Remote Access Comparison / Why Tailscale

Tailscale: A cloud-hosted version of WireGuard with a pretty web GUI.
Pros:
No server installation, just sign-up
Doesn’t require any VIPs or TCP port forwards on your firewall (more secure)
Double NAT friendly
Asymmetric Routing friendly
Overlapping subnets are usable with manual switching
Subnet router (requires a Linux endpoint)
Clients for Windows, Linux, macOS, Android, iOS, Synology, TrueNAS SCALE, Home Assistant, pfSense, OPNsense… and many more.
Auth, including MFA, provided by a 3rd party, e.g. Microsoft/Google/GitHub etc.
Auth can stay logged in for long periods, not prompting for MFA
Supports Mesh, Client-Server, Peer2Peer
Does NOT require static IP on Firewall or Dynamic DNS
After version 1.66(?), the Tailscale client can be remotely updated from the web console, Machines tab
Want to manage a remote server? Tailscale + Windows Admin Center. No firewall rules or VPN req’d.
Free for small networks: 3 users, 100 devices. Standard is $6/user/month
The business network can also reach the client, to check for updates. If a user leaves and refuses to return a company laptop, the business can remotely delete company data.


Cons:
All the eggs in 1 basket. You’re trusting that Tailscale has no code bugs or backdoors.
Client needs to be installed; same for any VPN, but RdWeb needs no client
The Free version allows you to be logged onto 1 network at a time
Remember to right-click the tray icon > Preferences > Run unattended, or it won’t work when logged out or when a different user is logged in.

Competitors:

RdWeb/Citrix:
Pros:
no client needs to be installed
can use published apps or full desktop
Cons:
Client OS must have RDP software; it is not available on all OSs, and not all versions are compatible with modern protocols/encryption
must connect to a Firewall, static IP + DNS recommended, no peer to peer
Server OS must be Windows
Licensing costs: RDS User CALs ~$200 US/user (concurrent per 90 days?)
Needs Duo or equivalent for MFA: $0 for 10 users, $3/6/9/user/month depending on features

IPSec VPN:
Pros:
mature (not buggy)
inter-device compatibility is high
Layer 3 = high software compatibility
supports both site2site and client2site
Cons:
must connect to a Firewall, static IP + DNS recommended, no peer to peer
hardest to understand and configure
does not connect thru double NAT

SSL VPN:
Pros:
Easier to set up than IPSec VPN
may not require client software
Cons:
Buggy and insecure (in the news a lot lately)
Not true routing, just port forwarding
must connect to a Firewall, static IP + DNS recommended, no peer to peer
does not connect thru double NAT

VIP / PortForwarding + RDP
Pros:
convenient, easy to understand + set up on server side
no client required on client side
Cons:
Super Insecure! Don’t ever do this!
Still insecure with MFA because the Protocol is buggy
must connect to a Firewall, static IP + DNS recommended, no peer to peer

Guacamole
Pros:
Free
supports multiple MFA schemes via add-ons
Cons:
Setup requires intimate knowledge of Linux/Docker
Docker wasn’t reliable, could be my limited knowledge
must connect to a Firewall, static IP + DNS recommended, no peer to peer

sduncan