Tailscale
So I recently moved out for the first time (with my partner) and found myself without much in the way of network infrastructure. From issues with our ISP taking an entire week to put a hole through a wall, to the networking equivalent of selective hearing, moving in and losing access to what was at my old house was rough.
Some of these issues were easy to solve:
No private DNS server? Easy, write my NAS' hostname and address into the hosts file until I can get around to setting up honest-to-god DNS services on my home network.
No Ethernet backbone? Easy, just plug a cheap Netgear switch (which my new household has collected like dust motes) into the Wi-Fi extender, and spur everything off that. Who needs low latency, anyways?
No VLANs or subnetting? Just pray to the lords above that nothing goes wrong until I can replace a few pieces of kit.
No VPN? Easy… wait… no it isn't.
VPNs on consumer networks
I had the misfortune when moving to go from a niche semi-professional ISP, who offers static IPv4 and "Bring-Your-Own-Router" as standard, to a consumer-grade ISP, who, despite me being on their "Pro" package, will not let me replace their locked-down OpenWrt-based router (which I wouldn't mind so much if said router gave me more options when I select "Expert Mode").
A big issue with deploying a VPN here is that, well, I can't do it very easily. The router thankfully supports DDNS, but then I have to set up a DDNS account and a VPN server, hope that it's all secure and working, and then just hope that it doesn't fall over. I don't really trust the provided router to handle that sort of thing, either; no amount of Pro branding will take my mind off the fact that this router is a lemon compared to even Synology's WRX560, thanks to the cardinal sin of hiding OpenWrt's features from me.
I was resigned, for a moment, to the fact that I would need to put my back into making this work, be it through DDNS or otherwise.
Thankfully, a single Discord message gave me a much better answer:
I just installed tailscale on my stuff and I feel like I had a magic trick pulled on me
This message sort of made me go "huh" in that way that I rarely get: technological curiosity. I had heard of Tailscale before, but mostly from developer types, whose tool needs rarely overlap with mine. As you may understand from previous blog posts of mine, I don't fraternize with development tools and frameworks except where they directly address my needs. For example: Git meets my needs generically, since I like version control in more ways than just programming.
That message made me actually look into it, though, and what I found essentially solved my issue and then some.
Why this is good for me
I've always enjoyed the concept of a PAN. The Personal Area Network. Essentially, consider what would happen if all your devices could chant in synchronous harmony and talk to each other with the sole goal of working together like peanut butter and jelly. On top of that, I also enjoy the concepts in SD-WAN. A little bit of tech magic dust that essentially folds the world like a map between two networks into making one big (private) network spread over geographically large distances.
SD-WAN is like folding a map
What I'd never actually considered is what would happen if there were such a thing as an SD-PAN: a collection of my personal devices that think they exist on the same network but are actually any number of router hops or miles away from each other. That's kind of the idea of a VPN, of course, but there's a topological difference between a VPN and what Tailscale does.
With a VPN, you connect to a VPN server along with however many devices you wish, and then they all appear on the local network of that VPN server. This works great for businesses, who have both the servers to run this sort of system, and the need for people to connect back to a "main office" or "data centre" (or the cloud!) to access sensitive line-of-business resources.
Tailscale takes a different approach: there is no central server that traffic flows through (only an orchestration server). Devices peer and mesh with each other directly (or via a relay if need be), and each is given an IP address within the CGNAT IPv4 address space. This works way better than a VPN server for my needs, since I really only need to access a few devices from my home network.
There's a very good upside to all of that: since devices are peering directly, you don't need to port forward a VPN server, nor do you need to set up DDNS for it to work. The Discord message I had read was correct: this feels like a magic trick.
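To check whether the mesh described above is actually end-to-end on your own tailnet, here is an added example (my code, not the post's or Tailscale's) that classifies each peer as direct, relayed or offline and flags node addresses outside the CGNAT range. It assumes the JSON shape of `tailscale status --json` (field names Peer, HostName, TailscaleIPs, Online, CurAddr, Relay) and runs on a constructed sample.

```python
import ipaddress
import json

# Ranges a Tailscale node address should fall in: the RFC 6598 CGNAT block
# the post mentions, plus Tailscale's IPv6 ULA prefix (assumption).
TAILNET_RANGES = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample shaped like `tailscale status --json` output; the field
# names are an assumption about that format, not taken from the post.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "macbook", "TailscaleIPs": ["100.101.102.103"]},
    "Peer": {
        "nodekey:aaaa": {"HostName": "nas", "TailscaleIPs": ["100.64.0.20"],
                         "Online": True, "CurAddr": "203.0.113.7:41641", "Relay": "lhr"},
        "nodekey:bbbb": {"HostName": "phone", "TailscaleIPs": ["100.70.1.2"],
                         "Online": True, "CurAddr": "", "Relay": "lhr"},
        "nodekey:cccc": {"HostName": "laptop", "TailscaleIPs": ["192.168.1.50"],
                         "Online": False, "CurAddr": "", "Relay": ""},
    },
})


def classify_peers(status_json):
    """Map each peer hostname to 'direct', 'relayed' or 'offline'.

    A non-empty CurAddr means NAT traversal succeeded and packets go peer to
    peer; an online peer without one is being relayed (Relay names the region).
    """
    states = {}
    for peer in json.loads(status_json).get("Peer", {}).values():
        if not peer.get("Online"):
            states[peer["HostName"]] = "offline"
        elif peer.get("CurAddr"):
            states[peer["HostName"]] = "direct"
        else:
            states[peer["HostName"]] = "relayed"
    return states


def stray_addresses(status_json):
    """Return (hostname, address) pairs that lie outside the tailnet ranges."""
    status = json.loads(status_json)
    nodes = [status["Self"], *status.get("Peer", {}).values()]
    stray = []
    for node in nodes:
        for addr in node.get("TailscaleIPs", []):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in TAILNET_RANGES):
                stray.append((node["HostName"], addr))
    return stray
```

Feed it the real output of `tailscale status --json` in place of SAMPLE_STATUS to see which of your peers are talking directly and which are falling back to a relay.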
Internet Philosophy
An original principle of the Internet is the end-to-end principle. Basically, devices should talk directly with each other, and routers should only do the legwork of routing packets between each end of a connection. This works great until you hit the fact that IANA ran out of IPv4 addresses in 2011, and the IPv6 transition is a funny joke at this rate. So, to mitigate things, Network Address Translation became a necessity.
I have nothing against NATs; they work well for what they need to do, but they ultimately prevent the end-to-end principle from coming to fruition, by mediating connections between endpoints instead of just routing them.
Tailscale is interesting because it quite easily revives this: devices talk as if they were adhering to the end-to-end principle, even if the underlying medium between them isn't. My MacBook thinks it can just talk directly to my NAS at home, despite there being NATs and complications in between. And the funny thing, of course, is that there is no reason for this not to work. These technologies are not new; SD-WAN predates Tailscale by a non-insignificant margin of time. The only thing that's impressive is bringing that sort of tech back a layer, saying "Well, the devices should just talk to each other themselves", and having it work flawlessly. It works harmoniously, like magic.
I did consider whether this counts as selling my network's soul to a corporation, but then I remember I already did that by buying a MacBook.