311 points eustoria | 1 comments
plantinthebok ◴[] No.45947870[source]
What's the actual win here? Avoiding relay latency in the rare cases Tailscale can't punch through NAT? If that's it, a $3 VPS running Headscale seems simpler. The complexity feels like you're optimizing for the 5% case while adding permanent vendor lock-in. What am I missing?
replies(6): >>45947999 #>>45948012 #>>45948016 #>>45948087 #>>45948806 #>>45952600 #
1. k_bx ◴[] No.45948087[source]
A $3 VPS running Headscale is not simpler, since you won't be able to run both Headscale and Tailscale on your end-user machines; I don't recommend it.

The solution we've found is running a white IP container (or VPS) which looks like regular WireGuard outside, while inside it "forwards" to your existing Tailscale network.

I don't remember if we use https://github.com/gravitl/netmaker or https://github.com/juhovh/tailguard

Also see: https://tailscale.com/blog/peer-relays-beta