
Does traffic pass through headscale?


Following. I have the same question.

I kinda know it doesn't, but do they get some Metadata? Does the encryption protect me from tailscale as well? Or since tailscale has my keys, they can see my traffic if they wanted to?

Tailscale doesn't have your keys.

Both the servers, Headscale and Tailscale, coordinate the key exchange, but that happens peer to peer.

The Tailscale servers have access to some metadata: the IP addresses and IDs of the nodes, what OS, client version, what node they're connecting to. But they can't see any of the data.


According to the documentation, there are limited circumstances where the Tailscale protocol is unable to establish a direct connection and requires relaying the traffic through a so-called DERP server. It seems `headscale` provides an embedded DERP server, meaning it could in principle have to relay traffic (but that should not be the norm).

No, traffic won't pass through it, and would use a DERP server instead, which is analogous to STUN servers for SIP. Traffic is encrypted between the nodes, and the only major part that concerns me is that you could MITM this in the same way that Facebook does with WhatsApp and the e2e encryption there, but this doesn't keep me up at night and I use Tailscale and Headscale on my personal systems, and full Tailscale on professional systems.

Unless you enable the DERP relay feature of course...
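The practical question behind the comments above is "is my traffic actually being relayed right now?" The following is an added example, not code from the thread, from Tailscale or from headscale: it classifies each peer in the JSON that `tailscale status --json` prints as direct, relayed, idle or offline. It assumes the field names `Peer`, `HostName`, `Online`, `Active`, `CurAddr` and `Relay` and the CLI's own rule that an active peer with an empty `CurAddr` and a non-empty `Relay` is going through DERP; the status document embedded below is constructed (TEST-NET addresses), not captured from a real tailnet.

```python
import json
import subprocess

# Constructed sample shaped like `tailscale status --json`, trimmed to the fields this
# script uses. "Relay" is the peer's home DERP region; "CurAddr" is the UDP endpoint
# when a direct path exists. Addresses are RFC 5737 TEST-NET, not real hosts.
SAMPLE_STATUS = json.dumps({
    "BackendState": "Running",
    "Peer": {
        "nodekey:aaa": {"HostName": "laptop", "Online": True, "Active": True,
                        "CurAddr": "203.0.113.10:41641", "Relay": "fra"},
        "nodekey:bbb": {"HostName": "office-nas", "Online": True, "Active": True,
                        "CurAddr": "", "Relay": "fra"},
        "nodekey:ccc": {"HostName": "phone", "Online": True, "Active": False,
                        "CurAddr": "", "Relay": "nyc"},
        "nodekey:ddd": {"HostName": "old-pi", "Online": False, "Active": False,
                        "CurAddr": "", "Relay": ""},
    },
})


def classify_peers(status_json: str) -> dict:
    """Map each peer's hostname to (state, detail).

    Assumed semantics (mirrors how the `tailscale status` CLI prints a peer):
      - not Online            -> "offline"
      - Online but not Active -> "idle": no recent traffic, so no path is in use yet
      - Active with CurAddr   -> "direct": WireGuard packets go peer-to-peer over UDP
      - Active, no CurAddr    -> "relayed": packets are forwarded by the DERP region
    A relayed path still carries only WireGuard ciphertext; DERP cannot read it.
    """
    status = json.loads(status_json)
    paths = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName") or peer.get("DNSName") or "<unknown>"
        if not peer.get("Online", False):
            paths[name] = ("offline", "")
        elif not peer.get("Active", False):
            paths[name] = ("idle", peer.get("Relay", ""))
        elif peer.get("CurAddr"):
            paths[name] = ("direct", peer["CurAddr"])
        elif peer.get("Relay"):
            paths[name] = ("relayed", peer["Relay"])
        else:
            paths[name] = ("unknown", "")
    return paths


def relayed_peers(status_json: str) -> list:
    """Hostnames whose traffic is currently going through a DERP relay."""
    return sorted(n for n, (state, _) in classify_peers(status_json).items()
                  if state == "relayed")


def live_status() -> str:
    """Fetch the real document from the local tailscaled (needs the tailscale CLI)."""
    return subprocess.run(["tailscale", "status", "--json"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Use the constructed sample so the script runs offline; swap in live_status()
    # on a real node to see which peers are actually being relayed.
    for name, (state, detail) in sorted(classify_peers(SAMPLE_STATUS).items()):
        print(f"{name:12} {state:8} {detail}")
    print("relayed:", relayed_peers(SAMPLE_STATUS))
```

For a one-off check without a script, `tailscale ping <peer>` reports whether each pong came back over a direct endpoint or via a DERP region, which is the same distinction the classifier makes; a peer that stays on DERP usually means both sides are behind NATs that block UDP hole punching, and, as the thread notes, the relay only ever sees WireGuard ciphertext either way.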
