(context added on 2022/09/14)
What are you trying to do?
Log into multiple tailscale accounts at once (eg. example@gmail.com and example@example.com) and easy switch between accounts, i.e. improve the "Log in to a different account..." flow on a device, (possibly) without requiring re-authentication. Access only machines on the network you are currently logged into.
FR to access all the machines on both networks simultaneously: #183
How should we solve this?
The basics of this are not that complicated to do purely client side:
- have ipn.Backend start multiple controlclient instances, one per login
- merge the netmaps from the two instances and feed the merged result to wgengine
Complexity arises from specific details:
-
Should we have multiple local IP addresses, one per account? Is that even possible on all platforms? Or should we get help from the control server to assign the same IP address to all accounts? But if we do that, what about accounts with custom IP subnet designations?
-
If we have multiple local IP addresses, there needs to be a good way to choose which local IP address to use for a given outgoing connection. (Based on routes?)
-
If we use a single local IP address, this could violate users' privacy expectations. Their distinctive identities end up tied together in the control server. It's a lot more elegant if we can support multi-login entirely client side.
-
If two accounts export the same subnet routes (--advertise-subnets), you can get conflicts between them.
-
If two accounts have different DNS overrides, they can conflict. (This isn't so bad if we use the DNS settings only for particular subdomains rather than globally.)
-
Corporate admins may not like the idea of a single machine being on both the corporate and non-corporate networks at once (although it's probably not as bad as being on both the Internet and the corporate network at once.)
(context added on 2022/09/14)
What are you trying to do?
Log into multiple tailscale accounts at once (eg. example@gmail.com and example@example.com) and easy switch between accounts, i.e. improve the "Log in to a different account..." flow on a device, (possibly) without requiring re-authentication. Access only machines on the network you are currently logged into.
FR to access all the machines on both networks simultaneously: #183
How should we solve this?
The basics of this are not that complicated to do purely client side:
Complexity arises from specific details:
Should we have multiple local IP addresses, one per account? Is that even possible on all platforms? Or should we get help from the control server to assign the same IP address to all accounts? But if we do that, what about accounts with custom IP subnet designations?
If we have multiple local IP addresses, there needs to be a good way to choose which local IP address to use for a given outgoing connection. (Based on routes?)
If we use a single local IP address, this could violate users' privacy expectations. Their distinctive identities end up tied together in the control server. It's a lot more elegant if we can support multi-login entirely client side.
If two accounts export the same subnet routes (--advertise-subnets), you can get conflicts between them.
If two accounts have different DNS overrides, they can conflict. (This isn't so bad if we use the DNS settings only for particular subdomains rather than globally.)
Corporate admins may not like the idea of a single machine being on both the corporate and non-corporate networks at once (although it's probably not as bad as being on both the Internet and the corporate network at once.)