I agree. Protocols and low-level stuff: yes! 3rd party services... not so much.

> Same as with ZeroTier, I propose to NOT implement 3rd party services. Implement functions, protocols etc., but not services. Service implementation will always require more attention from developers and will take their time away from fixing/developing basic stuff.
I agree too...

> I agree. Protocols and low-level stuff: yes! 3rd party services... not so much.
>
> > Same as with ZeroTier, I propose to NOT implement 3rd party services. Implement functions, protocols etc., but not services. Service implementation will always require more attention from developers and will take their time away from fixing/developing basic stuff.
Rodney, you proposed ZeroTier, so I don't think that you're a dummy or need Tailscale........

> Dear Normis,
>
> I propose MikroTik RouterOS adopt the Tailscale VPN https://tailscale.com/ similar to ZeroTier VPN https://www.zerotier.com/ ... as Tailscale is much easier to understand and deploy than the confusing ZeroTier ... for newbie users... A year ago I proposed ZeroTier, and I thank you for taking my advice and getting it rolled out! Now please look seriously into Tailscale, as it is the best so far, easiest to deploy and get working in a flash for dummies like me...
>
> https://tailscale.com/kb/comparisons/
> https://tailscale.com/kb/1139/tailscale-vs-zerotier/
>
> Rodney Yeo
> http://fb.com/rodyeo
I'd go halfway: do implement 3rd party services, but as extra packages sponsored by those 3rd parties. After all, they are commercial services, and support in RouterOS brings them new customers and money, so it would be fair to share some with those who help to earn it. MikroTik could use it to hire and pay new people to work on this, users would be happy to have every service they like, 3rd parties would have new customers, and everyone who doesn't care about any of that wouldn't be affected. Isn't it a brilliant plan?

> Same as with ZeroTier, I propose to NOT implement 3rd party services.
The ZT iPhone app is not difficult to use ..... but Tailscale makes everything much easier from a management perspective when scale is required --- consider the 2 points of demarcation as a starting point, because they are extremely important differentiators.

> Sorry, but how is the ZT iPhone app difficult to use? There is one button, basically. And ZT has excellent documentation too.
I'd prefer 2FA in ROS.

> [...] consider the 2 points of demarcation as a starting point, because they are extremely important differentiators.
>
> > Sorry, but how is the ZT iPhone app difficult to use? There is one button, basically. And ZT has excellent documentation too.
>
> [... *] ZeroTier’s Virtualization Layer 2 (VL2) acts as the configuration manager. New nodes can be added to a ZeroTier network by sharing a computer-generated secret code, which must be entered by the user at connection time.
>
> [... *] using your organization’s SSO identity provider. Tailscale manages key distribution, key rotation, machine certificates, and all configurations for users, which is very useful if any of the devices on the network belong to non-technical users.
>
> https://tailscale.com/kb/1119/sso-saml-oidc/

So in order to get a file from my NAS, I'll depend on not one (Tailscale), but two (+Gmail) external services, while I'd preferably depend on zero. And that's supposed to be great?
Security …….……. I understand what Sob is saying, which is that dependencies on external players are not necessarily a good thing. A direct VPN tunnel (aka WireGuard) may be all that one needs, for example, and no externals are required for that.

> Tailscale also offers full end-to-end data encryption. A device’s private key never leaves the device, so Tailscale cannot decrypt network traffic. New nodes can be added to a Tailscale network by authorizing against your company’s SSO identity provider. The default configuration causes nodes to be expired from the Tailscale network unless they are re-authenticated periodically, which triggers key rotation. Optional device posture checking is also available, preventing devices from joining the network unless they are approved by company policy.
>
> In Tailscale, administrators configure a central RBAC ACL policy so that network traffic can be precisely restricted. Although administrators can express access rules in one central policy, the policy is compiled into a set of packet filters, which are enforced by the individual nodes themselves, giving the security properties expected from a zero trust network.
>
> Tailscale supports multi-factor authentication (MFA) through its identity provider integration.
Nothing is better or worse. Just different. SSO is just a fancy word for a central directory that manages passwords for a set of services, e.g. the "Login with Google" button being an example: you can use your Google login creds at ZeroTier's website – that's SSO. At a big company, they don't want to maintain many passwords for many systems; there's a whole sub-category of software that integrates this login protocol with the authentication database.

> But Sob, the arguments you are making are valid vs ZeroTier as well, which leads me to believe you see limited uses for both, whereas I was looking to parse out why one was better than another.
>
> Also, what is this new term being thrown about (SSO provider)?
I'm just saying my opinion based on a casual reading of their web site, and lessons from watching OpenFlow, which even MikroTik dropped in v7 – but that doesn't mean I'm stupid.

> @Amm0 ….. you state the following: “Why TailScale be pretty odd on MT – not sure Sob wants the cloud pushing firewall rules on his router – neither do I.”
>
> Tailscale does NOT PUSH firewall rules on MikroTik PERIOD ….
>
> It’s very apparent to me that you have ZERO clue how Tailscale works …
>
> Learn …. https://tailscale.com/kb/faq/
In the ZeroTier protocol doc and the ZT designer's blog with the original goals for ZT, quite the contrast from an SSO-based approach. And with v7, WireGuard has been there since the early betas, which is what Tailscale repackages – so the bells and whistles of Tailscale are what doesn't fit, IMO.

> The bottom line
>
> ZeroTier and Tailscale both offer peer-to-peer mesh VPN technologies. They use different protocols to offer a functionally similar service. ZeroTier’s protocol is custom, while Tailscale uses the industry-standard WireGuard protocol for its data plane. Both products offer NAT traversal, encrypted peer-to-peer connections, and administration dashboards.
>
> ZeroTier and Tailscale are both outstanding alternatives to the traditional VPN, and both have great potential use in modern corporate environments.
>
> Last updated Dec 23, 2021
> Tailscale does NOT PUSH firewall rules on MikroTik PERIOD ….

But it would, if RouterOS itself were a client, wouldn't it? From their description of ACLs:

> The access rules you define for your network get distributed to all the devices in your network, and enforcement of the rules happens on each device directly, without further involvement from Tailscale’s servers.

Which makes sense, because if there's direct communication between clients, only the target client can do any filtering. I assume they don't reinvent the wheel and simply use the client's firewall. It's perfectly ok: if you trust their server with keys and configuring links between clients, you can trust them with the firewall too. And I'm not suggesting that I wouldn't trust their server, just that ideally I shouldn't need their server at all. I admit, I may be a bit anti-cloud, or perhaps cloudphobic, I'm not sure.
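As an added illustration that is not part of the thread and not Tailscale's code or documentation: a small Python model of what the two quoted passages above describe (the central RBAC policy "compiled into a set of packet filters, which are enforced by the individual nodes themselves", and "enforcement of the rules happens on each device directly"). The node inventory, group, tag and rule names are constructed sample data in the shape of a Tailscale policy file; real Tailscale also handles CIDRs, autogroups, protocols and more, which this model omits.

```python
"""Added example (not Tailscale's code, not from the thread): compile a central
ACL policy into per-node packet filters that each destination enforces itself."""
from typing import Dict, List, Set, Tuple

# Constructed sample inventory: tailnet node -> address, owning user, tags.
NODES: Dict[str, dict] = {
    "laptop-alice": {"ip": "100.64.0.1", "user": "alice@example.com", "tags": set()},
    "laptop-bob":   {"ip": "100.64.0.2", "user": "bob@example.com", "tags": set()},
    "router-home":  {"ip": "100.64.0.3", "user": "", "tags": {"tag:router"}},
    "nas":          {"ip": "100.64.0.4", "user": "", "tags": {"tag:nas"}},
}

# Constructed sample policy in the shape of a Tailscale policy file (groups + acls).
POLICY = {
    "groups": {"group:admins": ["alice@example.com"]},
    "acls": [
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
        {"action": "accept", "src": ["bob@example.com"],
         "dst": ["tag:nas:445", "tag:nas:5000-5001"]},
    ],
}

Rule = Tuple[str, int, int]  # (source IP, first port, last port), inclusive


def expand(selector: str, policy: dict, nodes: Dict[str, dict]) -> Set[str]:
    """Resolve a src/dst selector (user, group, tag, '*' or literal IP) to node IPs."""
    if selector == "*":
        return {n["ip"] for n in nodes.values()}
    if selector.startswith("group:"):
        members = set(policy["groups"].get(selector, []))
        return {n["ip"] for n in nodes.values() if n["user"] in members}
    if selector.startswith("tag:"):
        return {n["ip"] for n in nodes.values() if selector in n["tags"]}
    if "@" in selector:
        return {n["ip"] for n in nodes.values() if n["user"] == selector}
    return {selector}  # literal IP; CIDR and autogroup handling omitted in this model


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'*' -> all ports, '445' -> one port, '5000-5001' -> a range; comma lists allowed."""
    ranges: List[Tuple[int, int]] = []
    for part in spec.split(","):
        if part == "*":
            ranges.append((1, 65535))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def compile_filters(policy: dict, nodes: Dict[str, dict]) -> Dict[str, List[Rule]]:
    """Turn the central policy into one filter list per node.

    Each node receives exactly the rules in which it is a destination: that is
    what the coordination server would hand to it, and all it ever enforces."""
    ip_to_node = {n["ip"]: name for name, n in nodes.items()}
    filters: Dict[str, List[Rule]] = {name: [] for name in nodes}
    for acl in policy["acls"]:
        if acl["action"] != "accept":  # the policy is an allow-list; anything else is dropped
            continue
        sources = set().union(*(expand(s, policy, nodes) for s in acl["src"]))
        for dst in acl["dst"]:
            selector, _, ports = dst.rpartition(":")  # "tag:nas:445" -> "tag:nas", "445"
            for ip in expand(selector, policy, nodes):
                node = ip_to_node.get(ip)
                if node is None:
                    continue  # destination is not a tailnet node, nothing to install
                for lo, hi in parse_ports(ports):
                    filters[node].extend((src, lo, hi) for src in sorted(sources))
    return filters


def allowed(filters: Dict[str, List[Rule]], node: str, src_ip: str, dport: int) -> bool:
    """Destination-side check: does `node`'s own filter accept this packet?"""
    return any(src == src_ip and lo <= dport <= hi for src, lo, hi in filters[node])


if __name__ == "__main__":
    f = compile_filters(POLICY, NODES)
    for name, rules in f.items():
        print(name, rules)
    print("bob -> nas:445", allowed(f, "nas", "100.64.0.2", 445))  # True
    print("bob -> nas:22 ", allowed(f, "nas", "100.64.0.2", 22))   # False
    print("rules held by laptop-bob:", f["laptop-bob"])            # only alice's admin rule
```

What the model makes explicit is the property both quotes rely on: a node only ever holds the rules for which it is the destination, so laptop-bob's filter contains nothing about the NAS, and tampering with its own local filter cannot widen what the NAS accepts; only the NAS's filter, derived from the central policy, decides. It also shows the dependency Sob points at, since that per-node filter is exactly what the coordination server distributes.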
You are still in control if the Tik becomes a client ..... however IMO, and as I stated earlier in #22.....

> But it would, if RouterOS itself were a client, wouldn't it? From their description of ACLs:

After further analysis I've decided Tailscale does not need to be integrated into RouterOS, because YOU do not need it unless you have a VERY special purpose -- what is that special purpose?

> Subnet routers respect features like access control policies, which make it easy to migrate a large network to Tailscale without installing the app on every device

A Tailscale document that provides outstanding information:

How Tailscale works

If you have the patience to read this document .... an excellent learning experience.

> NOTE: Using Tailscale for an open source or friends & family project? The Community on GitHub plan can get you up to 25 users, 5 devices per user, and 2 admins for free.
We have heard that about most VPN technologies by now. It seems there is always one more VPN that MikroTik REALLY has to integrate.

> I think Tailscale support should be added to integrate with existing TS networks.
>
> TS is gaining significant momentum as the good alternative to VPN, and one very, very useful use case is VPN to cloud VPCs.
There is an active Tik user [cannot remember his name] that is building a Tailscale container for Tik devices ... however that is strictly limited to ARM-based Tiks, so currently very limited in scope. As I have stated before, ZeroTier is IMO a waste of time and a very poor performer, plus, as you stated, not all MT devices can run it.. ABSOLUTELY, there is no question that Tailscale is a very good WireGuard management system.

> My point is that they adopted ZeroTier, but it has limited applicability; not all MT devices can run it.
>
> If Tailscale can run on more devices, then it should be adopted if they are relatively equal otherwise.
>
> Let the user decide which package they want to load!
I installed it as per the guide, the image is already running, but the Tailscale management website doesn't show the node. Please share how you configured your Tailscale container. Thank you!

> I don't know if you've seen this, but I just tested it on my RB5009 and it works great!
>
> https://github.com/Fluent-networks/tailscale-mikrotik/
>
> I advise doing b on point 6. Make sure to edit build.sh and change the platform to the correct one (linux/arm64 for RB5009) and the Tailscale version to the latest.