
Tailscale raises $100M

(tailscale.com)
854 points by gmemstr | 10 comments
1. throwaway92394 No.31260376
Am I the only one that has an issue with a VPN that I can't self-host? Presumably if Tailscale gets PWN'd or subpoenaed then your network is breached, no?
replies(7): >>31260409 #>>31260514 #>>31260521 #>>31260540 #>>31260615 #>>31260804 #>>31261420 #
2. lvh No.31260409
Depends on the kind of breach. Tailscale is extremely carefully designed to minimize that risk. Notably: Tailscale doesn't get your keys. (Granted: a compromised agent would still be a problem. It's a thing I have some plans for :-))

(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)

3. moloch No.31260514
No, they don't have access to the Wireguard keys and everything is point-to-point. They'd have to push a backdoored software update to gain access (and this is a threat with any vendor product).
replies(1): >>31263189 #
4. bfm No.31260521
A self-hosted alternative we've been using for our infrastructure is innernet, which was discussed on https://news.ycombinator.com/item?id=26628285 last year.
5. cassianoleal No.31260540
You're certainly not the only one. There is headscale [0] if you're worried about that though.

[0] https://github.com/juanfont/headscale

6. cpuguy83 No.31260615
Tailscale's data plane [1] is mostly p2p, except for some cases where that doesn't work and it goes through an encrypted relay. So your data does not run through Tailscale servers.

There is an OSS coordination server [2] that does let you totally self-host.

[1] https://tailscale.com/blog/how-nat-traversal-works/

[2] https://github.com/juanfont/headscale

replies(1): >>31268145 #
7. aborsy No.31260804
Yes, Tailscale distributes public keys, and can add arbitrary nodes to anyone’s network.

Not that they do it, but the possibility is there, and one has to account for risks.

8. atsmyles No.31261420
Just install wireguard yourself. With Bullseye on the RPi, it is easier than ever. There is a learning curve, but it is worth it.
9. soraminazuki No.31263189
IIUC Tailscale controls key distribution, so you'd still have to trust them. However, it might still be possible to eliminate that need for trust by verifying peer connections out of band.
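Comments 7 and 9 above make one point between them: whoever runs key distribution decides which public keys a node is told to peer with, and the way to stop trusting that party is to verify peers out of band. The script below is an added example written for this thread; it is not code from Tailscale, headscale, or any commenter, and it does not parse any real control-plane output. It assumes a node can obtain the peer list it was pushed as a name-to-public-key mapping, and that the operator has recorded each device's key fingerprint over a separate channel (reading it off the device itself, a signed inventory, and so on). All device names and keys are constructed placeholders.

```python
"""Out-of-band check of the peer list a coordination server pushes to a node.

Added example for this thread, not code from Tailscale or any commenter.
Threat model from the discussion: the party that distributes public keys
could, in principle, push a peer list containing a key the operator never
enrolled, or substitute the key of an existing peer. Mitigation shown here:
pin a fingerprint per peer obtained over a separate channel and diff the
pushed list against the pins before any peer is accepted.
"""
import base64
import binascii
import hashlib
from typing import Dict, List

KEY_LEN = 32  # a WireGuard (Curve25519) public key is 32 raw bytes


def fingerprint(pubkey_b64: str) -> str:
    """Short hex fingerprint of a base64-encoded WireGuard public key.

    Convention chosen for this example (not a WireGuard standard): SHA-256
    of the raw key, first 16 hex characters. Raises on malformed input.
    """
    raw = base64.b64decode(pubkey_b64, validate=True)  # binascii.Error on junk
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN}-byte key, got {len(raw)}")
    return hashlib.sha256(raw).hexdigest()[:16]


def constructed_key(label: str) -> str:
    """Deterministic placeholder key for the sample data below.

    Real keys come from `wg genkey | wg pubkey`; these are just base64 of a
    hash so the example runs offline with well-formed 32-byte values.
    """
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


# What the operator recorded out of band, device by device (constructed).
PINNED: Dict[str, str] = {
    name: fingerprint(constructed_key(name))
    for name in ("laptop", "homeserver", "nas", "printer")
}

# What the coordination server pushed (constructed). Four things are off:
# "homeserver" carries a different key, "rogue-node" was never enrolled,
# "printer" is absent, and "camera" arrives with a malformed key.
PUSHED: Dict[str, str] = {
    "laptop": constructed_key("laptop"),
    "homeserver": constructed_key("homeserver-substituted"),
    "nas": constructed_key("nas"),
    "rogue-node": constructed_key("rogue-node"),
    "camera": "not-a-key",
}


def audit_peers(pushed: Dict[str, str], pinned: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a pushed peer list against pinned fingerprints.

    ok:           pinned name, fingerprint matches
    key_mismatch: pinned name, pushed key differs (possible substitution)
    unknown:      pushed name never pinned (possible injected node)
    missing:      pinned name not pushed (possible removal or routing change)
    invalid:      pushed key is not a well-formed 32-byte base64 key
    """
    buckets = ("ok", "key_mismatch", "unknown", "missing", "invalid")
    result: Dict[str, List[str]] = {b: [] for b in buckets}
    for name, key in pushed.items():
        try:
            fp = fingerprint(key)
        except (ValueError, binascii.Error):
            result["invalid"].append(name)
            continue
        if name not in pinned:
            result["unknown"].append(name)
        elif pinned[name] != fp:
            result["key_mismatch"].append(name)
        else:
            result["ok"].append(name)
    result["missing"] = [n for n in pinned if n not in pushed]
    for names in result.values():
        names.sort()
    return result


def peer_is_trusted(name: str, key: str, pinned: Dict[str, str]) -> bool:
    """Gate for a single peer: accept only a pinned name whose key matches."""
    try:
        return pinned.get(name) == fingerprint(key)
    except (ValueError, binascii.Error):
        return False


if __name__ == "__main__":
    for bucket, names in audit_peers(PUSHED, PINNED).items():
        print(f"{bucket:13s} {', '.join(names) or '-'}")
```

The useful property is that nothing in the pushed list is accepted on its own authority: `peer_is_trusted` answers "no" for an unpinned name, a changed key, and a malformed key alike, so a compromised or coerced coordination server can at most deny service, not silently add a peer. The cost is the same as with any pinning scheme: every enrolment and key rotation has to update the pinned set through the out-of-band channel first.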
10. ignoramous No.31268145
If the Tailscale control plane is pwnd, outside of compromised ACLs (access controls) and DNS routes, I don't think it affects anything critical on the data plane like passwords (because SSO) or private keys, since Tailscale machine keys and node keys never leave the device: https://tailscale.com/blog/tailscale-key-management/