What's the actual win here? Avoiding relay latency in the rare cases Tailscale can't punch through NAT? If that's it, a $3 VPS running Headscale seems simpler. The complexity feels like you're optimizing for the 5% case while adding permanent vendor lock-in. What am I missing?
For many homelabbers, it's just about being cheap and avoiding the $3 VPS; that's it.
What does Headscale have to do with NAT hole punching? I believe what you actually mean is setting up a relay, see the link in https://news.ycombinator.com/item?id=45948806 .
A $3 VPS running Headscale is not simpler, since you won't be able to run both Headscale and Tailscale on your end-user machines; I don't recommend it.
The solution we've found is running a white IP container (or VPS) which looks like regular WireGuard from the outside, while inside it "forwards" to your existing Tailscale network.
I don't remember if we use https://github.com/gravitl/netmaker or https://github.com/juhovh/tailguard
I don't think you are missing anything. They have a bunch of half-baked features like this that aren't as robust as real security vendors' and lock you in, just like you said.
Maybe I’m misunderstanding something…
But are you accusing someone of promoting vendor lock-in (cloudflare) while at the same time promoting vendor lock-in (tailscale)?
If you’re ok with vendor lock-in, shouldn’t you in theory be ok with any vendor?
Tailscale has what they call Peer Relays now to help solve this problem:
https://tailscale.com/blog/peer-relays-beta