Hacker Remix

An open source, self-hosted implementation of the Tailscale control server

319 points by quyleanh 1 day ago | 76 comments

SuperShibe 1 day ago

Every few months I come back to this repo to check if they finally got Tailnet lock running or if someone security audited them in the meanwhile. Unfortunately neither of these things seems to make any progress, and thus I've grown uncertain about how much I can trust this as a core part of my infrastructure.

The entire premise of Tailscale SaaS builds on creating tunnels around your firewalls, then enabling the user to police what is allowed to be routed through these tunnels in an intuitive and unified way.

Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal, but can they also fulfill the second part by providing enough of their own security to make up for anything they just bypassed, or will they descend to just being a tool for exposing anything to the internet to fuck around with your local network admin? To me, not giving your Tailscale implementation any way for the user to understand or veto what the control server is instructing the clients to do while also not auditing your servers code at all sure seems daring…

nativeit 23 hours ago

> Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal

Did they really roll their own for those functions? I thought this was just a control layer on top of Tailscale's stock services on the backend; are they facilitating connections with novel methods? Apologies if I'm asking obvious questions, I use ZeroTier pretty regularly, but I am not too familiar with Tailscale.

bingo-bongo 21 hours ago

They have a really great in-depth blog post describing how they do it: https://tailscale.com/blog/how-nat-traversal-works

jacobtomlinson 15 hours ago

This is a fascinating read!

throawayonthe 21 hours ago

I think they mean headscale's implementation specifics

xrd 15 hours ago

Can you share why you use ZeroTier over Tailscale? I run several headscale control planes and it really is nice to self-host. But, I'm curious about other options.

password4321 12 hours ago

Not OP but I'm on ZeroTier because it was one of the best free tiers available before Tailscale could run as a Windows service.

Also I believe it implements a lower layer of the network stack so more options are supported, though I haven't needed to investigate in detail.

bananapub 19 hours ago

tailnet lock seems way way less important for headscale than tailscale, given you personally control the headscale infra.

codethief 15 hours ago

Depends on your threat model. Mine definitely includes one of my servers getting compromised. (Which, tbh, is probably more likely than Tailscale getting hacked.)

SuperShibe 14 hours ago

Only until someone finds a zeroday in headscale (remember, it never got audited) or until the server running headscale itself gets compromised. Especially in countries where getting a dedicated public IPv4+IPv6 from your ISP is hard to impossible and you'd have to rely on a server hosted externally (unless you're large enough to make deals with the ISP), some company hosting your server still retains at minimum physical control over your headscale infra. For why this is a problem, see the recent Oracle cloud breach.

botto 16 hours ago

This is my thought as well, if you are in control then you also control which nodes go on your tailnet

gpi 24 hours ago

One of the maintainers works for tailscale now.

wutwutwat 24 hours ago

maintainer's employment != security audit

gpi 24 hours ago

My thinking is their time is divided now and could lead to less efforts spent on headscale.

palotasb 21 hours ago

Not compared to the previous state where he worked for an unrelated company and only had his free time to contribute to Headscale.

Happily2020 19 hours ago

If you're interested in self-hosting your orchestration server, you can look into Netbird. It's a very similar tool, but has the server open sourced as well. So you have a self-hosted control server with a nice GUI and all the features the paid version does.

https://netbird.io/knowledge-hub/tailscale-vs-netbird

mynameisvlad 9 hours ago

I've been slowly moving everything over from Tailscale to Netbird and aside from some shenanigans with Tailscale taking over the entire CGNAT route, it works wonderfully!

Tailscale is still running for now, but I'm getting closer and closer to decommissioning it and switching entirely to Netbird.

davidcollantes 14 hours ago

Compared to Headscale, Netbird has so many moving pieces! It looks robust, and powerful, and featureful... yet, self-hosting Headscale is super simple, and less demanding.

unixfox 7 hours ago

No IPv6 though. Which is a real deal-breaker: https://github.com/netbirdio/netbird/issues/46

yamrzou 16 hours ago

Does it do the fancy NAT-traversal Tailscale does?

infogulch 12 hours ago

I think it would be neat if headscale allowed peering / federating between instances. (Maybe after the ACL rework.) One of the main problems is address collisions.

So here's my proposal: commit to an IPv6-only overlay network in the unique local address (ULA) range, then split up the remaining 121 bits into 20 low bits for device addresses (~1M) and 101 high bits that are the hash of the server's public key. Federate by adding the public key of the other instance and use policy and ACLs to manage comms between nodes.

I think it's a nice idea, but the maintainer kradalby said it's out of scope when I brought it up in 2023: https://github.com/juanfont/headscale/issues/1370
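The ULA layout proposed in the comment above, worked through as an added example in Go (headscale's own language); this is not code from the thread or from the headscale project. It derives a per-server /108 prefix from the top 101 bits of a hash of the server's public key, places a 20-bit device index in the low bits, and implements the federation check that a peer instance may only announce addresses under the prefix derived from its own key. SHA-256 is my choice of hash (the comment names none), the two server keys are constructed strings standing in for real public keys, and the function names are mine.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/big"
	"net/netip"
)

const (
	ulaPrefixBits  = 7   // fc00::/7, the IPv6 unique local address range
	serverHashBits = 101 // high bits: hash of the control server's public key
	deviceBits     = 20  // low bits: per-server device index (~1M addresses)
	maxDevices     = 1 << deviceBits
)

// ServerPrefix derives the /108 overlay prefix for one control server:
// the 7 ULA bits followed by the top 101 bits of SHA-256 over its public key.
// (SHA-256 is an assumption; the proposal only says "hash".)
func ServerPrefix(serverPubKey []byte) netip.Prefix {
	sum := sha256.Sum256(serverPubKey)

	// Top 101 bits of the digest, as an integer.
	h := new(big.Int).SetBytes(sum[:16]) // first 128 bits of the digest
	h.Rsh(h, 128-serverHashBits)

	// 1111110 (fc00::/7) in the top 7 bits, the hash in the next 101,
	// and the low 20 device bits left at zero.
	addr := new(big.Int).SetUint64(0x7e)
	addr.Lsh(addr, 128-ulaPrefixBits)
	addr.Or(addr, h.Lsh(h, deviceBits))

	var raw [16]byte
	addr.FillBytes(raw[:])
	return netip.PrefixFrom(netip.AddrFrom16(raw), ulaPrefixBits+serverHashBits)
}

// DeviceAddr places a device index into the low 20 bits of its server's prefix.
func DeviceAddr(serverPubKey []byte, device uint32) (netip.Addr, error) {
	if device >= maxDevices {
		return netip.Addr{}, fmt.Errorf("device index %d exceeds the %d-bit space", device, deviceBits)
	}
	raw := ServerPrefix(serverPubKey).Addr().As16()
	raw[13] |= byte(device >> 16) // bits 108..111: top 4 bits of the 20-bit index
	raw[14] = byte(device >> 8)   // bits 112..119
	raw[15] = byte(device)        // bits 120..127
	return netip.AddrFrom16(raw), nil
}

// BelongsTo is the federation check: an instance identified by its public key
// may only announce addresses inside the prefix derived from that key, so a
// peer cannot claim addresses that collide with another instance's devices.
func BelongsTo(serverPubKey []byte, addr netip.Addr) bool {
	return ServerPrefix(serverPubKey).Contains(addr)
}

func main() {
	// Constructed sample keys; a deployment would use the servers' real public keys.
	keyA := []byte("constructed-control-server-A-public-key")
	keyB := []byte("constructed-control-server-B-public-key")
	for _, k := range [][]byte{keyA, keyB} {
		fmt.Println("prefix:", ServerPrefix(k))
		a, _ := DeviceAddr(k, 1)
		fmt.Println("  device 1:", a)
	}
	b1, _ := DeviceAddr(keyB, 1)
	fmt.Println("B's address accepted under A's key?", BelongsTo(keyA, b1))
}
```

Two instances collide only if the top 101 bits of their key hashes collide, so the address space does the de-duplication the comment is after; ACLs then decide which of the two /108s may talk to which, with BelongsTo run on every address a federated peer announces before the policy is even consulted.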

telotortium 1 day ago

Should add the project name, Headscale, to the title

Headscale has been on HN many times.