
Posted by xd1936 10/28/2025

Tailscale Services (tailscale.com)
Video walkthrough: https://www.youtube.com/watch?v=mELAg50ljSA
171 points | 37 comments
peter_d_sherman 10/28/2025|
I did not intuitively understand what Tailscale does, so I visited the following related page:

https://tailscale.com/blog/how-tailscale-works

Ah! OK, now I get it! :-)

But, what I found particularly interesting on that page was the following:

> "Some especially cruel networks block UDP entirely, or are otherwise so strict that they simply cannot be traversed using STUN and ICE. For those situations, Tailscale provides a network of so-called DERP (Designated Encrypted Relay for Packets) servers. These fill the same role as TURN servers in the ICE standard, except they use HTTPS streams and WireGuard keys instead of the obsolete TURN recommendations."

DERP seems like one interesting solution (there may be others!) to UDP blockages...

sureglymop 10/31/2025|
Yup, really in very simple terms they just give you a public-key discovery/exchange server for your wireguard connected devices. Really wouldn't be that hard to create from scratch, wireguard does the heavy lifting.

Would encourage anyone to go look at the wireguard source code, it's amazingly concise and easy to read.

But they do seem to contribute and open source a lot to the community which I am grateful for.
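
The key-exchange role described in the comment above, sketched as an added example (not part of the thread, and not Tailscale's or WireGuard's code): a hypothetical in-memory `KeyDirectory` that validates WireGuard public keys and renders each node's `[Peer]` sections. The class name, node names, address range, endpoint and keys are all constructed for illustration.

```python
import base64
import ipaddress

# Constructed sample keys (32 arbitrary bytes each), not real WireGuard keys.
KEY_A = base64.b64encode(b"\x01" * 32).decode()
KEY_B = base64.b64encode(b"\x02" * 32).decode()


class KeyDirectory:
    """Hypothetical public-key exchange server: it stores public keys only."""

    def __init__(self, cidr="100.64.0.0/10"):  # address range is an assumption
        self._free = iter(ipaddress.ip_network(cidr).hosts())
        self._nodes = {}    # name -> (public key, tunnel IP, optional endpoint)
        self._keys = set()  # raw key bytes already bound to a node

    def register(self, name, pubkey_b64, endpoint=None):
        # A WireGuard public key is 32 bytes, base64-encoded.
        # b64decode(validate=True) raises binascii.Error (a ValueError) on junk.
        raw = base64.b64decode(pubkey_b64, validate=True)
        if len(raw) != 32:
            raise ValueError("public key must decode to 32 bytes")
        if name in self._nodes:
            raise ValueError(f"node {name!r} already registered")
        if raw in self._keys:
            raise ValueError("public key already bound to another node")
        ip = next(self._free)
        self._keys.add(raw)
        self._nodes[name] = (pubkey_b64, ip, endpoint)
        return ip

    def peers_conf(self, name):
        """Render the [Peer] sections that node `name` would load."""
        if name not in self._nodes:
            raise KeyError(name)
        sections = []
        for other, (key, ip, endpoint) in sorted(self._nodes.items()):
            if other == name:
                continue
            lines = ["[Peer]", f"# {other}", f"PublicKey = {key}",
                     f"AllowedIPs = {ip}/32"]  # peer may only source its own IP
            if endpoint:
                lines.append(f"Endpoint = {endpoint}")
            sections.append("\n".join(lines))
        return "\n\n".join(sections)


if __name__ == "__main__":
    d = KeyDirectory()
    d.register("laptop", KEY_A, "198.51.100.7:51820")
    d.register("pi", KEY_B)
    print(d.peers_conf("pi"))
```

Private keys never pass through the directory, but every node still has to trust its answer, since whoever controls it decides which public keys appear as peers.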

sharts 10/29/2025||
I like Tailscale but I notice that I get more weird network blippy latency issues when using it. I used to always have my phone connected to my tailnet so I could use my DNS, etc. but always occasionally something won’t load right and I have to refresh again a couple of times.

It tended to happen a lot more when switching between wifi / cellular when leaving and entering buildings, etc.

Now I just don’t use it

david_van_loon 10/29/2025||
I've found that using Tailscale on my Android phone became worlds more reliable (as far as the issues you've described) once I stopped using a custom DNS resolver on my Tailnet.
Hikikomori 10/29/2025||
Want to use my pi-hole as DNS though.
thedougd 10/30/2025||
Similar struggle here. I don't have custom DNS, but do use MagicDNS.
TranquilMarmot 10/28/2025||
Very cool, I love Tailscale. I use it to connect together a VPS, desktop computer, phone, and a few laptops. My main use case is self-hosted Immich and Forgejo so this is great.
SOLAR_FIELDS 10/29/2025||
Can someone help me understand what this is vs exposing my services via MagicDNS using the tailscale Kubernetes operator? Functionally it looks like a fair amount of overlap but this solution is generic outside of Kubernetes and more baked into tailscale itself? The operator solution obviously uses kube primitives to achieve a fair amount of the features discussed here.
apenwarr 10/30/2025||
(I'm a Tailscale employee) The recent versions of the Tailscale k8s operator actually used a pre-release of the Services feature to do exactly that. So, not much difference. The official Services release is making that functionality available for more use cases (and generally better documented and user friendly).
nickdichev 10/30/2025|||
I’m also curious about this since I’ve been exposing services via their experimental caddy plugin.
smallerize 10/30/2025||
Was the personal plan not always free?
aidos 10/29/2025||
Does anyone use Tailscale in production as the network layer between services? Would be interested in hearing experiences.

We use it to allow us to connect in from the outside (and user to user access etc), but not for service to service connections.

Multicomp 10/29/2025||
Works great to connect fly.io apps that are only exposed to flycast private IPv6 addresses. And I think Tailscale services will replace these.

Performance between fly.io web servers in iad region to RDS databases in us-east-1 via subnet routers has been spotty to say the least.

SOLAR_FIELDS 10/29/2025||
In addition, do people do so in mesh format? Seems expensive to do so for all of your machines, more often the topology I see is a relay/subnet advertisement based architecture that handles L3 and some other system handles L6/L7
pkt0x53 10/31/2025||
This project exactly does the same thing https://github.com/mascarenhasmelson/TailPass
keeda 10/29/2025||
Fascinating to watch Tailscale evolve from what was (at least in my mind) a consumer / home-lab / small-business client networking product into an enterprise server-networking product.
echelon 10/29/2025|
They're morphing into a B2B centicorn, and the consumer-led tooling route was a genius path.

They provided much-needed solutions to annoying problems and did it in a way that made developers love them.

Really smart and well executed.

SOLAR_FIELDS 10/30/2025||
I know they are good at what they do because it's dev tooling that I will actually pay for, which is as many people know, a difficult thing to convince developers to do.
defnnn 10/28/2025||
This would be great if it supported wildcards for ingress controllers. A service foo would give you foo.tailYYYY.ts.net as well as *.foo.tailYYYY.ts.net.
dlisboa 10/29/2025||
If I'm getting this right it's only highly available from a network layer perspective. However if one of your nodes is still responsive but the service that you exposed on it isn't responsive there's no way for Tailscale to know and it'll route the packet just the same? It's not doing health checks like a reverse proxy would I imagine.
subarctic 10/29/2025|
This sounds great, I think it's exactly what I was looking for recently for hosting arbitrary services on my tailnet. I figured out a workaround where I created a wildcard certificate and DNS CNAME record pointing to my Raspberry Pi on my tailnet but this could be potentially simpler.