Glenn,
It helps to know the local IPs of all the devices on the LAN, but I’ve found that’s really not an issue.
I have a security cam app on my iPhone which is configured with the name and LAN IP of all my cameras (192.168.20.x). They appear in a list on the app. So after using the TS client on my iPhone to connect to my TailNet (the TS client is a widget right on the lock screen), I just launch the cam app and tap the camera(s) I want to look at. There’s no need for me to remember any of the camera IP addresses.
Ditto for the Synology surveillance app on my phone. It’s already configured with the LAN IP, port number, and login credentials for the Synology. A single tap connects to the NAS, logs in, and lets me browse any security footage the cams have captured. Similarly, I can connect to Synology as a file server and access any/all of the files on it.
Ditto for my Indigo home automation server. When I’m away from home, a single tap on the Indigo app on iPhone (or on iPad) connects through the ATV and lets me do home automation things. No need for me to remember the IP of the Mac mini that is running the Indigo server.
This is all possible due to Tailscale’s nifty subnet routing feature. The Tailscale client in my ATV is configured to know about all my subnets (192.168.1.0, 192.168.2.0, 192.168.20.0). Thus any of my devices with the TS client (iPhone, iPad, MacBook) can access any of the many devices on my various subnets.
Just to be clear - this isn’t limited to the tvOS client on the Apple TV. Any TS client running on any device can be configured as a subnet router. I’ve also deployed the Linux variant of TS on a Raspberry Pi and it can provide the same access to any device on the LAN to which it’s connected.
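The subnet-router setup described in the post above, for the Linux/Raspberry Pi case, as an added example that is not part of anyone's post: it checks that each subnet is a private network address before building the `--advertise-routes` argument. The /24 prefix length and the function names are assumptions; the post gives only 192.168.1.0, 192.168.2.0 and 192.168.20.0.

```shell
#!/bin/sh
# Added example (not from the thread): build the `tailscale up` command that
# makes a Linux host such as a Raspberry Pi a subnet router for the LAN.
# Assumption: every subnet is a /24; the post lists only network addresses.
#
# Before running the printed command, Linux needs IP forwarding enabled:
#   echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
#   sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
# Advertised routes then still have to be approved in the Tailscale admin console.

# Succeeds only for an RFC 1918 (private) IPv4 address whose last octet is 0.
is_private_net24() {
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f     # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$4" -eq 0 ] || return 1
    case $1 in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *)   return 1 ;;
    esac
}

# Prints the command for the given subnets; refuses anything that is not a
# private network address, so a typo cannot advertise a public range or a host.
advertise_routes_cmd() {
    routes=""
    for net in "$@"; do
        if ! is_private_net24 "$net"; then
            echo "rejecting $net: not a private /24 network address" >&2
            return 1
        fi
        routes="${routes:+$routes,}$net/24"
    done
    [ -n "$routes" ] || return 1
    echo "tailscale up --advertise-routes=$routes"
}

# Subnets as listed in the post.
advertise_routes_cmd 192.168.1.0 192.168.2.0 192.168.20.0
```

Advertising only the subnets that remote devices actually need keeps the rest of the LAN unreachable through the tailnet.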
Could Tailnet enable me to view videos stored by my eufy video doorbell’s base station when my iPhone isn’t at home? The eufy doesn’t use cloud storage.
I think the challenge would be getting the “Homebase” base station on the Tailnet network. One way, maybe, would be to share a local WiFi network from my iMac and connect the eufy to it. But then the iPhone would only be able to access the eufy if the Tailnet VPN was on.
Michael,
That’s exactly how I use Tailscale. I have a half-dozen security cams, and I don’t let them record to the cloud. They have internal SD cards to capture video. When I’m out and about, I activate the TS client on my iPhone, and then launch the camera viewing apps to access the cams, just as I would if I were at home.
I’m not familiar with Eufy, but I presume that their HomeBase hub is connected to your LAN with wired ethernet. If so, it’s pretty easy to arrange to get access to the hub over Tailscale. What you need is a Tailscale client on your LAN to be part of your Tailnet. I use an AppleTV, with the TS app installed. The ATV just sits on my LAN, happily running the TS app 7x24. Even when it’s sleeping, it will respond to remote requests from your iPhone when you’re away from home, activate the VPN, and let you connect through the VPN to any device on your LAN (such as the HomeBase). In order to let the ATV serve as a TS ‘gateway’, you enable the Subnet Router feature so that TS clients (such as your iPhone) can access any LAN devices.
I’ve also had success configuring a Raspberry Pi as a Tailscale endpoint. Ditto with an old Mac mini that’s running High Sierra. So if you have an old Mac sitting around gathering dust, you could deploy it as part of your tailnet. Stick it in a corner somewhere, connect it to your LAN, and it can be the TS gateway to your Eufy HomeBase.
Great article as always. There is at least one more use case for the AppleTV app. If you set it up as an Exit node and use another device outside the AppleTV network to access the AppleTV as an exit node, you then have essentially made the AppleTV’s network a VPN endpoint to access the internet.
As you probably know, this has some great benefits. Here’s one. I was out of my local area on vacation recently and wanted to watch a basketball game on Xfinity’s streaming app. The place we were staying had an internet plan not tied to a cable provider. Their TV access was internet based and was pretty limited. The game was not available through their Internet TV access. We could not use our Xfinity streaming app to watch the game since we weren’t on an Xfinity network due to some licensing restrictions for the broadcast. If I had had Tailscale hooked up through my AppleTV as an exit node, I could have streamed the game without any trouble. I tried streaming today using the Xfinity Stream app from my phone over cellular internet (5G) connected to my exit-node at home and it streamed well without any stuttering. I have been blown away with how performant the exit-node connection is - as good or better than my current VPN provider, probably due to my fast connection at home and the peer to peer nature of the connection.
Tailscale is pretty darn amazing. Thanks for the article.
Many thanks for this interesting article. I started to explore and downloaded Tailscale from the App Store to my Mac. I was put off, however, when starting it, that it requested my setting up an account. After entering my email address, a window opens asking me to select my Microsoft account:
MS is not able to sniff your VLAN.
Tailscale doesn’t require that you set up an account, at least not in the normal sense. They use well-known SSO providers to provide authentication (Google, Apple, GitHub, and even Microsoft). So there’s no need to create yet another userid and password for Tailscale; you just use an existing userid. If you already have an Apple Account (formerly known as an AppleID), just click the Sign up with Apple button on their set-up page. TS will then use Apple’s auth server to verify you’re you, and then sign you in. Or if you have a Gmail account, hit the Sign up with Google button. If you have a Microsoft account, you could use that. Whichever you choose, whenever you log in to TS, you’ll then be prompted to enter those credentials. I use my Apple account for Tailscale. When I log in, my Mac asks me to use the touchID feature to confirm I’m me. That makes access to my Tailscale account quite easy (and secure).
Thanks @david0! I was confused by the sign-in window, which seems to indicate login either with an individual account or with an existing account, e.g. Apple:
After entering my email, then the Microsoft-Window appeared (why?)
Following your recommendation, I now signed up with my Apple account, and that worked smoothly. I am now looking forward to exploring its usage.
Cheers and thanks again
Thanks so much for posting this. I did not know about the tvOS client, but, as you describe, it adds a lot of great features and possibilities. As I have an Apple TV 4K in my two distinct networks, and setting up subnet routing is easy, I’m looking forward to what I can do with this.
Doug,
Since you have ATVs at two locations, here’s a tip on what you can do with them. Let’s say you’re at location 1, using ATV-Home to watch streaming content. But you’d like to appear to be at location 2 where the other ATV is located. You first configure ATV-Remote to act as a possible exit node for your tailnet. Then when desired, you choose ATV-Remote to be the exit node for ATV-Home (you do that with the TS app on ATV-Home). ATV-Home will then use the distant ATV as the gateway out to the internet. Presto, ATV-Home thinks it’s in the other location.
Once you’re finished doing whatever you were doing, you change the exit node setting on ATV-Home back to ‘none’. It will then revert to using your home internet connection. This sleight of hand can be useful, especially if the two ATVs are located in different geographies.
Markus,
I can’t explain the presence of the Microsoft Window that you encountered. When I signed up for TS several months ago, I registered with the Sign up with Apple button. Since then, I’ve only ever logged in using Sign in with Apple button. I’ve noticed the Enter your email field, but have ignored it. I find the Sign in with Apple option is simple and elegant - it works with all my Apple devices (Mac, iPad, iPhone) and only requires a single operation to authenticate with either TouchID or FaceID. Out of curiosity today, I entered my email address into the Enter email field to see what would happen. Like magic, the Apple authentication screen appeared, and I then used TouchID on my MacBook to log in. It’s all very slick, with no need to create and maintain yet another userid and password combo to use with Tailscale.
If you have a Mac that is always on, you can use the Tailscale Open Source Variant which will run at boot without requiring a user login. Note there’s no GUI for this, but the CLI is very easy to use and as well designed as the rest of Tailscale. For me, the easiest way to install and keep it updated is to use Homebrew. I guess this provides a similar experience to how @david0 uses the Tailscale tvOS app but can be used if you don’t have an Apple TV. (I’ve used it with a small organisation with a Mac mini running in a server room.)
I do this on my two Mac minis after realizing that changing user accounts while screen sharing meant losing the Tailscale connection.
For me, the easiest way to install and keep it updated is to use Homebrew.
Oh, I didn’t even think of using Homebrew. I just followed the directions Tailscale provide. Homebrew will be a better way, though. So I’m going to look into that now.
On setting up AppleTV I’m wondering if I set it up in my name does the AppleTV have to stay signed into my account to keep working? The AppleTV is usually set to our joint account (see below), but sometimes it gets changed to another account.
This comes up because between my wife and I we have three accounts, mine, hers and a joint account. I set up the joint account at least a decade ago to share music and some apps. The joint account is probably not needed now, but I’m reluctant to change it for fear of losing music or who knows what issue will pop up.
PS. Amazing discussion software. Can see finished post and search puts in markers in the scroll bar which show up even while writing this.
Greg,
That is a really good question. I don’t know the answer, but it got me curious. My wife and I both have AppleIDs - I’ll do a little experiment with my ATV to see what happens if I switch the AppleID used by tvOS.
You may have already found the answer on your own. If TS is sensitive to which AppleID is used for the ATV to sign in with, one workaround might be to create another account specifically to use with Tailscale. Perhaps a Google account — TS can use Google for authentication. If you happen to have a Gmail account (or a MS/Outlook/Live account), you could use one of them for TS.
Wow. Mind blown. I didn’t even know such products existed. To be fair, I’m not exactly a networking savant.
I have installed Tailscale on my MBP and my ATV, and set up the ATV as an exit node and a subnet router. I have proved everything working by connecting my MBP to my iPhone hotspot; web browsing and even screen sharing to another Mac on my LAN (once I got its IP address) worked flawlessly.
So my remaining question is: Do I still need my third-party VPN subscription (I use NordVPN)? I’ve only ever used it to secure a WiFi connection outside my local network. I never found the “pretend you’re in country x” feature to do anything worthwhile. The resource I was attempting to access seemed to always say “It appears you’re using a VPN…”. If I can use Tailscale to join my LAN from anywhere, and effectively do my browsing from there, it doesn’t seem subscribing to a third-party VPN service does anything for me.