> Finally, the new Tailscale client allows an Apple TV to be an exit node itself for other machines in your tailnet.
Pretty huge. Many non-techy users don't like the idea of keeping a computer on 24/7, but a smart TV is just fine.
Also, the Apple TV 4k only draws 0.5 watts at idle and less than 3 watts when streaming movies[0], so I imagine it pulls less than 1 just tunnelling traffic. Computers pull 15W+ at idle, and that's with low end components.
Can second the recommendation for the Mango travel router. I always prefer to take the VPN out of the “hands” of the client device to avoid any leaks. With 2 such devices connected via Wireguard VPN any other device I connect to that client router’s WiFi is safely communicating through that VPN. A sort of site to site VPN that works for devices that could never otherwise use a VPN client.
But of course this is a different use case and not always an option. Not if you want to use Tailscale. Probably unless that Apple TV is already connected to one of this “VPN WiFi” with Tailscale on top (no idea what the functionality or performance impact is).
also seems to work with 'tailscale up --advertise-exit-node' if you ssh into the router instead of using admin console.
addsubtract 304 days ago [-]
Ordered one - I will be traveling and would be nice to switch exit nodes as needed while on the go. Not that I need to hide the fact I’m out of country, but seems like a good way to connect up the work laptop to appear on my home IP.
Anyone using glinet routers for that purposes and have any tips?
close04 303 days ago [-]
I don’t use it for work but on every trip I am actually connecting “at home”. I have a WG server at home (you can use one glinet as an easy to configure VPN server) and a travel glinet as the client. Whenever I reach a hotel I connect the client glinet to the hotel hotspot (or cable), it connects to the home VPN, and all my devices connect to this client glinet WiFi and through that VPN tunnel. Everything is seamless with the only manual step being to connect the travel router to whatever internet pipe provided.
The Mango I have is on the slow side, specs say max 45Mbps over WG as a client, and I measured ~25Mbps when using a Mango as the server. But it’s tiny and very low power so perfect for travel.
matthewaveryusa 303 days ago [-]
Yes. I've traveled abroad and connected my work laptop to our home server through the glinet so I wouldn't need to deal with any hassle of having a foreign IP address even though I disclosed my location to my employer. In fact I keep my work gear always connected to the glinet, even at home.
No tips, it just works, but test it out before you leave for your trip!
I had not convinced the use case of using this as an exit node. Fuck this simplified so much.
copperx 305 days ago [-]
Tailscale also runs on Android TV. If you don't have an Apple TV and want a cheap device just to have an exit node, you can buy a $20 Android TV thingy.
vosper 304 days ago [-]
Beware that a lot of cheap Android TV boxes come pre-loaded with heaps of malware. You don't want them in your network.
That's true. However, Walmart's $20 Onn 4k Streaming Box has no malware, apparently.
metadat 304 days ago [-]
I abandoned the Google TV thingy because it was great when it was new a year or so ago, but now after all the updates it frequently stutters when playing media from Netflix, Disney+, HBO Max, etc. Apple TV is silky smooth and works perfectly.
At $200, it was 4x the price, though.
icelancer 304 days ago [-]
The expensive Nvidia Shield Pro is dogshit as well for streaming performance at $150-200. Ridiculous.
nirav72 304 days ago [-]
You're the first one I've read that has had issues with streaming performance on the Nvidia Shield. I have the non-Pro nvidia shield and its been rock solid for streaming external content and local content. Including 4k. I even ran it as a plex server for a while. Are you using wireless or plugged into ethernet?
johnmaguire 304 days ago [-]
Works great for me?
joshspankit 304 days ago [-]
It’s most likely just because of new codecs. If you got a newer cheap device it would probably not stutter (until the next round of codecs, but Apple TV requires the same upgrades)
metadat 304 days ago [-]
I don't think so, x264 and x265 haven't changed in the past 12 months, or even the last 2+ years. My suspicion is Elgoog releases Android system updates without thoroughly testing them on existing released hardware.
My friends have Apple TVs that don't stutter, for 3+ years.
joshspankit 303 days ago [-]
If it were my machine I’d also investigate the audio streams. Audio decoding can be surprisingly heavy
mjs 304 days ago [-]
It … kind of does, but if you filter the reviews by "TV" you'll see there's quite a few issues with it: https://play.google.com/store/apps/details?id=com.tailscale..... Not sure why the back button issue hasn't been fixed, that makes it very inconvenient to set up. (Also: are you sure it can be used as an exit node? That wasn't supported a few months ago.)
e12e 304 days ago [-]
Why, apparently it finally does - since when? Last time I checked, I'd have to sideload it on my Nvidia shield?
tiffanyh 304 days ago [-]
How will this work?
My Apple TV constantly goes to sleep.
Is Tailscale doing some type of “busy wait” to prevent tvOS from going to sleep?
lathiat 304 days ago [-]
It’s not truly asleep. The display parts are but it’s always connected to wifi to act as a home hub, receive airplay requests, etc.
crazygringo 304 days ago [-]
You can change your Apple TV settings to not to go to sleep.
angott 304 days ago [-]
This is not really necessary, there is no need to change any settings. Even when the device enters sleep mode, VPN apps can remain active, just like on iOS.
jondwillis 305 days ago [-]
Neat, maybe I can sell my M1 mini server
8fingerlouie 304 days ago [-]
Nah, you'll still need that to synchronize iCloud content locally so that you can make backups of it, as Apple stubbornly refuses to allow TimeMachine (or anything else) to actually backup stuff that is only stored in iCloud, and provies no easy, scriptable way, of doing so otherwise.
It may just be a problem for me, but as i have ~3TB of photos in iCloud (2 x 2TB), and unless i want to buy laptops with 2TB storage, there is no practical way of backing up the contents of iCloud, so i use a Mac Mini M1 with an external drive, syncrhonize data locally, and then back it up from there.
tornato7 303 days ago [-]
Couldn't you expert icloud to Google photos and then use something like Google takeout to back that up?
I need to backup my iCloud data soon too. How sure are you that the data is all downloaded from the cloud when you copy it to the external drive?
Do you use any special tools?
8fingerlouie 304 days ago [-]
I just configure each users account on the Mac Mini to download everything from iCloud, and then backup each users directory.
It does require each user to login again every time the mac mini is rebooted, but fortunately that only happens when new releases come around, so 3-4 times every year.
I do periodically check if new photos have been downloaded. I care less about documents as the relevant documents are more likely to also be stored on the laptops, and thus backed up through the normal backup routine on the laptops.
I do wish Apple would come up with a solution to this problem though. The official instructions[1] feels like something from 2003.
> I do wish Apple would come up with a solution to this problem though.
That wish is in the opposite direction of Apple’s brand identity: “let us handle everything for you with our white glove service [you can pay, right?]”
8fingerlouie 303 days ago [-]
I would argue that it is exactly in line with Apple's brand identity.
Pretty much everybody agrees that you need to backup your cloud storage as well as your local computer, and Apple even backs up your i-devices to the cloud, and yet, there is no automated way of backing up your iCloud storage.
About a decade ago, Google initiated the Data Transfer Framework[1] that allows you to transfer data from one cloud provider to another, directly from provider to provider instead of downloading it first. It sadly appears to not have gotten enough traction to be of any use.
> Pretty much everybody agrees that you need to backup your cloud storage as well as your local computer, and Apple even backs up your i-devices to the cloud
I don’t think I’ve ever seen Apple say that you need to back up your Apple Cloud data.
> I would argue that it is exactly in line with Apple's brand identity.
I’m not following you. Can you explain what you mean by that?
8fingerlouie 302 days ago [-]
> I’m not following you. Can you explain what you mean by that?
Usually when Apple does something, they make it so it "just works" and usually stays out of the way of the user. To bake iCloud backups into Time Machine would do just that, backup your cloud data without bugging you.
tonyaiken 304 days ago [-]
If it’s iCloud Photos you can try icloudpd, works pretty well from my Synology NAS
MuffinFlavored 304 days ago [-]
> Many non-techy users
Why would a non-techy user want to volunteer to be an exit node?
giobox 304 days ago [-]
I have setup Pis in family member homes to allow me to get residential IP VPN exit node in their respective countries - cheap and easy way to get access to foreign TV streaming services without a monthly fee. I used to run my own exit nodes in AWS/DigitalOcean in those regions, but virtually all streaming services block VPS/cloud service IPs at this point. Having an exit node in an actual "real" residential internet service is vastly more flexible.
This potentially would be even easier for me, given they all have Apple TVs already. This isn't a public exit node - it's only available to other users (i.e. people you know and have granted access to) of your own TailScale setup.
Same for non-techy folks who have second homes in foreign countries, or even just travel a lot - an Apple TV running this new app back in their main property will allow them for free to browse the web as if they are actually at their main property, including any TV services they enjoy.
fragmede 304 days ago [-]
This isn't Tor, being an exit node just means the non-techy user can access Netflix while travelling internationally.
userbinator 304 days ago [-]
Blame Tor for popularising the term "exit node" to mean "public proxy".
The terms "VPN gateway" or "VPN server" are still valid and less easily confused with Tor's use of "exit node".
giobox 304 days ago [-]
Yes and no... A VPN Gateway or VPN server doesn't have to be an exit node, and may route onwards to actual exit nodes. Some nodes may not "exit" at all - see setups where you are just trying to reach your private networks.
In a tailscale setup, an "exit node" has specific meaning and the term makes sense as far as I'm concerned:
It’s not a public Tor exit node. It’s a personal node you can use to route your own traffic.
KoftaBob 304 days ago [-]
So that when they're overseas, they can route their internet traffic through their Apple TV at home in the US, and any streaming service they use will think they're in the US and not give them trouble about "Hulu isn't available in your location".
304 days ago [-]
Mandatum 305 days ago [-]
I live reading copy that’s obviously written by nerds. This is the least corporate announcement I’ve seen from a corporation in a long time.
No mention of how much they live trust and privacy or how they’re going to make your experience more delightful.
ant6n 304 days ago [-]
Yeah, sounds like a bunch of tech gobbledigook. I guess it’s written for the users of these services, and they know what all this jargon means.
cstrahan 304 days ago [-]
Tailscale is a company that provides a VPN (“Virtual Private Network”) service. If you don’t find yourself thinking “man, I really wish this one computer over here could share the same network with that computer over there, despite not being on the same WiFi access point or physical Ethernet network”, then their service (and the news regarding it) aren’t for you.
Why would someone want a VPN? There are a bunch, but here are some examples:
1) You want to connect to one of your machines at home while you’re at a coffee shop, or on vacation. Maybe so you can check security cameras, I dunno.
2) You’re on vacation outside of your home country, and you would like to watch a video stream that is blocked in the country you’re vacationing in. I experienced this in the Bahamas — If I recall, I was wanting to watch a UFC fight, but the UFC app refused to stream to the Bahamas (it was this and/or other Disney/Hulu whatever services refusing to play in the Bahamas). By routing traffic through your ISP back home: problem solved. (This what “exit node” is referring to — a computer through which internet traffic flows on your behalf)
3) You want to play a game with a friend that only supports multiplayer play on the same network, but your friend isn’t physically there with you in the same house. So just put the two of you on the same virtual network and now you can play together.
ant6n 303 days ago [-]
I bet they run a useful service. But their post doesn’t really speak well to people who don’t already use the service, because it doesn’t define the used names (e.g. it’s only implied that the service is a VPN, why not just say it up front). That’s why I think it’s not a great press release.
cstrahan 292 days ago [-]
Their homepage literally says it is a “Zero-config Business VPN”. Not “implied” — directly stated.
> That’s why I think it’s not a great press release.
Press release? This a blog. It should be self evident that this is for customers and other already interested parties.
When you visit friends and family, do you regularly reintroduce yourself? I’m going to guess you probably don’t. If someone did that, it would both be weird and wasteful of everyone’s time.
Blogs work similarly. The majority of traffic is expected to be people already following you, in which case reiterating who you are, what you do, etc, would all be a waste of everyone’s time — with the minor exception of the occasional person that stumbles upon your blog for the first time. Even then, such individuals usually end up on an unfamiliar blog because they are explicitly searching for something topically relevant, and thus are already familiar with what is being described.
It’s kind of bizarre, IMO, to arbitrarily follow links from a link aggregator (Hacker News, in this case), with no prior knowledge of the related topic, skim through a blog on said unfamiliar topic, and then complain that the author didn’t spell out what 99% of their readership already knows. Like… why? If you like exploring things you don’t know, why not check out their homepage? You already clicked one link without knowing what you were getting into, what’s one more click to go to the very page that describes what they do? Or if you don’t like discovering new things, what compelled you to click a link, when the link text was completely foreign to you?
Car maintenance books don’t describe the usefulness of cars.
Calculus books don’t assume you have zero familiarity with numbers and counting.
Recipe books don’t remind you that, as a human being, you need food to survive.
The Netflix tech blog doesn’t tell you what Netflix is, describe “streaming” in the abstract, nor explain what movies are and why people watch them.
How little familiarity would you recommend that Tailscale expect from the reader of their blogs? Should plumbers be able to understand what’s being talked about? If they should tell you that they are a VPN service, should they also describe what a computer network is, what you can do with a network, and why they’re useful? Do they need to describe what a computer is?
I just… I just don’t get it.
ant6n 291 days ago [-]
I didn’t read your ad hominem essay about corporate blogs, just wanted to add…
> I just… I just don’t get it.
…better luck next time.
bawana 304 days ago [-]
but why is this better than running a vpn client on your pc? For example,when I want to watch streams restricted in my country, I fire up the ExpressVPN client on my laptop, connect to Switzerland, and then my restrictions disappear. Why should get another piece of hardware, wires and complexity (what happens when this box doesnt connect to the internet but it has no keyboard,, display or mouse to guide troubleshooting?)
cpuguy83 304 days ago [-]
Because Tailscale is a [1] direct connection. No middleman service with access to your traffic.
[1] In some cases this is not possible and there are relays setup to help route traffic.
What's in the traffic is opaque to these nodes. You can also choose to use your own nodes.
If you are interested here is a great post on how this works: https://tailscale.com/blog/how-nat-traversal-works/
lxgr 304 days ago [-]
Most streaming services block commercial VPNs and even data center IP ranges at this point.
Some VPN vendors bypass that by reselling access to residential IPs (witting or unwitting on the side of the person paying for the ISP service), but even that is hit and miss.
> Why should get another piece of hardware
Many people already have an Apple TV or Android TV streaming box.
aspenmayer 304 days ago [-]
The GL.iNet routers have a mobile and desktop config site and buttons to configure/reset the device as well as a two-position hardware switch, the function of which is configurable also. This is not to mention they can run OpenWRT/LEDE and there are vendor created “clean” firmware images to do so. They’re one of the best devices for this use case and price point. I don’t think the situation you’re worried about is a reasonable concern for someone already expected to be competent to manage the router generally to begin with, and if they also want to do the things Tailcale does, they can and should be able to troubleshoot the problem space. The stock firmware is a modified OpenWRT with a web GUI and some optional extras, but it’s the most functional consumer router I’ve used.
bawana 302 days ago [-]
thank you for your replies but I think my density is getting the better of me.When ii want to pretend I am in Switzerland, my vpn client connects to an exit node there through an encrypted tunnel between my machine and the vpn service's exit node. If I have an Apple TV in my home running tail scale, how can I make it talk to the internet through an exit node in Switzerland ? My understanding is that I cannot. If I run tail scale on my Apple TV and then travel to Switzerland , can I connect to my Apple TV and watch shows in Switzerland from it? But how can I get through my home firewall / NATted router to my Apple TV? is there a tail scale client that I run on my laptop that finds my Apple TV running tail scale?
mc10 300 days ago [-]
Tailscale recently announced an integration with Mullvad [1] that is probably what you're looking for: Mullvad's VPN servers act as Tailscale exit nodes, and they have servers in countries around the world. This lets any of your existing Tailscale nodes route traffic through Mullvad.
> With up to three users available on our Free plan, you’ve got tools to make a media drive available to other trusted people in your life. You can share a collection of family photos and home videos into a faraway relative’s tailnet, without worrying about locking down the server for public internet access.
It's important to point out here that, in addition to this, the free plan also lets you send invite links to specific devices, which other people can add on their own accounts. That way, nobody has to go for the (quite expensive and obviously company-focused) free plan, you can share your device with as many friends as you like, and you're not sharing anything else beyond that single device.
Operyl 305 days ago [-]
Using it as an always-on exit node is actually a pretty nifty feature, I hadn’t thought about that as a viable feature before now.
cube2222 305 days ago [-]
This is by the way kind of how remote access with apple home works.
The Apple TV serves as a local gateway relaying all the commands to your local IoT devices.
On a side note, tailscale is lovely. I have nothing but good things to say about them.
Operyl 305 days ago [-]
Yup, either a HomePod, Apple TV, or iPad left at home can act as a HomeKit hub.
(Yes, you can technically use an iPad as a hub if you are on the old Home architecture)
Operyl 305 days ago [-]
Good change, then! It wasn’t a great experience for most people. iPads are rarely static home fixtures now, and they were the only ones capable of dying.
drcongo 304 days ago [-]
Yeah, that was always a weird choice. The one time I went on holiday without first checking to see which device was acting as my primary home hub it turned out to be my iPad, which I'd taken with me, and all my security cameras were "unavailable" for the week. I'm sure the system is supposed to just switch to a different primary hub in that situation (I have about 15 candidates), but it didn't.
ignoramous 304 days ago [-]
> This is by the way kind of how remote access with apple home works.
Tailscale continues to be one of the more impressive services I've ever used. Going to install this on my Apple TV immediately. I often travel and use public Wi-Fi, so this is massively useful as my PC and my laptop are not always on (so I can't use them as an exit node). Pretty genius honestly.
aaomidi 305 days ago [-]
I’ve been working on bringing tailscale into container networking through a driver, it’s still a work in progress but people might already be interested in trying it out:
Thanks for sharing this. I'm thinking this might be useful to run on a VPS and tie to a reverse proxy container. So I could expose services externally without opening up port on my wan side.
drexlspivey 305 days ago [-]
The bigger news is that you can add VPNs on Apple TV with tvOS 17, I had to run it on my router before
fmajid 304 days ago [-]
Still better to run it on your router. Apple’s had VPN leaks, and also exempted its own services from VPN or Little Snitch firewalling. Separation of roles means not having to trust Apple.
ignoramous 304 days ago [-]
Wait until Apple bundles in 5G eSIMs for connectivity for just Apple apps to bypass the physical firewalls.
fmajid 304 days ago [-]
I think SmartTV vendors will get there first.
FireBeyond 305 days ago [-]
I don't care either way, but I did note the ignorance of the elephant in the room as to why 99% of people would care about Tailscale and native VPN support on their Apple TV... and it's not "avoiding sketchy wifi networks".
fotta 305 days ago [-]
> With a Tailscale exit node, you’re in control and you get the internet connection you’re used to. This new feature could come in handy if you’re traveling with your Apple TV and want to access the same geo-restricted channels you can see from home.
They do call this out towards the end.
cassianoleal 304 days ago [-]
How's this supposed to work? If I'm travelling with my Apple TV and use it as an exit node, it's as geo-restricted as I am, wherever I am.
ezfe 304 days ago [-]
This blog post isn't just for using it as an exit node. Traveling with the Apple TV and using Tailscale lets you exit-node back to your house.
Traveling without the Apple TV and the exit-node can be your Apple TV.
cassianoleal 304 days ago [-]
Perhaps the blog post isn't, but the quoted text is:
> With a Tailscale exit node, you’re in control and you get the internet connection you’re used to. This new feature could come in handy if you’re traveling with your Apple TV and want to access the same geo-restricted channels you can see from home.
ezfe 304 days ago [-]
Yes, but the tail scale exit node referenced in that quote isn't necessarily the Apple TV.
Larrikin 304 days ago [-]
You designated a device at home as the exit node and are using that on your Apple TV in a different location.
unstatusthequo 305 days ago [-]
Because say I want to connect to my own private remote network. I have a server hosted in a datacenter because I self-host. I'd much rather have VPN capabilities than deal with a proxy server and publicly open ports with rules. This is a much tighter way to do things, IMHO.
meowtimemania 305 days ago [-]
The main use case I see is sharing streaming services like youtube TV with family.
zikduruqe 304 days ago [-]
I run my own DNS server at home, and have Tailscale installed on it also. I use this so when I am away from home, I can continue to use it via Tailscale and/or an exit node for full on VPN-like solution.
I can now, move Tailscale off that server, and put it on my Apple TV to use as my network for my DNS server when I am away from the house.
radicaldreamer 305 days ago [-]
You can already do that officially... but maybe not region-locked sports
drewnick 304 days ago [-]
Definitely not region locked sports. My YT TV account is based on the other side of the country and I can't watch our local teams quite frequently. I've been using wireguard and a dedicated wifi network to tunnel through a fiber connection "back home" and it then thinks I am local and all works well. This is much cleaner with tailscale!
sangnoir 304 days ago [-]
It's cheaper if everyone is in the "same household" (i.e. sharing the same public IP as main account)
LoganDark 305 days ago [-]
It's a way to access it remotely without having to forward a port to the whole world. There are other ways to do this, but a VPN is usually the most straightforward option.
It's also a way to proxy your connections through a device at home, of course. Whether the Apple TV is the client or the exit node.
copperx 305 days ago [-]
For sharing Netflix accounts?
fragmede 304 days ago [-]
Arrr, it not be for Netflix.
tredre3 304 days ago [-]
Tailscale isn't useful for piracy. Unless you really want your pirate traffic to always be routed through your home?
tshaddox 304 days ago [-]
The idea is that you host all your pirated media from home, e.g. on a NAS running Plex or Jellyfin, and your home server can stream any of your media to any device (including transcoding it to best fit the device and connection).
Tailscale isn't particularly useful for acquiring the pirated media in the first place, of course.
stirlo 304 days ago [-]
How is this different to running a Plex server on your NAS and streaming directly over regular internet?
FloatArtifact 304 days ago [-]
You do not punch holes through your routers firewall. There for it's is more secure as a mesh network.
ezfe 304 days ago [-]
Tailscale has Mullvad integration now, so it can be used that way too
nirav72 304 days ago [-]
So the exit node can route traffic through Mullvad VPN?
I guess it’s more to be able to access the local are stack / jellyfin from everywhere?
unstatusthequo 305 days ago [-]
This is great news! Not only does this make a remote Plex / Jellyfin media server easier to deal with, the Apple TV can be an exit node. Solid work, TailScale!
maxmcd 305 days ago [-]
I'm a little unfamiliar with how Plex routing works. Would this make it so that your plex connected media servers don't need to be publicly routabel and the Plex app will know to connect through the tailscale network?
Would you need to reconfigure plex to use the tailscale ip addresses and then the Apple TX Plex app will stream over that address?
ecliptik 305 days ago [-]
I wrote up a guide [1] on using Plex + Tailscale + HTTPS last year to setup Plex so you don't have to expose it through the Plex relays or setup port forwards for other devices on a Tailnet.
I would assume with this announcement, you can keep Plex private to your Tailnet and an AppleTV also on the Tailnet could use it without any port fowarding.
>setup port forwards for other devices on a Tailnet.
Ah. Now I get it.
aaomidi 305 days ago [-]
Depends on how you’ve setup Plex, but you can give it custom access URLs. So you can expose both a public and a private endpoint. Or just a private endpoint, up to you really.
nickvanw 305 days ago [-]
This is useful - using an exit node with an Apple TV is useful as well for navigating around certain tools that are geo-blocked. Before, you'd have to handle it outside of the device which is much more difficult.
I'm going to play around with this later in the week.
mlfreeman 305 days ago [-]
Will this work with Headscale too?
angott 305 days ago [-]
Tailscale dev here: yes, you can set up a custom coordination server in the settings, just like on the iOS app. Open the tvOS Settings app, then scroll down to Tailscale.
vineyardmike 304 days ago [-]
Genuine question: Does tail scale want people using headscale?
I'm a free-tier personal user, and a little too cheap to give a for-profit corp money when I don't need to just because "I REALLY like the product". If I use headscale does that just cause a headache for the team, or is it good because it reduces traffic to prod?
I'm to cheap to pay when I don't need to, but its such a great product (esp for free) that I'd gladly change how I use the product to be less expensive or problematic.
hzia 304 days ago [-]
Thank you so much for that!! I wondered about this as well. Love how above and beyond you guys are going to support other OSS implementations <3
xeonmc 304 days ago [-]
Is it possible to transparently embed Tailscale into a game to only talk to your self-hosted Headscale server?
Also, is it in theory possible to use WebRTC to negotiate Wireguard connections and not use any control plane?
bananapub 304 days ago [-]
> Is it possible to transparently embed Tailscale into a game to only talk to your self-hosted Headscale server?
> Also, is it in theory possible to use WebRTC to negotiate Wireguard connections and not use any control plane?
you can write code to do whatever you want I guess, but that's nothing to do with tailscale
b555 304 days ago [-]
can anyone share documentation/paper/video with eli5 of tailscale?
i recently read this with mulvad too and feel stupid that I don't intuitively understand how it works, and what it does and why it's needed.
simonw 304 days ago [-]
It's WireGuard with a really nice UI.
WireGuard is an outstanding mechanism for building secure virtual private networks.
You can run WireGuard on a bunch of different machines (or virtual machines) spread all over the world and give them the ability to talk to each other as if they were on the same LAN, with every packet fully encrypted.
TailScale has productized this. They wrote software for a bunch of platforms that makes it trivial to connect those machines to your "tailnet" - effectively a WireGuard network which their software manages for you.
They tie this to SSO - so you can install their software on your phone and your home server, sign them both in using Google SSO or similar, and now they're able to talk to each other on a secure virtual network.
I suggest trying the TailScale setup process to really understand how good it is.
hot_gril 304 days ago [-]
So it's a VPN, right?
vineyardmike 304 days ago [-]
Its utility is as an "overlay network", but using traditional VPN technology. Yes, it is a virtual network, and it's private, but it's not intended to be used to exit to the internet in a controlled manner, as VPNs are often advertised as.
hot_gril 304 days ago [-]
Well, the original purpose of a VPN was more as a private LAN (as Tailscale seems to advertise itself as) than as a way to exit to the Internet somewhere else. And it does both still.
Seems like Tailscale is a very souped up VPN, though. You can add more nodes to the network easily, and even have multiple gateways to the Internet.
derefr 304 days ago [-]
> Well, the original purpose of a VPN was more as a private LAN
You're conflating two concepts.
An "oldschool" VPN connection (using e.g. IPSec) is something that allows your computer to remotely "join" a real, physical LAN. It's basically equivalent to running PPP over IP: your computer "dials up" a daemon running on a server somewhere; that daemon accepts a stream of raw packets from your computer's network stack; and then that daemon dumps those packets out through one of the server's NICs onto a local network segment — where those packets are then handled by the switch they run into as if your computer was directly plugged into that switch. So your computer can acquire an IP address for its VPN "bridge" interface via DHCP from the switch; can talk to other devices on that private network through the switch; can talk to the Internet via NAT through that switch; etc.
Tailscale, meanwhile, creates a software-defined virtual LAN on top of p2p mesh networking of the nodes. There's no actual network segment anywhere that your packets are being dumped out onto; the "switch" handling your packets is a shared distributed abstract-machine that's partly running on your Tailscale client, and partly running on the other nodes' Tailscale clients. That virtual LAN doesn't have a routing table + NAT on it to translate packets into Internet-bound packets. Nor does the LAN have the ability to host L2 services like DHCP. It's just a functional L3 simulation of an L1 network segment, not a faithful emulation of an L1 network segment.
hot_gril 304 days ago [-]
Ah, makes sense. I realized Tailscale was a virtual network but forgot that a VPN doesn't include that functionality.
ezfe 304 days ago [-]
It's kinda a VPN.
Tailscale on its own is a mesh network that allows your devices to communicate (in a VPN, technically, yes) between themselves.
If you have an exit node, then you can route your traffic to that exit node in the way most people think of a VPN.
It also has Mullvad integration, providing Mullvad servers as exit nodes.
If you use an exit node, then its functionally equivalent to a VPN with fancy features.
efxhoy 304 days ago [-]
It makes setting up your own peer to peer VPN between your devices.
You have a home server, could be home assistant, a Raspberry Pi, your desktop computer. Access that server and all services on your phone or laptop from anywhere without figuring out ports and worrying about your server being pwned. It all looks like local traffic.
Set the DNS server on your phone to a Pi running AdGuard Home and block all ads and trackers when on 5G, not just in the browser.
Travel abroad with your laptop and designate your computer at home as an exit node and now all the traffic on your laptop looks like it is coming from that country.
Those are just the use cases I am using personally.
It connects all of your computers and devices in a way that feels magical. For example, if I have a Plex server named myplex on port 80 at home, and if I want to access it from my laptop, I just go to http://myplex.
It doesn't matter if I'm at home or anywhere else, if I have internet then that just works. I don't have to open a port on my router, configure DNS, or anything like that, I just install and run Tailscale.
duped 304 days ago [-]
You're on a team of 10 people with 20 different machines between you and want to securely send/receive files, spin up servers and talk to them, etc.
Tailscale makes this really easy, and fast.
ecliptik 304 days ago [-]
It's a 90s LAN, but with encryption and accessible from anywhere.
idoescompooters 301 days ago [-]
This is pretty awesome, but only makes sense if you've already got an AppleTV. The price difference between the Apple TV and a Raspberry Pi is definitely non-negligible. Also, you probably want the Apple TV with ethernet which is extra $$.
Personally, I don't care about TV so I won't be using one anyway.
For the average, non-technical user, Apple TV as an exit node for other device while traveling is super cool.
But for someone who is out of the country for a duration, it's also super handy. Netflix knows all the popular VPN providers and ban hammers them on a regular basis. But being able to use my Apple TV to watch my normal Netflix (or whomever) from any other country... because they think I'm at home? Super win.
fragmede 304 days ago [-]
Network engineers watching rtt/packet latency very closely can still tell that something fishy is up, but Netflix doesn't really want to block VPNs, they just have to pretend to care enough so that the labels don't pull their content.
lstamour 304 days ago [-]
If one forwards traffic through iCloud+ proxy to mask IP address, I wonder if it’s still possible to tell a VPN, from, say, a perfectly legitimate SpaceX satellite signal received on a boat… ;-)
fragmede 304 days ago [-]
no comment
nose-wuzzy-pad 304 days ago [-]
I’ve installed this on a freshly updated AppleTV 4K with Ethernet and for the life of me I can’t get it to work using the Apple TV as an exit node. I’ve enabled it and approved it in the console.
Unfortunately I can’t ping any hosts through it or make any connections. This is in contrast to my other exit node, which is a docker container running tailscaled with user networking. It continues to work just fine.
Any ideas?
Thanks.
pomatic 304 days ago [-]
Are your clients set to use the AppleTV as a gateway? That's a fundamental requirement to ensure the packets your devices send in reply get passed back to the tailscale network.
nose-wuzzy-pad 302 days ago [-]
Yes, the clients I've attempted this with so far (iPhone running tailscale) I have configured to use the Apple TV as an exit node. When I do so, there is no internet connectivity. When I switch it to another exit node I have in my tailnet it works flawlessly.
lxgr 304 days ago [-]
That's amazing!
I've already been using it in a very similar way on a Chromecast (the one running Android TV), which made me use my Apple TV less and less, to the point where I actually unplugged it. This might just be its ticket back to an HDMI port :)
nirav72 304 days ago [-]
whoa. I'm going to try installing tailscale on the googletv chromecast dongle. Because one of the biggest issues with Chromecast was that it and the device casting from had to be on the same wireless LAN. So when traveling I had to either use a travel router or turn my phone/tablet into an AP. Tailscale might solve that. I already use tailscale for everything else. Just never thought about installing it on Googletv chromecast. Thanks for the suggestion.
lxgr 304 days ago [-]
You still won't be able to actually cast to a Chromecast device unfortunately, since that requires mDNS to work, which only works in the same broadcast domain (i.e. you'd need an L2 VPN, but Tailscale is L3).
Stem0037 304 days ago [-]
Cool! it sounds like a pivotal upgrade, offering both convenience and enhanced security features. I love using Apple TV as the router in my home, when paired with Headscale, it's simply perfect.
sohrob 304 days ago [-]
Awesome news and boosts the utility of the Apple TV tremendously.
Timber-6539 304 days ago [-]
I wish they would work on their Android client.
Its got a long standing request to add split tunnelling [0] (a standard feature on pretty much every VPN client you'll come across). But it seems in the spirit of re-inventing existing networking technologies, Tailscale also decided to re-invent what a VPN client does.
This alone makes me give this otherwise wonderful project a pass despite all the deservingly good press it gets.
That's great tvOS now allows VPN - hopefully NordVPN will now release on Apple TV App Store.
NordVPN runs great on Amazon Firestick - works for BBC Iplayer and ITVX when you're outside UK.
syntaxing 304 days ago [-]
Is it possible to run a plex or jellyfin server on an Apple TV like a Nvidia Shield? If so, I might seriously consider getting an Apple TV just to run as a media server.
billyhoffman 304 days ago [-]
Sadly an Apple TV can't also be the media server (at least for something like Plex). But just about anything else can run media server, and you can go really low end especially if you don't need it to transcode your media. Some software like Infuse will stream the original media file to the Apple TV, and the transcoding happens on device.
tshaddox 304 days ago [-]
True, but of course if you already have a media server, it can almost certainly already act as a Tailscale exit node.
syntaxing 304 days ago [-]
I more or less have running every through a N100 and it has been great. Would have been awesome to replace it with an Apple TV though
hapticmonkey 304 days ago [-]
AppleTV cant act as a media server. But as a client it's fantastic.
An AppleTV with an app like Infuse will flawlessly play back 4K HDR or Dolby Vision videos client side (no transcoding) as well as 7.1 lossless TrueHD audio. Unfortunately it wont do TrueHD Atmos.
zakki 304 days ago [-]
I wish there is Tailscale for LG TV.
tacticalturtle 304 days ago [-]
Switching from WebOS on my LG TV to the Apple TV as the primary interface was honestly one of the best consumer decisions I’ve made this year.
LG TVs get slower and more ad- laden with each update.
ilteris 304 days ago [-]
Never heard of tailscale before. Is it similar to Plex?
nerdbert 304 days ago [-]
Nope, it's a tool for building a private network among machines which can be geographically and internetically distributed. So, more or less a VPN, but not particularly in the sense that people use it today (which is effectively a glorified proxy server).
klinquist 304 days ago [-]
This makes it much easier to use the Xfinity Stream app on your "travel appletv" :)
Spooky23 304 days ago [-]
Can you use this to appear to be in another place for blackout avoidance purposes?
dangoodmanUT 304 days ago [-]
LOVE THIS
jedberg 304 days ago [-]
> But even if you don’t have a media server to connect to, you can use Tailscale’s Apple TV app to select another device in your tailnet ... to use as an exit node. This will route all your Apple TV’s traffic through that connection ... making your traffic appear to originate from the machine of your choice.
Oh look all of those family Netflix devices are in one home again!
304 days ago [-]
Rendered at 08:26:09 GMT+0000 (Coordinated Universal Time) with Vercel.
Pretty huge. Many non-techy users don't like the idea of keeping a computer on 24/7, but a smart TV is just fine.
Also, the Apple TV 4k only draws 0.5 watts at idle and less than 3 watts when streaming movies[0], so I imagine it pulls less than 1 just tunnelling traffic. Computers pull 15W+ at idle, and that's with low end components.
0: https://www.apple.com/environment/pdf/products/appletv/Apple...
But of course this is a different use case and not always an option. Not if you want to use Tailscale. Probably unless that Apple TV is already connected to one of this “VPN WiFi” with Tailscale on top (no idea what the functionality or performance impact is).
Anyone using glinet routers for that purposes and have any tips?
The Mango I have is on the slow side, specs say max 45Mbps over WG as a client, and I measured ~25Mbps when using a Mango as the server. But it’s tiny and very low power so perfect for travel.
No tips, it just works, but test it out before you leave for your trip!
Linus Tech Tips has a video about it: https://www.youtube.com/watch?v=1vpepaQ-VQQ&themeRefresh=1
At $200, it was 4x the price, though.
My friends have Apple TVs that don't stutter, for 3+ years.
My Apple TV constantly goes to sleep.
Is Tailscale doing some type of “busy wait” to prevent tvOS from going to sleep?
It may just be a problem for me, but as i have ~3TB of photos in iCloud (2 x 2TB), and unless i want to buy laptops with 2TB storage, there is no practical way of backing up the contents of iCloud, so i use a Mac Mini M1 with an external drive, syncrhonize data locally, and then back it up from there.
https://support.apple.com/en-us/HT208514
Do you use any special tools?
It does require each user to login again every time the mac mini is rebooted, but fortunately that only happens when new releases come around, so 3-4 times every year.
I do periodically check if new photos have been downloaded. I care less about documents as the relevant documents are more likely to also be stored on the laptops, and thus backed up through the normal backup routine on the laptops.
I do wish Apple would come up with a solution to this problem though. The official instructions[1] feels like something from 2003.
[1]: https://support.apple.com/en-us/HT204055
That wish is in the opposite direction of Apple’s brand identity: “let us handle everything for you with our white glove service [you can pay, right?]”
Pretty much everybody agrees that you need to backup your cloud storage as well as your local computer, and Apple even backs up your i-devices to the cloud, and yet, there is no automated way of backing up your iCloud storage.
About a decade ago, Google initiated the Data Transfer Framework[1] that allows you to transfer data from one cloud provider to another, directly from provider to provider instead of downloading it first. It sadly appears to not have gotten enough traction to be of any use.
[1]: https://github.com/google/data-transfer-project
I don’t think I’ve ever seen Apple say that you need to back up your Apple Cloud data.
> I would argue that it is exactly in line with Apple's brand identity.
I’m not following you. Can you explain what you mean by that?
Usually when Apple does something, they make it so it "just works" and usually stays out of the way of the user. To bake iCloud backups into Time Machine would do just that, backup your cloud data without bugging you.
Why would a non-techy user want to volunteer to be an exit node?
This potentially would be even easier for me, given they all have Apple TVs already. This isn't a public exit node - it's only available to other users (i.e. people you know and have granted access to) of your own TailScale setup.
Same for non-techy folks who have second homes in foreign countries, or even just travel a lot - an Apple TV running this new app back in their main property will allow them for free to browse the web as if they are actually at their main property, including any TV services they enjoy.
The terms "VPN gateway" or "VPN server" are still valid and less easily confused with Tor's use of "exit node".
In a tailscale setup, an "exit node" has specific meaning and the term makes sense as far as I'm concerned:
https://tailscale.com/kb/1103/exit-nodes/
No mention of how much they live trust and privacy or how they’re going to make your experience more delightful.
Why would someone want a VPN? There are a bunch, but here are some examples:
1) You want to connect to one of your machines at home while you’re at a coffee shop, or on vacation. Maybe so you can check security cameras, I dunno.
2) You’re on vacation outside of your home country, and you would like to watch a video stream that is blocked in the country you’re vacationing in. I experienced this in the Bahamas — If I recall, I was wanting to watch a UFC fight, but the UFC app refused to stream to the Bahamas (it was this and/or other Disney/Hulu whatever services refusing to play in the Bahamas). By routing traffic through your ISP back home: problem solved. (This what “exit node” is referring to — a computer through which internet traffic flows on your behalf)
3) You want to play a game with a friend that only supports multiplayer play on the same network, but your friend isn’t physically there with you in the same house. So just put the two of you on the same virtual network and now you can play together.
> That’s why I think it’s not a great press release.
Press release? This a blog. It should be self evident that this is for customers and other already interested parties.
When you visit friends and family, do you regularly reintroduce yourself? I’m going to guess you probably don’t. If someone did that, it would both be weird and wasteful of everyone’s time.
Blogs work similarly. The majority of traffic is expected to be people already following you, in which case reiterating who you are, what you do, etc, would all be a waste of everyone’s time — with the minor exception of the occasional person that stumbles upon your blog for the first time. Even then, such individuals usually end up on an unfamiliar blog because they are explicitly searching for something topically relevant, and thus are already familiar with what is being described.
It’s kind of bizarre, IMO, to arbitrarily follow links from a link aggregator (Hacker News, in this case), with no prior knowledge of the related topic, skim through a blog on said unfamiliar topic, and then complain that the author didn’t spell out what 99% of their readership already knows. Like… why? If you like exploring things you don’t know, why not check out their homepage? You already clicked one link without knowing what you were getting into, what’s one more click to go to the very page that describes what they do? Or if you don’t like discovering new things, what compelled you to click a link, when the link text was completely foreign to you?
Car maintenance books don’t describe the usefulness of cars.
Calculus books don’t assume you have zero familiarity with numbers and counting.
Recipe books don’t remind you that, as a human being, you need food to survive.
The Netflix tech blog doesn’t tell you what Netflix is, describe “streaming” in the abstract, nor explain what movies are and why people watch them.
How little familiarity would you recommend that Tailscale expect from the reader of their blogs? Should plumbers be able to understand what’s being talked about? If they should tell you that they are a VPN service, should they also describe what a computer network is, what you can do with a network, and why they’re useful? Do they need to describe what a computer is?
I just… I just don’t get it.
> I just… I just don’t get it.
…better luck next time.
[1] In some cases this is not possible and there are relays setup to help route traffic. What's in the traffic is opaque to these nodes. You can also choose to use your own nodes. If you are interested here is a great post on how this works: https://tailscale.com/blog/how-nat-traversal-works/
Some VPN vendors bypass that by reselling access to residential IPs (witting or unwitting on the side of the person paying for the ISP service), but even that is hit and miss.
> Why should get another piece of hardware
Many people already have an Apple TV or Android TV streaming box.
[1]: https://tailscale.com/blog/mullvad-integration/
It's important to point out here that, in addition to this, the free plan also lets you send invite links to specific devices, which other people can add on their own accounts. That way, nobody has to go for the (quite expensive and obviously company-focused) free plan, you can share your device with as many friends as you like, and you're not sharing anything else beyond that single device.
The Apple TV serves as a local gateway relaying all the commands to your local IoT devices.
On a side note, tailscale is lovely. I have nothing but good things to say about them.
(Yes, you can technically use an iPad as a hub if you are on the old Home architecture)
Apple killed Back to My Mac, which sounded a lot like Tailscale exit nodes: https://datatracker.ietf.org/doc/html/rfc6281
https://github.com/aaomidi/ContainerScale
They do call this out towards the end.
Traveling without the Apple TV and the exit-node can be your Apple TV.
> With a Tailscale exit node, you’re in control and you get the internet connection you’re used to. This new feature could come in handy if you’re traveling with your Apple TV and want to access the same geo-restricted channels you can see from home.
I can now, move Tailscale off that server, and put it on my Apple TV to use as my network for my DNS server when I am away from the house.
It's also a way to proxy your connections through a device at home, of course. Whether the Apple TV is the client or the exit node.
Tailscale isn't particularly useful for acquiring the pirated media in the first place, of course.
Would you need to reconfigure plex to use the tailscale ip addresses and then the Apple TX Plex app will stream over that address?
I would assume with this announcement, you can keep Plex private to your Tailnet and an AppleTV also on the Tailnet could use it without any port fowarding.
1. https://forums.plex.tv/t/remote-access-using-tailscale-magic...
Ah. Now I get it.
I'm going to play around with this later in the week.
I'm a free-tier personal user, and a little too cheap to give a for-profit corp money when I don't need to just because "I REALLY like the product". If I use headscale does that just cause a headache for the team, or is it good because it reduces traffic to prod?
I'm to cheap to pay when I don't need to, but its such a great product (esp for free) that I'd gladly change how I use the product to be less expensive or problematic.
Also, is it in theory possible to use WebRTC to negotiate Wireguard connections and not use any control plane?
https://github.com/tailscale/libtailscale
> Also, is it in theory possible to use WebRTC to negotiate Wireguard connections and not use any control plane?
you can write code to do whatever you want I guess, but that's nothing to do with tailscale
i recently read this with mulvad too and feel stupid that I don't intuitively understand how it works, and what it does and why it's needed.
WireGuard is an outstanding mechanism for building secure virtual private networks.
You can run WireGuard on a bunch of different machines (or virtual machines) spread all over the world and give them the ability to talk to each other as if they were on the same LAN, with every packet fully encrypted.
TailScale has productized this. They wrote software for a bunch of platforms that makes it trivial to connect those machines to your "tailnet" - effectively a WireGuard network which their software manages for you.
They tie this to SSO - so you can install their software on your phone and your home server, sign them both in using Google SSO or similar, and now they're able to talk to each other on a secure virtual network.
I suggest trying the TailScale setup process to really understand how good it is.
Seems like Tailscale is a very souped up VPN, though. You can add more nodes to the network easily, and even have multiple gateways to the Internet.
You're conflating two concepts.
An "oldschool" VPN connection (using e.g. IPSec) is something that allows your computer to remotely "join" a real, physical LAN. It's basically equivalent to running PPP over IP: your computer "dials up" a daemon running on a server somewhere; that daemon accepts a stream of raw packets from your computer's network stack; and then that daemon dumps those packets out through one of the server's NICs onto a local network segment — where those packets are then handled by the switch they run into as if your computer was directly plugged into that switch. So your computer can acquire an IP address for its VPN "bridge" interface via DHCP from the switch; can talk to other devices on that private network through the switch; can talk to the Internet via NAT through that switch; etc.
Tailscale, meanwhile, creates a software-defined virtual LAN on top of p2p mesh networking of the nodes. There's no actual network segment anywhere that your packets are being dumped out onto; the "switch" handling your packets is a shared distributed abstract-machine that's partly running on your Tailscale client, and partly running on the other nodes' Tailscale clients. That virtual LAN doesn't have a routing table + NAT on it to translate packets into Internet-bound packets. Nor does the LAN have the ability to host L2 services like DHCP. It's just a functional L3 simulation of an L1 network segment, not a faithful emulation of an L1 network segment.
Tailscale on its own is a mesh network that allows your devices to communicate (in a VPN, technically, yes) between themselves.
If you have an exit node, then you can route your traffic to that exit node in the way most people think of a VPN.
It also has Mullvad integration, providing Mullvad servers as exit nodes.
If you use an exit node, then its functionally equivalent to a VPN with fancy features.
https://tailscale.com/kb/1151/what-is-tailscale/
https://tailscale.com/blog/how-tailscale-works/
Set the DNS server on your phone to a Pi running AdGuard Home and block all ads and trackers when on 5G, not just in the browser.
Travel abroad with your laptop and designate your computer at home as an exit node and now all the traffic on your laptop looks like it is coming from that country.
Those are just the use cases I am using personally.
It doesn't matter if I'm at home or anywhere else, if I have internet then that just works. I don't have to open a port on my router, configure DNS, or anything like that, I just install and run Tailscale.
Tailscale makes this really easy, and fast.
Personally, I don't care about TV so I won't be using one anyway.
https://kimbroughski.medium.com/how-to-use-a-tailscale-vpn-t...
For the average, non-technical user, Apple TV as an exit node for other device while traveling is super cool.
But for someone who is out of the country for a duration, it's also super handy. Netflix knows all the popular VPN providers and ban hammers them on a regular basis. But being able to use my Apple TV to watch my normal Netflix (or whomever) from any other country... because they think I'm at home? Super win.
Unfortunately I can’t ping any hosts through it or make any connections. This is in contrast to my other exit node, which is a docker container running tailscaled with user networking. It continues to work just fine.
Any ideas?
Thanks.
I've already been using it in a very similar way on a Chromecast (the one running Android TV), which made me use my Apple TV less and less, to the point where I actually unplugged it. This might just be its ticket back to an HDMI port :)
Its got a long standing request to add split tunnelling [0] (a standard feature on pretty much every VPN client you'll come across). But it seems in the spirit of re-inventing existing networking technologies, Tailscale also decided to re-invent what a VPN client does.
This alone makes me give this otherwise wonderful project a pass despite all the deservingly good press it gets.
[0] https://github.com/tailscale/tailscale/issues/6912
An AppleTV with an app like Infuse will flawlessly play back 4K HDR or Dolby Vision videos client side (no transcoding) as well as 7.1 lossless TrueHD audio. Unfortunately it wont do TrueHD Atmos.
LG TVs get slower and more ad- laden with each update.
Oh look all of those family Netflix devices are in one home again!