* The pricing tiers and included features by tier penalize you in frustrating ways. The base plan is a reasonable $6/user/m, but if you want to use ACLs to control anything in a workable way, it jumps 3x to $18/u/m. Better solutions are available for that kind of money, and I shudder to imagine what the next tier ('call us') costs.
* Subnet routing broke on Ubuntu (maybe other distros) recently, and there were no alerts, communication from TS, or TS tools to pinpoint/figure out what was going on. I stumbled on a solution (install subnet router on a Windows box), and from there I searched and found others with that issue. Lost half a day in emergency mode over that!
* Better tooling to determine why it's falling back to DERP instead of direct for remote clients. DERP relays should be an absolute last resort to provide connectivity for Business-plan-level customers (very slow), and the way TS works just assumes any connectivity is fine.
Overall, the simplicity and abstraction of complex VPN networking is wonderful, but if you have issues or advanced needs, you are immediately thrust into the low-level UDP/NAT/STUN world you were trying to avoid. At that point, you're better off using a traditional VPN (WG, OpenVPN, or heaven forbid, IPSec), because it ends up being more straightforward (not easier) without the abstractions and easy-button stuff.
Tailscale touts all the perf benefits of the WireGuard protocol, but in practice, between the userland WireGuard that seems to be used all the time on all platforms (even Linux) and the over-reliance on DERP, it has none of the performance benefits of the real thing.
https://tailscale.com/blog/more-throughput
Not sure if the kernel implementation pulled ahead again, I don't really follow these things.
Also not defending tailscale, I respect them but I agree they are a one size fits some solution.
There is no enterprise tier; instead you pay for any additional features you need. E.g., log streaming is $2/month/user and SSH recording is $3/month/user.
It's market segmentation, needing ACLs is a sign you're at least an SMB, and to a business of nearly any actual size, the difference between $6/user and $18/user is 0.
I wouldn't go that far. Big companies put a lot of effort into saving $12/seat.
But, if you can convince them they get >$18 of value from it they're usually happy to pay. With hobbyists it's more emotional. $6 is "just a coffee" and can be justified just to try it out. At $18/m is one of your household bills, and many will decide they enjoy watching Netflix more than messing around with Tailscale.
We don't even use Windows Enterprise for the same reason; we have legacy Office 365 plans and lifetime Windows licenses without the M365 add-ons because it saves us a few bucks per head. At our size, a few bucks a head quickly adds up to millions per year. Microsoft keeps trying to dissuade us and they even pretend Office 365 plans don't exist anymore ("office 365 is now microsoft 365") but they do: https://www.microsoft.com/en-us/microsoft-365/enterprise/off... . The same with their Copilot stuff. $30 is a non-starter. Our users want it but nope (and we did a trial in one big team and only 10% actually bothered to use it after the first month, so I think it's more the idea of it that they want rather than the actual product).
We don't use Tailscale but $6 would be feasible where $18 would be a complete nonstarter.
In fact our company is a lot more cost conscious than I am as a consumer.
Do you have more info on this one? I use Debian and that would be a major problem for me.
The clean way to build this is with firewall configuration, opening ports, and static IPs. NAT/STUN and dynamic IPs are just a hack and I don't understand why people pretend this is an acceptable solution for professional networking. Working around an infrastructure that isn't a natural law but can be changed at our will seems like a big waste of time.
Because it IS acceptable for many cases.
Many businesses don't operate in such a way as to have centralised infrastructure solely for providing internal networking, nor would they want to add the additional administrative or unnecessary routing overhead.
Even locations that would traditionally be considered highly centralised often have some form of dynamic network fabric as an overlay. Pretty much the entirety of cloud infrastructure runs on such systems, and they seem to do OK.
This is my experience too.
I actually came to believe the TS dream of device based VPN as opposed to AP or router based is the wrong thing because it gets confused by subnets and subnet routing so often, but also that the big security problem on networks is bad devices which it's not going to help you with unless you can wrap them up anyway.
That's one of the reasons I started playing with AP to AP real time video like https://github.com/atomirex/umbrella which is a nightmare case from the TS pov. The intention is to eventually wrap clients up on separate networks so they can only see each other via the (locally run) relay.
Similar sentiment can be seen in the discussion from three years ago [1] when they raised $100M.
If you raise $100M you have to put $100M to work or you'll hear constant shit from your board over it.
If they raised $160M they're going to spend $160M on something. My guess would be a lot of enterprise features and product integrations.
I don't know much about Tailscale, nor about how much it costs to run a company, but I thought it was mostly a software company?
I would imagine that salaries are the main cost, and revenue could cover salaries? (seems like they have a solid model - https://tailscale.com/pricing)
I'm sure they have some cloud fees, but I thought it was mostly "control plane" and not data plane, so it should be cheap?
I could be massively misunderstanding what Tailscale is ...
Did the product change a lot in the last 3 years?
What does this mean? They are competing with regular legacy VPNs for sure. Despite Tailscale existing for the last 4 years, none of the large corporate clients even got close to it. They were all on junk from Cisco, Palo Alto, to connect employees to the corp net. A “cutting edge” one might use Cloudflare WARP.
You might be right that there isn’t much competition for pure distributed, but it turns out the market for that is actually quite small and it’s for people who can’t afford dedicated IPs or cloud instances.
Raising money here is a bad sign IMO unless it’s for a completely new product that requires servers at exchanges to eat CDNs like cloudflare’s lunch.
Would this service be comparable to Headscale[0]?
I was about to slog through AI search results looking for an alternative.
I use it in projects to stream internet / connectivity from my phone to the NVIDIA Jetson line, making my robotics projects easily accessible / debuggable:
https://github.com/burningion/bicyclist-defense-jetson?tab=r...
They've since raised more funding recently, and have larger use cases in mind for robotics: https://rerun.io/blog/physical-ai-data
I've spoken with members of the team, and they're all great. Wouldn't hesitate to use the product / work with them anywhere.
Please no.
That said, Tailscale is one of the products that just works.
Maybe a slight bias on my part as I'm a developer and not an investor.
And not that funding or advising is less important, but it's a nice feeling connecting a product I like to faces who make it happen.
1. Potential customers
2. Potential investors
Both groups are a lot more swayable by social proof from seeing the "investors" than the devs as they infer a lot of credibility based on who has funded you. Similarly that's why you often see big company logos on marketing pages because it makes other customers more likely to buy. "<xyz> is too big to be wrong about this product"
They're not exactly secretive, there's just little value to have it on the main company page. (And if you just want pictures, https://tailscale.com/careers has that too.)
Putting people on the website is very variable. Do you update the website every week or two when someone comes or leaves? Well, that's awkward if someone is fired.
You get to 100 people, then 200 people. Now what do you do? Remove everyone? Only put people on above a certain level? What do you do when someone asks you not to be listed? Or when John becomes Jane, but doesn't want to be super duper public about it?
Or, when your company gets media attention and now the moment you add/remove someone from the website you get news or social media posts about it?
When we started Tailscale in 2019, we weren't even sure we wanted to be a venture-backed company. We just wanted to fix networking. Or, more specifically, make networking disappear — reduce the number of times anyone had to think about NAT traversal or VPN configurations ever again.
Isn't logtail what got Avery et al started?
I will probably eventually cave and use my main account from one of those companies since creating true secondary accounts can be difficult (they end up tied back to your main account on the backend usually, so if something happens to one or the company does something, it'll affect everything and building separation is not easy). But I dislike that sort of design.
What is going on with your sentences man.
One key understanding from my brief market experience is that you must build a firewall or router if you really want to own the VPN market. The way the sale is done is that the vendor goes in with the firewall, router, and switch, offering office space connectivity with the infrastructure and various network locations and upselling the VPN. This often accounts for the subpar quality of VPN software. There is a trend called SASE, which includes technologies like TS; people are questioning the enterprise value of SASE. Netskope and Cato Networks are some examples.
I believe that their enterprise journey will be challenging, given the incumbent players' extensive experience in upmarket sales. Although TS appears appealing and has potential for improvement, the GTM is entirely unique for enterprise. You need to build a reseller network, system integrator partners, high-value customizations, etc.
If you decide to embrace the security positioning, you must have a diverse portfolio of products. If you model the org. around Palo Alto et al., you need a huge diversity of products: VPN, hardware, cloud security tools, app security tools, etc., as the ICP (CISO) is trying to optimize their allocated budget. People in enterprise are ok with good-enough products as long as they meet compliance standards, fit the budget, and do not disrupt operations.
It could be that they might acquire a bunch of companies with this capital.
If you'd like to avoid this extraction, you can fork their command line client code (along with the open source headscale server) and run a mesh network across your linux machines with all the magic DNS and userspace-TCP/IP-stack goodness that you're used to. Tailscale has given away a lot of the engineering for free.
However, as soon as your fork becomes incompatible with Tailscale's stack, you lose a massive value-add: proprietary platform support. Today, you can add the sales guy's iPhone to your tailnet in seconds. If Apple's capricious automated App Store security pulls the Tailscale app from the App Store, Tailscale Corp is big enough to get Apple's attention. A small FLOSS group with some forked clients on GitHub won't be able to provide this same operational stability.
But their enterprise strategy destroys their good will. I can only assume it's focused on killing old school VPN products. The free tier that we love is a marketing expense. And it’s not even a conversion play.
People are complaining about ~10/user/month -- add basic things that you'd need to manage more than 10 peeps (SAML/SCIM support) and you're talking ~20/user/month. For us, a small sub 200 person company, they immediately lost their chance. We have lots of problems in the security space, some we're willing to spend more than 20/user/month to solve. Legacy network access is not one of them.
Never tried it myself, I only manage small tailnets so the free tier is fine
Given how goddamn terrible Cisco anyconnect is, I hope they succeed.
If they turn evil (unlikely with the current folks there) they’ve written up / open sourced plenty of what got them to this point.
Don’t capture all the value you create. But you should try to capture some.
Securing usernames/passwords and handling second factors, etc., is already done so well, and it's hard to do.
Having a clear 'this is where we can be secure' stance is what makes me want to trust them more.
But what kind of argument is that? If you are a single individual who wants to sign up, I am not going to set up my OIDC servers. That is like saying it is a good idea to run a dedicated Linux server in a datacenter under your own management, when all you want is a small static website for your mom+pop store. Sure, you can run your own server and it is all open source, but it's just overkill.
> already done so well and it's hard to do.
So hard that literally all other websites in the world with a login have implemented it. And tailscale is a VPN-like technology company - if they can't manage to implement a login because it is hard, then I would definitely not accept their offerings.
I honestly don't know how this big dealmaking works but it strikes me that when you take out this big of an obligation that the obligation has a gravity that may drag you in a direction you (or consumers) do not want to go.
Love Tailscale as a product (as does everyone I talk to) but genuinely want to learn more about the trade-offs as usually when we see big dollar signs all we do is celebrate.
When founders raise this much money, it's because there's (1) a lot they want to do and hire for, or (2) they don't want to worry about monetizing the product for a significant period and focus on growth or product development.
You are saying equity is not bonds.
However, investors expect to be repaid in the future with control and exorbitant interest rates (based on risk). VC invests to make money, but that money comes from future equity rounds or IPO.
If you didn't take the VC money (and the business achieved the same growth without the money) then you'd expect you would have been better off by at least the amount invested (investors don't invest with the expectation of only getting their money back).
If the business doesn't succeed then you are on the hook to pay the debt from your equity via liquidation preferences.
VC payment is expectation statistics, but the investors know that game and invest to make money. That money comes from the current equity owners making less in the future.
Took a project I'd been putting off and putting off because I knew it'd eat half a Saturday, and made it a 20-minute affair from signup to having everything done, including adding some devices to the network that I wouldn't even have bothered to try adding on my own.
Overall, they still seem to have their heads screwed on straight and have an actual business model that is also pretty fair: charge enterprises per seat to solve their network identity problems.
Anyway, keep up the good work, Avery and co.
I logged a bug about it and the latest versions this seems to have gone away. I also moved away from the mac store variant and into the standalone. Not sure if that helped either.
It's interesting because they have clearly demonstrated a demand for such a thing, but the "just works" pitch is a fantasy, at least today.
As I recall, a few tailscale folks contribute to this open source implementation of the “coordination server”. Apparently tailscale management approved it. So this means management at any time can revoke it, and possibly kill off self hosting of the coordination server as the open source clients become incompatible.
What application are you using for that (on top of Tailscale, that is)?
I realize this is a very ironic place to make this statement, but I am utterly exhausted by VC money destroying all of the services I enjoy, like a slow disease spreading through a herd of livestock.
But VC funding works very differently.
This is not an "xor" statement.
Is the new fund raise to enable Tailscale perform these complex tasks or for scaling it?
I once read a few years back that seamless and secure cloud-independent computing or cross-cloud systems are the next frontier, and it seems it's a legit problem and a business opportunity for security companies like Tailscale and CrowdStrike (investor). The record-breaking acquisition of Wiz kind of cemented this problem space and the pain points, and it seems that Tailscale is riding on the opportunity [1].
[1] Google to buy Wiz for $32B (845 comments):
The problem IIRC is that it is the coordination server that decides what is authorised, so if Tailscale was hacked (or otherwise malicious), nodes could get added to your tailnet without explicit authorisation from the tailnet "owner", which is obviously not good. To prevent this, they introduced tailnet-lock, which requires other peers to participate in node authentication: https://tailscale.com/kb/1226/tailnet-lock#how-it-works
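A toy model of the tailnet-lock idea described above, added here as an illustration and not Tailscale's own code: the coordination server hands the client a peer list, but the client only trusts peers whose node key carries a signature from one of the tailnet's trusted signing keys, so a node the control plane inserted on its own is dropped. The `Peer`, `Lock` and `FilterPeers` names and the constructed scenario are assumptions for the example, not Tailscale identifiers.

```go
// Added example (not Tailscale's code): a minimal model of tailnet lock.
// With the lock enabled, the control plane's say-so is not enough; a peer's
// node key must be signed by a signing key the tailnet owner trusts.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Peer is what the (hypothetical) coordination server sends: a node's public
// key plus an optional signature over that key from a trusted signing key.
type Peer struct {
	Name    string
	NodeKey ed25519.PublicKey
	Sig     []byte // signature over NodeKey; empty if only the control plane added it
}

// Lock holds the signing keys the tailnet owner distributed out of band,
// so a compromised control plane cannot change them.
type Lock struct {
	TrustedSigners []ed25519.PublicKey
}

// Verify returns true only if some trusted signer signed the peer's node key.
// ed25519.Verify returns false (does not panic) for a missing or short signature.
func (l Lock) Verify(p Peer) bool {
	for _, signer := range l.TrustedSigners {
		if ed25519.Verify(signer, p.NodeKey, p.Sig) {
			return true
		}
	}
	return false
}

// FilterPeers applies the lock to a control-plane peer list and returns the
// names of the peers the client will actually talk to.
func FilterPeers(l Lock, peers []Peer) []string {
	var accepted []string
	for _, p := range peers {
		if l.Verify(p) {
			accepted = append(accepted, p.Name)
		}
	}
	return accepted
}

// Scenario builds a constructed tailnet: one trusted signer, a laptop whose key
// the signer vouched for, a node the control plane pushed without any signature,
// and a node signed by a key the owner never trusted. Only "laptop" survives.
func Scenario() []string {
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	laptopPub, _, _ := ed25519.GenerateKey(rand.Reader)
	unsignedPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerNodePub, _, _ := ed25519.GenerateKey(rand.Reader)
	lock := Lock{TrustedSigners: []ed25519.PublicKey{signerPub}}
	peers := []Peer{
		{Name: "laptop", NodeKey: laptopPub, Sig: ed25519.Sign(signerPriv, laptopPub)},
		{Name: "control-plane-added", NodeKey: unsignedPub},
		{Name: "stranger-signed", NodeKey: strangerNodePub, Sig: ed25519.Sign(strangerPriv, strangerNodePub)},
	}
	return FilterPeers(lock, peers)
}

func main() {
	fmt.Println("accepted peers:", Scenario()) // accepted peers: [laptop]
}
```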
Glass half empty customer: OMFG, this is the minimal amount they are going to bleed from us over the next 5 years!
Based customer: this is just a half filled glass, full or empty is just your projection.
> Building the New Internet
(Insert mandatory reference to Silicon Valley here :))
> We think there’s a better way forward. We're calling it identity-first networking.
I would love to see this. Every day I have to stare at YAML files with IP addresses in them is a day I will never get back. I wish cjdns[0] had succeeded already but oh well, now I hope the Tailscale guys will!
1. Immutable Content Naming: In a data-centric system, content is addressed by its name, transcending geographical considerations. This circumvents the vulnerabilities associated with IP addresses, which can be spoofed or manipulated. By employing cryptographic techniques to validate the authenticity of content names, NDN establishes a robust layer of security that underpins the entire architecture.
2. Built-In Data Integrity: NDN employs built-in mechanisms to ensure the integrity of data. Content is signed by publishers and verified by consumers, preventing tampering or unauthorized alterations. This approach effectively mitigates data breaches, as any unauthorized modification is detected and rejected.
Their CEO has been working with (and supporting) v6 for decades, both at the executive level (now) and also as an extremely capable software engineer that I personally met with a few times while we were both engineers at Google doing network measurement.
There are plenty of open source alternatives cropping up[0]. I'm curious to see what Tailscale can do with a lot of resources.
[0]: https://github.com/anderspitman/awesome-tunneling?tab=readme...
Profitability and exit math just got harder
I love the service and am rooting for them - I just don’t get this cash outlay
I can’t wait to learn what I’m missing here
It’s a bit like saying Dropbox is just a GUI on top of TLS.
Well, it is. After all, for a Linux user, you can already build such a system yourself quite trivially...
What tailscale has over it is hype, lots and lots of hype. Also a much more well thought out, and arguably more secure VPN protocol underneath, which is why GP's comment is on point.
Tailscale did make a donation to WireGuard. They have regularly contributed to wireguard-go, including the complicated GRO/GSO bits.
"Tailscale made a donation during September 2022, as part of their business centered around WireGuard." https://www.wireguard.com/donations/ / https://archive.vn/MMAXO
> Tailscale is pretty much Wireguard with a GUI on top.
Well, isn't PUBG a GUI on top of Unreal?
that was disappointing
at least the current software is open source, so others can fork it before it closes down on itself and enshittifies.
I'd sell out at $160M, too. I'm happy for them, and sad for everyone else.
Not the server.
headscale is nice, but it's not an official project.
Before, the internet was built to connect places, not people. That made things messy. People had to set up tricky stuff like VPNs and firewalls. Tailscale makes this much easier by using your name or account, not just numbers like IP addresses.
Now, big companies and people at home use Tailscale to keep their computers and apps connected. It works without a lot of setup, and it’s safe. Even people building smart robots and AI are using it.
What’s really good is that Tailscale still helps small users for free, and they try hard not to break anything when they update their tools. If they keep doing that, they can become a very important part of how the internet works in the future.