- SSH'ing into a raspberry pi I have at home that does random IoT stuff.
- Accessing servers on my local dev machine from other devices for testing (i.e. a Windows box or phone)
- Giving access to production bastion devices without publicly exposing anything to the internet.
And best of all I don't have to fiddle with the usual networking stuff. It just works. Kudos on the raise!
Non-disclaimer: I have no relation to anyone on the team. Tailscale is just a delight to use.
I sincerely hope not, but there's so much bad precedent.
I think the catch is that (at least at the free level) one must trust an identity provider. For many companies that's probably fair enough, but for high-security companies and private individuals one absolutely cannot trust anything running outside of one's physical control. Service providers can be suborned, either legally by corrupt regimes or illegally by employees. There is no way that I would permit Google, Microsoft or GitHub (their three supported options) to gate access to my private devices.
I think that one must also trust Tailscale themselves, although I could be wrong about that.
> Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.
It seems to take care of key distribution, NAT traversal, authentication etc etc
Neat! Not sure how that is 'fixing internet' exactly, but really cool anyway
That's such a broad "mission statement" that I wonder if it's effective at all. I mean, what SaaS wouldn't say that they fix something with the internet? That's the whole reason for online businesses solving one or another problem.
How could that statement help them guide their implementations of various solutions?
OK, but it's not. Now what? Do we just live without until the platform overlords provide it, or does someone build it on top of the platform?
What even is the "platform", when my Android phone is connecting to my iPad and my Windows laptop and Linux desktop and Amazon cloud server?
$100M = ~$0.20 / computer user in US and western Europe (wealthy countries in connected software markets)
Fun little thing we did with it: nobody can access the prod network without requesting access via a Slack bot (powered by https://indent.com/). So somebody requests access, another authorized person approves it, and the Tailscale ACLs are updated for X minutes and then reset.
Access to secure environments is super low friction but more secure (with fantastic audit trails) than ever.
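One way to model the time-bound grant flow in the comment above, as an added example that is not Tailscale's, indent's or the commenter's code. It assumes Tailscale's ACL JSON shape ("acls" rules with action/src/dst) and constructs the users, the tag and the grant record purely for illustration; uploading the resulting document to the Tailscale API is left out.

```python
"""
Just-in-time (JIT) Tailscale ACL grants: request, approval by a second person,
ACL updated for X minutes, then reset. Added example, not Tailscale's or
indent's code. Assumptions: the baseline policy uses Tailscale's ACL JSON
shape (an "acls" list of {"action", "src", "dst"} rules); the Grant record,
its field names, MAX_TTL and the sample users/tags are constructed for
illustration. effective_policy() returns the policy document you would upload;
the "reset" is simply regenerating the policy once a grant's TTL has lapsed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=1)  # assumed cap on how long a JIT grant may live


@dataclass(frozen=True)
class Grant:
    user: str             # Tailscale login, e.g. "alice@example.com" (constructed)
    dst: str              # ACL destination, e.g. "tag:prod:22" (assumed tag)
    approver: str         # must differ from user (two-person rule)
    granted_at: datetime
    ttl: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.ttl

    def active(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at


def approve_grant(user, dst, approver, now, ttl=timedelta(minutes=30)) -> Grant:
    """Create a grant after enforcing the controls the approval bot relies on."""
    if approver == user:
        raise ValueError("self-approval is not allowed")
    if ttl <= timedelta(0) or ttl > MAX_TTL:
        raise ValueError(f"ttl must be within (0, {MAX_TTL}]")
    return Grant(user=user, dst=dst, approver=approver, granted_at=now, ttl=ttl)


def effective_policy(base: dict, grants: list, now: datetime) -> dict:
    """Baseline policy plus one accept rule per grant that is active at `now`.

    Expired grants contribute nothing, so regenerating the policy after a
    grant lapses is the reset step: no separate revocation edit is needed."""
    policy = json.loads(json.dumps(base))      # deep copy; never mutate the baseline
    rules = policy.setdefault("acls", [])
    for g in sorted(grants, key=lambda g: (g.user, g.dst, g.granted_at)):
        if not g.active(now):
            continue
        rule = {"action": "accept", "src": [g.user], "dst": [g.dst]}
        if rule not in rules:                  # overlapping grants collapse to one rule
            rules.append(rule)
    return policy


def audit_record(grant: Grant, event: str, at: datetime) -> str:
    """One JSON line per lifecycle event, for the audit trail."""
    return json.dumps({
        "event": event, "at": at.isoformat(), "user": grant.user,
        "dst": grant.dst, "approver": grant.approver,
        "expires_at": grant.expires_at.isoformat(),
    }, sort_keys=True)


def demo():
    """Walk one approval cycle; returns rule counts before, during and after."""
    t0 = datetime(2022, 5, 4, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    base = {"acls": [{"action": "accept", "src": ["group:oncall"], "dst": ["tag:prod:*"]}]}
    g = approve_grant("alice@example.com", "tag:prod:22", "bob@example.com", t0,
                      ttl=timedelta(minutes=30))
    during = effective_policy(base, [g], t0 + timedelta(minutes=5))
    after = effective_policy(base, [g], t0 + timedelta(minutes=31))
    print(audit_record(g, "granted", t0))
    return len(base["acls"]), len(during["acls"]), len(after["acls"])


if __name__ == "__main__":
    print(demo())  # (1, 2, 1)
```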
What if we all just had a static IP address, and a DNS name? …and the address migrated around the world with you? …and you could connect to any of your devices no matter where they were?
Does this not promote the destruction of anonymity on the Internet?
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
Will they be left out of this new internet?
However this is the path that could move them towards being pressured to add a bunch of bloat, followed by acquisition pressure and a big payout that will likely eventually cause the product to stagnate after the founding team leaves and the buyers don't care.
I really hope they’re all already rich enough that they aren’t tempted by that. :-)
Update: altered content to add more speculative version.
I wouldn't put them in the Dropbox bucket.
Also, I think the value Tailscale provides is fairly unique and far from obviously a platform feature like file storage and perhaps even password management.
Tailscale doesn't make privacy worse any more than the fact that to a first approximation, no residential Internet provider in the US has rotated an IP in recent memory.
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
edit: Only the client is open source. See clarification below.
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
But given the huge amount of money invested, pressure will go into other directions. I'm afraid my (aside of the iOS issues) beloved Tailscale is on a path to expensive enterprisey bloat, losing what made it so good (the JSON based ACLs, the external authentication provider reliance, etc - GitHub Auth is a killer-feature for me for example)
$100M seems more than a small-scale operation or is $100M in tech actually small scale?
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
(1) The old school castle and moat IT model that dominates at 99% of companies. If we can disrupt this then TS, ZT, and four other upstarts could all become billion dollar companies. Right now 1-2% of this market has been disrupted at most.
(2) The put everything in the cloud and everyone gets a thin client model. If that wins then all of us lose because there is no market for endpoint connectivity. We also lose all privacy, all data ownership, and all ability to experiment or innovate without paying for it by the instance-hour with TOS-enforcement bots looking over our shoulder.
My only complaint is that if you use it on your phone (iPhone 11) and forget to turn it off it drains the battery like crazy.
I thought customers were complaining loudly against their new direction of making 1Password an Electron app. Is that not the case?
Note: I'm not a 1Password customer.
There is an open source alternative called headscale [0]. The main downside is that you'll need to run it.
The closed source centralised control server has other potential issues though, and it ends up being up to the user to decide what's the right balance of security vs convenience.
The home page is a pretty clear exposition of what Tailscale is: https://tailscale.com/
"Fixing the Internet" is not done by layering more private network garbage on top of it.
Their claim[0] that after you install Tailscale on all your devices: "This final configuration is called 'zero trust networking',” is pretty interesting. It seems this would be more like having a trusted internal network (sure it is overlaid on an untrusted network). A true zero-trust network would mean all of your clients and servers are secure in a manner that they can operate on the public Internet...like O365, Salesforce, etc. To say that you run a zero-trust network because you implement a fancy VPN is C-suite dreaming at its finest.
"get around a misbehaving corporate firewall" like newhouseb sings praises for is exactly the sort of thing that should be happening less, and the opposite of "fixing the Internet". Follow the policies of the network you are being allowed to use, or lobby for them to be fixed. Don't like ISPs messing with DNS traffic? Get rules/laws implemented that prohibit that, instead of garbage like hiding your DNS in DNS over HTTPS. (DNS over TLS seems more acceptable to me.)
So why do people care about that?
Those all seem like positive things but they are in and of themselves, not value creating.
From this article and even their landing page ... I think they might need an explanation that makes more sense than IT/Networking Admin.
Even as a developer, I don't quite see the obvious benefit.
Instead of talking about 'what if you could have this tech that does ABC' - instead, talk about it in terms of problems 'what if you didn't have this problem or that one'. etc..
Perhaps you refer to loss of local vaults? If so, they were never really a viable option for me - I needed the app syncing across multiple devices, including mobile, and doing so with a third party sync solution wasn't suitable.
It actually allows me to turn my iPad Pro into a proper development machine as long as I have access to the internet since I can write code locally via Textastic, push to my git repo and test via the VM connected to Tailscale. Of course this was possible with a box on DigitalOcean but I prefer not to pay monthly for a machine just for noodling around.
There is an OSS [2] coordination server that does let you totally self-host.
Avery Pennarun, its CTO, is somebody whose judgment I am used to trusting.
Then I learned that to use it, I would be dependent on authenticating using a login on one of the unaccountable internet behemoths who could take away my account for any random reason or no expressed reason at all.
No, thank you.
They are claiming they are on the road to "fix the internet", their own words.
(That tweet I think was a teaser saying it was coming. I subsequently looked for it a few times and never found it, but maybe plans changed, or maybe I just failed to find it).
For whatever reason, SYN flooding detection triggers when you do more than a few TCP connections per second which makes most TCP-based things super frustrating and their IT is clueless as to how to fix it.
There are Docker containerized apps that manage Wireguard too
Maybe contribute to one and fret less about behavior of VC funded business and wondering if they’re actually respecting your privacy to accomplish finance goals
As far as threat models go, I can't really say I understand this one too much.
No, they do not behave just like NAT. With NAT you have two problems:
* figuring out your address
* firewall hole punching
With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.
* https://en.wikipedia.org/wiki/Hole_punching_(networking)
* https://en.wikipedia.org/wiki/Port_Control_Protocol
* https://en.wikipedia.org/wiki/Universal_Plug_and_Play
* http://www.upnp.org/resources/documents/AnnexA-IPv6_000.pdf
This helps immensely for residential connections since people (generally) control their gateways, and with more and more higher speed (fibre) connections being done, it could help in more self-hosted and peer-to-peer services.
What one is allowed to do at the office would be dictated by the policy(s) of your employer: they could allow PCP/uPNP opening via authenticated requests for example.
This is not true. The commercial breaks in all US pro sports have a pre-determined length, and the game action will not resume until the broadcast has rejoined (outside of a mistake somewhere along the line). In the NFL, they have a countdown timer on the stadium scoreboard indicating how much time is left in the commercial break, and even a dedicated guy who stands on the field next to a referee, talking to the TV truck to confirm when the broadcast has rejoined.
I'm not sure what you mean by this, but this sounds like exactly what they are, with some functionality on top. It's what I use to VPN into my LAN from outside, and it's pretty general purpose from where I stand.
Sure they are. All home routers that I'm aware of allow for port forwarding so folks can self-host a service: perhaps a game server (e.g., Minecraft), web, e-mail, etc.
It's just going forward you can set up a separate subnet to put your gear in (especially if you get multiple /64 subnets from your ISP). You can have a DMZ, and use either the router- and/or host-level firewall to dictate which connections are allowed.
The biggest risk that this company has is that Cloudflare (in all reality) should just buy them or reimplement it. It’s the type of product cloudflare would make, that’s for sure. Being based on open source wireguard, and being just a STUN/TURN server at its core… I’m sure that Tailscale will be the first but maybe not the best.
I’ve been dreaming lately of a tor-like network that’s based loosely on the idea of tailnets. Rather than blockchain bullshit, you’d have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don’t trust, but who know someone you do trust.
Web3 happens when people can host stuff on their phones, and Tailscale is something that lets you host things on your phone.
I've just setup tailscale in a few minutes, very smoothly. I'm impressed it scales down to this kind of simple use case nicely, and it seems it has nice features as my use cases might scale up.
Google will throw you on your ass in the blink of an eye.
Avery and the team at Tailscale are building a fantastic product and totally deserve the round and recognition, huge congratulations - we're super happy for them.
In many ways they're also an ice-breaker for the zero trust overlay network architecture, which means they've got the most work to do. As the current top comment on this thread correctly notes, with huge investment comes the obligation to eventually pay it back.
The market hasn't even come close yet to crossing the chasm and seeped into mainstream conscience to become the accepted norm - yet.
That said, we believe fiercely that networks should be simple to reason about, easy to use and safe to operate. That private connectivity should “just work”, and just work in exactly the same way, everywhere too. Flexible to change, simple to automate and only available to the right things at the right times.
When you think about it, building private networks is actually pretty complex right now and can be pretty insecure too. It's some unholy combination of spell casting meets a yak shaving contest to wrangle firewalls, VPNs, MTUs, and manage IPs, subnets, ACLs, NSGs, VPCs, NAT, routing, VLANs, certificates & secret keys, then hoping a zero-day doesn't show up that drops someone straight into the network via the VPN server, who then starts poking around the squishy centre.
Once you've used products like Enclave, Tailscale or ZeroTier and seen how simple private networks really can be - at a certain point you almost stop and ask the question, why would you not do it like this.
There will always be nay-sayers and people for whom this approach just isn't a fit, and that's fine - but I personally find it hard to imagine that this genie can be put back in the bottle.
- Founder @ https://enclave.io
* ... and most that do get another router (usually because they have seen that their Wi-Fi on the "modem" is bad) don't turn on** bridge mode, which will be a definite headache on both IPv4 (double NAT) and IPv6 (address conflict, especially if you're using an ISP like Comcast that would only allocate a /64 and no more).
** ... because you need to call up the ISP or even outright refused to bridge it (either because they're stupid but you don't have another ISP to switch or the equipment manufacturer of their garbage special router didn't program one).
I really wish we could get some clear copy on what that means in a title.
I gave up and just setup wireguard directly instead, I don't trust Tailscale either if that's their attitude towards privacy, it's permanently marred my vision of their product.
Those are not general purpose VPNs though.
In fact, they are not even VPNs in the first place. They merely use the same technology to provide a private tunnel to the public Internet (and use the name in marketing material because by now people are familiar with it).
What they are not is general purpose private networks.
There also exists an open source implementation of the tailscale control server [1] that you could self host.
I get why they're doing it (or, at least, think I do), and I'm not angry enough to go get angry on Twitter, but I am going to avoid the upgrade for as long as I can. That's kind of a bummer to get there with a product you've historically really liked.
This serves multiple benefits: the main one being that I receive pi-hole filtered ad-free traffic on my mobile device via a Wireguard VPN with my home IP 24/7/365
It's also great to be able to just ssh into your laptop at home when you're at work and you forgot to push whatever you were working on last night.
It's not necessary, but Tailscale makes a lot of things just easier.
I rolled my own with a simple VPS, HAProxy and Ansible.
Instead I can bind my services to Tailscale's network interface and access it anywhere that I'm connected to my Tailscale network. It's like authentication for free.
As a side note I know this is an anti pattern since one intruder can access all of my services, but that’s not a vector I’m really concerned about since I’m not exactly a high value target.
The vision you outlined is great, except it doesn't work. The trust assumptions are too high, and even a great product like Tailscale seems to rely completely on centralized identity providers (you have to choose Google, Microsoft, or Github on sign-in).
Ultimately, if you want to maintain full control of your online identity and network, you'll probably need some of the decentralized (but economically aware) resources you seem to have issues with — or at the very least a means of transitioning authentication to private key methods with DIDs.
I _could_ use my github account, but I don't trust them at all anymore. And I'm not going to setup an account with some other service just to use this. So that is a hard pass for personal use.
For a company it makes sense to have to use whatever SSO provider you are already using, I guess
But if we don't succeed in disrupting the actual competition everyone fails.
At least that's how I look at this market.
Of course I'm also a mostly-follower of the "ignore your market peers, focus on the customer" philosophy. Your greatest competition is always your own shortcomings.
They wrote a bit about their thought process: Factors in authentication (2019), https://apenwarr.ca/log/20190114
> It seems to me that the above successful enrollment patterns all use one or more of the following techniques:
> A human authenticates you and issues you a token (usually in person).
> A short-distance, physical link (proximity-based authentication) like a biometric sensor, or USB or bluetooth connection.
> Delegation to an existing authenticator [SSO]...
> What people tend to miss... is that enrollment is necessary whether or not you send a push notification to the phone during login. The push notification is only secure if this specific browser instance is enrolled; but if this browser is enrolled, then the push notification adds no extra security... The enrollment was the security.
Fully expect them to ship u2f authenticators or sell them at tsCare shops!
That's https://github.com/tailscale/tailscale/issues/1572 which we haven't given up on. It's just not done. We did it for macOS and we thought the same thing would've worked for iOS (they share a ton of the same code) but it apparently didn't work.
The mobile apps have been a low priority thus far. We just recently hired some people to work on them, though.
The highest priority for them currently is fixing battery life (we do some dumb things when LTE + wifi are both available, and when using exit nodes, and some unnecessary heart beating that sucks on mobile) and then there's also a mobile app redesign (or just "design" coming).
We like Headscale and we're super glad that it exists. (they saved us some work by doing it first, as our control server wasn't in a releasable state) We keep Juan et al updated when there's protocol changes or things they can do. (e.g. recent https://github.com/juanfont/headscale/issues/552)
I use it this way to access devices that can't run the tailscale software.
With an open source implementation out there, anyone can do it merely pulling a Docker container, and without paying Tailscale.
Regardless, I manage a dozen users with no issue using Embark's container; once they're set up I touch nothing.
Paying people is not working with people; it’s working with a specific group. Open source is working with people.
People sometimes ask me to describe the differences between Nebula and Tailscale. One of the most important relates to performance and scale. Nebula can handle the amount of internal network traffic and scalability of nodes (100k+ nodes, constant churn) required on a large network like Slack's, but Tailscale cannot. Tailscale's performance is fine for many situations, but not suitable for infrastructure. It is just a fundamentally different set of goals.
Nebula was created and open sourced before Tailscale was offering their product, but their architecture is similar to older offerings in the market, and is something we purposely avoided when creating Nebula.
Fwiw, I even recommend Tailscale to friends who want to do things like connect to their Plex server or Synology or [other thing] at home remotely. It simplifies this kind of thing greatly and doesn't require you to set up any infrastructure you control directly, which can be a headache for folks who just want to reach a handful of computers/devices.
Just because a service you sign up for is not contentful, does not mean that they won't choose to boot you off for some reason completely unrelated to anything you control or anything you chose to do.
The swap from native to electron on macos was hugely disappointing but something I could have probably lived with if they hadn't gone full saas no alternative.
why not?
More importantly why was it necessary to remove the local vaults feature (I don't need it to integrate with any particular 3rd party syncing solution, I can handle that myself without any features from them) entirely?
I settled on ZeroTier for now. Unfortunately, I don't think ZeroTier is my long term solution. Their self-hosted option comes with a plethora of caveats that make it basically unusable. And I'm always scared companies that offer free versions of their paid product will eventually neuter the free tier.
I'll be keeping an eye on headscale. Hopefully they get their mobile client situation in order.
An actual VPN provides you with a private network that just happens to work over the public Internet, usually encrypted, but is inaccessible from it.
A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The benefits of a VPN include increases in functionality, security, and management of the private network. It provides access to resources that are inaccessible on the public network and is typically used for remote workers. Encryption is common, although not an inherent part of a VPN connection.
* https://en.wikipedia.org/wiki/Virtual_private_network
That having been said, I also am wary of using Tailscale for the same reasons as above, I have to trust Tailscale and GitHub? I can maybe justify trusting Tailscale, but trusting GH/Microsoft/other SSO provider is a bridge too far.
Cloudflare, please make a box I can buy and stick it in the closet with a WAN connection. Routers suck, it’s time to reinvent them. Also please don’t make them look like goddamn spaceships.
In light of the recent incident at Okta, the risk of the VPN company or the identity provider getting compromised, or provided with a gag order by the government, should be accounted for.
https://tailscale.com/kb/1013/sso-providers/
> Tailscale works on top of the SSO/IDP/IAM identity provider you or your company already use.
> We don’t support sign-up with email addresses. By design, Tailscale is not an identity provider: there are no Tailscale passwords.
> Using an identity provider is not only more secure than email and password, but it allows us to automatically rotate connection encryption keys, follow security policies set by your team (e.g., 2FA), and more.
You can BYO SAML provider if you like, you'll just have to pay for it: https://tailscale.com/kb/1119/sso-saml-oidc
They used to have a kick-ass Mac app. That appealed to a considerable amount of their users. Then they ditched the native app for Electron, and those same users were disappointed.
Might want to check out Yggdrasil. It lets you create a real mesh routed, E2E encrypted network. You can keep your network private, or connect it to the greater network and route others. There's no ring-of-trust (I can't imagine that as a viable solution at scale). But the config file has an AllowedPublicKeys section if you want to specify who can route through your node.
If this was about heart beating, I would expect that to only happen when the client is connected.
Also, in the battery stats, the background usage is there and tailscale is listed, but with - % of battery usage.
However, when I force quit tailscale, all of the background energy usage goes away.
Super annoying and borderline unacceptable.
(btw. I love WireGuard - currently using it to route traffic between my servers + transfer media between my home and my mother's mediacenter with both PCs being behind their own router - she loves it too as so far there were no problems hehe)
Have you tried 1.24.2 that's just as of yesterday on the App Store? It fixes one of the worst of the offenders (but not all yet).
In any case, we understand a lot of the problems now and plan to work on it soon.
These companies usually bring something really easy to use, let people onboard and modify their network/DNS/etc to hell until they get vendor stuck and then they squeeze every possible dollar out of their pockets. Once you're in, after days or weeks of fine tuning, after you managed to pollute your codebase with their configs and IP addresses, it's hard to get out.
I suspect those "free slots" will change soon, but we won't see those types of graphs anywhere soon, and be prepared to get charged for bandwidth and everything else possible.
First thanks for working on Nebula! It's great.
Nebula seems to be about 95% there. The functionality it actually does provide once set up is really great. It's just missing the 5% that is arguably the most important for a huge number of people: a simple way to do the configuration management bits such as device enrollment, revocations, key rotations, that sort of thing.
If you are a home user, with a small network, the overhead of doing things manually is low, but you need to be patient and technical enough to read the docs and do it right initially. If you're a big enough organization I guess you can write your own tooling. But for any small shop or any non-technical home user this is not going to fly and you will bounce off it.
I don't know if the plan is to create a commercial offering for this side of the house (it would make sense...) but as far as I'm concerned, this is the only reason that Tailscale is so successful and Nebula is lesser known (despite Nebula's advantages in other ways that may be more relevant to technical users).
I have a big collection of movies, and I’d like my mom-technical blue collar friends to be able to watch them. I trust them, and I have trusted communication channels with them. We exchange keys somehow.
With the sort of routing I’m describing, they could watch my movies and I wouldn’t have to have a public IP address. And I wouldn’t mind if their friends (that aren’t my friends) watch my movies, either, by forwarding through my friends. What’s the catch? This could work for that. How could I do this today?
I don’t have any ideological or moral problem with blockchains, I just think they suck at solving problems where the requirements for trust are low or met elsewhere.
edit: mom-technical was a typo of non-technical but I’m leaving it because it’s more accurate.
Saying that these services are "not VPNs" is unnecessary pedantry. Definitions evolve over time, and these services meet the common definition of a VPN.
Remote devices would need a client installed on it to access the VPN, of course.
> the industry should collectively come up with a solution that incentivizes app developers away from electron rather than hoping they swim against the current of incentive.
They have the financial resources to build it in ~Rust but still chose electron. It’s a mind boggling decision.
As far as paid services the possibility also is there that someday _you_ run out of money and have to stop paying them. They tend to shut down your access when that happens. Another financial threat you have to model.
These things don't happen when you use public key authentication.
All of them filtered out the SMB/CIFS ports.
Two of them filtered outbound port 25; one of them was willing to open it with the additional cost of a static IP.
Is there anyone here with a counter argument? Has a security review been performed on each dependency? Any reason to think my fear is unfounded?
But until deployment hits 100%, and until ISPs start caring about IPv6 reliability the way they do about IPv4, "just use IPv6" can't be your answer. It's lovely when it works, but you need to do something other than "give up" when it doesn't. (also, as long as the internet is dual-stacked, doing IPv6 right also implies figuring out if NAT64 is in play, and wielding it correctly; so arguably IPv6 adds more complexity to the overall story, for now :) )
I pay over $700/yr for their business plan and would like to have better performance for it.
- Better iOS battery life, there have been many improvements but it’s still too much to leave running 24/7, I understand they’re making improvements here
- Their built-in SSH server which seems to be in development
- Using Tailscale ACLs to control access to Kubernetes ingress resources, they recently released an nginx auth plugin so I imagine this is now possible if you attach a Tailscale sidecar to the nginx ingress controller
- Arbitrary ACLs which also seem to be in progress, it would be awesome to define in ACLs who has access to different parts of e.g. a backoffice application
- Official support for DNS extra records, already using this with the Headscale self hosted control plane for personal projects but it would be great to use it on Tailscale too
- Kernel Wireguard for the data plane, I think this is on the roadmap?
Overall a fantastic piece of software which I use for both personal and professional projects.
Anywho, the more important bit is my point about performance. Nebula is significantly faster than userspace Wireguard, and plain userspace Wireguard is (last I checked) a bit faster than Tailscale, due to the additional code needed for things like your ACLs. At gigabit type scale it is probably fine and not noticeable, but at Slack, we needed to scale to 10G+ on links, while ensuring we didn't take a significant hit on CPU resources.
Again, I think Tailscale is very good for its target use case as a VPN replacement, and congrats on raising these funds!
Lately I have been migrating all my self-hosted stuff into a Raspberry Pi (instead of running a public instance in the cloud). It gives me a bit of peace of mind knowing that it adds an extra layer of security (to hit any of my endpoints/apps you would need to infiltrate my VPN). And it will save me a lot of money on hosting.
I don't need to expose my computers publicly or enable UPnP or anything. It just works.
I don’t necessarily blame them but think their decision was pushed along by the need for big money.
For example, I think they'd still be able to do the pay once model if they abstracted their storage to work with Dropbox/iCloud/OneDrive/whatever.
There’s really no value add as a user for a monthly fee. Although lots of people don’t mind. I’d rather not pay for something as essential and simple as a synchronized, encrypted data blob. I literally replaced it with a Google doc and cutting and pasting more. A filter over Google docs does not require a monthly fee.
I have this problem with lots of SaaS products that could be software if they didn’t want or need lots of money.
This is the part that doesn't scale. Hell, this is extremely risky even at a small scale. You don't know who your friends' friends are, you will have friends that abuse this, and you will end up with a much larger network than you anticipated.
How many of your friends and family are "friends" with bots on Facebook?
What's the difference between using Tailscale for this and just opening the port on your router?
Making broad claims like this without a source or links to benchmarks feels like FUD to me. For example Tailscale's comparison page on performance (https://tailscale.com/kb/1148/tailscale-vs-nebula/#performan...) doesn't mention a meaningful performance difference, so if you're claiming they're not telling the truth (by omission), I'd hope to see more to that than just a straight assertion, even just "We tried Tailscale in Slack's network and it wasn't able to keep up with our usage patterns".
My problem is the client doesn't support multiple servers, so I can't have a work vpn and a home vpn, not even with an easy toggle - you have to run tailscale with different conf options for both. Changing namespaces also isn't easy, so having friends and family segregated even on one server is also a pain point.
Tailscale also provides a "magic DNS" service which lets you resolve your Tailscale device names without setting up unbound etc, and which can relay other requests through to your pi-hole or unbound or whatever, which can then listen only on the tailscale IP address, so no need to run an open resolver or deal with source IP filtering.
e: also, you can share devices between tailscale users without generating, managing, distributing wireguard secrets. You send your pal/partner/kid a link and they can access your fileserver or raspberry pi webserver or pihole server for themselves wherever they are.
Respectfully, I think you may misunderstand the company’s mission.
I've been running IPv6 at home >2 years. You're telling me that my own experience is invalid?
I will say that the OSS tooling of Nebula is everything someone needs to stand up an entire working network on every common platform (linux/mac/windows/ios/android), but there is a definite gap in simplification that we need to address to make it easier for smaller scale use cases.
We actually have a managed enterprise Nebula offering at my current gig, but that's rather a different market than Tailscale, so I'm avoiding talking as that company as opposed to a Nebula OSS project lead. The commercial offering is targeted at large enterprises, because that's the market where Nebula has unique advantages. It also means we don't currently have a freemium or smb type offering, and are not prioritizing creating one at all. I don't want to give people false hope that we will, and would prefer to see the OSS project improve to address the small-medium use cases.
> Tailscale raises $100M to do what any Hacker News reader could have done in a weekend [0]
[0] https://twitter.com/apenwarr/status/1521873453921583105?cxt=...
And maybe we're all worse-off for it, but now you're done dealing with that issue.
Make the service usable without depending on some internet behemoth who might yank my authentication credentials anytime without notice, and we can talk.
Never forget https://news.ycombinator.com/item?id=8863
Outside of say, Garry Tan and Leo Polovets, who could be considered regulars, it’s rare that an investor shows up in the HN comments. Hi!
Your comment is reassuring, but the reality is that other investors will look at their portfolio companies, review the competitive landscape, then decide that they no longer share the vision, in the not too distant future.
Compare that to the numerous audits a VPN like Mullvad has had - https://mullvad.net/en/blog/tag/audits/.
What about phone networks? (in the US providers block all incoming traffic.) Or other ISPs that block incoming traffic?
NAT has been used to address a fundamental problem of what traffic can be trusted. That's what Tailscale fixes.
A few years ago I discovered WireGuard and I was really amazed how easy it was to setup a tunnel. Especially if you've dealt with IPsec before. It felt as easy as creating an SSH tunnel between two servers, with only 4 or 5 lines of code in a config on both sides.
Then last year I discovered Tailscale and I was blown away! How did this even work[1] without opening ports in the firewall? And how cool is it that I no longer have overlapping addresses[2] from other networks. Within 15 minutes I had my own mesh network between my Mac, iPhone, Raspberry Pi and other servers. Fantastic!
I'm on the Personal/Free plan but if this would no longer be free, I would be happy to pay for this service (shut up and take my money).
Does this mean - instead of deploying a dashboard/ci to aws, I should host it "locally" on a single computer (macbook, raspberry pi) and then internal employees can access that site via Tailscale's network layer?
Regardless at Uno we're working on a password manager with a native app and rust core. It's geared more towards everyday consumers than power HN users, but you might find it interesting. The rust core including api server is open source right now because that's one point where we diverge from 1P. Whatever tech stack you choose, it needs to be openly auditable so that the community can collectively ensure it remains secure. https://github.com/withuno/identity
Other things are seamless transition to local networks, and you can even have local network encryption.
If all tools were this reasonable, I'd be very happy.
However, I just don't see much difference from my vanilla Wireguard setup. Granted, my use case is very simple, just connect a few devices at home and in the cloud into a single network and use one of them as an exit node, but I'm still not sure what would make me prefer Tailscale over Wireguard.
So far the biggest difference has been that it makes me use an external identity provider instead of having to manually exchange keys between devices, and I'm not sure I'm very comfortable with that.
If we (the US) decided to invade Canada tomorrow, you can be certain that the maple syrup would stop flowing.
Edit: According to their website[1], the overwhelming majority of their employees are in Ukraine. Two of the three cities they have offices in are on the current combat front.
They don't even give the option to try to debug my own identity provider.
aka the BYO SAML feature does not exist for personal or small team/business users.
But maybe that's the point? TailScale's product is actually an identity integration layer for Wireguard? If you don't need an identity provider, Tailscale doesn't add value over Wireguard?
A fully native app will offer you no such protection. If a dependency used for styling or animations or whatever is compromised, it will have total access to the system and be able to exfiltrate at will to any location. In Electron, the equivalent dependencies can instead run inside the CSP sandbox, preventing them from doing any serious harm.
Supply chain vulnerabilities also aren't unique to npm. Any project that uses dependencies (in any language) has the same issue.
That's only true if you can actually articulate a reason why it won't scale to some magnitude that some user might actually need today or at some point in the future.
For example, Go may be "not as scalable as C" (or vice versa! Or both!), but what matters is the scale to which it is actually desired to be deployed.
Full disclosure - there is little to no functionality yet, but the homepage is enough
The reality is that making software, like any other human endeavour, takes time and energy. Paying one another money is a rather well-established mechanism of rewarding and incentivising that time and energy (since not everyone wants to work free of charge to make and maintain software for you, out of the goodness of their hearts, no matter how much you insist that you're owed their unpaid labour).
There are small and local means of getting free food, or free woodworking, etc, but the general reality is that a high-quality high-dependency maintained product, over the long term, is more feasible when it's paid.
"Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere."
Okay... at first I said to myself, _no way_. But then I thought, "Any sufficiently advanced technology is indistinguishable from magic."
So IPv6 makes things easier—which was the point of my post: IPv6 makes things easier.
Have a bunch of new nodes? Replacing a lighthouse? Revoking and replacing certs?
Here's a mistake that I made personally. Did you read the docs fully and realize that the default expiration for a CA is one year? The same is true for certificates. You need some kind of tooling to rotate certs every year, by default, or one day you'll find your entire overlay network disappears.
What about the ACL lists? Well, they're just stored in that same config file. What if you add a new service you didn't count on initially? Or you have a new class of clients?
What if your lighthouse needs to change its IP address? Or you need to retire and replace it outright?
And if you have hosts coming and going a lot, suddenly managing all those configuration files looks like quite a pain indeed...
None of this is unsolvable - assuming you have root on all the nodes you care about. You could even create tooling to automate these things with some kind of configuration management system (which indeed, if you are deploying to more than a handful of systems, you basically must do). But these pain points will eventually add up if you are just trying to connect to friends.
A lot of that is Crypto related, but money seems to be absolutely flooding into tech at the moment despite all of the doom and gloom around
If I want to self-host something, then with IPv4 I have to publish my IP and worry about the CPE supporting port forwarding. With IPv6 I have to publish my IP and use UPnP/PCP to allow all connections. Is there any CPE gear that does not support UPnP/PCP?
This has essentially been the guiding principle of my side projects for the last two years. Folks shouldn't need to understand DNS, TLS, HTTPS, IP addresses, ports, NAT, CGNAT, etc in order to own their data. Self-hosting a small server for you and your friends shouldn't be any more difficult or less secure than installing an app on your phone.
Compare that to ZeroTier where I can just tell someone, "install this app and punch in this Network ID". Also, ZT lets me control the entire network firewall from a centralized place. Where Nebula is doing it on a per-client basis and requires new certs if device groups change.
I don't want to talk up ZT too much though. Their self-hosted option is a joke. There is no webui. You have to do everything via the API...including the firewall rules; And you have to write those rules in the non-human readable format that their webui abstracts away. Worse still, their mobile apps won't work with the self-hosted option. I used them to get something up and running quickly, but I'll probably end up on Nebula anyways.
https://www.sophos.com/en-us/free-tools/sophos-xg-firewall-h...
The same thing is being said on HN about all kinds of network software, but tell me one piece of software that Cloudflare is really known for except its CDN? None.
HN is really a strong echo chamber and some people believe Cloudflare and Stripe are going to be the leader in all software areas. (Even though Cloudflare is not the leading CDN and Stripe is not the leading payment processor). They are both amazing companies but they won't fix all problems of the world. I would even argue that they won't even solve more than their current core domains
I see they are staying away from a16z ;)
> We don't want to put revenue ahead of quality, because our stats say quality is where all our growth comes from.
Dr. Deming shining through here [0], but really, even this 1986 article paints a neat little picture of how I presume tailscale's operating at the moment: https://hbr.org/1986/01/the-new-new-product-development-game
> How, Avery, on earth, are you all planning to spend one hundred million dollars?
Wireguard platinum sponsorship in 3, 2, 1...?
> Now I just tell people: We're here to fix the Internet. If we don't, who will?
I called this a year ago, as it was pretty evident to me even then (downvotes notwithstanding), but I'd not be surprised if tailscale became a ISP someday, given their holistic approach to product development: https://news.ycombinator.com/item?id=26249199 But hey, there are many more people working to fix the internet... including tailscale clones and other over-funded/under-funded developers, which brings me to...
> I mean, imagine. What if the Internet just worked like it was supposed to? [and goes on to list e2ee + Mobile IP + SSO + DDNS + NAT Traversal]
If you squint just enough, it reads like the MASQUE protocol (built atop QUIC) that Google, Apple, Cloudflare are working to standardize: https://ietf-wg-masque.github.io/
That said, in time, I see tailscale not only compete with Zscaler, but also with Tanium, Cloudflare, CrowdStrike, F5, Palo Alto Networks and the likes. Once they are embedded in an enterprise's network, there's very little their product couldn't expand into to make other SaaS / solutions obsolete.
[0] Systems thinking and Deming, https://archive.is/tXJhw
I don't have 100k hosts on a large network to test deploying Tailscale, but if I did, I'd be benchmarking the cpu/network/storage overhead of telling 99,999 hosts about a new one that comes online, every time that happens, or every time its pubkey changes. You can optimize this away _if_ your "fan out" is not as large, but there are plenty of cases where every host on your network needs to talk to a particular host, so all of them need to know about its keys as soon as possible.
Again these aren't unsolvable problems, to a point, but we didn't want to solve a problem when we could avoid it entirely, so that's the path we chose. It removes complexity and is a good part of the reason the system we built has been resilient.
A complaint some people express about tailscale is the battery life on mobile (or at least iOS). This exists because there is coordination overhead on even idle tailscale nodes. Back when we ported Nebula to iOS, we sweated details like "how often it wakes the radios" and did a lot of profiling. I never turn Nebula "off" on my iPhone, and it just sits in there in the background not using any resources most of the time.
We worked hard to optimize this out of our architecture, so that Nebula avoids generating traffic that is unrelated to the actual communication between hosts or lookups to lighthouses. An idle nebula tunnel can truly be idle indefinitely, and that also matters as the set of hosts becomes larger.
I do not think the Nebula project and Tailscale are direct replacements for each other in any fashion, and afaik neither is trying to be. I'm just pointing out that different design goals led to unique advantages and disadvantages to each architecture.
There's a community developed one:
> If we're going to fix the Internet, there's no point only fixing it for big companies who can pay a lot. That misses the point of the whole adventure. The Internet is for everyone. We have to fix it for everyone, or why bother? We knew we had to design a business model and a technical architecture that removes any incentive to abuse your privacy. Providing an ever-expanding free tier is how we help as many people as possible.
> ...
> Tailscale's go-to-market strategy is what we call bottom-up growth, or product-led growth (PLG). An earlier name for this is "GTM 3.0", which is explained beautifully in a presentation by Adam Gross... To summarize: in GTM 3.0, you give away an unlimited free tier for individual use (Not a trial, a free tier; this is what makes it different from GTM 2.0). Then, for collaboration in small teams, you charge a bit. Then, for big company control and auditability, you charge even more. At each level, the value proposition is different, so that users use your tech differently and benefit differently from it. And at each level, the buyer is different, so the messaging is different.
From tailscale.com/blog: How our free plan stays free, https://archive.is/R7jqw
So you think they could be lying about their fundamental selling point, and hiding it in all of their audits? Personally, I'd trust them more than Apple/Google/etc.
https://support.1password.com/1password-security/
https://1passwordstatic.com/files/security/1password-white-p...
I like this assessment. "[J]ust a STUN/TURN server at its core." It gives me hope maybe more people are starting to learn how to look at peer-to-peer not as something that is unreasonably complex and off-limits to ordinary users. LAN-like connectivity is not just for offices and gamers.
Of course, following a STUN/TURN standard is just one approach to a rendezvous server. It isn't the first or last approach to have worked.
By "rendezvous server" I mean a program that accepts connections and saves each client's address and open port number and makes this data available to other connecting clients, thereby allowing one client to connect directly to another client without involving the rendezvous server. The server needs only to tell clients about IP addresses and port numbers, nothing more.^1 Thus it can be a relatively small, relatively simple program.^2
I hope that going forward there will be even more choice in small, open source rendezvous servers, not created for commercial purposes, that ordinary users can run on globally reachable IP addresses. Most users must "lease" these addresses from others. Because not every user has a globally reachable IP address available, the use of "hosting" and now what people today call "cloud" services has been necessary.
Enormous amounts of traffic are passing through these third party "cloud" providers. They are, to use a popular term, "gatekeepers". Business customers, including ones who already control globally reachable IPv4 address space, let alone individual customers without such resources, are effectively beholden to them if they want to be on the internet. Not only that, the services are generally expensive.
However no data needs to be sent to or received from a rendezvous server other than address and port information. If customers are charged based on ingress/egress, it could be affordable for users to run these small programs on a "cloud server" due to the smaller amount of data transfer. With less data being sent to these third party providers, the privacy concerns would arguably be reduced as well (cf. eliminated).
The ability to connect devices directly over a network, including the internet, should not be monopolised like so many other aspects of the computers and the internet today. It should be available for everyone. The only cost should be paying for the globally reachable IP address and a tiny amount of traffic required for running a rendezvous server.
1. The advantage here is that the program can be easier and quicker to compile and users may be more inclined to read the source code and, optionally, make edits and recompile. Non-commercial, not a complex program like a web browser that is prohibitively slow to compile that almost no one compiles for themselves, nor one that few people have both the aptitude and inclination to read, edit and improve its source code.
2. Yes, there can be exceptions. For example, in some cases two clients using the same ISP might not be able to reach each other directly. But these cases are the exceptions, not the rule.
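The rendezvous server described in the comment above, written out as an added example (not code from the commenter, Tailscale, or any other project mentioned in the thread). It does exactly what the comment says and nothing more: it remembers the source IP address and port it observed for each registering client (the NAT mapping a peer would need) and hands that pair to other clients on request. The message format, the `id` names, the 512-byte datagram limit and the entry cap are assumptions made for the example; how a client proves it owns a given `id` is out of scope here and would need to be added before exposing such a server on a public address.

```python
"""Minimal UDP rendezvous server: stores each client's observed (ip, port)
and returns it to other clients.  No payload is relayed and nothing else is
stored.  Example code; the wire format is an assumption for this demo."""
import json
import socket
import threading
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]

MAX_DATAGRAM = 512      # assumption: requests are tiny, refuse anything bigger
MAX_ID_LEN = 64         # assumption: bound memory used per entry
MAX_ENTRIES = 10_000    # assumption: bound total memory of the registry


class Rendezvous:
    """In-memory registry of peer id -> observed public address."""

    def __init__(self, max_entries: int = MAX_ENTRIES) -> None:
        self.peers: Dict[str, Addr] = {}
        self.max_entries = max_entries
        self._lock = threading.Lock()

    def handle_dict(self, msg: dict, src: Addr) -> dict:
        """Process one parsed request from the client at `src`.

        `src` is the address the *server* saw the datagram come from, i.e. the
        client's NAT-mapped public endpoint, which is the only fact we record."""
        op = msg.get("op")
        peer_id = msg.get("id")
        if not isinstance(peer_id, str) or not peer_id or len(peer_id) > MAX_ID_LEN:
            return {"error": "bad id"}
        with self._lock:
            if op == "register":
                if peer_id not in self.peers and len(self.peers) >= self.max_entries:
                    return {"error": "registry full"}
                self.peers[peer_id] = src
                return {"ok": True, "id": peer_id, "ip": src[0], "port": src[1]}
            if op == "lookup":
                addr: Optional[Addr] = self.peers.get(peer_id)
                if addr is None:
                    return {"error": "unknown peer"}
                return {"ok": True, "id": peer_id, "ip": addr[0], "port": addr[1]}
        return {"error": "unknown op"}

    def handle(self, payload: bytes, src: Addr) -> bytes:
        """Bytes-in, bytes-out wrapper: parse JSON, reject garbage, answer."""
        if len(payload) > MAX_DATAGRAM:
            return json.dumps({"error": "too large"}).encode()
        try:
            msg = json.loads(payload.decode("utf-8"))
            if not isinstance(msg, dict):
                raise ValueError("not an object")
        except (ValueError, UnicodeDecodeError):
            return json.dumps({"error": "bad request"}).encode()
        return json.dumps(self.handle_dict(msg, src)).encode()


def serve(bind: Addr = ("0.0.0.0", 3478), registry: Optional[Rendezvous] = None,
          ready: Optional[threading.Event] = None) -> None:
    """Blocking UDP loop; one datagram in, one datagram back to the sender."""
    registry = registry or Rendezvous()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    if ready is not None:
        ready.bound_to = sock.getsockname()  # let the demo learn the port
        ready.set()
    while True:
        data, src = sock.recvfrom(MAX_DATAGRAM + 1)
        sock.sendto(registry.handle(data, src), src)


def demo() -> dict:
    """Loopback walk-through: 'alice' registers, 'bob' asks where alice is."""
    ready = threading.Event()
    threading.Thread(target=serve, args=(("127.0.0.1", 0), None, ready), daemon=True).start()
    ready.wait(timeout=5)
    server = ready.bound_to  # type: ignore[attr-defined]
    alice = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    bob = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    alice.sendto(b'{"op": "register", "id": "alice"}', server)
    alice.recvfrom(MAX_DATAGRAM)
    bob.sendto(b'{"op": "lookup", "id": "alice"}', server)
    reply, _ = bob.recvfrom(MAX_DATAGRAM)
    answer = json.loads(reply)
    # bob now knows alice's ip:port as seen by the server and can send to it
    # directly; the rendezvous server is not involved in that traffic.
    assert answer["port"] == alice.getsockname()[1]
    return answer


if __name__ == "__main__":
    print(demo())
```

Everything the server retains is one `(ip, port)` pair per id, which is why the comment's point about ingress/egress cost holds: the request and reply are each a few dozen bytes. The length and entry caps are there so a stranger on the internet cannot fill the process's memory, and the parse step rejects anything that is not a small JSON object before it touches the registry.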
The Tailscale agent (thing that runs on your machine) changes the system routing table (at least on Linux) and uses policy-based routing (marks packets destined for the "Tailnet" specially) to build the overlay network. Since everything is done at L3 in the OSI model, iOS and Android clients (in the form of an app) are also available without needing root (jailbreaking).
There are some things it can't do owing to the whole thing operating at L3, but it's a really awesome implementation nevertheless. And just to add, they aren't the first to build a product like this, but they do it incredibly well and the time to value for most users is extremely short, made even better by the fact that the expectation is that the time to value will be long(ish) and painful.
Cloudflare needs to solve two problems: they need to introduce a free tier of Access that doesn’t use the CDN and creates direct connections between endpoints (to basically remove all operating costs), and they need to make the onboarding process for hobbyists easier instead of having a “contact sales” link on their homepage for these products. That’s doable.
It may be cheaper to VPN to home vs a cloud server, and you may avoid issues where sites block AWS. You can also securely forward other ports. Sometimes I print or access other services in my house that aren’t internet safe.
Publishing repeatable benchmarks is hard, and when doing open source work, it just hasn't been a priority. As I replied above, if I'm going to say it I should prove it, and I promised to do just that.
And a counterpoint: tailscale does mention in the "Tailscale vs Nebula" article on their website that performance is just about the same but similarly provides no proof. This is motivation enough for me to show proof of the opposite, I guess.
The NAT traversal stuff is all magic that happens before the socket is given to wireguard.
> Your personal information will be transferred ... to certain third parties that provide services on our behalf.
> We use service providers to provide services such as ... data analysis to better understand and improve product and website usage, and providing advertising and marketing services.
:/
At home on my desktop, I just use uBlock Origin in my browser.
But, and I'm probably just shouting into the void at this point, relying upon your network being secured as a method of securing your office/product will only result in heartache.
If you're a company SEO or similar trying to protect your company from threats, your first assumption must be "the network is compromised" no matter whether it's on the internet, or VPN tunnels, or firewalled local network.
Vs a clear moral screw up like the big tech companies colluding to not hire one another’s employees.
Seed investor in Tailscale since 2019.
Massive growth just means you can dominate the market then have more flexibility on the price you'll charge.
I am wary of investors wrecking incentives for founders but that ship sails when you raise an A round. They've done an incredibly good job for me in that time, I think they'll keep on doing that.
Why would their free service change? They're going to make money off big companies. They're not going to make money off me with a bait-n-switch to capture my $10/mo personal budget.
But: Now that they have more money, I just wish they could spend some time making it enterprisey and not hobbyist-ey.
Things like: improve all the screens with high-density modes so we can filter thousands of devices, not hundreds. And make it integrate better with Windows Intune for hands-free deployment i.e. if we're a Hybrid 365 environment, please detect the user's credentials from their Windows install and login automatically. Maybe release an installer for enterprise deployment that silently downloads and installs the latest version so that we can i.e. integrate it into a Windows Autopilot unboxing experience.
Headscale [1] allows one to implement a self-hosted, open source alternative to the Tailscale control server.
[1] https://github.com/juanfont/headscale
Almost all of tailscale is opensourced at this point besides the GUI.
I do have some nits though:
- It's kind of finicky on Android, especially with exit nodes enabled. Sometimes I lose connectivity completely after connecting to an exit node, until I flip my WiFi on and off, then everything starts working.
- Not being able to auto-update the desktop clients, or at least update remotely, is a bit of a pain, and potentially a security risk?
I get why they don't but I often wish more SaaS companies had a bring your own computer & storage model. It doesn't make sense for 95% of customers and the 5% of us who might like it and have the tech chops to use it would just complain about having to pay more because we are outliers. But I wish it was offered!
This is basically just `git pull` on steroids.
The network will coalesce around using a handful of hub nodes for the packet forwarding, and a malicious party need only to coopt that central cluster of nodes to unmask all web users.
The "blockchain bullshit" enables trusted decentralized interaction at scale.
While that's absolutely true, the Node ecosystem (which I use, love, and make my money in) definitely takes the sheer dependencies of dependencies of dependencies problem to a rather fascinating extreme, compared to nearly any other language I use.
Tailscale comes with a few other benefits that don't come on other VPNs. I have my home server set up as an 'exit node' which allows me to route my traffic through it when I'm travelling. Super handy sometimes like when I'm travelling and my bank decides not to let me log in.
tailscale seems to prefer websocket transport for derp frames: https://github.com/tailscale/tailscale/blob/505f844/derp/der...
https://i.imgur.com/hQU6Orz.jpg
Tailscale app not force quit but also not connected
My theory is that this is because there is no standard library in Node.
My JS frontend has something like 20,000 packages that need to be installed to build the app. The next highest-dependency lang I use is python, where my average python app will have approx 100 packages all in. And then it only goes down from there with other systems.
There's an exponential effect at work based on the number of libraries that do any one thing. If in python you have (for sake of argument) an average of 5, and in node an average of 25, the downstream effect is that you have massively more dependencies in your tree (many, many, more than 5x), just like you're seeing.
I still don't think the O(n) properties of dependency trees are any different in other languages though. Node just has the largest scale. If python had as many total packages as node, and was also as popular for building frontends, I think you'd have exactly the same situation. That's what I meant by "not in a different category". Node's scale/popularity is in a different category than python's, but its approach to dependencies is basically the same.
IMO there is no real way to use google in a privacy-protecting way.
Tailscale hosts all the auth and coordination stuff and uses SSO.
Zerotier lets you host an auth server, which also handles connections, but when required some already-established connections go through zerotier servers (encrypted).
We use the latter option at work
Unfortunately if I need to bring anyone into my mesh network who is non technical, this is now a non starter.
Installed zerotier and it couldn't be simpler now.
> Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.
> Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
What makes it really unique though is that it can actually be embedded inside the application via a suite of SDKs. Yes, private, zero trust connectivity inside an application! That provides the highest security and convenience as it can be completely transparent to the user!
Disclaimer, I work for the company who built and maintains OpenZiti so I am opinionated.
Their website makes it seem like you can do SSO/MFA with even the free personal plan though. If you cannot integrate with your SSO provider then that's just marketing bullshit.
What they should really put there is "Can only sign in with Google/Github/Microsoft account".
You can find information about it over at https://openziti.github.io/. You don't even need to trust the software itself. You can add a 3rd party certificate to the server and mint your own private keys/certs and deliver them to your friends and have 100% control over where and how and whom you trust. You control access down to individual services, not CIDR blocks, not IP addresses. You can embed the sdks into any of your own apps if you're into that sort of thing. :) you could set up a relay server in some cloud provider for the 'untrusted' traffic (hmmmm you make me wonder if we could integrate with tor somehow now too...)
Seems like it'd do most/much of the things you want it to. I'd be happy to help you out. We have a discourse you can post questions to.
Our opinion of zero trust is that you should not have to trust us. That's why we made it open source and with its own internal identity system. The only things you need to trust are the controller (which uses your CA/PKI) and the code (which you can audit).
I took a stab at recreating one of the diagrams here, using pikchr: https://zellyn.com/2022/02/tailscale-diagram-in-pikchr/
The existing open source functionality for the overlay network itself is (for me) what's really exciting, and it's all there. The management limitations just keep me from evangelizing more broadly (outside of places like HN).
The embedding inside an app sounds like a really cool discerning feature though. I'll have a look!
Also sad because bring your own storage is more secure to me than trusting a company with all of my passwords. So they are reducing security and increasing price.
And the EC2 instance I installed it on was already being used for other toy projects, so it's not like it cost me anything. The additional egress bandwidth is likely fractions of a penny.
If it’s a real human problem, humans will solve it. If it’s instigated due to someone with coins in their pocket to mesmerize lizard brains, it’s a synthetic solution that will vanish with the synthetic driver of the work; payments.
Just because paying for things is common throughout history does not mean it’s necessary or the best choice long term; see Netflix propping up payment flows churning out crap. It means meat based tape recorders simply LARP the past.
Here are a couple of cool articles on some we have already done: - Springboot framework: https://blogs.oracle.com/javamagazine/post/java-zero-trust-o... - Prometheus: https://openziti.github.io/articles/zitification/prometheus/...
You can connect one person on a free plan, but each person can have their own free plan that you share devices between.
I should really read up on it. I know... I will soon!
The software linked in the parent works with the mobile apps.
Their online security-related UX is also a freaking nightmare. The desktop and mobile apps are excellent and still clearly the best, but yikes, their password plus secret uuid plus device identity is awful. I know multiple people who permanently lost everything thanks to that (remember, no local backups any more! That's what cloud storage almost always guarantees!), and they now push others away too.
I'm now a (relatively) happy KeePass user.
Clint and Ken did a really good ZitiTV on Friday which covered many of the cool superpowers of OpenZiti - https://www.youtube.com/watch?v=4wOGvZqN6Co&ab_channel=OpenZ...