starters

I'm no expert at networks, and don't fully (or at all) understand the protocols behind VPNs.

Tailscale is just what I use; I'm sure there are many other options (self-hosted and not), but this is the only self-hosted option I've tried, and they make it super easy to use!

From my experience, this only works on my personal devices, not school/managed hardware, and I'll talk more about that later on.

why?

Personally, I use Tailscale to be able to bypass any network blocks at my school. They block a lot; I believe they whitelist most domains? It's set up by the Education department in the Government here, but for context, even Wikipedia is blocked!

Why not use a commercial VPN? I'm not fully sure how networks/firewalls can be set up, but I believe it's easy to block common VPN IPs and domains. Tailscale, being self-hosted, is in theory much harder to block as you're the only person to access that IP, so it's less likely to be on some VPN IP blocklist.

The other issue with centralised VPNs (and this is more niche) is that as a security measure, our school Microsoft accounts are geoblocked to only work in Jersey. This means if you're based in another country and try to access the account, it'll throw an error. That means a VPN would have to be located where I am too!

Self-hosted VPNs are also much more privacy-respecting! Many of the free offers out there will steal and sell your data as they log everything you access from their servers.

so how do i actually use it at school?

Our school's network is set up like this as far as I can tell:

  • Desktop PCs connected via Ethernet to a central server

  • When a user is authenticated on one of these desktops, the blocks are in place at the network level and you will get reported as your authenticated user if you come across anything that's restricted

  • If you bring a personal device to school, they tell you to go to get it connected to the school network (which still tracks you!)

Here's an example of what these blocks look like, from when I accidentally used my laptop with Tailscale disconnected a few months ago:

jack 🎃🍂
@j4ck.xyz

imagine being a school that pays for microsoft 365 then blocking it as its own category 💀💀💀💀💀

"CYPES
Oops, edge-http.microsoft.com is not available because it's categorised as microsoft."

So, on to the how? Most VPN URLs here are blocked. For example, tailscale.com, protonvpn.com, etc. are blocked. However, if you run the VPN in the background before connecting to the network, it Just Works. Personally, this is no issue for me. On my laptop, Tailscale is running 24/7 anyway as I use it for self-hosted applications/tools already; this just builds on top of that! So when I get to my school premises, it's already connected to my Raspberry Pi exit node located at my house.

A screenshot of the Tailscale web dashboard showing the users that I have shared my Raspberry Pi to, with "Exit node" tags

Exit nodes are also shareable! (read below) In the screenshot above, you can see that I have shared mine out with 9 other friends. We're all using this at school to get past network restrictions.

Again, this only works on personal devices due to not being able to install apps on Windows, not having admin rights, domain blocks, etc. that stop it from being possible on their devices, but who cares?! This is a step up!

I'm unsure how this works, but usually our school network requires login on some localhost + port domain in a browser, but if joined with a VPN, this is entirely skipped!

If I get to school and Tailscale isn't open/has disconnected, I connect to my iPhone's mobile hotspot to bypass the tailscale.com domain block for authentication on my client, then it loads, and I switch back to the school network.

how can i set it up?

For my personal setup, my primary exit node is a Raspberry Pi 4 with only 2GB RAM & a 64GB micro SD card.

A screenshot of `tailscale0 traffic` by day. It shows green peaks + troughs for network sent in/out from my Pi

I'm unsure what those massive peaks/troughs are from, although some of them were when I was downloading pretty big .iso files from my device. But generally, my Pi tends to only use ~500 MB of RAM (1/4 of its total) and never crashes until I run much larger software/self-hosted apps on it (which I don't do anymore).

In case you're wondering what the speeds are, I get about 30 Mb/s peak on the school WiFi. The Pi technically has gigabit Ethernet for download (as it's plugged directly into my router).

I've been writing this blog post during some free periods, and this is what I got on a Speedtest I just ran. I believe the bottleneck here is the school WiFi bandwidth as the Pi gets much higher speeds (see second screenshot)

Speedtest.net results showing download speed of 27.44 Mbps, upload speed of 16.46 Mbps, ping of 25 ms, jitter of 119 ms, and packet loss of 88%. Connection is through JT Global Limited with multi-connections enabled. Four service icons (streaming, gaming, video, and video conferencing) are displayed with colored dots indicating performance levels. A rating scale at bottom shows download speed rated as 3 out of 5, matching 'As expected' performance level.
Terminal screenshot showing speedtest-cli command output on a Raspberry Pi. The test connects to JTGlobal and uses a Sure (Guernsey) LTD server in St Peter Port. Results show download speed of 890.37 Mbit/s and upload speed of 94.64 Mbit/s. The command prompt shows 'pi@raspberrypi:~$' with a cursor awaiting the next command

For the exit node setup on the hardware itself, you just have to make sure it's a device you can leave on practically 24/7. Tailscale is super lightweight (as previously mentioned). You could probably set up one of these for about £30 for the Pi itself (excluding network/energy costs, although it hardly uses any energy).

I won't go into the details of setting up an exit node, as Tailscale have posted a good blog post on the subject, with a video demonstration.

They have pretty good diagrams showing the difference between using an exit node or not:

Network diagram showing laptop connecting directly to google.com via Tailscale overlay network.
Network diagram showing laptop routing through desktop exit node to reach google.com via Tailscale.

In the first diagram, your public internet traffic (like visiting google.com) goes directly through whatever network you're connected to, so the school's blocks still apply.

But in the second diagram with an exit node enabled, all your traffic routes through that device (like my Raspberry Pi at home) first. The school network only sees encrypted traffic going to your home IP - they can't tell what you're accessing or even that you're using a VPN. Your actual web browsing happens from your home connection, which has no restrictions (well, at least not as strong).

sharing

Above I showed that I share my Raspberry Pi exit node out with friends. I do this because it saves them setting one up, and we all use it for the same use case. With the quick internet speeds the Pi has, and the fact that it runs so well, it means that we can all use it at once with no interruptions (I've not experienced anything yet).

can networks block this as a whole?

This is where it goes beyond my knowledge. I'm not sure how far this goes and whether it is or isn't possible to actually block the external connections. As far as I can tell, they can't, but if anyone knows more, feel free to comment under this blog post, or @ me on socials!
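As an added example (not from this post, and not Tailscale's own code), here is a small Python heuristic of the kind a network operator might run over a firewall flow export to surface candidate tunnel flows. It illustrates the point made about the second diagram above: the local network sees only an outer encrypted UDP flow to one home IP, so per-domain blocklists never see the real destinations. The log lines, addresses and the export format are constructed for the example; the facts relied on are that Tailscale's direct peer connections are WireGuard over UDP (default listen port 41641) and that its relay fallback, DERP, runs over TCP 443 to derp hosts under tailscale.com. The duration and byte thresholds are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed firewall flow export (not real log data). One flow per line:
#   proto src:sport -> dst:dport [sni=host] bytes=N dur=SECONDS
SAMPLE_FLOWS = """\
udp 10.20.5.17:51820 -> 82.1.2.3:41641 bytes=184320 dur=3600
tcp 10.20.5.17:52211 -> 142.250.74.46:443 sni=www.google.com bytes=20480 dur=12
udp 10.20.5.17:5353 -> 10.20.0.1:53 bytes=512 dur=1
tcp 10.20.5.18:49152 -> 203.0.113.9:443 sni=derp4.tailscale.com bytes=90112 dur=1800
udp 10.20.5.19:60001 -> 82.1.2.3:3478 bytes=320 dur=2
udp 10.20.5.20:40022 -> 85.6.7.8:8443 bytes=5242880 dur=2700
"""

FLOW_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+sni=(?P<sni>\S+))?"
    r"\s+bytes=(?P<bytes>\d+)\s+dur=(?P<dur>\d+)$"
)

WIREGUARD_DEFAULT_PORT = 41641      # Tailscale's default UDP listen port
# Tailscale DERP relays are named derp<id>.tailscale.com (assumed pattern)
DERP_HOST_RE = re.compile(r"(^|\.)derp[\w-]*\.tailscale\.com$")
LONG_LIVED_SECONDS = 600            # heuristic thresholds (assumptions)
LONG_LIVED_MIN_BYTES = 100_000


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def parse_flows(text):
    """Parse the constructed export format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the export format
        d = m.groupdict()
        flows.append({
            "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "sni": d["sni"],
            "bytes": int(d["bytes"]), "dur": int(d["dur"]),
        })
    return flows


def classify(flow):
    """Return a reason string if the flow looks like a tunnel, else None."""
    if flow["proto"] == "udp" and flow["dport"] == WIREGUARD_DEFAULT_PORT:
        return "udp to Tailscale default WireGuard port"
    if (flow["proto"] == "tcp" and flow["dport"] == 443 and flow["sni"]
            and DERP_HOST_RE.search(flow["sni"])):
        return "TLS to a Tailscale DERP relay"
    # Generic rule: a long-lived, high-volume UDP flow to one public address
    # is what an encrypted tunnel looks like from the outside, whatever port
    # it uses. Short STUN probes (flow 5 above) fall below the thresholds.
    if (flow["proto"] == "udp" and ip_address(flow["dst"]).is_global
            and flow["dur"] >= LONG_LIVED_SECONDS
            and flow["bytes"] >= LONG_LIVED_MIN_BYTES):
        return "long-lived high-volume udp to public address"
    return None


def find_tunnel_candidates(text):
    """Run the classifier over an export and return the flagged flows."""
    return [Finding(f["src"], f["dst"], f["dport"], r)
            for f in parse_flows(text) if (r := classify(f))]


if __name__ == "__main__":
    for f in find_tunnel_candidates(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

The first two rules are cheap but brittle (the listen port can differ, and the relay is only used when a direct path fails); the generic rule catches the tunnel regardless of port but will also flag video calls and games, so it produces candidates for review rather than verdicts. It also explains the observation earlier in the post that blocking tailscale.com does not stop a session that was already established: the block only affects the control-plane lookup, not the running WireGuard flow.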

conclusion

In summary, I use Tailscale as an exit node to bypass our school's dumb blocks and to ensure they're not snooping on me (I'm not doing anything bad/dodgy I swear, it just feels a little creepy that the school/Education department are seeing what I do on my personal devices).

I'm also not advising that you use this in your own situation, I'm only sharing what I've done. Tailscale also has many uses outside of being an exit node. I've posted quite a lot about this before, and in future I may actually write a blog post on what I use it for personally.