Tailscale gives you authorized connectivity between hosts, and DNS; won't it be sufficient to run plain sshd?
(If WireGuard-key-level auth were sufficient, even rlogin or netcat would be enough, because the transport is encrypted already.)
I have been using Cloudflare's cloudflared tunnels. It has been great for tunneling SSH traffic behind firewalls, and it starts free.
[0] https://developers.cloudflare.com/cloudflare-one/connections...
I assume the crypto is unbreakable for outside parties that just sniff the traffic along the way.
But what if Tailscale gets hacked? Are my keys available there for someone else to connect into my network? How hard would it be for the hacker to add their own machine to my network?
Are people just doing this with time-based ACLs within the same tailnet? Curious if there's something more obvious.
> This traffic is rerouted to an SSH service inside the Tailscale daemon instead of to your standard SSH server.
Was their sshd code audited? This is a lot of trust to place in a different sshd, IMHO.
I can certainly see the value of this feature for some orgs, but it seems a little scary to me. With this setup, if an attacker is able to compromise Tailscale and add a key to your tailnet, that person will immediately have access to your network AND shell access to all of your boxes, rather than just network access if you use Tailscale with vanilla SSH.
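As an added illustration of the two questions raised above (whether people gate this with ACLs inside the tailnet, and what an attacker who manages to add a node gains), here is a Tailscale policy file written for this thread, not taken from Tailscale's docs or from any commenter. The group, tag and user names are made up. It relies on two things the Tailscale SSH policy format does provide: Tailscale SSH only works where the normal network ACL already permits port 22, and an `ssh` rule can use `"action": "check"` with a `checkPeriod`, which makes tailscaled prompt the connecting user to re-authenticate with the tailnet's identity provider before a session is granted. `autogroup:nonroot` keeps root out of the allowed target users. The policy file is HuJSON, so the `//` comments are valid in it.

```json
{
  // Hypothetical group and tag names for this example.
  "groups": {
    "group:admins": ["alice@example.com", "bob@example.com"],
  },
  "tagOwners": {
    "tag:prod": ["group:admins"],
  },

  // Network-layer ACL. Tailscale SSH still requires that port 22 to the
  // destination is reachable under these rules; nothing else is opened.
  "acls": [
    {
      "action": "accept",
      "src":    ["group:admins"],
      "dst":    ["tag:prod:22"],
    },
  ],

  // SSH-layer rules. Without a matching entry here, tailscaled's SSH
  // service refuses the session even though port 22 is reachable.
  "ssh": [
    {
      // "check" forces a fresh login with the identity provider before the
      // session is allowed; "checkPeriod" is how long that check is cached.
      // A node key alone is therefore not enough to get a shell.
      "action":      "check",
      "checkPeriod": "12h",
      "src":         ["group:admins"],
      "dst":         ["tag:prod"],
      // Non-root accounts only; no rule here grants "root".
      "users":       ["autogroup:nonroot"],
    },
  ],
}
```

With this in place, a device that is newly joined to the tailnet but not in `group:admins` has neither port 22 reachability to `tag:prod` nor an SSH rule, and an admin's stolen node key still has to pass the identity-provider check within the `checkPeriod` window before it yields a shell. Whether that is enough reduction in blast radius compared to a vanilla sshd with its own key list is exactly the trade-off the comments above are weighing.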