What I said in Silent Lucidity still holds; I’m not really here, which means I’m tinkering with software & systems, but avoiding any online friction. Except that there’s another important story that’s due to publish today. This is turning into a very not-quiet sabbatical.
When I rebooted Infowar Irregulars Bulletin almost a year ago I decided that the gritty “operations technical” details were going to be separated from the “operations psychological” angle that is the focus of articles here. Tool Time contains a mix of videos and writing, typically posted without any notice. It’s not so much a serial as it is a technical tradecraft wiki.
That hasn’t changed, but Tailscale WILL change a lot of my technical recommendations, so much so I feel that it should be introduced here for everyone.
Attention Conservation Notice:
I’ve always known that WireGuard was going to be an important improvement in VPN technology, but I’m amazed by what Tailscale has done. This one is a must-read, so you can start to internalize what it means overall.
A Networking Sea Change:
Last night I told a bunch of people to take a look at Tailscale and this was my response this morning to a moderately technical person who asked “What is this?”
Tailscale is a service that authenticates users through well-known identity providers that support 2FA, such as Gmail and GitHub, and then orchestrates the creation of a WireGuard-encrypted mesh network inside the 100.64.0.0/10 carrier-grade NAT address space. This service will put an end to VPNs as an enterprise network access method; they will remain only as a way of shifting where one's traffic exits. Tailscale is beta testing an integration with Mullvad to do exactly that, and others will follow.
Approved devices can use whatever network they can get, wherever they happen to be; they communicate with each other over encrypted links and ignore everything else. This is a great way to stop intruders from pivoting inside networks, and it's probably going to be a pretty good C&C channel for bad guys too.
When the networks in between don't pass enough traffic for a direct mesh link but do provide NAT, the Tailscale machines behind them communicate through a DERP (Designated Encrypted Relay for Packets) exchange point instead. The client software is open source, so it's auditable, and there is a free, open-source alternative to their coordination server, called Headscale, for the truly paranoid and/or the C&C players who will use it.
Yesterday, if I wanted to access my Ubuntu or Proxmox systems, I had to VPN into something they trusted, or, for my desktop, use a slow, flaky Tor SSH hidden service. Today I can ignore the VPN and Tor: all I do is "tailscale ssh <host>" and I'm in.
The methods are very different, but role-wise this puts something similar to Tor onion services into the hands of anyone who can make themselves a Gmail account and follow simple instructions. It has dramatically raised the bar for network access, and done so in an extremely secure fashion.
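To make the mesh-versus-relay distinction and the 100.64.0.0/10 addressing concrete, here is a small audit script of my own (an added example, not code from the post or from Tailscale). It reads the JSON that "tailscale status --json" prints, reports which peers have a direct WireGuard path and which are falling back to a DERP relay, flags any node whose IPv4 address is outside the carrier-grade NAT range, and emits the one /etc/hosts.allow line that replaces the old static-route-and-firewall ritual for ssh. The field names (Self, Peer, HostName, TailscaleIPs, Online, CurAddr, Relay) follow the CLI's JSON output as I know it and should be treated as an assumption; the embedded status document is constructed sample data.

```python
"""Audit a tailnet from `tailscale status --json` (added example, assumed field names)."""
import ipaddress
import json
import shutil
import subprocess
from dataclasses import dataclass

# Every tailnet node is expected to live in carrier-grade NAT space.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample in the shape of `tailscale status --json` (field names are an assumption).
SAMPLE_STATUS = r'''{
  "Self": {"HostName": "workstation", "TailscaleIPs": ["100.64.0.1"], "Online": true},
  "Peer": {
    "nodekey:aaaa": {"HostName": "proxmox", "TailscaleIPs": ["100.64.0.2"],
                     "Online": true, "CurAddr": "192.0.2.10:41641", "Relay": "nyc"},
    "nodekey:bbbb": {"HostName": "vps-eu", "TailscaleIPs": ["100.64.0.3"],
                     "Online": true, "CurAddr": "", "Relay": "fra"},
    "nodekey:cccc": {"HostName": "phone", "TailscaleIPs": ["100.64.0.4"],
                     "Online": false, "CurAddr": "", "Relay": ""},
    "nodekey:dddd": {"HostName": "oddball", "TailscaleIPs": ["10.0.0.9"],
                     "Online": true, "CurAddr": "", "Relay": "lhr"}
  }
}'''


@dataclass
class PeerPath:
    host: str
    ips: list
    online: bool
    direct: bool   # True when a peer-to-peer WireGuard path exists (CurAddr is set)
    relay: str     # DERP region carrying the traffic when there is no direct path


def load_status(raw: str) -> dict:
    """Parse the JSON text that `tailscale status --json` prints."""
    return json.loads(raw)


def live_status() -> dict:
    """Query the real daemon; only works where the tailscale CLI is installed."""
    if shutil.which("tailscale") is None:
        raise RuntimeError("tailscale CLI not found")
    out = subprocess.run(["tailscale", "status", "--json"],
                         check=True, capture_output=True, text=True).stdout
    return load_status(out)


def classify_peers(status: dict) -> list:
    """One PeerPath per peer, in the order the CLI listed them."""
    peers = []
    for peer in status.get("Peer", {}).values():
        cur = peer.get("CurAddr") or ""
        peers.append(PeerPath(
            host=peer.get("HostName", "?"),
            ips=list(peer.get("TailscaleIPs", [])),
            online=bool(peer.get("Online", False)),
            direct=cur != "",
            relay="" if cur else (peer.get("Relay") or ""),
        ))
    return peers


def relayed_peers(status: dict) -> list:
    """Hostnames of online peers whose traffic is going through a DERP relay."""
    return [p.host for p in classify_peers(status) if p.online and not p.direct]


def addresses_outside_cgnat(status: dict) -> list:
    """(host, ip) pairs whose IPv4 address is not inside 100.64.0.0/10."""
    odd = []
    nodes = [status.get("Self", {})] + list(status.get("Peer", {}).values())
    for node in nodes:
        for ip in node.get("TailscaleIPs", []):
            addr = ipaddress.ip_address(ip)
            if addr.version == 4 and addr not in CGNAT:
                odd.append((node.get("HostName", "?"), ip))
    return odd


def hosts_allow_line(status: dict) -> str:
    """A TCP-wrappers /etc/hosts.allow line admitting only tailnet peers to sshd."""
    ips = []
    for p in classify_peers(status):
        for ip in p.ips:
            addr = ipaddress.ip_address(ip)
            if addr.version == 4 and addr in CGNAT:
                ips.append(addr)
    return "sshd: " + ", ".join(str(a) for a in sorted(ips))


def report(status: dict) -> str:
    """Human-readable summary: path per peer, address anomalies, hosts.allow line."""
    lines = []
    for p in classify_peers(status):
        path = "direct" if p.direct else (f"via DERP {p.relay}" if p.relay else "no path")
        lines.append(f"{p.host:<12} {', '.join(p.ips):<16} "
                     f"{'online' if p.online else 'offline':<8} {path}")
    for host, ip in addresses_outside_cgnat(status):
        lines.append(f"WARNING: {host} advertises {ip}, outside {CGNAT}")
    lines.append(hosts_allow_line(status))
    return "\n".join(lines)


if __name__ == "__main__":
    try:
        st = live_status()
    except (RuntimeError, subprocess.CalledProcessError):
        st = load_status(SAMPLE_STATUS)   # no daemon here: use the constructed sample
    print(report(st))
```

Run it on a real node and the relayed list tells you which peers never managed NAT traversal (worth knowing both for performance and because a DERP relay is an extra hop you are trusting to carry ciphertext); the CGNAT check catches a node advertising an address it should not have, and the hosts.allow line only makes sense alongside a firewall that keeps sshd unreachable from anything but the tailnet interface.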
New Heading(s):
I’ve already put Tailscale to work on all the things. There’s some other stuff happening as well.
There are things I service, things that are shared with others, and, where I have enough influence to do so, we’re going to put Tailscale in and see how it goes. I suspect the ritual of adding a static route, a firewall entry, and an /etc/hosts.allow modification for ssh access is about to give way to a Tailscale-only solution.
There are instructions for using a single lightweight VPS as a front end for self-hosted services. This was the context in which I first saw Tailscale, and I’m going to build this myself, as it will let me use my new MacBook Pro’s AI capabilities in conjunction with my hosted systems.
The Headscale coordination system would put the operator fully in charge of a public internet egress point. An observer can’t monitor the DERP servers to see what talks to what; they’d have to figure out that an innocuous machine is a hub, and then track its doings. I whipped up a couple of small VPSes overseas to have a go at this in a user-selectable fashion.
I am not sure how sturdy this stuff is on Android and iPhone, so I attached my captive wireless network gear to my workstation and I’m going to have a look for myself.
Conclusion:
I’m trying to come up with an analogy in the form of a prior change that was this dramatic, and I can’t. This is the next natural step in the process that brought us location-shifting VPNs, the Tor darknet, and the much more obscure but completely fascinating I2P. Those took a couple of decades to blossom, while Tailscale took only a couple of days for me.
If you have more than one device, particularly if you have a desktop at home and a laptop you use when mobile, you should create an account and give Tailscale a try.