Is anyone else using Tailscale? How do you make use of it? I’ve been using it for a few years. I’ve used it with Open Media Vault, for SSH access into LAN machines, etc.
I use it for my NAS to NAS backup. I was really confused when I saw a 100.x.x.x address. I thought my stuff was exposed, but then I learned that the address space was reserved for CGNAT and felt better.
But I love it so far. Really good, free service.
A coworker introduced me to ZeroTier a few years back, and I immediately took to it – I created a ZT network for “all the things” – but then I decided I wanted to (re)learn routing, so I switched to WireGuard. I looked at Tailscale, but decided free WireGuard is enough for me. Yes, there’s a free tier at Tailscale, and maybe I should check it out, but for now I’m just using WG.
I love this type of solution: I have completely blocked SSH to my servers – the only way to get to them is to get onto my ZT/WG network, or DigitalOcean console (which is behind 2FA, so good luck with that). The only open ports to my system are related to SMTP, HTTP, or WG.
I did something similar with my SSH; I wouldn’t recommend it. I also only allowed SSH via my WG network, until I nuked the WG0.config file. On reboot I couldn’t access my VPS at all and had to destroy it. (I didn’t have a console like AWS does.)
But for open-source coolness, I use this WG container: wg-easy.
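Added example, not part of any post in this thread: a pre-reboot guard for the lockout described above, where SSH is reachable only over WireGuard and the tunnel config goes missing. It assumes a wg-quick style config file; the function names and the backup path are hypothetical choices, not from the thread.

```shell
#!/bin/sh
# Added example: refuse to reboot when the WireGuard config SSH depends on is broken.
# Assumes a wg-quick style file; function names and backup path are hypothetical.

# Return 0 if the file has an [Interface] with a PrivateKey and at least
# one [Peer] carrying both PublicKey and AllowedIPs.
wg_conf_ok() {
    [ -s "$1" ] || return 1                  # missing or empty file
    awk '
        function close_peer() { if (sec == "peer" && pk && ips) peers++ }
        { line = tolower($0); gsub(/[ \t\r]/, "", line) }
        line == "" || line ~ /^#/ { next }   # blank lines and comments
        line == "[interface]" { close_peer(); sec = "iface"; next }
        line == "[peer]" { close_peer(); sec = "peer"; pk = ips = 0; next }
        line !~ /=./ { next }                # key with no value does not count
        {
            key = line; sub(/=.*/, "", key)
            if (sec == "iface" && key == "privatekey") priv = 1
            if (sec == "peer" && key == "publickey") pk = 1
            if (sec == "peer" && key == "allowedips") ips = 1
        }
        END { close_peer(); exit !(priv && peers > 0) }
    ' "$1"
}

# Validate the live config. If it is valid, refresh the backup; if it is broken,
# restore the backup when that one validates. Returns 1 when a reboot would
# leave the host with no working tunnel.
wg_preflight() {
    conf=$1 backup=$2
    if wg_conf_ok "$conf"; then
        cp -p "$conf" "$backup" || echo "warning: backup not refreshed" >&2
        echo "ok: $conf is valid"
        return 0
    fi
    if wg_conf_ok "$backup"; then
        cp -p "$backup" "$conf" || return 1
        echo "restored $conf from $backup"
        return 0
    fi
    echo "STOP: no valid WireGuard config, do not reboot" >&2
    return 1
}

# Usage (paths are assumptions):
#   wg_preflight /etc/wireguard/wg0.conf /root/wg0.conf.bak && reboot
```

The check is structural only: it does not prove the keys or endpoints are correct, so an out-of-band console remains the real fallback.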
@Ben, thanks - that’s really cool. I’m going to have to check that out, and I hope it can be run behind Traefik (I run everything behind Traefik).
My use case is a little different from yours: If I lose SSH access, I will log into the console, since my VMs are at DigitalOcean, and DigitalOcean provides a nice web console.
I also run the WG web UI behind Traefik (I also run everything behind Traefik). Works very well.