briHass 4 days ago

I'm a fan of TS and have been a paying customer for work infra for almost a year now. It really is well put together and easy to use, but I do run up against some issues/complaints when diving deep that I hope they can work out:

* The pricing tiers and included features by tier penalizes you in frustrating ways. The base plan is a reasonable $6/user/m, but if you want to use ACLs to control anything in a workable way, it jumps 3x to $18/u/m. Better solutions are available for that kind of money, and I shudder to imagine what the next tier ('call us') costs.

* Subnet routing broke on Ubuntu (maybe other distros) recently, and there were no alerts, communication from TS, or TS tools to pinpoint/figure out what was going on. I stumbled on a solution (install subnet router on a Windows box), and from there I searched and found others with that issue. Lost half a day in emergency mode over that!

* Better tooling to determine why it's falling back to DERP instead of direct for remote clients. DERP relays should be an absolute last resort to provide connectivity for Business-plan-level customers (very slow), and the way TS works just assumes any connectivity is fine.

Overall, the simplicity and abstraction of complex VPN networking is wonderful, but if you have issues or advanced needs, you are immediately thrust into the low-level UDP/NAT/STUN world you were trying to avoid. At that point, you're better off using a traditional VPN (WG, OpenVPN, or heaven forbid, IPSec), because it ends up being more straightforward (not easier) without the abstractions and easy-button stuff.

  • smashed 4 days ago

    > * Better tooling to determine why it's falling back to DERP instead of direct for remote clients. DERP relays should be an absolute last resort to provide connectivity for Business-plan-level customers (very slow), and the way TS works just assumes any connectivity is fine.

    Tailscale touts all the perf benefits of the WireGuard protocol, but in practice, between the userland WireGuard that seems to be used all the time on all platforms (even Linux) and the over-reliance on DERP, it has none of the performance benefits of the real thing.

    • diegs 3 days ago

      I thought they vastly improved user-space wireguard performance?

      https://tailscale.com/blog/more-throughput

      Not sure if the kernel implementation pulled ahead again, I don't really follow these things.

      Also not defending tailscale, I respect them but I agree they are a one size fits some solution.

    • miki123211 4 days ago

      They also seem to be needlessly doing DERP over TCP in some cases where UDP would actually work.

  • hashworks 4 days ago

    > I shudder to imagine what the next tier ('call us') costs.

    There is no enterprise tier; instead you pay for any additional features you need. I.e. log streaming is $2/month/user and SSH recording is $3/month/user.

  • rjgray 4 days ago

    Do you mind sharing the better solutions you'd consider at the higher price point?

    • cbzbc 4 days ago

      zerotier maybe?

      • alexjurkiewicz 4 days ago

        There's nothing about ZeroTier's solution which deserves a higher price point than Tailscale. As a long-time user, ZT's administration UI is much worse and the product has been essentially unchanged for a decade.

        Better solutions would be things that make the VPN invisible, rather than 'easy'. Tools such as Teleport, IOW.

  • atomicnumber3 4 days ago

    >$6/user/m, but if you want to use ACLs to control anything in a workable way, it jumps 3x to $18/u/m.

    It's market segmentation, needing ACLs is a sign you're at least an SMB, and to a business of nearly any actual size, the difference between $6/user and $18/user is 0.

    • TorKlingberg 4 days ago

      > difference between $6/user and $18/user is 0

      I wouldn't go that far. Big companies put a lot of effort into saving $12/seat.

      But, if you can convince them they get >$18 of value from it they're usually happy to pay. With hobbyists it's more emotional. $6 is "just a coffee" and can be justified just to try it out. At $18/m it is one of your household bills, and many will decide they enjoy watching Netflix more than messing around with Tailscale.

    • wkat4242 4 days ago

      Uh I work for an enterprise of tens of thousands of users and $18 a month is not nothing for us. In fact considering the discounts we get at our size that would be so high we'd never consider it.

      We don't even use Windows Enterprise for the same reason; we have legacy Office 365 plans and lifetime Windows licenses without the M365 add-ons because it saves us a few bucks per head. At our size, a few bucks a head quickly add up to millions per year. Microsoft keeps trying to dissuade us and they even pretend Office 365 plans don't exist anymore ("Office 365 is now Microsoft 365") but they do: https://www.microsoft.com/en-us/microsoft-365/enterprise/off... . The same with their Copilot stuff. $30 is a non-starter. Our users want it but nope (and we did a trial in one big team and only 10% actually bothered to use it after the first month, so I think it's more the idea of it that they want rather than the actual product).

      We don't use Tailscale but $6 would be feasible where $18 would be a complete nonstarter.

      In fact our company is a lot more cost conscious than I am as a consumer.

      • darkstar_16 4 days ago

        At that scale, you need the "Call us" plan. No one at that scale is paying full price.

      • lmeyerov 4 days ago

        Enterprise math is interesting --

        For a global all-you-can-eat enterprise-wide rollout:

        * base: 20K users x $200/yr

        * 50% discount: volume + multi-year + ...

        => enterprise: $1M/yr

        => 200 person division in the enterprise: $10K/yr

        It's not cheap, but averaging out a global rollout, not terrible afaict

        (This is super rough. Ex: Add in BYO hardware, internal staffing, pro serv, and who knows the real discounting!)

        • wkat4242 4 days ago

          Yeah no idea of the discounts there nor of how much we spend on our current VPN provider (I don't work in that team). I guess for a VPN they might have higher spending limits as a VPN is always required to be on on all of our endpoints.

      • osigurdson 3 days ago

        >> Uh I work for an enterprise of tens of thousands of users and $18 a month is not nothing for us. In fact considering the discounts we get at our size that would be so high we'd never consider it.

        This doesn't make sense to me. It shouldn't matter if you are a small company or a large one, a few bucks per person per month is noise. I get trying to leverage scale to get a better price, but if something saves time / money, a company shouldn't refuse it just because they are large. Whoever is gatekeeping these decisions is ultimately eroding the company's value.

      • gizmo 4 days ago

        All too often it's those companies that worry excessively about saving a few dollars that also have meetings for everything, glacial decision making, poor strategic focus, tons of internal politics, and so on.

        • wkat4242 4 days ago

          Some of that we have, yes. Glacial decision making definitely. Internal politics crap too. Meetings not so bad though (and especially flying all over the world for business meetings is heavily frowned upon since 2015, which is great because I always hated that).

          Strategy is pretty good I think. And they are also not backing down on inclusivity and sustainability despite the threats from Trump (companies with inclusivity aren't allowed to do business with the US govt blahblah). We're an EU company but this worried me a bit (I'm heavily involved in the inclusivity program). But they've already said they are absolutely not giving in on that point.

    • dexterdog 4 days ago

      Um, it's 3x the cost to get one feature. By your logic they should be charging $100/user/mo for the feature since that must also be the same. This is typical "enterprise" nonsense pricing and it will absolutely drive some adopters to look elsewhere.

      • dewey 4 days ago

        It's a perfectly valid part of a pricing strategy to drive people away if they are not the customers you want.

        • nativeit 3 days ago

          Namely, customers too stupid to know how to use something else, and/or customers you’ve managed to lock-in sufficiently to make them too scared to do so. I guess that’s a good strategy if you hate what you do and the people you do it for.

      • nativeit 3 days ago

        I have been using ZeroTier for a few years with great success. It’s not an Enterprise, but for my lil’ shop I get 100 endpoints for $0.10/ea/month, and that includes all features.

    • imtringued 3 days ago

      It's zero for small businesses with a dozen employees. The moment you have a large business you run into an obvious problem: only a subset of your employees actually use the software, but if even a single user needs a higher tier you have to upgrade all users.

  • ErigmolCt 4 days ago

    I really hope with this funding they can improve observability and give more love to power users who occasionally need to dig deeper without going full bare metal.

  • lo0dot0 4 days ago

    > NAT/STUN world you were trying to avoid

    The clean way to build this is with firewall configuration, opening ports, and static IPs. NAT/STUN and dynamic IPs are just a hack and I don't understand why people pretend this is an acceptable solution for professional networking. Working around an infrastructure that isn't a natural law but can be changed at our will seems like a big waste of time.

    • supermatt 4 days ago

      > I don't understand why people pretend this is an acceptable solution for professional networking

      Because it IS acceptable for many cases.

      Many businesses don't operate in such a way as to have centralised infrastructure solely for providing internal networking, nor would they want to add the additional administrative or unnecessary routing overhead.

      Even locations that would traditionally be considered highly centralised often have some form of dynamic network fabric as an overlay. Pretty much the entirety of cloud infrastructure runs on such systems, and they seem to do OK.

      • lo0dot0 4 days ago

        Also, DERP relays having QoS that isn't controlled by myself, where I have to hope to get bandwidth through, doesn't exactly make me confident about the solution.

        • supermatt 4 days ago

          Sure, but your data is only getting relayed through DERP servers if it can't otherwise establish a direct p2p connection. This can usually be resolved at either side of the connection - if you know about it (which is what the parent was suggesting could be made more clear).

          As for your bandwidth concerns in the case of needing to relay, you can even set up your own relay (https://tailscale.com/kb/1118/custom-derp-servers), which would satisfy your desire to be more centralised (I guess you could force all traffic through it, but can't think why you would want to) while still allowing the flexibility of the overlay that tailscale provides.
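A small check for the "if you know about it" point above, and for the top comment's wish for tooling that shows why a peer is on DERP instead of direct. This is an added example, not Tailscale's own code; it assumes the `Peer`, `HostName`, `Online`, `Active`, `Relay` and `CurAddr` fields of `tailscale status --json` carry the meanings the human-readable `tailscale status` output gives them (`CurAddr` is the direct endpoint in use and is empty while traffic goes via the DERP region named in `Relay`).

```python
import json
import subprocess
import sys

# Constructed sample shaped like `tailscale status --json` output (not captured
# from a real tailnet). Only the fields the classifier reads are included.
SAMPLE_STATUS_JSON = """
{
  "Peer": {
    "nodekey:aaaa": {"HostName": "build-box", "Online": true, "Active": true,
                     "Relay": "fra", "CurAddr": "203.0.113.7:41641"},
    "nodekey:bbbb": {"HostName": "ubuntu-router", "Online": true, "Active": true,
                     "Relay": "nyc", "CurAddr": ""},
    "nodekey:cccc": {"HostName": "laptop", "Online": true, "Active": false,
                     "Relay": "lhr", "CurAddr": ""},
    "nodekey:dddd": {"HostName": "old-nas", "Online": false, "Active": false,
                     "Relay": "", "CurAddr": ""}
  }
}
"""


def classify_peers(status_json: str) -> dict:
    """Map each peer's HostName to its current data path.

    Mirrors the decision the human-readable `tailscale status` makes when it
    prints "direct <addr>" or "relay <region>" for a peer (assumption: Relay is
    the peer's preferred DERP region, CurAddr the direct endpoint in use).
    """
    status = json.loads(status_json)
    paths = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online", False):
            paths[name] = "offline"
        elif not peer.get("Active", False):
            # No recent traffic: no path has been chosen yet, so a Relay value
            # here does NOT mean the peer is stuck on DERP.
            paths[name] = "idle"
        elif peer.get("CurAddr"):
            paths[name] = "direct"
        elif peer.get("Relay"):
            paths[name] = "relay:" + peer["Relay"]
        else:
            paths[name] = "unknown"
    return paths


def relayed_peers(status_json: str) -> list:
    """Peers whose active traffic is currently going through a DERP relay."""
    return sorted(name for name, path in classify_peers(status_json).items()
                  if path.startswith("relay:"))


if __name__ == "__main__":
    # `--live` reads the real local client; otherwise the constructed sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        raw = subprocess.run(["tailscale", "status", "--json"],
                             capture_output=True, text=True, check=True).stdout
    else:
        raw = SAMPLE_STATUS_JSON
    for name, path in sorted(classify_peers(raw).items()):
        print(f"{name:20s} {path}")
    print("on DERP:", relayed_peers(raw))
```

Peers reported as `relay:<region>` are the ones to investigate with `tailscale netcheck` (local NAT/UDP situation) and `tailscale ping <peer>` (which reports whether the reply came direct or via DERP).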

          • lo0dot0 3 days ago

            I never said I had a desire to be more centralised. I just said that static IPs and open ports remove the necessity for hole punching/STUN. You can have multiple sites without a central and all use static IPs and open ports.

            • supermatt 3 days ago

              I was replying to your comment about you wanting to control QoS for relaying.

      • lo0dot0 4 days ago

        Dynamic IP addresses typically also have a forced disconnect at a regular interval. Not really what I want to host services on.

        • supermatt 4 days ago

          That seems like even more reason to use an overlay - it abstracts all that instability away and gives you a consistent, secure network regardless of what the underlying IPs are doing. Obviously peers can have static IPs too if you think that makes them more stable to routing changes (it doesn't).

          • lo0dot0 3 days ago

            Do you really think that a tailscale VPN is necessary to deal with link failures? It is not; BGP and SD-WAN or MPLS L2 VPN can do that.

            • supermatt 3 days ago

              I didn't mention Tailscale. I said "overlay", and both SD-WAN and MPLS L2 VPN are overlay networks.

              • lo0dot0 3 days ago

                Idk what you mean with routing instability. Changes to routing as a result of failures are a feature not the problem.

                • supermatt 3 days ago

                  You said "Dynamic IP addresses typically also have a forced disconnect at a regular interval.", which is false in pretty much every DHCP scenario I have ever seen.

                  A change in an IP lease should result in no downtime whatsoever, because addressing is not the same as routing. A routing change would have exactly the same effect on a static IP.

                  I then pointed out that an overlay network means you don't have to worry about that anyway.

                  I think you need to reread whatever comments you think you are responding to, as there is clearly something out of sync with your replies.

    • udev4096 4 days ago

      Who said you can't do both? NAT makes things easier and you can still properly configure your firewall to keep track of all the NAT traversal rules.

  • fidotron 4 days ago

    > Overall, the simplicity and abstraction of complex VPN networking is wonderful, but if you have issues or advanced needs, you are immediately thrust into the low-level UDP/NAT/STUN world you were trying to avoid.

    This is my experience too.

    I actually came to believe the TS dream of device based VPN as opposed to AP or router based is the wrong thing because it gets confused by subnets and subnet routing so often, but also that the big security problem on networks is bad devices which it's not going to help you with unless you can wrap them up anyway.

    That's one of the reasons I started playing with AP to AP real time video like https://github.com/atomirex/umbrella which is a nightmare case from the TS pov. The intention is to eventually wrap clients up on separate networks so they can only see each other via the (locally run) relay.

elAhmo 4 days ago

When I saw the new round, I was instantly worried about change in direction that will most likely come with this, and effectively drive away regular users from a tool that seems universally loved.

Similar sentiment can be seen in the discussion from three years ago [1] when they raised $100M.

[1] https://news.ycombinator.com/item?id=31259950

  • pomatic 4 days ago

    When they raised the 100M three years ago, I'm pretty sure they said they didn't need it and were saving it for a rainy day (or words to that effect); always seemed very odd at the time. Two q's for anyone who cares to speculate: have they burnt the original investment already? And if not, why would they need more funding? AFAICS there's no real competition in the market place for their product today; the only thing I can conceive is that they have a secret 'tailscale 2' project in the wings which is massively developer or capital intensive. Let's hope it is nothing related to AI bandwagoning :-)

    • api 4 days ago

      You can't raise VC money and save it for a rainy day. If VCs wanted their money in a bank they'd just put it in a bank.

      If you raise $100M you have to put $100M to work or you'll hear constant shit from your board over it.

      If they raised $160M they're going to spend $160M on something. My guess would be a lot of enterprise features and product integrations.

      • crmd 4 days ago

        Thank you. I’ve lost count of how many times I’ve had to write “we don’t need the money but are saving for a rainy day” CEO talking points and press releases for companies that were < 90 days from not being able to make payroll.

        • ytpete 4 days ago

          I guess technically they weren't lying, just holding back on disclosing that they already knew a rainy day was coming and it was coming very soon...

          • crmd 3 days ago

            In my experience, many if not most tech executives don’t believe in the concept of truth vs lying. There are only “competing narratives.”

      • groby_b 4 days ago

        That depends entirely on how you raise the funds. Yes, you can say "Here's the growth rate we'd get without your money - based on that, this investment gets you an ROI of x%."

        With x% high enough, sure, you can get VC money without too many strings. (Also, reading the Series B post, they were planning to invest - just in organic growth instead of the usual growth hacking)

        And if you read the Series C post, you'd know what they're spending on - GPU (and general) cloud interconnectivity.

        There's really not much need to guess, Tailscale's financing announcements are about as open as you can get.

        • pomatic 4 days ago

          What is tailscale going to do with GPUs? It's about as far removed from NL interaction as you can get, I really don't see any sane AI fit. Maybe they are using them for AI driven dev work? Probably need to think more laterally.

          • groby_b 3 days ago

            Read. The. Fine. Article.

            • yencabulator a day ago

              The fine article seems to say lots of companies are using Tailscale to connect to servers with GPUs -- nothing in that implies that Tailscale would own the GPUs.

              • PLG88 a day ago

                I think you mean to say:

                The. fine. article. seems. to. say. lots. of. companies. are. using. Tailscale. to. connect. to. servers. with. GPUs. -- nothing. in. that. implies. that. Tailscale. would. own. the. GPUs.

                Besides my joke, you are bang on, nothing implies needing to buy GPUs and based on my knowledge of their product/the space, absolutely no reason to.

      • mgfist 4 days ago

        Not necessarily. You hear plenty of stories of companies who raised money they never ended up needing to touch.

        What matters is why. Is it because growth is so bonkers that your burn stays minimal/zero despite increasing costs? Or is it because you don't spend anything and thus can get by with stable revenue. VCs are very happy with the first, less so with the second.

        VCs would always prefer you get to megascale with less money - the less you raise, the less they get diluted.

      • Jommi 2 days ago

        this is not true at all lmao

        of COURSE you can raise money and not use it.

    • chubot 4 days ago

      Hm OK well thinking out loud, $100M / 3 is $33M / year?

      I don't know much about Tailscale, nor about how much it costs to run a company, but I thought it was mostly a software company?

      I would imagine that salaries are the main cost, and revenue could cover salaries? (seems like they have a solid model - https://tailscale.com/pricing)

      I'm sure they have some cloud fees, but I thought it was mostly "control plane" and not data plane, so it should be cheap?

      I could be massively misunderstanding what Tailscale is ...

      Did the product change a lot in the last 3 years?

      • kenrose 4 days ago

        You're not wrong to think Tailscale is primarily a software company, and yes, salaries are a big part of any software company's costs. But it's definitely more complex than just payroll.

        A few other things:

        1. Go-to-market costs

        Even with Tailscale's amazing product-led growth, you eventually hit a ceiling. Scaling into enterprise means real sales and marketing spend—think field sales, events, paid acquisition, content, partnerships, etc. These aren't trivial line items.

        2. Enterprise sales motion

        Selling to large orgs is a different beast. Longer cycles, custom security reviews, procurement bureaucracy... it all requires dedicated teams. Those teams cost money and take time to ramp.

        3. Product and infra

        Though Tailscale uses a control-plane-only model (which helps with infra cost), there's still significant R&D investment. As the product footprint grows (ACLs, policy routing, audit logging, device management), you need more engineers, PMs, designers, QA, support. Growth adds complexity.

        4. Strategic bets

        Companies at this stage often use capital to fund moonshots (like rethinking what secure networking looks like when identity is the core primitive instead of IP addresses). I don't know how they're thinking about it, but it may mean building new standards on top of the duct-taped 1980s-era networking stack the modern Internet still runs on. It's not just product evolution, it's protocol-level reinvention. That kind of standardization and stewardship takes a lot of time and a lot of dollars.

        $160M is a big number. But scaling a category-defining infrastructure company isn't cheap and it's about more than just paying engineers.

        • kortilla 4 days ago

          > but it may mean building new standards on top of the duct-taped 1980s-era networking stack the modern Internet still runs on.

          That’s a path directly into a money burning machine that goes nowhere. This has been tried so many times by far larger companies, academics, and research labs but it never works (see all proposals for things like content address networking, etc). You either get zero adoption or you just run it on IPv4/6 anyway and you give up most of the problems.

          IPv6 is still struggling to kill IPv4 20 years after support existed in operating systems and routers. That’s a protocol with a clear upside, somewhat socket compatible, and was backed by the IETF and hundreds of networking companies.

          But even today it’s struggling and no company got rich on IPv6.

          • kenrose 3 days ago

            Totally fair to bring up IPv6 vs. IPv4. However, I think Tailscale’s approach might sidestep some of that pain.

            Avery (Tailscale CEO) has actually written about IPv6 in the past:

                - https://apenwarr.ca/log/20170810 (2017)
                - https://tailscale.com/blog/two-internets-both-flakey (2020)

            IPv6 has struggled in adoption not because it’s bad, but because it requires a full-stack cutover, from edge devices all the way to ISP infra. That’s a non-starter unless you’re doing greenfield deployments.

            Tailscale, on the other hand, doesn’t need to wait for the Internet to upgrade. Their model sits on top of the existing stack, works through NATs, and focuses on "identity-first networking". They could evolve at the transport or app layer rather than ripping and replacing at the network layer. That gives them way more flexibility to innovate without requiring global consensus.

            Again, I don’t know what their specific plans are, but if they’re chasing something at that layer, it’s not crazy to think of it more like building a new abstraction on top of TCP/IP vs. trying to replace it.

          • lo0dot0 4 days ago

            Yes, a move to static IPv6 addresses everywhere would help a lot.

        • croemer 4 days ago

          At least tailscale funnel isn't control-plane-only, unless I'm totally misunderstanding something.

        • lukeholder 4 days ago

          [flagged]

          • dblohm7 4 days ago

            I can confirm that kenrose is an actual human being :-)

            • kenrose 4 days ago

              Can likewise confirm dblohm7 is a real human too :)

      • chrisshroba 4 days ago

        >I'm sure they have some cloud fees, but I thought it was mostly "control plane" and not data plane

        Don't they host the relay servers that are the fallback if NAT hole punching and their other bag of tricks doesn't work?

      • fragmede 4 days ago

        > I don't know much about Tailscale, nor about how much it costs to run a company

        $33m/year is only 33 fully loaded software developers including all overhead like HR and managers and office space, and also a cloud hosting bill.

        33 really isn't that many.

        • johnbellone 4 days ago

          I'd be surprised if the average package for SWE is $1M/year (fully loaded).

          • YetAnotherNick 4 days ago

            Generally package is around half of what company spends per extra engineer. And $500k average for a tech heavy product company doesn't sound too far off.

            • rafram 4 days ago

              > $500k average for a tech heavy product company doesn't sound too far off.

              Tailscale puts salary ranges on their job postings. The salaries aren’t bad, but no, they aren’t $500k.

              • YetAnotherNick 4 days ago

                Didn't know that. It's significantly lower than $500k.

            • nialv7 4 days ago

              Holy hell I need to ask for a raise.

              • klooney 4 days ago

                When people say they get 500k they mean they get paid 200k in salary and got 300k in RSUs, with the details mixed around the edges. ICs aren't getting 500k salary except in a few rare cases.

            • xeromal 4 days ago

              Funny enough, you could double that to 70 engineers and that's still a TINY amount of engineers.

            • MrDarcy 4 days ago

              This is just wrong. What exactly do you think companies are spending 500k on per engineer beyond the TC package?

              • andruby 4 days ago

                HR, marketing, sales, management, office space, servers, licenses, insurance, etc.

                It seems on the high end, but not too unrealistic.

                • hug 4 days ago

                  It’s wildly and hugely unrealistic.

                  The rule of thumb that employees actually cost a business roughly twice their salary is based on two things:

                  1. Retention. Hiring costs are “huge”, and so if you have a higher or lower average retention, may make up a disproportionate cost compared to salary. Ramp up time and institutional knowledge loss is no joke either.

                  2. A spread of average wages. 500k is not average, and a huge number of the costs are relatively fixed. $1,000 a month worth of software licensing isn’t an uncommon number and is fully 1/3 of the salary of a $3k a month or $36k/year junior clerk. It’s peanuts when you look at it next to a $500k/year salary. It may be that the clerk is, all in, costing the company 3x their salary after indemnity insurance and so on. The dev will never reach 10%.

                  • purplepatrick 4 days ago

                    Non-salary costs such as payroll taxes, benefits, workers comp, training, equipment and space add another 25-50% typically.

                • jesseendahl 4 days ago

                  I haven't traditionally seen these areas of spend rolled into Eng costs in the budgeting process.

                • Loudergood 4 days ago

                  US Health Insurance is stupid expensive as well.

                  • xeromal 4 days ago

                    It's really not at scale. It's on the order of $500 a month per dev for "gold" level care for a company of 50 people. I'm sure it's less the larger you get.

                    • dgoldstein0 4 days ago

                      It might depend on the state and the age pool, but I have to pay a percentage and based on that it's more like $10k/year. So you are almost 2x undercounting.

                      ... But maybe if the average employee of a company is 25 they could get a better deal

              • hiddencost 4 days ago

                Nope. 2x total comp is standard fully loaded cost.

          • udev4096 4 days ago

            This might be true for HFT companies. They usually start at 200-300k and mid senior engineers probably make close to a million

        • anilakar 4 days ago

          33M would be 33 software consultants each making 250k a year.

    • fragmede 4 days ago

      There might be other things going on in the US that you could maybe possibly have heard about, and investors are looking for different places other than the US stock market to invest their money, and Tailscale is looking to have a war chest because of the exceedingly possible case that we're headed into a global recession.

    • PLG88 a day ago

      There is tons of competition for Tailscale. It's 'just' an easier to use VPN with a great GTM execution. I think they need more money as they need to fundamentally re-architect their solution to sell into the enterprise use cases that their valuation requires.

    • kortilla 4 days ago

      > AFAICS there's no real competition in the market place for their product today

      What does this mean? They are competing with regular legacy VPNs for sure. Despite tailscale existing for the last 4 years, none of the large corporate clients even got close to it. They were all on junk from Cisco, Palo Alto, to connect employees to corp net. A “cutting edge” one might use cloudflare warp.

      You might be right that there isn’t much competition for pure distributed, but it turns out the market for that is actually quite small and it’s for people who can’t afford dedicated IPs or cloud instances.

      Raising money here is a bad sign IMO unless it’s for a completely new product that requires servers at exchanges to eat CDNs like cloudflare’s lunch.

      • PLG88 a day ago

        There is tons of competition depending on how you want to attack the problem. Tailscale's problem imho is that their product does not scale well as required by large enterprises. One could argue nor do traditional VPNs, but they are already in place and working, so that product config already works, no need for change. The market is massive, but you need to be at a high abstraction layer in my opinion, so that you can replace far more than just the VPN.

    • refulgentis 4 days ago

      I still don't know what it is and I've been reading about it for N years here. On some level, it's healthy to take capital.

  • braginini 4 days ago

    Try netbird which is an open-source alternative to free yourself from worries xD https://github.com/netbirdio/netbird

    • arcanemachiner 4 days ago

      I've always been on the outside looking in, so I've never used Tailscale or its open-source brethren.

      Would this service be comparable to Headscale[0]?

      [0] https://github.com/juanfont/headscale

      • acheong08 4 days ago

        Headscale is server only. Netbird is the whole stack (basically does the same thing but completely different software/implementation)

        • bjackman 4 days ago

          But the tailscale client is open source too

          • Imustaskforhelp 4 days ago

            Doesn't that also then make tailscale completely open source?

            • bjackman 2 days ago

              No their "real" backend is proprietary. Headscale is a separate implementation that they also maintain. It's intended for self-hosting your individual Tailnet. I'm assuming if you tried to use it as a corporate VPN you would run into limitations.

              Their clients for proprietary OSs are at least partly proprietary too.

              To be honest I find this all a very reasonable set of compromises. It means I'm comfortable using their proprietary service without feeling like I'm getting locked into a completely closed ecosystem.

            • udev4096 4 days ago

              What? The original coordination server, which is not running headscale, is closed source so yes, they are still a closed source company

          • pilif 4 days ago

            Not on Windows and iOS. And on the mac, the most useable client isn’t open source either.

    • regisso 4 days ago

      I highly recommend netbird, after using it for two years. The whole stack can be self-hosted, is open source, and is developed by a European-based company.

    • resiros 4 days ago

      I use it personally for my home network. Very easy to use and quite mature. I'd highly recommend it.

    • 650REDHAIR 4 days ago

      Thank you for sharing this link!

      I was about to slog through AI search results looking for an alternative.

      • drcongo 4 days ago

        I've been tracking this space for a while just out of annoyance that Tailscale offers ssh on the free tier, then not on the "starter" paid tier. Netbird is by far the best of the alternatives that I've tried.

        • mkl 4 days ago

          Have you tried ZeroTier? Their free plan's been working well for me. I haven't tried NetBird.

        • stavros 4 days ago

          Can you comment a bit on what you liked about them, especially compared to Tailscale?

          • drcongo 4 days ago

            Well, it's important to start with saying I didn't like it as much as Tailscale, but I liked it a lot more than any of the others I tried. The UI for their dashboard is very good and getting it up and running was pretty trouble-free, though the docs could be a little better.

            • stavros 4 days ago

              Ah, that makes sense, thank you!

        • CharlesW 4 days ago

          Their Personal Plus (the non-business "starter" plan) does offer SSH, FWIW.

  • specialp 4 days ago

    There are plenty of enterprises that will pay them to run their services and provide better integrations while allowing open source users to continue. Now people will get upset because some of these things will be for those customers only but it is very hard to keep developing these things and give them out for free. Partially open source still allows those to extend the work they give to the community and they will probably still continue to have a free tier to get more enterprise customers in the end.

  • ilrwbwrkhv 4 days ago

    This is mostly so that the founders can take some money off the table. The founders probably have $10 million cash after this and don't have to worry about rent ever again.

    • tptacek 4 days ago

      The founders of Tailscale probably weren't too worried about rent before Tailscale.

      • ilrwbwrkhv 4 days ago

        Why? Did they have a previous exit?

        • vvillena 4 days ago

          IIRC they were senior engineers from Google.

  • Valord 4 days ago

    I share your concerns.

burningion 4 days ago

Tailscale is great. I think of it as a Swiss Army knife for easier routing and connectivity.

I use it in projects to stream internet / connectivity from my phone to the NVIDIA Jetson line, making my robotics projects easily accessible / debuggable:

https://github.com/burningion/bicyclist-defense-jetson?tab=r...

  • tonyarkles 4 days ago

    That was our initial use case for Tailscale as well. May 2020 we started growing a team and needed a really smooth remote access solution for a bunch of Xaviers... and we weren't allowed to be in the same room together :)

  • syntaxing 4 days ago

    Off topic but rerun.io is really cool. Never heard of it until I saw your project. Do you know if it does "replay" kinda like rosplay?

    • burningion 4 days ago

      Yes, rerun does replay, that was my main use case when prototyping.

      They've since raised more funding recently, and have larger use cases in mind for robotics: https://rerun.io/blog/physical-ai-data

      I've spoken with members of the team, and they're all great. Wouldn't hesitate to use the product / work with them anywhere.

      • syntaxing 4 days ago

        I can't seem to find the replay function. As in replaying the sensor data as if it was "live". Would you happen to have a link to this feature?

        • nikonp 4 days ago

          Rerun co-founder here. Rerun doesn't have replay in the sense of you send messages in and can play back the same messages in the same order later. We have playback in the sense that you can play it back in the viewer. We also have APIs for reading back data, but it's more focused on dataframe use cases rather than sending you back messages.

          • syntaxing 4 days ago

            Thanks for the clarification!

    • ilrwbwrkhv 4 days ago

      +1 rerun is great and they also make egui.rs, one of the best immediate mode graphics libs.

otterley 4 days ago

How is Tailscale going to achieve at least $1B in annual revenue? That’s the kind of promise that would have to be made to investors in order to raise funding of this magnitude.

  • runako 4 days ago

    $1B annual revenue is ~4m business users. This is considerably smaller than e.g. Zscaler or Okta. It's a big goal, but achieving it does not require them to sign a majority of businesses or build a monopoly.

  • datadrivenangel 4 days ago

    Become the provider of choice for enterprise IT networks or get bought by Azure?

    • throw16180339 4 days ago

      My prediction is that they'll be bought by Cisco.

      • tuananh 4 days ago

        It would fit in very well with the Cisco ecosystem.

    • john2x 4 days ago

      We’re like trading cards to these people

  • borski 4 days ago

    I imagine this was, at least in part, part of the pitch deck.

  • mountainriver 4 days ago

    Easily, Tailscale solves one of the hardest problems in software.

    • PLG88 a day ago

      Do they? What does it do that nothing else does?

  • baq 4 days ago

    One would hope they’d create something like Google drive except you own your stuff that people would pay for.

LWIRVoltage 4 days ago

I just this past weekend was looking into setting up a personal networking solution- and looked hard at Tailscale and their competitors. I do not like- that Tailscale has chosen to only allow SSO sign-in - as that forces one to have a Microsoft, GitHub [MS], Google, or Apple account- and I presume that leaves one at the mercy of those companies for the free option.

I will probably eventually cave and use my main account from one of those companies since creating true secondary accounts can be difficult (they end up tied back to your main account on the backend usually, so if something happens to one or the company does something- it'll affect everything and building separation is not easy.) - But I dislike that sort of design.

  • cab11150904 3 days ago

    > t weekend was looking into setting up a personal networking solution- and looked hard at TailScale and their competitors. I do not like- that Tailscale has chosen to only allow SSO sign-in - as that forces one to have a Microsoft,Github[MS], Google, or Apple account- and I presume that leaves one at the mercy of those companies for the free option.

    What is going on with your sentences man.

suralind 4 days ago

Off-topic, but it makes me laugh that companies will list their “investors”, “advisors”, etc. on their company page, but not the people working there.

That said, Tailscale is one of the products that just works.

  • Carrok 4 days ago

    As someone who currently has their photo on a company's 'About Us' page, I hate it. Why does anyone care who the nth developer is? Let me just do my job without forcing me to be publicly listed for spammers and scammers to target me.

    • pestaa 4 days ago

      I do in fact care about the nth developer when I visit about us pages.

      Maybe a slight bias on my part as I'm a developer and not an investor.

      And not that funding or advising is less important, but it's a nice feeling connecting a product I like to faces who make it happen.

    • duped 4 days ago

      It's super useful to potential hires about the kind of team you're building. Especially if there's some kind of niche you're in (product, tech, region, whatever). There are people who I would climb mountains to work with, and others within a niche whose very presence in a company is enough to steer me away. Another signal for me is the fraction of xooglers in the engineering team.

      • justmarc 4 days ago

        You could look up all the details you need and more on LinkedIn.

      • wpietri 4 days ago

        > Another signal for me is the fraction of xooglers in the engineering team.

        In which direction?

    • guappa 4 days ago

      Because it's so cool when I go "oh hey I know that guy!"

  • freedomben 4 days ago

    I agree it's silly, but worth noting is that the target audience for those pages are usually:

    1. Potential customers

    2. Potential investors

    Both groups are a lot more swayable by social proof from seeing the "investors" than the devs, as they infer a lot of credibility based on who has funded you. Similarly, that's why you often see big company logos on marketing pages, because it makes other customers more likely to buy. "<xyz> is too big to be wrong about this product"

  • Hamuko 4 days ago

    I think my employer decided to remove all non-executives at some point to ward off headhunters. Not sure how much it helps considering everyone's on LinkedIn.

  • groby_b 4 days ago

    TBF, the folks who get actual value out of knowing who works at Tailscale already know who works there :)

    They're not exactly secretive, there's just little value to have it on the main company page. (And if you just want pictures, https://tailscale.com/careers has that too.)

  • ErigmolCt 4 days ago

    Feels like tech companies treat engineers like implementation details until they need to hire more of them.

  • PeterStuer 4 days ago

    Companies hide their employees, especially the real value-adding ones, for fear of them getting poached.

  • tptacek 4 days ago

    I think they might be operating at a scale that breaks those kinds of pages at this point? Not literally, of course, just they're past the point where the page makes sense.

    • jedberg 4 days ago

      Cloudflare still has their about page with thousands of people:

      https://www.cloudflare.com/people/

      • xyst 4 days ago

        lol - wonder if HR or whoever maintains this site just scrapes the internal directory to generate this page.

        Names/photos are not even clickable. Just first names and a photo.

        That's so Cloudflare.

        • jackietreehorn 4 days ago

          It used to have last names, but it became a security concern. It is ordered by seniority.

    • Valien 4 days ago

      You can always find a lot of us on LinkedIn :D {I work at Tailscale}

  • ShakataGaNai 4 days ago

    Eh. Investors/advisors don't change that frequently. And often people will go "oh? Sequoia generally invests in good companies, they invest in X? They might be worthwhile to buy/work for".

    Putting people on the website is very variable. Do you update the website every week or two when someone comes or leaves? Well, that's awkward if someone is fired.

    You get to 100 people, then 200 people. Now what do you do? Remove everyone? Only put people on above a certain level? What do you do when someone asks you not to be listed? Or when John becomes Jane, but doesn't want to be super duper public about it?

    Or, when your company gets media attention and now the moment you add/remove someone from the website you get news or social media posts about it?

  • xyst 4 days ago

    This is a press release targeted by rapacious capitalists. By mentioning other big named investors, you keep the grift going and continue securing future funding until IPO.

debarshri 4 days ago

It is commendable that TS has created a market in an already crowded marketplace of VPN tools. They're competing with Palo Alto, Netskope, Check Point, and Cisco, to name a few.

One key understanding from my brief market experience is that you must build a firewall or router if you really want to own the VPN market. The way the sale is done is that the vendor goes in with the firewall, router, and switch, offering office space connectivity with the infrastructure and various network locations and upselling the VPN. This often accounts for the subpar quality of VPN software. There is a trend called SASE, which includes technologies like TS; people are questioning the enterprise value of SASE. Netskope and Cato Networks are some examples.

I believe that their enterprise journey will be challenging, given the players' extensive experience in upmarket sales. Although TS appears appealing and has potential for improvement, the GTM is entirely unique for enterprise. You need to build a reseller network, system integrator partners, high-value customizations, etc.

If you decide to embrace the security positioning, you must have a diverse portfolio of products. If you model the org. around Palo Alto et al., you need a huge diversity of products: VPN, hardware, cloud security tools, app security tools, etc., as the ICP (CISO) is trying to optimize their allocated budget. People in enterprise are ok with good-enough products as long as they meet compliance standards, fit the budget, and do not disrupt operations.

It could be that they might acquire a bunch of companies with this capital.

ignoramous 4 days ago

> When we started Tailscale in 2019, we weren't even sure we wanted to be a venture-backed company. We just wanted to fix networking. Or, more specifically, make networking disappear — reduce the number of times anyone had to think about NAT traversal or VPN configurations ever again.

Isn't logtail what got Avery et al started?

https://github.com/tailscale/tailscale/tree/main/logtail

https://apenwarr.ca/log/20190216 / https://archive.vn/xlsA1

  • everfrustrated 4 days ago

    That's quite insightful actually. Perhaps might explain the tailscale name a little better in that context also.

werrett 4 days ago

I've got conflicted feels about Tailscale. I love their product and a bunch of the people I know use their free tier, including myself.

But their enterprise strategy destroys their good will. I can only assume it's focused on killing old school VPN products. The free tier that we love is a marketing expense. And it’s not even a conversion play.

People are complaining about ~10/user/month -- add basic things that you'd need to manage more than 10 peeps (SAML/SCIM support) and you're talking ~20/user/month. For us, a small sub-200-person company, they immediately lost their chance. We have lots of problems in the security space, some of which we're willing to spend more than 20/user/month to solve. Legacy network access is not one of them.

  • jackhalford 4 days ago

    If $20/user/month is too much, maybe you could spin up headscale and plug in your OIDC provider?

    Never tried it myself, I only manage small tailnets so the free tier is fine.

    • socksy 3 days ago

      Assuming they wouldn't want to take on server maintenance workload, wouldn't something like NetBird be a better fit? The free version has ACL already, the $5/user/month has OIDC integration, and the business version (MDM integration and auditing) is $12. Then the server is still open source so if they wanted to transition to doing it themselves they still would have that option down the road.

  • jen20 3 days ago

    > I can only assume it's focused on killing old school VPN products.

    Given how goddamn terrible Cisco AnyConnect is, I hope they succeed.

elevation 4 days ago

Investors expect that Tailscale will extract many multiples of their contribution from users.

If you'd like to avoid this extraction, you can fork their command line client code (along with the open source headscale server) and run a mesh network across your Linux machines with all the MagicDNS and userspace-TCP/IP-stack goodness that you're used to. Tailscale has given away a lot of the engineering for free.

However, as soon as your fork becomes incompatible with Tailscale's stack, you lose a massive value-add: proprietary platform support. Today, you can add the sales guy's iPhone to your tailnet in seconds. If Apple's capricious automated App Store security pulls the Tailscale app from the App Store, Tailscale Corp is big enough to get Apple's attention. A small FLOSS group with some forked clients on GitHub won't be able to provide this same operational stability.

cadamsdotcom 4 days ago

Good. This lets them receive some of the value they’ve created (they should get paid!) and gives certainty they won’t go out of business. Which means more Tailscale now and in future!

If they turn evil (unlikely with the current folks there) they’ve written up / open sourced plenty of what got them to this point.

Don’t capture all the value you create. But you should try to capture some.

  • briffle 4 days ago

    The same thing has been said about many other companies taking on VC money. Someday, those investors are going to want to see a return on that investment. It's going to take focus and determination to not just ship enshittification as a feature.

littlecranky67 4 days ago

Still can't wrap my head around the fact that TS does not allow you to sign up with your custom email/password combination but forces you to use big tech (GitHub, Apple, Meta etc.) to log in. Running your custom OIDC provider as a small, private person does not make any sense either.

  • dijit 4 days ago

    I think that's quite smart, and OIDC is an open standard at least.

    Securing usernames/passwords and handling second factors, etc., is already done so well, and it's hard to do.

    Having a clear 'this is where we can be secure' stance is what makes me want to trust them more.

    • littlecranky67 4 days ago

      > and OIDC is an open standard at least

      But what kind of argument is that? If you are a single individual who wants to sign up, I am not going to set up my OIDC servers. That is like saying it is a good idea to run a dedicated Linux server in a datacenter under your own management, when all you want is a small static website for your mom+pop store. Sure, you can run your own server and it is all open source, but it is just overkill.

      > already done so well and it's hard to do.

      So hard that literally all other websites in the world with a login have implemented it. And Tailscale is a VPN-like technology company - if they can't manage to implement a login because it is hard, then I would definitely not accept their offerings.

    • lo0dot0 4 days ago

      Why is that smart? I signed up for a Microsoft Account with my email and I can use the Microsoft Account to log in to Tailscale, but I can't use the email directly? How does the middleman bring anything to the table?

      • dijit 4 days ago

        Because then Tailscale doesn't store a username and password for you, so unless Microsoft is hacked you won't be - theoretically.

        • littlecranky67 3 days ago

          If I have to spin up a Keycloak instance (you forgot to say in a public-facing data center that runs 24/7) to use a single service I would usually sign up for with an email and password, I might as well spin up my private VPN server.

          • dijit 3 days ago

            yep!

            Or use a login system you already have.

        • littlecranky67 3 days ago

          But at the same time, now Microsoft knows you are using Tailscale (and they use this data in their tracking + analytics). And all the other products. They get a very good insight into your online habits, because they have a list of all other products and apps you use where you sign in with your Microsoft account. And due to the way token refresh works, they even have a good idea how frequently you use each individual one.

          And if you for whatever reason get locked out of your Microsoft account (and I say this as someone who had this happen with a Google account) you are basically locked out of your online life.

          I own my own domain for my email address (xxxx@mydomain.com). As long as I can set the MX record of that domain freely, I can always restore access to my email address no matter what any email provider decides to do or block me for.

          • dijit 3 days ago

            Sure, then spin up a Keycloak.

            It's not hard.

            If you don’t feel comfortable doing so: maybe that is telling.

            • lo0dot0 3 days ago

              What are you on about? For years logging in with email was possible even on the most amateurish projects. Now that's not possible for Tailscale? Why?

              • dijit 3 days ago

                Because they don't want your password and as a security company, I applaud that.

                Account issues, recovery, support that can be manipulated, a single breach or bad password that grants access to their admin interfaces, implementing their own 2FA.

                And, serious people want SSO anyway, and most people have some kind of authentication they can lean on.

                You can make a stodgy password login if you want, or you can run a Keycloak yourself.

                If you don't want to run an OIDC provider for yourself, why would you want them to?

                Genuinely I applaud the idea that they're SSO first, and have as little information as possible to handle things. If you don't like it; well, run your own, run headscale - or, use wireguard another way.

                Not every company needs their own login system. I fucking hate it.

                • lo0dot0 3 days ago

                  Microsoft was hacked before and I don't trust them, but I trust the email provider at the company I work for, now what?

                  • dijit 3 days ago

                    Microsoft getting hacked proves my point more than you think, they're less likely to get hacked now because they have scar tissue. You're basically saying: "If you ever get hacked your reputation is burned forever, but I want these guys who have never done it before to handle logins for me even though they are saying that they are not comfortable with the extra responsibility". Get over yourself.

                    If you trust your email provider: Ask them to set up an OIDC provider then.

                    Email is insecure. I can't be the first person to tell you this.

                    Multiplying your logins is not more security, it's less in the majority of cases.

        • lo0dot0 3 days ago

          Thank God Microsoft never got hacked

    • guappa 4 days ago

      It's an open standard, but would they allow me to use my OIDC?

      • dijit 4 days ago

        Yes, they allow that.

tmpz22 4 days ago

If they had taken just say $40 million would they be able to sustain their project for the foreseeable future and perhaps not yield as much future product direction and equity?

I honestly don't know how this big dealmaking works but it strikes me that when you take out this big of an obligation that the obligation has a gravity that may drag you in a direction you (or consumers) do not want to go.

Love Tailscale as a product (as does everyone I talk to) but genuinely want to learn more about the trade-offs as usually when we see big dollar signs all we do is celebrate.

  • vvpan 4 days ago

    One of the main problems with raising too much is that you stop caring about product-market fit and can go on tangents that do not make you competitive. This is quite common afaik.

    • peterlk 4 days ago

      Yes; you will burn through all the capital you raise in ~18 months. It is _extremely_ difficult to efficiently allocate large raises (100M+) in 18 months. In fact, I’m developing a pet thesis that no single human or business can efficiently allocate more than $100M. This would imply that any time a single raise is more than 100M, the investors always would have had a better return by splitting it into chunks of 100M or less. It’s not a _good_ thesis yet, just one I’m performing thought experiments with

      • tikhonj 4 days ago

        Some business can certainly allocate more than $100M, but I could see that thesis for VC-backed tech-style product companies.

        A few examples come to mind immediately: trading firms/hedge funds often have more capacity than that in their existing strategies; hardware businesses can have substantial up-front costs; companies with high COGS might need that much to just scale at the rate they're already moving, since each unit locks up a bunch of capital until it's sold.

      • robocat 4 days ago

        The benefit for VC of lending you more than you need is (a) getting the owners hooked on spending money, then (b) taking control.

      • mindwork 4 days ago

        Now I'm waiting for all AI billboards in San Francisco to be replaced with Tailscale ads

      • mmx1 4 days ago

        You can’t be serious. Lots of businesses easily have that much just in cost of goods or marketing spend. $100M is not such a crazy amount especially considering the cost of hiring technical people.

        Also note that the benchmark of “efficiency” should be a function of growth, not some absolute standard.

        • peterlk 4 days ago

          I think we are saying slightly different things. COGS are composed of many smaller capital allocations. According to this untested, pet thesis, putting on a report that $250M was spent on capex is just fine; but if you go to a single vendor and sign a $250M contract, you have wasted money by not being more careful about how that capital is allocated. $100M is _a lot_ of capital, and I think it’s easy to lose sight of how much stuff you can do with that much money when applied to industries that don’t pay tech salaries for speculative growth. As examples: how many pounds of food could you grow for 100M? How many doctors could we train for 100M?

          I think the thesis is thought provoking. Not sure yet if it’s worth anything, but it also doesn’t preclude businesses from having massive cashflow.

          • sebmellen 4 days ago

            Maybe 200 doctors at prevailing medical school rates? That’s not an obscene amount.

          • mmx1 3 days ago

            I mean, it is obvious that you cannot sustain efficiency as you scale (Amdahl's law) but (1) $100M is not that crazy to be able to keep track of in your head, even for a single individual (I can imagine a successful real estate developer with a handful of ongoing projects and various other personal investments), and (2) in a high growth situation, it makes financial sense to sacrifice some economic gain for scale. In your original example, sure an investor would be better off, if they could actually find 10 good investments with zero cost, to spread their money, but very likely they'd be better off taking the big one and spend their energy raising more money.

      • freeone3000 4 days ago

        Why would you not just have the same amount of income, but spend less money?

    • duped 4 days ago

      That's much less of a problem than not being able to raise enough in the next round because you only 1.5x'd instead of 3 or 5.

      • pc86 4 days ago

        Isn't it better to 1.5x in 6 months on 40 million than 3x in 2 years on 160?

        By definition focusing on things that don't grow your business because you have way too much money in the bank is going to be worse for your business than being forced to focus because you've only got a year of runway.

  • pc86 4 days ago

    I'd be curious how much of this $160 million is immediately allocated to bonuses, founders taking money off the table, increased salaries, employee option pools, etc.

  • lazzlazzlazz 4 days ago

    Equity investments like this don't need to be repaid, so there isn't a legal obligation to repay them. Of course, there is an obligation to maximize shareholder value — but that is totally independent of the dollar amount invested.

    When founders raise this much money, it's because there's (1) a lot they want to do and hire for, or (2) they don't want to worry about monetizing the product for a significant period and focus on growth or product development.

    • mitthrowaway2 4 days ago

      GP didn't talk about "repaying" anything. Taking 160M instead of 40M at the same valuation means giving up 4x the shares, and that's going to result in a bigger voice for those investors at the table in making decisions about the future path of the company.

      • nradov 4 days ago

        That depends on the share classes. Companies with high interest from investors can sometimes get them to accept shares with reduced voting rights.

      • firloop 4 days ago

        What if they were offered $160mm and Tailscale countered with 4X the valuation, lowering the number of shares by 75%? Similarly, what if they wanted $40mm but the only deal on the table was $160mm due to ownership targets of funds that can actually write $40mm+ checks? It's hard to play these armchair games, even less so when the terms aren't known.

        • santoshalper 4 days ago

          You're right that we don't know all the terms, but $160M raised is not small and it is very reasonable to worry about what level of control will be given up long term because of it.

        • MrDarcy 4 days ago

          409a valuations are made up by independent appraisals, but it’d be quite strange for an investor to agree a share is worth 4 times the appraised value.

    • cj 4 days ago

      (3) investors offer the option for founders (and earlier investors) to take money off the table by buying up a percentage of their stake, essentially creating a mini-exit for the founder and earlier investors

    • robocat 4 days ago

      > Equity investments like this don't need to be repaid

      You are saying equity is not bonds.

      However, investors expect to be repaid in the future with control and exorbitant interest rates (based on risk). VC invests to make money, but that money comes from future equity rounds or IPO.

      If you didn't take the VC money (and the business achieved the same growth without the money) then you'd expect you would have been better off by at least the amount invested (investors don't invest with the expectation of only getting their money back).

      If the business doesn't succeed then you are on the hook to pay the debt from your equity via liquidation preferences.

      VC payment is expectation statistics, but the investors know that game and invest to make money. That money comes from the current equity owners making less in the future.

      • pc86 4 days ago

        Not only the "expectation" but lots of VCs have preference built in that guarantees them huge returns on basically any liquidity event. It's probably not as likely in a Series C like this but 2-3x preference is not unheard of. There are few investment vehicles where for every $1 you put in you're guaranteed to get the first $3 made back first.

  • IncreasePosts 4 days ago

    No one is going to answer you because no one has seen their books.

  • alabastervlog 4 days ago

    Yeah I take this as bad news, as a user. I dread the inevitable enshittification. Hopefully open source UX over Wireguard is close-enough to as good by the time they drive me away that losing them isn't too painful.

    Took a project I'd been putting off and putting off because I knew it'd eat half a Saturday, and made it a 20-minute affair from signup to having everything done, including adding some devices to the network that I wouldn't even have bothered to try adding on my own.

bananapub 4 days ago

it is nice that they're a bit embarrassed about it and spend much of the post explaining why they took more money.

overall, they still seem to have their heads screwed on straight and have an actual business model, that is also pretty fair - charge enterprises per seat to solve their network identity problems.

anyway, keep up the good work, Avery and co.

mrbonner 4 days ago

Does anybody encounter issues with DNS after installing Tailscale with its MagicDNS enabled? It drives me nuts because my entire network just stops working. I removed Tailscale but still can't connect to my Ubuntu server.

  • belthesar 4 days ago

I have this happen largely with Apple OS devices. Apple's DNS service can be notoriously persnickety (I've had issues with it outside of Tailscale as well), and I usually need to bounce interfaces or flush DNS cache (where I can on macOS) to resolve issues. WRT Tailscale, I also have issues with it on my phone. I currently have my phone configured to connect to my Tailnet when I leave networks I don't control so that I can maintain access to my personal cloud on the go, however after a few connections and disconnections, I have to bounce several interfaces in order to correct both DNS and routing.

    • j-krieger 4 days ago

      Yes! I also experience this. I also had some weird interaction with another wireguard-based VPN and Tailscale, where it crashed my DNS so hard I had to reset my entire laptop.

  • nickzelei 4 days ago

    I've had issues with tailscale dns for a while where I'll wake my mac up and the dns will just not work until I disable tailscale. I can then re-enable it and everything continues to work.

    I logged a bug about it and the latest versions this seems to have gone away. I also moved away from the mac store variant and into the standalone. Not sure if that helped either.

  • briHass 4 days ago

    I don't know how it works on Linux, but for Windows, the 'MagicDNS' just automatically adds a bunch of static entries to your hosts file to resolve the TS FQDNs and simple/machine names.

  • baq 4 days ago

    Yeah, you need to be conscious about your tailscale domain, your .home (or whatever your router or dhcp server advertises) and your .local hostnames. Even if you’re aware, things are sometimes wonky, IME primarily on macOS.

  • evanjrowley 4 days ago

    Sometimes I have issues like this. It's related to my ISP not supporting IPv6. I don't have time to explain this in detail, but at least that's one angle of it that you might want to explore further.

    • nickthegreek 4 days ago

      Same. When my cell has an ip6 ip, I can’t get dns to resolve on my systems at home. I can still access everything by ip4 ip though. I haven’t had time to find a solution yet. I’m still trying to figure out if it’s nginx, pi-hole, router, or Tailscale config related… probably a combination.

      • kccqzy 4 days ago

        I encountered a similar issue when I first started using Tailscale. My fix is simple: disable IPv4 inside Tailscale. Just use the v6 ULA address that begins with fd7a exclusively. This works even if your ISP doesn't support IPv6: the inner IPv6 packets can be encapsulated inside v4 packets. There's unfortunately no GUI to do this; you'll have to change the Tailscale ACL to disable IPv4.

        • lloeki 4 days ago

          > disable IPv4 inside Tailscale.

          TIL this is a thing

          > Just use the v6 ULA address that begins with fd7a exclusively.

          perfect, this is exactly what I desired

          (I'm having an increasingly high number of sad v4 only LAN devices and planned to move to a v4 block that sits way too close to the one Tailscale uses.)

          > There's unfortunately no GUI to do this; you'll have to change the Tailscale ACL to disable IPv4.

          ah that's why I missed it, thanks!

  • saurik 4 days ago

    I am on Arch and often end up with DNS broken in a way that requires me to restart tailscaled.

  • fidotron 4 days ago

    Yeah, I honestly couldn't get Tailscale to work reliably at all. DNS, routing, firewalls etc. My overall impression was it will work if either you go for it on your entire local subnet, or you have a very simple local network topology. Having local nodes inexplicably talking to each other via a cloud relay basically all the time just isn't acceptable. (And webrtc could always find the local candidates when doing ICE, so it's not that).

    It's interesting because they have clearly demonstrated a demand for such a thing, but the "just works" pitch is a fantasy, at least today.
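A way to see which peers are actually going through a DERP relay rather than a direct path, as an added example and not code from the original thread or from Tailscale. It parses the JSON that `tailscale status --json` prints (the `Peer` map with its `Online`, `Active`, `CurAddr` and `Relay` fields) and falls back to a constructed sample when the CLI is not installed; the hostnames, node keys and addresses in that sample are made up. The caveat it handles: an idle peer also has an empty `CurAddr`, so emptiness alone does not mean "relayed".

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"sort"
)

// peerStatus is the subset of one entry in `tailscale status --json` that the
// check needs. Field names follow the CLI's output; everything else is ignored.
type peerStatus struct {
	HostName     string   `json:"HostName"`
	TailscaleIPs []string `json:"TailscaleIPs"`
	Online       bool     `json:"Online"`
	Active       bool     `json:"Active"`
	CurAddr      string   `json:"CurAddr"` // "ip:port" when the path is direct, "" otherwise
	Relay        string   `json:"Relay"`   // DERP region code the peer would be relayed through
}

type status struct {
	Peer map[string]peerStatus `json:"Peer"` // keyed by node public key
}

// PathReport says how one peer is currently reached.
type PathReport struct {
	HostName string
	Path     string // "direct", "relay", "idle" or "offline"
	Via      string // direct endpoint or DERP region, when known
}

// ClassifyPeers turns raw status JSON into one report per peer, sorted by
// hostname. A peer with no active session also has CurAddr == "", so an empty
// CurAddr alone does not mean "relayed": the Active flag decides between
// "relay" and "idle".
func ClassifyPeers(raw []byte) ([]PathReport, error) {
	var st status
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, err
	}
	out := make([]PathReport, 0, len(st.Peer))
	for _, p := range st.Peer {
		r := PathReport{HostName: p.HostName}
		switch {
		case !p.Online:
			r.Path = "offline"
		case !p.Active:
			r.Path, r.Via = "idle", p.Relay
		case p.CurAddr != "":
			r.Path, r.Via = "direct", p.CurAddr
		default:
			r.Path, r.Via = "relay", "DERP "+p.Relay
		}
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].HostName < out[j].HostName })
	return out, nil
}

// RelayedPeers lists the peers whose active session is going through DERP,
// which is the set worth investigating with `tailscale ping <peer>` and
// `tailscale netcheck` on both ends.
func RelayedPeers(reports []PathReport) []string {
	var names []string
	for _, r := range reports {
		if r.Path == "relay" {
			names = append(names, r.HostName)
		}
	}
	return names
}

// sampleStatus is constructed for this example; it is not output from a real
// tailnet. Keys, hostnames and addresses are made up.
const sampleStatus = `{
  "Peer": {
    "nodekey:aaaa": {"HostName": "nas",    "TailscaleIPs": ["100.101.102.103", "fd7a:115c:a1e0::1"],
                     "Online": true,  "Active": true,  "CurAddr": "192.168.1.20:41641", "Relay": "lhr"},
    "nodekey:bbbb": {"HostName": "laptop", "TailscaleIPs": ["100.101.102.104"],
                     "Online": true,  "Active": true,  "CurAddr": "", "Relay": "lhr"},
    "nodekey:cccc": {"HostName": "phone",  "TailscaleIPs": ["100.101.102.105"],
                     "Online": true,  "Active": false, "CurAddr": "", "Relay": "ams"},
    "nodekey:dddd": {"HostName": "old-pi", "TailscaleIPs": ["100.101.102.106"],
                     "Online": false, "Active": false, "CurAddr": "", "Relay": ""}
  }
}`

func main() {
	raw := []byte(sampleStatus)
	if out, err := exec.Command("tailscale", "status", "--json").Output(); err == nil {
		raw = out // use the live tailnet when the CLI is installed and running
	}
	reports, err := ClassifyPeers(raw)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(1)
	}
	for _, r := range reports {
		fmt.Printf("%-10s %-8s %s\n", r.HostName, r.Path, r.Via)
	}
	if rel := RelayedPeers(reports); len(rel) > 0 {
		fmt.Println("relayed peers:", rel)
	}
}
```

For each peer this reports as relayed, `tailscale ping <peer>` shows whether the first replies come "via DERP" and whether a direct endpoint is ever found, and `tailscale netcheck` on each side shows whether UDP is blocked or the NAT is the hard (endpoint-dependent) kind that defeats hole punching; two hard NATs, or UDP filtered on either side, is the usual reason a pair stays on the relay.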

  • theglocksaint 4 days ago

    The subnet routing feature can cause network issues

xyst 4 days ago

Hope this means headscale involvement doesn’t get 86’d.

As I recall, a few tailscale folks contribute to this open source implementation of the “coordination server”. Apparently tailscale management approved it. So this means management at any time can revoke it, and possibly kill off self hosting of the coordination server as the open source clients become incompatible.

srameshc 4 days ago

I don't probably use Tailscale to its full potential but I love this tool. We have our small servers at our offices across the world and it has given us so much flexibility to access some of the files via shared drives or try out installing / testing stuff. Me and my wife also drop each other pictures of our kids using tailscale now.

  • codethief 4 days ago

    > Me and my wife also drop each other pictures of our kids using tailscale now.

    What application are you using for that (on top of Tailscale, that is)?

  • dharmab 4 days ago

    I'm using it for friends and family file sharing, it's fantastic.

devmor 4 days ago

Depressing news, I have no hope that the countdown to Tailscale being unusable subscription trash has not started with this announcement.

I realize this is a very ironic place to make this statement, but I am utterly exhausted by VC money destroying all of the services I enjoy, like a slow disease spreading through a herd of livestock.

  • slig 4 days ago

    They have raised before, so that money helped shape the service you enjoy.

    • devmor 4 days ago

      Yes, but when they raised before they did not give up a bunch of control in return.

      • jen20 3 days ago

        One gives up a decent amount of control for the first 12m, then a bunch more at 100m. Unless you work there, you frankly have no idea how much control the founders have.

        • devmor 3 days ago

          12m? What are you talking about? Tailscale had already raised 115m previously.

          • jen20 2 days ago

            Their series A was 12m. Their series B was 100m.

wg0 4 days ago

Start looking for alternatives already. Nothing good came out of VC rounds and private equity for the end consumers ever.

  • sidcool 4 days ago

    I understand the cynicism. But this is counter productive. Any venture has to have a finance angle. They are not missionaries.

    • wg0 4 days ago

      All in for profitability and financial activity. That's the very foundation of innovation.

      But VC funding works very differently.

    • mbs159 17 hours ago

      VC funding is on a whole other level, though

    • BiteCode_dev 4 days ago

      Steam does fine financially and without having to answer investors, which is why it's been able to stay mostly good to its user base for so long.

      This is not an "xor" statement.

      • wg0 4 days ago

        So is Basecamp. Profitability is not a dirty word.

    • afroboy 4 days ago

      What's wrong with Steam (Valve) business model?

    • LunaSea 4 days ago

      Sure, but amounts matter.

teleforce 4 days ago

>Connecting GPUs across clouds, securing workloads across continents, migrating between cloud providers — it’s messy, it’s hard, and it breaks all the time.

Is the new fund raise to enable Tailscale perform these complex tasks or for scaling it?

I once read, a few years back, that seamless and secure cloud-independent computing, or cross-cloud systems, is the next frontier, and it seems it's a legit problem and a business opportunity for security companies like Tailscale and Crowdstrike (investor). The record breaking acquisition of Wiz kind of cemented this problem space and the pain points, and it seems that Tailscale is riding on the opportunity [1].

[1]Google to buy Wiz for $32B (845 comments):

https://news.ycombinator.com/item?id=43398518

mrdoornbos 4 days ago

This sort of thing tends to trend bad for users.

udev4096 4 days ago

You are still trusting the tailscale coordination server for proper key exchange. Yes, traffic is end-to-end encrypted and the private keys stay on the device but there's no way to verify that tailscale is negotiating keys for the machine you asked for.

  • supermatt 4 days ago

I'm pretty sure that's not correct, as you can authorise the nodes that get added, and it is only authorised nodes that can participate in the tailnet.

    The problem IIRC is that it is the coordination server that decides what is authorised, so if Tailscale was hacked (or otherwise malicious), nodes could get added to your tailnet without explicit authorisation from the tailnet "owner", which is obviously not good. To prevent this, they introduced tailnet-lock, which requires other peers to participate in node authentication: https://tailscale.com/kb/1226/tailnet-lock#how-it-works
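The property tailnet lock adds, reduced to a model in Go as an added example; this is not Tailscale's own tailnet lock code, and the type and function names here are invented. The client pins the operator's signing keys locally, and when the coordination server delivers a network map it keeps only the peers whose node key carries a valid signature from one of those keys. A compromised or malicious control plane can still hand out peers, but an entry it added unsigned, or signed with its own key, never reaches WireGuard. Ed25519 is used for the signatures; 32 random bytes stand in for WireGuard node keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Peer is one entry in the network map the coordination server hands a client.
// NodeKey is the peer's WireGuard public key; Sig is a signature over it by one
// of the tailnet's lock (signing) keys, or nil if the server sent it unsigned.
type Peer struct {
	Name    string
	NodeKey []byte
	Sig     []byte
}

// TrustStore holds the signing keys the client pinned when the lock was set up.
// It lives on the client, so the control plane cannot add keys to it.
type TrustStore struct {
	keys []ed25519.PublicKey
}

func NewTrustStore(keys ...ed25519.PublicKey) *TrustStore { return &TrustStore{keys: keys} }

// Verify reports whether sig over nodeKey was produced by any trusted key.
func (t *TrustStore) Verify(nodeKey, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	for _, k := range t.keys {
		if ed25519.Verify(k, nodeKey, sig) {
			return true
		}
	}
	return false
}

// FilterNetmap keeps only peers whose node key carries a valid signature and
// returns the rest separately. A node the server injected unsigned, or signed
// with a key the client never trusted, is dropped before WireGuard sees it.
func FilterNetmap(t *TrustStore, peers []Peer) (accepted, rejected []Peer) {
	for _, p := range peers {
		if t.Verify(p.NodeKey, p.Sig) {
			accepted = append(accepted, p)
		} else {
			rejected = append(rejected, p)
		}
	}
	return accepted, rejected
}

// SignNodeKey is the operator-side step: whoever holds a signing key vouches
// for one specific node key (what `tailscale lock sign` does conceptually).
func SignNodeKey(signing ed25519.PrivateKey, nodeKey []byte) []byte {
	return ed25519.Sign(signing, nodeKey)
}

// randomNodeKey stands in for a freshly generated WireGuard public key.
func randomNodeKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// BuildScenario constructs a sample netmap: two nodes signed by the operator,
// one the control plane injected unsigned, and one signed by an attacker's own
// key. All names and keys are made up for this example.
func BuildScenario() (*TrustStore, []Peer) {
	opPub, opPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	nas, laptop, rogue, forged := randomNodeKey(), randomNodeKey(), randomNodeKey(), randomNodeKey()
	peers := []Peer{
		{Name: "nas", NodeKey: nas, Sig: SignNodeKey(opPriv, nas)},
		{Name: "laptop", NodeKey: laptop, Sig: SignNodeKey(opPriv, laptop)},
		{Name: "rogue", NodeKey: rogue},                                           // unsigned: injected by a compromised control plane
		{Name: "forged", NodeKey: forged, Sig: SignNodeKey(attackerPriv, forged)}, // signed, but not by a trusted key
	}
	return NewTrustStore(opPub), peers
}

func main() {
	ts, peers := BuildScenario()
	accepted, rejected := FilterNetmap(ts, peers)
	for _, p := range accepted {
		fmt.Println("accept", p.Name)
	}
	for _, p := range rejected {
		fmt.Println("reject", p.Name)
	}
}
```

The point of the model is where the trust anchor lives: the signing keys are pinned on the client and the private halves stay with the operator, so the coordination server's word about who is in the tailnet is checked rather than taken. The real feature also has to handle key rotation and the window before a new node has been signed, which this model leaves out.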

PeterStuer 4 days ago

Glass half full customer: great, the service I rely on is going to persist!

Glass half empty customer: OMFG, this is the minimal amount they are going to bleed from us over the next 5 years!

Based customer: this is just a half filled glass, full or empty is just your projection.

aborsy 4 days ago

Tailscale deserves it. They have produced excellent software.

karaterobot 4 days ago

Funny how, as soon as I hear about a big new funding round, my reaction is sadness because I assume the product is going to start being bad and user-hostile in about 6 months. It shouldn't be that way, but it's just a reflex after seeing it happen so often.

ErigmolCt 4 days ago

The shift toward identity-first networking is also super interesting. Feels like we're finally moving past the idea that IPs = trust, and into a world where access control actually maps to human (or service) intent

asim 4 days ago

Congrats to the tailscale guys. I remember when tailscale was not a networking company. Amazing to see where it's ended up and obviously having bradfitz onboard is useful too. I'm always curious to know what the internals of a company looks like with a lot of ex-googlers running it. Does it look like a mini Google or something else? Not sure if apenwarr is here but always interested to learn more.

codethief 4 days ago

Everyone is commenting on the HN headline, no one on the actual post:

> Building the New Internet

(Insert mandatory reference to Silicon Valley here :))

> We think there’s a better way forward. We're calling it identity-first networking.

I would love to see this. Every day I have to stare at YAML files with IP addresses in them is a day I will never get back. I wish cjdns[0] had succeeded already but oh well, now I hope the Tailscale guys will!

[0]: https://github.com/cjdelisle/cjdns/

  • transpute 4 days ago

    Operant has something similar in IIoT, https://operantnetworks.com/sie-sbd-part2/

      1. Immutable Content Naming: In a data-centric system, content is addressed by its name, transcending geographical considerations. This circumvents the vulnerabilities associated with IP addresses, which can be spoofed or manipulated. By employing cryptographic techniques to validate the authenticity of content names, NDN establishes a robust layer of security that underpins the entire architecture.
    
      2. Built-In Data Integrity: NDN employs built-in mechanisms to ensure the integrity of data. Content is signed by publishers and verified by consumers, preventing tampering or unauthorized alterations. This approach effectively mitigates data breaches, as any unauthorized modification is detected and rejected.

    • codethief 4 days ago

      This is about data, though, not about addresses, is it?

      • transpute 4 days ago

        It's both, https://en.wikipedia.org/wiki/Named_data_networking

        > NDN has its roots in an earlier project, Content-Centric Networking (CCN), which Van Jacobson first publicly presented in 2006.. NDN applications name data and data names will directly be used in network packet forwarding.. Its premise is that the Internet is primarily used as an information distribution network, which is not a good match for IP, and that the future Internet's "thin waist" should be based on named data rather than numerically addressed hosts.

        NDN talk by Van Jacobson at Google (2006): https://www.youtube.com/watch?v=oCZMoY3q2uM

finnjohnsen2 4 days ago

I just wished their server side was open source also

  • beng-nl 4 days ago

    There is an open source clone for the Tailscale server named headscale fwiw.

00deadbeef 4 days ago

I like Tailscale and we pay for it at work but it has a number of serious bugs that affect our work that they seem to lack the resources to fix. Hopefully this helps.

  • udev4096 4 days ago

    Maybe try out promising alternatives such as netbird, teleport, zerotier, etc

Shorel 4 days ago

Good call, I started using it a few months ago, and now it is something I can't live without.

joemazerino 4 days ago

Tailscale was invaluable for connecting my remote offices together. Long gone are the days of openvpn configs

amriksohata 4 days ago

What's the difference between this and, say, Azure VNet and configuring that with private endpoints?

th0ma5 4 days ago

What are the failure points of hosted solutions like Tailscale versus self hosted options?

  • chgs 4 days ago

    Tailscale has a single management engine. My understanding is that if that goes down your existing traffic will still flow, but new connections won’t be made.

segmondy 4 days ago

woot, woot, happy for the team. I love tailscale and can't stop singing praises.

tonymet 4 days ago

anyone care to share how they are spending money? labor, operations (training, transfer fees), marketing & business development. It's different than industries I'm more familiar with.

jncfhnb 4 days ago

Fingers crossed they’ll finally enable sending files to people

globular-toast 4 days ago

What is their use case in an IPv6 internet? Or is this another company with a vested interest in stopping IPv6 from happening?

  • pmb 4 days ago

    They are a zero-trust networking solution that also traverses IPv4 NATs. Zero-trust networking is a layer above the IP layer. In an IPv6 Internet their capital costs go down, and their product remains valuable for their paying customers. (Free accounts mostly use it for NAT traversal, businesses for the zero-trust encryption.)

    Their CEO has been working with (and supporting) v6 for decades both at the executive level (now) and also as an extremely capable software engineer that I personally met with a few times while we were both engineers at Google doing network measurement.

sidcool 4 days ago

Congrats TS. You deserve this.

johntopia 3 days ago

congrats to the tailscale team

littlestymaar 4 days ago

Tailscale not having reached profitability yet and having to raise more is bad news, as it increases the odds of future enshittification.

apitman 4 days ago

Even if it could mean Tailscale enshittifies eventually, this is probably a good thing for the ecosystem. As one example, the bigger they get, the more likely operating systems will build better APIs to support what they do (for example maybe Apple will provide a way to do mDNS over Tailscale), and those APIs can be used by all.

There are plenty of open source alternatives cropping up[0]. I'm curious to see what Tailscale can do with a lot of resources.

[0]: https://github.com/anderspitman/awesome-tunneling?tab=readme...

  • LeoPanthera 4 days ago

    Apple had a Tailscale-style feature called "Back to my Mac" that was part of MobileMe. They killed it off with the rest of MobileMe, presumably because they just wanted you to store everything in iCloud.

maxclark 4 days ago

$33m/year burn accelerating to $50m+/year

Profitability and exit math just got harder

I love the service and am rooting for them - I just don’t get this cash outlay

I can’t wait to learn what I’m missing here

robinhood 4 days ago

Enshittification will start in 3... 2... 1....

geenat 4 days ago

IMHO they should be a good steward and toss the Wireguard guy a mil considering Tailscale is pretty much Wireguard with a GUI on top.

  • aborsy 4 days ago

    This is not correct. Wireguard establishes a tunnel between peer A and B, and its simplicity stops there. Tailscale does tons of complex networking, filtering, nat traversal, DNS, file sharing, etc. Wireguard is a small part of the codebase today, which has grown a lot.

    It’s a bit like saying Dropbox is just a GUI on top of TLS.

    • aqfamnzc 4 days ago

      > It’s a bit like saying Dropbox is just a GUI on top of TLS.

      Well, it is. After all, for a Linux user, you can already build such a system yourself quite trivially...

      • eddieroger 4 days ago

        It'll be a sad day when this reference is posted and understood for the last time.

        • tptacek 4 days ago

          No it won't. The reference is universally misunderstood.

          https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

          • johnmaguire 4 days ago

            I think the parent commenter used "understood" to mean "recognized."

            That said, I don't really understand the supposed misunderstanding you point out. It seems that dang argues that "the exchange was pleasant and successful." I've never seen someone claim otherwise.

            Rather, I've seen it used as an example of how technical users can fail to recognize the complexity inherent in their workflows, and therefore may also fail to see the real-world business value in creating (and selling) simpler interfaces. See also a SMOP: https://en.wikipedia.org/wiki/Small_matter_of_programming

            • tptacek 4 days ago

              No, it's not that simple. This is an instance of context collapse; people dunk on that exchange because they believe it's an HN person belittling Dropbox as a product, when in fact it was an HN person helpfully offering notes on a YC application.

              • johnmaguire 4 days ago

                Whether the poster was "belittling Dropbox as a product" or "helpfully offering notes" seems like a judgment one can make about the exchange, regardless of poster's intent. I never understood this to be the reason it was referenced, more the SMOP thing. But I hear what you're saying about the details getting warped over time. (edit: And I do think people sometimes use it as a case of "if you listen to everyone's feedback..." but I think that still rings true: regardless of the judgment you place on it, it could have been demoralizing to Dropbox's founders.)

              • fngjdflmdflg 4 days ago

                They dunk on it because the author didn't see the benefit of the product over using FTP. And it's hard to say the usage of "quite trivially" isn't "belittling" in some form, although I don't think using a loaded word is useful here. Even the followup response shows the same issue with the commenter's thinking:

                >You are correct that this presents a very good, easy-to-install piece of functionality for Windows users. The Windows shortcomings that you point out are certainly problems, and I think that your software does a good job of overcoming that. (emphasis added.)

                They still fail to understand that this is not a Windows or Linux issue but a reliability and ease of use issue. Not to mention the fact that the desktop Linux marketshare was probably less than 1% and therefore irrelevant in this context to begin with.

          • eddieroger 3 days ago

            I get it, words matter, but this itself was a reference to the "I understood that reference" meme from Avengers. Thank you for your concern.

        • scarface_74 4 days ago

          How many people on HN today would get the structure - “less $x than $y. No $z. Lame”?

        • swyx 4 days ago

          a fun thought exercise - what would have to happen to HN for this to come true? basically all the old guard have to age out and not pass on the reference?

          • dmit 4 days ago

            Ea-Nasir

            Us humans are kinda ok at preserving knowledge (and we're getting even better, but not in a good way).

            • swyx 4 days ago

              brb destroying some magnetic tapes because i can just put them on the cloud

      • dmit 4 days ago

        A weekend project tops

      • freedomben 4 days ago

        Isn't Dropbox just a GUI on top of rsync? I've also seen people say "FTP"

        • incanus77 4 days ago

          Yeah, the same way a car is just a GUI on top of two bikes.

    • homebrewer 4 days ago

      Most of this was successfully done 20 years ago by tinc, which is a project written by a couple of European guys in their free time. It even supports routing traffic through other peers and does peer discovery just like BitTorrent (but before BitTorrent even existed) — there is no need for a central server.

      What tailscale has over it is hype, lots and lots of hype. Also a much more well thought out, and arguably more secure VPN protocol underneath, which is why GP's comment is on point.

      • tptacek 4 days ago

        If it's hype, it's not hype the way you're thinking. I've shown Tailscale to a lot of people (this is less salient now, when pretty much everybody uses Tailscale) and the most common reaction I've gotten is "holy shit". It is spooky simple to get working, and it's spooky simple to go from a working installation to a VPN configuration that would take many many hours to replicate with pre-existing tools.

        There may be VPN nerds out there who think there's nothing special happening with Tailscale, but I submit those nerds haven't spent a lot of time dealing with the median, replacement-level VPN configuration prior to Tailscale. I'm a pentester, and so I have had that pleasure. Tailscale is revolutionary compared to what it replaced.

        • candiddevmike 4 days ago

          Because you're delegating the control plane to Tailscale. Somehow we went decades without this being a thing for security reasons, dealt with the management of VPN appliances, and now suddenly everyone is OK with Tailscale owning the control plane of their VPN for the sake of convenience.

          • eadmund 4 days ago

            For a company this is probably okay: companies rely on other companies all the time, and can enforce contracts. I would gladly use tailscale at my company.

            For an individual, heck no. Fortunately, headscale exists for individuals to use.

        • formerly_proven 4 days ago

          My only technical complaint with Tailscale is that its hole punching doesn't seem to work with some common CGNATs/double NATs when both endpoints are using them, and then traffic ends up trickling through their public proxy servers, while running your own is kinda annoying and not recommended or documented.

      • RealityVoid 4 days ago

        And ease of use, IMHO. That's a big one with these kind of things. I will admit not having used tinc but I imagine it's not as polished.

        Polish costs effort and money and it also really truly saves time and makes for a better product. So that matters.

        • mikepurvis 4 days ago

          It definitely matters. I used tinc extensively at a prior gig, and it not having a story for its own key distribution was exceedingly painful.

    • agentdrek 4 days ago

      Probably closer to say that Dropbox is a GUI on top of WebDAV

  • jdoss 4 days ago

    Jason Donenfeld is listed as a Technical Advisor on https://tailscale.com/company. Most companies pay their advisors something, so I assume something monetary is going on here for him.

  • belthesar 4 days ago

    Tailscale is definitely more than "Wireguard with a GUI", but I don't think that diminishes your point that Tailscale, if they're not already, would be great stewards if they were contributing more than code back to the Wireguard project.

  • ignoramous 4 days ago

    > they should be a good steward

    Tailscale did make a donation to WireGuard. They have regularly contributed to wireguard-go, including the complicated GRO/GSO bits.

      "Tailscale made a donation during September 2022, as part of their business centered around WireGuard." https://www.wireguard.com/donations/ / https://archive.vn/MMAXO
    
    > Tailscale is pretty much Wireguard with a GUI on top.

    Well, isn't PUBG a GUI on top of Unreal?

    • johnbellone 4 days ago

      PUBG pays licensing fees to Epic Games (Unreal).

sshine 4 days ago

so tailscale is selling out

that was disappointing

at least the current software is open source, so others can fork it before it closes down on itself and enshittifies.

  • kube-system 4 days ago

    Tailscale is a software company founded in 2019 that raised their series A in 2020, not a grassroots community project

    • sshine 4 days ago

      so either you do it out of the goodness of your heart, or you maximize shareholder value at no expense

      I'd sell out at $160M, too. I'm happy for them, and sad for everyone else.

      • hobofan 4 days ago

        As GP said, they have raised money before. So why are you now disappointed and think they "are selling out", when nothing has changed, and Tailscale has been a clear-cut for-profit startup from the start?

  • brunoqc 4 days ago

    > at least the current software is open source

    Not the server.

    headscale is nice, but it's not an official project.

  • 4k93n2 4 days ago

    netbird looks like it would be a better option if open source is what you're after. there's a handful of others too, nebula, zerotier, netmaker just to name a few

breakingcups 4 days ago

Oh no. That's really too bad. Fingers crossed they'll beat the VC curse because it is so close to perfect as it is right now.

Uzmanali 4 days ago

Tailscale just got a lot of money to keep growing. But what they are doing is more important than the money. They are helping computers talk to each other in an easy and safe way.

Before, the internet was built to connect places, not people. That made things messy. People had to set up tricky stuff like VPNs and firewalls. Tailscale makes this much easier by using your name or account, not just numbers like IP addresses.

Now, big companies and people at home use Tailscale to keep their computers and apps connected. It works without a lot of setup, and it’s safe. Even people building smart robots and AI are using it.

What’s really good is that Tailscale still helps small users for free, and they try hard not to break anything when they update their tools. If they keep doing that, they can become a very important part of how the internet works in the future.

  • jychang 4 days ago

    This comment reads like simple.wikipedia.org

    • Uzmanali 4 days ago

      Haha, fair point! I guess I was going for simple Wikipedia rather than deep academic journal. Maybe next time I'll throw in some fancy words just to spice things up.