Tailscale networking tool

Original link: https://wzyboy.im/post/1524.html

For the past month or so I have been using Tailscale, a networking tool, and I like it very much.

1. To network or not to network

In the idyllic early days of the Internet, every computer that could reach the Internet got its own IPv4 address, and running a website on your own machine was easy. Today, because IPv4 addresses are scarce, home and office networks usually sit behind a router that performs network address translation (NAT): devices on the local area network (LAN) use private addresses from ranges such as 192.168.0.0/16 and share one or a few public IPv4 addresses with the outside world. That is fine for ordinary web browsing, but since the devices have no publicly routable address, hosting a website on your own computer for others to visit becomes awkward.

To meet this need, modern home routers generally offer port forwarding: a port on the router's public address is forwarded to a port on a specific LAN device. For example, when an outside visitor connects to port 443/tcp on the router, the request is actually received and handled by the Nginx server on a NAS inside the LAN.

Besides port forwarding, the other way to let devices outside the LAN reach services inside it is to build a new, virtual LAN. For example, friends who do not live together but want to play games over a LAN can build a virtual LAN on top of a virtual private network (VPN), so that their two computers believe they are on the same local network.

Since I got my first home server seven years ago, I have always used port forwarding as the main way to reach services at home from outside, and have rarely used networking tools. Port forwarding only needs to be configured on the server side; the client needs nothing, which is very convenient. Networking tools are complex, fragile, and not environmentally friendly, and the time spent configuring them is really not worth it.

I heard that Tailscale became popular last year. I took a look and thought it would be boring to use yet another networking tool. Later, after my friend recommended it again and again, I finally tried it. I found that Tailscale really is the best networking tool I have ever used: lightweight, fast, feature-rich, and with a first-class user experience! Their company blog is also well written, which doubles my goodwill.

2. The savior of VPN, WireGuard

The most common networking solution is a VPN. Open-source options include OpenVPN, ocserv, and the various "swans" (FreeS/WAN, strongSwan, Libreswan, Openswan). To be honest, all of these are hard to use.

In 2015, a lightweight VPN called WireGuard was born. Compared with its predecessors it carries no heavy historical baggage; the code is compact, yet of such high quality that even Linus Torvalds admired it. In 2018, the Finnish kernel maintainer, famous for his sharp tongue, commented:

    Can I just once again state my love for it and hope it gets merged
    soon? Maybe the code isn't perfect, but I've skimmed it, and compared
    to the horrors that are OpenVPN and IPSec, it's a work of art.

                  Linus

Where OpenVPN runs to some 100,000 lines of spaghetti code, WireGuard implemented a modern in-kernel VPN in only about 4,000 lines.

Two years later, in 2020, WireGuard was merged into the Linux 5.6 kernel.

Back in 2019, several engineers from Google saw the potential and commercial value of WireGuard, founded Tailscale in Toronto, Canada, and began building networking software on top of it. In 2022, Tailscale became a unicorn with a $100M Series B round.

3. Hub-and-spoke and mesh topologies

Traditional VPN setups mostly use a hub-and-spoke topology: a central server with many clients scattered around it. If two clients want to exchange data, it has to be relayed through the server. This is inefficient for client-to-client traffic (such as friends gaming together) and adds needless latency.

A model better suited to client-to-client traffic within one virtual network is a mesh, in which every machine connects directly to every other with no server in the path. This ideal has two problems, however:

  1. It is no longer the idyllic era of the Internet. The NATs in front of machines in different homes make it hard for them to connect to each other directly.
  2. With N machines, a full mesh needs N(N-1)/2 connections, and every node must hold the public key and current endpoint of every other node; distributing and updating all of that by hand scales terribly.

Through in-depth research on the different NAT types and how to traverse them, Tailscale solves problem one; thanks to WireGuard's high performance and a sensible key-distribution mechanism (a coordination server hands each node the public keys and endpoints of its peers, while the data itself still flows peer to peer), Tailscale solves problem two.

So the ideal mesh VPN has finally become practical.

4. Getting Started with Tailscale

Tailscale does not run an identity provider (IdP) of its own: you cannot create a Tailscale account as such, only log in through an external identity, such as your company's directory (Active Directory, for example). For individual users it also offers login with a GitHub.com account, a Google account, and others.

Tailscale supports all the major operating systems. Note that it does not use the in-kernel WireGuard module, even on Linux: on every platform its WireGuard implementation is the user-space wireguard-go, driving a TUN device.

On Linux, Tailscale consists of the background daemon tailscaled and the CLI control tool tailscale. The getting-started guide on the Tailscale website is very good: it walks you step by step through installing on two machines, logging them in to form a network, and then pinging one from the other.

A network built with Tailscale is called a tailnet. Every tailnet gets a domain name of the form foo-bar.ts.net, where the foo-bar part defaults to two English words (you can re-roll it if you are not satisfied) and can also be customized.

Tailscale encourages a true mesh: install Tailscale on every device that needs to be on the network and let the devices connect directly. If you really need it (for example, there are simply too many devices at home), it also offers a subnet router: one device acts as an intermediary and advertises routes to its LAN to the rest of the tailnet, forwarding traffic on behalf of devices that cannot run Tailscale themselves.
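As an added example (not from the original post or from Tailscale's own documentation), the script below does the two steps of this section on a Linux box: join the tailnet, then optionally turn the machine into a subnet router. It assumes the tailscale CLI is installed and that you have a tailnet to log in to; the prefix 192.168.10.0/24 is a made-up example LAN. Before advertising a route it refuses anything outside the RFC 1918 private ranges, because a mistyped prefix would otherwise be advertised to every node in the tailnet.

```shell
#!/usr/bin/env bash
# Added example for this page, not code from Tailscale or the original author.
# Joins a Linux host to a tailnet and optionally makes it a subnet router for
# one LAN prefix. Assumes the tailscale CLI is installed; 192.168.10.0/24 is a
# made-up example LAN.
set -eu

# Accept only RFC 1918 prefixes (10/8, 172.16/12, 192.168/16) with a sane length.
is_rfc1918_cidr() {
  cidr=$1
  addr=${cidr%/*}
  plen=${cidr#*/}
  [ "$addr" != "$cidr" ] || return 1                  # missing "/len"
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac        # length must be numeric
  [ "$plen" -ge 8 ] && [ "$plen" -le 32 ] || return 1
  IFS=. read -r a b c d <<EOF
$addr
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac        # exactly four numeric octets
    [ "$o" -le 255 ] || return 1
  done
  [ "$a" -eq 10 ] && return 0
  [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
  return 1
}

# A subnet router must forward packets between tailscale0 and the LAN, so the
# Tailscale docs require IP forwarding; this writes the same sysctl drop-in.
ensure_ip_forwarding() {
  if [ "$(sysctl -n net.ipv4.ip_forward)" != 1 ]; then
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' |
      sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
  fi
}

# First run prints a login URL: open it in a browser and sign in with your IdP.
join_tailnet() {
  sudo tailscale up
  tailscale status          # every peer in the tailnet and its tailnet address
  tailscale ip -4           # this machine's own 100.x.y.z address
}

# Advertise one LAN prefix. The route stays disabled until an admin approves it
# in the admin console (or an autoApprovers rule in the ACL policy approves it).
advertise_subnet() {
  if ! is_rfc1918_cidr "$1"; then
    echo "refusing to advertise non-RFC1918 prefix: $1" >&2
    return 1
  fi
  ensure_ip_forwarding
  sudo tailscale up --advertise-routes="$1"
}

# Linux clients must opt in to advertised routes; other platforms accept them by default.
accept_routes() {
  sudo tailscale up --accept-routes
}

case "${1:-}" in
  join)      join_tailnet ;;
  advertise) advertise_subnet "${2:-192.168.10.0/24}" ;;
  accept)    accept_routes ;;
esac
```

Run it as `./tailnet.sh join` on each machine, `./tailnet.sh advertise 192.168.10.0/24` on the one that sits in the LAN, and `./tailnet.sh accept` on the Linux clients that should use the route. One caveat worth knowing: when you re-run `tailscale up` with a new flag, the CLI refuses to silently drop flags you set earlier and asks you to repeat them (or pass `--reset`), so keep the full set of flags for a node in one place.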

5. More than networking

Tailscale not only does networking well; it also brings many thoughtful and practical features.

MagicDNS

DNS inside a VPN has always been a headache. Tailscale ships with split DNS: a local stub resolver intercepts the machine's DNS queries; names in the tailnet are answered with tailnet addresses, and everything else is forwarded to the nameservers that were configured before Tailscale started. They have also researched, and made themselves compatible with, the ten thousand ways Linux has of managing /etc/resolv.conf.

TLS certificate

Although traffic inside the tailnet is encrypted, the browser does not know that. When you visit a site by its tailnet name over plain HTTP, Chrome and the browsers that follow it show an insecure warning and even disable some features. To solve this, Tailscale can obtain Let's Encrypt certificates for you: since ts.net is their own domain, the DNS challenge is the natural way to prove control of the name.

Public reverse proxy

Now that there is a certificate, can traffic from the public Internet be encrypted too? Tailscale uses its own public servers to provide a simple reverse proxy (Tailscale Funnel), so that an HTTPS service inside your tailnet can be reached by the whole world.

File transfer

Files can be transferred between two devices on the tailnet, much like AirDrop!

Built-in HTTP and SSH server

Probably because HTTP and SSH are the two most commonly used protocols, Tailscale has servers for both built in. Tailscale SSH grants access according to the ACL policy configured for the tailnet instead of distributing SSH public keys to every machine; the built-in SSH server can even record sessions for audit.
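As an added example (not the author's policy, nor one shipped by Tailscale; users, groups and tags are made up), the tailnet policy file below shows what "SSH governed by the ACL instead of by public keys" looks like in practice. A new tailnet starts with a single rule that lets every device talk to every device on every port; this file replaces that with least privilege. Tailscale SSH needs two things: an ordinary ACL rule that allows TCP port 22 to the target, and an entry in the ssh section that names who may log in as which local users. The recorder fields point session recordings at a node tagged tag:recorder, which is assumed to exist.

```json
{
  // HuJSON: comments and trailing commas are allowed in Tailscale policy files.
  "groups": {
    "group:admins": ["alice@example.com"],
    "group:family": ["alice@example.com", "bob@example.com"],
  },

  // Who may assign each tag; tagged nodes are servers, not owned by a person.
  "tagOwners": {
    "tag:nas": ["group:admins"],
    "tag:recorder": ["group:admins"],
  },

  // Network-level rules. Nothing is reachable unless a rule says so.
  "acls": [
    // Family members may open the media server's HTTPS port, nothing else.
    { "action": "accept", "src": ["group:family"], "dst": ["tag:nas:443"] },
    // Tailscale SSH still needs port 22 permitted at the network layer.
    { "action": "accept", "src": ["group:admins"], "dst": ["tag:nas:22"] },
    // Recordings flow from the SSH target to the recorder node.
    { "action": "accept", "src": ["tag:nas"], "dst": ["tag:recorder:80"] },
  ],

  // Who may log in over Tailscale SSH, and as which local account.
  "ssh": [
    {
      // "check" re-prompts for IdP authentication once per checkPeriod.
      "action": "check",
      "checkPeriod": "12h",
      "src": ["group:admins"],
      "dst": ["tag:nas"],
      // No root logins through this rule; use sudo on the box instead.
      "users": ["autogroup:nonroot"],
      // Every session is recorded; if no recorder is reachable, the login fails.
      "recorder": ["tag:recorder"],
      "enforceRecorder": true,
    },
  ],

  // Optional: approve the subnet router's LAN route automatically when the
  // advertising node carries tag:nas, instead of clicking through the console.
  "autoApprovers": {
    "routes": {
      "192.168.10.0/24": ["tag:nas"],
    },
  },
}
```

Two things to check after saving such a policy: the admin console's ACL test feature (or `tailscale ping`) confirms that a family member can reach port 443 but not port 22, and running `tailscale up --ssh` on the tagged NAS is still required to turn the built-in SSH server on; the policy alone does not start it.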

6. Tailscale application examples

Nodes can also be shared across tailnets. A Tailscale-using friend shared his Plex/Jellyfin node with me. Keeping Plex off the public Internet is an effective way to avoid a LastPass-style tragedy.

Although my SSH service disallows password login, being scanned so much is annoying, so I installed Fail2ban. With Tailscale, you can consider pulling frequently scanned services such as SSH/RDP off the public Internet entirely, and then Fail2ban can be turned off as well.

Services that are hard to put authentication in front of, but that you want to share with a small circle, can also be shared through Tailscale: dictd, for example, or a DNS server with ad filtering.

Protocols originally designed for LAN use only, such as NFS, can also be shared over Tailscale. The Tailscale blog has an example of a Steam Deck playing games from a NAS in another city.

The address of this article: https://wzyboy.im/post/1524.html . Please indicate the source.
