How could Tailscale MITM users?

I am trying to wrap my head around the entire setup with Tailscale.

My major question before I bring this up as a potential solution for us internally is as follows.

“How could Tailscale possibly harm us if they go rogue?”

Also, does the answer to this question change depending on the plan? (i.e. “Free users can have DNS intercepted, but Enterprise users cannot” etc.)

If any of the guarantees require certain steps by admins / end users (checking fingerprints etc.), please include them in the answer if possible.

Trying it out without thinking too deep into it was like magic and I’m really excited about the product. I just got confused about the way it works.

Thanks!

1 Like

The main thing of relevance here is that the two nodes negotiate the WireGuard key between themselves. The central coordination server facilitates them finding each other, but the tunnel goes from one node to the other, not through the coordination server.

1 Like

But how does node1 know node2 isn’t actually a MITM node that Tailscale set up?

I saw nowhere in the UI for verifying pubkey/fingerprints.

Got a reply for you (from Tailscale Support) and some more 🙂

But how does node1 know node2 isn’t actually a MITM node that Tailscale set up?

Security · Tailscale is a great resource to understand how we treat security and your data. Tailscale’s code is open source, so you can see for yourself what’s happening. There’s not really a scenario where we’ve set up a rogue node, because for that to be a problem, it would have to be a node on your tailnet, authenticated to your account. DERP relays don’t log anything and can’t see your data as it is; they only facilitate creating a direct connection, or when acting as a relay, passing encrypted data through. In either case, all traffic is end-to-end encrypted, and Tailscale doesn’t have your private encryption keys, so cannot see any of your data.

That said, if this is still of concern, Headscale might be the solution for you: GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server

Headscale lets you host your own Control server, and that might help ease some of the concerns!

Can Tailscale employees see what ports/services are open on my tailscale client (node/machine)?

No; if we were provided with support-related bug logs, there might be information that we could get from there, but without that, we can’t see anything like that.

Would a Tailscale rogue employee be able to arbitrarily assign a client IP in my assigned Tailscale subnet and access an unprotected machine?

No; nodes on your tailnet must be authenticated and we can’t get around that.

2 Likes
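
An added example, not part of the thread and not Tailscale's own code: one way an admin could do the pubkey check asked about above is to compare the peer node keys the local client was given (`tailscale status --json`) against a list recorded out of band. The JSON sample, hostnames and keys are constructed placeholders, and the field names `Peer`, `HostName` and `PublicKey` are assumed to match the client's output.

```python
import json

# Constructed sample in the shape of `tailscale status --json` output (assumed
# field names: Peer, HostName, PublicKey). Keys are placeholders, not real keys.
SAMPLE_STATUS = json.dumps({
    "Peer": {
        "nodekey:aaaa": {"HostName": "db1", "PublicKey": "nodekey:aaaa"},
        "nodekey:bbbb": {"HostName": "laptop", "PublicKey": "nodekey:bbbb"},
        "nodekey:cccc": {"HostName": "ci-runner", "PublicKey": "nodekey:cccc"},
    }
})

# Hypothetical pin list: keys read off each machine by its owner and exchanged
# over a channel that does not involve the coordination server.
PINNED = {"db1": "nodekey:aaaa", "laptop": "nodekey:ffff", "backup": "nodekey:dddd"}


def audit_peers(status_json, pinned):
    """Compare peers the coordination server handed to this node with the pins."""
    peers = json.loads(status_json).get("Peer") or {}
    seen = {p.get("HostName", ""): p.get("PublicKey", "") for p in peers.values()}
    findings = []
    for host, key in sorted(seen.items()):
        if host not in pinned:
            # A peer nobody recorded: find out who added it to the tailnet.
            findings.append(("unpinned_peer", host, key))
        elif pinned[host] != key:
            # May be a legitimate re-authentication; confirm with the device owner.
            findings.append(("key_mismatch", host, key))
    for host in sorted(set(pinned) - set(seen)):
        findings.append(("pinned_peer_absent", host, pinned[host]))
    return findings


if __name__ == "__main__":
    for kind, host, key in audit_peers(SAMPLE_STATUS, PINNED):
        print(f"{kind:20} {host:12} {key}")
```

Run it on each node against that node's own status output, since every node receives its peer list separately from the coordination server.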