Tailscale: A Zero-Config VPN

Exploring Tailscale, a mesh VPN using WireGuard for secure, direct node connections.

What is Tailscale?

At its core, Tailscale uses WireGuard, a fast and modern VPN protocol. Tailscale is a mesh VPN that automates node authentication through an existing identity provider (OAuth or SAML) and integrates with existing systems. Nodes connect to a coordination server, which facilitates network setup but never routes traffic. Each node generates its own key pair and sends only the public key to the coordination server, so private keys stay on the node. The system uses STUN to handle NAT traversal, allowing nodes behind NAT to establish direct connections, so no inbound ports need to be opened, unlike a traditional VPN server.

Tailscale creates a full mesh network, where each node connects directly to the others it needs to communicate with, eliminating central routing points. Subnet routers let devices that cannot run Tailscale be reached through the network, and exit nodes route a client's entire internet traffic through a chosen node. MagicDNS automatically assigns DNS names to nodes, and ACLs provide fine-grained control over which nodes may reach which resources. This setup simplifies VPN deployment and management, reducing latency and potential failure points. Although Tailscale provides a secure way to manage VPN connections, the coordination server that distributes public keys and access policy is Tailscale's own infrastructure, so it remains a trusted component of the design.

My setup already includes a WireGuard VPN server with DDNS on WAN 1. However, my UDM Pro router lacks automatic failover of DDNS to WAN 2. This means that if WAN 1 goes down, the DDNS record keeps pointing at the WAN 1 address even though WAN 2 takes over as the uplink. To counter this, I temporarily disabled the primary uplink and set up Tailscale with an active connection under WAN 2.

With this setup, even if the primary uplink goes down and takes the WireGuard server with it, Tailscale remains reachable over the secondary uplink.

Set up Tailscale:

  • Create an account: Sign in to Tailscale with SSO or create a new account.
  • Install on Local Devices: Tailscale can be installed on any device on the network to create a direct connection to that machine. In my case, I used Home Assistant, as this server is powered on 24/7 and I do not need to run another machine or container dedicated to Tailscale. Installation is straightforward:
    • Navigate to Home Assistant, open Settings > Add-ons, and select Tailscale.
    • Once downloaded, start the service and authenticate with the Tailscale account.
    • Enable subnet routes so that Home Assistant acts as a central node for devices that can’t run Tailscale themselves. The add-on can also function as an exit node, routing internet traffic through this machine.
  • Client Device Setup: Install the Tailscale client on your client device and authenticate.
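A check worth running once the setup above is done, and against the direct-connection claim earlier: this added Python script (not part of the original post) classifies each peer in `tailscale status --json` output as direct or relayed through DERP and lists which peers advertise subnet routes or offer an exit node. The field names and the sample document are assumptions constructed for the example; feed it the real output of `tailscale status --json` to check your own tailnet.

```python
"""Classify peers as direct vs. relayed from `tailscale status --json`.

Assumed (not from the original post): the field names below match what
`tailscale status --json` prints. SAMPLE_STATUS is constructed, not captured.
"""
import json

# Constructed sample: one peer with a direct UDP path (CurAddr set) and one
# that has fallen back to a DERP relay (CurAddr empty, Relay region set).
SAMPLE_STATUS = json.dumps({
    "Peer": {
        "nodekey:aaaa": {"HostName": "homeassistant", "TailscaleIPs": ["100.64.0.2"],
                         "Online": True, "CurAddr": "203.0.113.10:41641", "Relay": "lhr",
                         "PrimaryRoutes": ["192.168.1.0/24"], "ExitNodeOption": True},
        "nodekey:bbbb": {"HostName": "phone", "TailscaleIPs": ["100.64.0.3"],
                         "Online": True, "CurAddr": "", "Relay": "fra",
                         "ExitNodeOption": False},
    },
})

def classify_peers(status_json: str) -> dict:
    """Map hostname -> path ("direct" | "relayed" | "offline"), relay, routes, exit_node."""
    result = {}
    for peer in json.loads(status_json).get("Peer", {}).values():
        if not peer.get("Online", False):
            path = "offline"
        elif peer.get("CurAddr"):
            path = "direct"    # NAT traversal succeeded: a peer-to-peer UDP endpoint is in use
        else:
            path = "relayed"   # no direct endpoint: packets traverse a DERP relay
        result[peer["HostName"]] = {
            "path": path,
            "relay": peer.get("Relay", ""),
            "routes": list(peer.get("PrimaryRoutes") or []),   # advertised subnet routes
            "exit_node": bool(peer.get("ExitNodeOption", False)),
        }
    return result

def relayed_peers(status_json: str) -> list:
    """Online peers not taking a direct path (worth checking NAT/firewall for)."""
    return sorted(h for h, p in classify_peers(status_json).items() if p["path"] == "relayed")

if __name__ == "__main__":
    for host, info in classify_peers(SAMPLE_STATUS).items():
        print(f"{host:14} {info['path']:8} relay={info['relay'] or '-'} "
              f"routes={info['routes']} exit_node={info['exit_node']}")
```

A peer that stays relayed after a few minutes usually means UDP is blocked or both sides sit behind symmetric NAT; traffic still works but with higher latency.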

Tailscale represents the cutting edge of VPN services, building on the advances in usability and security brought about by the evolving VPN landscape. Even though I had heard of Tailscale many years ago, I never imagined that setting it up would be so easy and take only 5 minutes. We've certainly come a long way!