There are several ports open (you don't open them, Tailscale does), including for peer relay. Some are VPN ports, but the ports for relay servers are not for VPN, so my guess is that the software that listens on those ports is a lot less secure (compared to WireGuard or OpenVPN).
Yes, my router has open ports, but it does not do any port forwarding. So I can 'directly' connect to any device behind my router without my router needing to know any specifics of which device that is. And I don't need to do any port forwarding of anything on my network and thus expose them to the whole internet; I just expose them to the users of my Tailscale network (only me).
Within my risk appetite on trusted network segments. I have bigger issues if malware is operational within the trust boundary; it can do what it needs using outbound connections just fine (recon, lateral movement, etc.). Your risk appetite might differ.
Malware. Got any no-name IoT devices on your network? Got some Huawei-built hardware anywhere? Playing some new indie game from developers in Romania?
I had to install OpenWrt on my router so that I could restrict access to UPnP by MAC address to just my gaming PC (IMO this should be standard on any router as an advanced setting; most are just UPnP yes/no) so that I can still play online games.
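An added example (not the commenter's own configuration) of what that restriction looks like in OpenWrt's UCI files: a static DHCP lease pins the gaming PC's MAC address to a fixed IP, and the miniupnpd permission rules then allow port mappings only for that address. The MAC address, IP and hostname are placeholders.

```uci
# /etc/config/dhcp -- pin the gaming PC (placeholder MAC) to a fixed address
config host
	option name 'gaming-pc'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'

# /etc/config/upnpd -- miniupnpd evaluates perm_rule entries in order, first match wins
config upnpd 'config'
	option enabled '1'
	option secure_mode '1'        # a client may only request mappings to its own address
	option external_iface 'wan'
	option internal_iface 'lan'
	option log_output '1'         # log mapping requests to syslog for review

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr '192.168.1.50/32'   # only the gaming PC's pinned address
	option int_ports '1024-65535'
	option comment 'gaming PC only'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'everything else is refused'
```

Apply with `/etc/init.d/miniupnpd restart` after editing; because rules are matched in order, the deny rule has to stay last.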
Peer relays are a bit different from our previously available custom DERP servers. While the custom DERPs do relay traffic, they also require a bunch of configuration and management for their other jobs, and they open up availability concerns that are pretty tough for our average customer.
Conversely, Peer Relays are built on the shoulders of DERP. For example, they don't need to do peer discovery or set connections up end to end; instead, connections are brokered via our DERP fleet and then, in a sense, "upgraded" to an available Peer Relay or direct connection. Because of that, they're super lightweight and much easier to deploy and manage. And they scale horizontally, so you can deploy many peer relays across your network, and they're resilient to downtime (we'll just fall back to DERP).
I'm so confused. What is the difference between a peer relay and a DERP server that is self-hosted?
The issue I have is I'm trying to connect two devices where one is behind a CGNAT that always causes the connection to be relayed, even though the other one is not behind a CGNAT and has proper port forwarding. Would a peer relay solve this? But is it like a DERP, where I have to host it on a VPS separate from my existing two networks, or is this something different, where I can host the peer relay on the network not behind a CGNAT and somehow it will link the two networks through it?
You should be able to stand up a peer relay on an existing Tailscale device, so your proposal is correct! Try setting one of the devices up as a peer relay per the docs here: https://tailscale.com/docs/features/peer-relay
What is the issue with one WireGuard port open? You VPN to the home LAN and everything is there.
The issue with these VPN companies is that they log data, you have to run an agent as root, and there is reliance on several other companies too, like the IdP, etc. Very large attack surface.
If your devices are in one network, like at home, you have all those things with WireGuard too.
Devices in home LAN all talk to each other, so you have a mesh network.
You need keys for your laptop, phone and remote devices only.
Most nodes are in the LAN and don't even need to run the VPN.
With plain WireGuard, you open a single port on a single device. With mesh VPNs you open tons of ports: several ports for coordination, STUN and relay servers, and also every device runs a VPN server listening on a port.
You VPN to home and use your home DNS. You enter ACL rules and the DNS server in your router.
I use a mesh VPN, but I'm thinking of switching back to WireGuard, my older setup.
I have reported theft a number of times, even presented video footage. I was surprised they ask you to fill out bureaucratic paperwork and at the end they do nothing, after all these taxes we pay in Europe.
Linux desktop is amazing. Coming from Debian, I installed Windows and had to quickly purge it from my hardware! Super bloated, slow, constantly phoned some CC center, automatically connected to OneDrive, ...
Debian is a breath of fresh air in comparison. Totally quiet and snappy.
Debian (stable) is great, but I wouldn't use it for a gaming PC on modern hardware. The drivers included are just too old. Bazzite or Arch (DIY option) seem like better options.
Debian Stable gamer here, with modern hardware, having a great time.
> The drivers included are just too old.
This can usually be fixed by enabling Debian Backports. In some cases, it doesn't even need fixing, because userland drivers like Mesa can be included in the runtimes provided by Steam, Flatpak, etc.
Once set up, Debian is a very low-maintenance system that respects my time, and I love it for that.
I don't game, but all my computers run Debian Stable, and my oldest child wastes considerable time gaming on Steam. I had to tweak one or two things for him early on, but it all seems to work fine.
People who don't use Debian misunderstand Stable. It's released every two years, and a subset of the software is kept up to date in Backports. For anything not included in Backports, it's trivial to run Debian Testing or Unstable in a chroot on your Stable machine.
I moved to Debian Stable ~20 years ago because constant updates in other distros always screwed up CUPS printing (among other things). Curiously, I was using Ubuntu earlier this year and the same thing happened. Never going back.