[USG Flex H] - Wireguard/Tailscale
Hello everyone,
Today I tried to configure the Tailscale VPN, but I have some questions:
- Why is it not possible to use Wireguard? I think that Wireguard is more reliable than Tailscale. Tailscale is a service on top of Wireguard; if support/development ends, the Tailscale service ends. Instead, Wireguard is a low-level app that works directly with IP/FW rules. Tailscale is a service, Wireguard the protocol;
- As per #1, using Tailscale can mean less security than Wireguard. Using Tailscale sends my network packets to an external service; I don't connect directly with my FW/LAN, I pass all my packets to Tailscale, which forwards them to my LAN;
- To use the Tailscale direct connection, I need to open a UDP port. How is it possible to do that? I see some packets pass from my phone's ISP carrier to my WAN IP on the Tailscale port. In this case I need to open the FW rule from ANY to Zywall on the UDP port; is this really the configuration? Is it really safe to allow the UDP port to ANY? Can I change the default Tailscale UDP port? I see that by default there are 2 FW rules, from Tailscale to any and from Tailscale to Zywall, but it seems that the direct connection doesn't use those rules.
- Is it possible to configure multiple Tailscale VPNs? It could be interesting to use one VPN for internal use only, and one for internal use + exit mode.
Thank you so much
Wrong section sorry!!
Hi @Maverick87,
Regarding your questions, we are checking the information and will inform you of any updates.
By the way, I've moved your post to the correct forum category.
Zyxel Tina
Hi @Zyxel_Tina,
thank you so much, I'll wait for your reply.
Hi @Maverick87,
Thank you for your patience. Here are the answers to your questions:
[Ans 1]
We chose Tailscale primarily for its seamless NAT traversal and diverse authentication options. Unlike standard WireGuard, Tailscale ensures connectivity in restricted environments by utilizing relay servers when P2P is unavailable.
Furthermore, the client-side is 100% open-source with high development velocity on GitHub. This transparency ensures that any potential vulnerabilities—such as private key exposure—are quickly identified and audited by the global community, ensuring continuous security and functional enhancement.
[Ans 2]
Please refer to the Tailscale documentation:
Tailscale determines whether a direct connection is possible and uses a relay server only when necessary.
In theory, traffic relayed through the server cannot be intercepted, as it is used only for public key exchange.
[Ans 3]
Tailscale uses UDP ports to carry encrypted traffic, so these ports may need to be allowed.
The firewall zone is used to process traffic after decryption. Therefore, zones are used to differentiate traffic, and firewall rules are applied based on zones. Only traffic matching the Tailscale zone will be processed.
[Ans 4]
Currently, our firewall supports only a single Tailscale tunnel. However, separating internal-only vs. internal + exit node access can be achieved via Tailscale's ACL policy on the Tailscale Admin Portal.
This allows users to control per device/user whether they can use the exit node or the internal subnet only — but the ACL configuration would need to be done by the user on the Tailscale side. For reference, the relevant Tailscale documentation:
- ACL configuration:
- Tags for device grouping:
- Exit node setup:
Hope this helps :)
Zyxel Tina
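The split described in Ans 4, as an added example that is not part of this thread or of Zyxel's or Tailscale's documentation: a Tailscale policy file in which one group may reach only the internal subnet behind the firewall, while a second group may also route its internet traffic through the exit node. The group names, user addresses, the tag:zywall tag and the 192.168.1.0/24 subnet are assumptions made for the example.

```hujson
{
  // Constructed example: group membership is an assumption, not from the thread.
  "groups": {
    "group:lan-only":     ["alice@example.com"],
    "group:lan-and-exit": ["bob@example.com"],
  },

  // The firewall node advertising the LAN route and acting as exit node is
  // assumed to carry tag:zywall; only tailnet admins may apply that tag.
  "tagOwners": {
    "tag:zywall": ["autogroup:admin"],
  },

  // Only the tagged firewall node may advertise the LAN subnet or act as exit node.
  "autoApprovers": {
    "routes":   { "192.168.1.0/24": ["tag:zywall"] },
    "exitNode": ["tag:zywall"],
  },

  "acls": [
    // Both groups may reach the internal subnet (assumed 192.168.1.0/24).
    {
      "action": "accept",
      "src":    ["group:lan-only", "group:lan-and-exit"],
      "dst":    ["192.168.1.0/24:*"],
    },
    // Only lan-and-exit may send general internet traffic through the exit node.
    // lan-only has no rule matching autogroup:internet, so exit-node use is denied.
    {
      "action": "accept",
      "src":    ["group:lan-and-exit"],
      "dst":    ["autogroup:internet:*"],
    },
  ],
}
```

Because Tailscale ACLs are default-deny, a member of group:lan-only who selects the exit node gets no internet access through it, which is the behaviour the reply describes.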
Hi @Zyxel_Tina,
My question about why Tailscale also stems from the fact that Wireguard is compliant with a whole series of security measures that every company applies (because, as I said, it's also more secure because it doesn't go through third-party servers), whereas Tailscale apparently can't always be installed because it's blocked by installation policies.
For example, the company I work for doesn't allow me to install the Tailscale client on my Windows company PC, while Wireguard can be installed.
Hi @Maverick87,
Thank you for your feedback!
I've already forwarded your request to the relevant team. I also noticed that you've created an idea post.
We'll be monitoring the votes and comments as part of our evaluation process.
If anyone likes this idea, please show your support by leaving a comment or voting for it.
Zyxel Tina