We chose Tailscale as our mesh zero-trust platform primarily for its 4via6 subnet routing. Many of our interfacing networks reuse CIDR ranges, and we had no interest in maintaining a custom WireGuard implementation to handle subnet overlaps. The hidden operational cost of bespoke networking solutions is never trivial. Tailscale’s combination of 4via6, fine-grained ACLs, lightweight agents, and a customer-friendly licensing model made it an easy decision for us—especially given their flexibility around node licensing, which erred in favor of the customer and our custom use cases that would have otherwise inflated our COGS.
Wow, people don't like this in the comments. I like this! This is cool. I think the use case of deploying robots and being able to rely on their IPs for various uses is smart, and interesting. Looking forward to seeing how this evolves.
> Wow people don't like this in the comments
Not a single purely negative comment here as of the time I'm writing this. Maybe a criticism or two, but no one has a "dislike".
Well, at least there was a lot of bikeshedding.
Love to see more schemes that put the lie to 128 bit addresses being overkill. We'll find ways to run out of them soon enough!
(Signed: someone who deployed at scale a scheme that eats 8 octets for two embedded IPv4 addresses, plus an additional 2 octets of signaling).
Why do they feel the need to call NAT64 by some new weird “4via6” name?
I'm largely responsible for this, so I'll try to answer.
Technically it's not NAT64 today. Different prefix for one, but it's also not translated at the IP layer (yet). For TCP, we terminate the TCP in tailscaled and make a new TCP connection out and switch them together, so packets are not 1:1 end-to-end.
We also had grander plans for the 32 "site-id" bits in the middle there. Instead of just an 8-bit (now 16-bit) "site ID" number in there, you could actually put the 32-bit CGNAT IPv4 address of any peer of yours, and then access its IPv4 space relative to that node, without any configuration.
Say you have an Apple TV plugged in at home.
Then you're at a coffee shop and want to access something on your LAN and don't have a subnet router set up.
You should be able to `ssh 10-0-0-5-via-appletv.foo-bar.ts.net` and have MagicDNS map that "appletv" as the "Site ID" and put its 32-bit CGNAT address in, and then parse out the 10.0.0.5 as the lower 32-bits, and then have Tailscale route your packets via your home Apple TV node.
All subject to ACLs, of course, but we could make it a default or easy-to-enable recommended default that you could do such things as an admin for your self-owned devices.
So why is it called "4via6"? That was just kinda a temporary internal name that ended up leaking out to docs/KB and now a blog post, apparently. :)
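The addressing scheme the comment above describes, as an added example that is not Tailscale's code: an IPv6 ULA address whose host half carries a 32-bit "site" field above a 32-bit IPv4 address, so the same private IPv4 range at two sites maps to two distinct IPv6 routes, plus the proposed variant where the site field holds a peer's 32-bit CGNAT address and a `<a>-<b>-<c>-<d>-via-<peer>` hostname resolves to it. The `/64` prefix, the `PEERS` table and every address below are assumptions constructed for this example (the comment says the real prefix is different; it is not reproduced here).

```python
# Added example, not Tailscale's code: toy model of a "4via6"-style address
#   prefix(64) | site field(32) | IPv4(32)
# The site field is a numeric site ID (16-bit today per the comment) or, in the
# proposed variant, the 32-bit CGNAT IPv4 address of a peer node.
# PREFIX, PEERS and all addresses are constructed assumptions for this example.
import ipaddress
import re

PREFIX = ipaddress.IPv6Network("fd00:1234:5678:9abc::/64")  # placeholder ULA prefix
CGNAT = ipaddress.IPv4Network("100.64.0.0/10")               # RFC 6598 shared address space
MAX_SITE_ID = 0xFFFF                                         # 16-bit numeric site id

# Constructed peer table: MagicDNS-style hostname -> that node's CGNAT IPv4.
PEERS = {"appletv": "100.101.102.103"}


def site_field(site) -> int:
    """32-bit site field: a numeric site id, or a peer's CGNAT IPv4 given as text."""
    if isinstance(site, int):
        if not 0 <= site <= MAX_SITE_ID:
            raise ValueError("numeric site id must fit in 16 bits")
        return site
    peer = ipaddress.IPv4Address(site)
    if peer not in CGNAT:
        raise ValueError("peer site must be a CGNAT address")
    return int(peer)


def via_address(site, ipv4: str) -> ipaddress.IPv6Address:
    """prefix | site<<32 | ipv4: the same 10.0.0.5 gets a distinct v6 address per site."""
    host = (site_field(site) << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(PREFIX.network_address) | host)


def via_network(site, cidr: str) -> ipaddress.IPv6Network:
    """The IPv6 route that carries an IPv4 CIDR at a site: /96 plus the v4 prefix length."""
    net = ipaddress.IPv4Network(cidr)
    base = via_address(site, str(net.network_address))
    return ipaddress.IPv6Network((base, 96 + net.prefixlen))


def decode(addr: str):
    """Inverse of via_address: (site id or peer CGNAT text, ipv4 text).
    Rejects addresses outside PREFIX and site fields that are neither form."""
    a = ipaddress.IPv6Address(addr)
    if a not in PREFIX:
        raise ValueError("not a via address")
    host = int(a) & 0xFFFF_FFFF_FFFF_FFFF
    field = host >> 32
    v4 = str(ipaddress.IPv4Address(host & 0xFFFF_FFFF))
    if field <= MAX_SITE_ID:
        return field, v4
    peer = ipaddress.IPv4Address(field)
    if peer not in CGNAT:
        raise ValueError("site field is neither a site id nor a CGNAT peer")
    return str(peer), v4


# Proposed hostname form from the comment: "<a>-<b>-<c>-<d>-via-<peer>".
NAME_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})-via-([a-z0-9-]+)$")


def resolve_via_name(label: str) -> ipaddress.IPv6Address:
    """Map e.g. '10-0-0-5-via-appletv' to the address that routes 10.0.0.5 via that peer."""
    m = NAME_RE.match(label)
    if not m:
        raise ValueError("not a via name")
    ipv4 = ".".join(m.group(i) for i in range(1, 5))
    peer = m.group(5)
    if peer not in PEERS:
        raise KeyError(peer)
    return via_address(PEERS[peer], ipv4)


def route_table(sites: dict) -> dict:
    """Overlapping IPv4 ranges at different sites become distinct, non-colliding v6 routes."""
    return {str(via_network(site, cidr)): site for site, cidr in sites.items()}


if __name__ == "__main__":
    print(via_address(1, "10.0.0.5"), via_address(2, "10.0.0.5"))
    print(route_table({1: "10.0.0.0/24", 2: "10.0.0.0/24"}))
    print(resolve_via_name("10-0-0-5-via-appletv"))
```

The point of `route_table` is the one that matters operationally: two sites advertising the same `10.0.0.0/24` collide as IPv4 routes but not as `/120` IPv6 routes, because the site field disambiguates them; `decode` is what a policy layer would use to recover the site before applying per-site ACLs, and it refuses addresses outside the prefix rather than silently treating them as site 0.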
> that doesn't work with UDP or even ping?
I never said it didn't work with UDP or ping. I described what it does differently for TCP.
Anyway, I'm sorry we offended you with its name.
I personally think it would've been more offensive to use an existing spec name and then not implement the spec of that name perfectly. (which is likely if our needs/goals only 90% overlap with the spec we pick)
At least if we screw up this implementation, we didn't tarnish anybody else's spec or its name.
Don't worry about the bikeshedders! Awesome stuff you all are doing at Tailscale! Keep making complex things easier for the rest of us.
As far as I understand it, both involve translating between IPv6 and IPv4, but NAT64 is a broad standard for general IPv6-to-IPv4 internet access, whereas Tailscale's 4via6 is a more specific feature to solve a niche problem of overlapping private IP ranges within a Tailscale VPN environment using some proprietary addressing scheme. But it's been a while since I was deep in network land.
Most people working outside the network layer are not familiar with the basics of IPv6 and how it interops with v4 systems. In fact, I would bet that many AWS admins are not familiar with dualstack VPC configurations, for example. This product name communicates clearly to those users what the value prop is.
Maybe because it's not exactly NAT64, even though it has the same goal?
Don't forget 6to4 and Teredo. Different names for different things.
Honest question: would a full IPv6 implementation across the board hurt Tailscale's M.O. and bottom line, assuming all routing worked properly (a big assumption, to be sure)?
You can probably guess the next question, if the answer to that one is anything like a "yes"
That said, my experiences with Tailscale have been nothing but positive and I appreciate the work they're doing to simplify Internet connectivity between endpoints inside different LANs and WANs
Reminds me of the network a friend described. After a couple of mergers and sales, they had so much NAT that one particular cron job tab used an internal server-to-server connection that passed through five NAT instances.
And this tailscale product seems to say "this product makes that kind of situation less awful" which I'm sure is somehow good but I can't help thinking that "less awful" is going to mean "still awful" for most deployments.
Or just use Yggdrasil with a firewall.
I've been hearing about Yggdrasil for some time now, I'd like to dive into it a bit more but I don't really know where to start for practical stuff. Do you happen to have some personal success story with it, or could you please point me to some blog posts maybe?
Thanks and I apologize in advance for imposing on you.
No problem, I love the tech.
My journey was: Wireguard (dropped because it is pain in the ass to configure and poor Windows support) -> Tailscale (dropped because it had RCEs at the time) -> Nebula (needs a separate service that issues host certificates, or manual clunky process) -> Yggdrasil. This was for personal stuff, but now I am also using it for my p2p GPU cloud startup (see https://borg.games/setup).
In comparison to other options I found Yggdrasil to be straightforward to set up:
1. Get it
2. Edit yggdrasil.conf to add public peers you want to connect to. You can get them from https://publicpeers.neilalexander.dev/
3. Repeat on all machines (Android is supported, unsure about iOS)
Now they have access to each other and everyone else in Yggdrasil by their _permanent_ Yggdrasil IPv6 address (derived from PrivateKey in yggdrasil.conf).
OPTIONAL quality-of-life stuff:
4. Add Listen entries to yggdrasil.conf and a corresponding port forward on your home router, then use it as a peer for your out-of-home machines to avoid the extra hop through public peers
5. Create a bunch of DNS AAAA (IPv6) records at your favorite DNS provider to give your machines names
Extra bonus: they recently added userspace stack support, so you can embed Yggdrasil directly into your app, and use it as a SOCKS proxy: https://github.com/yggdrasil-network/yggstack
Isn't Yggdrasil IPv6-only? I guess you could maybe do something similar with Yggdrasil+NAT64?
This is not a problem if you are running services that support IPv6.