I am toying with the idea of using one of my Tailscale instances as traditional VPN, using the exit node features. I think I have that part down to a note as far as what has to be done in order for this to happen.
My question is if there are any security risks or security provisions that need to be made to keep the envelope secure. I am the only user of my Tailscale network, so I don’t have to worry about another user jacking things up. However, I am concerned about the implications of the visibility of the exit node I would be connecting to.
You must log in or register to comment.
As someone that struggles with networking, I’d love to hear what you’ve found and how
Ok my brother, I’m back with great news. It is as easy as everyone in this thread has said it was. Honestly, it wasn’t the set up that I was concerned with. My question was more concerned with any additional security considerations I may have to deploy before setting Tailscale up as an exit node and thus using it as a traditional VPN.
First, I am going to assume you already have Tailscale deployed on your server & laptop or desktop. That’s going to make it a lot easier…hurr hurr.
So fire up your terminal and point it at your server. You can run
sudo tailscale statusto check the current status of Tailscale. After which you will need to issue this command:tailscale up --advertise-exit-node. This does what it says and tells Tailscale to use the current server as an exit node.Having done that, in the Tailscale console online click the [Machines] tab. Click the […] option at the far right of your server listing and select [Edit Route Settings]. This brings up a dialogue box. Check [Use As Exit Node].
Assuming a Windows laptop/desktop, click the Tailscale tray icon. You should see your server listed under [Recommended]. Choose that one.
You should now be connected to the server exit node. Check your IP Check your speed. Not too shabby. Conduct a DNS Leak Check
There you go. Jack’s a doughnut, Bob’s your uncle. To put your server back, use
sudo tailscale up --advertise-exit-node=falseSomebody fact check me. LOL
How about I do the set up first, take my normal notes as I do, and then report back to you. That way I’ll have a firmer grip on what needs to be done.
https://tailscale.com/kb/1017/install
It really is super simple
It’s pretty much a complete feature. There’s nothing really else to consider. The only consideration is that this exit node will now have the traffic of all of your other devices. The only privacy consideration is the ISP of the exit node will have all of the traffic from all of your devices. Other than that, it’s basically it.
Visibility how? You don’t need to open any ingress ports on the VPS instance unless you plan on reverse proxying something back to your client node. Your client visibility will be to any endpoint you connect to, and any DERP servers you get proxied through from Tailscale.
The way I understand it, there’s 2 use cases for a VPN, with different concerns and providers:
- having access to your private home network from anywhere, through an encrypted tunnel (Tailscale, Wireguard on the router, etc)
- having your outgoing traffic to the internet go through an anonymized exit node so that your ISP can not watch or sell what you are doing (ProtonVPN, Mullvad VPN, etc)
Is Tailscale fit for the second? I thought not, as the exit node is not an anonymized VPN server but one of your own machines.
If you create little solar-powered micro computers and toss them onto the roof of a bunch of random businesses with public Wi-Fi, then run them as exit nodes then you could bounce your connection around through a random set.
I didn’t come up with this, I think it was a plot point in some novel I read.
That’s crazy and genius!
“I don’t do cloud computing, I do solar computing”
Yes, OP understand that, which is why he is asking about security to the exit node on a Tailnet.
I’m sorry…I’m just asking all the stupid questions up front.
They’re good questions. I wasn’t being rhetorical 🤣
It’s hard to know exactly where your concern about visibility lies, hence my question 😉
Nah, it’s good. I do have a knack for asking silly, basic questions. I certainly don’t have the networking prowess and certifications that some of the group here has, and I just want to be cautious, perhaps overly cautious when implementing what I have proposed. I know what an overlay vpn does, and I know what a traditional vpn like say, PIA, does. I just want to proceed with caution because the end use has serious implications if improperly deployed. At the very least I want to make myself confidant that I have covered all bases.
Well if it demystifies Tailscale a bit, just think of it like a traditional VPN with specific controls over the traffic flow. It’s e2e encrypted between every node, and you control the exit node. You’re use-case would work just like OpenVON, for example, where your client traffic exits where you decide (your VPS).
If you really want a deeper understanding, have a looke at Headscale and maybe set it up on your VPS. You use your same Tailscale client, and just register it with the Headscale instance on your VPS. Just setting it up will give you a tutorial on how Tailscale works in general. You can ping me with questions, or the Discord is really active and responsive.
Tailacale sucks as tradicional vnp, the derp are a mess and they have a lot of latency and is very slow. Even achieving a point to point connection, the back end makes the performance horrible. I heard headache is far better, but never tried it, it’s a little messy with setup and certs.
I loved Tailscale for about a year but am moving away from it because having multiple exit nodes with each redirecting traffic via commercial VPNs with DNS-based ad blocking and App Connectors grew way too complex.
I’m not saying you’re doing all this but if you do get to a point where you’re directing traffic to multiple countries Tailscale turns into nightmare to manage.
What are you moving away to? I’m assuming you’re still keeping your VPNs and DNS ad-blockers etc?
I’m just using WireGuard on a VPS with multiple interfaces. I’m still doing heavy ad/tracking blocking via DNS too.
As for App Connectors I’m working on a script (compiled program hopefully down the road) that can query a specific hostname using a specific interface (say, a US-only website using DNS over a US-based VPN) then create a virtual IP address that directs to that same IP using the correct tunnel.
My reasoning for the virtual IP address is that I don’t want to redirect every website on the host to the other tunnel—lots of servers have an array of websites on them.
What I found disappointing about Tailscale is I had to do a lot of “hacks” to make things work—DNS on each exit node had to match perfectly (despite using different exit tunnels)—then the shit would only work like 20% of the time. One day traffic for the US tunnel worked, the next day it was going out of the exit node. I also never got it working correctly in Docker so I was running multiple VPS servers.
If I remember correctly with App Connectors your client would query the App Connector for the domain, then it would return an IP address. The IP address would be set up to always go through the defined exit node. So if your DNS was off or you were accessing another website on the same server you were screwed. On top of that, it just didn’t work.
