Comment by SuperShibe

Comment by SuperShibe 2 days ago

17 replies

View on Hacker News

Every few months I come back to this repo to check if they finally got Tailnet lock running or if someone security audited them in the meanwhile. Unfortunately neither of these things seem to make any progress and thus, I’ve grown uncertain in how much I can trust this as a core part of my infrastructure.

The entire premise of Tailscale SaaS builds on creating tunnels around your firewalls, then enabling the user to police what is allowed to be routed through these tunnels in a intuitive and unified way.

Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal, but can they also fulfill the second part by providing enough of their own security to make up for anything they just bypassed, or will they descend to just being a tool for exposing anything to the internet to fuck around with your local network admin? To me, not giving your Tailscale implementation any way for the user to understand or veto what the control server is instructing the clients to do while also not auditing your servers code at all sure seems daring…

nativeit 2 days ago

> Headscale seems to have nailed down the part of bypassing the firewall and doing fancy NAT-traversal

Did they really roll-their-own for those functions? I thought this was just a control layer on top of Tailscale’s stock services on the backend, are they facilitating connections with novel methods? Apologies if I’m asking obvious questions, I use ZeroTier pretty regularly, but I am not too familiar with Tailscale.

Reply View 6 replies
gpi 2 days ago

One of the maintainers work for tailscale now.

Reply View 4 replies
  • wutwutwat 2 days ago

    maintainer's employment != security audit

    Reply View 3 replies
    • gpi 2 days ago

      My thinking is their time is divided now and could lead to less efforts spent on headscale.

      Reply View 2 replies
      • palotasb 2 days ago

        Not compared to the previous state where he worked for an unrelated company and only had his free time to contribute to Headscale.

        Reply View 0 replies
      • kradalby 13 hours ago

        Person with split time here,

        I definitely have more time to spend on it now, I have half a work week vs sometime in the evenings or weekends if I had excess energy after having my other job.

        Reply View 0 replies
bananapub 2 days ago

tailnet lock seems way way less important for headscale than tailscale, given you personally control the headscale infra.

Reply View 3 replies
  • codethief a day ago

    Depends on your threat model. Mine definitely includes one of my servers getting compromised. (Which, tbh, is probably more likely than Tailscale getting hacked.)

    Reply View 0 replies
  • SuperShibe a day ago

    only until someone finds a zeroday in headscale (remember, it never got audited) or until the server running headscale itself gets compromised. Especially in countries where getting a dedicated public IPv4+IPv6 from your ISP is hard-impossible and you‘d have to rely on a server hosted externally (unless you’re large enough to make deals with the ISP) some company hosting your server still retains at minimum physical control over your headscale infra. For why this is a problem, see the recent Oracle cloud breach.

    Reply View 0 replies
  • botto a day ago

    This is my thought as well, if you are in control then you also control which nodes go on your tailnet

    Reply View 0 replies