Hacker News: tailscaletomhttps://news.ycombinator.com/user?id=tailscaletomHacker News RSShttps://hnrss.org/hnrss v2.1.1Sat, 18 Apr 2026 05:32:28 +0000<![CDATA[New comment by tailscaletom in "Mullvad on Tailscale: Privately browse the web"]]>Yepp! Strong recommend on using systemd-resolvd, we've observed the least bugs and issues there.

]]>Thu, 07 Sep 2023 17:49:26 +0000https://news.ycombinator.com/item?id=37422803tailscaletomhttps://news.ycombinator.com/item?id=37422803https://news.ycombinator.com/item?id=37422803<![CDATA[New comment by tailscaletom in "Mullvad on Tailscale: Privately browse the web"]]>Userspace mode might be an option (runs without a TUN or doing any system network wiring, at the expense of performance): https://tailscale.com/kb/1112/userspace-networking/

Running Tailscale without privileges is a challenge because tailscaled needs to be able to configure your network, and if you enable Tailscale SSH it also needs to be able to create sessions for configured users. For people who dont need SSH and accept this challenge + maintenance burden, it is possible: https://tailscale.com/kb/1279/security-node-hardening/

]]>Thu, 07 Sep 2023 17:41:39 +0000https://news.ycombinator.com/item?id=37422682tailscaletomhttps://news.ycombinator.com/item?id=37422682https://news.ycombinator.com/item?id=37422682<![CDATA[New comment by tailscaletom in "Tailscale bug allowed a person to share nodes from other tailnets without auth"]]>Yes. Peers added in this fashion would not have been signed by a trusted tailnet-lock key, so clients would refuse to trust them.

]]>Wed, 18 Jan 2023 17:34:10 +0000https://news.ycombinator.com/item?id=34429898tailscaletomhttps://news.ycombinator.com/item?id=34429898https://news.ycombinator.com/item?id=34429898<![CDATA[New comment by tailscaletom in "Tailscale bug allowed a person to share nodes from other tailnets without auth"]]>If you're excited about tailnet lock and want to get on the alpha sooner rather than later, feel free to drop me an email. As Dave mentioned we are slowly crunching through the waitlist to get some miles in, but I'm also happy to take on enthusiastic testers ahead of that!

You can email me at tom@ (tailscale dot com)

]]>Wed, 18 Jan 2023 04:56:53 +0000https://news.ycombinator.com/item?id=34423573tailscaletomhttps://news.ycombinator.com/item?id=34423573https://news.ycombinator.com/item?id=34423573<![CDATA[New comment by tailscaletom in "Tailnet Lock"]]>(Tailscalar and a tailnet lock author here)

If you're okay with trusting Tailscale's control plane, we have a feature for exactly this use case! Its called Device Authorization: https://tailscale.com/kb/1099/device-authorization/

You could also use tailnet lock in this fashion, by issuing a `tailscale lock sign` command for the new node once you've verified the provenance of the new device. Because it involves signatures with keys on your device it could never be as simple as a REST API, but maybe we could offer a more easy to automate command or better client library support (suggestions welcome!)

]]>Thu, 15 Dec 2022 17:08:25 +0000https://news.ycombinator.com/item?id=34002537tailscaletomhttps://news.ycombinator.com/item?id=34002537https://news.ycombinator.com/item?id=34002537<![CDATA[New comment by tailscaletom in "Tailnet Lock"]]>(Tailscalar and a tailnet lock author here)

Thanks for the feedback!! Writing the documentation for how this worked was a challenge, and its good to hear what pieces we need to call out more strongly in the future.

If you're interested in gory details around tailnet lock internals, we have the beginnings of a whitepaper here: https://tailscale.com/kb/1230/tailnet-lock-whitepaper/

]]>Thu, 15 Dec 2022 16:52:17 +0000https://news.ycombinator.com/item?id=34002280tailscaletomhttps://news.ycombinator.com/item?id=34002280https://news.ycombinator.com/item?id=34002280