Tailscale Gives You Remote Access to Your LAN from Anywhere

It turns out that Tailscale was not necessary at all. The eufy video doorbell doesn’t have cloud storage, but it does have Internet access. In fact, it only has Internet access – what I didn’t realize is that even when I’m at home, using the iPhone app to access the doorbell is actually going iPhone > Internet > back to my network > eufy base station > doorbell.

Which means, there is no difference in accessing the doorbell while at home or away. And it also supports access from an Internet web portal; but you need to generate a temporary PIN and enable the access for a defined time period, such as an hour.

I just moved the eufy base station to a guest Wi-Fi network that only has Internet access.


Michael,
A wise move to put it on the guest network!

You’re probably aware of the security and privacy issues with an internet-accessible camera. Internet scanners such as Shodan will eventually find your Eufy (perhaps already have…) and register it in their database. Hackers may then stop by your public IP and try to compromise the camera. I’ve recently been looking through the logs on one of my routers and am amazed by the number of port scanners trying to break in - hour after hour, day after day.

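As an added illustration, not from the poster's router: the log review described above, reduced to a small detector run over constructed netfilter-style DROP lines. It flags any source that probes several distinct ports within a short window, which is what an opportunistic scanner or a Shodan-style crawler looks like in a home router log, and it ignores single-port retries. The log format, the addresses (documentation ranges only) and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in netfilter/iptables "DROP" syslog format (an assumption; the
# poster's router and its log format are not shown). Documentation-range addresses,
# not real traffic.
SAMPLE_LOG = """\
Jan 10 02:14:01 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22
Jan 10 02:14:02 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=23
Jan 10 02:14:02 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=80
Jan 10 02:14:03 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=443
Jan 10 02:14:03 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=8080
Jan 10 02:14:09 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=554
Jan 10 02:20:11 router kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP DPT=443
Jan 10 03:05:40 router kernel: DROP IN=eth0 SRC=192.0.2.250 DST=198.51.100.2 PROTO=UDP DPT=5060
Jan 10 03:05:41 router kernel: DROP IN=eth0 SRC=192.0.2.250 DST=198.51.100.2 PROTO=UDP DPT=5060
Jan 10 03:05:42 router kernel: DROP IN=eth0 SRC=192.0.2.250 DST=198.51.100.2 PROTO=TCP DPT=5060
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\S+) .*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source, proto, dport) for a dropped-packet line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; strptime defaults it, which is fine
    # for computing gaps between events.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


def find_scanners(lines, min_ports=5, window=timedelta(seconds=60)):
    """Flag sources that hit >= min_ports distinct (proto, port) pairs within `window`.

    A host retrying one closed port is noise; a host walking many ports in a
    minute is enumerating you. Returns {source: summary} for flagged sources.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, proto, dport = ev
            by_src[src].append((ts, proto, dport))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so every later event is >= the window start
        best = set()
        for i, (start, _, _) in enumerate(events):
            seen = {(p, d) for t, p, d in events[i:] if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_ports:
            flagged[src] = {
                "distinct_ports": len(best),
                "ports": sorted(d for _, d in best),
                "first_seen": events[0][0].strftime("%b %d %H:%M:%S"),
                "last_seen": events[-1][0].strftime("%b %d %H:%M:%S"),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['distinct_ports']} ports {info['ports']} "
              f"between {info['first_seen']} and {info['last_seen']}")
```

Feed it `grep DROP /var/log/messages` (or whatever your router exports) instead of the embedded sample; raise `min_ports` if a legitimate service on your WAN side causes repeated multi-port hits. Note that it only sees packets the firewall dropped, so a port that is actually open to the camera would not appear here at all.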

The irony is I only put it on the guest network because the eufy app won’t permit me to switch it to a Wi-Fi network that has a space in the password! So I set up the guest network – which wasn’t enabled before – to have a passwordwithnospacesinit.

Isolating the IoT device to the guest network doesn’t prevent it from being hacked. It only prevents a hacked camera from being leveraged to attack the local network. Because, the guest network does have Internet access, which is required for the eufy device to be accessed and controlled.

We don’t know how the eufy device is doing its security. I don’t think it is actually open to the public Internet unless I turn on the web portal access*. I think it is probably making an outgoing connection to some eufy server, and then using that connection for the control traffic. There’s also some degree of protection by the effect of the NAT in my router – the eufy device doesn’t use IPv6.

* and even then the web portal could still be using an outgoing connection from the eufy base station to the eufy server. My point is, I doubt the eufy is listening on a fixed port.

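Whether the base station listens on a port or only makes outbound connections can be read off the router's connection table rather than guessed. As an added example, not the poster's setup: this parses constructed `conntrack -L` style entries as a Linux/netfilter router would print them and separates flows the device opened itself from flows that arrived from outside and were DNATed to it. The device address, the guest subnet, the "server" addresses and the entries themselves are assumptions; the last entry shows what a port forward toward the device (for instance one opened via UPnP) would look like if one existed.

```python
import ipaddress
import re

# Assumed guest-VLAN address of the base station and its subnet (not from the thread).
DEVICE_IP = "192.168.50.20"
GUEST_LAN = "192.168.50.0/24"

# Constructed `conntrack -L` style lines for a Linux/netfilter router (an assumption;
# the poster's router is not identified). The first src/dst/sport/dport group is the
# direction the flow was opened in; the second is the reply direction after NAT.
# 203.0.113.5 plays the router's public address; 192.0.2.x play remote servers.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.50.20 dst=192.0.2.10 sport=40213 dport=443 src=192.0.2.10 dst=203.0.113.5 sport=443 dport=40213 [ASSURED] mark=0 use=1
udp      17 170 src=192.168.50.20 dst=192.0.2.11 sport=32100 dport=32100 src=192.0.2.11 dst=203.0.113.5 sport=32100 dport=32100 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.50.20 dst=192.168.50.1 sport=51234 dport=53 src=192.168.50.1 dst=192.168.50.20 sport=53 dport=51234 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.30 dst=192.0.2.99 sport=50001 dport=443 src=192.0.2.99 dst=203.0.113.5 sport=443 dport=50001 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=198.51.100.9 dst=203.0.113.5 sport=55000 dport=8080 src=192.168.50.20 dst=198.51.100.9 sport=8080 dport=55000 [UNREPLIED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Split one conntrack line into (proto, original tuple, reply tuple)."""
    pairs = TUPLE_RE.findall(line)
    if len(pairs) < 8:
        return None
    proto = line.split()[0]
    return proto, dict(pairs[:4]), dict(pairs[4:8])


def classify_flows(lines, device_ip):
    """Sort the device's flows by who opened them.

    outbound: (proto, destination, dport) for flows the device initiated.
    inbound:  (proto, local port, remote source) for flows initiated elsewhere
              whose reply direction comes from the device, i.e. a port the
              router is forwarding to it. An empty set here means nothing on
              the WAN side is reaching a listener on the device.
    """
    flows = {"outbound": set(), "inbound": set()}
    for line in lines:
        parsed = parse_entry(line)
        if not parsed:
            continue
        proto, orig, reply = parsed
        if orig["src"] == device_ip:
            flows["outbound"].add((proto, orig["dst"], int(orig["dport"])))
        elif reply["src"] == device_ip:
            flows["inbound"].add((proto, int(reply["sport"]), orig["src"]))
    return flows


def listening_ports(flows):
    """Distinct (proto, port) pairs being forwarded to the device."""
    return sorted({(proto, port) for proto, port, _ in flows["inbound"]})


def off_lan_destinations(flows, lan_cidr):
    """Hosts outside the device's own subnet that it phoned out to (the 'eufy servers')."""
    lan = ipaddress.ip_network(lan_cidr)
    return sorted(
        (dst, proto, port)
        for proto, dst, port in flows["outbound"]
        if ipaddress.ip_address(dst) not in lan
    )


if __name__ == "__main__":
    flows = classify_flows(SAMPLE_CONNTRACK.splitlines(), DEVICE_IP)
    print("outbound to:", off_lan_destinations(flows, GUEST_LAN))
    print("forwarded to device:", listening_ports(flows))
```

Run it against `conntrack -L` output taken while the app is in use, from inside and from outside the house; if `listening_ports` stays empty and every entry is outbound to the same few server addresses, the device is working the way the post suspects. This only describes what the connection table shows at that moment, and says nothing about how well those outbound sessions are authenticated or encrypted.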

I don’t know if it is doing any security at all.

Two years ago, Anker/Eufy claimed they fixed their complete lack of security, but after all their lying and then (after having been caught) pretending it’s no big deal, I don’t believe anything they say today.

I have now-discontinued EufyCam 2 Pro with the Homebase 2, because they supported (and are only configured for) HomeKit Secure Video. At one point they sent me an upgrade offer, and after I bought it I figured out that they’d dropped support for HSV, so I canceled the order. I have a certain level of trust (possibly misplaced) in the Apple ecosystem, and virtually none for the other ecosystems.
I’m using a Firewalla router, and I’ve blocked the Homebase from accessing the internet. I can still watch video via the Home app, and the Eufy app if I’m on my network (and I’ve got the Firewalla configured to offer a wireguard VPN, with “always on” VPN on my devices when I’m not on one of my home SSIDs). Given that these devices are discontinued, they’re not providing firmware updates. And so blocking it from the internet doesn’t seem to be causing any problems. At some point I’ll probably lock it down further so that the Homebase can only talk to the Apple home hubs.


It was one of the earliest in this space. To this day, it’s unique in being a Layer 2 VPN, which matters if you want to use protocols that rely on multicast or broadcast traffic.

I love the fact that these tools are taking up traction. Zerotier, Tailscale, Nebula, even Cloudflare Tunnel all make the case for end-to-end connectivity across the Internet for your devices. But I hate the fact that it is these tools, instead of IPv6, which is providing connectivity to private little islands, instead of the glorious Internet as a whole. Really, in a sense, they make the case for what the Internet should be, but isn’t, because of the short-termism and inertia that kept IPv4 and NAT and the crappy, corporatised, legacy VPN protocols alive for so long. But this isn’t the space for that rant, and anyway I’m tired.

I use Cloudflare, personally. It’s not for love of Cloudflare, really, but Teams is free, and even though it’s not strictly peer-to-peer, it’s very low-latency and works basically anywhere. Also, I can easily host protected web applications that can be accessed with a web browser on any device, and they host my DNS. But Tailscale is absolutely the right choice if you don’t need any of that stuff, and really, it’s a power-play more than anything for Cloudflare to bundle services. Teams is free for up to 50 users, FWIW. If you have a domain, you can then set up Cloudflare Tunnel to route either hostnames or subnets, and run the agent on a single computer inside your network, and the Cloudflare One client on your devices to VPN in. You can do split-tunnel routing, only routing your private network(s), and you can arrange it so that the client can detect when it’s on-net or not, therefore disabling itself to optimise routing. I anticipate that my ISP will soon have cause to push me into a CGN/LSN arrangement, so I’m preparing for the worst.


With my firewalla router, I have configured the WireGuard VPN, and then added a client VPN connection to each of my mobile devices (iPhone, iPad, MacBook Pro, as well as my family devices). I have each of those set up (using the WireGuard app) to have the VPN set for on-demand for all networks except my SSIDs.
The end result is that any time our devices are not on my home network, the VPN activates and all of the traffic is routed through my home network.

Because of this, I haven’t yet found a compelling use case to look at Tailscale. So far I haven’t really had a need for the mesh (device-to-device communication). If I didn’t have the firewalla, though, Tailscale would be extremely compelling.


I am soon going to need a VPS in the US to route certain traffic, including some georestricted traffic, so I might take the opportunity of setting up Nebula rather than Tailscale. It’s self-hostable and peer-to-peer, so you can use your VPS as a “lighthouse” (rendezvous point). That is another option for the so-inclined, and it means depending on one less centralised service, if that’s important to you.

The part about Wireguard that I find objectionable is getting site-to-site working, without source NAT, and without having to completely map out your topology of IP addresses. I know, first-world problems, but it offends my network-nerd brain. That is, of course, a big part of why Tailscale exists. But I note that even Tailscale uses source NAT for their “subnet routers”, because yes, there’s really no other way to make it work on most consumer networks (my crappy Netgear router, ironically, does let me set up custom routes, but that’s surely exceptional IME).
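An added example, not the poster's configuration, of the site-to-site bookkeeping described above done without source NAT. Given each site's LAN prefixes and tunnel address it checks for overlapping prefixes (the reason the topology has to be mapped out first, since two sites both on 192.168.1.0/24 cannot be joined without NAT), emits each side's [Peer] AllowedIPs, and lists the static routes the LAN router at each site needs so that return traffic reaches the WireGuard host, which is the part many consumer routers cannot do and that SNAT papers over. Site names, addresses, endpoints and keys are placeholders.

```python
import ipaddress

# Constructed two-site topology (an assumption, not the poster's network).
# lan_ip is the WireGuard host's address on its own LAN, i.e. the next hop the
# site's router must use for the remote prefixes.
SITES = {
    "home": {
        "lans": ["192.168.1.0/24"],
        "tunnel": "10.99.0.1/32",
        "endpoint": "home.example.net:51820",
        "pubkey": "<home-public-key>",
        "lan_ip": "192.168.1.2",
    },
    "office": {
        "lans": ["192.168.2.0/24", "192.168.3.0/24"],
        "tunnel": "10.99.0.2/32",
        "endpoint": "office.example.net:51820",
        "pubkey": "<office-public-key>",
        "lan_ip": "192.168.2.2",
    },
}


def overlapping_prefixes(sites):
    """Return (site_a, site_b, prefix_a, prefix_b) for every pair of LANs that overlap.

    WireGuard routes by AllowedIPs, so an overlap between two sites cannot be
    expressed without NAT; this is the check to run before writing any config.
    """
    names = sorted(sites)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in map(ipaddress.ip_network, sites[a]["lans"]):
                for nb in map(ipaddress.ip_network, sites[b]["lans"]):
                    if na.overlaps(nb):
                        clashes.append((a, b, str(na), str(nb)))
    return clashes


def peer_allowed_ips(sites, remote):
    """AllowedIPs for a [Peer] entry pointing at `remote`: its tunnel address plus its LANs."""
    return [sites[remote]["tunnel"]] + list(sites[remote]["lans"])


def render_config(sites, local):
    """wg-quick style config for `local` with one [Peer] per other site and no MASQUERADE.

    wg-quick installs a route for every AllowedIPs prefix on this host; the host
    must also have net.ipv4.ip_forward=1 to carry LAN traffic into the tunnel.
    """
    me = sites[local]
    lines = [
        "[Interface]",
        f"Address = {me['tunnel']}",
        "PrivateKey = <local-private-key>",
        f"ListenPort = {me['endpoint'].rsplit(':', 1)[1]}",
        "",
    ]
    for name, site in sites.items():
        if name == local:
            continue
        lines += [
            "[Peer]",
            f"# {name}",
            f"PublicKey = {site['pubkey']}",
            f"Endpoint = {site['endpoint']}",
            f"AllowedIPs = {', '.join(peer_allowed_ips(sites, name))}",
            "PersistentKeepalive = 25",
            "",
        ]
    return "\n".join(lines)


def lan_router_routes(sites, local):
    """Static routes (prefix, next hop) the LAN router at `local` needs.

    Without SNAT, remote hosts see the real source address, so their replies are
    sent to the LAN's default gateway; these routes hand them to the WireGuard
    host instead of letting the router drop or NAT them.
    """
    routes = []
    for name, site in sites.items():
        if name == local:
            continue
        for lan in site["lans"]:
            routes.append((lan, sites[local]["lan_ip"]))
    return routes


if __name__ == "__main__":
    if overlapping_prefixes(SITES):
        raise SystemExit(f"fix the topology first: {overlapping_prefixes(SITES)}")
    for site in SITES:
        print(f"### {site} ###\n{render_config(SITES, site)}")
        print("router routes:", lan_router_routes(SITES, site), "\n")
```

If `overlapping_prefixes` reports a clash, renumbering one site is the only clean fix; the alternative is exactly the source NAT on the subnet router that the post complains about, which is why Tailscale's subnet routers default to it.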

Connecting to my Mac from my iPhone via Tailscale
I set up Tailscale on my Mac, Apple TV and iPhone with no problem but couldn’t figure out how to connect to my Mac from my iPhone. Reddit and other sources said I needed an SSH app on my iPhone which I installed to no avail. After much wasted time, I checked with Google AI which said to open the Files app on my phone and choose “Connect to Server” which I found is accessed via the small circle with three dots at the top right. Bingo!

Here are Tailscale’s instructions for installation on an Apple TV as well as configuring Tailscale as a VPN for other devices: