I haven’t used Tailscale but reading the description, it’s identical to ZeroTier. I’ll just mention ZeroTier from now on.
ZeroTier is an easier alternative to VPN to create secure connections between any of your systems, without setting up servers, without even caring if the device doesn’t have a static IP, DNS registration, etc. ZeroTier is free to use if you have less than 50 devices, and Tailscale if you have less than 20. Perfect for self-hosters. The TLDR of how they work:
You install the ZeroTier client on all devices that need to talk to one another. They support all OSes, as well as some NAS like Synology. It creates a virtual network interface, just like VPNs.
Each client periodically communicates with ZeroTier’s public handshake servers to give it your current WAN IP (public/Internet IP), and also as a ping check. You can self-host the handshake server if you want, but I didn’t bother.
Each device gets a unique ID.
You create a new secure network on ZeroTier’s website, which is simple. The network has a unique ID. Using the desktop client, you join this private network by entering its ID. Then on the web interface, you see “deviceXYZuniqueid wants to join this network”, you say yes, and bam, you’ve got your secure comms up.
From now on, devices in the same network can see each other, no matter their IP, location, etc. So your laptop can ssh to your home server just by doing “ssh user@zerotier-ip-of-server”, check web interfaces by browsing to https://zerotier-ip-of-server, etc. (they have a DNS tool for nicer names but I haven’t used it). All traffic between them is secure and encrypted. Connections are peer-to-peer via UDP STUN magic with the help of the public server.
Other notes:
It’s open-source and I think zero-knowledge encryption on ZeroTier’s part, so in theory no need to worry about your precious data being sniffed by ZeroTier employees.
Since communication is P2P (as opposed to passing through ZeroTier’s servers), there’s no performance penalty. I was able to use this for playing multiplayer games in an emulator with someone else in a different city, using the emulator’s LAN multiplayer. I saw someone’s informal benchmarks and it only added 5 ms to ping latency and a 5% bandwidth throughput penalty compared to without ZeroTier.
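The join-then-approve flow described in the post above, scripted as an added example (not from the original poster or from ZeroTier). It uses the real `zerotier-cli join`, `listnetworks` and `info` commands, but the column layout the parser assumes for `listnetworks` output is my assumption and should be checked against your own client. The point for a self-hoster: don't start pointing services at the zt interface until the controller actually reports the network as authorized; until you approve the node in the web UI it sits in ACCESS_DENIED. The `ZT_SAMPLE` text is constructed so the parser can be exercised without a running daemon.

```shell
#!/bin/sh
# Added example, not from the original post: join a ZeroTier network and wait
# until the controller has authorized this node before trusting the interface.
# The listnetworks line layout assumed by the parser is:
#   200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
# (an assumption; verify against your client's output).
set -eu

# zt_network_status NWID LISTNETWORKS_OUTPUT
# Prints the status column (OK, ACCESS_DENIED, REQUESTING_CONFIGURATION, ...)
# for the given network ID, or NOT_JOINED if the ID is absent. Columns are
# counted from the right so a network name containing spaces does not break it.
zt_network_status() {
  printf '%s\n' "$2" | awk -v nwid="$1" '
    $1 == "200" && $3 == nwid { print $(NF-3); found = 1 }
    END { if (!found) print "NOT_JOINED" }'
}

# zt_assigned_ips NWID LISTNETWORKS_OUTPUT
# Prints the comma-separated ZeroTier-managed addresses ("-" when none yet).
zt_assigned_ips() {
  printf '%s\n' "$2" | awk -v nwid="$1" '$1 == "200" && $3 == nwid { print $NF }'
}

# zt_wait_authorized NWID [MAX_TRIES]
# Needs a running zerotier-one service and root (hence sudo). Returns 0 once
# the network reports OK, 1 if it never does within MAX_TRIES * 2 seconds.
zt_wait_authorized() {
  nwid=$1; tries=${2:-30}
  sudo zerotier-cli join "$nwid" >/dev/null
  while [ "$tries" -gt 0 ]; do
    tries=$((tries - 1))
    out=$(sudo zerotier-cli listnetworks)
    status=$(zt_network_status "$nwid" "$out")
    case "$status" in
      OK)
        echo "authorized; ZeroTier address(es): $(zt_assigned_ips "$nwid" "$out")"
        return 0 ;;
      ACCESS_DENIED)
        # "200 info <nodeid> <version> ONLINE" is the assumed `info` layout.
        echo "waiting: approve node $(sudo zerotier-cli info | awk '{print $3}') for $nwid in the web UI" ;;
      *)
        echo "status: $status" ;;
    esac
    sleep 2
  done
  echo "gave up waiting for $nwid" >&2
  return 1
}

# Constructed sample output (not captured from a real node) for testing the
# parser offline: one public network, one not yet approved, one authorized.
ZT_SAMPLE='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 8056c2e21c000001 earth 02:ab:cd:ef:01:23 OK PUBLIC zt0 -
200 listnetworks deadbeef00000001 home lab 02:11:22:33:44:55 ACCESS_DENIED PRIVATE zt1 -
200 listnetworks c0ffee0000000001 private 02:66:77:88:99:aa OK PRIVATE zt2 10.147.17.42/24'

# zt_selfcheck: returns 0 if the parser reads the sample as expected.
zt_selfcheck() {
  [ "$(zt_network_status c0ffee0000000001 "$ZT_SAMPLE")" = OK ] &&
  [ "$(zt_network_status deadbeef00000001 "$ZT_SAMPLE")" = ACCESS_DENIED ] &&
  [ "$(zt_assigned_ips c0ffee0000000001 "$ZT_SAMPLE")" = 10.147.17.42/24 ]
}

# Usage: ./zt-join.sh <16-hex-digit network id>
if [ "$#" -gt 0 ]; then
  zt_wait_authorized "$1"
fi
```

Run it with the network ID from the web UI; it returns non-zero if the node is never approved, which makes it safe to chain before starting whatever you only want reachable over the ZeroTier address.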
ZeroTier is great. It’s not for some, but it is dead simple to set up and works with CGNAT. I can understand those who want to host everything themselves, but evaluate the service on its merits.
Or you could use something like Nebula or plain old WireGuard, or WireGuard-based stuff like innernet or headscale, instead of using a proprietary closed-source cloud-based service like ZeroTier or Tailscale.
Just saying since you know, this is a self hosted subreddit.
Even easier is Cloudflare Argo Tunnel. Only one lightweight daemon/service on your network and that’s it. No clients on each device outside the network. It’s also now free.
Nothing says privacy like having to continually ping a cloud server owned by a private company, letting them know your IP address on each device multiple times a day. Nah, I’ll stick to my WireGuard server. It took all of 2 seconds to set up with Docker.
Tailscale is a good product and made by smart people, but it’s open source only in marketing speak. User applications for Linux are open source; Win and Mac are closed source. But the control plane software is closed source, so you can’t use it without doing all authentication through their central servers. And I didn’t even touch upon their reliance on Google or Microsoft for authorization. The Headscale project could be an answer to that, but it’s grassroots and unverified. So maybe stick to plain WireGuard or use ZeroTier.
Why would I use a third-party if I can just run WireGuard myself?
IMHO, this post doesn’t fit r/selfhosted, since the service ZeroTier provides strips away the “self-hosted” aspect. It’s WireGuard without any work, or hosting.
Having worked on a few big projects, being 100% honest, none have had super strict repo policies or etiquette beyond fix your merge conflicts and don’t break stuff, but the general thought being that if your merge breaks something it’s your job to fix it.
So with that background, I may be biased, but the general approach to the situation that you’ve highlighted is, like everyone else has said, cherry-pick is your friend; albeit a little manual, it is the cleanest way to address your issue.
Dunno about ZeroTier, but as far as I can tell, Tailscale doesn’t help with having my subnet connect out to my tailnet. I can ssh from a tailnet device to a server on my network thanks to subnet routing, but I can’t go the other way. Subnet routing as implemented on Linux appears to use SNAT in order to not have to set up routing tables and stuff like that on the rest of the network, which makes it super easy to do, but unidirectional.
Also, related to this, I don’t think I can use Tailscale to set up site-to-site VPN.
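Several commenters above suggest plain WireGuard, and the last comment raises the site-to-site case where Tailscale's SNAT-based subnet routing only works one way. As an added example (not from any commenter, and not Tailscale's or WireGuard's own code), the script below generates a matching pair of `wg-quick` configs for a route-based site-to-site link: each gateway lists the other site's LAN in `AllowedIPs`, so the kernel routes that prefix into the tunnel and the far side sees real source addresses, which is what lets either LAN initiate connections. Site names, subnets and keys are placeholders; the topology (site B reachable, site A behind CG-NAT and dialling out) is constructed for the example.

```shell
#!/bin/sh
# Added example, not from any commenter: paired wg-quick configs for a
# route-based (no SNAT) site-to-site WireGuard tunnel. All names, subnets
# and keys below are placeholders.
set -eu

# wg_site_config TUNNEL_ADDR PRIVKEY PEER_PUBKEY PEER_ENDPOINT ALLOWED LISTEN_PORT
#   PEER_ENDPOINT "-" omits the Endpoint line: use it for the peer that sits
#   behind CG-NAT and can only dial out (its keepalive holds the mapping open).
#   ALLOWED is the peer's tunnel address plus the LAN(s) behind it; wg-quick
#   installs a kernel route for each of these prefixes via the wg interface.
wg_site_config() {
  tunnel_addr=$1; privkey=$2; peer_pub=$3; endpoint=$4; allowed=$5; port=$6
  printf '[Interface]\nAddress = %s\nPrivateKey = %s\nListenPort = %s\n' \
    "$tunnel_addr" "$privkey" "$port"
  # Forwarding on, no MASQUERADE: hosts at the far site see real source IPs,
  # so connections can be initiated from either LAN (Linux sysctl, needs root).
  printf 'PostUp = sysctl -w net.ipv4.ip_forward=1\n\n'
  printf '[Peer]\nPublicKey = %s\n' "$peer_pub"
  if [ "$endpoint" != "-" ]; then
    printf 'Endpoint = %s\n' "$endpoint"
  fi
  printf 'AllowedIPs = %s\nPersistentKeepalive = 25\n' "$allowed"
}

# wg_routes_both_ways CONF_A LAN_B CONF_B LAN_A
# Returns 0 only if A's config routes LAN_B and B's config routes LAN_A,
# i.e. the pair is bidirectional rather than one-way like SNAT subnet routing.
wg_routes_both_ways() {
  printf '%s\n' "$1" | grep '^AllowedIPs = ' | grep -qF "$2" &&
  printf '%s\n' "$3" | grep '^AllowedIPs = ' | grep -qF "$4"
}

# Constructed topology: site B has a public address, site A is behind CG-NAT.
SITE_A_LAN=192.168.1.0/24
SITE_B_LAN=192.168.2.0/24
# Placeholder keys; real ones come from: wg genkey | tee site.key | wg pubkey
A_CONF=$(wg_site_config 10.200.0.1/24 PLACEHOLDER_A_PRIVATE_KEY PLACEHOLDER_B_PUBLIC_KEY \
  site-b.example.com:51820 "10.200.0.2/32,$SITE_B_LAN" 51820)
B_CONF=$(wg_site_config 10.200.0.2/24 PLACEHOLDER_B_PRIVATE_KEY PLACEHOLDER_A_PUBLIC_KEY \
  - "10.200.0.1/32,$SITE_A_LAN" 51820)

# wg_site_to_site_ok: 0 when the generated pair routes in both directions.
wg_site_to_site_ok() {
  wg_routes_both_ways "$A_CONF" "$SITE_B_LAN" "$B_CONF" "$SITE_A_LAN"
}

# Usage: ./wg-site.sh --print   (then copy each block to its gateway's wg0.conf)
if [ "$#" -gt 0 ] && [ "$1" = --print ]; then
  printf '# site-a /etc/wireguard/wg0.conf\n%s\n\n# site-b /etc/wireguard/wg0.conf\n%s\n' \
    "$A_CONF" "$B_CONF"
fi
```

Two things the config alone does not do: hosts on each LAN still need a route for the other LAN via their WireGuard gateway (trivial if the gateway is already the LAN's default router, otherwise a static route on that router), and because nothing is NATed, the gateway's forwarding firewall is what decides which hosts on the far side may reach which local services.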