Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 12 comments
arsome (No.31261100)
I was going to try TailScale but then it seemed the only option to do so as an individual was to log in with a 3rd party cloud provider, which I in no way want tied into my networks.

I gave up and just set up wireguard directly instead. I don't trust Tailscale either if that's their attitude towards privacy; it's permanently marred my vision of their product.

replies(10): >>31261128 #>>31261230 #>>31261250 #>>31261558 #>>31261667 #>>31261807 #>>31261815 #>>31261981 #>>31262022 #>>31262899 #
JeremyNT (No.31261250)
Indeed, this is why I won't use it either. I settled on Slack's Nebula [0] instead of wireguard because it handles direct p2p communication between nodes automatically.

There also exists an open source implementation of the tailscale control server [1] that you could self host.

[0] https://github.com/slackhq/nebula

[1] https://github.com/juanfont/headscale

replies(2): >>31261607 #>>31261688 #
depingus (No.31261688)
Absolutely love nebula and really wanted it to win when I did my overlay network shootout (for personal use). But device on-boarding and management was overly complex for a lay person (I have a couple users that would require access).

I settled on ZeroTier for now. Unfortunately, I don't think ZeroTier is my long term solution. Their self-hosted option comes with a plethora of caveats that make it basically unusable. And I'm always scared companies that offer free versions of their paid product will eventually neuter the free tier.

I'll be keeping an eye on headscale. Hopefully they get their mobile client situation in order.

replies(1): >>31264257 #
1. FL410 (No.31264257)
I am curious what you found complex - was it the PKI? I was able to get Nebula up and running WAY faster than any of the others. It's two (well, really only one) binaries and a config file - the simplicity is awesome.
replies(2): >>31264889 #>>31264992 #
2. JeremyNT (No.31264889)
It's easy to get started, but the issues come mostly from managing that "just a config file" over time.

Have a bunch of new nodes? Replacing a lighthouse? Revoking and replacing certs?

Here's a mistake that I made personally. Did you read the docs fully and realize that the default expiration for a CA is one year? The same is true for certificates. You need some kind of tooling to rotate certs every year, by default, or one day you'll find your entire overlay network disappears.

What about the ACL lists? Well, they're just stored in that same config file. What if you add a new service you didn't count on initially? Or you have a new class of clients?

What if your lighthouse needs to change its IP address? Or you need to retire and replace it outright?

And if you have hosts coming and going a lot, suddenly managing all those configuration files looks like quite a pain indeed...

None of this is unsolvable - assuming you have root on all the nodes you care about. You could even create tooling to automate these things with some kind of configuration management system (which indeed, if you are deploying to more than a handful of systems, you basically must do). But these pain points will eventually add up if you are just trying to connect to friends.

replies(1): >>31265035 #
3. depingus (No.31264992)
I found it too complex for a lay person. On a regular computer or server it's not too bad. I can send someone a config file with the certs and keys already built in. That's easy enough. But on mobile it requires a back and forth exchange of keys over a different medium.

Compare that to ZeroTier where I can just tell someone, "install this app and punch in this Network ID". Also, ZT lets me control the entire network firewall from a centralized place, whereas Nebula is doing it on a per-client basis and requires new certs if device groups change.

I don't want to talk up ZT too much though. Their self-hosted option is a joke. There is no webui. You have to do everything via the API, including the firewall rules, and you have to write those rules in the non-human readable format that their webui abstracts away. Worse still, their mobile apps won't work with the self-hosted option. I used them to get something up and running quickly, but I'll probably end up on Nebula anyways.

replies(1): >>31265633 #
4. depingus (No.31265035)
Just FYI, when you create a CA cert or sign certs with nebula-cert you can specify a -duration, which I know doesn't help you after the fact, but it might help someone going forward.
replies(1): >>31266051 #
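The two comments above describe the failure mode (CA and host certs issued with the default one-year duration silently lapse, taking the overlay down) and the fix (pass an explicit -duration when issuing). The script below is an added example, not code from the thread or from the Nebula project: it audits certificates from the JSON that `nebula-cert print -json -path <cert>` emits and, for anything expired or close to it, builds the `nebula-cert ca` / `nebula-cert sign` command that reissues it with an explicit -duration. The two certificate records are constructed samples; the JSON field names (`details.notAfter`, `details.isCa`, `details.ips`, `details.groups`) are my assumption about nebula-cert's print format, and the output paths `ca.crt` / `ca.key` are placeholders. Python is used so the check runs offline against saved output rather than needing nebula-cert installed.

```python
import json
from datetime import datetime, timezone

# Constructed samples (not from the thread). Shape assumed to match
# `nebula-cert print -json`; both certs were issued with the default
# one-year duration, which is exactly the trap discussed above.
SAMPLE_CA_JSON = json.dumps({
    "details": {"name": "home-overlay-ca", "isCa": True,
                "notBefore": "2022-05-04T00:00:00Z",
                "notAfter": "2023-05-04T00:00:00Z",
                "groups": [], "ips": [], "subnets": [], "issuer": ""},
    "fingerprint": "constructed-ca-fingerprint",
    "signature": "constructed-signature",
})
SAMPLE_HOST_JSON = json.dumps({
    "details": {"name": "laptop", "isCa": False,
                "notBefore": "2022-08-01T00:00:00Z",
                "notAfter": "2023-08-01T00:00:00Z",
                "groups": ["laptops", "admins"],
                "ips": ["10.42.0.5/24"], "subnets": [],
                "issuer": "constructed-ca-fingerprint"},
    "fingerprint": "constructed-host-fingerprint",
    "signature": "constructed-signature",
})


def _as_datetime(value):
    """Accept an RFC 3339 string (as nebula-cert prints) or an aware datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def days_remaining(cert_json, now):
    """Whole days until notAfter; negative once the cert has lapsed."""
    details = json.loads(cert_json)["details"]
    return (_as_datetime(details["notAfter"]) - _as_datetime(now)).days


def classify(cert_json, now, warn_days=60):
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_remaining(cert_json, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def renewal_command(cert_json, duration="87600h"):
    """nebula-cert invocation that reissues this cert with an explicit
    -duration (87600h is ten years, the workaround mentioned in the thread).
    ca.crt / ca.key are placeholder paths."""
    d = json.loads(cert_json)["details"]
    if d["isCa"]:
        return ["nebula-cert", "ca", "-name", d["name"], "-duration", duration,
                "-out-crt", "ca.crt", "-out-key", "ca.key"]
    cmd = ["nebula-cert", "sign", "-name", d["name"], "-ip", d["ips"][0],
           "-duration", duration, "-ca-crt", "ca.crt", "-ca-key", "ca.key"]
    if d["groups"]:
        cmd += ["-groups", ",".join(d["groups"])]
    return cmd


def audit(cert_jsons, now, warn_days=60):
    """One (name, status, days_left) row per cert, soonest expiry first,
    so a lapsing CA (which invalidates every host cert) surfaces at the top."""
    rows = [(json.loads(cj)["details"]["name"],
             classify(cj, now, warn_days),
             days_remaining(cj, now)) for cj in cert_jsons]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for cj in [SAMPLE_CA_JSON, SAMPLE_HOST_JSON]:
        name, status, days = audit([cj], now)[0]
        print(f"{name:20} {status:9} {days:>6} days left")
        if status != "ok":
            print("  reissue with:", " ".join(renewal_command(cj)))
```

Run it from cron against the output of `nebula-cert print -json` for the CA and each host cert, and let the "expiring" state trigger a rotation well before the "expired" one; on the constructed samples, checked on 2023-04-04, the CA reports 30 days left and the host cert 119.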
5. api (No.31265633)
> Their self-hosted option is a joke. There is no webui.

There's a community developed one:

https://github.com/key-networks/ztncui

replies(1): >>31268518 #
6. JeremyNT (No.31266051)
Very good to know! I did learn this and used 10 year certs/ca when my originals expired... as will presumably most of the other people who didn't fully grok the implications of the defaults :)
replies(1): >>31266113 #
7. rhuber (No.31266113)
We need to do a better job of this and I'm really sorry you had a not-great experience with expiration. Totally agree with your take.
replies(1): >>31273594 #
8. depingus (No.31268518)
I had looked at this. It doesn't seem like they've implemented anything to handle firewall rules. They may not even be able to, seeing as how that part of ZT is closed source. Also, this doesn't solve the problem with mobile apps, so the whole thing was a moot point for me.
replies(1): >>31270067 #
9. benoliver999 (No.31270067)
The mobile app does work with the self hosted option, we use it at work.
replies(1): >>31290153 #
10. JeremyNT (No.31273594)
I hope I don't come across as too negative! Sure I'd love to see some improvements here, and they would help adoption amongst hobbyists / home users, but I totally understand focusing on the features needed to make the business work first.

The existing open source functionality for the overlay network itself is (for me) what's really exciting, and it's all there. The management limitations just keep me from evangelizing more broadly (outside of places like HN).

11. depingus (No.31290153)
The official ZT docs* say, "The mobile apps don't support custom roots." And I don't see any setting in the Android app to point it to any server.

* https://docs.zerotier.com/self-hosting/introduction

replies(1): >>31298146 #
12. benoliver999 (No.31298146)
Ah, that's because we run a controller node, not a root. So you just add an ID as normal.

The software linked in the parent works with the mobile apps.