I was once in South Africa and needed to look up my prescriptions in the CVS app. I had lost my pills and needed to show a local pharmacist what I needed. CVS geoblocked me. Luckily I had a Tailscale exit node running at home, which solved the problem.
I was on a cruise ship a few weeks ago and realized that, instead of being throttled, a lot of sites were completely blocked. Very irritating. They also do DPI on the cruise ship network so that VPN clients like OpenVPN are blocked regardless of port.
Without a laptop handy, I had to use my iPhone to set up a droplet running Ubuntu, then install vray onto it and configure it to run on port 443. vray uses "standard" SSL to tunnel connections, so to DPI it just looks like normal HTTPS traffic and I was able to pass traffic through the firewall when I needed to access something that was blocked. It makes me wonder if Tailscale would also bypass their analysis, or if it would be blocked as well.
(I didn't abuse this to the detriment of the network, and I did pay for the "streaming package" on sea days when I had a lot of traffic to run)
I've run an SSH server on port 443 to bypass blocking before. Probably wouldn't work if they are _actually_ doing DPI, but a surprising number of networks don't - they just have blocklists and only support port 80 and 443 access.
Wireguard is easy to block. Some VPN providers do implement an obfuscation layer for it, but Tailscale uses plain WG, so if WG is blocked, you will get no connection. Control plane would still work, though.
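As an added illustration of why plain WireGuard is simple to fingerprint (this is my own example code, not anything from the thread or from Tailscale): the classifier below checks only the WireGuard message-type byte, the reserved zero bytes and the fixed message lengths on constructed UDP payloads, which is all a DPI box or a network policy engine needs to see to log or drop the tunnel.

```python
# WireGuard message types (first byte of the UDP payload), per the protocol spec.
WG_TYPES = {1: "handshake-initiation", 2: "handshake-response",
            3: "cookie-reply", 4: "transport-data"}
# Fixed on-the-wire lengths of the three handshake/cookie messages.
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}

def classify_wireguard(payload: bytes):
    """Return the WireGuard message name if the UDP payload matches the
    plain-WireGuard wire format, else None. Only header shape and length
    are checked; nothing is decrypted, which is exactly the point."""
    if len(payload) < 32:
        return None
    msg_type = payload[0]
    # The three bytes after the type are reserved and must be zero.
    if payload[1:4] != b"\x00\x00\x00" or msg_type not in WG_TYPES:
        return None
    if msg_type in WG_FIXED_LEN:
        return WG_TYPES[msg_type] if len(payload) == WG_FIXED_LEN[msg_type] else None
    # Transport data: 16-byte header + 16-byte-padded ciphertext + 16-byte tag,
    # so the total length is always a multiple of 16 (32 bytes for a keepalive).
    return WG_TYPES[4] if len(payload) % 16 == 0 else None

def scan_flows(flows):
    """flows: list of (src_ip, dst_port, payload). Returns the flows whose
    datagram looks like a WireGuard handshake initiation, i.e. the event a
    firewall policy would log or block."""
    return [(src, port) for src, port, pl in flows
            if classify_wireguard(pl) == "handshake-initiation"]

# Constructed sample datagrams (not real captures): a WireGuard handshake
# initiation, a WireGuard keepalive, a TLS-record-looking payload, plain text.
SAMPLE_FLOWS = [
    ("10.0.0.5", 51820, b"\x01\x00\x00\x00" + b"\x00" * 144),
    ("10.0.0.5", 51820, b"\x04\x00\x00\x00" + b"\x00" * 28),
    ("10.0.0.7", 443, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03" + b"\x00" * 32),
    ("10.0.0.9", 53, b"hello"),
]

if __name__ == "__main__":
    for src, port, pl in SAMPLE_FLOWS:
        print(src, port, classify_wireguard(pl))
    print("WireGuard initiators:", scan_flows(SAMPLE_FLOWS))
```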
Intriguingly, my work network (both guest and employee networks) blocks OpenVPN, commercial VPN (Proton I use, plus a couple of others I tried just as an experiment), and Tailscale authentication, but if the device is already authenticated to the tailnet, it will continue to work. Turns out that work uses the same ISP my home does, so perhaps that's part of it, but I have another TS exit node running at my in-laws' house (so I can remotely maintain their network, and so I can get out to the Internet via TS even if my home is down), and they're in another state with a different ISP.
I haven't actually tried this when my home service is down, because it's basically never down, but I can easily switch exit nodes when they are both running without hitting the authentication servers again.
It's easy to block the control plane because Tailscale has endpoints listing all current control and DERP servers. On Linux you can use a SOCKS proxy for control plane traffic, if connections still work. Some firewalls are really restrictive.
I can understand the work network policy; someone could use Tailscale to leak data. But a residential ISP should not block it. I would rather bother their support for an incomplete service.
My residential ISP does not block it. My issue with work isn’t that they block it on employee WiFi, it’s that they block it on the guest network too. Our nanny software is rather extreme - blocks, for example, alcohol-related sites. Which in a sense is fine, because I don’t need to read up on whiskey at work, but it also often blocks restaurant sites.
I'm pretty sure it would work. From my testing, Tailscale works where Shadowsocks, plain Wireguard and any other VPN don't. And it also works to pierce through the great F*W, which was actually really surprising. I suppose Tailscale has DERP and other nodes in Cn too?
Another data point: I was at Doha airport recently and logged into their public WiFi. Unfortunately, they seemed to be MitM'ing certain connections, mostly to well-known domains. To work around this, I tried setting up Mullvad (which I had used occasionally in the past) but they downgraded Mullvad.net to HTTP, too. Thankfully, I had Tailscale already set up and I could easily book their Mullvad package and add Mullvad as an exit node to my Tailnet. Problem solved.