I use a similar setup, but for anyone following this guide I would not recommend hosting your custom OIDC server behind the same tailnet it authorizes.
Any configuration issues will lock you out entirely, and you will need to have Tailscale support re-enable an OAuth provider, and it's not reversible.
I use an OAuth provider to log in to Tailscale, and Keycloak internally as an OIDC provider for service-to-service auth.
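The circular dependency the comment above warns about (an identity provider that is only reachable through the tailnet it authorizes) is easy to catch before it bites. The script below is an added example, not code from this thread or from Tailscale: it lints an OIDC issuer URL and flags it when the host is a MagicDNS name (`*.ts.net`) or resolves to an address in the ranges Tailscale hands out (IPv4 `100.64.0.0/10`, IPv6 `fd7a:115c:a1e0::/48`). The `FAKE_DNS` table and all hostnames in it are constructed so the example runs offline; `system_resolver` is what you would pass for a real check.

```python
"""Pre-flight lint: does an OIDC issuer URL only resolve inside the tailnet?

Added illustration, not code from the thread. Hostnames, IPs and the FAKE_DNS
table are constructed test data.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlparse

# Address ranges Tailscale assigns to nodes (IPv4 CGNAT block, IPv6 ULA block).
TAILSCALE_RANGES = [
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
]
MAGICDNS_SUFFIX = ".ts.net"   # MagicDNS names only resolve for tailnet peers

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver (network access; for real runs only)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_tailscale_address(addr: str) -> bool:
    """True if the address falls in one of Tailscale's node ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TAILSCALE_RANGES)


def issuer_problems(issuer: str, resolve: Resolver = system_resolver) -> List[str]:
    """Return reasons the issuer is tailnet-bound; an empty list means it is fine."""
    problems: List[str] = []
    parsed = urlparse(issuer)
    host = parsed.hostname
    if parsed.scheme != "https" or not host:
        return [f"issuer must be an https URL with a host: {issuer!r}"]
    if host.lower().endswith(MAGICDNS_SUFFIX):
        problems.append(f"{host} is a MagicDNS name; only tailnet peers can resolve it")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal in the URL
    except ValueError:
        addrs = list(resolve(host))
    if not addrs and not problems:
        problems.append(f"{host} does not resolve")
    for addr in addrs:
        if is_tailscale_address(addr):
            problems.append(f"{host} resolves to {addr}, a Tailscale address")
    return problems


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "idp.example-tailnet.ts.net": ["100.101.102.103"],
    "login.example.com": ["203.0.113.10"],
    "keycloak.internal.example.com": ["100.64.0.7", "10.0.0.7"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in (
        "https://login.example.com",
        "https://idp.example-tailnet.ts.net",
        "https://keycloak.internal.example.com/realms/infra",
        "https://[fd7a:115c:a1e0::1]/realms/infra",
    ):
        found = issuer_problems(url, fake_resolver)
        print(url, "->", "OK" if not found else "; ".join(found))
```

A hostname that answers with both a tailnet address and a routable one still gets flagged, because whichever address a client picks first decides whether the login page loads when the tailnet is down.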
Sounds a bit like a fancier ngrok.
Accidentally wiring everything to everything else sounds kind of scary.
There are one or two things I wouldn't mind securely exposing to the internet (like Plex), but nothing I need so desperately while I'm out and about that I'd even want to take that risk.
Sounds like this is just for self-hosting?
Speaking of SSH, Tailscale has special support for it whereby it handles any incoming connection to port 22 from the Tailscale network, and deals with authentication itself. No public keys or passwords: if you’re logged into Tailscale you can be logged into the machine. This is particularly handy when you SSH from a phone, as proper credential management is a bit of a nightmare there.
This has me worried. I would not want that. I use ZeroTier, not Tailscale, but the principle is the same. I have my laptops and my phone connected to my servers. Given that all of those machines are already on the internet, connecting them into a virtual network does not add any risk in my opinion (at least as long as you don't use features like the above). All I get is a known IP address for all my devices, with the ability to connect to them if they have an SSH server running. When I am outside, the primary benefit is that I can tell which devices are online.
This feature isn't enabled by default.
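To make the two replies above concrete: Tailscale SSH only handles port 22 on a node that has opted in with `tailscale up --ssh`, and the tailnet policy file then has to allow the connection, both through an ordinary `acls` entry reaching port 22 and through an `ssh` rule naming the source, destination and login user. The evaluator below is an added example, not code from the thread or from Tailscale; it is a deliberate simplification of the documented policy format (no host aliases, nested groups, IP selectors or port ranges) so that a policy can be checked offline. The policy text, users and node names are constructed.

```python
"""Simplified evaluator for the 'ssh' section of a Tailscale policy file.

Added example, not Tailscale's real evaluator. The sample policy, logins and
nodes below are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Node:
    name: str
    tags: Set[str] = field(default_factory=set)
    owner: Optional[str] = None   # login of the owning user (untagged nodes)
    ssh_enabled: bool = False     # True once the node ran 'tailscale up --ssh'


# Constructed policy (real files are HuJSON and may contain comments).
POLICY_TEXT = """
{
  "groups": {"group:ops": ["alice@example.com", "bob@example.com"]},
  "tagOwners": {"tag:server": ["group:ops"]},
  "acls": [
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:server:22"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]}
  ],
  "ssh": [
    {"action": "check", "src": ["group:ops"], "dst": ["tag:server"],
     "users": ["autogroup:nonroot"], "checkPeriod": "12h"},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"],
     "users": ["autogroup:nonroot", "root"]}
  ]
}
"""
POLICY = json.loads(POLICY_TEXT)


def src_matches(sel: str, login: str, policy: Dict) -> bool:
    """Does a 'src' selector cover this logged-in user?"""
    if sel in ("*", "autogroup:member"):
        return True
    if sel.startswith("group:"):
        return login in policy.get("groups", {}).get(sel, [])
    return sel == login


def dst_matches(sel: str, login: str, node: Node) -> bool:
    """Does a 'dst' selector cover this node for this user?"""
    if sel == "*":
        return True
    if sel == "autogroup:self":          # the user's own untagged devices
        return not node.tags and node.owner == login
    if sel.startswith("tag:"):
        return sel in node.tags
    return sel == node.name


def user_matches(sel: str, unix_user: str) -> bool:
    """Does an ssh 'users' entry allow logging in as this local account?"""
    if sel == "autogroup:nonroot":
        return unix_user != "root"
    return sel == unix_user


def acl_allows_port22(policy: Dict, login: str, node: Node) -> bool:
    """The ordinary ACL must already permit reaching the node on port 22."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(src_matches(s, login, policy) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")
            if ports in ("22", "*") and dst_matches(host, login, node):
                return True
    return False


def ssh_decision(policy: Dict, login: str, node: Node, unix_user: str) -> str:
    """Return 'deny', 'check' or 'accept' for login -> node as unix_user."""
    if not node.ssh_enabled or not acl_allows_port22(policy, login, node):
        return "deny"
    decision = "deny"                     # nothing matches: default deny
    for rule in policy.get("ssh", []):
        if not any(src_matches(s, login, policy) for s in rule["src"]):
            continue
        if not any(dst_matches(d, login, node) for d in rule["dst"]):
            continue
        if not any(user_matches(u, unix_user) for u in rule["users"]):
            continue
        if rule["action"] == "accept":
            return "accept"
        decision = "check"                # re-auth required; an accept rule would win
    return decision


DB1 = Node("db1", tags={"tag:server"}, ssh_enabled=True)
DB2 = Node("db2", tags={"tag:server"}, ssh_enabled=False)   # never ran --ssh
ALICE_LAPTOP = Node("alice-laptop", owner="alice@example.com", ssh_enabled=True)

if __name__ == "__main__":
    for login, node, unix_user in [
        ("alice@example.com", DB1, "deploy"),
        ("alice@example.com", DB1, "root"),
        ("carol@example.com", DB1, "deploy"),
        ("alice@example.com", ALICE_LAPTOP, "root"),
        ("bob@example.com", ALICE_LAPTOP, "bob"),
        ("alice@example.com", DB2, "deploy"),
    ]:
        print(f"{login} -> {node.name} as {unix_user}: {ssh_decision(POLICY, login, node, unix_user)}")
```

The point to take from the walk-through: being logged in to the tailnet is necessary but not sufficient. A node that never opted in, a user outside `group:ops`, or a request for `root` on a tagged server all fall through to the default deny, and the `check` action forces a fresh browser re-authentication (every `checkPeriod`) even for users the rule covers.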
> Sounds a bit like a fancier ngrok.
Well, yes and no.
You can use it like ngrok, and I'm sure you could configure wireguard and ngrok to give you something similar to what Tailscale does, but Tailscale does it out of the box, with polished and well built client and server apps.
I'm no infra guy, I'm just a former front-end eng, but it gives me the confidence to expose media centres and file servers etc to "the wild" without it being public.
Using Jellyfin to watch content from my home server on my iPad while I'm away from home is as "easy" as Disney or Netflix with Tailscale: just install the clients and servers and... voilà?
Having all your mobile traffic routed through AdGuard Home (or PiHole) is a game changer. It's also nice using an exit node through my home network whenever I am on public wifi.
Plex already supports remote access via UPnP. https://support.plex.tv/articles/200289506-remote-access/
Tailscale is able to hole punch in scenarios where UPnP is disabled (just good practice) as well as many NAT environments.
To me WireGuard is safer than exposing services directly to the internet.
Sure, it's pretty simple. I had WG provided by a Deciso OPNsense router with an automatic VPN profile on most user devices. All of my infrastructure also had PKI. (I moved recently and have yet to set it up again.)
I love me some Tailscale. But it kills the battery on my phone, and it kills resolv.conf every time I boot WSL. I wish I had better luck.
I use ZeroTier without problems on the phone. Yes, they are no longer open source, but the source is accessible and it's not worth the effort to switch.