zlacker

Docker + Immich + Tailscale is the killer replacement to Google & Apple Photos, it's simply that simple

>>oliyou+(OP)
Can you elaborate? What role does Tailscale play? I selfhost and have heard about Tailscale but couldn't figure out how it's used.

>>vvpan+i
Not GP. My guess is that they’re self hosting this at home (not on a server that’s on the internet), and Tailscale easily and securely allows them to access this when they’re elsewhere.

>>AnonC+C
Even if you are self hosting in the cloud or on a rented box, Tailscale is still really nice from a security perspective. No need to expose anything to the internet, and you can easily mix and match remotely hosted and home servers since they all are on the same Tailnet.

>>vvpan+i
In my words, I use Tailscale at home but not for this (yet). Tailscale is a simple mesh network that joins my home computers and phones while on separate networks. Like a VPN, but only the phone to PC traffic flows on that virtual private network.

>>oliyou+(OP)
I want to love Tailscale on mobile, but it conflicts with Adguard and regularly disconnects.

I keep Tailscale but switched over to Pangolin for access most of my self-hosted services.

>>oliyou+(OP)
I don't get the appeal of Tailscale for simple homelab use. I have OpenVPN and it's trivial. Hit the toggle and I'm connected, no fuss.

>>vvpan+i
Tailscale gives me access to my home network when I'm not at home. I can be on a train, in another country even, and watch shows streamed off the Raspberry Pi in my home office.

>>nights+g6
Tailscale uses wireguard, which is better in a lot of ways compared to OpenVPN. It's far more flexible, secure, configurable and efficient. That said, you probably won't notice a significant difference

>>vvpan+i
Tailscale can give you domains + ssl for local services with basically no effort.

>>nights+g6
Tailscale is much more reliable in my experience. OpenVPN isn't very reliable in my experience as a network admin. And IPsec is an abomination.

>>vvpan+i
With tailscale on your server and endpoints you can access the server from anywhere without even having to open any ports. It is like magic.

>>nights+g6
Tailscale (and similar services) is an abstraction on top of Wireguard. This gives you a few benefits:

1. You get a mesh network out of the box without having to keep track of Wireguard peers. It saves a bunch of work once you’re beyond the ~5 node range.

2. You can quickly share access to your network with others - think family & friends.

3. You have the ability to easily define fine grained connectivity policies. For example, machines in the “untrusted” group cannot reach machines in the “trusted” group.

4. It “just works”. No need to worry about NAT or port forwarding, especially when dealing with devices in your home network.

>>vvpan+i
Tailscale routes my mobile device dns through my pile back at the home. I have nginx setup with easy to remember domains (photos.my domain.com) that work when i’m away as well without exposing anything to the open internet.

>>turtle+t4
Any reason you didn't just set tailscale DNS to ad guard? I have set it to controlD

>>Cyph0n+68
Also it has a very rich ACL system. The Immich node can be locked out from accessing any other node in the network, but other nodes can be allowed to access it.

>>turtle+t4
With pangolin you are exposing it otside your private network right? Its public website. That might be undesireable for security.

>>nights+g6
OpenVPN is far from "no fuss", especially when compared to Tailscale.

I like to self host things so I also self host Headscale (private tailnet) and private derp proxy nodes (it is like TURN). Since derp uses https and can run on 443 using SNI I get access to my network also at hotels and other shady places where most of the UDP and TCP traffic is blocked.

Tailscale ACL is also great and requires more work to achieve the same result using OpenVPN.

And Tailscale creates a wireguard mesh which is great since not everything goes through the central server.

You should give it a try.

>>oliyou+(OP)
I'm using it with Dokploy, which takes care of Docker+Tailscale for me, it's quite convenient

>>Jnr+Vo
Why not just use wireguard directly? The configuration is fairly trivial

>>sva_+3x
With Tailscale you don't have to learn anything, you just install apps and click.

One value of Tailscale for a ton of simple use-cases is that people don't have time / don't want to learn.

>>sva_+3x
Wireguard is great, I have personally donated to it and have used Wireguard for years before it became stable. And I still use it on devices (routers) where Tailscale is not supported. But as Jason stated - it is quite basic and is supposed to be used in other tools and this is what we are seeing with solutions like Tailscale.

Tailscale makes it simple for the user - no need to set up and maintain complex configurations, just install it, sign in with your SSO and it does everything for you. Amazing!

>>sva_+3x
Even more trivial with Tailscale, so why wouldn’t I use Tailscale to configure wireguard for me?

>>oliyou+(OP)
So, I wanted to use tailscale for a few local services in my home, but I run a few of them on the same device, and have a simple reverse proxy that switches based on hostname.

Afaict I can't use a tailnet address to talk to that (or is it magic dns I'm thinking about? it was a while since I dug in). I suppose I could have a different device be an exit node on my internal network, but at that point I figure I may as well just keep using my wireguard vpn into my home network. I'm not sure if tailscale wins me anything.

Do other people have a solution for this? (I definitely don't want to use tailscale funnel or anything. I still want all this traffic to be restricted like a vpn.)

>>AnonC+C
I host at home and can access the things at home just fine by having the server as DMZ in the router, or whatever it is called these days. This doesn't really answer what Tailscale does more than port forwarding. If it punches NAT, that sounds like it actually makes you rely on a third party to host your STUN, i.e. you're not self hosting the Tailscale server?

>>nickth+Pb
Why not call it VPN if that's what it is? In your case, it sounds like configuring your "pile" (is that a DNS server, short for pihole maybe?) on your phone would do the same thing, but if the goal is to not expose anything to the open internet, a VPN would be the thing that does that

>>tjpnz+o6
That's called a VPN

Is this like "Band-Aid" that used to be a brand name but now people just use it generically?

>>UltraS+O7
If you don't open ports, how can it reach your internal services to allow you access to them?

>>lucb1e+ug1
by using a wireguard tunnel and NAT traversal

https://tailscale.com/blog/how-nat-traversal-works

>>UltraS+3F1
Ah, by using their servers:

> How do we break the deadlock? That’s where STUN comes in. [...] In Tailscale, our coordination server and fleet of DERP (Detour Encrypted Routing Protocol) servers act as our side channel