I love Tailscale; it's by far the best VPN I've used, and the easiest WireGuard implementation to get up and running that I've used.

I can certainly see the value of this feature for some orgs, but it seems a little scary to me. With this setup, if an attacker is able to compromise Tailscale and add a key to your tailnet, that person will immediately have access to your network AND shell access to all of your boxes, rather than just network access if you use Tailscale with vanilla SSH.

We use Tailscale quite heavily, including the SSH feature. Along with many other features, it is great. However, the article doesn't mention pricing, which for me personally seems quite high at $18/month/user. [1]

[1] https://tailscale.com/pricing

Why does Tailscale need special handling for SSH?

Tailscale gives you authorized connectivity between hosts, and DNS; wouldn't it be sufficient to run plain sshd?

(If WireGuard-key-level auth were sufficient, even rlogin or netcat would be enough, because the transport is encrypted already.)

Bravo to Alex in the embedded video for clearly explaining the benefits in an interesting way without being overly salesy. I get a genuine sense of enthusiasm from him.

How does it compare with Cloudflare's tunnels? [0]

I have been using Cloudflare's cloudflared tunnels. It was great for tunneling SSH traffic behind firewalls. And it starts free.

[0] https://developers.cloudflare.com/cloudflare-one/connections...

I'm sure it's very well done, but is it a good idea to give a third party full access to your infrastructure?

How secure is Tailscale in general, and their new SSH offering?

I assume the crypto is unbreakable for outside parties that just sniff the traffic along the way.

But what if Tailscale gets hacked? Are my keys available there for someone else to connect into my network? How hard would it be for the hacker to add their own machine to my network?

Not directly related to this, but I'm trying to migrate to Tailscale now from OpenVPN, and it doesn't seem like there's a way to use one "account" (for example, Google auth) for multiple tailnets. Our use case is to have the user be able to select whether they want to connect to staging or prod.

Are people just doing this with time-based ACLs within the same tailnet? Curious if there's something more obvious.

From launch page:

> This traffic is rerouted to an SSH service inside the Tailscale daemon instead of to your standard SSH server.

Was their sshd code audited? This is a lot of trust to place in a different sshd, IMHO.

IIUC, ATM Tailscale SSH X11 forwarding doesn't work.

Does anyone have experience with their VSCode extension? Does it work just as well as the official SSH remote extension?

I guess commenters don't have experience with both products, but this fills in a gap for folks that might choose Teleport instead.

Beep! Official GUI client missing for Linux.

Just gonna note this is still a thing: https://ssotax.org/