I've realized how easy it is to just actually run a network rather than half ass it with tailscale. I recommend this, it's fun.
this post was submitted on 09 Jun 2025
751 points (100.0% liked)
Selfhosted
46677 readers
502 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
I never really understood the point of using Tailscale over plain ol' WireGuard. I mean I guess if youve got a dozen+ nodes but I feel like most laymens topologies won't be complex beyond a regular old wireguard config
NAT punching and proxying when a p2p connection between any 2 nodes cannot be achieved. It’s a world of difference with mobile devices when they always see each other, all the time. However, headscale does all that.
load more comments
(2 replies)
They also had a major ass security issue that a security company should not be able to get away with the other day: assuming everyone with access to an email domain trusts each other unless it's a known-to-them freemail address. And it was by design "to reduce friction".
I don't think a security company where an intentional decision like that can pass through design, development and review can make security products that are fit for purpose. This extends to their published client tooling as used by Headscale, and to some extent the Headscale maintainer hours contributed by Tailscale (which are significant and probably also the first thing to go if the company falls down the usual IPO enshittification).
Isn’t that the entire design philosophy of tailscale?: reduce friction, at the cost of some security.
If security is your main priority, you should be using more secure options, even if they are less convenient or tougher to maintain.
load more comments
(3 replies)
So glad my router supports WireGuard/OVPN server hosting, doing it this way also relieves resources off your homelab and for whatever reason your homelab shuts off or loses network access you can at least rely on your router to re-establish the VPN server without further intervention.
I always knew it was too nice to stay non-shitty forever.
Guess it's time for me to pester my ISP to let me open some ports
Meh. I will keep using it
Question: if I setup Headscale on my network, I would have to open a port on my router to connect to it right? And also if I setup Headscale with some cloud provider, could they theoretically go and use the setup to get to my home network? I know its unlikely, I just mean if the technology is like e2e from clients to my home network, or if the cloud headscale 'centre' would be also an unguarded entry point (from the perspective of cloud admins). I hope I am clear 😀 Thanks (btw you probably guess why I currently use Tailscale 😀)
if I setup Headscale on my network, I would have to open a port on my router to connect to it right?
The way I understand it is:
I would have to open a port on my router to connect to it right?
Yes
if I setup Headscale with some cloud provider, could they theoretically go and use the setup to get to my home network?
If they are able to authorize their own node to your Headscale server, then their node gets on your network. If they take over the Headscale node, they might also be able to access your network, either by changing Headscale's config to auth another node or perhaps if the Headscale node is part of the network, which it might be, I don't recall. But I think that's immaterial. If someone takes over the Headscale machine, they can get on your network either way.
load more comments
(1 replies)
What is even the point of tailscale? What can it do that other VPN solutions don't? I feel like this is a problem that was solved like 20 years ago and still we're coming up with novel solutions for some reason. At my company they want to start using tailscale and I don't see why we don't just set up wireguard on a node in our k8s cluster instead
Because I can have 3 phones, 2 tablets, 3 computers and 4 server on the same Tailnet in 15 minutes when starting from scratch
load more comments
(3 replies)
If you are capable of setting up your own personal VPN, you don't need Tailscale. You still may want to use it though, depending on how much of a novelty Network Fun is for you in your spare time.
For me, the main advantage to Tailscale et al is that it is on a per device basis. So I can access my SMB shares or Frigate setup remotely while still keeping the rest of my internal network isolated( to the degree I trust the software and network setup). You CAN accomplish that with some fancy firewall rules and vlanning but... yeah.
load more comments
(1 replies)