Casey LissOct 28

This is super hot. I had been relying on the excellent, but seemingly abandoned, TSDProxy. Happy to see an equivalent come in-house.

https://tailscale.com/blog/services-beta

tl;dr: expose a particular service on your tailnet, with full ACL grant support.

So, I could have Tailscale expose…

https://n8n.fancy-name.ts.net/

…with full TLS/SSL and ACL support, even though in actuality the _real_ address for this service is

http://synology.fancy-name.ts.net:8089/

Very cool.

Tailscale Services: Define resources on your tailnet, with granular controls

Tailscale Services is a new way to define available resources on your network and expand the granularity of your access controls to resources that may not have Tailscale installed on them.

Show threadCasey LissOct 28
I don't _love_ that this requires serving devices to be tagged (and thus no longer user-owned), but I do understand it. Makes me a little nervous to dive in, though. 🫣
Show threadJimOct 28
@caseyliss That's an immediate turn-off for me, I do run services on tagged devices but tagging my home servers would completely mess a load of things up for me. I'm happily using my own domains with a mix of Cloudflare Tunnels for public stuff and Caddy for my internal stuff so I see no reason to change that.
Show threadCasey LissOct 28

@lnlyssg Genuine question: why do you say that'll mess things up?

I ask because that was *definitely* my gut reaction as well. But I can't put my finger on anything I think would *actually* get hosed up…?

I'm not sure if my gut reaction was wrong or if moving to tagged is a ticking time bomb.

Show threadJim

@caseyliss I’d need to put a ton of ACL rules in place.

Edit: which isn’t insurmountable but having switched a device from my ownership to tagged in the past it was quite a lot of work, especially finding every single port I needed etc.

Oct 28 at 4:38pmWeb
Show threadCasey LissOct 28

@lnlyssg So for me, I only *just* started sharing my very first node. That, coincidentally, is my primary host device.

That said, I think I can get everything locked down pretty quickly/easily. And I'd argue it shouldn't really be necessary anyway, since the node is basically wide-open [internally] right now.

I think I sound like I'm arguing; apologies if so! I'm really trying to think through my own situation out loud, and I'm worried I'm about to make a grave mistake, haha

Show threadJimOct 28
@caseyliss As an example of one of the acl rules I had to put in place… this is a VPS that runs Grafana and a host of monitoring tools. As it’s a VPS I wanted to ensure it was quite locked down so it could only access what it needed. If you’re less paranoid than me you could just put a simple acl rule in place for all ports of course
Show threadCasey LissOct 28

@lnlyssg Yeah, I gotcha. I think we're saying the same thing, actually. 🍻

This is helpful; thank you!