linsomniac a day ago

I've been running headscale for 2.5 years and it's been pretty good. We use our gmail domain for logging in, which gives a big benefit that users can self-serve their devices. Unlike with OpenVPN in the past where ops had to hand off the certs and configs. Really the only downside has been when they accidentally connect to the tailscale login server instead of our own and then can't figure out why they can't reach any services. We use user groups to set up what services users can access.

We are still running the old headscale, because we have some integrations that will need to be ported to the new control plane. According to "headscale node list | wc" we have ~250 nodes, most of them are servers.

One thing I really don't love about tailscale some of the magic it does with the routing tables and adding firewall rules, but it has mostly not been an issue. Tailscale has worked really quite well.

Reply View 0 replies
syntaxing 2 days ago

As in you rolled out an internal service for the whole company?!

Reply View 8 replies
  • cassianoleal a day ago

    As opposed to what? This seems pretty normal.

    We considered it as well but there was a feature missing that meant we couldn’t use it for one of our main requirements. Had that not been the case, we’d have rolled it out.

    Reply View 2 replies
    • mrklol a day ago

      Mind sharing which feature?

      Reply View 1 reply
      • cassianoleal a day ago

        Honestly I'm hazy on the details but we're running a fairly complex environment in GCP with PSC everywhere, connections to on-prem and other external environments, and something wouldn't quite work due to all that.

        Sorry I can't provide any more details but I really don't remember the specifics. We were in touch with Tailscale engineers and they offered some workarounds that we had already worked out but that wouldn't help us achieve what we were after.

        Reply View 0 replies
  • sshine 2 days ago

    I’d love to see a write-up on that.

    Especially in the unlikely event that you used Nix for the deployment.

    Reply View 4 replies
    • benley 2 days ago

      I've done exactly that: headscale in production at work, a few hundred client devices, infrastructure mostly powered by nix. What would you want to hear about it?

      Reply View 3 replies
      • squiggleblaz a day ago

        * Does it work well? * Do you recommend it? * Do your users care? * Is it difficult? Do you have to maintain it or is it basically set it and forget it? * What was memorable about setting it up? * Why did you go for Headscale vs Tailscale or Netbird or some other solution?

        Reply View 0 replies
      • sshine a day ago

        > headscale in production at work

          - How much effort do you put into key management compared to plain WireGuard?
  - How automated is the onboarding process; do you generate and hand over keys?
  - How do you cope without the commercial Tailscale dashboard?
  - Do you run some kind of dashboard or metrics system?
  - How long did it take to set up?
  - Were there any gotchas?
        Reply View 1 reply