Hello,
I’ve read a bunch of articles and watched videos, but I still do not really understand how Tailscale works behind the scenes. Does it send all of the traffic for each device through the Tailscale servers to connect them? If so, why doesn’t it change the public IP of the device?
If you see this and are kind enough to respond, explain in somewhat simple terms please
You know how you passed notes in class? You just wrote your friend’s name and passed it to the kid next to you and so on and so forth. You didn’t need a mailing address on the note or a security envelope since it was a private space and everyone knew each other.
Now imagine one of your friends is in another school. Now you write your note but you have to seal it up in an envelope and write the other school’s mailing address and send it out into the world with a public address. Imagine your school had an administrator who did that officially. Mrs Keller’s class was in a different school but they know which school so they bundle up all the notes for that school in a postal box and send it out.
Once it reaches your friends school imagine there is someone who can open the letters and envelopes and then hand the note to the correct friend in the correct classroom.
That’s a virtual private network. From your friend’s perspective it was an insecure note without an address but it was sent from one classroom to another as if they were classrooms in the same school. They appear to be local even though there was a transparent step where the notes for distant schools are all securely packaged up and shipped using a public postal service.
All that Tailscale does is let you assign a local address like a classroom name and a student name and then it figures out where that student actually is, locks the note in a secure briefcase and ships it to the recipient where a Tailscale agent then unlocks the briefcase and hands the insecure note to the recipient on the other end.
The ping times for me are almost indistinguishable in comparison to true WireGuard. It’s some magic stuff going on. The difference is way too little for the traffic to be forwarded through their DERP servers.
There’s some great answers here already, but I just also wanted to note that we have a blog post on exactly this topic in case that’s helpful: Tailscale: How it works. (Though maybe that’s one of the articles you’ve already read?)
Just wanted to say that this is a great ELI5 answer!
That was a really fun read! YOU’RE the tech support friend everyone WISHES they had.
I’ll create a few more users on Reddit now and upvote you a few more times. Best explanation of VPN ever.
Thank you for your answer! So Tailscale would be just like a list of where to find all of your devices? Wouldn’t that be possible just connecting to the public IP address, or would that be insecure?
That’s because it’s not. Tailscale servers simply act as the controller for your VPN network, exchange encryption keys and set policies.
How can they make a signaling connection? ICE, STUN would work only for media connection, right?
I’ll create a few more users on Reddit now and upvote you a few more times
Banned for Upvote Manipulation
(I know you didn’t mean it literally but somehow this is a real thing)
If you connected directly, it would be up to you (the application) to put the note into a secure envelope (encrypt the data) and look up the mailing (public) address of your destination, as well as making sure someone at the destination understands how to forward the contents of your letter to the right recipient within the mailing address (NAT).
If you hosted an HTTP web server it would be plaintext sent over the internet like a folded over note that anyone handling it could easily read. If you hosted an HTTPS (S standing for secure) web server it would be just about as secure as Tailscale.
The other advantage is that since Tailscale is handling the traffic you can use it like a smart firewall that rejects all traffic that wasn’t encrypted by an approved user. You also are confident that even your unencrypted data that you might accidentally expose is also encrypted by tailscale. Tailscale also has been well audited and hardened for security. Whatever random application you’re exposing to the internet is more likely to have security vulnerabilities.
Also, some applications simply won’t work with a public address because they don’t have a mechanism to request open public ports in the firewall. Or have a failover mechanism like DERP to get through firewalls no matter what.
A VPN is mostly useful as being a service which does all of the things that a public facing application would need to do but doesn’t. Or as an extra layer of defense. That’s not to say that there aren’t applications that work well without a VPN. I use Parsec which is a remote desktop application. It has all of the features of tailscale:
- It uses an authentication server to reject or accept connections like a firewall.
- It holds a directory of public IPs for every destination and negotiates address translation (NAT) to get routed through from the internet address to the LAN address and it also opens ports in the firewall (UPnP/NAT-PMP/etc).
- It encrypts all traffic before sending it over the internet to keep my data secure.
If the only application that I used was Parsec, I wouldn’t really need Tailscale because it does the 3 main things a VPN does: Authentication, Public to Private Address Translation (NAT) and Encryption.
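The "note in a sealed briefcase" analogy in the first answer and the three VPN jobs listed in the last one (authentication, a directory that maps private names to public endpoints, encryption) can be shown end to end in a few dozen lines. The following is an added example written for this thread, not Tailscale's or WireGuard's own code, and it simplifies heavily: the "directory" is an in-memory map standing in for the coordination server, public endpoints are hard-coded instead of discovered with STUN/DERP, and the session key is a plain SHA-256 of the static X25519 shared secret rather than WireGuard's Noise_IK handshake. The names (alice, bob, the 100.64.0.x overlay addresses, the 203.0.113.x/198.51.100.x documentation IPs) are made up for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Packet is the "note": an inner packet addressed with private overlay IPs only.
type Packet struct {
	Src, Dst string
	Payload  []byte
}

// Envelope is the "sealed briefcase" that actually crosses the public internet.
type Envelope struct {
	SenderPub  []byte // sender's static X25519 public key: its identity on the network
	Nonce      []byte
	Ciphertext []byte // AES-GCM of the JSON-encoded Packet
	ToEndpoint string // public ip:port looked up in the directory
}

// Node is one tunnel agent (a stand-in for the Tailscale client on a device).
type Node struct {
	Name, Addr, Endpoint string // Addr is the overlay IP, Endpoint the public ip:port
	Inbox                []Packet
	priv                 *ecdh.PrivateKey
	allowed              map[string]bool // policy: hex(public key) -> may send to us
}

// Directory stands in for the coordination server: it knows keys and endpoints
// but never sees packet contents (all traffic goes peer to peer).
type Directory struct{ nodes map[string]*Node }

func NewDirectory() *Directory     { return &Directory{nodes: map[string]*Node{}} }
func (d *Directory) Register(n *Node) { d.nodes[n.Name] = n }

func NewNode(name, addr, endpoint string) *Node {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Node{Name: name, Addr: addr, Endpoint: endpoint, priv: priv, allowed: map[string]bool{}}
}

func (n *Node) PubKey() []byte { return n.priv.PublicKey().Bytes() }

// Allow is the policy/ACL step: only approved identities get through the "smart firewall".
func (n *Node) Allow(peer *Node) { n.allowed[hex.EncodeToString(peer.PubKey())] = true }

// sessionKey derives a symmetric AEAD from our static key and the peer's public key.
// Toy simplification: real WireGuard runs a Noise_IK handshake and rotates session keys.
func (n *Node) sessionKey(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := n.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send looks the peer up in the directory, seals the inner packet and addresses
// the envelope to the peer's public endpoint.
func Send(d *Directory, from *Node, to string, payload []byte) (*Envelope, error) {
	peer, ok := d.nodes[to]
	if !ok {
		return nil, fmt.Errorf("no such node %q", to)
	}
	inner, _ := json.Marshal(Packet{Src: from.Addr, Dst: peer.Addr, Payload: payload})
	aead, err := from.sessionKey(peer.PubKey())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	senderPub := from.PubKey()
	// The sender identity rides as associated data, so it is authenticated but not hidden.
	ct := aead.Seal(nil, nonce, inner, senderPub)
	return &Envelope{SenderPub: senderPub, Nonce: nonce, Ciphertext: ct, ToEndpoint: peer.Endpoint}, nil
}

// Receive is the agent at the far end: policy check first, then unseal, then deliver locally.
func (n *Node) Receive(env *Envelope) error {
	if !n.allowed[hex.EncodeToString(env.SenderPub)] {
		return errors.New("policy: sender not approved")
	}
	aead, err := n.sessionKey(env.SenderPub)
	if err != nil {
		return err
	}
	inner, err := aead.Open(nil, env.Nonce, env.Ciphertext, env.SenderPub)
	if err != nil {
		return errors.New("unseal failed: forged or tampered envelope")
	}
	var pkt Packet
	if err := json.Unmarshal(inner, &pkt); err != nil {
		return err
	}
	if pkt.Dst != n.Addr {
		return fmt.Errorf("packet for %s delivered to %s", pkt.Dst, n.Addr)
	}
	n.Inbox = append(n.Inbox, pkt)
	return nil
}

func main() {
	dir := NewDirectory()
	alice := NewNode("alice", "100.64.0.1", "203.0.113.10:41641")
	bob := NewNode("bob", "100.64.0.2", "198.51.100.7:41641")
	dir.Register(alice)
	dir.Register(bob)
	bob.Allow(alice)
	env, _ := Send(dir, alice, "bob", []byte("hello from the other school"))
	fmt.Println("envelope goes to", env.ToEndpoint, "receive err:", bob.Receive(env))
	fmt.Printf("bob got %q from %s\n", bob.Inbox[0].Payload, bob.Inbox[0].Src)
}
```

The point of the demo is the ordering on the receiving side: an envelope from a key that policy does not list is dropped before any decryption happens, and an envelope that was tampered with in transit fails the AEAD check even though it came from an approved key. The inner packet still carries only 100.64.0.x addresses, which is why the device's own public IP never changes; only the outer envelope uses public addresses.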