Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 17 comments
1. eadmund ◴[] No.31260261[source]
> For people who believe there’s a catch — and most still do — then I don’t know how to write a blog post or hire a marketing or sales team to change their minds.

I think the catch is that (at least at the free level) one must trust an identity provider. For many companies that's probably fair enough, but for high-security companies and private individuals one absolutely cannot trust anything running outside of one's physical control. Service providers can be suborned, either legally by corrupt regimes or illegally by employees. There is no way that I would permit Google, Microsoft or GitHub (their three supported options) to gate access to my private devices.

I think that one must also trust Tailscale themselves, although I could be wrong about that.

replies(3): >>31260411 #>>31260441 #>>31260476 #
2. lmeyerov ◴[] No.31260411[source]
Yep we had it rejected w an enterprise we work with as the org needed to own the full control plane so we couldn't bring it in, and not on the schedule for the org's security team for them to bring it in. Making a smarter, easier, and less creepily managed VPN more palatable to enterprises would be awesome, so the marketing value of their fundraise is real.
replies(2): >>31260477 #>>31265111 #
3. lvh ◴[] No.31260441[source]
Tailscale will let you use any SAML or OIDC provider you like in the Enterprise plan (presumably because of the cost that supporting the long tail of nonsense IdPs will produce).

(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)

replies(3): >>31260700 #>>31262196 #>>31262919 #
4. ◴[] No.31260476[source]
5. RL_Quine ◴[] No.31260477[source]
There's a kind of WIP control server implementation, it's not production ready in my opinion but it's definitely usable.

https://github.com/juanfont/headscale

replies(1): >>31260763 #
6. typical182 ◴[] No.31260700[source]
Semi-related question: did Latacora or @tqbf ever open source their Go-based SAML IDP? https://twitter.com/tqbf/status/938501701526487040

(That tweet I think was a teaser saying it was coming. I subsequently looked for it a few times and never found it, but maybe plans changed, or maybe I just failed to find it).

replies(1): >>31261529 #
7. lmeyerov ◴[] No.31260763{3}[source]
Super cool, and a lot of contributors!

Can this work with the rest of the wireguard ecosystem (agents, UIs, ...) for a full VPN soln without involving the VC-tied company?

replies(2): >>31261426 #>>31262133 #
8. RL_Quine ◴[] No.31261426{4}[source]
Yes, it's usable with every tailscale client (except for iOS). You provide an argument to make headscale your controller, and then it works much the same as the hosted Tailscale service, with only some minor differences in configuration.
9. lvh ◴[] No.31261529{3}[source]
Nope. It was pretty much just Thomas and Erin working on it, and I don't think it's operational. Sorry :(
10. madjam002 ◴[] No.31262133{4}[source]
Yes, it works with all of the Tailscale clients except for iOS. No, it does not work with clients from the broader Wireguard ecosystem (e.g. the Wireguard iOS app).
11. eadmund ◴[] No.31262196[source]
That only addresses half the problem, though, right? Can't Tailscale still add any nodes they want to one's network?

Also, it doesn't address the individual case, but that's fair enough: Tailscale isn't a charity.

12. colordrops ◴[] No.31262919[source]
Don't you have to also trust Tailscale's closed-source coordinator node?
replies(1): >>31263663 #
13. wmf ◴[] No.31263663{3}[source]
Which also applies to Tailscale's SD-WAN and cloud VPN competitors.
replies(1): >>31263969 #
14. colordrops ◴[] No.31263969{4}[source]
But doesn't apply to my wireguard setup on my OPNSense installation at home.
replies(1): >>31264423 #
15. wmf ◴[] No.31264423{5}[source]
This is the HN disconnect: people commenting here have completely different concerns than Tailscale's actual customers.
replies(1): >>31265253 #
16. chipsa ◴[] No.31265111[source]
I've seen them mention that they're looking at having the coordination server being self-hostable (and is for some client already), so I expect that to be one of the things you can get at the higher price points in the near future.
17. colordrops ◴[] No.31265253{6}[source]
That is true. Sometimes we are talking about the business aspects of product-market fit, and sometimes we are talking about our own personal use of the product or domain. In this case it's both.