I used to avoid Tailscale a lot, because I thought it wouldn’t solve my problem.
Basically my nodes often route all traffic through WireGuard → at that point their IP is the WireGuard IP.
It’s already around 11:30pm. I want to buy a batch of 5 VPS to use. I used to buy from VPSRE and, true to the name, it’s cheap. 90k for 3 months, so about 30k/month.
So yeah, super cheap. Until now I mostly used Hypercore — my choice =)) which is 75k/month. If I buy 5 of those from VPSRE, the savings are huge.
While fiddling with domains and checking prices, I saw an option to buy extra IPs. In the end I decided to buy one with 500Mbps bandwidth and add 4 more IPs, so I’d have 5 WAN networks, each 100Mbps. I bought this to get familiar with interfaces: if there’s more than 1 WAN IP, how do you configure WireGuard? I want some real hands‑on experience, not just because it’s cheap to buy 5 VPS for 200k.
For now, while waiting for the VPS, I’ll continue with Tailscale. The goal this time is to mesh the network between nodes. Once meshed, I can pull info from Windows Exporter for Prometheus. Right now there are still 5 nodes not being scraped because they don’t connect directly to the VPN.
1. What is Tailscale?
Tailscale is a zero‑config VPN service that builds a secure network between devices. It uses WireGuard under the hood to connect computers, servers, and mobile devices into a private network, allowing easy access without manual firewall or port‑forwarding configuration. Tailscale works as a mesh network where devices can talk directly to each other via private IPs.
2. Installing Tailscale
Installing Tailscale is pretty straightforward and well documented on the official site. Here are the basics for common OSes:
On Windows:
- Download the installer from tailscale.com/download.
- Run the .msi and follow the instructions.
- After installation, run `tailscale login` in Command Prompt or PowerShell to sign in and connect.
On Linux (Ubuntu/Debian):
- Install from the repository: `curl -fsSL https://tailscale.com/install.sh | sh`
- Start the service: `sudo systemctl enable --now tailscaled`
- Login: `sudo tailscale up`
On macOS:
- Download from the App Store or the download page.
- Open the app and sign in.
After installation, you need to sign in to your Tailscale account (Google, GitHub, etc.) to join the network. Full guide: docs.tailscale.com.
3. Why I avoided it and the issues
The device limit is the biggest issue. It only allows 20 devices, which I really don’t like. Let’s see how long until I write a Headscale setup post. Or maybe a solution to connect from Tailscale into my home LAN, otherwise I’ll use Headscale to mesh everything into a private network.
Well well, I tried running both WireGuard and Tailscale interfaces at the same time, and Tailscale just died — total failure, no ping anymore.
Let’s say I put Tailscale on a VPS, then route interface tsc0 into wg0 — what happens? I’d probably still get requests, but that would bind Tailscale to the WireGuard IP or port, or only allow pinging the Tailscale IP while pinging the WireGuard IP directly becomes almost impossible. Then the ports would be 3389 for RDP, 9182 for Prometheus metrics, plus a separate 9100 for VPS metrics. That’s basically the same as exposing the VPN directly. The only difference is it’s more private and reduces security risks, maybe even avoids DoS. The downside: still not free, and only 20 devices.
In the end, Tailscale still got routed entirely through WireGuard. So yeah, I’m stuck. It didn’t meet my original goal. Putting Tailscale on hold for now.
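For the exposure concern around ports 3389 and 9182 on the Windows nodes, here is an added example (not part of the original post) that scopes those ports to tailnet peers and then lists any other inbound allow rule that still leaves them open to every source. It assumes Tailscale peers use addresses from 100.64.0.0/10; the "TS-only" rule names are hypothetical.

```powershell
# Added example. Run in an elevated PowerShell on the Windows node.
# Assumption: Tailscale peer addresses come from the 100.64.0.0/10 range.
$TailnetRange = '100.64.0.0/10'
$Ports = @{ 3389 = 'RDP'; 9182 = 'windows_exporter' }

function Get-WideOpenRule {
    # Return enabled inbound TCP allow rules on the given ports whose remote
    # address is "Any". Only exact port entries are matched, not port ranges.
    param([int[]]$Port)
    $wanted = $Port | ForEach-Object { "$_" }
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        $hit = @($pf.LocalPort) | Where-Object { $_ -in $wanted }
        if ($pf.Protocol -eq 'TCP' -and $hit -and @($af.RemoteAddress) -contains 'Any') {
            [pscustomobject]@{ Rule = $_.DisplayName; Port = ($hit -join ',') }
        }
    }
}

# Create one scoped allow rule per port, skipping rules that already exist.
foreach ($p in $Ports.Keys) {
    $name = "TS-only $($Ports[$p]) $p"   # hypothetical rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $p -RemoteAddress $TailnetRange -Action Allow | Out-Null
    }
}

# A scoped rule does not close the port while another rule allows "Any",
# so report what still needs to be disabled or rescoped.
Get-WideOpenRule -Port ([int[]]@($Ports.Keys)) | Format-Table -AutoSize
```

Any rule the last command prints (the built-in Remote Desktop rules are typical) still accepts connections from outside the tailnet until it is disabled or its remote address is narrowed.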