
I am not sure I understand why Headscale was excluded. As far as I know, it is made by people not related to Tailscale.

It would be like complaining Vaultwarden is bad because the Bitwarden project is not fully open source even though Vaultwarden is fully open source and has most of the features implemented.

And Headscale kind of ticks all the other boxes mentioned, except "not headscale", because:

* p2p mesh network - it is a mesh network. And even when mesh is blocked, you can use multiple relay servers (DERP) which will relay to the mesh from the closest location. And you can host your own DERP servers.

* Open source and selfhosted - check

* Not WireGuard (signature-based blocking) - in cases where WireGuard is blocked, the DERP relay servers run over HTTPS and are usually not blocked based on signatures. For example, I use it with Traefik proxy in TCP mode so I could run DERP and other HTTP services on the same 443 port and it works great. So - check?

* Packaged in nixpkgs - check

On top of that, if you add Headplane admin UI you get nice graphical management, very similar to the one of Tailscale.


I did it mostly for religious reasons, but also because everyone writes about Headscale and I didn't want to write about things that everyone already knows.
Religious or political ones? :) I did not know, but after a quick search online, it states that Tailscale blocked Russian IPs at some point in the past.

I guess it doesn't really matter, but it would have been nice to give some transparency to the reader that it was not due to actual technical limitations.

Religious. Open source versions of products that are created/supported by companies providing proprietary versions of the same product have caused me so many problems in the past that now I don't approve of this practice.

It should be the same exact copy, or the situation turns into "try demo version, buy the full product". At least from my point of view.

Once you have worked with the large cloud providers (AWS, Azure, GCP), you start to realize that solutions built on those platforms frequently differ a lot from what can realistically be self-hosted. Especially when it comes to large SaaS platforms. They probably could not provide it even if they wanted to. Or it would be only viable to large enterprises being direct competitors, but not viable to a homelab.

I think it makes no sense for them to put much focus on developing a separate small open source version of their server. So it is good that they actually support its development.

How did you manage to put the derper behind Traefik? It seems to be not supported at least officially:

“ The DERP protocol does a protocol switch inside TLS from HTTP to a custom bidirectional binary protocol. It is thus incompatible with many HTTP proxies. Do not put derper behind another HTTP proxy.”

I learned this from hosting SmallStep CA behind Traefik. You can use TCP mode for specific subdomains and match it using HostSNI. Then if the client uses SNI it should work. So you can use both TCP and HTTP routers on the same port.

https://github.com/Janhouse/tailscaled-derper/blob/main/dock...

Since we use TLS passthrough and Traefik just proxies TCP, you have to pass certificates to derper, so you either use the Traefik certificate extractor or some other tool to get them.

And initially I thought that I would have to integrate libproxyproto into derper in order to handle client IP addresses correctly behind Traefik, but it looks like it doesn't really need it.
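The setup described above (a TCP router matched by SNI with TLS passthrough, sharing port 443 with ordinary HTTP routers), written out as a Traefik v2 dynamic configuration. This is an added example, not the commenter's linked repo or Tailscale's own config; the hostnames, service names and the `letsencrypt` resolver name are assumptions.

```yaml
# Assumes an entryPoint named "websecure" bound to :443 in the static config.
tcp:
  routers:
    derp:
      entryPoints:
        - websecure
      # SNI match only: Traefik never terminates TLS for this router, so the
      # DERP protocol switch inside the TLS session reaches derper untouched.
      rule: "HostSNI(`derp.example.com`)"
      tls:
        passthrough: true
      service: derp
  services:
    derp:
      loadBalancer:
        servers:
          # derper must serve its own certificate for derp.example.com here,
          # e.g. one exported from Traefik's ACME store (cert extractor) and
          # handed to derper with -certmode manual.
          - address: "derper:443"

http:
  routers:
    headscale:
      entryPoints:
        - websecure
      # Same :443 entryPoint; TLS is terminated by Traefik for this one.
      rule: "Host(`headscale.example.com`)"
      tls:
        certResolver: letsencrypt
      service: headscale
  services:
    headscale:
      loadBalancer:
        servers:
          - url: "http://headscale:8080"
```

Clients that do not send SNI will not match the TCP router and fall through to the HTTP routers, so a DERP client without SNI cannot reach derper through this setup.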

> As far as I know, it is made by people not related to Tailscale.

I thought the Headscale dev had been hired by Tailscale, didn’t he?

Can’t find references right now but I have a distinct memory of reading about it.

I think you are correct. https://www.hackerneue.com/item?id=33990413 From the headscale commit log, seems like it was https://github.com/kradalby not the owner of the headscale repo. And he is making a lot of commits.

So, looks like Tailscale is paying one of the developers to develop for headscale, as part of his job.

This is one of the best ways a company can support an open source project though.

It's also not hindered. It works completely fine, but it doesn't have users (self hosted competitor).
It uses the same plain WG which doesn't pass across borders by the rules of this experiment.
