How Tailscale Makes Managing Wireguard Easy

Captions
Tom here from Lawrence Systems, and we're going to talk about Tailscale. Now, I just did a video on Tailscale versus ZeroTier; I'll leave that link down below. I'm also aware of the other project that's referred to as Headscale, that somehow ties into the Tailscale clients. I will leave a link to that GitHub project for those of you interested in it, but it's out of scope of this video. I am aware that it exists, and I will leave links to it for those of you that would like to play with it. It is currently not on my roadmap, and also because I have not deployed commercially, outside of just my lab and testing, any type of Tailscale deployments.

My reason for doing this video is, well, I compared it to ZeroTier, thought I'd do a dedicated video just to bring up exactly what Tailscale is, for an explainer, and just because a lot of people seem to like the project and have mentioned it to me. I know a lot of IT people said they like it, so I've heard good things about it; that is basically where we're at. And of course I did my testing; I found it relatively easy to set up. But I do want to make sure it's clear: Tailscale has nothing to do with this video. It's totally sponsored by me; the opinions are my own. I've not reached out or talked to anybody at Tailscale. I did tag them on Twitter when I posted the video the other day and they retweeted it, so there's that. That's my complete affiliation with them, just so we're clear up front of this video.

Now we are going to talk about a few of the details, a few of the service offerings, and of course security concerns I have with this and really any other product. I brought that up in a previous video, but I will be repeating that a little bit in this video just to make sure we're clear on where all that stands. Before we dive into those details, first, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project such as network consulting, there's a hiring button right at the top. If you want to support this channel in other ways, there's affiliate links down below to get you deals and discounts on products and services we talk about on this channel.

Now the first question I want to answer is how Tailscale works, kind of a general overview, but don't worry: if you want to dive deep into everything, it is a very well documented system here. So Tailscale solves the problem of connectivity with WireGuard, but it doesn't work like a normal VPN system. Now I have videos about WireGuard and how to configure it manually, and for those of you that have not watched that, it's a little bit more in-depth and it's not something that maybe the average dabbling user would say is easy. Now that's very subjective, whether or not something is easy to set up, but WireGuard is just a protocol and not necessarily a tool to manage users and devices easily. It does allow for easy management with other tools, and that's what Tailscale is: a tool that sits on top of WireGuard to solve connectivity issues.

They have demos of what a traditional VPN gateway might look like, where you have clients on the outside, some servers on the inside and a subnet; everything traverses into this traditional gateway. The way it works, and we'll jump right over here to, so to speak, like the node here: the WireGuard protocol that they use allows it to add an extra network interface on each node that you add. Tailscale does all the orchestration to allow all these nodes to figure out where they are, and we'll cover that when we get to the demos. Each of these nodes can talk to another node. Essentially it's like having a statically assigned address: no matter where these nodes wander around, whether it's double NATed, triple NATed, whether they move between networks, it is always able to find them at that same node address that Tailscale assigns the devices. This is an important aspect to how this works, and it will automatically, as the picture depicts here, just connect to the node and figure out the best path traversal to get there.

Now this does not require any firewall rules; this does not require any special settings. Tailscale takes care of that for you. How does it do such magic? Actually this is a really solid write-up here; this is just great reading if you want to understand NAT traversal and how that works. They dive deep into NAT traversal as a topic, including how their servers work, and especially some really interesting things when they're talking about picking at hard NAT, what they mean by each of those. Everything you ever wanted to know about NAT: they've done a good job of explaining, and explaining how they absolutely figure out how it's going to work.

So one of the things they have in here as well, for people asking, like CGNAT: here's your double NAT situation. But one of the clever ones that they can do, and this is when you're doing carrier-grade NAT, is create a loop between two separate home routers within the same carrier-grade NAT, that it's able to get through a series of this NAT traversal trickery that they use. It's well documented; it almost looks like magic, but you can read through and document how it works. They're able to, without leaving the carrier to the greater internet, get these devices talking to each other. My demo I set up is going to work a little bit like that, but in the case that there was no connectivity between there, it does offer relaying, and all this is done completely behind the scenes and facilitated by the Tailscale system. We'll do a demo on how fast that works.

Of course the next question that people want to know is pricing, and I do have that pulled up here. This pricing is as of right now, August of 2021, and things can change because that's life and prices change, but this is what they do have. If you are wanting to get started, it's one user, 20 devices, one subnet, secure peer-to-peer connections, SSO, MFA, sharing, MagicDNS and more. So, pretty good feature set for hobbyists or people who want to get started with it; easy enough to do.

Of note: supported SSO identity providers. I like that they put this on here, and this is an important thing to think about. They do not have, like, your own identity management that they're doing inside of here; they rely on you signing up with a third party to do this. So they do support that, but note, however, that Tailscale never handles authentication itself. You can enable these like MFA features with your identity provider. This kind of gets them away from dealing directly with identity management, and they do say right here: we do not sign up with email addresses by design. Tailscale is not an identity provider; there are no Tailscale passwords, account recovery, etc. I actually kind of like that they've done this; it puts them away from it. So they are supporting all these different SSO providers and not dealing with usernames and passwords themselves. I've no problem with that, but it's something to note in case you're wondering how you sign up: if you're signing up for the free tier, a Google account will work, a Microsoft 365 account will work, any of those identity management ones, or you can also use a GitHub account to sign up.

Next question: what does Tailscale work on? Well, Tailscale has clients for Windows, macOS, iOS and Android, so they've covered the major, most common things that you'll run this on, but they have Linux support, which is really enough to say all right. And when you go to the instructions, this gives you quite a wide variety of devices, because they don't just support one version of Linux; they support everything from the Amazon, Arch, CentOS, Debian, Fedora, SUSE, Oracle, Red Hat, Raspberry Pis. So yes they do have, if you want to include Raspberry Pis in this, because that's running on an ARM processor, they do have the ones specifically for that. So it's not just Linux but also Raspberry Pi's specific version of Linux, or specific compilation there, and they do have the 32-bit and 64-bit variants.

Now once you've downloaded the client, whether it's for Linux or Windows, it generates a little URL when you follow the instructions, after you say tailscale up in Linux or load the Windows client. Really straightforward, and then it joins you to the dashboard here. Now the dashboard is pretty straightforward and simple: here's all the statically assigned IP addresses that Tailscale assigned to each of these nodes, and this is pretty automatic. The "all" or "external" is an interesting feature of Tailscale; the external ones are when you share a device somewhere else, and you can click on this. So I have my Debian lab 1, lab 2, my Windows 10 lab; I've been testing this across a couple different things here. If I just want to say, all right, we're going to say edit machine name, review route settings, because you can build routes between there; but share the machine would allow you to share it with someone else, as in someone else with a Tailscale account, and you want to have your machine also available to them in that account. I think this is a neat feature: if you have a friend using Tailscale, if a couple of home users want to be able to share one device in another network but not give them access to everything, you can share and have access to it.

The services list is also interesting, because what this allows you to do is see the services that Tailscale has on the nodes running, as in what it sees running. So I have iperf that was running on this one and doing some speed tests; we'll do that in the lab here. SSH is running, so it sees these IP addresses, it can scan for services and say what is available on there, and you can then click, like, copy SSH command. Kind of neat.

Now what about access control? Yes, they do have ways you can create rules between the devices. So this goes a little out of scope for diving into exactly how to create those rules; I don't use Tailscale commercially, so I've never really played with it, but they have, once again, plenty of documentation on exactly how to create everything from ACLs to breaking down all the little traversal rules that you want, of exactly how you want the nodes to be able to communicate with each other. So they've completely covered all of that in here. They also have some DNS things that you can do; said once again, it gets a lot out of scope. It's called their MagicDNS, to register unique domain names, or you can also push your own domain name servers in there, which may be something that you want to do when you're dealing with a decentralized network, essentially, like this creates. You can get really creative with all this is kind of my point down here. All right, now just by default all the nodes can talk to each other, so we left everything at default for this lab we're going to set up here.

Now let's talk about the lab. Here's a little diagram of how the systems in our lab will be set up and how we're going to do the testing. Here is one cloud server that's actually sitting in DigitalOcean, connected to the internet of course. Then here's our firewall at the office; here's a lab firewall we have at the office. So we have this firewall, this firewall, this firewall, so we've double NATed this and put it behind two firewalls, and this is on a separate network: this is on the 192.168.3 network, this is on the 172.16.69 network. And matter of fact, let's put this little dot dot in here: this can communicate with this, so that I'm able to ping from Debian lab 1 over to Debian lab 2, but the reverse isn't. Sure, that's why I put the little arrow on here to represent that it's kind of a one-way street. I did this on purpose, because this is something clever that Tailscale can do: because each of these devices, that's what these red dots represent, are beaconing out to Tailscale, Tailscale then uses (see the traversal article that I will be linking to, that I mentioned earlier) all the NAT traversal tricks it can to figure out the best way for all these different nodes to communicate to each other, and it does this very fast and dynamically. So we're going to actually break the connectivity and show how it can recover very quickly and choose a different route, and when no route is available, which is including things we're going to break, so we're going to make sure that these two devices cannot communicate with each other, it will then result and fall back to relaying. So that's one more trick it has up its sleeve: if for some reason, in this case the reason being I create firewall rules that block these devices from acknowledging each other in any way, then Tailscale will relay it off of one of their external relay servers, and that'll be part of the demo. That's what this right here is: right now there exists a rule that does allow these to talk to each other, and then we'll actually put a block rule in that says no, they can't talk to each other. But please note these are the different node IP addresses, so the Tailscale IP will be the same, 100 102 68.99, and then each of these has a local IP address. Screenshot if you want, but trust me, I'm doing all of these to show back and forth how it pings.

Now we go back over here to the demo. I've split the screens up using tmux here, so we can show: here's the Debian lab cloud, here's the Debian lab 2. The Debian lab 2 is the local one in my building here. And then to see the connections on any device, and this does work in Windows as well, it's tailscale status. Windows has a little UI that shows it in the bottom corner, same concept when you're doing this, but tailscale status talks about the connection. Now we're going to watch the connection, literally watch -n1, which says update every second, the tailscale status. So right now we're going to ping Debian lab 2's local address, make sure we can ping it; that's this computer up here, and we can ping the local IP address, proving that we have connectivity. Now the opposite is not true: this is not able to ping back to this particular computer's address. We can do ip a, and it's 40.39, a completely different subnet, and if we try to ping it, it's going to fail. And if we try to ping 3.217, that firewall that it's behind, it's also not allowed. We've isolated this on a network, which means it's essentially, like we said, one-way communication. So now we're going to go ahead and ping, clear, ping 192. Oops, actually we'll do it: Debian, and we'll say lab 2 Tailscale IP address, which is that 100 119 2115, and you can immediately see it created an active direct connection from this computer here through that firewall and is now talking to it over the IP address, and we can see the data flowing back and forth. Matter of fact, we can actually run iperf in here, so we'll set this up as an iperf server, -s, so it's listening, and we'll do iperf3 -c for client, and we'll say wn lab2 Tailscale, and we're able to get pretty reasonable speeds on here, just under 300 megabits here, so not bad.

What if we went local? I'll bring this up because if we contacted local IPs, what is the potential that you could get across this network? Well, these, because of the devices they're routing through and the layers they're going through, it's only at one gig right now connectivity between them. So yes, they're able to talk at one gig with the overhead of Tailscale on this local network; they're able to talk at the speed of these machines and how it's configured, pretty reasonable speed right now, and just under 300, so not bad in terms of speed. And you're not always going to run into that where they're on the same network; you're more likely dealing with devices that are in the cloud, and it's not going to be absolutely the fastest transfers. But there are some limitations based on CPU usage and things like that that you'll run into, but that's these machines here. I'm not going to get too deep into it, because testing every scenario and every machine for their speed and what WireGuard can do on each machine is going to vary. Just an FYI, it's not a speed test video, just connectivity.

Now this active connection that we have here we're going to break. Now, by the way, even though we have this active connection, if we wanted to say let's talk to this lab 1, we can't get to it via its local IP, but just so you know, while that connection is established I am able to, whoops, gotta type ping right, ping it; it has no problem connecting to it even though, as I pointed out, it can't connect to the firewall or anything else. But back over to the point here: we're going to show how it breaks the connection and how it's going to move into relay mode. So actually turn iperf3 back on, so we were getting, you know, about 300 here, and that's for server. So let's go back over to here, and this is the rule that I have inside of pfSense, well, rule created but not enabled, so you can enable that rule. Now of note, depending on the firewall you're using, having the rule doesn't necessarily mean it will automatically stop communicating. Matter of fact, I'm willing to bet that it's still working, an active direct connection. And just for those of you that aren't familiar with the way firewalls work, you have states that are created, and there's those states that we have, and we want to make sure we kill those states off. Make sure I'm able to just kill them like this. There we go, filter. All right, no more states: just want to filter them, find them, destroy all states that were between there, and now there is no more way for it to communicate. We have force blocked it, and that's what expires those states out, was me forcing. They'll die over time, but sometimes when you create a rule, unless you have your firewall configured to immediately kill those states, they will stay up a little bit longer. All right, the rules are reloaded, the connection is set to relay. So now if we do that same speed test, we're going out to their relay, and it says nyc, also means New York City, so it's relaying out and coming back in, which gives us a much lower connection speed. It's probably hitting, probably like I said, just under 20 here, but I also have restrictions on my network, so my lab stuff can't take up too much bandwidth. Matter of fact, if we go to the cloud here and we do another iperf test, iperf3 -c client, and it will be Debian cloud Tailscale, it's able to go out hitting very similar speeds. But let me show you what happens when we hit the public IP of it, and it's a little bit faster. Oh, there's those drops again, back down slower. There's speed restrictions on here when it leaves my network and goes out to the main internet; like I said, it's a bandwidth restriction we have internally that we're doing, so it's actually able to go faster, but restrictions will keep it from going faster here. So mileage may vary; two factors are of course how fast is your ISP's internet, how fast is the internet on the other end, and how fast is the machine to be able to handle all the WireGuard packets.

But back to these connections here. So we have another active direct connection here; this one's in relay. This is the part that I found really interesting, and I kind of have to split the screen to do this. We're going to go ahead and get this rule ready to be applied; we're not applying it just yet. Let's go ahead and kick off a speed test while we're doing it, so I want to do it under load, so to speak. So iperf3 -c w lab 2 Tailscale, so we're doing the speed test here, apply changes, and it's taking a while in the background, pfSense reloading the rules, and instantly it says nope, we're able to go direct again. It's kind of neat how fast Tailscale was able to switch that. I was playing with a few different scenarios on here; I just want to cover this one for the video here, but as fast as you set these rules, it is able to re-establish those connections. So I was overall impressed with that particular feature, being able to go through, change rules, kill it, change it actively, and I didn't have to do any service stops, reload, or wait a few minutes; literally seconds later it was able to figure out the best connection and redo that connection back to direct from relay. So overall I thought that was pretty impressive with there, and pinging other devices was not a problem either. So if we go and we'll go ahead and ping this one, and once again instantly establishes; this is yet on another subnet again that I have the Windows on; it's on the 10.13.37 network, and no problems, it is able to establish that. By the way, the 10.13.37 network has no access back either at all, so it's able to traverse this, and you can do the same if I wanted to initiate from the Win10 lab network, because Tailscale's figuring out the best way to traverse all of these all the time. So my overall, on any of the testing I've done in my lab: pretty impressed, it seems to work quite well. Now that's all fine that I tested in the lab, and as I said to begin the video, I have not tested this commercially, and my thoughts are, though, after testing it in a lab and breaking things, and of course putting a few out in the cloud and going back and forth and playing with it just the last few days for the first demo that I did with ZeroTier, and of course the demos I'm doing right now, I think it's a pretty solid product in terms of functionality and how it works.

Now let's get to the security topic, because I don't want to leave you with that being unanswered. My thoughts on security: using WireGuard is a great idea; WireGuard is a great, well-vetted VPN protocol. They don't use the keys inside of Tailscale, and what I mean by that is Tailscale does not have access to the device node keys, so that means they don't have visibility into the traffic that's going there. They know that there is traffic between node A and node B, or any combination of them, but they cannot see within the traffic, so that's great for security. Where there is potentially your threat surface with these type of services, and specifically Tailscale, but this is more than just healthcare, I mentioned this one in the other video with ZeroTier: is if someone were to take over that control plane, someone else gets your single sign-on and gets into your Tailscale, people could add other nodes. If those nodes are malicious, then that could be a problem, not to mention if any of your nodes become compromised. That's the threat surface you always have to think about, that if you have deployed this as a solution because, well, it's easier than setting up a VPN when you have a lot of people doing the work-from-home and you want them all to have connectivity: if one of those nodes goes bad and you don't have ACLs that say no on talking to each other, then that could be an attack node. That still doesn't really change from other VPN solutions from that aspect, but the thought of someone getting control of the control plane and adding potentially bad nodes in there, that's something that has to be considered.

Now one thing to say about that: IP authentication, or just knowing the IP address and being within the network, that's just a layer that you're protecting against, and obviously if they get inside, one layer is peeled away, but it should not be the only layer of security you have. I say it like that because let's say you have Tailscale tied to some type of line-of-business application, or whatever it is, the thing you want to have access to, your server of sorts that runs whatever things you want. Generally speaking, you're not going to accept any connection; you're going to accept connections that have been authenticated with username, password, or whatever challenge-response setup you have, in addition to. So it's just something to think about. It does overall make a pretty secure setup, because you don't have to open up any firewall ports or do that configuration, but there is of course that risk of, if someone gets a hold of the control plane itself, adding those bad nodes. But you should be mitigating that just in general, having usernames and passwords, the same thing with VPNs, where VPNs keep people from being able to see some of those privatized applications, but once you're in with the VPN you generally still have to authenticate again.

Now this gets more complicated if you have a lot of Windows nodes, because the recent 2021 discoveries in Windows that allow people to kind of easily, as of right now in August of 2021, escalate things, especially things like PrintNightmare, and there's a lot more that can go wrong than we realized previously, or maybe some of us that worked in security kind of knew there was something hanging out there with it. So there is a lot of different things and considerations on there, but that just goes out of scope of this video and topic. It's not really a Tailscale problem; it's a "hey, how do you deal with someone getting on the network and being able to get to your domain server, and do you have all the different services disabled that are potentially problematic?" That's a topic for a different discussion, just the thought about security in general.

Overall, despite not using this commercially, all my testing with it has gone well. I think it's a pretty neat product, and hey, you can't beat the price of free to check it out and test it out for yourself and see if it's a solution that works for you. As I said, these are my own thoughts; I have no affiliation directly with Tailscale. There's no offers, there's no affiliate link, there's no nothing to sign up. If you're interested, click their single sign-up systems and external identity management system and sign up for an account, and delete it if you don't like it. That's about it. All right, thanks, and to have a more in-depth discussion about this, I can be reached over in the forums, or say hi on Twitter. All right, thanks.

All right, Tom here wanting to add one more little piece of information, just so we're clear on this. The lab systems are running on the same server, and this server is an Intel Xeon E5-2670 at 2.6 GHz. Each of these does have 16 cores assigned to them, and I wanted to do that because of the speed test thing and show you what it looks like with the cores. So first we're going to do a local: I have them on the same network right now, not through any firewall, so essentially direct connecting and not using Tailscale; they're able to achieve about 15 gigs a second between these two servers. But when we go back to Tailscale, and even though they're local and on the same thing and these can talk at that rate, we're only getting here that same number, right around 300, and this is what the processor usage looks like when you're doing that. I just wanted to add that little bit. I didn't try every possible scenario, but I figured 16 cores with this Xeon processor is quite a bit of horsepower to add to it, and I tried bumping the cores up; it was the same at four cores, it's the same as 16 cores, the transfer rates aren't really any different here. And just so we're full disclosure on how it's done: tailscale status, there's the connection, active, direct, connected by 14, and we'll do this right here, ip a, and you'll see that this one is assigned that 172 14. So just to be clear on the testing side of it, 16 cores each assigned to this and still no faster speed than that, despite the ability of these two on this; currently for this they're on the same subnet, able to talk to each other at the 15 gigs. It seems to me it just stops at about 300 megs a second versus the 15 gigabits it actually is capable of. Just wanted to add that in there for those asking, but yeah, these are the hardware specs right here: it's the Intel Xeon E5-2670, and hopefully that helps if you're curious about some of the specs in the lab equipment we're using. All right, thanks.

And thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the hire us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
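As an added example (not from the video and not Tailscale's own code), here is a small Python check in the spirit of the watch -n1 tailscale status loop used in the demo: it reads two constructed snapshots of tailscale status --json output, reports which peers dropped from a direct path to a relay (the fallback the firewall rule forces), and flags any node not on an expected-node list, which is the control-plane concern raised in the security section. The JSON field names ("Peer", "HostName", "TailscaleIPs", "Online", "Active", "CurAddr", "Relay") are my assumption about the format, and all addresses are constructed.

```python
"""
Check over `tailscale status --json` output: classify each peer's path as
direct, relayed, idle or offline, report path changes between two snapshots
(the direct -> relay fallback the demo forces with a firewall rule), and flag
any peer whose hostname is not on an expected-node list.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample snapshots, not real output. The field names follow my
# reading of the JSON status format and are an assumption; the 100.64.0.0/10
# addresses are the CGNAT range Tailscale assigns, endpoints use documentation ranges.
SNAPSHOT_BEFORE = """{
  "Self": {"HostName": "debian-cloud", "TailscaleIPs": ["100.64.0.1"]},
  "Peer": {
    "nodekey:01": {"HostName": "debian-lab2", "TailscaleIPs": ["100.64.0.2"],
                   "Online": true, "Active": true,
                   "CurAddr": "203.0.113.7:41641", "Relay": "nyc"},
    "nodekey:02": {"HostName": "win10-lab", "TailscaleIPs": ["100.64.0.3"],
                   "Online": true, "Active": false, "CurAddr": "", "Relay": "nyc"}
  }
}"""
SNAPSHOT_AFTER = """{
  "Self": {"HostName": "debian-cloud", "TailscaleIPs": ["100.64.0.1"]},
  "Peer": {
    "nodekey:01": {"HostName": "debian-lab2", "TailscaleIPs": ["100.64.0.2"],
                   "Online": true, "Active": true, "CurAddr": "", "Relay": "nyc"},
    "nodekey:02": {"HostName": "win10-lab", "TailscaleIPs": ["100.64.0.3"],
                   "Online": false, "Active": false, "CurAddr": "", "Relay": "nyc"},
    "nodekey:03": {"HostName": "unknown-node", "TailscaleIPs": ["100.64.0.9"],
                   "Online": true, "Active": true, "CurAddr": "", "Relay": "sfo"}
  }
}"""
# Hostnames the operator expects to see in the tailnet (constructed list).
EXPECTED_NODES: Set[str] = {"debian-lab1", "debian-lab2", "win10-lab"}


def classify_peers(status_json: str) -> Dict[str, dict]:
    """Map hostname -> {"ip", "path"}; path is "direct", "relay:<region>",
    "idle" or "offline"."""
    status = json.loads(status_json)
    result: Dict[str, dict] = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        ips = peer.get("TailscaleIPs") or []
        if not peer.get("Online", False):
            path = "offline"
        elif peer.get("CurAddr"):
            path = "direct"            # a concrete ip:port endpoint is in use
        elif peer.get("Active", False):
            path = "relay:" + (peer.get("Relay") or "unknown")  # traffic via a relay
        else:
            path = "idle"              # online, but no recent traffic, so no path chosen
        result[name] = {"ip": ips[0] if ips else "", "path": path}
    return result


def path_changes(before: Dict[str, dict],
                 after: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(host, old_path, new_path) for every peer whose path differs between snapshots."""
    changes: List[Tuple[str, str, str]] = []
    for name in sorted(set(before) | set(after)):
        old = before.get(name, {}).get("path", "absent")
        new = after.get(name, {}).get("path", "absent")
        if old != new:
            changes.append((name, old, new))
    return changes


def unexpected_peers(classified: Dict[str, dict], expected: Set[str]) -> List[str]:
    """Hostnames present in the tailnet that are not on the expected list."""
    return sorted(name for name in classified if name not in expected)


if __name__ == "__main__":
    before = classify_peers(SNAPSHOT_BEFORE)
    after = classify_peers(SNAPSHOT_AFTER)
    for host, old, new in path_changes(before, after):
        print(f"{host}: {old} -> {new}")
    for host in unexpected_peers(after, EXPECTED_NODES):
        print(f"unexpected node in tailnet: {host} ({after[host]['ip']})")
```

In a real loop the two snapshots would come from successive runs of tailscale status --json on the node, with the unexpected-node list feeding whatever alerting you already use.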
Info
Channel: Lawrence Systems
Views: 22,319
Keywords: LawrenceSystems, tailscale, tailscale vs zerotier, tailscale tutorial, tailscale setup, tailscale wireguard, tailscale review, tailscale raspberry pi, tailscale ios, wireguard vpn
Id: bcRVkoeSN0E
Length: 27min 52sec (1672 seconds)
Published: Fri Aug 13 2021