
What is this AppleTV box running TS that you speak of? Sounds awesome.


Check out the instructions from Tailscale: https://tailscale.com/kb/1280/appletv


I wish there was a way to use the tailscale app to connect to my own vanilla WireGuard endpoint at home. I don’t want to use and pay for tailscale when I can run WireGuard myself. But there seems to be no good WireGuard app for tvOS (there is for iOS and macOS though) and if the TS app works as well as it says, I’m jealous I can’t use it with my setup.

(There’s another really shitty VPN app for tvOS that I tried, but it also costs money so screw that. It’s also buggy as hell and crashes all the time.)

I should add that my use case is the occasional trip where we take the Apple TV with us places and want to access my media library. Or being able to share my media library with extended family (setting their Apple TV up with a vpn to my house.) More complex things like travel routers can work, but are more hassle than I want, although I’m increasingly leaning towards taking the plunge there…


Personal-level Tailscale is free for up to 3 users. So your immediate family is covered even on trips.

You could create an account with any one of their identity providers (or roll your own OIDC, it's possible) and just have it not have a linked credit card. The account you use to authenticate Tailscale doesn't have to be the Apple account that you use to log into the hardware device itself - my wife's laptop, phone, and iPads are logged in under my Tailscale account but separate Apple/iCloud accounts (we have family sharing for our apps, etc., but the TS is usually going to be up to me, so I haven't created another account for her). Free gets you 100 devices, so we're nowhere close to running out of those.


I’m reading that from a departure lounge.

Wish I’d read this a few hours ago and the AppleTV would be coming with me.


Doesn’t have to be an Apple box either. A Raspberry Pi is what I’m using. I’m in the exact same situation, living in one country temporarily but citizen of another, and I have an exit point in my home country at my parents’ place on a Raspberry Pi. Basically any computer will work.


The advantage of the AppleTV is that it's basic consumer hardware that a lot of people have, that you can provide for them at a reasonably low cost if they don't, and that doesn't really require much in the way of tech skill for the person whose house it's in to keep it up to date. You don't even have to do anything to update versions - tvOS will do it automatically.

I can't find it right now but there was a post announcing the port to tvOS on their blog where a developer from the UK (but living in the US) talked about how it let him buy, configure, and ship a simple consumer box that uses little power and needs minimal hands-on maintenance to his parents' house as a replacement for a server he had been running in their house as a VPN endpoint for this sort of thing - so he could watch BBC, etc.

I wouldn't want to update a RPi that's in someone else's house on the other side of the ocean.


Android TV works great as well. I have it running on an old Chromecast that cost less than $50 new.

While I still prefer running a plain Wireguard VPN if possible (i.e. when there's a publicly reachable UDP port), the really big advantage of Tailscale over other solutions is that it has great NAT traversal, so it's possible to run a routing node behind all kinds of nasty topologies (CG-NAT, double NAT, restrictive firewalls etc.)


I have run into the firewall problems before. Even seen them that block authentication but - if already connected to the tailnet before joining the WiFi in question - will continue to pass data. OpenVPN would not connect and couldn’t handle the IP address switch.

At worst, I turn on phone hotspot, authenticate, then switch back to WiFi. A purely serendipitous discovery on my part, but a very welcome one.


Interesting, maybe they block the orchestration servers of Tailscale, but not the actual data plane (which is almost always P2P, i.e., it usually does not involve Tailscale servers/IPs at all)?


I'm sure they do, but the question is, why did OpenVPN fail? It's pure P2P. I've got a dynamic DNS through afraid.org, and that resolves on that network, so it's not just DNS-level blocking. I effectively have a static IP anyway; there's no CGNAT going on, so I've discovered that I misconfigured my DDNS once or twice only when afraid.org emailed to tell me that I hadn't updated in X months.


Were you using the semi-well-known port (1194)? Otherwise, maybe it's just more fingerprint-able, or whatever DPI the firewall uses hasn't caught up to Wireguard yet?



