Tailscale or IPtables
Hi
I have a cluster with servers around the globe and some backup servers that are mirrors of the main ones.
Until now I have used iptables to whitelist each IP on each server and SSH keys to connect them to each other.
Whenever I change provider or add a new server I need to change each one by hand (I could automate it, but I prefer this way).
Tailscale can serve the same purpose, since I can create a private network that just works.
Should I stay with iptables or change to Tailscale? Do you have another suggestion?
Thanks!
Poll: What do you suggest? (41 votes)
- Tailscale: 41.46%
- IPtables: 36.59%
- Other: 21.95%
Comments
Tailscale is an online service; if you trust them, OK. But I would prefer self-hosted WireGuard.
I was looking at Tailscale since it's easy to set up and has an Android client, which helps a lot when we're on the road.
Wireguard, tinc or zerotier would be better IMO.
I use both iptables and wireguard. iptables permit 100% trusted sources and from everywhere else I log in to one of my two wireguard endpoints first.
I use Tailscale to connect around 30 boxes of my HA setup. In the future I will probably migrate away to WireGuard, but right now Tailscale is very simple to use and it's easy to connect staff members to access the network.
Wireguard + bird = profit
I use netmaker for mesh networking. It's like Tailscale, but it uses the kernel WireGuard instead of the userspace one, which should perform better than a userspace implementation.
I self-host headscale (the Tailscale control plane) too. I use Tailscale as a backup plus easy exit-node switching; I can use any of my Linux machines as a VPN server.
I use Tailscale for all my servers and it's been perfect for me. Adding new servers takes literally two commands, some of them are even only accessible via Tailscale, and I've never had any issues.
iptables is legacy - you should really be using nftables.
Regardless, WireGuard is a better approach instead of whitelisting IP addresses. It's pretty easy to configure, and if each server needs to be able to reach each other server, you could use something like Ansible to deploy a similar config to each server.
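As an added example (not code from any poster in this thread), here is one way to generate the per-server WireGuard full-mesh config that the comment above suggests rolling out with Ansible; the node names, addresses and keys are constructed placeholders.

```python
# Added example, not from the thread: render full-mesh WireGuard configs so
# SSH and backup traffic run over wg0 instead of per-IP iptables whitelists.
# All keys and addresses are constructed placeholders (real keys come from
# `wg genkey` / `wg pubkey`).
from dataclasses import dataclass

WG_PORT = 51820

@dataclass
class Node:
    name: str
    public_ip: str    # address the other peers dial
    wg_ip: str        # address inside the mesh (/24 used here)
    private_key: str  # placeholder; never commit a real one
    public_key: str

def render_config(node: Node, nodes: list[Node]) -> str:
    """wg0.conf for `node`; every other node becomes a [Peer].
    AllowedIPs is one /32 per peer, so WireGuard's cryptokey routing only
    accepts a peer's packets when they carry that peer's mesh address."""
    lines = [
        "[Interface]",
        f"Address = {node.wg_ip}/24",
        f"ListenPort = {WG_PORT}",
        f"PrivateKey = {node.private_key}",
        # Host firewall: accept SSH only when it arrives through the tunnel.
        "PostUp = iptables -I INPUT -i wg0 -p tcp --dport 22 -j ACCEPT",
        "PostDown = iptables -D INPUT -i wg0 -p tcp --dport 22 -j ACCEPT",
    ]
    for peer in nodes:
        if peer.name == node.name:
            continue
        lines += ["", f"# {peer.name}", "[Peer]",
                  f"PublicKey = {peer.public_key}",
                  f"AllowedIPs = {peer.wg_ip}/32",
                  f"Endpoint = {peer.public_ip}:{WG_PORT}",
                  "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"

def render_mesh(nodes: list[Node]) -> dict[str, str]:
    """One config per node, ready for an Ansible copy/template task."""
    return {n.name: render_config(n, nodes) for n in nodes}

# Constructed sample inventory (RFC 5737 documentation addresses).
NODES = [
    Node("eu1", "203.0.113.10", "10.44.0.1", "PRIV_EU1=", "PUB_EU1="),
    Node("us1", "198.51.100.20", "10.44.0.2", "PRIV_US1=", "PUB_US1="),
    Node("ap1", "192.0.2.30", "10.44.0.3", "PRIV_AP1=", "PUB_AP1="),
]
```

`render_mesh(NODES)` returns one wg0.conf per node; adding a server means appending one `Node` and re-deploying, instead of touching every host's iptables rules by hand.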
Isn't WireGuard stable on Android now? A quick search finds things like https://github.com/WireGuard/wireguard-android and the official page states Android support (though that might just be the endpoint code with no official UI). If WireGuard is problematic on Android, OpenVPN may be an option for self-hosting.
If your preference for hand-updating the firewall config is that you fear the automation being a single point of failure (not an unreasonable concern: an unexpected complication in the automation could lock you out of resources in a manner that is much more faff to correct), then consider that Tailscale could represent a SPOF too: if they are down you lose access until they recover.
The same could be true for your own VPN if you self-host, of course.
So you still want some sort of simple route in (i.e. direct SSH without VPN, or a per-server VPN endpoint) from known admin addresses, rather than relying on the VPN for all admin access as well as for the hosts talking to each other.
Tailscale works great for this. I have a bunch of random VMs everywhere and connecting through Tailscale is super easy, leaves no open ports, and makes accessing your servers as easy as accessing something else on your LAN.
You should try zerotier, very reliable