The official Tailscale subreddit. Not routinely monitored by Tailscale employees. Please contact support via https://tailscale.com/contact/support if you need further help.
What are the security risks by using Tailscale as a non technical person?
I really like using Tailscale since it is very easy to install and also very easy to set up, even for a person like me who is not very technical. I just needed to download it and log in via a trusted third party, and everything was done! However, I am a little bit concerned regarding security when using this.
Based on what I have read, it uses WireGuard and everything is encrypted, but I want to know the general security risks of using Tailscale to access, for example, a home server at your home when you are out on vacation. What are the points of possible failure? Can someone snoop on my connection? What are some examples or points where using Tailscale would not be secure? What are some possible ways to mitigate or lessen some of the possible risks?
Your biggest risk is probably overconfidence. Don't expect Tailscale to protect you from all types of attacks.
I think Tailscale is pretty secure...
Go through all of Tailscale's settings, turn on Tailnet Lock, etc.
How secure is your home firewall? I use pfSense.
How secure is your login to Tailscale?
And the email account it is registered to.
Do you have a second factor turned on?
Have you hardened your general login for your home server(s)?
In general, you shouldn't have any ports exposed on your router.
A secure password on a non-standard port for the login page.
All your other container apps are password protected and don't use the same password.
On your machines, are your network drives password protected?
Do you have important network shares set to private (server-accessed only)?
Is everything up to date, so patched for security?
Thank you for giving me this checklist to make my connection and server secure. I will go through these one by one to make sure that everything is as secure as it could possibly be! This is very, very informative for me.
Theoretically, if Tailscale were to be breached or had bad intentions, they would have access to your home server or see what you're doing.
This is avoidable with Tailnet Lock.
You could also run your own coordination server with Headscale.
Yes, leaving it on default settings would allow this to happen.
So if, theoretically, Tailscale were breached or had bad intentions, what things could they obtain exactly? Could they connect to my machines even if they are not advertised as exit nodes? Could they view files on my computer?
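The mechanism the replies above refer to, as an added example that is not part of this thread and not Tailscale's own code: a simplified model of Tailnet Lock. The control server (Tailscale's, or a Headscale instance) still distributes the list of peers, but a locked client only accepts a peer whose node key carries a signature from one of the signing keys the tailnet's members agreed on; the control server does not hold those keys. The peer names, the "rogue" node injected by a compromised control server, and the use of Ed25519 for both node and signing keys are constructed for the example (the real implementation keeps a signed log of signing-key changes, which this model omits). Note what it does not cover: the control server still sees which devices exist and their tailnet IPs, so Tailnet Lock stops rogue nodes from being added, it does not hide the network map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Peer is one entry of the "netmap" the control server pushes to a client.
// Constructed model: in this example the node key is an Ed25519 public key.
type Peer struct {
	Name      string
	NodeKey   ed25519.PublicKey // the peer's identity key
	Signature []byte            // signature over NodeKey by a trusted signing key, or nil
}

// TrustedSigners is the set of signing public keys the tailnet agreed on when
// Tailnet Lock was enabled. It lives on the members' devices, not on the
// control server, so a compromised control server cannot change it.
type TrustedSigners []ed25519.PublicKey

// AcceptPeer returns true only if some trusted signer signed the node key.
func (t TrustedSigners) AcceptPeer(p Peer) bool {
	if len(p.Signature) == 0 {
		return false
	}
	for _, s := range t {
		if ed25519.Verify(s, p.NodeKey, p.Signature) {
			return true
		}
	}
	return false
}

// FilterNetmap models what a locked client does with the peer list the
// control server pushes: keep signed peers, drop everything else.
func (t TrustedSigners) FilterNetmap(peers []Peer) (accepted, rejected []string) {
	for _, p := range peers {
		if t.AcceptPeer(p) {
			accepted = append(accepted, p.Name)
		} else {
			rejected = append(rejected, p.Name)
		}
	}
	return accepted, rejected
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario builds a constructed tailnet: one trusted signing key, one laptop
// signed by it, and two nodes a compromised control server tries to inject,
// one signed by the attacker's own key and one with no signature at all.
func Scenario() (accepted, rejected []string) {
	signerPub, signerPriv := mustKey()
	trusted := TrustedSigners{signerPub}

	laptopPub, _ := mustKey()
	laptop := Peer{Name: "laptop", NodeKey: laptopPub,
		Signature: ed25519.Sign(signerPriv, laptopPub)}

	// The attacker controls the control server and can sign with keys of
	// their own, but never with the tailnet's signing key.
	roguePub, _ := mustKey()
	_, attackerSignerPriv := mustKey()
	rogue := Peer{Name: "rogue-from-control-server", NodeKey: roguePub,
		Signature: ed25519.Sign(attackerSignerPriv, roguePub)}
	unsigned := Peer{Name: "unsigned", NodeKey: roguePub}

	return trusted.FilterNetmap([]Peer{laptop, rogue, unsigned})
}

func main() {
	acc, rej := Scenario()
	fmt.Println("accepted:", acc) // [laptop]
	fmt.Println("rejected:", rej) // [rogue-from-control-server unsigned]
}
```

The point the model makes concrete: with Tailnet Lock the control server is still trusted to route and to hand out the peer list, but it is no longer trusted to decide membership. Without it (the "default settings" case above), whatever the control server pushes becomes a peer with a valid WireGuard key.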
Well, the weak point is the control server. You can run your own (Headscale), but most people aren't gonna do that. So you are relying on the security of the Tailscale team and their cloud-based server. I'm not saying that is a bad idea, but certainly, from a purely "what could go wrong" perspective, it's the weak point. What you can do is minimize the possible attack vector and surface as much as possible. For example, I serve up a Plex server and a couple of other miscellaneous servers over Tailscale. They are physical machines on a separate physical network that is completely [physically] isolated from my "actual" network. So even if a breach were to occur, it wouldn't be the end of the world.
And it has happened once already.
But was patched before anything got through.
But, like you say, defense in layers. Even if they join your tailnet, you should have firewalls on servers and workstations. Even if they can access your network, you should have passwords and services that are patched, etc. Have encryption where appropriate, etc. Enable two-factor for Tailscale SSH, or don't use Tailscale SSH at all.
One risk is that an attacker or malware could spread more readily among all your devices, since they are all connected to the same VPN, which is usually inside the secure perimeter.
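The "go through all of Tailscale's settings" item in the checklist earlier and the lateral-movement risk in the comment just above meet in the tailnet's ACL policy. As an added example that is not part of this thread and not Tailscale's policy engine, here is a simplified evaluator for the core shape of that policy: "accept" rules with src entries (a user, a tag, or "*") and dst entries of the form "host:port", "host:*" or "*:*", with everything not matched by a rule denied. DefaultPolicy is the single rule a fresh tailnet ships with; TightPolicy, the tag names (tag:laptop, tag:homeserver, tag:phone) and the connection attempts are constructed for the example. Group, autogroup and user-ownership semantics of the real grammar are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule is one ACL entry. Only "accept" rules exist in the real policy; there
// is no "deny" rule because anything unmatched is already denied.
type Rule struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"`
}

type Policy struct {
	ACLs []Rule `json:"acls"`
}

// DefaultPolicy is the permissive rule a fresh tailnet starts with: every
// device can reach every port on every other device.
const DefaultPolicy = `{"acls":[{"action":"accept","src":["*"],"dst":["*:*"]}]}`

// TightPolicy (constructed) lets only the owner's laptop reach the home
// server, and only on SSH (22) and Plex (32400). Nothing else is reachable.
const TightPolicy = `{"acls":[
  {"action":"accept","src":["tag:laptop"],"dst":["tag:homeserver:22","tag:homeserver:32400"]}
]}`

func ParsePolicy(raw string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(raw), &p)
	return p, err
}

func srcMatches(entry, src string) bool { return entry == "*" || entry == src }

// dstMatches splits on the LAST colon so that "tag:homeserver:22" is parsed
// as host "tag:homeserver", port "22".
func dstMatches(entry, host, port string) bool {
	i := strings.LastIndex(entry, ":")
	if i < 0 {
		return false
	}
	h, p := entry[:i], entry[i+1:]
	return (h == "*" || h == host) && (p == "*" || p == port)
}

// Allowed reports whether src may open a connection to host:port under p.
// Deny by default: it returns true only when some accept rule matches.
func (p Policy) Allowed(src, host, port string) bool {
	for _, r := range p.ACLs {
		if r.Action != "accept" {
			continue
		}
		srcOK := false
		for _, s := range r.Src {
			if srcMatches(s, src) {
				srcOK = true
				break
			}
		}
		if !srcOK {
			continue
		}
		for _, d := range r.Dst {
			if dstMatches(d, host, port) {
				return true
			}
		}
	}
	return false
}

type Attempt struct{ Src, Host, Port string }

// Attempts are constructed connection attempts; the last two model a
// compromised phone trying to move laterally inside the tailnet.
var Attempts = []Attempt{
	{"tag:laptop", "tag:homeserver", "22"},
	{"tag:laptop", "tag:homeserver", "445"},
	{"tag:phone", "tag:homeserver", "22"},
	{"tag:phone", "tag:laptop", "3389"},
}

// Evaluate returns, for each attempt, whether the policy allows it.
func Evaluate(raw string) ([]bool, error) {
	p, err := ParsePolicy(raw)
	if err != nil {
		return nil, err
	}
	out := make([]bool, len(Attempts))
	for i, a := range Attempts {
		out[i] = p.Allowed(a.Src, a.Host, a.Port)
	}
	return out, nil
}

func main() {
	for name, raw := range map[string]string{"default": DefaultPolicy, "tight": TightPolicy} {
		res, err := Evaluate(raw)
		if err != nil {
			panic(err)
		}
		fmt.Println(name, res) // default [true true true true], tight [true false false false]
	}
}
```

Under DefaultPolicy every attempt succeeds, including the phone reaching SSH on the server and RDP on the laptop, which is the spread-between-devices risk. Under TightPolicy the laptop still gets SSH and Plex and everything else is refused before a packet reaches the host firewall, so the host firewall the comment above asks for becomes a second layer rather than the only one.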
I found this page, as I was also curious about this. What is to prevent a bad actor (say, a disgruntled Tailscale employee) from accessing my home network mappings?