Community discussions

MikroTik App
 
User avatar
rodyeo
newbie
Topic Author
Posts: 44
Joined: Thu Nov 09, 2006 10:53 am
Location: Malaysia
Contact:

Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Tue Nov 16, 2021 7:32 am

Dear Normis,

I propose Mikrotik RouterOS to adopt TailScale VPN https://tailscale.com/ similar to ZeroTier VPN https://www.zerotier.com/ ... as TailScale is much easier to understand and deploy than confusing ZeroTier ... for newbie users... ;) Earlier a year ago I proposed ZeroTier and I thank you for taking my advise and got it rolled out! Now please look seriously into TailScale as it is the best so far easiest to deploy and get it working in a flash for dummies like me... :)

https://tailscale.com/kb/comparisons/

https://tailscale.com/kb/1139/tailscale-vs-zerotier/


Rodney Yeo
http://fb.com/rodyeo
Rodney Yeo (9W2YJ)
Ham Radio Operator
Malaysia
http://rodyeo.dyndns.org
Air Traffic Radar Station
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 851
Joined: Fri Nov 10, 2017 8:19 am

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Tue Nov 16, 2021 8:31 am

Same as with zerotier, I propose to NOT implement 3rd party services. Implement functions, protocols etc. but not services. Service implementation will always require more attention from developers and will take their time away from fixing/developing basic stuff. We experienced it with paypal support (suddenly stopped working because paypal deprecated certain API and all customers who relied on it had to wait for mikrotik to quickly release an update). This will become more common as more services are implemented.
If you find me posting too many replies, I am either procrastinating on some really important task, or just drunk. Roll D20 to find out which one it is.
 
User avatar
Paternot
Forum Veteran
Forum Veteran
Posts: 937
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Tue Nov 16, 2021 12:12 pm

Same as with zerotier, I propose to NOT implement 3rd party services. Implement functions, protocols etc. but not services. Service implementation will always require more attention from developers and will take their time away from fixing/developing basic stuff.
I agree. Protocols and low level stuff: yes! 3rd part services... not so much.
 
mikruser
Long time Member
Long time Member
Posts: 569
Joined: Wed Jan 16, 2013 6:28 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Tue Nov 16, 2021 2:27 pm

I have already suggested a solution similar to DMVPN
viewtopic.php?t=160274
and ticket SUP-65537
but i got answer:
Hello,
This functionality is available in RouterOS using ZeroTier.
do not ask me why it is necessary.
 
Zacharias
Forum Guru
Forum Guru
Posts: 2972
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Tue Nov 16, 2021 3:20 pm

Same as with zerotier, I propose to NOT implement 3rd party services. Implement functions, protocols etc. but not services. Service implementation will always require more attention from developers and will take their time away from fixing/developing basic stuff.
I agree. Protocols and low level stuff: yes! 3rd part services... not so much.
I agree too...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 10152
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Tue Nov 16, 2021 7:55 pm

Dear Normis,

I propose Mikrotik RouterOS to adopt TailScale VPN https://tailscale.com/ similar to ZeroTier VPN https://www.zerotier.com/ ... as TailScale is much easier to understand and deploy than confusing ZeroTier ... for newbie users... ;) Earlier a year ago I proposed ZeroTier and I thank you for taking my advise and got it rolled out! Now please look seriously into TailScale as it is the best so far easiest to deploy and get it working in a flash for dummies like me... :)

https://tailscale.com/kb/comparisons/

https://tailscale.com/kb/1139/tailscale-vs-zerotier/


Rodney Yeo
http://fb.com/rodyeo
Rodney, you proposed zerotier, so I dont think that your a dummy or need tailsscale........ ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mada3k
Long time Member
Long time Member
Posts: 511
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Tue Nov 16, 2021 8:52 pm

Mikrotik, please make support for >insert yet another proprietary vpn protocol>...
CCR/CRS/hEX/wAP • Ansible • NetXMS
 
zandhaas
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Nov 28, 2021 7:52 pm

Once the container package is ready and back you can try to run tailscale as a container on your Mikrotik.
Tailscale delivers it as a container already for other platforms (i.e Synology)
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 1:41 pm

@rodney
I endorse your suggestion without any reservations

TailScale is very simply stated BRILLIANT .... WoW to the power of 10

A superb Video presentation of TailScale follows:
https://youtu.be/3QEZRpxfZp4
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 10152
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 5:16 pm

On the surface both Tailscale and Zerotier look eerily similiar, except Zerotier for the home use has less restrictions (100 devices vice 20) and no subnet router limitations...
Thus I fail to see what the 'great' difference is between the two. Im not sure what ZT uses for its backend encryption but Tailscale uses wireguard, so what? Does this mean that Tailscale is significantly faster? Does Tailscale use the same RELAY to direct connectivity where possible schema at ZT (they call it UDP punching)?

In other words, unless Tailscale has some glaring advantages over ZT, not sure what the fuss is about.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 6:16 pm

@anav ,,,, unlike ZeroTier TailScale uses WireGuard as its foundation …. From a setup perspective TailScale is FAR easier to implement …. Apparently YOU did not look at the Video nor read their docs …… from a scaling perspective it is absolutely brilliant especially if one needs A REMARKABLE MESH that requires very little to no intelligence :D

Ideal for the home user with small needs and for the business the scaling and ease of implementation is beyond ridiculous … remarkable brilliant.

Spend the time studying the docs and do look at the entire video.
Objective video from a techie pov
https://youtu.be/bcRVkoeSN0E
Last edited by mozerd on Thu Jan 06, 2022 3:51 am, edited 1 time in total.
 
Sob
Forum Guru
Forum Guru
Posts: 7230
Joined: Mon Apr 20, 2009 9:11 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 8:15 pm

Same as with zerotier, I propose to NOT implement 3rd party services.
I'd go half way, do implement 3rd party services, but as extra packages sponsored by those 3rd parties. After all, they are commercial services and support in RouterOS brings them new customers and money, so it would be fair to share some with those who help to earn it. MikroTik could use it to hire and pay new people to work on this, users would be happy to have every service they like, 3rd parties would have new customers, and everyone who doesn't care about any of that wouldn't be affected. Isn't it a brilliant plan? :)
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 10152
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 10:37 pm

Okay mozerd when I get time I will try to dig into it.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 25150
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 10:52 pm

So what it boils down to ... everything is same, but ZT is more configurable, but you like TS apps better? I don't think this is enough to implement a second service that does the same stuff.
No answer to your question? How to write posts
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 11:05 pm

From a scaling and ease of use perspective there is ABSOLUTELY no comparison Normis …. I am actually surprised by your comment. Techies who manage many dispersed users will love LOVE love setting up TailScale for their users and more importantly USERS will love the ability to communicate with all their devices transparently. The mesh that TailScale provides produces unparalleled performance that ZeroTier cannot at this time emulate.
 
User avatar
jvanhambelgium
Long time Member
Long time Member
Posts: 653
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 11:17 pm

Really depends on what you try to accomplish.
ZeroTier has some aspects in favor of TailScale, but also many similar features.

https://discuss.zerotier.com/t/zerotier ... scale/3800
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Dec 25, 2021 11:56 pm

TailScale document that provides outstanding information.

How Tailscale works

If you have the patience to read this document .... an excellent learning experience.

NOTE: Using Tailscale for an open source or friends & family project? The Community on GitHub plan can get you up to 25 users, 5 devices per user, and 2 admins for free.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 25150
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 10:07 am

Sorry, but how is ZT iPhone app difficult to use? There is one button basically. And ZT has excellent documentation too.
No answer to your question? How to write posts
 
User avatar
Znevna
Member
Member
Posts: 484
Joined: Mon Sep 23, 2019 1:04 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 11:31 am

Guess he gets payed to do tailscale advertising.
I don't trust anything written by a guy who can't read product labels anyway.
MTKEK Certified, IP Sparky
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 2:22 pm

Sorry, but how is ZT iPhone app difficult to use? There is one button basically. And ZT has excellent documentation too.
ZT iPhone app is not difficult to use ..... but TailScale makes everything much easier from a management perspective when scale is required --- consider the 2 points of demarcation as a starting point because they are extremely important differentiators.

ZeroTier is designed to be a “zero-configuration” technology. A user starts a ZeroTier node without having to write configuration files or provide the IP addresses of other nodes. ZeroTier’s Virtualization Layer 2 (VL2) acts as the configuration manager. New nodes can be added to a ZeroTier network by sharing a computer-generated secret code, which must be entered by the user at connection time.

Tailscale makes connecting devices straightforward: you simply install and log into Tailscale on each device using your organization’s SSO identity provider. Tailscale manages key distribution, key rotation, machine certificates, and all configurations for users, which is very useful if any of the devices on the network belong to non-technical users.
 
User avatar
Amm0
Member
Member
Posts: 355
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 5:56 pm

Sorry, but how is ZT iPhone app difficult to use? There is one button basically. And ZT has excellent documentation too.
[...] consider the 2 points of demarcation as a starting point because they are extremely important differentiators.

[... *] ZeroTier’s Virtualization Layer 2 (VL2) acts as the configuration manager. New nodes can be added to a ZeroTier network by sharing a computer-generated secret code, which must be entered by the user at connection time.

[... * ] using your organization’s SSO identity provider. Tailscale manages key distribution, key rotation, machine certificates, and all configurations for users, which is very useful if any of the devices on the network belong to non-technical users.
I'd prefer 2FA in ROS.

TailScale is just enterprise packaging over Wireguard. TailScale could theoretically be implement by some Mikrotik Script language - at the end of the day, TailSpin just updates firewall rules, certs, and send emails to end-user. The same cannot be said about ZeroTier – they do have their own protocol and broader SDN view, than TailSpin's narrow-focus on policy.

Importantly, you can run your own ZT instances without there services. Haven't tried, TL;DR, but that possibility makes ZT more palatable a zero-conf VPN, than a closed source TailScale that uses the same Wireguard Mikrotik already supports. Let's not get into bonding, since Mikrotik ZT doesn't support it with ZT yet AFAIK, but that be another key difference between ZT and TS.

So a -1 from me on this one.
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 8:42 pm

After further analysis I've decided TailScale does not need to be integrated into RouterOS because YOU do not need it unless you had a VERY special purpose -- what is that special purpose? Subnet routers respect features like access control policies, which make it easy to migrate a large network to Tailscale without installing the app on every device. ... However, TailScale encourage you to install Tailscale directly on devices wherever possible, for better performance, security, and a zero-configuration setup

You can establish a TailScale network without involving MikroTik in any way shape or form and everything behind a MikroTik Router would probably work just fine with GREAT VPN performance. I state probably because I have not done extensive testing so there may be stuff that may need some further thought.

BUT for you skeptics following is the MAGIC of TailScale:

Install the TailScale App on your phone and it will prompt you to establish an account .... if you use gmail use it as one of the selections offered for your signing credential and TailScale will automatically create your FREE account and register your phone as well as create a phone VPN entry for you.

Now in your LAN/VLAN/Subnet select a device like your Synology NAS and install TailScale .... sign-in to your TailScale account when prompted and use your gmail account again ... now TailScale will register your NAS and assign an IP address ...

Now go back to your phone ... turn off you wifi .... connect to your TailScale VPN using your cellular connection .... now select the app you use to look at the NAS remotely .... I use FE Explorer for example ... create a link to the Synology NAS that allows you entry and Vola you now have access to that NAS.

You did not have to remember any public keys etc --- TailScal does that for you automatically. ... and YOU did not have to reconfigure your MikroTik Router in any way shape or form. MAGIC :D
 
Sob
Forum Guru
Forum Guru
Posts: 7230
Joined: Mon Apr 20, 2009 9:11 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 9:16 pm

So in order to get file from my NAS, I'll depend on not one (TailScale), but two (+Gmail) external services, while I'd preferably depend on zero. And that's supposed to be great?
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
Znevna
Member
Member
Posts: 484
Joined: Mon Sep 23, 2019 1:04 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 9:35 pm

Ah, there we go, crap marketing at its finest.
See, because of people like you I will never even try tailscale.
Or any other product that gets spammed in this forum and other places.
Overselling some product is never a good sign, ispapp or moab or cloutik or whatever 3rd party closed source miracle service that gets spammed here.
Some do it in signatures, some spam the forum, some both.
Best thing is that some of you don't even have any MikroTik Certs, yet you sell products for mikrotik devices and want people to trust your products based on ... what?
So please, stop spamming.
MTKEK Certified, IP Sparky
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 10152
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 9:43 pm

Its not spamming, and if you like wine so much drink it and keep your fingers away from the keyboard, because I actually find your whining noise far more irritating than lets say Mozerd attempting to describe why tailscale appeals to him.
If you have a contrary opinion then put forth your arguments aka something constructive otherwise, you appear to be a childish brat. Personally I like to have both sides or different angles in a discussion and then I can decide what aspects or functionality may be more or less important for any particular scenario. I understand what Sob is saying which is dependencies on external players is not necessarily a good thing. A direct VPN tunnel (aka wireguard) may be all the that one needs for example and no externals are required for that.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 9:44 pm

So in order to get file from my NAS, I'll depend on not one (TailScale), but two (+Gmail) external services, while I'd preferably depend on zero. And that's supposed to be great?
https://tailscale.com/kb/1119/sso-saml-oidc/

Nope, it all depends on who you select as your SSO provider. Each device you chose to join your TailScale vpn network must first be registered using your SSO provider .. once registered no further signin is required unless you want to manage TailScale …. Once you select the SSO provider that’s the one you stick with.
 
mhaluska
just joined
Posts: 18
Joined: Sat Jun 13, 2020 1:20 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 9:47 pm

@Znevna: ignore tailscale, try headscale https://github.com/juanfont/headscale. i think heads are scaling better than tails /s
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sun Dec 26, 2021 9:48 pm

……. I understand what Sob is saying which is dependencies on external players is not necessarily a good thing. A direct VPN tunnel (aka wireguard) may be all the that one needs for example and no externals are required for that.
Security …….
From their WS
Tailscale also offers full end-to-end data encryption. A device’s private key never leaves the device, so Tailscale cannot decrypt network traffic. New nodes can be added to a Tailscale network by authorizing against your company’s SSO identity provider. The default configuration causes nodes to be expired from the Tailscale network unless they are re-authenticated periodically, which triggers key rotation. Optional device posture checking is also available, preventing devices from joining the network unless they are approved by company policy.
In Tailscale, administrators configure a central RBAC ACL policy so that network traffic can be precisely restricted. Although administrators can express access rules in one central policy, the policy is compiled into a set of packet filters, which are enforced by the individual nodes themselves, giving the security properties expected from a zero trust network.
Tailscale supports multi-factor authentication (MFA) through its identity provider integration.
 
Sob
Forum Guru
Forum Guru
Posts: 7230
Joined: Mon Apr 20, 2009 9:11 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Mon Dec 27, 2021 1:12 am

Ok, so I can have my own SSO provider (but I need Tailscale's Enterprise subscription to be able to use it). But it's good direction, one dependency is better than two. It's just that zero would be even better. :)

What I'm getting at, why should I want Tailscale as service? I can see how this kind of "clever VPN" can be useful, there's no problem there. But let's say I'm big company, why should I pay them per user per month (which can add up pretty quickly), rather than running such software on my own devices? It's nothing that should require too much maintenance. We have standards for regular VPNs, so there could be some standard for this too, manufacturers like MikroTik could implement it, etc. Of course obvious problem is if it currently doesn't exist, but it's the right way. But this doesn't really bother me, it's everyone's choice, outsourcing is popular, no problem.

What does bother me slightly, if I'm just home user and want to access my NAS from everywhere, then I shouldn't need anything like this at all. All I need is VPN server (any kind I want) on my home router. Yes, it's single point of failure, but if the router goes down, NAS connected behind it will be inaccessible anyway, because it won't have any internet connectivity. The only reason why I may need it is IPv4 address shortage and resulting inability to have VPN server on my router. So on one hand it's great that service like Tailscale can help me get around that, but on the other, don't they, in a way, sabotage long-term solution, which is getting rid of address shortage, i.e. getting IPv6 everywhere? Because if I can access my NAS using their service, what motivation I have to nag my ISP about IPv6? All I wanted was to access my NAS and I already can, so I'm all set. Screw IPv6 with all its problems, magic cloud was the right answer! But somehow I'm not very much excited about that.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 10152
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Mon Dec 27, 2021 1:15 am

But Sob the arguments you are making are valid vs Zerotier as well, which leads me to believe you see limited uses for both, whereas I was looking to parse out why one was better than another.
Also what is this new term being thrown about (SSO provider).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Mon Dec 27, 2021 1:31 am

@Sob
No need for enterprise account to use SSO ….

Plus you have missed the entire point of TailScale … the ease by which one can set up a secure VPN that Performs well … ITS SO INCREDIBLY easy … that is the point. :D

@anav … SSO stands for Single Sign-On …. Your Gmail account credential is one example if you have a gmail account …. Could also by your Microsoft 365 Office account etc etc etc.
 
User avatar
Amm0
Member
Member
Posts: 355
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Mon Dec 27, 2021 2:15 am

But Sob the arguments you are making are valid vs Zerotier as well, which leads me to believe you see limited uses for both, whereas I was looking to parse out why one was better than another.
Also what is this new term being thrown about (SSO provider).
Nothing is better or worse. Just different. SSO is just a fancy word for a central directory that manages passwords for a set of services. e.g. the"Login with Google" button being an example" you can your Google's login creds at ZeroTier's website  – that's SSO. At a big company, they don't want to maintain many passwords to many system, there whole sub-category of software that integrates this login protocol with the authentication database.

IPv6...
Sob is right more ubiquitous IPv6 support push reset the button on firewalls not needing NAT. And, if you get rid of NAT, you just "unblock a port" – no hairpins or "forwarding" – allow or deny. Since a Mikrotik at a house isn't moving, thus has a "static" IPv6 address by definition. And most mobile providers hand out IPv6, so for the most part if you need to access your home network from a smartphone, IPv6 is pretty easy. Assuming the providers support IPv6... If that's access stuff at your house, IPv6 is pretty simple with no external dependancies... just not universally available like IPv4.

Wireguard...+TailScale
Layer 3 IP Only – so no L2 ethernet stuff or bridging – just routing. Fast, easy, prefect for tunneling between two devices. But WG is just a protocol, the original Wireguard paper deliberately leave key management schemes to the implementors of the protocol a la OpenSSH. So TailScale fills in the gap to link a SSO identity to the Wireguard keys, but that requires their own client on top of WG protocol. But with their client that making the WG connection, they can enforce whatever policy on the client they want. Why TailScale be pretty odd on MT – not sure Sob wants the cloud pushing firewall rules on his router – neither do I. So TailScale, from a classic OSI model, lives at Layer 4 or higher since it's WG under-the-covers.

ZeroTier
Different animal, operates at Layer 2 – so it can be just bridged, with ZT using a Layer 2 firewall in the cloud (e.g. no state, no NAT, just allow/deny). To me, it like a consumer friendly MPLS – anyway can create/join a tagged network, and it the protocol figures out the "right thing" to setup the parties in the tagged network. As a backup way to get into any Mikrotik, it's been pretty handy in V7. If my Mac, joins a ZT network that contains a group of Mikrotik's, they show up in Winbox's neighbor discovery – no hassle, if you follow MT's directions that just works. Still have VPNs/IPv4 statics in most cases, but ZT has been quite handy to get into winbox remotely.
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Mon Dec 27, 2021 3:27 am

@Amm0 ….. you state the following: “ Why TailScale be pretty odd on MT – not sure Sob wants the cloud pushing firewall rules on his router – neither do I.”

TailScale does NOT PUSH firewall rules on MikroTik PERIOD ….

It’s very apparent to me that you have ZERO clue how TailScale works …

Learn …. https://tailscale.com/kb/faq/
 
User avatar
Amm0
Member
Member
Posts: 355
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Mon Dec 27, 2021 6:40 am

@Amm0 ….. you state the following: “ Why TailScale be pretty odd on MT – not sure Sob wants the cloud pushing firewall rules on his router – neither do I.”

TailScale does NOT PUSH firewall rules on MikroTik PERIOD ….

It’s very apparent to me that you have ZERO clue how TailScale works …

Learn …. https://tailscale.com/kb/faq/
I just saying my opinion based on a casual reading of their web site, and lessons from watching OpenFlow, which even Mikrotik dropped in V7 – but doesn't mean I'm stupid.

Seems unlikely to be support by Mikrotik. And, I have no need for a enterprise-ready, cloud VPN – regardless if it's "easy" – not sure I need to learn more. But I did read TailScales's comparison with ZeroTier, where Tailscale themselves say:
The bottom lineZeroTier and Tailscale both offer peer-to-peer mesh VPN technologies. They use different protocols to offer a functionally similar service. ZeroTier’s protocol is custom, while Tailscale uses the industry-standard WireGuard protocol for its data plane. Both products offer NAT traversal, and encrypted peer-to-peer connections, and administration dashboards.
ZeroTier and Tailscale are both outstanding alternatives to the traditional VPN, and both have great potential use in modern corporate environments.
Last updated Dec 23, 2021
In ZeroTier protocol doc to ZT designer's blog with original goals for ZT, quite the contrast from a SSO-based an approach. And with V7, there was long WireGuard since early betas, which is what TailScale repackages – so the bells-and-whistles of TailScale is what doesn't fit, IMO.
 
Sob
Forum Guru
Forum Guru
Posts: 7230
Joined: Mon Apr 20, 2009 9:11 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Mon Dec 27, 2021 7:48 am

TailScale does NOT PUSH firewall rules on MikroTik PERIOD ….
But it would, if RouterOS itself would be a client, wouldn't it? From their description of ACLs:
The access rules you define for your network get distributed to all the devices in your network, and enforcement of the rules happens on each device directly, without further involvement from Tailscale’s servers.
Which makes sense, because if there's direct communication between clients, only the target client can do any filtering. I assume they don't reinvent the wheel and simply use client's firewall. It's perfectly ok, if you trust their server with keys and configuring links between clients, you can trust them with firewall too. And I'm not suggesting that I wouldn't trust their server, just that ideally I shouldn't need their server at all. I admit, I may be a bit anti-cloud, or perhaps cloudphobic, I'm not sure. :)
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Mon Dec 27, 2021 2:54 pm

..... But it would, if RouterOS itself would be a client, wouldn't it? From their description of ACLs:
You are still in control if the Tik become a client ..... however IMO and as I stated earlier in #22
After further analysis I've decided TailScale does not need to be integrated into RouterOS because YOU do not need it unless you had a VERY special purpose -- what is that special purpose? Subnet routers respect features like access control policies, which make it easy to migrate a large network to Tailscale without installing the app on every device


Sob, I do not like the Cloud either -- I try hard to avoid it IF I can :lol:
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Thu Dec 30, 2021 1:23 pm

Another very NICE video that explains TailScale

https://youtu.be/76XY8ncctkE

I dare YOU to watch it ....

So Sorry ZeroTierOne but IMO TailScale is FAR --- superior --- and the best part is that YOU do not need to make ANY changes to your MikroTik Router ... no changes of whatsoever nature ... no Firewall Rules to add ... no Firewall Rules to change and the best part is that its FREE for home use.
 
User avatar
lopar
just joined
Posts: 21
Joined: Mon Jan 30, 2017 5:47 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Fri Jan 14, 2022 5:59 pm

TailScale document that provides outstanding information.

How Tailscale works

If you have the patience to read this document .... an excellent learning experience.

NOTE: Using Tailscale for an open source or friends & family project? The Community on GitHub plan can get you up to 25 users, 5 devices per user, and 2 admins for free.
Image

Looks like serious security breach. Any user can ignore ACL and share that "ignoring" routes to other clients in network? Looks really bad.
 
Sob
Forum Guru
Forum Guru
Posts: 7230
Joined: Mon Apr 20, 2009 9:11 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Fri Jan 14, 2022 6:16 pm

Not really, each client has local filtering of traffic from other peers (that config is updated from TailScale's server). So if one decides to ignore ACL, it doesn't accomplish anything, because target peer won't accept it.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
mozerd
Long time Member
Long time Member
Posts: 637
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Fri Jan 14, 2022 8:15 pm

@lopar … @Sob provided the correct response ..
Following is what happens:

ACLs are enforced by the receiving node, not the sending node. Convincing the sending node to send a packet isn't sufficient.
If you are suggesting that traffic from 100.71.176.115 would be blocked from connecting to 100.81.195.172 but would be able to do so by bouncing through 100.105.14.79. That doesn't happen. Tailscale nodes do not forward traffic on to other Tailscale nodes. If two nodes want to send traffic they establish a direct Wireguard tunnel, not bounce through other nodes. That is how the ACLs work.

The example ACL shows an accept followed by two reject ACLs. Tailscale does not have a reject ACL. All access is blocked by default, you add accept rules to specify what should be allowed.

I suggest that you give TailScale a try and see for yourself how TailScale ACL’s actually works vs speculating …
 
User avatar
Znevna
Member
Member
Posts: 484
Joined: Mon Sep 23, 2019 1:04 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Fri Jan 14, 2022 10:03 pm

Still hitting the tailscale drums?
I'm so glad mikrotik decided to stop adding completly new features for now and that they only try to fix bugs with the current features.
Btw, the tailscale binaries are HUGE. Nobody considers this a problem for mikrotik devices?
MTKEK Certified, IP Sparky
 
Sob
Forum Guru
Forum Guru
Posts: 7230
Joined: Mon Apr 20, 2009 9:11 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Fri Jan 14, 2022 11:14 pm

If MikroTik decides to add TailScale client and its size forces them to make devices with more storage, I say go for it, it will be worth it for just this reason alone. :D
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 10152
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Fri Jan 14, 2022 11:27 pm

you prefer a larger package sob? Its the weekend LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Sob
Forum Guru
Forum Guru
Posts: 7230
Joined: Mon Apr 20, 2009 9:11 pm

Re: Propose Mikrotik to adopt TailScale VPN similar to ZeroTierOne VPN

Sat Jan 15, 2022 12:08 am

Right size for given purpose is the best. In this case, if it would serve as kind of Trojan horse (although it's quite unfortunate term, because the meaning related to computers is already taken) to increase storage, it's the bigger the better.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.

Who is online

Users browsing this forum: Ahrefs [Bot], Baidu [Spider], Bing [Bot], holvoetn, Kindis, SecCon, Semrush [Bot] and 35 guests