> I added the Pi to my Tailscale network (no, this is not an ad; just happy), which was pretty painless.
I had a quick look at Tailscale and it seems to be a VPN network that you get to manage? So it's still a VPN, just with convenience functions to make adding devices easy; is that about right? Where does the DNS for this exist? Is it on Tailscale's own servers? There must be some purpose to having to log in. Does Tailscale also hold some connection open to figure out which devices are on or not?
In a way this reminds me of AWS SSM Agent. I think it's talking to some central Amazon servers and I don't need to open a port on an EC2.
Tailscale runs its own local DNS resolver on your computer at 100.100.100.100, if you have enabled that in settings. Your DNS queries don't go to any Tailscale servers. By default, the client simply forwards all queries to the system DNS resolver, providing some added conveniences like automatic DNS over HTTPS upgrade when available. Also, you don't really have to use Tailscale for DNS if you're comfortable reaching your devices using their 100.x.y.z IP address. See https://tailscale.com/kb/1081/magicdns for more details.
And yes, Tailscale keeps a connection open to its servers to allow other devices to reach you when you're behind a firewall and direct connections can't be established.
Tailscale is a mesh overlay network that uses WireGuard under the hood. Traffic moves peer to peer as much as possible. DNS happens locally (the special 100.100.100.100 address actually points at the tailscale daemon running on each machine, which already holds the name -> address mapping that MagicDNS needs to work).
You log in to Tailscale from each device in order for the central Tailscale control plane to authenticate the device and for it to distribute that device's public WireGuard key out to the rest of the mesh.
I haven't personally used this, but many folks on HN also like that there's an open-source, self-hosted implementation of the control server. https://github.com/juanfont/headscale
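The two replies above describe the same mechanism from different angles: the daemon on each node holds a name -> address map for its peers, answers queries for tailnet names from that map, and forwards everything else to the system resolver. The following is an added illustration of that split-horizon behaviour, written for this thread and not code from Tailscale or from either commenter. The peer names, addresses and the `example.ts.net` suffix are constructed; the only real constant is the 100.64.0.0/10 CGNAT range from which tailnet addresses (including 100.100.100.100) are drawn.

```python
import ipaddress
import socket

# Tailscale hands every node an address from the CGNAT range; 100.100.100.100
# (the local MagicDNS resolver) falls inside it too.
TAILNET_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of the peer map a node's daemon keeps locally.
# Hostnames and addresses are made up for this example.
PEERS = {
    "pi": "100.101.102.103",
    "laptop": "100.64.0.7",
}


def is_tailnet_address(addr):
    """True if addr lies in the tailnet (CGNAT) range. Useful as a sanity
    check that a name really resolved to a peer and not to the public internet."""
    return ipaddress.ip_address(addr) in TAILNET_RANGE


class LocalResolver:
    """Split-horizon resolver modelled on the behaviour described in the thread:
    tailnet names are answered from the local peer map without any query
    leaving the machine; every other name is forwarded to the system resolver."""

    def __init__(self, peers, tailnet_suffix, forward=None):
        self.peers = {
            name.lower(): ipaddress.ip_address(addr) for name, addr in peers.items()
        }
        # Assumed suffix for fully qualified tailnet names, e.g. pi.example.ts.net
        self.suffix = tailnet_suffix.lower().rstrip(".")
        # forward(name) -> address string; the OS resolver unless one is injected
        self.forward = forward or (lambda n: socket.gethostbyname(n))
        # Refuse a peer map that would point a tailnet name outside the tailnet.
        for name, addr in self.peers.items():
            if addr not in TAILNET_RANGE:
                raise ValueError(f"peer {name} has non-tailnet address {addr}")

    def _local_name(self, name):
        """Map a short or fully qualified tailnet name to its peer-map key."""
        n = name.lower().rstrip(".")
        if n in self.peers:
            return n
        if n.endswith("." + self.suffix):
            short = n[: -len(self.suffix) - 1]
            if short in self.peers:
                return short
        return None

    def resolve(self, name):
        """Return (address, source); source is 'tailnet' for local answers
        and 'forwarded' when the query went to the system resolver."""
        local = self._local_name(name)
        if local is not None:
            return str(self.peers[local]), "tailnet"
        return self.forward(name), "forwarded"


if __name__ == "__main__":
    # Inject a fake upstream so the demo runs offline.
    r = LocalResolver(PEERS, "example.ts.net", forward=lambda n: "93.184.216.34")
    for q in ("pi", "Laptop.example.ts.net.", "www.example.org"):
        addr, source = r.resolve(q)
        print(f"{q:28} -> {addr:16} ({source}, tailnet={is_tailnet_address(addr)})")
```

The `forward` parameter is injectable so the lookup path can be exercised without a network; in the real client the fallback is the system resolver, which is why queries for non-tailnet names never touch Tailscale's servers.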