Apple TV, now with more Tailscale (tailscale.com)
judge2020 276 days ago [-]
> Finally, the new Tailscale client allows an Apple TV to be an exit node itself for other machines in your tailnet.

Pretty huge. Many non-techy users don't like the idea of keeping a computer on 24/7, but a smart TV is just fine.

Also, the Apple TV 4k only draws 0.5 watts at idle and less than 3 watts when streaming movies[0], so I imagine it pulls less than 1 just tunnelling traffic. Computers pull 15W+ at idle, and that's with low end components.

0: https://www.apple.com/environment/pdf/products/appletv/Apple...

lnxg33k1 276 days ago [-]
So far I’ve used it to get VPN on Apple TV and I don’t think I am going to change, also considering how Apple leaks VPNs like there’s no tomorrow https://www.amazon.nl/GL-iNet-GL-MT300N-V2-Reiserouter-Repea...
close04 276 days ago [-]
Can second the recommendation for the Mango travel router. I always prefer to take the VPN out of the “hands” of the client device to avoid any leaks. With 2 such devices connected via Wireguard VPN any other device I connect to that client router’s WiFi is safely communicating through that VPN. A sort of site to site VPN that works for devices that could never otherwise use a VPN client.

But of course this is a different use case and not always an option. Not if you want to use Tailscale. Probably unless that Apple TV is already connected to one of these “VPN WiFi” with Tailscale on top (no idea what the functionality or performance impact is).

matthewaveryusa 275 days ago [-]
Don't know about the mango, but the gl.inet I have works with tailscale (albeit still in beta) https://www.gl-inet.com/products/gl-axt1800/
sda2 275 days ago [-]
also seems to work with 'tailscale up --advertise-exit-node' if you ssh into the router instead of using admin console.
addsubtract 275 days ago [-]
Ordered one - I will be traveling and would be nice to switch exit nodes as needed while on the go. Not that I need to hide the fact I’m out of country, but seems like a good way to connect up the work laptop to appear on my home IP.

Anyone using glinet routers for that purpose and have any tips?

close04 274 days ago [-]
I don’t use it for work but on every trip I am actually connecting “at home”. I have a WG server at home (you can use one glinet as an easy to configure VPN server) and a travel glinet as the client. Whenever I reach a hotel I connect the client glinet to the hotel hotspot (or cable), it connects to the home VPN, and all my devices connect to this client glinet WiFi and through that VPN tunnel. Everything is seamless with the only manual step being to connect the travel router to whatever internet pipe provided.

The Mango I have is on the slow side, specs say max 45Mbps over WG as a client, and I measured ~25Mbps when using a Mango as the server. But it’s tiny and very low power so perfect for travel.

matthewaveryusa 274 days ago [-]
Yes. I've traveled abroad and connected my work laptop to our home server through the glinet so I wouldn't need to deal with any hassle of having a foreign IP address even though I disclosed my location to my employer. In fact I keep my work gear always connected to the glinet, even at home.

No tips, it just works, but test it out before you leave for your trip!

telotortium 275 days ago [-]
aaomidi 276 days ago [-]
I had not convinced the use case of using this as an exit node. Fuck this simplified so much.
copperx 276 days ago [-]
Tailscale also runs on Android TV. If you don't have an Apple TV and want a cheap device just to have an exit node, you can buy a $20 Android TV thingy.
vosper 276 days ago [-]
Beware that a lot of cheap Android TV boxes come pre-loaded with heaps of malware. You don't want them in your network.

Linus Tech Tips has a video about it: https://www.youtube.com/watch?v=1vpepaQ-VQQ&themeRefresh=1

copperx 275 days ago [-]
That's true. However, Walmart's $20 Onn 4k Streaming Box has no malware, apparently.
metadat 275 days ago [-]
I abandoned the Google TV thingy because it was great when it was new a year or so ago, but now after all the updates it frequently stutters when playing media from Netflix, Disney+, HBO Max, etc. Apple TV is silky smooth and works perfectly.

At $200, it was 4x the price, though.

icelancer 275 days ago [-]
The expensive Nvidia Shield Pro is dogshit as well for streaming performance at $150-200. Ridiculous.
nirav72 275 days ago [-]
You're the first one I've read that has had issues with streaming performance on the Nvidia Shield. I have the non-Pro Nvidia Shield and it's been rock solid for streaming external content and local content. Including 4k. I even ran it as a Plex server for a while. Are you using wireless or plugged into ethernet?
johnmaguire 275 days ago [-]
Works great for me?
joshspankit 275 days ago [-]
It’s most likely just because of new codecs. If you got a newer cheap device it would probably not stutter (until the next round of codecs, but Apple TV requires the same upgrades)
metadat 275 days ago [-]
I don't think so, x264 and x265 haven't changed in the past 12 months, or even the last 2+ years. My suspicion is Elgoog releases Android system updates without thoroughly testing them on existing released hardware.

My friends have Apple TVs that don't stutter, for 3+ years.

joshspankit 274 days ago [-]
If it were my machine I’d also investigate the audio streams. Audio decoding can be surprisingly heavy
mjs 276 days ago [-]
It … kind of does, but if you filter the reviews by "TV" you'll see there's quite a few issues with it: https://play.google.com/store/apps/details?id=com.tailscale..... Not sure why the back button issue hasn't been fixed, that makes it very inconvenient to set up. (Also: are you sure it can be used as an exit node? That wasn't supported a few months ago.)
e12e 275 days ago [-]
Why, apparently it finally does - since when? Last time I checked, I'd have to sideload it on my Nvidia shield?
tiffanyh 275 days ago [-]
How will this work?

My Apple TV constantly goes to sleep.

Is Tailscale doing some type of “busy wait” to prevent tvOS from going to sleep?

lathiat 275 days ago [-]
It’s not truly asleep. The display parts are but it’s always connected to wifi to act as a home hub, receive airplay requests, etc.
crazygringo 275 days ago [-]
You can change your Apple TV settings to not go to sleep.
angott 275 days ago [-]
This is not really necessary, there is no need to change any settings. Even when the device enters sleep mode, VPN apps can remain active, just like on iOS.
jondwillis 276 days ago [-]
Neat, maybe I can sell my M1 mini server
8fingerlouie 275 days ago [-]
Nah, you'll still need that to synchronize iCloud content locally so that you can make backups of it, as Apple stubbornly refuses to allow TimeMachine (or anything else) to actually back up stuff that is only stored in iCloud, and provides no easy, scriptable way of doing so otherwise.

It may just be a problem for me, but as I have ~3TB of photos in iCloud (2 x 2TB), and unless I want to buy laptops with 2TB storage, there is no practical way of backing up the contents of iCloud, so I use a Mac Mini M1 with an external drive, synchronize data locally, and then back it up from there.

tornato7 274 days ago [-]
Couldn't you export iCloud to Google Photos and then use something like Google Takeout to back that up?


yardstick 275 days ago [-]
I need to backup my iCloud data soon too. How sure are you that the data is all downloaded from the cloud when you copy it to the external drive?

Do you use any special tools?

8fingerlouie 275 days ago [-]
I just configure each user's account on the Mac Mini to download everything from iCloud, and then back up each user's directory.

It does require each user to login again every time the mac mini is rebooted, but fortunately that only happens when new releases come around, so 3-4 times every year.

I do periodically check if new photos have been downloaded. I care less about documents as the relevant documents are more likely to also be stored on the laptops, and thus backed up through the normal backup routine on the laptops.

I do wish Apple would come up with a solution to this problem though. The official instructions[1] feel like something from 2003.

[1]: https://support.apple.com/en-us/HT204055

joshspankit 275 days ago [-]
> I do wish Apple would come up with a solution to this problem though.

That wish is in the opposite direction of Apple’s brand identity: “let us handle everything for you with our white glove service [you can pay, right?]”

8fingerlouie 274 days ago [-]
I would argue that it is exactly in line with Apple's brand identity.

Pretty much everybody agrees that you need to backup your cloud storage as well as your local computer, and Apple even backs up your i-devices to the cloud, and yet, there is no automated way of backing up your iCloud storage.

About a decade ago, Google initiated the Data Transfer Framework[1] that allows you to transfer data from one cloud provider to another, directly from provider to provider instead of downloading it first. It sadly appears to not have gotten enough traction to be of any use.

[1]: https://github.com/google/data-transfer-project

joshspankit 274 days ago [-]
> Pretty much everybody agrees that you need to backup your cloud storage as well as your local computer, and Apple even backs up your i-devices to the cloud

I don’t think I’ve ever seen Apple say that you need to back up your Apple Cloud data.

> I would argue that it is exactly in line with Apple's brand identity.

I’m not following you. Can you explain what you mean by that?

8fingerlouie 273 days ago [-]
> I’m not following you. Can you explain what you mean by that?

Usually when Apple does something, they make it so it "just works" and usually stays out of the way of the user. To bake iCloud backups into Time Machine would do just that, backup your cloud data without bugging you.

tonyaiken 275 days ago [-]
If it’s iCloud Photos you can try icloudpd, works pretty well from my Synology NAS
MuffinFlavored 275 days ago [-]
> Many non-techy users

Why would a non-techy user want to volunteer to be an exit node?

giobox 275 days ago [-]
I have setup Pis in family member homes to allow me to get residential IP VPN exit node in their respective countries - cheap and easy way to get access to foreign TV streaming services without a monthly fee. I used to run my own exit nodes in AWS/DigitalOcean in those regions, but virtually all streaming services block VPS/cloud service IPs at this point. Having an exit node in an actual "real" residential internet service is vastly more flexible.

This potentially would be even easier for me, given they all have Apple TVs already. This isn't a public exit node - it's only available to other users (i.e. people you know and have granted access to) of your own TailScale setup.

Same for non-techy folks who have second homes in foreign countries, or even just travel a lot - an Apple TV running this new app back in their main property will allow them for free to browse the web as if they are actually at their main property, including any TV services they enjoy.

fragmede 275 days ago [-]
This isn't Tor, being an exit node just means the non-techy user can access Netflix while travelling internationally.
userbinator 275 days ago [-]
Blame Tor for popularising the term "exit node" to mean "public proxy".

The terms "VPN gateway" or "VPN server" are still valid and less easily confused with Tor's use of "exit node".

giobox 275 days ago [-]
Yes and no... A VPN Gateway or VPN server doesn't have to be an exit node, and may route onwards to actual exit nodes. Some nodes may not "exit" at all - see setups where you are just trying to reach your private networks.

In a tailscale setup, an "exit node" has specific meaning and the term makes sense as far as I'm concerned:


Operyl 275 days ago [-]
It’s not a public Tor exit node. It’s a personal node you can use to route your own traffic.
KoftaBob 275 days ago [-]
So that when they're overseas, they can route their internet traffic through their Apple TV at home in the US, and any streaming service they use will think they're in the US and not give them trouble about "Hulu isn't available in your location".
Mandatum 276 days ago [-]
I love reading copy that’s obviously written by nerds. This is the least corporate announcement I’ve seen from a corporation in a long time.

No mention of how much they love trust and privacy or how they’re going to make your experience more delightful.

ant6n 276 days ago [-]
Yeah, sounds like a bunch of tech gobbledygook. I guess it’s written for the users of these services, and they know what all this jargon means.
cstrahan 275 days ago [-]
Tailscale is a company that provides a VPN (“Virtual Private Network”) service. If you don’t find yourself thinking “man, I really wish this one computer over here could share the same network with that computer over there, despite not being on the same WiFi access point or physical Ethernet network”, then their service (and the news regarding it) aren’t for you.

Why would someone want a VPN? There are a bunch, but here are some examples:

1) You want to connect to one of your machines at home while you’re at a coffee shop, or on vacation. Maybe so you can check security cameras, I dunno.

2) You’re on vacation outside of your home country, and you would like to watch a video stream that is blocked in the country you’re vacationing in. I experienced this in the Bahamas — If I recall, I was wanting to watch a UFC fight, but the UFC app refused to stream to the Bahamas (it was this and/or other Disney/Hulu whatever services refusing to play in the Bahamas). By routing traffic through your ISP back home: problem solved. (This is what “exit node” is referring to — a computer through which internet traffic flows on your behalf)

3) You want to play a game with a friend that only supports multiplayer play on the same network, but your friend isn’t physically there with you in the same house. So just put the two of you on the same virtual network and now you can play together.

ant6n 274 days ago [-]
I bet they run a useful service. But their post doesn’t really speak well to people who don’t already use the service, because it doesn’t define the used names (e.g. it’s only implied that the service is a VPN, why not just say it up front). That’s why I think it’s not a great press release.
cstrahan 263 days ago [-]
Their homepage literally says it is a “Zero-config Business VPN”. Not “implied” — directly stated.

> That’s why I think it’s not a great press release.

Press release? This is a blog. It should be self evident that this is for customers and other already interested parties.

When you visit friends and family, do you regularly reintroduce yourself? I’m going to guess you probably don’t. If someone did that, it would both be weird and wasteful of everyone’s time.

Blogs work similarly. The majority of traffic is expected to be people already following you, in which case reiterating who you are, what you do, etc, would all be a waste of everyone’s time — with the minor exception of the occasional person that stumbles upon your blog for the first time. Even then, such individuals usually end up on an unfamiliar blog because they are explicitly searching for something topically relevant, and thus are already familiar with what is being described.

It’s kind of bizarre, IMO, to arbitrarily follow links from a link aggregator (Hacker News, in this case), with no prior knowledge of the related topic, skim through a blog on said unfamiliar topic, and then complain that the author didn’t spell out what 99% of their readership already knows. Like… why? If you like exploring things you don’t know, why not check out their homepage? You already clicked one link without knowing what you were getting into, what’s one more click to go to the very page that describes what they do? Or if you don’t like discovering new things, what compelled you to click a link, when the link text was completely foreign to you?

Car maintenance books don’t describe the usefulness of cars.

Calculus books don’t assume you have zero familiarity with numbers and counting.

Recipe books don’t remind you that, as a human being, you need food to survive.

The Netflix tech blog doesn’t tell you what Netflix is, describe “streaming” in the abstract, nor explain what movies are and why people watch them.

How little familiarity would you recommend that Tailscale expect from the reader of their blogs? Should plumbers be able to understand what’s being talked about? If they should tell you that they are a VPN service, should they also describe what a computer network is, what you can do with a network, and why they’re useful? Do they need to describe what a computer is?

I just… I just don’t get it.

ant6n 262 days ago [-]
I didn’t read your ad hominem essay about corporate blogs, just wanted to add…

> I just… I just don’t get it.

…better luck next time.

bawana 275 days ago [-]
But why is this better than running a VPN client on your PC? For example, when I want to watch streams restricted in my country, I fire up the ExpressVPN client on my laptop, connect to Switzerland, and then my restrictions disappear. Why should I get another piece of hardware, wires and complexity (what happens when this box doesn't connect to the internet but it has no keyboard, display or mouse to guide troubleshooting?)
cpuguy83 275 days ago [-]
Because Tailscale is a [1] direct connection. No middleman service with access to your traffic.

[1] In some cases this is not possible and there are relays setup to help route traffic. What's in the traffic is opaque to these nodes. You can also choose to use your own nodes. If you are interested here is a great post on how this works: https://tailscale.com/blog/how-nat-traversal-works/

lxgr 275 days ago [-]
Most streaming services block commercial VPNs and even data center IP ranges at this point.

Some VPN vendors bypass that by reselling access to residential IPs (witting or unwitting on the side of the person paying for the ISP service), but even that is hit and miss.

> Why should I get another piece of hardware

Many people already have an Apple TV or Android TV streaming box.

aspenmayer 275 days ago [-]
The GL.iNet routers have a mobile and desktop config site and buttons to configure/reset the device as well as a two-position hardware switch, the function of which is configurable also. This is not to mention they can run OpenWRT/LEDE and there are vendor created “clean” firmware images to do so. They’re one of the best devices for this use case and price point. I don’t think the situation you’re worried about is a reasonable concern for someone already expected to be competent to manage the router generally to begin with, and if they also want to do the things Tailscale does, they can and should be able to troubleshoot the problem space. The stock firmware is a modified OpenWRT with a web GUI and some optional extras, but it’s the most functional consumer router I’ve used.
bawana 273 days ago [-]
Thank you for your replies but I think my density is getting the better of me. When I want to pretend I am in Switzerland, my VPN client connects to an exit node there through an encrypted tunnel between my machine and the VPN service's exit node. If I have an Apple TV in my home running Tailscale, how can I make it talk to the internet through an exit node in Switzerland? My understanding is that I cannot. If I run Tailscale on my Apple TV and then travel to Switzerland, can I connect to my Apple TV and watch shows in Switzerland from it? But how can I get through my home firewall / NATted router to my Apple TV? Is there a Tailscale client that I run on my laptop that finds my Apple TV running Tailscale?
mc10 271 days ago [-]
Tailscale recently announced an integration with Mullvad [1] that is probably what you're looking for: Mullvad's VPN servers act as Tailscale exit nodes, and they have servers in countries around the world. This lets any of your existing Tailscale nodes route traffic through Mullvad.

[1]: https://tailscale.com/blog/mullvad-integration/

miki123211 276 days ago [-]
> With up to three users available on our Free plan, you’ve got tools to make a media drive available to other trusted people in your life. You can share a collection of family photos and home videos into a faraway relative’s tailnet, without worrying about locking down the server for public internet access.

It's important to point out here that, in addition to this, the free plan also lets you send invite links to specific devices, which other people can add on their own accounts. That way, nobody has to go for the (quite expensive and obviously company-focused) free plan, you can share your device with as many friends as you like, and you're not sharing anything else beyond that single device.

Operyl 276 days ago [-]
Using it as an always-on exit node is actually a pretty nifty feature, I hadn’t thought about that as a viable feature before now.
cube2222 276 days ago [-]
This is by the way kind of how remote access with apple home works.

The Apple TV serves as a local gateway relaying all the commands to your local IoT devices.

On a side note, tailscale is lovely. I have nothing but good things to say about them.

Operyl 276 days ago [-]
Yup, either a HomePod, Apple TV, or iPad left at home can act as a HomeKit hub.
ericswpark 276 days ago [-]
Just an FYI, but iPads can no longer be used as a HomeKit hub as of last year: https://support.apple.com/en-us/HT213481

(Yes, you can technically use an iPad as a hub if you are on the old Home architecture)

Operyl 276 days ago [-]
Good change, then! It wasn’t a great experience for most people. iPads are rarely static home fixtures now, and they were the only ones capable of dying.
drcongo 275 days ago [-]
Yeah, that was always a weird choice. The one time I went on holiday without first checking to see which device was acting as my primary home hub it turned out to be my iPad, which I'd taken with me, and all my security cameras were "unavailable" for the week. I'm sure the system is supposed to just switch to a different primary hub in that situation (I have about 15 candidates), but it didn't.
ignoramous 275 days ago [-]
> This is by the way kind of how remote access with apple home works.

Apple killed Back to My Mac, which sounded a lot like Tailscale exit nodes: https://datatracker.ietf.org/doc/html/rfc6281

dimgl 276 days ago [-]
Tailscale continues to be one of the more impressive services I've ever used. Going to install this on my Apple TV immediately. I often travel and use public Wi-Fi, so this is massively useful as my PC and my laptop are not always on (so I can't use them as an exit node). Pretty genius honestly.
aaomidi 276 days ago [-]
I’ve been working on bringing tailscale into container networking through a driver, it’s still a work in progress but people might already be interested in trying it out:


nirav72 275 days ago [-]
Thanks for sharing this. I'm thinking this might be useful to run on a VPS and tie to a reverse proxy container. So I could expose services externally without opening up port on my wan side.
drexlspivey 276 days ago [-]
The bigger news is that you can add VPNs on Apple TV with tvOS 17, I had to run it on my router before
fmajid 275 days ago [-]
Still better to run it on your router. Apple’s had VPN leaks, and also exempted its own services from VPN or Little Snitch firewalling. Separation of roles means not having to trust Apple.
ignoramous 275 days ago [-]
Wait until Apple bundles in 5G eSIMs for connectivity for just Apple apps to bypass the physical firewalls.
fmajid 275 days ago [-]
I think SmartTV vendors will get there first.
FireBeyond 276 days ago [-]
I don't care either way, but I did note the ignorance of the elephant in the room as to why 99% of people would care about Tailscale and native VPN support on their Apple TV... and it's not "avoiding sketchy wifi networks".
fotta 276 days ago [-]
> With a Tailscale exit node, you’re in control and you get the internet connection you’re used to. This new feature could come in handy if you’re traveling with your Apple TV and want to access the same geo-restricted channels you can see from home.

They do call this out towards the end.

cassianoleal 276 days ago [-]
How's this supposed to work? If I'm travelling with my Apple TV and use it as an exit node, it's as geo-restricted as I am, wherever I am.
ezfe 276 days ago [-]
This blog post isn't just for using it as an exit node. Traveling with the Apple TV and using Tailscale lets you exit-node back to your house.

Traveling without the Apple TV and the exit-node can be your Apple TV.

cassianoleal 275 days ago [-]
Perhaps the blog post isn't, but the quoted text is:

> With a Tailscale exit node, you’re in control and you get the internet connection you’re used to. This new feature could come in handy if you’re traveling with your Apple TV and want to access the same geo-restricted channels you can see from home.

ezfe 275 days ago [-]
Yes, but the Tailscale exit node referenced in that quote isn't necessarily the Apple TV.
Larrikin 276 days ago [-]
You designated a device at home as the exit node and are using that on your Apple TV in a different location.
unstatusthequo 276 days ago [-]
Because say I want to connect to my own private remote network. I have a server hosted in a datacenter because I self-host. I'd much rather have VPN capabilities than deal with a proxy server and publicly open ports with rules. This is a much tighter way to do things, IMHO.
meowtimemania 276 days ago [-]
The main use case I see is sharing streaming services like youtube TV with family.
zikduruqe 276 days ago [-]
I run my own DNS server at home, and have Tailscale installed on it also. I use this so when I am away from home, I can continue to use it via Tailscale and/or an exit node for full on VPN-like solution.

I can now, move Tailscale off that server, and put it on my Apple TV to use as my network for my DNS server when I am away from the house.

radicaldreamer 276 days ago [-]
You can already do that officially... but maybe not region-locked sports
drewnick 276 days ago [-]
Definitely not region locked sports. My YT TV account is based on the other side of the country and I can't watch our local teams quite frequently. I've been using wireguard and a dedicated wifi network to tunnel through a fiber connection "back home" and it then thinks I am local and all works well. This is much cleaner with tailscale!
sangnoir 276 days ago [-]
It's cheaper if everyone is in the "same household" (i.e. sharing the same public IP as main account)
LoganDark 276 days ago [-]
It's a way to access it remotely without having to forward a port to the whole world. There are other ways to do this, but a VPN is usually the most straightforward option.

It's also a way to proxy your connections through a device at home, of course. Whether the Apple TV is the client or the exit node.

copperx 276 days ago [-]
For sharing Netflix accounts?
fragmede 276 days ago [-]
Arrr, it not be for Netflix.
tredre3 276 days ago [-]
Tailscale isn't useful for piracy. Unless you really want your pirate traffic to always be routed through your home?
tshaddox 276 days ago [-]
The idea is that you host all your pirated media from home, e.g. on a NAS running Plex or Jellyfin, and your home server can stream any of your media to any device (including transcoding it to best fit the device and connection).

Tailscale isn't particularly useful for acquiring the pirated media in the first place, of course.

stirlo 275 days ago [-]
How is this different to running a Plex server on your NAS and streaming directly over regular internet?
FloatArtifact 275 days ago [-]
You do not punch holes through your router's firewall. Therefore it is more secure as a mesh network.
ezfe 276 days ago [-]
Tailscale has Mullvad integration now, so it can be used that way too
nirav72 275 days ago [-]
So the exit node can route traffic through Mullvad VPN?
cellu 276 days ago [-]
I guess it’s more to be able to access the local are stack / jellyfin from everywhere?
unstatusthequo 276 days ago [-]
This is great news! Not only does this make a remote Plex / Jellyfin media server easier to deal with, the Apple TV can be an exit node. Solid work, TailScale!
maxmcd 276 days ago [-]
I'm a little unfamiliar with how Plex routing works. Would this make it so that your Plex connected media servers don't need to be publicly routable and the Plex app will know to connect through the Tailscale network?

Would you need to reconfigure Plex to use the Tailscale IP addresses and then the Apple TV Plex app will stream over that address?

ecliptik 276 days ago [-]
I wrote up a guide [1] on using Plex + Tailscale + HTTPS last year to set up Plex so you don't have to expose it through the Plex relays or set up port forwards for other devices on a Tailnet.

I would assume with this announcement, you can keep Plex private to your Tailnet and an AppleTV also on the Tailnet could use it without any port forwarding.

1. https://forums.plex.tv/t/remote-access-using-tailscale-magic...

SV_BubbleTime 276 days ago [-]
>setup port forwards for other devices on a Tailnet.

Ah. Now I get it.

aaomidi 276 days ago [-]
Depends on how you’ve setup Plex, but you can give it custom access URLs. So you can expose both a public and a private endpoint. Or just a private endpoint, up to you really.
nickvanw 276 days ago [-]
This is useful - using an exit node with an Apple TV is useful as well for navigating around certain tools that are geo-blocked. Before, you'd have to handle it outside of the device which is much more difficult.

I'm going to play around with this later in the week.

mlfreeman 276 days ago [-]
Will this work with Headscale too?
angott 276 days ago [-]
Tailscale dev here: yes, you can set up a custom coordination server in the settings, just like on the iOS app. Open the tvOS Settings app, then scroll down to Tailscale.
vineyardmike 275 days ago [-]
Genuine question: Does Tailscale want people using Headscale?

I'm a free-tier personal user, and a little too cheap to give a for-profit corp money when I don't need to just because "I REALLY like the product". If I use headscale does that just cause a headache for the team, or is it good because it reduces traffic to prod?

I'm too cheap to pay when I don't need to, but it's such a great product (esp for free) that I'd gladly change how I use the product to be less expensive or problematic.

hzia 275 days ago [-]
Thank you so much for that!! I wondered about this as well. Love how above and beyond you guys are going to support other OSS implementations <3
xeonmc 275 days ago [-]
Is it possible to transparently embed Tailscale into a game to only talk to your self-hosted Headscale server?

Also, is it in theory possible to use WebRTC to negotiate Wireguard connections and not use any control plane?

bananapub 275 days ago [-]
> Is it possible to transparently embed Tailscale into a game to only talk to your self-hosted Headscale server?


> Also, is it in theory possible to use WebRTC to negotiate Wireguard connections and not use any control plane?

you can write code to do whatever you want I guess, but that's nothing to do with tailscale

b555 276 days ago [-]
can anyone share documentation/paper/video with eli5 of tailscale?

I recently read this with Mullvad too and feel stupid that I don't intuitively understand how it works, and what it does and why it's needed.

simonw 276 days ago [-]
It's WireGuard with a really nice UI.

WireGuard is an outstanding mechanism for building secure virtual private networks.

You can run WireGuard on a bunch of different machines (or virtual machines) spread all over the world and give them the ability to talk to each other as if they were on the same LAN, with every packet fully encrypted.

Tailscale has productized this. They wrote software for a bunch of platforms that makes it trivial to connect those machines to your "tailnet" - effectively a WireGuard network which their software manages for you.

They tie this to SSO - so you can install their software on your phone and your home server, sign them both in using Google SSO or similar, and now they're able to talk to each other on a secure virtual network.

I suggest trying the Tailscale setup process to really understand how good it is.

hot_gril 276 days ago [-]
So it's a VPN, right?
vineyardmike 275 days ago [-]
Its utility is as an "overlay network", but using traditional VPN technology. Yes, it is a virtual network, and it's private, but it's not intended to be used to exit to the internet in a controlled manner, as VPNs are often advertised as.
hot_gril 275 days ago [-]
Well, the original purpose of a VPN was more as a private LAN (as Tailscale seems to advertise itself as) than as a way to exit to the Internet somewhere else. And it does both still.

Seems like Tailscale is a very souped up VPN, though. You can add more nodes to the network easily, and even have multiple gateways to the Internet.

derefr 275 days ago [-]
> Well, the original purpose of a VPN was more as a private LAN

You're conflating two concepts.

An "oldschool" VPN connection (using e.g. IPSec) is something that allows your computer to remotely "join" a real, physical LAN. It's basically equivalent to running PPP over IP: your computer "dials up" a daemon running on a server somewhere; that daemon accepts a stream of raw packets from your computer's network stack; and then that daemon dumps those packets out through one of the server's NICs onto a local network segment — where those packets are then handled by the switch they run into as if your computer was directly plugged into that switch. So your computer can acquire an IP address for its VPN "bridge" interface via DHCP from the switch; can talk to other devices on that private network through the switch; can talk to the Internet via NAT through that switch; etc.

Tailscale, meanwhile, creates a software-defined virtual LAN on top of p2p mesh networking of the nodes. There's no actual network segment anywhere that your packets are being dumped out onto; the "switch" handling your packets is a shared distributed abstract-machine that's partly running on your Tailscale client, and partly running on the other nodes' Tailscale clients. That virtual LAN doesn't have a routing table + NAT on it to translate packets into Internet-bound packets. Nor does the LAN have the ability to host L2 services like DHCP. It's just a functional L3 simulation of an L1 network segment, not a faithful emulation of an L1 network segment.

hot_gril 275 days ago [-]
Ah, makes sense. I realized Tailscale was a virtual network but forgot that a VPN doesn't include that functionality.
ezfe 276 days ago [-]
It's kinda a VPN.

Tailscale on its own is a mesh network that allows your devices to communicate (in a VPN, technically, yes) between themselves.

If you have an exit node, then you can route your traffic to that exit node in the way most people think of a VPN.

It also has Mullvad integration, providing Mullvad servers as exit nodes.

If you use an exit node, then it's functionally equivalent to a VPN with fancy features.

efxhoy 275 days ago [-]
It makes setting up your own peer to peer VPN between your devices.


SparkyMcUnicorn 276 days ago [-]
Tailscale is basically wireguard in a seamless UX wrapper, and a bunch of nice (optional) things added on top like ACLs/2FA/MagicDNS/ssh.


Larrikin 276 days ago [-]
You have a home server, could be home assistant, a Raspberry Pi, your desktop computer. Access that server and all services on your phone or laptop from anywhere without figuring out ports and worrying about your server being pwned. It all looks like local traffic.

Set the DNS server on your phone to a Pi running AdGuard Home and block all ads and trackers when on 5G, not just in the browser.

Travel abroad with your laptop and designate your computer at home as an exit node and now all the traffic on your laptop looks like it is coming from that country.

Those are just the use cases I am using personally.

angott 276 days ago [-]
This blog post is a very good technical read (and the diagrams are really cool too): https://tailscale.com/blog/how-tailscale-works/
rhinoceraptor 275 days ago [-]
It connects all of your computers and devices in a way that feels magical. For example, if I have a Plex server named myplex on port 80 at home, and if I want to access it from my laptop, I just go to http://myplex.

It doesn't matter if I'm at home or anywhere else, if I have internet then that just works. I don't have to open a port on my router, configure DNS, or anything like that, I just install and run Tailscale.

duped 276 days ago [-]
You're on a team of 10 people with 20 different machines between you and want to securely send/receive files, spin up servers and talk to them, etc.

Tailscale makes this really easy, and fast.

ecliptik 276 days ago [-]
It's a 90s LAN, but with encryption and accessible from anywhere.
idoescompooters 272 days ago [-]
This is pretty awesome, but only makes sense if you've already got an AppleTV. The price difference between the Apple TV and a Raspberry Pi is definitely non-negligible. Also, you probably want the Apple TV with ethernet which is extra $$.

Personally, I don't care about TV so I won't be using one anyway.


ShakataGaNai 275 days ago [-]
This is very cool, and very useful.

For the average, non-technical user, Apple TV as an exit node for other devices while traveling is super cool.

But for someone who is out of the country for a duration, it's also super handy. Netflix knows all the popular VPN providers and ban hammers them on a regular basis. But being able to use my Apple TV to watch my normal Netflix (or whomever) from any other country... because they think I'm at home? Super win.

fragmede 275 days ago [-]
Network engineers watching rtt/packet latency very closely can still tell that something fishy is up, but Netflix doesn't really want to block VPNs, they just have to pretend to care enough so that the labels don't pull their content.
lstamour 275 days ago [-]
If one forwards traffic through iCloud+ proxy to mask IP address, I wonder if it’s still possible to tell a VPN, from, say, a perfectly legitimate SpaceX satellite signal received on a boat… ;-)
fragmede 275 days ago [-]
no comment
nose-wuzzy-pad 275 days ago [-]
I’ve installed this on a freshly updated AppleTV 4K with Ethernet and for the life of me I can’t get it to work using the Apple TV as an exit node. I’ve enabled it and approved it in the console.

Unfortunately I can’t ping any hosts through it or make any connections. This is in contrast to my other exit node, which is a docker container running tailscaled with user networking. It continues to work just fine.

Any ideas?


pomatic 275 days ago [-]
Are your clients set to use the AppleTV as a gateway? That's a fundamental requirement to ensure the packets your devices send in reply get passed back to the tailscale network.
nose-wuzzy-pad 273 days ago [-]
Yes, the clients I've attempted this with so far (iPhone running tailscale) I have configured to use the Apple TV as an exit node. When I do so, there is no internet connectivity. When I switch it to another exit node I have in my tailnet it works flawlessly.
lxgr 275 days ago [-]
That's amazing!

I've already been using it in a very similar way on a Chromecast (the one running Android TV), which made me use my Apple TV less and less, to the point where I actually unplugged it. This might just be its ticket back to an HDMI port :)

nirav72 275 days ago [-]
whoa. I'm going to try installing tailscale on the googletv chromecast dongle. Because one of the biggest issues with Chromecast was that it and the device casting from had to be on the same wireless LAN. So when traveling I had to either use a travel router or turn my phone/tablet into an AP. Tailscale might solve that. I already use tailscale for everything else. Just never thought about installing it on Googletv chromecast. Thanks for the suggestion.
lxgr 275 days ago [-]
You still won't be able to actually cast to a Chromecast device unfortunately, since that requires mDNS to work, which only works in the same broadcast domain (i.e. you'd need an L2 VPN, but Tailscale is L3).
Stem0037 275 days ago [-]
Cool! It sounds like a pivotal upgrade, offering both convenience and enhanced security features. I love using Apple TV as the router in my home; when paired with Headscale, it's simply perfect.
sohrob 276 days ago [-]
Awesome news and boosts the utility of the Apple TV tremendously.
Timber-6539 275 days ago [-]
I wish they would work on their Android client.

It's got a long-standing request to add split tunnelling [0] (a standard feature on pretty much every VPN client you'll come across). But it seems in the spirit of re-inventing existing networking technologies, Tailscale also decided to re-invent what a VPN client does.

This alone makes me give this otherwise wonderful project a pass despite all the deservingly good press it gets.

[0] https://github.com/tailscale/tailscale/issues/6912

garyclarke27 275 days ago [-]
That's great tvOS now allows VPN - hopefully NordVPN will now release on Apple TV App Store. NordVPN runs great on Amazon Firestick - works for BBC Iplayer and ITVX when you're outside UK.
syntaxing 276 days ago [-]
Is it possible to run a plex or jellyfin server on an Apple TV like a Nvidia Shield? If so, I might seriously consider getting an Apple TV just to run as a media server.
billyhoffman 276 days ago [-]
Sadly an Apple TV can't also be the media server (at least for something like Plex). But just about anything else can run media server, and you can go really low end especially if you don't need it to transcode your media. Some software like Infuse will stream the original media file to the Apple TV, and the transcoding happens on device.
tshaddox 276 days ago [-]
True, but of course if you already have a media server, it can almost certainly already act as a Tailscale exit node.
syntaxing 276 days ago [-]
I more or less have everything running through an N100 and it has been great. Would have been awesome to replace it with an Apple TV though
hapticmonkey 275 days ago [-]
AppleTV can't act as a media server. But as a client it's fantastic.

An AppleTV with an app like Infuse will flawlessly play back 4K HDR or Dolby Vision videos client side (no transcoding) as well as 7.1 lossless TrueHD audio. Unfortunately it won't do TrueHD Atmos.

zakki 276 days ago [-]
I wish there were Tailscale for LG TV.
tacticalturtle 275 days ago [-]
Switching from WebOS on my LG TV to the Apple TV as the primary interface was honestly one of the best consumer decisions I’ve made this year.

LG TVs get slower and more ad-laden with each update.

ilteris 276 days ago [-]
Never heard of tailscale before. Is it similar to Plex?
nerdbert 275 days ago [-]
Nope, it's a tool for building a private network among machines which can be geographically and internetically distributed. So, more or less a VPN, but not particularly in the sense that people use it today (which is effectively a glorified proxy server).
klinquist 276 days ago [-]
This makes it much easier to use the Xfinity Stream app on your "travel appletv" :)
Spooky23 276 days ago [-]
Can you use this to appear to be in another place for blackout avoidance purposes?
dangoodmanUT 275 days ago [-]
jedberg 276 days ago [-]
> But even if you don’t have a media server to connect to, you can use Tailscale’s Apple TV app to select another device in your tailnet ... to use as an exit node. This will route all your Apple TV’s traffic through that connection ... making your traffic appear to originate from the machine of your choice.

Oh look all of those family Netflix devices are in one home again!
