The New Internet

(tailscale.com)
517 points by ingve | 4 comments
metadat No.41082987
I really enjoy and appreciate the Tailscale service, but this article didn't click for me. I love an inspiring CEO rally speech as much as the next early adopter, and agree that there is a ridiculous amount of developer friction and complexity in computing, but Tailscale still has its own friction and isn't on track to solve the big picture issues _at all_.

As a concrete example, a few weeks ago, I invited my dad to my tailnet with the intent of using remote desktop into his machine to help him fix something. He accepted the invite, and then I couldn't ping his machine despite it appearing in my TS domain web interface.

Now he hates Tailscale, and I lost credibility because I had previously told him how awesome it is. In his view, it wasted his time and doesn't "work right", and metadat is a fool.

replies(4): >>41083249 >>41083822 >>41084909 >>41085409
Cyphus No.41083249
Is your dad running Windows? Windows Firewall is known to block ICMP traffic, a problem that neither Tailscale nor any other p2p VPN can solve.
replies(1): >>41083470
metadat No.41083470
Maybe, but even ICMP pings? He also couldn't ping my systems, it seemed really broken.
replies(1): >>41083615
eddythompson80 No.41083615
Ping uses ICMP. Windows blocks ICMP by default, so yes, `ping <windows-host>` doesn't work by default. Is the system your father was trying to ping a Windows system as well?

The other thing to check is whether he was running another VPN on his machine at the same time. Running multiple VPNs at the same time (on both Windows and Linux) requires extra fiddling to map the routing correctly to prevent their rules from overlapping and breaking each other. https://tailscale.com/kb/1105/other-vpns

replies(1): >>41083762
metadat No.41083762
No other VPN, but my Windows machine's firewall is on and it pings fine.

Anyway, Tailscale still has more to go. Inviting someone to your tailnet doesn't seem to be the same as adding a machine yourself.

replies(1): >>41083958
eddythompson80 No.41083958
Oh yeah, forgot to mention. On a given tailnet, users can only reach their own machines. Each machine that joins the network has an "owner" shown under the machine name in the admin portal. By default users can only reach their own machines, not everyone else's. As the network admin you can manage that through the ACLs tab.
replies(1): >>41084251
metadat No.41084251
And this is why Tailscale isn't solving the fundamental issues of connectivity. Thanks and cheers, eddythompson80.
replies(1): >>41084639
idle_zealot No.41084639
What is the alternative, here? Letting all machines on a tailnet talk sounds like a security issue. Maybe a better onboarding flow that prompts you to set ACLs when inviting a new user?
replies(1): >>41084684
metadat No.41084684
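As an added example (not from this thread, and not a policy file published by Tailscale), here is a tailnet policy in the HuJSON format the admin console's ACL editor accepts. It shows the default that eddythompson80 describes, where each user reaches only their own devices, and the narrower alternative idle_zealot asks about: instead of letting every machine on the tailnet talk, the admin grants themselves one port on one invited user's devices. The user logins `admin@example.com` and `dad@example.com`, the RDP port 3389, and the `tests` expectations are assumptions made up for the illustration.

```json
{
  // Default: a signed-in user may reach only the devices they own.
  // With only this rule, an invited user and the admin cannot reach
  // each other's machines even though both appear in the admin console.
  "acls": [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},

    // Narrow grant for the remote-desktop use case: the admin (assumed login)
    // may reach the devices owned by the invited user (assumed login) on
    // TCP 3389 only. Nothing else changes; the invited user still cannot
    // reach the admin's devices.
    {"action": "accept", "src": ["admin@example.com"], "dst": ["dad@example.com:3389"]},
  ],

  // Policy tests are evaluated when the file is saved; a failing test
  // rejects the save, so they document and enforce the intended reach.
  "tests": [
    {
      "src":    "admin@example.com",
      "accept": ["dad@example.com:3389"],
      "deny":   ["dad@example.com:22"],
    },
    {
      "src":  "dad@example.com",
      "deny": ["admin@example.com:3389"],
    },
  ],
}
```

The grant above is the onboarding step the thread identifies as missing: inviting a user adds their devices to the tailnet but does not, by itself, make them reachable. Note that an ACL grant only governs what the tailnet permits; as the earlier replies point out, a host firewall that drops ICMP will still make `ping` fail even when the policy allows the traffic.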
It seems you're assuming the firewall or my machine configuration was the issue rather than a tailscale "sharing" feature issue.

I am, among other things, a network engineer, and previously I shared my tailnet with my brother's Windows machine by logging him into my account directly, and it worked flawlessly.

I want TS to win, but they've got product and engineering work to do if they're serious.