Total newb question. I have TS installed and I use it to access a media server on another network. Alls well. But Windows (and my iphone) keep referring to TS as a VPN. Is TS used like I’m using it, changing my IP? If I use Netflix with TS connected, is it going to see me as behind a VPN? Or is it only active when making TS to TS connections?
TS is a VPN.
Is TS used like I’m using it, changing my IP?
No, it’s not a public routed VPN gateway like you’re thinking of. It’s just a private network.
If I use Netflix with TS connected, is it going to see me as behind a VPN?
Nope, you’re still using your internet connection as normal.
Tailscale is indeed a VPN, that’s how you connect to your media server. but does not change your IP per default. Unless you run an exit node and configure your devices to use that node to connect to internet, TS will keep your public IP the same.
So no harm in leaving myself connected on all machines 24/7?
Sorry, I wasn’t being clear - I don’t need my IP changed, just want to make sure I can run tailscale full time as CONNECTED on all my devices without otherwise effecting my IP and browsing.
Thanks, I did check my IP online and it did stay the same, but I was trying to wrap my head around the idea of Tailscale as a VPN and how it interacted with my home network connection.
Sorry one more question. When I connect to my media server on a different network, Chrome shows the connection as “insecure”. Is that the case? Or am I ‘insecure’ inside the tunnel created by Tailscale and therefore totally secure?
Nope, only traffic going to other machines on tailscale will go through the VPN. Unless you specifically set up a machine as an exit node and route traffic through that.
No problem at all!
It has nothing to do with Tailscale’s security. It’s about your server not serving the page through SSL, you can just ignore it (unless you’re sending confidental info like personal logins etc. through that page) or learn about setting up SSL certs through Let’s Encrypt on the media server you’re using.
Is there a way to confirm this? Maybe in the settings page or in any docs?
Essentially it sounds like a split tunnel, right?
Normally when I setup a media server, I use a reverse proxy (caddy) and that handles SSL for me and alls well. I was trying something different this time and running the server behind my router without opening ports or dealing with dynamic IPs (hence tailscale). My understanding is that I am in a closed system with Tailscale and, therefore, not having SSL shouldn’t matter. Yes, I log into my server, but if I am on the only one on this network (Tailscale) does that matter?
Trace route would show you how the traffic is being routed to a specific address.
In that environment, using TLS would be adding a second layer of encryption and security. Not strictly necessary, but also wouldn’t hurt anything to do so.
Tailscale can help to provision certificates for the private nodes on the tailnet: Secure Tailscale Internal Services with Easy TLS Certificates
The next major release of Caddy will provide a way to automate this, automatically getting certificates if available from Tailscale. There is a beta release containing this functionality now: Release v2.5.0-beta.1 · caddyserver/caddy · GitHub
You’re right, it doesn’t matter that much for your use case but browsers still won’t care about that. Although one can still provision certs with Tailscale easily. Chrome will probably stop complaining about it then.