I’ve been using this in alpha for a while and it’s pretty much flawless. Previously, some of my home services that needed public external access (matrix homeserver, mostly) got there via a reverse proxy on a tiny fly.io instance, but the funnel is far easier to manage. I’m a fan.
It would be really nice if you could use this for non-http protocols. The example that comes to mind is temporarily exposing a dedicated server for some game (normally raw udp connections) to play with friends. Maybe they specifically want to avoid that though.
I work on an open source alternative called zrok. Our 0.4 version will have support for low level tunneling such as TCP/UDP - https://blog.openziti.io/the-road-ahead-for-zrok
The working answer for game servers would be to share the machine to “guests”. Each player would need a Tailscale account and the host needs everyone’s contact information.
I don’t normally post company announcements (and I’m not affiliated with Tailscale). I found this interesting because AFAIK it’s the first service of this exact kind—the ability to self-host behind NAT on HTTPS:443 without your own IP/VPS, terminating your own TLS, using open source local tools. I’d like to see more of this kind of thing. Plus it’s free (and they’ve previously waxed lyrical about how that’s possible).
I believe ngrok can do this. However ngrok does various heuristics to try to make sure you’re not serving illegal content, or just using too much bandwidth.
Pagekite has done this since 2010 and is open source, so you can self host: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-pagekite-front-end-server-on-debian-9
That plus traefik doing letsencrypt is a fully self-contained open source option.
A homelab implementation that I’ve used uses the free cloudflare tunnels and zerotier (but obviously they are free of cost commercial services): https://github.com/khuedoan/homelab
That solution is exactly what this does.
Why not simply run the service on a wireguard network and connect to that? Why pipe your private data through some unknown entity when you don’t have to?
So the public at large can connect to your service?
Then you should run it on a proper server in a proper datacenter!
Why should I when I could use Tailscale Funnel and it’s easier?
This is solely a question of scale, and not everything on the internet has to be scaled for millions of users, any more than every telephone number needs to be answered by a call center.
I keep a copy of my wedding video on a site that is accessible outside my private network (with appropriate credentials), because sometimes I want to show it to others. I don’t want it to be publicly accessible, I don’t want it hosted on youtube which will complain about copyrighted background music, and I certainly don’t need it often enough that it’s worth paying someone else for hosting.
Accepting these sorts of services is, I think, a key to building a more decentralized internet. I’ve been obsessed with availability and uptime forever - I remember bragging posts about uptime on usenet - but actually, those things don’t matter in the way I expect when the set of affected users is small.
How does this compare to ZeroTier? With ZeroTier I can funnel all TCP connections. Does it only support http?
Tailscale Funnel is a proxy built on top of Tailscale to share without needing an endpoint on consumer site (i.e., anyone could access the content). Tailscale is a SaaS version of Wireguard. Wireguard is a better VPN in the similar vein that ZeroTier is a better VPN.
One thing I don’t understand and am too lazy to strace is: why does tailscaled use so much cpu in the background while I’m not even doing any io between the computers?
Not that it necessarily justifies all the resource usage but NAT/firewall punching relies on constant traffic between the nodes to keep the connections open. See this excellent blog post: https://tailscale.com/blog/how-nat-traversal-works/
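The keepalive point in the comment above, as an added example that is not from the thread, from Tailscale, or from the linked blog post: a toy Python model of a NAT's UDP mapping table. The 30-second mapping timeout, the peer names, the external port numbering and the keepalive intervals are assumptions chosen for the simulation; real NATs vary. What it shows is why a hole-punched session dies if the keepalive interval is longer than the mapping lifetime: the mapping does not just lapse, it comes back on a different external port, so the peer keeps sending to an address that no longer maps to anything.

```python
"""Toy model of UDP NAT mappings and keepalives (added example, not Tailscale code).

Assumptions: a mapping lives `mapping_timeout` seconds after the last outbound
packet; a dead mapping re-created by later outbound traffic gets a fresh
external port. Both are simplifications of real NAT behaviour.
"""


class ToyNat:
    def __init__(self, mapping_timeout: int) -> None:
        self.mapping_timeout = mapping_timeout
        self.next_port = 40000          # assumed starting external port
        # (internal host, remote peer) -> [external_port, expiry_time]
        self.table: dict = {}

    def _expire(self, now: int) -> None:
        # Drop every mapping whose idle timer has run out.
        dead = [k for k, (_, expiry) in self.table.items() if now >= expiry]
        for k in dead:
            del self.table[k]

    def outbound(self, internal: str, remote: str, now: int) -> int:
        """An outbound packet refreshes a live mapping or creates a new one.

        Returns the external port the NAT uses for this flow. A mapping that
        already expired is re-created with a *new* port, which is the failure
        mode that bites when keepalives arrive too late.
        """
        self._expire(now)
        entry = self.table.get((internal, remote))
        if entry is None:
            entry = [self.next_port, 0]
            self.next_port += 1
            self.table[(internal, remote)] = entry
        entry[1] = now + self.mapping_timeout
        return entry[0]

    def inbound(self, external_port: int, remote: str, now: int):
        """A packet from `remote` to `external_port` is forwarded only if a
        live mapping matches; returns the internal host or None."""
        self._expire(now)
        for (internal, rem), (port, _) in self.table.items():
            if rem == remote and port == external_port:
                return internal
        return None


def simulate(keepalive_interval, nat_timeout: int, idle_seconds: int):
    """Hole-punch at t=0, then stay idle for `idle_seconds`, sending a keepalive
    every `keepalive_interval` seconds (None = no keepalives).

    Returns (peer_packet_delivered_at_end, keepalives_sent).
    """
    nat = ToyNat(nat_timeout)
    # The hole punch: the peer learns this external port (via a coordination
    # server in a real deployment) and keeps sending to it.
    punched_port = nat.outbound("laptop", "peer", 0)
    sent = 0
    for t in range(1, idle_seconds + 1):
        if keepalive_interval and t % keepalive_interval == 0:
            nat.outbound("laptop", "peer", t)
            sent += 1
    delivered = nat.inbound(punched_port, "peer", idle_seconds) == "laptop"
    return delivered, sent


if __name__ == "__main__":
    for interval in (None, 25, 45):
        ok, n = simulate(interval, nat_timeout=30, idle_seconds=120)
        print(f"keepalive every {interval}s: delivered={ok}, keepalives sent={n}")
```

With a 30 s mapping lifetime, a 25 s keepalive keeps the peer reachable at the cost of a packet every 25 s per peer; no keepalive, or a 45 s one, leaves the peer sending to a stale port. Multiply that per-peer background traffic by the number of peers in the tailnet and you get a plausible floor for the idle activity the earlier comment asks about.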