Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 40 comments
nickysielicki ◴[] No.31260955[source]
Tailscale has a fantastic product, I’ve been extremely happy from day one. If you’re waiting for a weekend to have a few hours to try out Tailscale, don’t, it takes 15 minutes to get every device you own up and running and talking. This is the lowest friction personal VPN to ever exist, and once you see how easy it is for your own devices, you’ll wish you had it at work.

The biggest risk that this company has is that Cloudflare (in all reality) should just buy them or reimplement it. It’s the type of product Cloudflare would make, that’s for sure. Being based on open source WireGuard, and being just a STUN/TURN server at its core… I’m sure that Tailscale will be the first but maybe not the best.

I’ve been dreaming lately of a tor-like network that’s based loosely on the idea of tailnets. Rather than blockchain bullshit, you’d have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don’t trust, but who know someone you do trust.

Web3 happens when people can host stuff on their phones, and Tailscale is something that lets you host things on your phone.

replies(16): >>31261040 #>>31261078 #>>31261130 #>>31261312 #>>31261392 #>>31261800 #>>31261878 #>>31264974 #>>31265274 #>>31265636 #>>31265787 #>>31267524 #>>31267632 #>>31267917 #>>31267947 #>>31272295 #
1. siavosh ◴[] No.31261130[source]
I’m pretty ignorant on this topic, but what are the benefits of having a personal VPN?
replies(7): >>31261258 #>>31261313 #>>31261391 #>>31261507 #>>31261763 #>>31264204 #>>31267904 #
2. gzer0 ◴[] No.31261258[source]
I am able to route traffic on my mobile device through my home network via the use of their "exit node" option. It allows one of my home devices to act as an exit node for my entire personal tailscale network.

This serves multiple benefits: the main one being that I receive pi-hole filtered ad-free traffic on my mobile device via a Wireguard VPN with my home IP 24/7/365

replies(5): >>31261546 #>>31262837 #>>31264416 #>>31265604 #>>31271256 #
3. newaccount74 ◴[] No.31261313[source]
I use it so I can connect to my work machine (dynamic IP on office wifi) from my laptop (dynamic IP, home Wifi).

It's also great to be able to just ssh into your laptop at home when you're at work and you forgot to push whatever you were working on last night.

It's not necessary, but Tailscale makes a lot of things just easier.

replies(1): >>31262486 #
4. shepherdjerred ◴[] No.31261391[source]
I have a server at home with file syncing, personal media, and home automation. I want to be able to access it remotely, but I’d rather some of those things not be publicly accessible for security. I could always do HTTP auth with an nginx reverse proxy, but it’s not a very smooth workflow and it relies on me being able to configure my server/services correctly.

Instead I can bind my services to Tailscale's network interface and access it anywhere that I’m connected to my Tailscale network. It’s like authentication for free.

As a side note I know this is an anti-pattern since one intruder can access all of my services, but that’s not a vector I’m really concerned about since I’m not exactly a high value target.

replies(1): >>31264665 #
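
An added example, not part of the thread: one way to verify the setup described in the comment above, that services really listen only on the Tailscale address rather than on every interface. It assumes Tailscale's 100.64.0.0/10 and fd7a:115c:a1e0::/48 address ranges (not stated in the thread), and the `ss -ltnH` output is a constructed sample.

```python
import ipaddress

# Assumption (not stated in the thread): Tailscale assigns node addresses from
# 100.64.0.0/10 (IPv4) and fd7a:115c:a1e0::/48 (IPv6).
TAILNET = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `ss -ltnH` output (Linux); addresses and ports are made up.
SAMPLE_SS = """\
LISTEN 0 128 100.101.102.103:8384 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8123 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [fd7a:115c:a1e0::1234]:8096 [::]:*
LISTEN 0 128 192.168.1.10:445 0.0.0.0:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop brackets and any %iface scope
    return ("0.0.0.0" if host == "*" else host), int(port)

def classify(host):
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"   # reachable from LAN/WAN too, not just the tailnet
    if any(ip in net for net in TAILNET if net.version == ip.version):
        return "tailnet-only"
    return "other-interface"

def audit(ss_output):
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        findings.append((port, host, classify(host)))
    return findings

def exposed(findings):
    """Ports listening somewhere other than loopback or the tailnet address."""
    return sorted(p for p, _, kind in findings
                  if kind in ("all-interfaces", "other-interface"))

if __name__ == "__main__":
    print("ports to review:", exposed(audit(SAMPLE_SS)))
```

On a real host, feed it the output of `ss -ltnH`; anything it reports is a listener that does not depend on tailnet membership for access control.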
5. stanmancan ◴[] No.31261507[source]
You can access your home network and any machines on it without exposing anything to the public internet. It's much safer to connect to my home network over a VPN than to expose all of the services to the public internet and hope they're all secure.
replies(1): >>31265482 #
6. karlshea ◴[] No.31261546[source]
I can do that without Tailscale though by just using the WireGuard app. What is Tailscale adding to this?
replies(4): >>31261559 #>>31262577 #>>31262741 #>>31267601 #
7. nickysielicki ◴[] No.31261559{3}[source]
NAT breaking, I can have a wireguard network with Tailscale where every device only has an RFC1918 address and a default route.
replies(3): >>31261726 #>>31265016 #>>31266547 #
8. karlshea ◴[] No.31261726{4}[source]
Ahhh that is slick
9. ziftface ◴[] No.31261763[source]
Some of my friends used it to play older lan games
10. yeswecatan ◴[] No.31262486[source]
> It's also great to be able to just ssh into your laptop at home when you're at work and you forgot to push whatever you were working on last night.

What's the difference between using Tailscale for this and just opening the port on your router?

replies(3): >>31262863 #>>31263184 #>>31264890 #
11. rrix2 ◴[] No.31262577{3}[source]
not having to generate, manage, and distribute wireguard secrets and configurations was good enough reason for me to switch.

Tailscale also provides a "magic DNS" service which lets you resolve your Tailscale device names without setting up unbound etc, and which can relay other requests through to your pi-hole or unbound or whatever, which can then listen only on the tailscale IP address, so no need to run an open resolver or deal with source IP filtering.

e: also, you can share devices between tailscale users without generating, managing, distributing wireguard secrets. You send your pal/partner/kid a link and they can access your fileserver or raspberry pi webserver or pihole server for themselves wherever they are.

12. ReverseCold ◴[] No.31262741{3}[source]
> For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.
13. ◴[] No.31262837[source]
14. colordrops ◴[] No.31262863{3}[source]
Someone answered above - it works even if you have no router you can configure, using NAT busting. I do what you suggest though, just setting up wireguard directly on my OPNSense router. I don't want to get any private company involved in my VPN setup.
15. pimeys ◴[] No.31263184{3}[source]
Easier. And you don't open the port to a public network.
16. GekkePrutser ◴[] No.31264204[source]
For me: direct routing between endpoints, thus reducing the lag and spec restrictions you get from routing through a single VPN server.

Other things are seamless transition to local networks, and you can even have local network encryption.

17. Sohcahtoa82 ◴[] No.31264416[source]
What other benefits are there? I use a PiHole to block ads on my phone already, but I do it via a PiHole installed on an EC2 instance that I also use as an IRC bouncer and other things.
replies(2): >>31264883 #>>31265929 #
18. jjeaff ◴[] No.31264665[source]
I don't think that is an anti-pattern. One well secured point of access is better than various http access points with varying levels of security and maintenance levels, all requiring frequent manual update to stay secure.
replies(1): >>31265838 #
19. pkulak ◴[] No.31264883{3}[source]
It means you can self host all kinds of things and never worry about opening a port on your router.
replies(1): >>31265059 #
20. pkulak ◴[] No.31264890{3}[source]
Like a million times more secure.
21. anderspitman ◴[] No.31265016{4}[source]
For more background on just how much Tailscale is doing for you with respect to NAT:

https://tailscale.com/blog/how-nat-traversal-works/

22. anderspitman ◴[] No.31265059{4}[source]
As long as you don't need to share any of your services with non-Tailscale users. Otherwise you'll need to set up some sort of public server.
replies(1): >>31265644 #
23. criddell ◴[] No.31265482[source]
Doesn’t putting Tailscale in the middle mean you are now hoping they are secure? I suppose that’s probably better than connecting to the VPN on your home gateway router that your ISP has access to.
replies(1): >>31268173 #
24. antihero ◴[] No.31265604[source]
Ah, the exit node thing is really cool, always handy to have a residential IP to route through too :)
25. vineyardmike ◴[] No.31265644{5}[source]
But you can also try to get them to be Tailscale users and effortlessly share the devices with access control features they built. I share my home servers and game servers with family/friends easily while still keeping everything off the public internet.
replies(1): >>31266200 #
26. shepherdjerred ◴[] No.31265838{3}[source]
I meant that for larger organizations where security is a concern you'd want both -- your network should be secured and the individual applications should be as well. Again it's contextual advice and really doesn't matter for my internal site where there's not too much at stake.
27. Spooky23 ◴[] No.31265929{3}[source]
It’s pretty similar as far as how it works for you.

It may be cheaper to VPN to home vs a cloud server, and you may avoid issues where sites block AWS. You can also securely forward other ports. Sometimes I print or access other services in my house that aren’t internet safe.

replies(1): >>31266277 #
28. apitman ◴[] No.31266200{6}[source]
But now your friends and family are locked into a proprietary system, subject to whatever the future incentives of Tailscale end up being. How many people can you connect on the free plan?
replies(2): >>31267453 #>>31288614 #
29. Sohcahtoa82 ◴[] No.31266277{4}[source]
I have the PiHole VPN configured so that only DNS lookups go through it. All other traffic is not tunneled. It means I don't get billed for several gigabytes of traffic from AWS and my traffic doesn't come from an AWS IP, but I still get all the ad-blocking benefits of a PiHole.

At home on my desktop, I just use uBlock Origin in my browser.

replies(1): >>31269013 #
30. devman0 ◴[] No.31266547{4}[source]
Is forwarding a single port that difficult in most circumstances? I do realize there are some instances where that is hard like CGNAT, but if I have easy access to wireguard in my network already what does tailscale buy me?
replies(1): >>31266791 #
31. donaldihunter ◴[] No.31266791{5}[source]
I was running Wireguard exactly as you describe, but I'm now using Tailscale because convenience.
32. gzer0 ◴[] No.31267453{7}[source]
Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the control server.

Headscale [1] allows one to implement a self-hosted, open source alternative to the Tailscale control server.

[1] https://github.com/juanfont/headscale

Almost all of tailscale is opensourced at this point besides the GUI.

replies(1): >>31267504 #
33. anderspitman ◴[] No.31267504{8}[source]
Does headscale do all the same NAT traversal that Tailscale is capable of?
34. LoveGracePeace ◴[] No.31267601{3}[source]
I do the same, for multiple domains I own. Definitely not difficult.
35. girvo ◴[] No.31267904[source]
For me, it's so I can use Moonlight to stream games from my gaming desktop PC to my iPhone using a Backbone One controller.

Handheld Elden Ring is amazing :)

Though my use-case is extremely simple, and so I just use bare WireGuard

36. stanmancan ◴[] No.31268173{3}[source]
I have a modem and my own router; I don't use (or even have) one provided by my ISP. I'm not entirely sure how Tailscale works TBH, so yes I'm betting on them being secure.

Tailscale comes with a few other benefits that don't come on other VPNs. I have my home server set up as an 'exit node' which allows me to route my traffic through it when I'm travelling. Super handy sometimes like when I'm travelling and my bank decides not to let me log in.

37. O_H_E ◴[] No.31269013{5}[source]
oh wow that is cool. I have never heard or thought about putting a pi-hole in the cloud.
replies(1): >>31277143 #
38. PinguTS ◴[] No.31271256[source]
So then, what is the difference to running OpenConnect and then connecting to it via activating CiscoVPN on the phone/mobile device?

I used that while I was in China as this allowed me to have my own personal VPN.

39. Sohcahtoa82 ◴[] No.31277143{6}[source]
It made more sense to me for using a PiHole on my phone. I didn't want to expose a VPN port on my home network, and didn't want to deal with trying to tunnel VPN through SSH.

And the EC2 instance I installed it on was already being used for other toy projects, so it's not like it cost me anything. The additional egress bandwidth is likely fractions of a penny.

40. vineyardmike ◴[] No.31288614{7}[source]
Yea, but my friends and family would rather have a service that just works, has apps, etc instead of an open one. Tailscale is a good actor ~for now~ and ~for now~ that's good enough for us. Not every day in every situation can I be an activist. I have a list of alternatives incl FOSS ones should I need, but I'll cross that bridge only if I need to, since this JustWorks.

You can connect one person on a free plan, but each person can have their own free plan that you share devices between.