Tailscale Gives You Remote Access to Your LAN from Anywhere

Thanks for looking. I haven’t found an answer, but I’m mainly thinking about a VPN and know next to nothing about networking and VPNs.
So before breaking things, I’m waiting for an answer and watching discussion here before proceeding with ATV. I do have Tailscale installed on my Mini and MBA.

That may depend on the upload speed of your home network. For example, at home I have 700 Mbps download but I used to have only 20 Mbps upload (I’m up to 30 now, and I was just told that the cable company is about to offer equal upload and download speeds, as they’ve been improving the local network.)

So with a VPN all traffic coming to my remote device would be no faster than that.

For remote access while you are traveling with a phone - that may be good enough.

@david0 Thank you for the wealth of information and advice you’ve offered! The company should hire you for outreach!


@tidbits22
Greg, I did a little experiment. On my ATV, the Tailscale client is normally active (connected to my tailnet), serving as an exit node and subnet router on my tailnet. There’s a single AppleID account (mine) registered and in use on the ATV. So I added my wife’s AppleID, under Settings/Users and Accounts, then switched to it. The Tailscale connection was unaffected - it remained connected, still available as an exit node on my tailnet.

A second experiment: with the ATV still set to use my wife’s AppleID, I opened the Tailscale app on the ATV, disconnected it, then reconnected it. No problem. Even though the ATV was set to her AppleID, the TS client logged into my tailnet using my AppleID for authentication.

It appears that the tvOS Tailscale client retains its own authentication settings and uses them to connect regardless of which Apple account is being used by the ATV.


Thank you for doing that. That will make it much more usable. I’ll pursue that.

@fischej
Jeff, If that’s all you use NordVPN for, there’s probably no need for it. As long as your home internet service is reliable (and fast enough for browsing/banking/emailing when you’re on the road), the ATV-as-exit-node should suffice to maintain your privacy when using hotspots and Internet cafes. That’s been my experience with tailnet. However, my home internet service is a speedy 500/500 Mbps over fibre :grinning:. YMMV.

I’ve also encountered the “it appears you’re using a VPN….” error when attempting to use commercial VPNs to transport myself into another country. Some people have success with that use case; others not so much. I’ve never really pursued it.


Thanks, David. I have the same Internet connection as you, so that shouldn’t be a problem.

Slightly off topic, but in an earlier post you mentioned using Tailscale to view footage from your security cameras which were not exposed to the public Internet. May I ask what brand and model of camera you use? I’m thinking about switching from Blink for the added security of only local LAN storage.


Jeff,
I have a variety of cameras. Indoors, I have a couple of Amcrest IPM-721s.
Outdoors, I use both Hikvision and Reolink. The Hikvisions are more of a commercial product - I’ve seen them deployed in various business settings. The Reolink (an RLC-810) is a consumer product. All are hard-wired to my network, and are powered over the Ethernet cable. In my early dabbling with security cameras, I used WiFi, but found wireless connections somewhat problematic, so I migrated to PoE (Power over Ethernet). The wired LAN connections are much more reliable, especially since the cams are continuously streaming video to my DVR.

All but one of the cams are equipped with internal microSD cards for storage. But my primary recording setup is a Synology NAS, using its Surveillance Station application as a DVR. As I mentioned above, I’ve firewalled all the cameras so they can’t ‘phone home’ (which they all attempt to do). The only way I can access them remotely to view the live video streams from the cams (or the recordings from the DVR) is through a VPN connection to my LAN. Hence my use of Tailscale.

This is now way off topic (and apologies to @glennf for hijacking his thread): I encountered one unexpected issue with the firewall rule that blocks the cameras from accessing the internet. They all try to keep their internal clocks accurate by contacting an NTP server out on the internet somewhere, generally every few hours. The firewall rule prevents them from connecting, so the cameras’ timestamps would drift and become pretty useless. My ‘fix’ was to enable a local NTP server on the Synology and point the cameras there to get their time.

Note that it’s not essential to block the cameras from accessing the internet, but I prefer not to let them contact their overseas masters and send them who knows what kind of personal/private information.


I have TS installed on my MBP. If that computer is physically on my LAN (i.e., I’m at home), and TS is in the “Connected” state, does TS detect that I’m actually on the LAN that has the exit point, and not route traffic out and back in again (i.e., effectively disable itself)? Or do I need to remember to disconnect at home, and reconnect when traveling?

Based on some simple tests I did with traceroute, it appears if you’re accessing another device on your LAN, the connection is direct, whether it’s through your tailnet or the local IP address. If you’re trying to reach a site on the public internet, however, it will still go through the exit node. But when you’re at home, that’s only one extra hop, so it’s probably a negligible performance hit.

Jeff,
It won’t route traffic ‘out and back in again’. In this use case, there’s actually no ‘out’ for it to send traffic to. The TS architecture is (in general) a point-to-point topology**. When you’re away from home, the TS client in your MBP magically discovers the TS node in your AppleTV and establishes a point-to-point VPN between the two. The ATV then routes any traffic from the MBP destined for the internet out through the exit node, and any LAN traffic (as defined by the subnet router routes you specified) onto your LAN.

When your MBP returns home, its still-active TS client re-discovers the exit node on the ATV (both of which are now on your LAN). It’s my understanding that the TS client in the MBP still sets up a VPN to the TS app in the ATV, but it’s point-to-point across your LAN. It doesn’t ‘go out’ anywhere. Full disclosure: I’m not 100% sure about this. But based on some quick Speedtests using my WiFi-connected iPhone, I think that’s what it’s doing:

  • Speedtest with TS disconnected: 210/260 Mbps (down/up)
  • Speedtest with TS connected, using my ATV as exit node: 140/160 Mbps

Based on this (admittedly limited) test, I don’t think it’s necessary to disconnect TS when you’re at home, but you will incur a performance penalty. I surmise that the reduction in throughput is due to the VPN encrypt/decrypt and other processing being done by the TS clients in my iPhone and ATV.

** This is not completely accurate. There are some scenarios where TS has to use an intermediate relay server to deal with obscure challenges posed by NAT traversal. Tailscale calls these DERP servers.


Thanks @david0 and @chirano. So I think I’m getting a clearer picture of how this works:

  1. When you set the TS client to the “connected” state, it looks for the exit node’s address via the Tailscale Connection Server (if I’m reading the TS docs correctly).
  2. Once the TS client finds the exit node, it establishes an encrypted peer-to-peer connection with that node.
  3. Any subsequent requests are routed via the exit node, either within your LAN (based on the subnet routing rules you set up), or outside.

Conrad’s testing seems to indicate there is some question about #3, though. Perhaps the TS client does special-case traffic between it and another device on the same LAN, based on the subnet routing rules?

Either way, it seems that I should keep the TS client turned off on my MBP when I’m home. Keeping it active doesn’t appear to add any value (other than I don’t have to remember to turn it on when I travel), and, however negligible, it does add overhead to all connections.

Thanks again guys!
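The question running through the last few posts (is the tunnel to the Apple TV direct or relayed, and does it stay on the LAN when you are at home) can be answered from the node itself rather than from traceroute or speed tests. The script below is an added example written for this thread, not code from Tailscale or from any of the posters. The field names it reads (Self, Peer, HostName, CurAddr, Relay, ExitNode, ExitNodeOption, PrimaryRoutes, Online) are the ones `tailscale status --json` prints; the sample document embedded in it is constructed, with made-up host names and addresses, so it runs offline. Call live_status() instead of using SAMPLE_STATUS to inspect a real node.

```python
"""Inspect how a Tailscale node reaches its peers and its exit node.

Added example for this thread (not Tailscale's code). Field names are those of
`tailscale status --json`; SAMPLE_STATUS is a constructed, trimmed document
with invented hosts and addresses so the script can run without a tailnet.
"""
import ipaddress
import json
import subprocess

# Constructed sample: a laptop at home, the Apple TV acting as exit node and
# subnet router for 192.168.1.0/24, and a second peer that has no direct path.
SAMPLE_STATUS = json.loads(r'''
{
  "Self": {"HostName": "mbp", "TailscaleIPs": ["100.101.1.1"], "Online": true},
  "Peer": {
    "nodekey:aaaa": {
      "HostName": "appletv",
      "TailscaleIPs": ["100.101.1.2"],
      "CurAddr": "192.168.1.20:41641",
      "Relay": "nyc",
      "ExitNode": true,
      "ExitNodeOption": true,
      "PrimaryRoutes": ["192.168.1.0/24"],
      "Online": true
    },
    "nodekey:bbbb": {
      "HostName": "dads-laptop",
      "TailscaleIPs": ["100.101.1.3"],
      "CurAddr": "",
      "Relay": "sfo",
      "ExitNode": false,
      "ExitNodeOption": false,
      "PrimaryRoutes": [],
      "Online": true
    }
  }
}
''')


def classify_path(peer: dict) -> str:
    """Same rule the text output of `tailscale status` applies: a non-empty
    CurAddr means a direct WireGuard path to that endpoint; otherwise packets
    ride the DERP relay region named in Relay."""
    if peer.get("CurAddr"):
        return "direct"
    if peer.get("Relay"):
        return "relay:" + peer["Relay"]
    return "idle"


def summarize_status(status: dict) -> dict:
    """Per-peer view: path type, whether it is the selected exit node, whether
    it merely offers one, and which subnet routes it is serving."""
    peers = {}
    for peer in status.get("Peer", {}).values():
        peers[peer["HostName"]] = {
            "path": classify_path(peer),
            "cur_addr": peer.get("CurAddr", ""),
            "online": bool(peer.get("Online")),
            "exit_node_in_use": bool(peer.get("ExitNode")),
            "offers_exit_node": bool(peer.get("ExitNodeOption")),
            "subnet_routes": list(peer.get("PrimaryRoutes") or []),
        }
    exit_node = next((n for n, p in peers.items() if p["exit_node_in_use"]), None)
    return {"self": status["Self"]["HostName"], "exit_node": exit_node, "peers": peers}


def exit_node_path(summary: dict) -> str:
    """Describe where internet-bound traffic goes: no exit node, a direct path
    (and whether its endpoint is a private/LAN address, i.e. the tunnel never
    leaves the home network), or a DERP relay."""
    name = summary["exit_node"]
    if name is None:
        return "no exit node selected: internet traffic leaves this device directly"
    peer = summary["peers"][name]
    if peer["path"] == "direct":
        host = peer["cur_addr"].rsplit(":", 1)[0].strip("[]")  # strip IPv6 brackets
        where = "on the local network" if ipaddress.ip_address(host).is_private else "across the internet"
        return f"exit node {name}: direct WireGuard path to {peer['cur_addr']} {where}"
    if peer["path"].startswith("relay:"):
        return f"exit node {name}: traffic goes via DERP region {peer['path'][6:]}"
    return f"exit node {name}: no path established yet"


def live_status() -> dict:
    """Read the real document from the local tailscaled (needs the CLI on PATH)."""
    out = subprocess.run(["tailscale", "status", "--json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    s = summarize_status(SAMPLE_STATUS)
    for name, p in s["peers"].items():
        print(f"{name:14} {p['path']:12} exit={p['exit_node_in_use']} routes={p['subnet_routes']}")
    print(exit_node_path(s))
```

If CurAddr for the Apple TV shows a 192.168.x.x (or other private) endpoint while you are at home, the tunnel is point-to-point across the LAN and nothing leaves the house; a peer with an empty CurAddr is the DERP fallback case the footnote above describes. `tailscale ping <host>` gives the same answer interactively, reporting whether the pong came directly or via DERP.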

FWIW there is an option in the Tailscale menu. Click the menubar icon, click Exit Nodes - here you can turn off the advertised exit node, plus there is an option “Allow local network access.”

Jeff,
Should you not remember to turn it on when you travel, you’ll find out pretty quickly as you won’t be able to access any devices back at home :smiley:

Personally, I leave the TS client on my iPhone off except when I consciously want to access something on my home network. However, there are occasions when I’ve forgotten to turn it off, and then continued to use the iPhone in other locations (over cellular data, back at home, etc). I’ve never noticed any negative impact. Then a few days later, I’d notice the little VPN icon up in the iOS menu bar and realize it was still active. I think that’s an indication of how stable/reliable TS is!

Just to clarify, when I wrote “direct,” I meant the two devices on the LAN talk to each other with no intermediary, like David described in more detail. Traffic would only go through the exit node if your computer was trying to access something on the public internet (that’s not part of your tailnet).

So when you did your tests, did both of the nodes on the LAN have TS in the “connected” state? Maybe that’s the difference. In that case, they can both find each other, and therefore have point-to-point VPNs between them. But maybe traffic within the LAN between a TS-active node and a non-TS node is routed via the node set up to be the subnet router (which I’ve been imprecisely referring to as the “exit node,” just because in my case they are the same node). Or to put more simply, traffic destined for a LAN node outside your Tailnet is routed via the designated TS subnet router node.

I don’t think that’s an issue. If the remote computer on your LAN isn’t running Tailscale, you can’t access it using its Tailscale device name (e.g., xxx.tailnetname or just xxx if you’re using Tailscale to resolve names), so you’d have to access it using its name on the LAN (i.e., xxx.local), which would bypass Tailscale completely.

So I tried Tailscale out recently when I was on holiday to connect in to my desktop and read my email that way and it worked really well, let me do everything I normally do.

My Dad is heading off on a holiday and so I set up his own Tailscale for him so he could do the same with his laptop/desktop.

Then I figured it would be handy if I could connect to his Macs then I could screenshare to his desktop to help with any issues he has. My attempt did not go well. I thought that he could invite me to join his network, which he could, but then after doing that I lost all access to my own network! Thankfully, after leaving his network, my network all reappeared. So that was very confusing.

So - if I have a network and he has a network, is there any way I can have one of my Macs join his network? Is that something that can be done, or not?

By default Tailscale only allows connections to one Tailnet at a time. I did some searching; there seem to be ways to do this, though I have not tried myself.

See How to Connect to Two Tailscale Networks (Home and Work) on One Linux Machine | by Peter M | Medium (which discusses Linux, so may not work on macOS) and Multi-Tailnet: Unlocking Access to Multiple Tailscale Networks (which does discuss using Macs.)


Peter,
You might consider combining the two tailnets into one. i.e., add all of your Dad’s devices onto your tailnet, thus creating a single ‘FamilyNet’. Then add him as a User. With this configuration, you’d have access to all of your devices, as well as to all of his devices (whether you’re at home or travelling).

As a User, he’d also have access to everything. But if that’s not desirable, you can use Tailscale’s ACLs (Access Control List) to restrict what he’d be able to access. Defining an ACL rule is a bit arcane, but Tailscale has a bunch of articles on how to do it, and their support team would certainly help if you get stuck.

Tailscale’s free plan supports up to 100 devices (should be more than enough for the two of you), and up to 3 users.

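To make the ‘FamilyNet’ suggestion concrete: the block below is an added example written for this thread, not Tailscale’s code and not a policy from any poster. The policy text is in the tailnet policy file format (JSON; the admin console also accepts comments, which plain json.loads does not), and it expresses the split described above: the tailnet owner reaches everything, every member reaches only their own devices, and the second user may additionally use the exit node for internet traffic but cannot reach the owner’s LAN. The evaluator underneath is a deliberately small model of how src/dst rules match, enough to check the intent of a policy offline before pasting it into the admin console; it is not Tailscale’s enforcement engine, and the users, device names and addresses are hypothetical.

```python
"""Draft a Tailscale ACL policy for a shared family tailnet and sanity-check
it offline. Added example for this thread; the matcher is a simplified model of
Tailscale's rule semantics, not its implementation. All identities below are
hypothetical."""
import ipaddress
import json

# Policy in tailnet policy file format. Rules are allow-only; anything not
# matched by an "accept" rule is denied.
POLICY = json.loads('''
{
  "acls": [
    {"action": "accept", "src": ["me@example.com"],   "dst": ["*:*"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
    {"action": "accept", "src": ["dad@example.com"],  "dst": ["autogroup:internet:*"]}
  ]
}
''')


def device(name, ip, user=None, tags=()):
    """A tailnet node (user-owned or tagged), a LAN host behind the subnet
    router, or an internet host behind the exit node."""
    return {"name": name, "ip": ip, "user": user, "tags": set(tags)}


# Hypothetical inventory. 100.101.x.x are tailnet addresses; the camera sits on
# the home LAN behind the Apple TV's subnet route; the last entry is the public
# internet reached through the exit node.
MY_MBP = device("mbp", "100.101.1.1", user="me@example.com")
ATV = device("appletv", "100.101.1.2", user="me@example.com")
DADS_LAPTOP = device("dads-laptop", "100.101.1.3", user="dad@example.com")
DADS_DESKTOP = device("dads-desktop", "100.101.1.4", user="dad@example.com")
CAMERA = device("camera", "192.168.1.50")
INTERNET = device("internet", "93.184.216.34")


def _match_selector(sel, ep, src=None):
    """Model of one src/dst selector. Supports *, autogroup:member,
    autogroup:self (dst only), autogroup:internet, tag:x, a user login, and an
    IP or CIDR. Groups and hosts aliases are not modelled."""
    if sel == "*":
        return True
    if sel == "autogroup:member":
        return ep["user"] is not None
    if sel == "autogroup:self":
        return src is not None and ep["user"] is not None and ep["user"] == src["user"]
    if sel == "autogroup:internet":
        # Public addresses only: tailnet (100.64/10) and RFC1918 ranges are not "internet".
        return ipaddress.ip_address(ep["ip"]).is_global
    if sel.startswith("tag:"):
        return sel in ep["tags"]
    if "@" in sel:
        return ep["user"] == sel
    return ipaddress.ip_address(ep["ip"]) in ipaddress.ip_network(sel, strict=False)


def _match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def allowed(policy, src, dst, port):
    """True if some accept rule lets src reach dst on port (default deny)."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_match_selector(s, src) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            host, _, ports = d.rpartition(":")
            if _match_selector(host, dst, src) and any(_match_port(p, port) for p in ports.split(",")):
                return True
    return False


if __name__ == "__main__":
    checks = [
        (MY_MBP, DADS_DESKTOP, 5900),   # owner screen-shares to Dad's desktop
        (DADS_LAPTOP, DADS_DESKTOP, 5900),  # Dad reaches his own desktop while travelling
        (DADS_LAPTOP, INTERNET, 443),   # Dad browses through the exit node
        (DADS_LAPTOP, CAMERA, 554),     # Dad cannot see the owner's cameras
        (DADS_LAPTOP, MY_MBP, 22),      # nor the owner's laptop
    ]
    for s, d, p in checks:
        print(f"{s['name']:13} -> {d['name']:13}:{p:<5} {'ALLOW' if allowed(POLICY, s, d, p) else 'deny'}")
```

The owner’s `*:*` rule is what makes the combined tailnet as convenient as two separate ones; the `autogroup:self` rule is what keeps the second user’s access limited to his own machines. Run the script after each policy change and extend the check list with the pairs you care about; it will catch an accidental `*` in a dst long before the admin console does.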