Tailscale Services

Posted2 months agoActive2 months ago

xd1936

171 points

37 comments

tailscale.comTechstory

excitedpositive

Debate

20/100

TailscaleNetworkingSecurityVPN

Key topics

Tailscale

Networking

Security

VPN

Video walkthrough: https://www.youtube.com/watch?v=mELAg50ljSA

Tailscale has announced a new 'Services' feature, allowing users to expose services on their tailnet, sparking excitement and discussion among users about its potential use cases and limitations.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

Peak period

30-36h

Avg / period

3.7

Comment distribution37 data points

Loading chart...

Based on 37 loaded comments

Key moments

01Story posted
Oct 28, 2025 at 8:19 AM EDT
2 months ago
Step 01
02First comment
Oct 28, 2025 at 2:47 PM EDT
6h after posting
Step 02
03Peak activity
12 comments in 30-36h
Hottest window of the conversation
Step 03
04Latest activity
Oct 31, 2025 at 12:34 AM EDT
2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (37 comments)

Showing 37 comments

peter_d_sherman

2 months ago

1 reply

I did not intuitively understand what Tailscale does, so I visited the following related page:

https://tailscale.com/blog/how-tailscale-works

Ah! OK, now I get it! :-)

But, what found particularly interesting on that page was the following:

>" Some especially cruel networks block UDP entirely

, or are otherwise so strict that they simply cannot be traversed using STUN and ICE. For those situations, Tailscale provides a network of so-called DERP (Designated Encrypted Relay for Packets) servers. These fill the same role as TURN servers in the ICE standard, except they use HTTPS streams and WireGuard keys instead of the obsolete TURN recommendations."

DERP seems like one interesting solution (there may be others!) to UDP blockages...

sureglymop

2 months ago

Yup, really in very simple terms they just give you a public-key discovery/exchange server for your wireguard connected devices. Really wouldn't be that hard to create from scratch, wireguard does the heavy lifting.

Would encourage anyone to go look at the wireguard source code, it's amazingly concise and easy to read.

But they do seem to contribute and open source a lot to the community which I am grateful for.

bicepjai

2 months ago

2 replies

I recently found Tailscale when searching to control my home lab when traveling and have been amazed by how simple it is we can create a private network.

SOLAR_FIELDS

2 months ago

I normally am one to not recommend proprietary services, especially for homelab use but their solution is just so far above all of the alternatives in terms of usability that I make an exception here.

devilbunny

2 months ago

Even better: while some public WiFi spots block VPN authentication, Tailscale (if already connected while on a different network) will continue to send traffic.

You can't VPN out of the guest WiFi at my work (using personal device), but Tailscale, if connected while I'm at my house or via phone hotspot, will happily let me use my home devices as exit nodes. So I just leave it on all the time and only disconnect if there are issues (rare). I can use sketchy WiFi without really worrying about snooping, and for services that require me to use a US IP address... well, my house is definitely in the US and it's not going anywhere.

sharts

2 months ago

2 replies

i like tailscale but i notice that i get more weird network blippy latency issues when using it. i used to always have my phone connected to my tailnet so i could use my dns, etc. but always occasionally something won’t load right and i have to refresh again couple of times.

It tended to happen a lot more when switching between wifi / cellular when leaving and entering buildings, etc.

Now I just don’t use it

david_van_loon

2 months ago

1 reply

I've found that using Tailscale on my Android phone became worlds more reliable (as far as the issues you've described) once I stopped using a custom DNS resolver on my Tailnet.

Hikikomori

2 months ago

Want to use my pi-hole as DNS though.

thedougd

2 months ago

Similar struggle here. I don't have custom DNS, but do use MagicDNS.

preisschild

2 months ago

2 replies

I just wish tailscale would allow you to use long-lived tokens for ephemeral nodes...

Short lived tokens is not always an option

DomBlack

2 months ago

1 reply

You can use oauth tokens with the permissions of auth_key write to use long lived tokens to permission ephemeral nodes

DominoTree

2 months ago

I have a GitHub action that uses an OAuth token to provision a new key and store it in our secrets manager as part of the workflow that provisions systems - the new systems then pull the ephemeral key to onboard themselves as they come up

It can get especially interesting when you do things like have your GitHub runners onboard themselves to Tailscale - at that point you can pretty much fully-provision isolated systems directly from GitHub Actions if you want

Daviey

2 months ago

1 reply

I'm curious, which situations are short-lived tokens not an option?

preisschild

2 months ago

I want to give every node in my kubernetes cluster a tailscale key to join the cluster via the cloud-config / userdata. But this key is enforced by tailscale to be short lived, so if the server is reset and it boots again from cloud-config it has the expired key and can't join the tailscale network again.

EKSolutions

2 months ago

1 reply

I wonder if that architecture screenshot's "MagicDNS" value is a nod to Pangolin, since they are currently working on a new Clients feature that should eventually replicate some of the core Tailscale functionality.

alexktz

2 months ago

I'm afraid it's much more sophisticated. A Pangolin has both a Tail and Scales.

aidos

2 months ago

2 replies

Does anyone use Tailscale in production as the network layer between services? Would be interested about hearing experiences.

We use it for to allow us to connect in from the outside (and user to user access etc), but not for service to service connections.

SOLAR_FIELDS

2 months ago

In addition, do people do so in mesh format? Seems expensive to do so for all of your machines, more often the topology I see is a relay/subnet advertisement based architecture that handles L3 and some other system handles L6/L7

Multicomp

2 months ago

Works great to connect fly.io apps that are only exposed to flycast private IPv6 addresses. And I think Tailscale services will replace these.

Performance between fly.io web servers in iad region to RDS databases in us-east-1 via subnet routers has been spotty to say the least.

SOLAR_FIELDS

2 months ago

3 replies

Can someone help me understand what this is vs exposing my services via MagicDNS using the tailscale Kubernetes operator? Functionally it looks like a fair amount of overlap but this solution is generic outside of Kubernetes and more baked into tailscale itself? The operator solution obviously uses kube primitives to achieve a fair amount of the features discussed here.

smallerize

2 months ago

Was the personal plan not always free?

apenwarr

2 months ago

(I'm a Tailscale employee) The recent versions of the Tailscale k8s operator actually used a pre-release of the Services feature to do exactly that. So, not much difference. The official Services release is making that functionality available for more use cases (and generally better documented and user friendly).

nickdichev

2 months ago

I’m also curious about this since I’ve been exposing services via their experimental caddy plugin.

keeda

2 months ago

1 reply

Fascinating to watch Tailscale evolve from what was (at least in my mind) a consumer / home-lab / small-business client networking product into an enterprise server-networking product.

echelon

2 months ago

1 reply

They're morphing into a B2B centicorn, and the consumer-led tooling route was a genius path.

They provided much-needed solutions to annoying problems and did it in a way that made developers love them.

Really smart and well executed.

SOLAR_FIELDS

2 months ago

I know they are good at what they do because it's dev tooling that I will actually pay for, which is as many people know, a difficult thing to convince developers to do.

paxys

2 months ago

2 replies

I understand the usefulness of the feature, but find their examples weird. Are people really exposing their company's databases and web hosts on their tailnet?

nickdichev

2 months ago

Yes I host web services for my consumption, like miniflux rss aggregator, that don’t need to be on the public internet.

Similarly I’m going to host my small business’ staging database on a home server and expose that on my tail net.

theshrike79

2 months ago

How is that different from exposing on the company intranet in general? Or hosting them in a publicly accessible AWS endpoint?

david_van_loon

2 months ago

I'm happy to see this feature added. It's a feature that I didn't quite realize I was missing, but now that I see it described, I can understand exactly how I'll put it to use. Great work as always by the Tailscale team.

rhjensen79

2 months ago

Fantastic. So many posibilities

TranquilMarmot

2 months ago

Very cool, I love Tailscale. I use it to connect together a VPS, desktop computer, phone, and a few laptops. My main use case is self-hosted Immich and Forgejo so this is great.

defnnn

2 months ago

This would be great if it supported wildcards for ingress controllers. A service foo would give you foo.tailYYYY.ts.net as well as *.foo.tailYYYY.ts.net.

pkt0x53

2 months ago

This project exactly does the same thing https://github.com/mascarenhasmelson/TailPass

dlisboa

2 months ago

If I'm getting this right it's only highly available from a network layer perspective. However if one of your nodes is still responsive but the service that you exposed on it isn't responsive there's no way for Tailscale to know and it'll route the packet just the same? It's not doing health checks like a reverse proxy would I imagine.

subarctic

2 months ago

This sounds great, I think it's exactly what I was looking for recently for hosting arbitrary services on my tailnet. I figured out a workaround where i created a wildcard certificate and dns cname record pointing to my raspberry pi on my tailnet but this could be potentially simpler

setheron

2 months ago

Is this like a more robust funnel?

View full discussion on Hacker News

ID: 45731848Type: storyLast synced: 11/20/2025, 2:24:16 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN