June 17, 2020


Joining Tailscale: simplifying networking authentication and authorization


This post was originally published on bradfitz.com.

I used to tolerate and expect complexity. Working on Go the past 10 years has changed my perspective, though. I now value simplicity above almost all else and tolerate complexity only when it's well isolated, well documented, well tested, and necessary to make things simpler overall at other layers for most people. For example, the Go runtime is relatively complex internally, but it permits simple APIs and programming models for users who then don't need to worry about memory management, thread management, blocking, the color of their functions, etc. A small number of people need to understand the runtime's complexity, but millions of people can read and write simple Go code as a result. More importantly, Go users then have that much more complexity budget to work with to build their actual application. I would've never built Perkeep had I needed to fight both its internal complexity and the complexity imposed on me by other contender languages/environments at the time.

All that is to say, simplicity is not only refreshing, but it also enables. Go made me feel productive in a way I hadn't felt in many years where everything just felt like it was getting more complex. Ever since finding Go, I've been regularly hunting for other technologies that provide simplicity as a feature.

I've always found networking and authentication and web apps to be a bit tedious and overly complex. I built LiveJournal back in 1999 (including OpenID for it some years after) and have had little desire since to build other web apps. HTTP authentication and cookies and web security and redirects and OpenID and OAuth and such just aren't very fun. It's not the sort of complexity most developers, especially those writing internal or personal apps, want to deal with.

I somewhat accidentally discovered WireGuard about a year ago. I didn't realize what it enabled at the time; I'd just wanted to connect some networks and devices together. What I discovered is how it also solves a lot of identity/authentication issues.

My parents recently got an RV to do the retiree thing of driving around the country. My dad put a Raspberry Pi on its CAN bus so he could monitor and control its sensors and settings with a little Go HTTP server. Later he added an LTE modem to it and we set up WireGuard so he could access it from his phone remotely. When he later wanted to expose a read-only version of its interface to the world, the authn/z check was simple: check the IP address. If it's one of the trusted WireGuard IPs, it can change settings. No cookies, no redirects. And we didn't have to proxy all the traffic through a cloud provider and pay for the bandwidth there as well.

Since then I keep following that same model for all my personal projects and it's been a joy. (I know my homelab is gratuitous and atypical, but I've hit many of the same problems in work projects.)

Unfortunately, my bespoke home configs have grown unwieldy, I have no key rotation, and it's tedious and manual for me to add new devices. This could all really use some nice tooling. (Another thing I learned to love from Go!)

So, I'm going to join Tailscale to help build this, so everybody can enjoy this simplicity, whether they're a hobbyist or large enterprise or anybody wanting the BeyondCorp security model, but at the IP level instead of the HTTP level. You should be able to write private IP/UDP/TCP/HTTP servers where you can check who the user is by looking at the IP address only, and firewall/audit by just looking at the IP address (which Tailscale could also help manage in its tooling). And it shouldn't matter whether all the devices on the network are behind NATs, have IPv6 or not, or are actively roaming around between networks. They should all be addressable and reachable easily, and without modifying applications.

And yes, we want to open source much of this, not only because it's what we enjoy, but also because it'll let you trust us. There will be paid and hosted bits, but more on the business side of things in the future.

There's much to do, and much to figure out, but I'm excited to help build it and to see what sorts of applications can be built with a simple identity connectivity layer at the bottom. I have some ideas in mind, but more on that later too.
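The IP-address-as-identity check described for the RV's Raspberry Pi server, written out as an added example (not code from the post or from Tailscale): a small Go HTTP middleware where reads are open to anyone but anything that changes settings must arrive from a trusted WireGuard subnet. The subnets are constructed for this example; substitute the ranges actually assigned on your wg interface.

```go
package main

import (
	"log"
	"net"
	"net/http"
)

// Assumed WireGuard tunnel subnets (constructed for this example; use the
// ranges actually assigned on your wg interface).
var trustedNets = []*net.IPNet{mustCIDR("10.7.0.0/24"), mustCIDR("fd7a:115c:a1e0::/64")}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// isTrusted reports whether a RemoteAddr ("host:port") belongs to the tunnel.
// Only the socket address counts: X-Forwarded-For and friends are set by the
// client and say nothing about which interface the packet arrived on.
func isTrusted(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host) // nil for a malformed host
	for _, n := range trustedNets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// readOnlyUnlessTrusted lets anyone read, but only tunnel peers change state.
func readOnlyUnlessTrusted(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mutating := r.Method != http.MethodGet && r.Method != http.MethodHead
		if mutating && !isTrusted(r.RemoteAddr) {
			log.Printf("denied %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "read-only: not a trusted peer", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap your mux as `http.ListenAndServe(addr, readOnlyUnlessTrusted(mux))`; the model only holds if the trusted ranges are reachable solely through the tunnel, which is what WireGuard's key-to-IP binding gives you.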

Date: 2020-01-30

URL: https://tailscale.com/blog/bradfitz-joins/
