale or another SD-WAN solution (automatically establishing VPN routes) would make sense if I needed to transport a lot of traffic E-W, that’s just not a requirement.

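Comment 6 describes hand-maintaining WireGuard configs as the number of keypairs grows, and comment 32 describes the alternative: keys live in an IPAM and the configs are generated from it. The block below is an added example of that generation step, written for this page; it is not code from WireGuard, Headscale or any IPAM product. The tunnel range, the hub-at-.1 convention and the peer inventory are assumptions, and every key in it is a base64 placeholder of the right length, not a real WireGuard key.

```python
import base64
import ipaddress
from typing import Dict, List

# Assumed tunnel range for this example; any block that clashes with nothing
# on the peers would do.
TUNNEL_NET = ipaddress.ip_network("10.99.0.0/24")

# Constructed peer inventory in the shape an IPAM export might take. The keys
# are placeholders (32 repeated bytes, base64) with only the format of a
# WireGuard key; they are NOT real keys.
PEERS: List[Dict[str, str]] = [
    {"name": "laptop", "pubkey": base64.b64encode(b"\x01" * 32).decode(), "ip": "10.99.0.2"},
    {"name": "phone",  "pubkey": base64.b64encode(b"\x02" * 32).decode(), "ip": "10.99.0.3"},
]


def valid_key(key: str) -> bool:
    """A WireGuard key is 32 raw bytes, base64-encoded (44 characters, '=' padded)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def render_hub_config(hub_private_key: str, listen_port: int,
                      peers: List[Dict[str, str]]) -> str:
    """Render the hub's wg0.conf with one [Peer] block per inventory entry.

    Each peer is pinned to its own /32 in AllowedIPs. Before emitting anything
    the function rejects malformed keys, addresses outside the tunnel range and
    duplicate address assignments. The last check matters: WireGuard maps each
    AllowedIPs prefix to exactly one peer, so a prefix listed under two peers
    ends up owned by whichever was loaded last, and the other peer's traffic
    stops arriving with no error to tell you why.
    """
    seen: Dict[ipaddress.IPv4Address, str] = {}
    out = [
        "[Interface]",
        f"PrivateKey = {hub_private_key}",
        f"ListenPort = {listen_port}",
        f"Address = {TUNNEL_NET[1]}/{TUNNEL_NET.prefixlen}",  # hub takes .1 (assumption)
        "",
    ]
    for p in peers:
        if not valid_key(p["pubkey"]):
            raise ValueError(f"{p['name']}: malformed public key")
        ip = ipaddress.ip_address(p["ip"])
        if ip not in TUNNEL_NET:
            raise ValueError(f"{p['name']}: {ip} is outside {TUNNEL_NET}")
        if ip in seen:
            raise ValueError(f"{p['name']}: {ip} already assigned to {seen[ip]}")
        seen[ip] = p["name"]
        out += [f"# {p['name']}", "[Peer]", f"PublicKey = {p['pubkey']}",
                f"AllowedIPs = {ip}/32", ""]
    return "\n".join(out)


def render_peer_config(peer: Dict[str, str], peer_private_key: str,
                       hub_pubkey: str, endpoint: str) -> str:
    """Render one client's config.

    AllowedIPs is the tunnel range only, which is the north-south pattern from
    comment 32; 0.0.0.0/0 here would turn it into a full tunnel.
    """
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {peer_private_key}",
        f"Address = {peer['ip']}/{TUNNEL_NET.prefixlen}",
        "",
        "[Peer]",
        f"PublicKey = {hub_pubkey}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {TUNNEL_NET}",
        "PersistentKeepalive = 25",
        "",
    ])


if __name__ == "__main__":
    hub_priv = base64.b64encode(b"\x00" * 32).decode()  # placeholder, not a real key
    hub_pub = base64.b64encode(b"\xff" * 32).decode()   # placeholder, not a real key
    print(render_hub_config(hub_priv, 51820, PEERS))
    print(render_peer_config(PEERS[0], base64.b64encode(b"\x03" * 32).decode(),
                             hub_pub, "vpn.example.net:51820"))  # endpoint is an assumption
```

Real keys come from `wg genkey | tee private | wg pubkey` on each device; only the public half and the address belong in the inventory, which is what keeps the generator free of secrets. The validation is the part worth keeping even if you stay with Vim: a duplicated address in a hand-edited file is the kind of mistake that syntax highlighting will never catch.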
33. PLG88 ◴[] No.41099099{3}[source]
OpenZiti would be another - https://openziti.io/. I work on the project. One issue with Nebula is provisioning new clients with identities. It's not completely open sourced by the Nebula company.