Which is Better: Overlay Networks or Traditional VPN?

Science & Technology

lawrence.video/pfsense
pfsense TailScale
• How to Setup The Tails...
Headscale Tutorial
• Tutorial: Using Tailsc...
Nebula Tutorial
• Nebula, the open sourc...
How NAT Traversal Works
tailscale.com/blog/how-nat-tr...
How Tailscale Works
tailscale.com/blog/how-tailsc...
My Cloudflare Tunnels Video
• Using Cloudflare Tunne...
Crosstalk Solutions Cloudflare Video
• You Need to Learn This...
DBTech Cloudflare
• Cloudflare Tunnels: Ge...
Time Stamps
00:00 Overlay VPN Tailscale Headscale ZeroTier Nebula
01:48 Traditional VPN
03:29 How Overlay VPNs work
06:30 pfsense with TailScale
07:31 Headscale
07:57 Overlay Security
08:36 Cloudflare Tunnels

Comments: 166

  • @olivierlambert4101
    1 year ago

    I really like the fact you are always thinking about the risks of relying on 3rd party/big cloud players. I also share that vision, which is not common enough, sadly. Kudos for getting entirely the initial meaning/purpose of the Internet, which is not meant to be centralized to a handful of big entities.

  • @LAWRENCESYSTEMS
    1 year ago

    Thank you

  • @woswasdenni1914
    6 months ago

    One of those risks people never think about is no support whatsoever. These entities are now so big that you rely on the pure hope it will be fixed if it's broken. Just spent 3 nights with Microsoft's highest tier support until I got someone to fix a trivial license issue on Microsoft's end that blocked all Exchange services for the entire tenant with several hundred users.

  • @aliaghil1
    1 year ago

    Great video as always. Definitely that's not a VPN killer; I would never rely on a third party for access into my own network.

  • @nonkelsue
    1 year ago

    Very informative! Love to see how someone like you is on top of all this and keeps us informed of what is out there, the advantages and disadvantages, the pros and cons, the pitfalls etc. This allows us to make an informed choice. Thanks Tom for your time and effort in producing videos like this. Truly appreciated!

  • @speedup070605
    1 year ago

    Thank you for this video. Love watching this because it explains the difference/similarity between vpn and overlay. Again thank you for the layman's term explanation.

  • @Ghost_n_Denver
    1 year ago

    Long time subscriber here... Love your content! Looked at Cloudflare Tunnels. They are cool, but I really didn't like being dependent on their network to access my network. Plus, I kind of felt like I was giving them access to view my private network if they wanted to. 😅 Anyway, keep up the good work, sir. Your opinion and POV are valuable to us all.

  • @droknron
    1 year ago

    I've been using ZeroTier for a few years now (I was introduced to it through one of your videos, in fact!). I think one thing you should have added to this video though is performance. WireGuard and OpenVPN point-to-point are a lot faster than ZeroTier and Tailscale. We're talking 50Mb vs 350Mb. So for anyone considering this, just know it's not the fastest, but these systems (Tailscale and ZeroTier) are super easy and very reliable.

  • @GrishTech
    1 year ago

    That's a bit subjective. It all depends on whether or not ZeroTier or Tailscale peers can establish a direct tunnel to each other and if the peer is running in userspace or in the kernel. For example, Tailscale on Windows runs in userspace, but on Linux, it can use the kernel drivers for WireGuard. For example, two Linux hosts can communicate gigabits per second to each other, but to a Windows host, maybe not so fast. Same thing applies for ZeroTier. Depends on the host and install.

  • @droknron
    1 year ago

    @@GrishTech Thank you for the clarification David. I wasn't aware of this and only saw poor performance compared with native WireGuard and OpenVPN (I am testing only on Windows).

  • @zadekeys2194
    7 months ago

    @@droknron Tailscale is meant to only be a control plane for WireGuard, based on wireguard-go. Perhaps the out of the box TS config needed tweaking to get better speeds?

  • @BrianPhillipsSKS
    1 year ago

    I use WireGuard for security and not relying on a third party. It was strange that as soon as Tailscale popped up it seemed like a huge number of homelab enthusiasts jumped on the bandwagon. Especially people that generally highly regard security and self hosting.

  • @bivensrk
    11 months ago

    So, you're saying that Tailscale != security?

  • @tehsimo
    7 months ago

    we're fed up dealing with annoying VPN configuration UIs in hardware

  • @HSF-ec2bp
    7 months ago

    @@bivensrk Tailscale/Headscale != actually functional OpenVPN/WireGuard, a few lines in iptables, can actually be controlled with firewalls and security. Tailscale, its routing rules interfere with every well known security solution in existence. No, I'm not migrating my perfectly functioning iptables rules to deal with Tailscale's lack of motivation to either use kernel WireGuard or use the TUN/TAP driver to supplement the user-land WireGuard. Other solutions could deal with this - NetMaker, Firezone, etc. - why not Tailscale?

  • @nicholastoo858
    5 months ago

    I also don't know why introduce 3rd parties

  • @dougp1856
    1 year ago

    Thanks for this video, answered a question I had about the differences between VPNs and Cloudflare Tunnel

  • @Weirlive
    1 year ago

    Happy to see a video on this topic, especially after the recent Network Chuck video

  • @heshamkhalil2215
    1 year ago

    As always objective & unbiased. Thanks

  • @lordgarth1
    1 year ago

    Used to use hamachi until it was bought out but tailscale is now my go to. It just works and works well.

  • @jensplsnkwn8152
    1 year ago

    I am always enthusiastic about your videos because they briefly describe the most important contexts. I have heard about the new technique and unfortunately have not yet understood what the advantages are supposed to be. It just looks like a legal man in the middle attack.

  • @tomstechnews
    1 year ago

    Great explanations! Thank you Tom!

  • @andrewjohnston359
    1 year ago

    About 7 or 8 years ago I worked around the issue of having simple to setup VPN access or clients behind CG-NAT/dynamic IP addresses by implementing Pritunl on my own AWS server. This works as an OpenVPN/WireGuard broker, and all the connections from routers/servers etc. are coming from behind the firewall, meaning no need for a static IP, and it works behind NAT. The other great thing is it has a centralised portal to manage all connections, organisations, and client certs/configs + monitoring the connections + it's open source and self hosted. Pritunl is barely (ever?) mentioned in all of LS VPN videos but in my opinion is one of the best pieces of software out there for this kind of thing. I will concede it does tunnel any traffic destined for the remote network through the server (it obviously supports split DNS/public routes through local gateway etc.) - but that has never really caused any issues for our clients in terms of speed or latency. The other plus is they have a wizard for EdgeRouters which makes the setup for our techs a couple of clicks - and likewise for our customers, they can deploy the software client/profile and cert themselves with a couple of clicks.

  • @mhwachter833
    1 year ago

    You pointed out the biggest problem with services like Tailscale and Twingate: entrusting your network access to a third party. No thanks. Glad to know there's a self hosted option though, I'd love to see a more in depth video on that!

  • @cityhunter2501
    1 year ago

    Agree, I still want to give Twingate a try (which is basically a form of proxy) so that I don't need to have any open ports on my router, but then I would be relying on Twingate servers to stay up all the time. Even if I were to go Headscale and host it somewhere, then I still need to make sure that it is locked down and it is another possible point of failure.

  • @itsmith32
    7 months ago

    You better try rather than watching videos.

  • @chrisumali9841
    1 year ago

    Thanks for the demo and info, have a great day

  • @TheCrazyCanuck420
    1 year ago

    This video saved me hours of Google searches, thanks!!!

  • @PowerUsr1
    1 year ago

    One of the biggest issues I find with mesh VPN tech from Tailscale or ZT is access rules. I'm a bit more familiar with TS, but controlling what a client can access just sucks using TS access rules. Documentation isn't great and writing it out in JSON is impractical if you are an unfamiliar engineer. So then you're left with permit any any rules. The tech is great but access controls suck. At this point legacy VPNs are just better supported when it comes to access controls.

  • @tobiaskleimann6361
    1 year ago

    I have been using Tailscale for some months to connect two Synology storage systems with Hyper Backup. Not the fastest way, but it works really nicely for me. I can place my offsite backup wherever I want without caring about the VPN connection or forwarding ports.

  • @keyboard_g
    1 year ago

    Tailscale has really nailed the ease of setup.

  • @LAWRENCESYSTEMS
    1 year ago

    They have a solid product for sure.

  • @itsmith32
    7 months ago

    Yes, while Headscale made it yours and secure

  • @notreallyme425
    2 months ago

    I just setup Tailscale and made a route to my home network. Wow, that was easy and I’m wondering why I didn’t do this a long time ago. Routes just the traffic I want to my services back home, while the rest of my traffic goes directly to the internet. I could also route all my traffic back through my home connection if I wanted to.

  • @SomeGuyWatchingYoutube
    1 year ago

    I've used all of your videos to build a pfSense for gaming. It uses a Ryzen 3 1300X and can route a Gigabit with NordVPN over multiple trunks. I have trunked, seemingly secure networks, with NordVPN, using traffic limiters for A+ bufferbloat gaming behind an AT&T fiber BGW-320. Thanks for the awesome guides. I can't seem to get it to work right using multiple NICs for WAN (using different IP addresses from my block), and split the DNS correctly between the WAN and VPN with policy routing. The NordVPN always has to go through the primary gateway, which can break easily when I am using Squid Proxy for my non-VPN subnets. I bought a set of static IPv4 addresses for my multiple NICs, but I need to run the second NIC via a public DHCP request to my AT&T GPON router, as pfSense won't let me have multiple WANs on the same subnet using my single gateway. Do I need to use IP aliases to set up multiple WANs on a single gateway? Do I need another pfSense to have another WAN giving me internet access?

  • @SomeGuyWatchingYoutube
    1 year ago

    Also, my AT&T router gives me /64 blocks of IPv6. Are these okay to assign in conjunction with my static block to my pfSense? I don't understand how to route the IPv6 while hiding my DNS from this primary AT&T router. Should I use SLAAC or IPv4 over IPv6? Do I need to use DNS64? Do you have any videos explaining the differences between SLAAC, 6rd tunnels, 6to4 tunnels or the like? I am kind of new to all of this. Been tuning everything for a year now. The last time I had experience with custom routers it was 10 years ago using DD-WRT. Random thought: SynProxy is a pretty cool feature imo and might be easier to set up than Squid. It helps some of my video games lag less when servers cannot connect to my console directly.

  • @npgoalkeeper
    1 year ago

    I’m quite excited for zerotier 2.0, rewritten in rust! Hopefully they keep LF for self hosting root servers, improve performance a bit, and include DNS by default.

  • @itsmith32
    7 months ago

    Tried ZT a little, but when I found that I cannot use my exit node behind my home router I stopped trying.

  • @eduardonobrega77
    1 year ago

    What happens if a notebook with Tailscale installed, that is usually outside, is in the company internal network? Which network will it use? The internal one given by the DHCP server or the one Tailscale creates? Is there a way to block Tailscale if the computer is in the company to ensure that there is no problem with Active Directory (Kerberos, name resolution) for example? - Thanks for the video

  • @raffiihzazuhairnawan2091
    1 year ago

    Tailscale works great for me. It's free, easy to use, and supports ephemeral mode that deletes the instance when not active and adds again when active. It runs super well with PaaS that are bound to restart their containers every now and then.

  • @richardw38fly
    1 year ago

    I'm behind Starlink's CG-NAT so my remote access options are limited. I would love to work out how to use a service like Cloudflare's secure tunnel on my pfsense external interface, so I can then use OpenVPN through the Cloudflare tunnel.

  • @liam2161
    1 year ago

    I use cloudflared ZT. I like that I can integrate that with Azure conditional access. No client required for web applications or ssh can be done via browser. Warp client can then handle other ports etc. It's free for small teams and I got 5 YubiKeys for setting up the free tier at a ridiculously reduced price, think they were £10 each.

  • @castigo1986
    1 year ago

    Thanks for this interesting video! I wonder, would IPv6 change anything in this setup or generally in an OpenVPN, given that there would be no NAT?

  • @ChristerJohansson
    1 year ago

    Isn't this just a patch for poor network segmentation on the target site? Which is the result of not doing/planning a risk based / information security / availability based network architecture...?

  • @cyucel2241
    6 months ago

    Thanks for the good video. Initially, you suggested that you compare all three, but this wasn't included. Such a video would be fantastic. Especially interested to understand if Nebula is less prone to the controller (lighthouse) being compromised as the connectivity relies on certificates created outside the lighthouse and I am wondering if this would stop a compromised controller from adding a rogue node.

  • @djstraussp
    1 year ago

    For me, the only benefit of using a TS or ZT overlay network with its coordination servers is when your ISP doesn't provide a public IP you can route or NAT. Both ONs are great BTW.

  • @TotemTed
    1 year ago

    Any chance you could do a follow up video with performance metrics? Such as throughput of wireguard vpn vs tailscale, etc.

  • @rallisf1
    1 year ago

    I've been using netmaker to run both simple and overlay VPN networks. Should I consider headscale for any reason?

  • @kevinhughes9801
    1 year ago

    Great stuff, useful, thanks. So is Twingate classed as an overlay network too?

  • @voodooyam
    1 year ago

    I use traditional VPN (wireguard) and will keep at it.

  • @fathersoftweakersfazerfrea7315
    1 year ago

    I'm kinda missing the point why you are keeping it 😉

  • @hifninderri
    1 year ago

    @@fathersoftweakersfazerfrea7315 probably doesn't see the point of setting up a different service that won't benefit them

  • @ReligionAndMaterialismDebunked
    1 year ago

    @@hifninderri but they still didn't explain why.

  • @ReligionAndMaterialismDebunked
    1 year ago

    @@hifninderri maybe they're lazy too, who knows.

  • @hifninderri
    1 year ago

    @@ReligionAndMaterialismDebunked Correct, we can only assume why. I suppose I should have said, I personally will also not be switching off of WireGuard as I do not see any benefit in switching to another solution for my use case. Maybe they believe the same.

  • @azrehman1
    1 year ago

    excellent information as always! please make a video on Twingate also

  • @LAWRENCESYSTEMS
    1 year ago

    Looks similar, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.

  • @Netz0
    7 months ago

    I see them as different purposes. An overlay VPN for unattended devices that always need to be connected, like servers, routers, etc. A traditional VPN requires user interaction; as such an overlay VPN is a device connected network and a traditional agent VPN is a user connected network. Some people might not want to be always connected, or might want to connect to a different corporate or business network or switch depending on the type of work required, which means a traditional VPN is not going away.

  • @user-hk3ej4hk7m
    1 year ago

    What made me choose ZeroTier over the other overlay alternatives is that it splits the coordination plane into configuration and routing. A ZeroTier controller manages authentication and configuration of each node on a network, but it is also a node itself, meaning that it can be behind a NAT and still be able to communicate with each member of the network, sending config updates, adding new nodes, etc. Routing between each node is managed by the ZeroTier root servers, which are only responsible for connecting nodes together, aiding with UDP hole punching and relaying data if necessary. Having your own controller means that you own your network; every config has to be authorized by your self hosted controller, while still not needing it to have a publicly accessible IP address tied to it. The most a malicious ZeroTier root could do would be to mess up new connections and maybe listen in on the encrypted connection between each node (it can't decrypt it) when relaying.

  • @itsmith32
    7 months ago

    Hmmm... Which of this stuff cannot be accomplished with Headscale?

  • @user-hk3ej4hk7m
    7 months ago

    @@itsmith32 my understanding is that if you want to host your own instance of Headscale you'll need to have a public IP address to which you can forward ports. This is not always possible due to CG-NAT. With ZeroTier the routing and network configuration are separate parts. ZeroTier Inc. does the routing (if you want), you host and control your own network, no port forwarding necessary to the controller.

  • @itsmith32
    7 months ago

    @@user-hk3ej4hk7m Looks like you can do the same stuff with the TS proprietary controller 😁 and if you don't want to port forward you can use a VPS for hosting.

  • @user-hk3ej4hk7m
    7 months ago

    @@itsmith32 I'd rather have my controller hosted at my home; it's not bandwidth intensive and it has control over the whole network. ZeroTier has that clear separation and that's why I prefer it, others may have other preferences.

  • @XSpImmaLion
    1 year ago

    ROFL, I was also going to ask if Lawrence tested or tried Twingate, but it seems this is a very tight knit community... and I do agree with his position that it's not an open source solution. Not quite there yet but I am in the process of building a TrueNAS Scale from an old PC here, and looking up how exactly I'm going to open this up to the void... :P Might go for Tailscale or Headscale then...

  • @BoraHorzaGobuchul
    3 months ago

    Would love to learn what the status of Yggdrasil is now. Is it usable, or not? How does it compare with these solutions?

  • @bltavares
    1 year ago

    Zerotier has the NDP emulation for their 6PLANE addresses which is amazingly well fitted for Docker container addresses. I haven't found anything similar on top of Wireguard to make me switch

  • @davidg4512
    1 year ago

    Well. This went viral. Good performing video.

  • @dannythomas7902
    7 months ago

    In Aus they are calling them SD-WAN, basically overlay network VPN as you said. I was asked in an interview about it; I said no big deal, just site to site, can you ping it after setup or not.

  • @nymnicholas
    1 year ago

    I only use WireGuard on a Linux server (Pi400B with Quad9 DNS) under a 1 Gbps dynamic line for my use case, as my users are under 10 to 15 concurrent at a time. As the server's htop reports about 140 to 145 Mb at idle, with an increase of about 5 to 10 Mb per user load, it's running fine for a small office for the last 1 year. And, it's not on a static public IP. Peace :-)

  • @bmp6361
    7 months ago

    @LAWRENCESYSTEMS I'd be interested to know if you'd tried PBR (policy routing), with pfsense and tailscale where one host or network uses another remote pfsense+tailscale as an exit node?

  • @LAWRENCESYSTEMS
    7 months ago

    Not sure I understand the question.

  • @bmp6361
    7 months ago

    @@LAWRENCESYSTEMS Let's say you wanted to have a system(s) on Site A exit Site B's internet connection. The rest of the system(s) on Site A would exit to the local internet ISP.

  • @LAWRENCESYSTEMS
    7 months ago

    @@bmp6361 does not sound like a great way to set things up and I am not sure if Tailscale would route that way.

  • @bmp6361
    7 months ago

    @@LAWRENCESYSTEMS use case would be to appear to be working from one state vs working from another. I think it would be possible via traditional VPN, where gateways are established. Not sure you can set up Tailscale as a gateway. Thought I'd bounce it off of you. Thanks for your time.

  • @gjkrisa
    1 year ago

    With Tailscale I was not able to traverse the network once connected to the pfsense host from outside. Is there something misconfigured or maybe I was trying to access another machine before I had direct p2p connection. 🤔

  • @LAWRENCESYSTEMS
    1 year ago

    Possibly rules were missing. kzread.info/dash/bejne/gmGlj5qLZpq1gLw.html

  • @mabs-O_o
    2 months ago

    I like the managed routes feature on ZeroTier; then I just deploy ZeroTier on my routers and voila, remote devices with ZeroTier One have all the routes, and devices connecting through my routers are able to reach the overlay or remote networks.

  • @rrtech6793
    1 year ago

    Great! VPN isn't dead! Public cloud solutions are exposed like your VPN incoming requests too... It's like a big VPN public cloud server making the "gateway" function between the clients... Thank you!

  • @jasonluong3862
    1 year ago

    Ubiquiti just updated the firmware for its UDR which includes enhancement for its Teleport VPN. Can you do a video on this improvement (if any)?

  • @Ex_impius
    1 year ago

    I saw your comment on my comment on Network Chuck's video. I've used Tailscale before and heard of Headscale. I figured Twingate was a WireGuard overlay VPN but it seemed to have a lot more functionality than Tailscale. Still, don't like the controller not being self hosted.

  • @markarca6360
    1 year ago

    The good thing is it enables admins to fine-tune access to the specific resources that the users need access to.

  • @tw3145wallenstein
    1 year ago

    Another note some of the commands for headscale have been updated as well I believe it was to parody Tailscale terms

  • @blazetechstuff
    1 year ago

    If you are working or have clients in China, you absolutely need/want something like Tailscale. I live here and it is the only thing that gets me direct site to site location links (China to China) without the fuss of going through another server.

  • @LawnD4rt
    1 year ago

    I think Tailscale has the ability to create a subnet router inside the NAT. It was Linux only for a while. I think other OSes can do it now also. Not played with it recently.

  • @itsmith32
    7 months ago

    Working just great with Headscale and GNU/L

  • @EuroPC4711
    1 year ago

    Do I see it correct, that Synology‘s QuickConnect is quite the same with synology as coordination server?

  • @LAWRENCESYSTEMS
    1 year ago

    QuickConnect is just a reverse proxy that your Synology connects to to allow access. Much less complicated than a coordination server.

  • @akcesoriumpc6421
    1 year ago

    I'm using OpenVPN and don't need to rely on "coordination servers" or need "help" from others to send my data.

  • @stefanbehrendsen330
    1 year ago

    You can also self host a zerotier controller. It's somewhat of a pain, though, because the only interface they provide for that is a json api. There is a third party all in one docker image developed by Key Networks with a webserver GUI, but you do have to trust / be able to inspect the source for that software, and hope that it gets patched. You'd still be relying on some of their "root" servers for connections though, so I guess it doesn't entirely solve the issue of trust / control.

  • @itsmith32
    7 months ago

    Headscale does it for them 😅

  • @rafetjameel4476
    1 year ago

    What do you think about DPN ?

  • @michaelattisy4520
    1 year ago

    Was my first thought, what about the reliability of the third party? I honestly don't see the point of taking that risk. Thx Tom for sharing.

  • @allancreationz5625
    1 year ago

    I really think you need to do a video about Twingate, under the hood working, pros & cons! Otherwise thanks for the informative in depth content!!!

  • @LAWRENCESYSTEMS
    1 year ago

    Except Twingate has a lack of details on how their security works VS Tailscale being open source and very detailed, so I use that.

  • @gatolibero8329
    1 year ago

    If anyone is interested in "Twingate" - last week Network Chuck posted a detailed video. Twingate looks sketchy to me. As Tommy said, it's closed source, and there's very little information about the company or the people behind it, which is also strange.

  • @welovefootball2026
    1 year ago

    I watched it too but am not jumping in quite yet...

  • @metal-beard
    1 year ago

    Networkchuck does a lot of videos for his sponsors as ads but disguises them as 'tech tutorials'.

  • @gatolibero8329
    1 year ago

    @@metal-beard no shame in that game.

  • @trexx_media
    1 year ago

    I love Twingate .... easy to use and simple ..... runs on my Docker .... loving it. Killer of traditional VPNs

  • @DarkNightSonata
    1 year ago

    How about Twingate? Have you had a look at it? Is it similar to Tailscale? Thanks for the information

  • @LAWRENCESYSTEMS
    1 year ago

    Looks similar, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.

  • @anthonymudge9768
    1 year ago

    This does seem to be a sequel to the proprietary Hamachi VPN. I would call it a scalable VPN, as it's much easier to set up and deploy, I'd assume.

  • @DannyBazarte
    1 year ago

    Hamachi was the best for the short time before it was acquired by LogMeIn.

  • @deng.3844
    9 months ago

    Great content! It would be good to hear your thoughts on Netbird (relatively new alternative to tailscale).

  • @LAWRENCESYSTEMS
    9 months ago

    Never used it; nothing about it looks so compelling that I would prefer it over existing solutions I have used.

  • @DECrainbow100A
    1 year ago

    Cat6 ! 🤣

  • @grant_HH
    1 year ago

    I might be being dumb but how does the overlay network differ from Cloudflare tunnels ?

  • @LAWRENCESYSTEMS
    1 year ago

    Cloudflare tunnel is just a reverse proxy to Cloudflare servers.

  • @grant_HH
    1 year ago

    @@LAWRENCESYSTEMS Thanks. Just watched Network Chuck's overview of setting up Twingate before seeing this. On the surface all look similar. Install agent on network, configure services in cloud/controller instead of opening ports 😁 One of these is somewhere on my list after getting pfSense set up

  • @stevenhughes1254
    1 year ago

    Facts are facts

  • @bjarnenilsson80
    1 year ago

    Or go for IPv6 if available, then you can run your VPN daemon on a host on the inside of your network and you avoid the nightmare of CG-NAT (which unfortunately gets more and more widespread on home internet connections)

  • @DerekAldridge1
    1 year ago

    Have you looked at Twingate at all? The granularity and redundancy seems to make a pretty resilient solution.

  • @LAWRENCESYSTEMS
    1 year ago

    So does Tailscale. Twingate has a lack of details on how their security works VS Tailscale being open source and very detailed, so I use that.

  • @bobvb2351
    1 year ago

    Would very much appreciate updated Headscale setup and use tutorial.

  • @LAWRENCESYSTEMS
    1 year ago

    kzread.info/dash/bejne/X22burJvkcTHqdo.html

  • @genovo
    7 months ago

    Question: are they a VLAN killer?

  • @LackofFaithify
    1 year ago

    If you ever remove the problem of trust, you have removed humanity.

  • @Sama_09
    1 year ago

    Is slack nebula something similar to this ??

  • @LAWRENCESYSTEMS
    1 year ago

    Yes

  • @marianarlt
    1 year ago

    As many others point out, I don't see how this would benefit me any more than setting up my VPN server, put it behind a deny all, and whitelist any access the clients need. I hear that it's easier to set up, but it seems there's actually more configuration to be done, not less. There's even an additional controller involved?! No thanks. Also I'm with everyone saying not to outsource my remote access methods to third parties. Like, ever. In all honesty it appears to me that these suites try to be a solution for people who might be uncomfortable with managing their ACLs, even though this might not be accurate. This whole zero trust cloud third party thing seems like the new networking hype I have to learn just to be able to say why I won't use it. Maybe (probably) I'm missing a lot of details, I just started to look into this rabbit hole.

  • @pavelperina7629

    @pavelperina7629

    a year ago

    I guess cloudflare tunnels are good if you don't want to deal with dynamic DNS via no-ip if you don't have a static IP and renewing let's encrypt certificates and you don't have to change anything if you reconfigure internal network (if you reset router to factory defaults etc). But I'm still using ssh and ssh tunnels for RDP/VNC and i think VPN is better in general. This solution might be useful only if your IP is not accessible at all I guess.

  • @marianarlt

    @marianarlt

    a year ago

    Hm. Maybe I'm misinterpreting the target audience. Setting up DDNS with the domain provider should be as easy as a click in most situations. Static IPs are common for enterprises. Certificate renewal can easily be automated. The situation you mention could make for a use case I guess, but also seems to be very niche to me. Somebody in the comments is mentioning Zero Trust use with Azure and 2FA, which is more of an actual real use case. I probably have to look into this a little more at some point. The third party thing still bugs me. Kinda the opposite of zero trust... Thanks for commenting!

  • @NetBandit70
    @NetBandit70 10 months ago

    I'm another step closer to -white- allow lists for everything network related.

  • @insu_na
    @insu_na a year ago

    I honestly don't really get it. I think tailscale and regular vpns serve different purposes, so tailscale isn't really killing VPNs, just displacing them from areas they were previously used in but didn't really fit

  • @eointhomaskehoe4977

    @eointhomaskehoe4977

    a year ago

    I was trying to set up a VPN for a customer who had a wireless ISP internet connection; we could not get any VPN working as it looks like the internet connection was using CG-NAT. After looking for other options I came across Tom using Zerotier and Tailscale, and both worked flawlessly for this setup.

  • @mishasawangwan6652

    @mishasawangwan6652

    7 months ago

    let me explain: clickbait.

  • @murtadha96
    @murtadha96 a year ago

    What about something like Twingate? I think NetworkChuck recently made a video about it.

  • @LAWRENCESYSTEMS

    @LAWRENCESYSTEMS

    a year ago

    Looks similar to tailscale, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.

  • @Darkk6969

    @Darkk6969

    a year ago

    @@LAWRENCESYSTEMS Same here. I did watch most of Chuck's video about Twingate and was turned off that it's completely closed source and no option to self host the controller. I'm staying with wireguard on pfsense.

  • @walter.casanova
    @walter.casanova a year ago

    Another option is Netbird.

  • @realms4219
    @realms4219 a year ago

    Is Headscale hostable in a HA manner?

  • @GrishTech

    @GrishTech

    a year ago

    If you use it in a container and thus in Kubernetes, sure. Or you can have it in a vm and use the traditional VM H/A.

  • @philipgriffiths5779

    @philipgriffiths5779

    10 months ago

    @@GrishTech but can you run more than one controller for graceful takeover if a controller fails? For me, that's the benchmark of HA.

  • @GrishTech

    @GrishTech

    10 months ago

    @@philipgriffiths5779 I don't believe that's supported.

  • @ronbovino
    @ronbovino a year ago

    I wish they would cut thru all the buzz words and just call this VPN-NG or 2.0 .... This stuff was done 20 years ago with Cisco VPN Concentrators.

  • @bradrobbin4281

    @bradrobbin4281

    a year ago

    Funny you mention that, as Cisco is now looking to kill the VPN all together utilizing their Zero trust and duo MFA tools

  • @OldePhart
    @OldePhart a year ago

    Cradlepoint is deprecating their overlay this year, forcing me to go VPN.

  • @philipgriffiths5779

    @philipgriffiths5779

    10 months ago

    This boggled my mind. It's a shame they got acquired by Ericsson. I thought their approach was one of the best I had seen, bar OpenZiti, the open source project I work on. But hey, big corps like to kill innovation and only deliver guaranteed returns.

  • @bluebrus
    @bluebrus a year ago

    I'm in China, Can I watch KZread with Overlay? instead of traditional VPN that I use today!

  • @TechySpeaking
    @TechySpeaking a year ago

    First

  • @justincase5272
    @justincase5272 a year ago

    I seriously wish modern "VPNs" had chosen a different name, as their use and purpose is very different from traditional Virtual Private Networks.

  • @tomasztomaszewski9826
    @tomasztomaszewski9826 a year ago

    Is this coffee mug a bit of a tease?

  • @LAWRENCESYSTEMS

    @LAWRENCESYSTEMS

    a year ago

    We do have coffee mugs in our store lawrence.video/swag/

  • @mjmeans7983
    @mjmeans7983 a year ago

    No one should ever trust a cloud coordination server that is not under their direct control unless the third party is subject to strict liability in case of breach. And none are.

  • @javiej
    @javiej a year ago

    Mesh networks are powerful tools, but security problems arise when they are given to ignorant users. Recently Linus (LTT) made a tutorial in "Tailscale for idiots" style that I think is very wrong. Firewalls exist for a reason; creating unsupervised tunnels for family and friends (and the friends of their friends...) with no supervision and no VLAN isolation, having ignorant users passing links to give access to that streaming service that everybody wants to watch but nobody wants to pay for (which is why most of them use it)... that's a delicious cake for hackers: you get one, you get them all.

  • @Darkk6969

    @Darkk6969

    a year ago

    Well, for small networks like the home with few users it's not much of an issue. When you get into 300+ users for corporate / enterprise then it's a completely different beast altogether. For something like Tailscale I did not like the idea of a default mesh network for all users. Lazy admins would certainly take this route just to get started without thinking things through, like security.

  • @markarca6360
    @markarca6360 a year ago

    Another option is Twingate, which uses split-tunneling by default! It allows orgs to adopt ZTN (Zero-Trust Networking) by implementing the principle of least access.

  • @LAWRENCESYSTEMS

    @LAWRENCESYSTEMS

    a year ago

    Looks similar, never used it, closed source, light on security details so I don't have a lot of desire to test it knowing there are open source solutions out there.

  • @moelassus
    @moelassus a year ago

    Hey Tom, what about Twingate? 😉🤣

  • @Antebios
    @Antebios 8 months ago

    Overlay looks way too complicated. I'm sticking with my Raspberry Pi & Wireguard. Easy-Peasy, I have full control, and no dependency on a 3rd party.

  • @danielchien7274
    @danielchien7274 a year ago

    VPN can be MITM attack

  • @miltonatgoogle1140
    @miltonatgoogle1140 a year ago

    The statement that "overlay networks are VPN killers" is likely an oversimplification and doesn't capture the full nuances of these technologies.

  • @romangeneral23
    @romangeneral23 22 days ago

    Overlay network is a VPN with extra annoying steps

  • @dezznuzzinyomouth2543
    @dezznuzzinyomouth2543 a year ago

    Stealing WiFi... Cough... Excuse me... Being intrusive on someone else's resource, then using a VPN paid in crypto.... Ahhh, the good ol' war driving days...

  • @danielkingly3673
    @danielkingly3673 a year ago

    Your logo is too generic… this channel is amazing

  • @jsieb
    @jsieb a year ago

    You missed the chance to include Twingate. :D

  • @LAWRENCESYSTEMS

    @LAWRENCESYSTEMS

    a year ago

    ¯\_(ツ)_/¯

  • @Mr.Leeroy
    @Mr.Leeroy a year ago

    Killer is the BS & clickbait universe marker-word.

  • @limpep
    @limpep a year ago

    This used to be a respectable channel; shame he's just a paid-for shill now.

  • @LAWRENCESYSTEMS

    @LAWRENCESYSTEMS

    a year ago

    Huh? 🤔 This wasn't sponsored

  • @xelerated
    @xelerated 4 months ago

    Tailscale is pure 💩

  • @perfect.stealth
    @perfect.stealth 6 months ago

    When you say using Cloudflare means exposing your devices, what do you mean? I use Cloudflare Zero Trust to connect to my office devices on a local network. What is exposed about that? Asking concerned.

  • @LAWRENCESYSTEMS

    @LAWRENCESYSTEMS

    6 months ago

    Are you using cloudflare tunnels?
