Something that bugs me about ZeroTier is also present here, which is that there's no name management whatsoever, so I have to either keep a hosts file around with all the names of the network or find a script on GitHub that does it for me (or put a DNS server on the Tailscale network, and make sure all the hosts have records on there manually since there isn't a way to automatically integrate it with the hostnames that Tailscale already logs). Or, of course, use public records and pray you don't have more than a couple services because who wants to log in to the domain host every time you bring up a new container?
Half the magic of BeyondCorp (which I'm a big believer in) is that it's invisible from an end user perspective. I open a browser, go to git.corp.planeteaston.com, and it works, not "let's go to gitlab... it didn't resolve. what was the IP address again? 192.168.10-oh, wait, I'm offsite, the address is different, let's go see what it is in the Tailscale console", and a tech person could figure that out, maybe, never mind a computer-illiterate person in another department that was just told "go home, coronavirus, take your laptop".
This isn't a knock, since the main competitor, ZeroTier, doesn't have a great solution for DNS either besides running a DNS server, but whoever cracks it will probably win this race. And it's almost worse for ZeroTier, which by default (at least when I started using it 2-ish years ago) wanted you to use IPv6 addresses that there was no chance of you memorizing. I'll be a customer when this works!
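The hosts-file workaround this comment describes, as an added example that is not from the thread or from either project: it reads a `tailscale status --json`-style node list and maintains an idempotent generated block in a hosts(5) file. The JSON field names (`Self`, `Peer`, `HostName`, `TailscaleIPs`), the `ts.internal` suffix and the sample status are assumptions constructed for the example.

```python
import json

# Constructed sample in the shape of `tailscale status --json` output
# (assumed field names; only the fields this script reads are present).
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        "nodekey:aaa": {"HostName": "gitlab",
                        "TailscaleIPs": ["100.64.0.2", "fd7a::2"]},
        "nodekey:bbb": {"HostName": "Build Box", "TailscaleIPs": ["100.64.0.3"]},
        "nodekey:ccc": {"HostName": "offline", "TailscaleIPs": []},
    },
})

BEGIN = "# BEGIN tailscale-hosts (generated)"
END = "# END tailscale-hosts"


def sanitize(name):
    """Turn an arbitrary node name into a hosts(5)-safe lowercase label."""
    label = "".join(c if c.isalnum() or c == "-" else "-" for c in name.lower())
    return label.strip("-")


def hosts_entries(status_json, suffix="ts.internal"):
    """One 'ip<TAB>fqdn shortname' line per overlay address; skip nodes
    with no address or no usable name (e.g. offline or unnamed)."""
    status = json.loads(status_json)
    nodes = [status.get("Self", {})] + list(status.get("Peer", {}).values())
    lines = set()
    for node in nodes:
        name = sanitize(node.get("HostName", ""))
        for ip in node.get("TailscaleIPs") or []:
            if name:
                lines.add(f"{ip}\t{name}.{suffix} {name}")
    return sorted(lines)


def merge_hosts(existing, entries):
    """Replace a previously generated block (or append one) so that
    re-running on every membership change never duplicates lines."""
    kept, skipping = [], False
    for line in existing.splitlines():
        if line == BEGIN:
            skipping = True
        elif line == END:
            skipping = False
        elif not skipping:
            kept.append(line)
    return "\n".join(kept + [BEGIN, *entries, END]) + "\n"
```

Run it from a periodic task that pipes the real status output into `hosts_entries` and writes `merge_hosts(open("/etc/hosts").read(), entries)` back; every node then resolves both as `name` and `name.ts.internal` without a DNS server.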
ZeroTier has punted on this problem for ages because it's extremely hairy with a very long tail of edge cases and a lot of weird configurations in enterprises that we do not want to break. We really hate breaking stuff on user machines, and we also want to avoid pulling a Zoom and being more invasive on install than users expect. Then you have captive portal logins, people running stuff like Cloudflare's local DNS daemon or local dnsmasq, and more. It's the shaggiest yak ever so we have to make sure we have a really heavy duty shaver ready.
We are working on it as soon as we ship 2.0, which is a huge undertaking that's taking longer than we hoped. 2.0 has a ton of important improvements including but not limited to professionally audited design and code (not revealing the security firm yet but they are extremely well known). Just finished our first round with them. (Bonus: our existing design is not bad and it won't take much to harden it a lot more.)
(Tailscale co-founder) Everyone at tailscale agrees 100% with all your comments here. We're eager to someday have a chance to stop optimizing NAT traversal so that we can make magic DNS work. But we also know we have to get the core routing near-perfect before we start adding more features. I'm guessing ZeroTier feels the same.
> But we also know we have to get the core routing near-perfect
As someone who's been following tailscale's development, I'm curious as to what you mean by core routing? Isn't routing P2P? Or do you mean routing via DERP tunnels or TURN relays when P2P is a no-go? If so, what really are some key challenges here?
Not saying you're wrong - and I'm just a (happy) hobby user of ZeroTier. But for my use case, mDNS/Bonjour works fine (ZeroTier "vouches" for servers/nodes - if you're able to broadcast your name, you're "inside" - and marginally trusted).
I suppose ms windows servers are still lagging on mDNS, though?
Indeed, my only problem with ZeroTier is that I cannot set up custom DNS routing on it. Currently I use nextdns.io on my phone to rewrite `www.mycompany.test` to the WiFi address of my laptop (I use https in local dev). I want to do this over mobile too, which would work with ZeroTier, except for the fact that I can't run two VPNs at once (nextdns + zerotier) on the phone.