This is super hot. I had been relying on the excellent, but seemingly abandoned, TSDProxy. Happy to see an equivalent come in-house.

https://tailscale.com/blog/services-beta

tl;dr: expose a particular service on your tailnet, with full ACL grant support.

So, I could have Tailscale expose…

https://n8n.fancy-name.ts.net/

…with full TLS/SSL and ACL support, even though in actuality the _real_ address for this service is

http://synology.fancy-name.ts.net:8089/

Very cool.

Tailscale Services: Define resources on your tailnet, with granular controls

Tailscale Services is a new way to define available resources on your network and expand the granularity of your access controls to resources that may not have Tailscale installed on them.

I don't _love_ that this requires serving devices to be tagged (and thus no longer user-owned), but I do understand it. Makes me a little nervous to dive in, though. 🫣

Update: I have now switched over all the services on my Tailnet that were previously hosted by TSDProxy to the new Services approach that @tailscale debuted this week, and it's 😗👌🏻

Had no issues switching my Synology from user-owned to tagged, either.

Recommended for those of you running internal services on your Tailnet.

@caseyliss @tailscale It's on my to-do list for this evening. I'm just upset that I'm learning about TSDProxy just now. 😵‍💫

@jxmullins You gotta pay attention to @ironicbadger! He knows all the good shit!

https://www.youtube.com/watch?v=5lJrXEXF8eM

No more docker sidecars! TSDProxy for Tailscale

@caseyliss @tailscale I was literally waiting for your follow up before diving in, glad it was a solid launch. Making these sorts of changes always gives me a ton of anxiety.

@caseyliss @tailscale Do you think this will help exposing Plex as a "local" machine into my tailnet, to allow for streaming from anywhere (which is only allowed -- by default, without a subscription -- on your local LAN)?

@leoncowle Potentially? But I'm not sure what this would get you over just using your tailscale IP, other than a cutesy FQDN.

@caseyliss @tailscale I did attempt this yesterday with one service. It *appeared* “successful” but didn’t actually work so I ended up rolling it back.

@ccunning Oh? I've had no issue across 14 services. Wonder why.

I will say that the first one or two times you make a request, it's doing the LetsEncrypt SSL dance, and seems like your service is just ghosting you. Give it a couple minutes and then it's good.

@caseyliss I’m sure it was user error - I’ll probably give it another go eventually. Maybe after it’s less new and there are more how-tos. My documentation literacy is low.

@caseyliss Ok - I swear I did the exact same thing as yesterday, but today it’s working.

@caseyliss I just found out @tailscale is a Canadian company, much more likely to look into using their services now.

@caseyliss I'd love for you guys to explain on ATP what exactly this does.

@caseyliss That's an immediate turn-off for me, I do run services on tagged devices but tagging my home servers would completely mess a load of things up for me. I'm happily using my own domains with a mix of Cloudflare Tunnels for public stuff and Caddy for my internal stuff so I see no reason to change that.

@lnlyssg Genuine question: why do you say that'll mess things up?

I ask because that was *definitely* my gut reaction as well. But I can't put my finger on anything I think would *actually* get hosed up…?

I'm not sure if my gut reaction was wrong or if moving to tagged is a ticking time bomb.

@caseyliss I’d need to put a ton of ACL rules in place.

Edit: which isn’t insurmountable but having switched a device from my ownership to tagged in the past it was quite a lot of work, especially finding every single port I needed etc.

@lnlyssg So for me, I only *just* started sharing my very first node. That, coincidentally, is my primary host device.

That said, I think I can get everything locked down pretty quickly/easily. And I'd argue it shouldn't really be necessary anyway, since the node is basically wide-open [internally] right now.

I think I sound like I'm arguing; apologies if so! I'm really trying to think through my own situation out loud, and I'm worried I'm about to make a grave mistake, haha

@caseyliss As an example of one of the ACL rules I had to put in place… this is a VPS that runs Grafana and a host of monitoring tools. As it’s a VPS I wanted to ensure it was quite locked down so it could only access what it needed. If you’re less paranoid than me you could just put a simple ACL rule in place for all ports of course.

@lnlyssg Yeah, I gotcha. I think we're saying the same thing, actually. 🍻

This is helpful; thank you!

@caseyliss Can you help me understand ‘no longer user owned’? Tailscale needs admin level perms in Synology DSM?

@jon_alper no no; this is a Tailscale thing.

Basically a node is either owned by a user or owned by a tag. Infra is generally considered to be tagged; actual user machines are owned.

This is basically all about Tailscale Access Control Lists (ACLs) and how they manage access between nodes.
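As an added illustration of the owned-vs-tagged point (my own example, not from the thread and not Tailscale's code): a deliberately simplified Python model of how ACL grants decide reachability. It assumes a constructed tailnet with made-up node, user and tag names; port 8089 is the Synology backend port from earlier in the thread, and the rule that a user reaches their own nodes via `autogroup:self` but a tagged node only via an explicit grant is what the "finding every single port" pain above comes down to.

```python
# Added example: simplified model of Tailscale grant evaluation (not Tailscale's code).
# Node, user and tag names below are constructed for illustration.

def selector_matches(selector, owner, src_owner):
    """Match one src/dst selector against a node's owner (a user login or a tag)."""
    if selector == "*":
        return True
    if selector == "autogroup:member":
        return not owner.startswith("tag:")          # any user, never a tag
    if selector == "autogroup:self":                 # dst owned by the same user as src
        return not owner.startswith("tag:") and owner == src_owner
    return selector == owner                         # exact user login or tag:name

def port_matches(ip_list, proto_port):
    """'ip' entries look like '*', 'tcp:*' or 'tcp:8089'."""
    proto = proto_port.split(":")[0]
    return any(p in ("*", f"{proto}:*", proto_port) for p in ip_list)

def can_reach(policy, nodes, src, dst, proto_port):
    """True if any grant admits src -> dst on proto_port; grants only ever add access."""
    src_owner, dst_owner = nodes[src]["owner"], nodes[dst]["owner"]
    for g in policy["grants"]:
        if (any(selector_matches(s, src_owner, src_owner) for s in g["src"])
                and any(selector_matches(d, dst_owner, src_owner) for d in g["dst"])
                and port_matches(g.get("ip", ["*"]), proto_port)):
            return True
    return False

def tag_node(nodes, name, tag):
    """Return a copy of the tailnet with one node switched from user-owned to tagged."""
    updated = {n: dict(v) for n, v in nodes.items()}
    updated[name]["owner"] = tag
    return updated

POLICY = {
    "tagOwners": {"tag:server": ["autogroup:admin"]},
    "grants": [
        # Users keep full access to every node they own.
        {"src": ["autogroup:member"], "dst": ["autogroup:self"], "ip": ["*"]},
        # Tagged servers expose only the backend port the service needs.
        {"src": ["autogroup:member"], "dst": ["tag:server"], "ip": ["tcp:8089"]},
    ],
}

# Constructed tailnet: both nodes start out owned by the same user.
NODES = {"macbook": {"owner": "casey@example.com"},
         "synology": {"owner": "casey@example.com"}}
```

Once the Synology is tagged, `can_reach` still admits tcp:8089 through the second grant but denies tcp:22, which is exactly the port-by-port inventory the thread describes having to do.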

@caseyliss As a basic-ass tailscale user I really have no clue what implications this has buuuut I think maybe I’m shelving this idea for now 😅

@ccunning Honestly I think I'm clutching pearls for no reason.