this post was submitted on 02 Mar 2026
53 points (100.0% liked)

Selfhosted

selfhosted@lemmy.world
57200 readers
496 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
53
Tailscale n00b questions (reddthat.com)
submitted 3 days ago* (last edited 3 days ago) by mrnobody@reddthat.com to c/selfhosted@lemmy.world
19 comments fedilink hide all child comments
 

Playing around with a new self-host NAS OS, finally thought about Tailscale. But, I see it wants a login to an account. Checking online, seems I have to use Google, Apple, MS, Github or OIDC (which iassume costs money based on the site).

So how tf y'all setting to your tail scale stuff? I'm not using a big brother us tech account for auth on this thing. Think I'd rather go back to regular wireguard if that's the case.

Edit: OK I see you can use regular email. It didn't load the webpage correctly the first time or I missed it. Odd. Anyway, I do don't want an account add I don't want to risk any data compromise at some point

you are viewing a single comment's thread
view the rest of the comments
[–] irmadlad@lemmy.world 6 points 3 days ago* (last edited 3 days ago) (5 children)

I don’t want to risk any data compromise at some point

What data compromise are you worried about?

  • End-to-End Encryption: Tailscale utilizes WireGuard
  • No Centralized Servers: Tailscale creates a direct peer-to-peer connection between devices
  • Minimal Metadata: Tailscale may collect some metadata to facilitate connections, but this info does not include the content of your data.
  • User-Controlled Access: You have control over which devices can connect
  • Tailscale does not, and cannot inspect your traffic

I'm not the Tailscale sales person. Go with whatever suites your threat model. I am just curious what data compromise you are concerned with. If it's the metadata aspect, you already blew that away when you made the post here at Lemmy, even assuming you are using a VPN.

[–] meschbach@piefed.social 5 points 2 days ago (2 children)

Just a heads up: Headscale will use the official Tailscale DERP servers to resolve NAT traversal.

https://tailscale.com/docs/reference/derp-servers

[–] Toribor@corndog.social 1 point 18 hours ago* (last edited 18 hours ago)

Headscale includes an embedded DERP server but you need to enable it. Their example yaml has it disabled by default, which I assume is because it needs to be publicly available on the internet, requires HTTPS, and thus a certificate and other network/security considerations.

[–] irmadlad@lemmy.world 2 points 2 days ago (1 child)

I know you're trying to tell me something brother, but at this moment in time, I seem more stupid than normal, so if you would, unpack that for me in relation to what I was explaining to OP about Tailscale security.

[–] Toribor@corndog.social 3 points 18 hours ago* (last edited 18 hours ago) (1 child)

DERP is the service that actually relays packets between tailscale connected devices when they are crossing a NAT (leaving one private network and going across the internet to another private network).

If you host headscale (the self-hosted community version of the tailscale control plane) and use it with tailscale, by default it will still use the public Tailscale DERP servers. Your traffic is still encrypted and not visible to them, but it does still rely on part of their centralized architecture even though you are hosting the control plane yourself.

That being said, you can just use the embedded DERP that ships with headscale, although there are some other considerations when doing that because it will need to be publicly on the internet, probably with a proper domain name and publicly trusted certificate.

[–] irmadlad@lemmy.world 2 points 16 hours ago

Thanks for explaining. I really didn't mean it as a Headscale v Tailscale. kind of thing as far as data security goes. I've heard a lot of great things about Headscale. OP was just worried about his data being compromised, and I was just pointing out that it's pretty tight.

load more comments (2 replies)