How I use Tailscale

Practical uses and benefits

  • Many comments praise Tailscale’s polish and “just works” setup compared to hand-rolled WireGuard or traditional VPNs.
  • Common use cases:
    • Remote access to media servers (Plex/Jellyfin) and file servers as if on LAN.
    • Using home exit nodes to route all mobile/public Wi‑Fi traffic through AdGuard Home/Pi-hole, or to appear from home country for streaming and banking.
    • Locking down SSH/Postgres on production servers to Tailscale-only access.
    • Using Mullvad integration as geographically diverse exit nodes without a separate VPN client.
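
As an added example, not from the thread or from Tailscale itself, a small Python audit for the "Tailscale-only access" item above: it parses `ss -Hltn` output and flags SSH or Postgres listeners bound to anything other than loopback or a Tailscale address. The sample `ss` output is constructed, and the watched-port table is an assumption.

```python
import ipaddress
import subprocess

# Tailscale assigns node addresses from the CGNAT range and its own ULA prefix.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILSCALE_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")

# Assumed set of services that should only be reachable over the tailnet.
WATCHED_PORTS = {22: "ssh", 5432: "postgres"}

# Constructed sample of `ss -Hltn` (no header, listening TCP sockets, numeric).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 244 100.101.102.103:5432 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
"""


def classify_bind(addr):
    """Say where a bind address is reachable from: all interfaces, loopback, tailnet, or other."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip in TAILSCALE_V4 or ip in TAILSCALE_V6:
        return "tailnet"
    return "other-interface"


def parse_listeners(ss_output):
    """Turn `ss -Hltn` lines into (host, port) tuples; the local address is column 4."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        listeners.append((host.strip("[]"), int(port)))
    return listeners


def exposed_services(ss_output, watched_ports=WATCHED_PORTS):
    """Return (service, host, port, scope) for watched ports reachable outside the tailnet."""
    findings = []
    for host, port in parse_listeners(ss_output):
        if port in watched_ports:
            scope = classify_bind(host)
            if scope in ("all-interfaces", "other-interface"):
                findings.append((watched_ports[port], host, port, scope))
    return findings


if __name__ == "__main__":
    # On a real host replace the sample with: subprocess.check_output(["ss", "-Hltn"], text=True)
    for service, host, port, scope in exposed_services(SAMPLE_SS_OUTPUT):
        print(f"{service} on {host}:{port} is bound to {scope}; restrict it to the tailnet")
```

Wildcard binds that are guarded by a host firewall rule limited to tailscale0 are still reported, because the check looks at bind addresses only; treat those as items to confirm rather than as findings.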

Funnel, exposure, and security-by-obscurity

  • tailscale funnel is compared to ngrok; people like the convenience but warn it instantly attracts bots via certificate transparency (CT) logs.
  • Some see CT-based discovery as effectively “summoning a DDoS” onto residential dev servers, and recommend nonstandard ports, wildcard certs, or self-hosted CA to reduce discoverability.
  • Long subthread argues over “security through obscurity”:
    • One side says CT removes an important obscurity layer and materially increases exposure.
    • Others argue obscurity alone is not security and the real problem is exposing non-hardened services.

SSH integration and ACLs

  • Tailscale’s SSH feature (“if you’re logged into Tailscale, you can SSH”) worries some who prefer explicit keys; it’s clarified this is optional, not default, and still uses WireGuard per-device keys.
  • Some see it as a big win for team access; others insist on keeping traditional SSH auth for defense-in-depth.
  • A separate concern: even with ACLs, compromise of the control plane or one node could let an attacker alter ACLs; calls for signing/“locking” tailnet config to mitigate this.

Privacy, logging, and DNS behavior

  • Major thread on Tailscale’s default per-connection logging to log.tailscale.com:
    • Critics see always-on, real-time metadata logging (especially on iOS/Android where opt-out isn’t available) as invasive and potentially useful for profiling.
    • Defenders note enterprise needs (audit, intrusion detection) and argue intent isn’t mass surveillance, though they agree defaults may be wrong for purely personal use.
  • Discussion that Tailscale aggressively inserts itself as DNS resolver (via MagicDNS/Quad100), sometimes overwriting resolv.conf; opinions split between “convenient” and “too much control,” with suggestions to disable or self-manage DNS.

Self-hosted and alternative solutions

  • Several mention Headscale (self-hosted Tailscale control plane), NetBird, Nebula, Zerotier, or pure WireGuard as options for those unwilling to trust a third-party control server.
  • Some wonder how feature-complete these are versus Tailscale’s managed offering.

Operational caveats

  • Reports of high mobile battery usage and WSL resolv.conf breakage.
  • Advice not to host your custom OIDC provider behind the same tailnet it authenticates, to avoid lockout requiring vendor intervention.
  • Desire for Taildrop to send files to non-tailnet users.