What are the security risks by using Tailscale as a non technical person?

Your biggest risk is probably overconfidence. Don't expect tailscale to protect you from all types of attacks.

I think Tailscale is pretty secure...

  • Go through all of Tailscale's settings, turn on Tailnet Lock, etc.

  • How secure is your home firewall? I use pfSense.

  • How secure is your login to Tailscale?

  • And the email account it is registered to.

  • Do you have a second factor turned on?

  • Have you hardened your general login for your home server(s)?

  • In general you shouldn't have any ports exposed on your router.

  • Secure password on a non-standard port for the login page.

  • All your other container apps are password protected and don't use the same password.

  • On your machines, are your network drives password protected?

  • Do you have important network shares set to private (server access only)?

  • Is everything up to date, so patched for security?
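The checklist above starts with going through Tailscale's own settings. One concrete way to do that from a terminal is to read the machine's view of the tailnet with `tailscale status --json` and flag what deserves a second look: devices whose keys have expired but are still listed, devices advertising themselves as exit nodes, and devices that are offline but still authorized. The script below is an added example written for this page, not code from the thread or from Tailscale; the sample status document is constructed here and only carries the fields the audit reads (`HostName`, `Online`, `Expired`, `ExitNodeOption`, `Tags`), and the host names and IPs are made up.

```python
from __future__ import annotations

import json
import subprocess
from typing import Any, Iterator

# Constructed sample in the shape of `tailscale status --json`, trimmed to the
# fields this audit uses. Host names, keys and IPs are made up for the example.
SAMPLE_STATUS: dict[str, Any] = {
    "Self": {
        "HostName": "laptop",
        "TailscaleIPs": ["100.64.0.1"],
        "Online": True,
        "Expired": False,
        "ExitNodeOption": False,
        "Tags": None,
    },
    "Peer": {
        "nodekey:example-aaaa": {
            "HostName": "homeserver",
            "TailscaleIPs": ["100.64.0.2"],
            "Online": True,
            "Expired": False,
            "ExitNodeOption": True,   # routes other devices' internet traffic
            "Tags": ["tag:media"],
        },
        "nodekey:example-bbbb": {
            "HostName": "old-phone",
            "TailscaleIPs": ["100.64.0.3"],
            "Online": False,
            "Expired": True,          # key expired, device never removed
            "ExitNodeOption": False,
            "Tags": None,
        },
    },
}

# Short issue codes paired with a plain-language explanation for the report.
ISSUE_TEXT = {
    "expired-key": "key has expired but the device is still listed; remove it in "
                   "the admin console if it is no longer used",
    "exit-node": "advertises itself as an exit node, so any device allowed by the "
                 "ACL policy can route its internet traffic through it",
    "offline": "offline but still authorized; check that you still own it",
}


def load_status() -> dict[str, Any]:
    """Read the live status from the local tailscale CLI (requires tailscale installed)."""
    proc = subprocess.run(
        ["tailscale", "status", "--json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def all_nodes(status: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield this device followed by every peer in the status document."""
    yield status["Self"]
    yield from status.get("Peer", {}).values()


def audit(status: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (hostname, issue-code) pairs for everything worth reviewing."""
    findings: list[tuple[str, str]] = []
    for node in all_nodes(status):
        name = node.get("HostName", "<unknown>")
        if node.get("Expired"):
            findings.append((name, "expired-key"))
        if node.get("ExitNodeOption"):
            findings.append((name, "exit-node"))
        if not node.get("Online", False):
            findings.append((name, "offline"))
    return findings


def report(status: dict[str, Any]) -> str:
    """Render the audit as one line per finding."""
    lines = [f"{name}: {ISSUE_TEXT[code]}" for name, code in audit(status)]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    # Use the live tailnet when the CLI is available, else the constructed sample.
    try:
        status = load_status()
    except (FileNotFoundError, subprocess.CalledProcessError):
        status = SAMPLE_STATUS
    print(report(status))
```

Run it on a real machine and every flagged device should have an answer you can give: the exit node is meant to be one, the offline device is yours, and expired devices get removed from the admin console. The script only reads what the local node already knows; it changes nothing.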

Thank you for giving me this checklist to make my connection and server secure. I will go through these one by one to make sure that everything is as secure as I possibly can! This is very, very informational for me.

Theoretically, if Tailscale were to be breached or had bad intentions, they would have access to your home server or see what you're doing.

This is avoidable with Tailnet lock.

You could also run your own coordination server with Headscale.

Yes, leaving it on default settings would allow this to happen.

So if, theoretically, Tailscale was breached or had bad intentions, what things can they obtain exactly? Can they connect to my machines even if they are not advertised as exit nodes? Can they view files on my computer?

Well, the weak point is the control server. You can run your own (Headscale), but most people aren't gonna do that. So you are relying on the security of the Tailscale team and their cloud-based server. I'm not saying that is a bad idea, but certainly, from a purely "what could go wrong" perspective... it's the weak point. What you can do is minimize the possible attack vector and surface as much as possible. For example... I serve up a Plex server and a couple of other miscellaneous servers over Tailscale. They are physical machines on a separate physical network that is completely [physically] isolated from my "actual" network. So even if a breach were to occur, it wouldn't be the end of the world.

And it has happened once already.

But was patched before anything got through.

But like you say, defense in layers. Even if they join your tailnet, you should have firewalls on servers and workstations. Even if they can access your network, you should have passwords and services that are patched, etc. Have encryption where appropriate, etc. Enable two-factor for Tailscale SSH or don't use Tailscale SSH at all.
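The "defense in layers" point above, and the earlier advice to minimize the attack surface for a Plex server shared over Tailscale, can both be expressed in the tailnet's ACL policy. The policy below is an added example written for this page, not the thread author's configuration and not a Tailscale default; the email addresses, the `tag:media` tag and the Plex port 32400 are assumptions chosen for the illustration. It is plain JSON, which Tailscale's HuJSON policy editor accepts as-is.

```json
{
  "groups": {
    "group:family": ["alice@example.com", "bob@example.com"]
  },
  "tagOwners": {
    "tag:media": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self:*"]
    },
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["tag:media:32400"]
    }
  ],
  "ssh": [
    {
      "action": "check",
      "checkPeriod": "12h",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

Reading it rule by rule: the first `acls` entry lets each user reach only their own devices; the second lets the family group reach the media server on the Plex port and nothing else. Because there is no rule with `autogroup:internet` as a destination, no device can use an exit node even if one is advertised, which answers the question asked earlier in the thread about exit nodes. The `ssh` entry uses `"action": "check"`, so Tailscale SSH prompts for re-authentication with the identity provider every 12 hours, which is the "two-factor for Tailscale SSH" option mentioned above, and it only allows non-root users. One caveat that supports the thread's argument: this policy is distributed to the nodes by the coordination server, so it does not by itself protect against a compromised control plane; Tailnet Lock (for who may join) and host firewalls (for what they can reach) remain the other layers.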

One risk is that an attacker or malware could spread more readily among all your devices since they are all connected to the same VPN, which is usually inside the secure perimeter.

I found this page as I was also curious about this. What is to prevent a bad actor (say, a disgruntled Tailscale employee) from accessing my home network mappings?
