Tailscale: A modern replacement for Hamachi

Xe Iaso on

When I was in college almost a decade ago, I lived on the computer science floor of my dorm. It was quite possibly one of the most interesting places I’ve ever lived. It was full of nerds, and we had file shares and LAN parties every weekend. While I was there, I got introduced to a tool called Hamachi that we used in order to keep playing games like Minecraft, StarCraft (Brood War), and Age of Mythology together over winter and summer breaks. We shared our photos, code creations, and more, all over that shared network. This allowed us to be together even on breaks, when we were on opposite sides of the state.

With Hamachi, you had a network number and you shared that with your friends in order to join your machines together. You got your own IP address and could discover your friends’ computers using the app. There was firewall hole punching, as well as an array of relay servers as a fallback. It was a fantastic thing in practice. My friends and I were able to play games for all the years I was in college. Things faded naturally as people graduated, but Hamachi continued to be one of the most useful pieces of software I had ever used.

<Mara> Hi! I’m the cartoon shark that normally appears on Xe’s blog, but I’ll be along for the ride to introduce additional side context. My art was drawn by Selicre.

I’ve been working at Tailscale for almost two years, and after deep diving into Tailscale in a billionty different aspects, I think that Tailscale is not just Hamachi v2, it’s an evolution beyond the concepts Hamachi brought to the table. Tailscale transforms the ideas of Hamachi in ways that take it from being another mesh VPN to being a fundamental building block that your friends, family, co-workers, and external contractors can use in order to build the next generation of shared game worlds, internal applications, and more as we transition toward an interplanetary civilization.

In the process of writing this article, I made an informal Twitter poll. My audience on Twitter skews toward “tech bros,” gender minorities, gamers, and other such groups of people. The poll was also filtered through selection bias due to the fact that I only had it open for 24 hours on a Monday. My Twitter audience is a minute subset of the audience that Tailscale in general is targeting (ideally we want Tailscale to pioneer intra-galactic networking or something like that), but I was able to confirm my suspicion that the respondents to the survey who used Hamachi in the past mostly used it for playing games with people.

Peeling back the nostalgia

At some level, you can think about Tailscale as an idealized form of what Hamachi could have been if they hadn’t stopped at the network connection level. Hamachi focused on connectivity and left the rest up to the users. There was no strict identity associated with each node on a Hamachi network. Horrifically, when someone was on your Hamachi network, they had effectively all the same permissions as being on your local LAN or WiFi connection.

There was no way to limit or cordon off the scope of someone’s permissions. The only way to limit someone’s access to machines on the network was to eject all of their machines from it. You couldn’t eject every machine someone owned at once. You had to eject each of their devices one at a time.

At the time I used it, access to Hamachi networks was also controlled by knowing the network number. That was it. There was no identity challenge with an identity provider. You had no way of knowing who anyone was without asking them directly through an external communications channel.

<Mara> Pedantically, this is fine for individuals. This is not as fine when it comes to taking Hamachi into the office, though. What if friendships sour and previously friendly contact turns into vitriol and anger? How can you block someone quickly if they become a threat? What if their machine gets infected and you want to prevent the spread of ransomware? A low-permissions model is great for most issues, but when things go bad it can make you regret doing it like that.

Tailscale solves these issues by making a link between membership in the tailnet and human identities, validated by your identity provider. As a side effect, you can remove someone’s access from the tailnet and all of their machines will go with it. No more having to track down someone’s machines or having to maintain spreadsheets of IP-address-to-person mappings. If you’re not in the same email domain or GitHub organization, you can’t get in. No more network number guessing. You can even use node sharing to give people access to individual services (such as your Minecraft or Plex server) without having to give them access to your whole tailnet.

<Mara> This is why Tailscale doesn’t currently support using a basic email address and password for signing up. We can’t make the same guarantees about account ownership that way. We can’t draw a hard line between people’s identities and their machines without a trusted authority vouching for it.

Tailscale lets you use access control lists (ACLs) to limit people’s access. Put all your friends who should only have access to the Minecraft server into an ACL group, then only give them permission to connect to the Minecraft server and its map UI.
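To make the default-deny, group-based model concrete, here is an added example (not code from this post or from Tailscale) of a small evaluator for a policy written in the shape of a Tailscale ACL file: `groups` map a group name to user identities, `hosts` give friendly names to tailnet addresses, and `acls` list `accept` rules with `src` and `dst` entries. The identities, the host names, the 100.x addresses, and the choice of port 8123 for the map UI (the Dynmap default) are all assumptions made for the example; Tailscale's own evaluator also handles tags, autogroups, and port ranges in ways this toy does not.

```python
"""Toy evaluator for a Tailscale-style ACL policy (added example, not Tailscale's code).

Like Tailscale's ACLs, the model is default-deny: a connection is allowed
only if some "accept" rule matches both the source identity and the
destination host:port. Anything not explicitly accepted is denied.
"""
import ipaddress

# Constructed policy. Port 25565 is Minecraft's default game port; 8123 is
# assumed here to be the map UI. The 100.101.102.x addresses are made-up
# tailnet IPs.
POLICY = {
    "groups": {
        "group:admins": ["xe@example.com"],
        "group:minecraft": ["alice@example.com", "bob@example.com"],
    },
    "hosts": {
        "minecraft-server": "100.101.102.103",
        "nas": "100.101.102.104",
    },
    "acls": [
        # Admins may reach every host on every port.
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
        # Minecraft friends may only reach the game server, and only on the
        # game port and the map UI port. Nothing else on the tailnet.
        {"action": "accept", "src": ["group:minecraft"],
         "dst": ["minecraft-server:25565", "minecraft-server:8123"]},
    ],
}


def _expand_src(policy, src):
    """Expand a source entry (a user, a group, or '*') into a set of identities.
    Returns None for the wildcard, meaning 'any identity'."""
    if src == "*":
        return None
    if src.startswith("group:"):
        return set(policy["groups"].get(src, []))
    return {src}


def _dst_matches(policy, dst, ip, port):
    """True if a 'host:ports' entry covers the destination ip:port."""
    host, _, ports = dst.rpartition(":")  # rpartition keeps IPv6 literals intact
    if host != "*":
        target = policy["hosts"].get(host, host)  # resolve a host alias, else treat as IP
        if ipaddress.ip_address(target) != ipaddress.ip_address(ip):
            return False
    if ports == "*":
        return True
    for p in ports.split(","):
        if "-" in p:  # port range such as 8000-8100
            lo, hi = p.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(p) == port:
            return True
    return False


def is_allowed(policy, user, dst_ip, dst_port):
    """Return True if `user` may connect to dst_ip:dst_port under `policy`."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        src_ok = any(
            ids is None or user in ids
            for ids in (_expand_src(policy, s) for s in rule["src"])
        )
        if not src_ok:
            continue
        if any(_dst_matches(policy, d, dst_ip, dst_port) for d in rule["dst"]):
            return True
    return False  # default deny


if __name__ == "__main__":
    checks = [
        ("alice@example.com", "minecraft-server", 25565),  # allow: game port
        ("alice@example.com", "minecraft-server", 8123),   # allow: map UI
        ("alice@example.com", "minecraft-server", 22),     # deny: SSH not granted
        ("alice@example.com", "nas", 445),                 # deny: other host
        ("xe@example.com", "nas", 445),                    # allow: admin
        ("mallory@example.com", "minecraft-server", 25565),  # deny: not in any group
    ]
    for user, host, port in checks:
        verdict = "allow" if is_allowed(POLICY, user, POLICY["hosts"][host], port) else "deny"
        print(f"{user:22} -> {host}:{port:<6} {verdict}")
```

The point to take from the evaluator is the shape of the rules rather than the code: a friend in `group:minecraft` can reach exactly two ports on one machine, and removing their identity from the group (or from the identity provider) cuts off every device they own at once, which is the property the post contrasts with Hamachi's per-machine ejection.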

<Mara> You can even use Tailscale as your authentication provider for Minecraft! Then you have an even more strict mapping between actions taken in-game and who did it. This works with node sharing, too.

The IP address space that Hamachi used was selected to avoid conflicting with anyone’s existing private networks. They used the IP address block 5.0.0.0/8, which was unused at the time. Then people started using that IP address block on the public internet because of the IPv4 address shortage. Hamachi compromised by using the 25.0.0.0/8 range owned by the UK Ministry of Defence. Most of those IP addresses are not publicly routable and don’t host anything important to random members of the public, so Hamachi used that range.

This is still kind of ugly from a network engineering standpoint. If that range ever gets sold, Hamachi may have to re-number that network again, which will surely break countless DNS entries and autojoin lists across the planet. Tailscale has the same problem of not wanting to collide with anyone’s existing networks, but we took a different approach. Tailscale uses a private address range called the Carrier Grade NAT address space. We have our own IPv6 subnet in the Unique Local Address space: fd7a:115c:a1e0::/48, which we also encourage you to use as much as possible. This allows us to ensure that we will never have to change IP address ranges. Your IP addresses are stable and you can feel safe to use them in documentation and DNS names. Even if you are the UK Ministry of Defence.
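The collision problem described above is something you can check on your own machines before committing to an overlay range. As an added example (not code from this post or from Tailscale), the script below parses the routing table as printed by the Linux `ip route` command, collects the prefixes already in use, and reports which candidate overlay ranges overlap them. The route lines are constructed sample data standing in for real `ip route` / `ip -6 route` output; 100.64.0.0/10 is the Carrier-Grade NAT block defined in RFC 6598.

```python
"""Check candidate overlay prefixes against routes already in use (added example).

Parses `ip route`-style lines, extracts each destination prefix, and reports
overlaps with candidate overlay ranges. The sample routes below are
constructed, not captured from a real host.
"""
import ipaddress

# Constructed sample output in the format of `ip route` and `ip -6 route`.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 192.168.1.254 dev eth0
172.16.5.0/24 dev docker0 proto kernel scope link src 172.16.5.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.37 metric 100
fe80::/64 dev eth0 proto kernel metric 256
fd12:3456:789a::/48 dev eth0 proto ra metric 100
"""

# Ranges discussed in the post, plus a naive choice for contrast.
CANDIDATES = {
    "naive-rfc1918": "172.16.0.0/12",        # would collide with many LANs
    "hamachi-v2": "25.0.0.0/8",              # UK MoD block used by Hamachi
    "tailscale-v4": "100.64.0.0/10",         # CGNAT space (RFC 6598)
    "tailscale-v6": "fd7a:115c:a1e0::/48",   # Tailscale's random ULA prefix
}


def parse_routes(text):
    """Return the destination prefixes from `ip route` output as ip_network objects.

    Lines starting with 'default' carry no prefix and are skipped; a bare
    host route like '10.1.2.3 dev eth0' is normalised to a /32 or /128.
    """
    prefixes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("default"):
            continue
        dest = line.split()[0]
        try:
            prefixes.append(ipaddress.ip_network(dest, strict=False))
        except ValueError:
            continue  # not a destination prefix (e.g. 'unreachable', 'broadcast')
    return prefixes


def collisions(candidate, in_use):
    """Return the in-use prefixes (as strings) that overlap `candidate`."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [
        str(net) for net in in_use
        if net.version == cand.version and net.overlaps(cand)
    ]


def audit(candidates, route_text):
    """Map each candidate name to the list of routes it collides with."""
    in_use = parse_routes(route_text)
    return {name: collisions(prefix, in_use) for name, prefix in candidates.items()}


if __name__ == "__main__":
    for name, hits in audit(CANDIDATES, SAMPLE_ROUTES).items():
        status = "collides with " + ", ".join(hits) if hits else "no collision"
        print(f"{name:14} {CANDIDATES[name]:24} {status}")
```

Running it against a real host is just `ip route; ip -6 route` piped into `parse_routes`. The RFC 1918 candidate collides with the Docker bridge route in the sample, while the CGNAT block and the ULA /48 overlap nothing, which is the practical reason those ranges can be written into documentation and DNS records without fear of a future renumbering.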

<Mara> When we rolled the random number generator dice for our IPv6 subnet like the RFC says to, it was kind of serendipitous because the result we got kinda looks like tailscale0. Interesting coincidence, eh?

Tailscale also supports more OSes and platforms than Hamachi ever did. Hamachi was released as closed source software that was only compiled for Windows, macOS and as a beta for Linux. Tailscale supports Windows 7, Windows 10, Windows 11, macOS 10.13 and later, iOS 12 and later, Android 6.0 and later, and just about any Linux distribution you can think of for every CPU architecture that the Go compiler will build it for. If you have a Raspberry Pi running CentOS, a random ancient 32-bit laptop running OpenSUSE, and one of those fancy RISC-V development boards running Ubuntu: It’ll all just work. You’ll be able to connect to them from your iPhone on the other side of the planet. The VPN engine at the heart of the Tailscale client is also open source, which means that you can get Tailscale working on platforms we don’t officially support, such as FreeBSD or OpenBSD.

Hamachi required you to connect to their proprietary central servers and didn’t allow you to self-host the infrastructure at the core of it. Tailscale is an adamant supporter of open source software, including the open source control server Headscale. You can use Headscale to connect your devices together without Tailscale knowing anything about them.

<Mara> If you do choose to run your own Headscale server, you should probably make sure that server is run on a separate machine in a separate datacentre. Ideally, this should be visible over the public internet for convenience. You want to do this because many people use Tailscale as a remote access tool. If something goes wrong while you are not in your local network when you need to debug your remote access tool behind that network, it can become difficult-to-impossible to fix until you come home. It may also be a good idea to use a separate backup mechanism to access that machine should you decide to put it deep in your local network anyway.

Of course, this doesn’t include the other things that Tailscale does, such as HTTPS certificates with Let’s Encrypt, MagicDNS, and Tailscale SSH.

More than just networking

Hamachi gives you network connectivity between your devices and stops there. Tailscale does also give you network connectivity between your devices, but it doesn’t stop there. Tailscale uses its primitives as building blocks to allow you to do more. Tailscale lets you connect with a network of your colleagues, friends, and family so that you can go back to doing what you love together, be it playing Minecraft, sharing prototypes of web applications, securing access to internal services, or anything else you can imagine.

What could you do if you didn’t have to worry about the hard problems of networking? Find out with Tailscale.

<Mara> Want to be convinced? Use Tailscale for free today. You can also use the code ITJUSTWORKS for a year of Personal Pro on us. This code has a limited number of uses, so act quickly if you want to take advantage of it!
