
Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 65 comments
1. boesboes ◴[] No.31260274[source]
For anyone else who wonders wtf tailscale is:

> Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.

It seems to take care of key distribution, nat-traversal, authentication etc etc

Neat! Not sure how that is 'fixing internet' exactly, but really cool anyway

replies(8): >>31260403 #>>31260446 #>>31260650 #>>31260654 #>>31260970 #>>31261908 #>>31268396 #>>31268813 #
2. gowld ◴[] No.31260403[source]
"Fixing the internet" == you can communicate with computers that want to communicate with you, and not with others.
replies(1): >>31260484 #
3. yrro ◴[] No.31260446[source]
Tailscale is one of the ways you can restore the end-to-end connectivity principle that IP introduced and that NAT destroyed.
replies(2): >>31260512 #>>31261439 #
4. contravariant ◴[] No.31260484[source]
"Fixing the internet" == you can communicate with computers that you want to communicate with, and not with others.
replies(2): >>31260639 #>>31264675 #
5. legalcorrection ◴[] No.31260512[source]
This is kind of overstated. Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT.
replies(4): >>31260541 #>>31260693 #>>31260790 #>>31262162 #
6. Spivak ◴[] No.31260541{3}[source]
Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.
replies(1): >>31260919 #
7. philipov ◴[] No.31260639{3}[source]
"Fixing the internet" == computers that mutually consent to communicating with each other are able to communicate with each other
replies(1): >>31260941 #
8. ◴[] No.31260650[source]
9. ncmncm ◴[] No.31260654[source]
I thought that Tailscale was pretty interesting.

Avery Pennarun, its CTO, is somebody whose judgment I am used to trusting.

Then I learned that to use it, I would be dependent on authenticating using a login on one of the unaccountable internet behemoths who could take away my account for any random reason or no expressed reason at all.

No, thank you.

replies(10): >>31260714 #>>31260778 #>>31261024 #>>31261405 #>>31261904 #>>31262913 #>>31263886 #>>31268402 #>>31272508 #>>31275084 #
10. zinekeller ◴[] No.31260693{3}[source]
This fact must be bundled everywhere someone mentions "IPv6 will allow direct connectivity again". While NAT isn't a fully-functional firewall, it did do things that a firewall in a router would do. What equipment has proper IPv6 firewalls? Routers, that's who.
11. rrdharan ◴[] No.31260714[source]
I agree, GitHub is awful.
12. __float ◴[] No.31260778[source]
If you use an identity provider like Okta or OneLogin, then you're not tied to any "contentful" services like GitHub or a Google account that "historically" seem to have more problems of this type.

As far as threat models go, I can't really say I understand this one too much.

replies(3): >>31261608 #>>31262055 #>>31265188 #
13. throw0101a ◴[] No.31260790{3}[source]
> Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT.

No, they do not behave just like NAT. With NAT you have two problems:

* figuring out your address

* firewall hole punching

With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.

* https://en.wikipedia.org/wiki/Hole_punching_(networking)

* https://en.wikipedia.org/wiki/Port_Control_Protocol

* https://en.wikipedia.org/wiki/Universal_Plug_and_Play

* http://www.upnp.org/resources/documents/AnnexA-IPv6_000.pdf

This helps immensely for residential connections since people (generally) control their gateways, and with more and more higher speed (fibre) connections being done, it could help in more self-hosted and peer-to-peer services.

What one is allowed to do at the office would be dictated by the policy(s) of your employer: they could allow PCP/uPNP opening via authenticated requests for example.

replies(2): >>31261032 #>>31263531 #
14. throw0101a ◴[] No.31260919{4}[source]
> Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.

Sure they are. All home routers that I'm aware of allow for port forwarding so folks can self-host a service: perhaps a game server (e.g., Minecraft), web, e-mail, etc.

It's just going forward you can set up a separate subnet to put your gear in (especially if you get multiple /64 subnets from your ISP). You can have a DMZ, and use either the router- and/or host-level firewall to dictate which connections are allowed.

replies(2): >>31261261 #>>31263755 #
15. xeyownt ◴[] No.31260941{4}[source]
"Fixing the internet" == computers whose _owners_ mutually consent to communicating with each other are able to communicate with each other
16. IanCal ◴[] No.31260970[source]
I'm about to go away but having local access will be very useful.

I've just set up tailscale in a few minutes, very smoothly. I'm impressed it scales down to this kind of simple use case nicely, and it seems it has nice features as my use cases might scale up.

17. naikrovek ◴[] No.31261024[source]
Google does that, Microsoft doesn't. Microsoft will ban you from a particular service if you egregiously violate the terms of service for a particular application of theirs, but never the whole account.

Google will throw you on your ass in the blink of an eye.

replies(1): >>31262300 #
18. zinekeller ◴[] No.31261032{4}[source]
No, no, no, no. You haven't really experienced the quality of IPv6 routers at home. The only thing that I can (probably) say with confidence is you will not need TURN, and even that assumption can be broken with even more restrictive firewalls that block nearly all UDP traffic, or you may even not know your real public address because IPv6 NAT does exist (https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no..., https://datatracker.ietf.org/doc/html/rfc6296), but fortunately this is usually found in enterprise stuff. NAT-PMP or router UPnP is probably the wildest: the majority don't support it (remember that I'm focusing on ISP routers since most people don't bother to switch to actual routers...*), some only on IPv4 (which is even more frustrating), and only a few support it correctly. Worse, those same broken garbage-level routers have NAT-like firewalls: at least you know what address and port you will use to contact the other computer, but you will still need UDP (a TCP handshake will be very problematic) and you will still need keepalives (or otherwise your firewall will just close the port).

* ... and most that do get another router (usually because they have seen that their Wi-Fi on the "modem" is bad) don't turn on** bridge mode, which will be a definite headache on both IPv4 (double NAT) and IPv6 (address conflict, especially if you're using an ISP like Comcast that would only allocate a /64 and no more).

** ... because you need to call up the ISP, or they even outright refuse to bridge it (either because they're stupid but you don't have another ISP to switch to, or the equipment manufacturer of their garbage special router didn't program one).

replies(1): >>31262619 #
19. zinekeller ◴[] No.31261261{5}[source]
... if your definition of "home routers" excludes ISP-provided ones, then I'll agree. Unfortunately, I'm pretty sure that either you are on an ISP that actually cared and found a good supplier or didn't check out what are the capabilities of ISP-provided routers.
replies(2): >>31262101 #>>31264973 #
20. boesboes ◴[] No.31261405[source]
Oh, that is a shame. I can see why they do it like this for businesses, but for personal accounts I refuse to use SSO. Been bitten by that a few times too many.

I _could_ use my github account, but I don't trust them at all anymore. And I'm not going to setup an account with some other service just to use this. So that is a hard pass for personal use.

For a company it makes sense to have to use whatever sso provider you are already using i guess

21. boesboes ◴[] No.31261439[source]
Ah yeah, that makes sense.
22. margalabargala ◴[] No.31261608{3}[source]
As an example: shortly after Russia invaded Ukraine, Namecheap cancelled all accounts of all of its customers who were located in Russia. This was done regardless of what content if any was hosted by the account, whether or not the person in question supported the war, or whether the person in question was actively fleeing Russia and may have been relying on technical infrastructure they had previously set up to help them do so.

Just because a service you sign up for is not contentful, does not mean that they won't choose to boot you off for some reason completely unrelated to anything you control or anything you chose to do.

replies(1): >>31264710 #
23. systemvoltage ◴[] No.31261904[source]
Yes. If they can’t build basic auth and make sure it’s secure, it sends quite the message.

Super annoying and borderline unacceptable.

replies(1): >>31265757 #
24. zepearl ◴[] No.31261908[source]
So basically Wireguard with automated key setup/distribution/identity management?

(btw. I love Wireguard - currently using it to route traffic between my servers + transfer media between my home and my mother's mediacenter with both PCs being behind their own router - she loves it too as so far there were no problems hehe)

replies(1): >>31263842 #
25. DarylZero ◴[] No.31262055{3}[source]
Okta and OneLogin are both private corporations that have each existed for 13 years. Does your threat model include an estimate for how long they will stay in business? What if one of them puts the other out of business? Does your threat model choose a winner in that fight?

As far as paid services the possibility also is there that someday _you_ run out of money and have to stop paying them. They tend to shut down your access when that happens. Another financial threat you have to model.

These things don't happen when you use public key authentication.

26. dsr_ ◴[] No.31262101{6}[source]
Of the three ISPs in my area that I have used, all of them allowed inbound traffic and either had useful controls in their routers or didn't supply a router, just an ethernet handoff. RCN, Comcast, Verizon.

All of them filtered out the SMB/CIFS ports.

Two of them filtered outbound port 25; one of them was willing to open it with the additional cost of a static IP.

replies(1): >>31262158 #
27. zinekeller ◴[] No.31262158{7}[source]
Yeah, it's inconsistent to be honest. I've found Hitron to not have any sort of firewalls (except for IPv4 NAT if you consider it as a firewall), while Huawei routers (which are not used in the US for reasons hopefully known to you) do have an IPv6 firewall that is only an off or on switch; stupidly, their enterprise stuff does have advanced controls. Alcatel/Nokia-branded ones are inconsistent to say the least, and the same can be said for Zyxel. I'm actually interested in checking out other routers used by ISPs, but those are the ones I've actually seen.
28. dave_universetf ◴[] No.31262162{3}[source]
Our epic treatise on how NAT traversal works (in general, not specific to Tailscale) mentions this. IPv6 greatly reduces the amount of pain for p2p connections, but does not eliminate some of the fundamentals (stateful firewall traversal) if you want it to be zero-config: https://tailscale.com/blog/how-nat-traversal-works/

But until deployment hits 100%, and until ISPs start caring about IPv6 reliability the way they do about IPv4, "just use IPv6" can't be your answer. It's lovely when it works, but you need to do something other than "give up" when it doesn't. (also, as long as the internet is dual-stacked, doing IPv6 right also implies figuring out if NAT64 is in play, and wielding it correctly; so arguably IPv6 adds more complexity to the overall story, for now :) )

replies(1): >>31271734 #
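The two points debated above (that a stateful IPv6 firewall still drops unsolicited inbound packets and times out idle UDP flows unless the inside host sends keepalives, and that an explicit PCP/UPnP-style pinhole removes the need for both) can be seen in a toy model. The following is an added example written for this thread, not code from Tailscale or from any commenter; the firewall, the flow timeout, the `open_pinhole` call standing in for a PCP MAP / UPnP port-mapping request, and the `2001:db8::/32` documentation addresses are all constructed for illustration.

```python
"""Toy stateful firewall: constructed model, not a real implementation.

Inbound packets are admitted only if they match an existing outbound flow
(which expires after FLOW_TIMEOUT idle seconds) or an explicit pinhole.
"""
from dataclasses import dataclass

Endpoint = tuple[str, int]  # (IPv6 address, UDP port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "udp"


class StatefulFirewall:
    def __init__(self, inside_prefix: str, flow_timeout: float = 30.0):
        # Hypothetical prefix match; a real firewall would match on interface/route.
        self.inside_prefix = inside_prefix
        self.flow_timeout = flow_timeout
        self.flows: dict[tuple, float] = {}   # (proto, inside_ep, outside_ep) -> last seen
        self.pinholes: set[tuple] = set()      # (proto, inside_ep) opened on request
        self.log: list[str] = []

    def _inside(self, ep: Endpoint) -> bool:
        return ep[0].startswith(self.inside_prefix)

    def open_pinhole(self, proto: str, inside_ep: Endpoint) -> None:
        """Models the inside host asking the gateway for a mapping (PCP/UPnP-style)."""
        self.pinholes.add((proto, inside_ep))

    def _expire(self, now: float) -> None:
        for key, last in list(self.flows.items()):
            if now - last > self.flow_timeout:
                del self.flows[key]

    def forward(self, pkt: Packet, now: float) -> bool:
        """Return True if the packet is passed, False if dropped."""
        self._expire(now)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound traffic creates or refreshes a flow entry.
            self.flows[(pkt.proto, pkt.src, pkt.dst)] = now
            return True
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            key = (pkt.proto, pkt.dst, pkt.src)
            if key in self.flows:
                self.flows[key] = now  # reply to a live flow refreshes it
                return True
            if (pkt.proto, pkt.dst) in self.pinholes:
                return True
            self.log.append(f"drop unsolicited {pkt.src} -> {pkt.dst} at t={now}")
            return False
        return True  # inside-to-inside or transit traffic is not modelled


def run_exchange(keepalives=(), pinhole=False, timeout=30.0) -> dict:
    """Constructed exchange between alice (inside) and bob (outside peer)."""
    fw = StatefulFirewall("2001:db8:1::", flow_timeout=timeout)
    alice: Endpoint = ("2001:db8:1::10", 41641)
    bob: Endpoint = ("2001:db8:2::20", 41641)
    if pinhole:
        fw.open_pinhole("udp", alice)
    unsolicited = fw.forward(Packet(bob, alice), 0.0)   # bob speaks first
    fw.forward(Packet(alice, bob), 1.0)                 # alice opens the flow
    reply = fw.forward(Packet(bob, alice), 2.0)         # bob's reply matches it
    for t in keepalives:                                # optional keepalives
        fw.forward(Packet(alice, bob), t)
    after_idle = fw.forward(Packet(bob, alice), 60.0)   # bob sends after the idle gap
    return {"unsolicited": unsolicited, "reply": reply,
            "after_idle": after_idle, "drops": len(fw.log)}


if __name__ == "__main__":
    print("no keepalive, no pinhole:", run_exchange())
    print("keepalives every 25s:    ", run_exchange(keepalives=(25.0, 50.0)))
    print("PCP/UPnP-style pinhole:  ", run_exchange(pinhole=True))
```

Without keepalives the 30-second idle gap drops the flow and bob's packet at t=60 is rejected even though alice's address is globally routable; keepalives inside the timeout keep it alive, and the pinhole admits even the first unsolicited packet, which is the "tell your firewall to allow connections from the peer" case without STUN or TURN.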
29. skoskie ◴[] No.31262300{3}[source]
Is there anything in their TOS that states it or has this just been their practice so far?
replies(1): >>31262875 #
30. throw0101a ◴[] No.31262619{5}[source]
> No, no, no, no. You haven't really experienced the quality of IPv6 routers at home.

I've been running IPv6 at home >2 years. You're telling me that my own experience is invalid?

replies(1): >>31262711 #
31. zinekeller ◴[] No.31262711{6}[source]
No, not necessarily, but if you're using an aftermarket router rather than an ISP-supplied router, then this rather long list is not applicable to you.
replies(1): >>31270941 #
32. ncmncm ◴[] No.31262875{4}[source]
Does it matter? Whether they say they will do it, or just do it without saying they will, the experience is the same.

What matters most is if they can. Then, if they ever have done. What I want is that they can't.

replies(1): >>31265442 #
33. ibejoeb ◴[] No.31262913[source]
Is that generally true? A third-party authentication service is needed just to get it going, or is that needed for specific use cases?
replies(1): >>31263532 #
34. irq-1 ◴[] No.31263531{4}[source]
> With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.

What about phone networks? (in the US providers block all incoming traffic.) Or other ISPs that block incoming traffic?

NAT has been used to address a fundamental problem of what traffic can be trusted. That's what Tailscale fixes.

replies(1): >>31264905 #
35. ncmncm ◴[] No.31263532{3}[source]
Apparently the third-party authentication service is needed just to get it going. If you get an "enterprise license" you can choose among more authentication services, but not yourself.

Some people suggest trying Nebula instead.

36. legalcorrection ◴[] No.31263755{5}[source]
The point is for the user to not have to go configure their firewall.
replies(1): >>31264872 #
37. zellyn ◴[] No.31263842[source]
That, plus fanatically good NAT Traversal: https://tailscale.com/blog/how-nat-traversal-works/
replies(2): >>31265916 #>>31271594 #
38. kyawzazaw ◴[] No.31263886[source]
Avery Pennarun is CEO.

David Crawshaw is CTO.

replies(1): >>31263956 #
39. ncmncm ◴[] No.31263956{3}[source]
I am corrected.
40. lupire ◴[] No.31264675{3}[source]
You can do some things that you don't want to do.

If someone uses a rubber hose, you might be forced to communicate against your will, using the fixed Internet.

41. woodruffw ◴[] No.31264710{4}[source]
This is a strange example to pick given that (1) it's a war, and (2) a significant percentage (majority?) of Namecheap's employees and offices are in Ukraine.

If we (the US) decided to invade Canada tomorrow, you can be certain that the maple syrup would stop flowing.

Edit: According to their website[1], the overwhelming majority of their employees are in Ukraine. Two of the three cities they have offices in are on the current combat front.

[1]: https://www.namecheap.com/careers/ukraine

replies(1): >>31268264 #
42. throw0101a ◴[] No.31264872{6}[source]
Which can be done via UPnP and PCP, and without having to maintain TURN/STUN/etc infrastructure. The latter of which can only be done with IPv6, since with IPv4 you're NATing.

So IPv6 makes things easier—which was the point of my post: IPv6 makes things easier.

43. ◴[] No.31264905{5}[source]
44. throw0101a ◴[] No.31264973{6}[source]
With IPv4 I have to worry about UPnP/PCP working and TURN/STUN/etc nonsense when it comes to peer-to-peer protocols. With IPv6 I only have to worry about UPnP/PCP working. In my books that's an improvement.

If I want to self-host something, then with IPv4 I have to publish my IP and worry about the CPE supporting port forwarding. With IPv6 I have to publish my IP and use UPnP/PCP to allow all connections. Is there any CPE gear that does not support UPnP/PCP?

45. orojackson ◴[] No.31265188{3}[source]
For enterprise, sure, using a separate IDM provider works, but last I checked, neither Okta nor OneLogin cater to individuals and their personal accounts. So as far as threat models go, I understand why people view this requirement from Tailscale as utter garbage for personal accounts.
46. naikrovek ◴[] No.31265442{5}[source]
you want a free service written, maintained, and hosted by others that they don't control. Am I understanding you?
replies(1): >>31265589 #
47. ncmncm ◴[] No.31265589{6}[source]
No. I would be happy to pay for service, but they offer no choice but to rely on somebody else's authentication, regardless.
replies(1): >>31265854 #
48. chipsa ◴[] No.31265757{3}[source]
They don't want to build basic auth. They probably could, but it gives them more headaches and customer service touch points compared to delegating that out. Like: what if the user forgets their password? Or what if they lose their 2FA device?
replies(1): >>31265792 #
49. systemvoltage ◴[] No.31265792{4}[source]
Yes, welcome to operating a SaaS.
50. naikrovek ◴[] No.31265854{7}[source]
read harder next time. https://tailscale.com/kb/1119/sso-saml-oidc/
replies(2): >>31270238 #>>31270408 #
51. zepearl ◴[] No.31265916{3}[source]
But isn't that just part of Wireguard itself? In the end that's what's happening in my case when I exchange data through Wireguard between my flat and the one of my parents... .
replies(1): >>31266087 #
52. seabrookmx ◴[] No.31266087{4}[source]
No, wireguard is just the VPN itself.

The NAT traversal stuff is all magic that happens before the socket is given to wireguard.

replies(1): >>31273161 #
53. klabb3 ◴[] No.31268264{5}[source]
I don't think parent is saying it's unexpected, but rather that having a third-party identity provider (especially a corporation) is an unwarranted and/or unwanted political dependency. I deeply empathize with this sentiment but also recognize why many companies choose to rely on them (identity is very difficult).
54. conductr ◴[] No.31268396[source]
Maybe an apt place to ask the question: all of my devices are silos. I'm still wondering if this is for people besides me, or if I'm just missing the potential use cases for myself. I have never needed to connect my devices to each other. In the house I have a few laptops, a couple phones, Xbox, Apple TVs, fire sticks, and every device is just connected to the Google mesh Wi-Fi. Every device communicates out for what it needs (and yeah probably more) but I never in years have needed to use a device as a server unless I was developing on it and using it as localhost. Do I still have a use for tailscale?
55. stavrianos ◴[] No.31268402[source]
What precisely are the consequences of the third-party auth? Is it, they get an IP ping each time a device connects or does anything? Or, does that only happen once, but they can revoke access at any time? *Surely* they aren't granted access to the content? That would be mindboggling.
56. dataangel ◴[] No.31268813[source]
How is that different than just regular VPN?
57. Handytinge ◴[] No.31270238{8}[source]
This isn't a very nice comment (from my reading anyway).

> Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.

> Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.

58. ncmncm ◴[] No.31270408{8}[source]
Thank you. It is hard to interpret what this might mean, for me.
59. jhugo ◴[] No.31270941{7}[source]
I'm guessing you're in the US? Haven't had any problems with IPv6 on ISP-supplied routers in UK, NL, DE, CN, HK, VN, TH, SG over the last 10y or so, seems like a solved problem for most of the world.
60. dx034 ◴[] No.31271594{3}[source]
A bit offtopic, but how did they create the visualizations? Do they have a designer on their team for that or is there any good tool that creates charts like these?
replies(1): >>31272940 #
61. legalcorrection ◴[] No.31271734{4}[source]
Very cool write-up. Thank you all for writing (and linking) it.
62. PLG88 ◴[] No.31272508[source]
You should check out the open-source project OpenZiti (https://openziti.github.io/). It has its own internal PKI system so you don't need to (but can) link to an external 3rd party. It also allows you to close all inbound ports and link listeners (as every endpoint has embedded identity, so it makes outbound-only connections) and can be embedded directly into apps with SDKs as well as deployed on any popular OS or as a virtual appliance.
63. zellyn ◴[] No.31272940{4}[source]
A designer drew them: https://twitter.com/apenwarr/status/1241188397013774337

I took a stab at recreating one of the diagrams here, using pikchr: https://zellyn.com/2022/02/tailscale-diagram-in-pikchr/

64. zepearl ◴[] No.31273161{5}[source]
thx
65. dstanbro ◴[] No.31275084[source]
If you're that concerned with 3rd party auth, I'm surprised you're not more concerned about trusting your virtual network to a SaaS platform (who could definitely decrypt the traffic). For those more privacy minded, they'd probably wanna go with one of the self-hosted alternatives, of which there are now a few.