Completely off-topic, but try ZeroTier instead. It’s a Layer 2 solution (as opposed to Layer 3 services like WireGuard, OpenVPN, and other IP-based solutions), so you get a lot of LAN functionality, including mDNS, working out of the box for free. No configuration of any kind required on routers.
Tailscale isn’t complex; it does basically the same thing as ZeroTier (has NAT traversal) but uses the more lightweight WireGuard protocol, is more widely supported (dead easy to install on Linux and routers etc.), better documented, and IME far more robust. It even has an optional SSH service built in, and Magic DNS.
While ZT reduced the device cap under the free tier from 50 to 25, then to 10, Tailscale increased theirs from 20 to 100. You can self-host both, and there are many similar solutions (Netbird, Twingate), but IMO the writing is on the wall with them. The fact they still don’t have SSO on the free tier says a lot.
I don’t remember specifics, but I have had various connectivity issues with Tailscale and none with ZeroTier. So YMMV. I’m sure it works fine for some. It is better supported in various OSes as well, being a “regular” VPN and all, and has a more polished UI.
If you need mDNS support however — Tailscale is plain not a contender. It won’t work for you. In the modern network mDNS is a must — unless you like messing with IP addresses and unicast DNS entries. So I don’t see who the target audience for Tailscale is in the home user realm.
This is irrelevant to the discussion. Those who need more should pay more. Complaining that the amount of free cheese has been reduced is not productive.
I don’t know what it says, and I don’t see a problem with either of those things. It was set up once and works. I try Tailscale from time to time and I don’t like it at all. Sure, the UI is better, but it’s also irrelevant — I can live with a less than stellar experience during a one-time setup.
Tailscale gets a lot of hype but that’s it. For most home users a site-to-site VPN, as provided by their gateways, is the way to go anyway; Tailscale here just adds a layer of complexity that is not necessary.
Magic DNS supplants the need for any of that, it just works. Plus you can weave in your own nameservers, with your own domain. It contends very well.
Overlay network VPNs aren’t terribly complicated, they don’t need constant resources once authentication and direct tunnels have been punched through. So I dunno why any sane person would argue to pay for lesser features when there’s a (still free) less restrictive alternative, but you do you.
Tailscale literally creates a site to site (more like device to device) VPN, without the need to expose ports on a gateway. If that’s not less complex, I dunno what is. If complexity bothers you, know that ZeroTier is basically doing the exact same thing, but with a proprietary protocol, so I dunno what the point is there.
If you think the ‘UI is better’ and that is somehow its best feature, I submit to you, you haven’t really tried Tailscale enough at all. The UI allows the most minimal of controls for the user, on non-headless systems, that’s it. Most of everything else is done centrally. On Linux, you can install, authenticate and join the tailnet with a single (generated) command and no UI is ever involved.
Hype is irrelevant, ‘home users’ are using Tailscale in droves for a reason. I’m not shilling for 'em, I just happen to use it a lot - on more than a couple dozen devices - so I know how it works. So each to their own, but when you say Tailscale isn’t a contender, when you don’t know about the SSO tax, that does indeed say a lot.
I’m aware, ZeroTier offers a similar service, ZeroNSD, but it’s not what I’m talking about. Name resolution is just a small part of service discovery (DNS-SD), which works over mDNS, which Tailscale does not support.
Obviously, because the less restrictive alternative does not support a feature that a sane person needs.
Also, because a reasonable person would prefer paying for services they are using. If some service is offered for free there must be a good understanding of why it is so, and what exchange of value actually takes place.
When Cloudflare offers you a free CDN for personal projects – I don’t have a problem using it for free, because they explain why they offer it and how it benefits them.
When a company like ZeroTier offers a free service – I understand that this is essentially a trial, with the expectation that you will eventually convert to a paying customer, and they are losing money on you until you do. So I become a customer, even if my current usage actually fits into the free tier. Because I don’t want to be freeloading.
And yet, this is outside the discussion of merits of each platform.
It was not ZeroTier vs Tailscale. It was Tailscale vs site-to-site VPN between gateways.
Whether a protocol is proprietary is also entirely irrelevant.
For what reason?
And do you have the source for the statistics for “in droves” claims? And why would that matter in the first place? You can’t make technical decisions based on popular vote.
It isn’t, because it does not support mDNS. So you don’t get DNS-SD. It may work for some users, they must have some customers, just not for those who need DNS-SD specifically, i.e. most Windows and macOS users.
What does it say? I can’t read minds. Please elaborate with words, not just allusions.
I don’t see it as an “SSO tax”. I see a commercial company charging customers as much as customers are willing to pay. Good on them. That’s how the market works. I don’t know why you would complain that a free service does not offer some feature that you think it should. It’s literally free, you are not paying anything, you are not a customer, you are being gifted something of value and you can’t demand anything more. If you need SSO – it’s available. $5/month is hardly a burden.
Back to the technical discussion: I do prefer the interface and integration of Tailscale: for example, on some devices the Tailscale endpoint does show up as a real network adapter, and ZeroTier does not. But this is a fallout from the functionality offered – multicast DNS is not supported on Tailscale and you can’t do anything about it. It’s a fact.
Next, in my opinion, for home users DNS-SD, Bonjour, AirPrint, Time Machine, are a must. So, Tailscale is not a contender. If your users are the type that like to type hostnames and/or IP addresses – all the power to you, perhaps they haven’t experienced a properly set up network yet and don’t know that they don’t have to do all that.
No ordinary user needs mDNS in conjunction with a mesh VPN. I know Apple might use it like a crutch, but it’s just a convenience protocol - not something to be relied on. I’ve never consciously needed, wanted, or lacked mDNS in any scenario with or without such an overlay network. Totally unnecessary when most gateway routers have a built-in DNS server. Notoriously very spammy too, impacting WLANs especially.
Tailscale’s security model doesn’t even align with such a feature - given it’s a device to device mesh network by default, and subnetting / exit nodes are conscious decisions which something like mDNS should never play a part in (since it’s not particularly secure, let alone efficient).
So no, I certainly wouldn’t be relying on mDNS in a properly set-up network.
I literally already said:
I stand by the claim. Going by what you’ve said, recommending ZeroTier over Tailscale - to a user who’s already got it up and running, for free I might add - strongly suggests you haven’t used it very much, when you diss it for somehow being ‘more complex’… than wireguard, yet somehow ZeroTier… isn’t?
Was it? Coz I’m pretty sure the problem specification had nothing to do with gateways, and was simply to connect Duplicacy client with a storage backend, which the person had already solved the networking part. <shrug>
I mean, that’s my point entirely. I’m not demanding anything of ZeroTier, they already lose out to Tailscale as they offer what ZT doesn’t, and for free.
In addition, the clients - particularly the mobile apps - are far better. The ease of integrating it with Docker and Linux-based microservices is more than just hype.
As I said, I already have SSO, for free in Tailscale. I can even use my own OIDC provider, again for free.
Charging extra for SSO is a massive con, screw those who lock it behind $$$ when it isn’t even their resources being used! They lose. That’s how the market works…
Built-in DNS server won’t make AirPrint printers available or shared disks pop up in the UI.
I’m not trying to conserve traffic. I’m trying to maximize convenience. Modern WiFi is sub-1ms latency; it can handle broadcasts just fine.
That is a decision that shall be left to the user. Tailscale cannot support that, even if the user wants to.
My definition of “properly set up” is “maximum convenience for the user”. If this results in 10x broadcast traffic – so be it.
I don’t follow. I’ve played with Tailscale for 5 minutes, and never claimed to be an expert in it – just that it does not suit basic needs – but how is it related to the SSO tax and “say a lot”?
This:
This is precisely what I meant when I said it has a better UI.
Most users don’t need this.
I don’t see any difference in difficulty between the two.
They lost a non-paying customer who jumped ship because they did not want to pay even $5. How is that a loss? It’s a win for the business.
Sounds like an Apple-only problem to me. Who’da thunk throwing out common protocols and building a walled garden around the basic functionality of printing and file shares, wouldn’t lead to more vendor lock-in and less convenience.
Which is doubly ironic, since I just saw iOS doesn’t support multicast / mDNS either, and therefore ZT cannot support that, even if the user wants.
There’s a workaround for AirPrint, but the exact same hack works with Tailscale too, and for all other multicast traffic, a local DNS server (e.g. Pihole) and Magic DNS solves easily. After all, it should always be possible to use direct IP addressing.
Aside from that, I’d love to see a single use-case for mDNS and a VPN, which also can’t be solved in better ways. In 40 years of printing, I don’t think I’ve ever not needed to be in the same building as the printer.
Most users don’t need a mesh VPN - as if some solution in need of a problem.
Look at it the other way around - containerisation is pretty common now - and for connecting them, there’s mesh VPNs. Tailscale makes it dead easy.
Actually only partially true.
For instance, Tailscale’s model is aimed at businesses, which is why they give away nearly all of the main features for free to home users. Because they know many of us work in IT departments, and may recommend the product to the company. (In addition to having intimate knowledge of how it works.)
The strategy has already proven to work in my case since I have one (just one atm) small client that recently started buying user licences, after having trialed it with the 3 free users for a few months without limits. Had ZT not pulled the rug (twice), they might’ve had my business.
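The distinction this thread keeps coming back to, name resolution versus DNS-SD service discovery, and the later point that the same records can be served by a unicast resolver instead of multicast, is easiest to see on the wire. The script below is an added example, not code from this thread, from ZeroTier or from Tailscale: it builds a DNS-SD browse query, parses a constructed reply carrying the PTR, SRV, TXT and A records that advertise one AirPrint-style printer, and assembles the service instance a client would list. Everything in the reply is made up for the example (the instance name "Office Printer", the host "printer.local.", port 631, the TXT keys and the address 192.0.2.40); nothing is sent on the network, so it runs offline.

```python
import struct

PTR, SRV, TXT, A = 12, 33, 16, 1   # record types DNS-SD (RFC 6763) is built from

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_query(service):
    """A DNS-SD browse query: one PTR question, e.g. for _ipp._tcp.local."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar counts
    return header + encode_name(service) + struct.pack("!HH", PTR, 1)  # type PTR, class IN

def rr(name, rtype, rdata, ttl=120):
    """One resource record: name, type, class IN, TTL, rdlength, rdata."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_answer(instance, service, host, port, txt, ip):
    """Constructed responder reply: the PTR/SRV/TXT/A set that advertises one instance."""
    full = f"{instance}.{service}"
    txt_rdata = b"".join(bytes([len(kv)]) + kv.encode() for kv in txt)
    records = [rr(service, PTR, encode_name(full)),                                # service -> instance
               rr(full, SRV, struct.pack("!HHH", 0, 0, port) + encode_name(host)),  # instance -> host:port
               rr(full, TXT, txt_rdata),                                           # instance -> properties
               rr(host, A, bytes(int(o) for o in ip.split(".")))]                  # host -> IPv4 address
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, len(records), 0, 0)  # flags: response, authoritative
    return header + b"".join(records)

def read_name(pkt, off):
    """Decode a name at pkt[off], following compression pointers; returns (name, next offset)."""
    labels, after = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            if after is None:
                after = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (after if after is not None else off)

def parse_records(pkt):
    """Return [(name, type, decoded rdata)] for every record in a reply."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off, recs = 12, []
    for _ in range(qd):                                 # skip any echoed questions
        off = read_name(pkt, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdoff, off = off + 10, off + 10 + rdlen
        val = rdata = pkt[rdoff:rdoff + rdlen]
        if rtype == PTR:
            val = read_name(pkt, rdoff)[0]
        elif rtype == SRV:                              # priority, weight, port, target name
            val = (struct.unpack("!H", rdata[4:6])[0], read_name(pkt, rdoff + 6)[0])
        elif rtype == TXT:                              # length-prefixed key=value strings
            val, i = {}, 0
            while i < len(rdata):
                n = rdata[i]
                key, _, value = rdata[i + 1:i + 1 + n].decode().partition("=")
                val[key], i = value, i + 1 + n
        elif rtype == A:
            val = ".".join(str(b) for b in rdata)
        recs.append((name, rtype, val))
    return recs

def browse(service, reply):
    """Assemble what a DNS-SD client shows: PTR -> SRV -> A, plus TXT properties."""
    service = service.rstrip(".") + "."
    recs = parse_records(reply)
    index = {t: {n: v for n, rt, v in recs if rt == t} for t in (SRV, TXT, A)}
    found = []
    for n, rt, inst in recs:
        if rt == PTR and n == service and inst in index[SRV]:
            port, host = index[SRV][inst]
            found.append({"instance": inst, "host": host, "port": port,
                          "ip": index[A].get(host), "txt": index[TXT].get(inst, {})})
    return found

SERVICE = "_ipp._tcp.local."
# Constructed reply standing in for what a printer's mDNS responder would send (made-up values).
SAMPLE_REPLY = build_answer("Office Printer", SERVICE, "printer.local.", 631,
                            ["txtvers=1", "rp=ipp/print", "pdl=application/pdf"], "192.0.2.40")

if __name__ == "__main__":
    print("browse query:", build_query(SERVICE).hex())
    for svc in browse(SERVICE, SAMPLE_REPLY):
        print(svc)
```

The PTR record is the only part that is "discovery": it answers "which instances of this service type exist?", and the SRV, TXT and A records then turn an instance into a host, port, properties and address. A resolver that only maps hostnames to addresses (the ZeroNSD or Magic DNS case) supplies the A record but nothing a client can enumerate. On a LAN this query goes to 224.0.0.251:5353; the record set is the same when published in a private unicast zone, which is why a local resolver can stand in where multicast is not forwarded.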
hehe No, the alternative/conservative/manual-IP way of course also works – as you pointed out, for AirPrint one can distribute the configuration profiles, and for Time Machine one can connect manually once and macOS will remember. Of course, it’s not critical, and not a dealbreaker. However when you start from zero and look at these two solutions – with one you don’t have to do it, and with the other you do. So, for example, for my parents to back up to my home server across the pond with Time Machine I’ve set up ZeroTier. They need to click Time Machine and the target is offered immediately. Low friction.
In an organization I assume you would not use Time Machine in the first place, and distributing profiles via MDM is also a no-brainer, so perhaps in these scenarios Tailscale is much better – being better integrated into various OSes and what not.
Time Machine over the internet is the use case. mDNS is the best case for UX.
Indeed.
I have various instances on oracle connected with zerotier to my other locations. Just as easy, if not easier.
Ease of setup is not a problem, it’s ease of use that is. And for containers it does not matter. My only gripe is with the end user experience, for users who don’t need to be IT experts to do things effectively.