1. Tailscale is amazing. I hate them so much. (We use Tailscale and are very happy with it.)
2. Tailscale is user-mode WireGuard.
3. "User-mode WireGuard" in the sense this post uses the term is a misnomer and refers to the fact that we run TCP/IP itself in userland (Tailscale normally runs through a tunnel device and uses your native TCP/IP stack).
4. But Tailscale also has code to do user-mode TCP/IP (they've got it running in a browser with wasm).
> Last I heard[0] they were experimenting but hadn't shipped it. AFAIK their client still requires root, no?
Tailscale's gvisor/netstack-based userspace networking mode has been supported and in wide use for quite some time. It's the default on Synology DSM7, for instance.
You don't need root when you run tailscaled with `--tun=userspace-networking`.
Peers can still connect inbound to the non-root tailscaled, but to connect _out_ to other peers, you need to use tailscaled's HTTP or SOCKS5 proxy, which are also flags to tailscaled, to specify what port they listen on.
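Added example (not from the thread or from Tailscale's code): a minimal SOCKS5 CONNECT client of the kind a program needs when tailscaled runs with `--tun=userspace-networking` and `--socks5-server=localhost:1055`, since there is no TUN device for the kernel to route through. The proxy address, the port 1055, the peer names and the bound address are assumptions; the stub server is a constructed stand-in for tailscaled's listener so the exchange runs offline and shows both sides' bytes, including the error path when the proxy cannot reach the peer.

```python
import socket
import struct
import threading

# Assumed local listener: tailscaled --tun=userspace-networking --socks5-server=localhost:1055
# The port is an assumption for this example, not a value the thread gives.
SOCKS_HOST, SOCKS_PORT = "127.0.0.1", 1055

REP_TEXT = {0x01: "general failure", 0x02: "not allowed by ruleset",
            0x03: "network unreachable", 0x04: "host unreachable",
            0x05: "connection refused", 0x06: "TTL expired",
            0x07: "command not supported", 0x08: "address type not supported"}


def _recv_exact(sock, n):
    """Read exactly n bytes; SOCKS5 fields are fixed-size, so a short read is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(sock, dest_host, dest_port):
    """RFC 1928 handshake with no authentication, then CONNECT to dest_host:dest_port.
    The destination is sent as a domain name (ATYP 0x03) so the proxy resolves it.
    Returns the (addr, port) the proxy bound; raises ConnectionError when REP != 0."""
    sock.sendall(b"\x05\x01\x00")                        # VER=5, NMETHODS=1, [NO AUTH]
    ver, method = _recv_exact(sock, 2)
    if ver != 5 or method != 0x00:
        raise ConnectionError(f"proxy rejected no-auth: ver={ver} method={method:#x}")
    name = dest_host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname longer than a SOCKS5 domain field allows")
    # VER CMD=CONNECT RSV ATYP=DOMAIN LEN NAME PORT
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", dest_port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != 5:
        raise ConnectionError("bad SOCKS version in reply")
    if atyp == 0x01:
        bnd_addr = socket.inet_ntoa(_recv_exact(sock, 4))
    elif atyp == 0x03:
        bnd_addr = _recv_exact(sock, _recv_exact(sock, 1)[0]).decode()
    elif atyp == 0x04:
        bnd_addr = socket.inet_ntop(socket.AF_INET6, _recv_exact(sock, 16))
    else:
        raise ConnectionError(f"unknown ATYP {atyp:#x}")
    bnd_port = struct.unpack("!H", _recv_exact(sock, 2))[0]
    if rep != 0x00:
        raise ConnectionError(f"CONNECT failed: {REP_TEXT.get(rep, rep)}")
    return bnd_addr, bnd_port


def exchange_via_socks(dest_host, dest_port, payload, proxy=(SOCKS_HOST, SOCKS_PORT)):
    """Open a TCP session to a peer through the proxy, send one message, read until the peer closes."""
    with socket.create_connection(proxy, timeout=5) as s:
        socks5_connect(s, dest_host, dest_port)
        s.sendall(payload)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)


class StubSocks5Server:
    """Constructed stand-in for tailscaled's SOCKS5 listener so the example runs offline.
    Any name except 'offline-peer' is 'reachable': it replies with an assumed bound address
    in Tailscale's 100.64.0.0/10 range, echoes the first message upper-cased, then closes."""

    def __init__(self):
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.address = self.srv.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.srv.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)
            conn.sendall(b"\x05\x00")                                  # choose NO AUTH
            _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
            if cmd != 0x01 or atyp != 0x03:
                conn.sendall(b"\x05\x07\x00\x01" + b"\x00" * 6)         # command not supported
                return
            name = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
            port = _recv_exact(conn, 2)
            if name == "offline-peer":
                conn.sendall(b"\x05\x04\x00\x01" + b"\x00" * 6)         # host unreachable
                return
            conn.sendall(b"\x05\x00\x00\x01" + socket.inet_aton("100.64.0.1") + port)
            conn.sendall(conn.recv(4096).upper())


if __name__ == "__main__":
    # Stand-alone run against the stub; against a real tailscaled pass proxy=(SOCKS_HOST, SOCKS_PORT).
    stub = StubSocks5Server()
    print(exchange_via_socks("peer-a", 8080, b"ping", proxy=stub.address))
```

The client sends the destination as a name rather than resolving it locally on purpose: with no TUN device, the local resolver knows nothing about the tailnet, so name resolution has to happen inside tailscaled as well, which is also why the proxy's failure reply is the only place a program learns that a peer is unreachable.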
Yeah, their client is always going to require privileges, because it needs to enable every other program on the system to interact directly with remote hosts transparently. User-mode TCP/IP works for us because we own the client-side program that our users run to talk to stuff on Fly.io.