
Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 5 comments
arsome No.31261100
I was going to try TailScale, but then it seemed the only option to do so as an individual was to log in with a third-party cloud provider, which I in no way want tied into my networks.

I gave up and just set up WireGuard directly instead. I don't trust Tailscale either if that's their attitude towards privacy; it's permanently marred my vision of their product.

replies(10): >>31261128 #>>31261230 #>>31261250 #>>31261558 #>>31261667 #>>31261807 #>>31261815 #>>31261981 #>>31262022 #>>31262899 #
JeremyNT No.31261250
Indeed, this is why I won't use it either. I settled on Slack's Nebula [0] instead of wireguard because it handles direct p2p communication between nodes automatically.

There also exists an open source implementation of the tailscale control server [1] that you could self host.

[0] https://github.com/slackhq/nebula

[1] https://github.com/juanfont/headscale

replies(2): >>31261607 #>>31261688 #
depingus No.31261688
Absolutely love Nebula and really wanted it to win when I did my overlay network shootout (for personal use). But device onboarding and management was overly complex for a layperson (I have a couple of users that would require access).

I settled on ZeroTier for now. Unfortunately, I don't think ZeroTier is my long term solution. Their self-hosted option comes with a plethora of caveats that make it basically unusable. And I'm always scared companies that offer free versions of their paid product will eventually neuter the free tier.

I'll be keeping an eye on headscale. Hopefully they get their mobile client situation in order.

replies(1): >>31264257 #
FL410 No.31264257
I am curious what you found complex - was it the PKI? I was able to get Nebula up and running WAY faster than any of the others. It's two (well really only one) binaries and a config file - the simplicity is awesome.
replies(2): >>31264889 #>>31264992 #
1. JeremyNT No.31264889
It's easy to get started, but the issues come mostly from managing that "just a config file" over time.

Have a bunch of new nodes? Replacing a lighthouse? Revoking and replacing certs?

Here's a mistake that I made personally. Did you read the docs fully and realize that the default expiration for a CA is one year? The same is true for certificates. You need some kind of tooling to rotate certs every year, by default, or one day you'll find your entire overlay network disappears.

What about the ACL lists? Well, they're just stored in that same config file. What if you add a new service you didn't count on initially? Or you have a new class of clients?

What if your lighthouse needs to change its IP address? Or you need to retire and replace it outright?

And if you have hosts coming and going a lot, suddenly managing all those configuration files looks like quite a pain indeed...

None of this is unsolvable - assuming you have root on all the nodes you care about. You could even create tooling to automate these things with some kind of configuration management system (which indeed, if you are deploying to more than a handful of systems, you basically must do). But these pain points will eventually add up if you are just trying to connect to friends.

replies(1): >>31265035 #
2. depingus No.31265035
Just FYI, when you create a CA cert or sign certs with nebula-cert you can specify a -duration, which I know doesn't help you after the fact, but it might help someone going forward.
replies(1): >>31266051 #
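The two comments above (the one-year default expiry that silently takes the whole overlay down, and the `-duration` flag on `nebula-cert`) both come down to one operational task: knowing, before the deadline, which certs are about to lapse. The script below is an added example for this thread, not Nebula's own tooling. It assumes the JSON layout printed by `nebula-cert print -json -path <cert>` (a top-level `details` object with `name`, `isCa`, `notBefore` and `notAfter` as RFC 3339 timestamps); the three records embedded in it are constructed samples, and the `87600h` value mentioned in the comments is an illustrative ten-year duration, not a project default.

```python
"""Expiry audit for Nebula certificates.

Added example for this thread, not part of Nebula or nebula-cert. It assumes
the JSON shape printed by `nebula-cert print -json -path <cert>`: a top-level
"details" object carrying "name", "isCa", "notBefore" and "notAfter" (RFC 3339
timestamps). The three records below are constructed samples, not real certs.
"""
import json
from datetime import datetime, timedelta, timezone

# Flag anything with less than this much validity left.
WARN_BEFORE = timedelta(days=30)

# Constructed samples: a CA created with the one-year default duration, a host
# cert signed with an explicit `nebula-cert sign ... -duration 87600h` (ten
# years, an illustrative value), and a host cert that has already lapsed.
SAMPLE_CERTS = [
    '{"details": {"name": "home-ca", "isCa": true, "notBefore": "2022-05-01T00:00:00Z", '
    '"notAfter": "2023-05-01T00:00:00Z"}, "fingerprint": "constructed-ca-fp"}',
    '{"details": {"name": "laptop", "isCa": false, "notBefore": "2022-05-01T00:00:00Z", '
    '"notAfter": "2032-04-28T00:00:00Z"}, "fingerprint": "constructed-host-fp-1"}',
    '{"details": {"name": "old-nas", "isCa": false, "notBefore": "2022-03-01T00:00:00Z", '
    '"notAfter": "2023-03-01T00:00:00Z"}, "fingerprint": "constructed-host-fp-2"}',
]


def parse_timestamp(value):
    """Parse an RFC 3339 timestamp such as 2023-05-01T00:00:00Z into aware UTC."""
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc)


def parse_cert(text):
    """Reduce one `nebula-cert print -json` record to the fields the audit needs."""
    details = json.loads(text)["details"]
    return {
        "name": details["name"],
        "is_ca": bool(details.get("isCa", False)),
        "not_after": parse_timestamp(details["notAfter"]),
    }


def classify(cert, now, warn_before=WARN_BEFORE):
    """Return 'expired', 'rotate-soon' or 'ok' for a parsed cert at time `now`."""
    remaining = cert["not_after"] - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= warn_before:
        return "rotate-soon"
    return "ok"


def audit(cert_texts, now=None, warn_before=WARN_BEFORE):
    """Audit JSON records; returns (name, kind, status, days_left) tuples."""
    now = now or datetime.now(timezone.utc)
    report = []
    for text in cert_texts:
        cert = parse_cert(text)
        kind = "ca" if cert["is_ca"] else "host"
        days_left = (cert["not_after"] - now).days
        report.append((cert["name"], kind, classify(cert, now, warn_before), days_left))
    return report


def network_at_risk(report):
    """A CA that is expired or about to expire takes every cert it signed with it,
    so any non-ok CA puts the whole overlay at risk, whatever the host certs say."""
    return any(kind == "ca" and status != "ok" for _, kind, status, _ in report)


if __name__ == "__main__":
    # Fixed clock so the sample output is reproducible; drop `now=` for a live audit.
    fixed_now = datetime(2023, 4, 15, tzinfo=timezone.utc)
    result = audit(SAMPLE_CERTS, now=fixed_now)
    for name, kind, status, days_left in result:
        print(f"{name:<10} {kind:<5} {status:<12} {days_left:>5} days")
    if network_at_risk(result):
        print("CA rotation needed: re-sign host certs before the CA lapses")
```

In practice you would feed `audit()` the output of `nebula-cert print -json` for each cert on disk and run it from cron or a config-management check; the point of `network_at_risk()` is that a long-lived host cert is worth nothing once the CA that signed it has expired, so the CA's own date is the one to watch first.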
3. JeremyNT No.31266051
Very good to know! I did learn this and used 10 year certs/ca when my originals expired... as will presumably most of the other people who didn't fully grok the implications of the defaults :)
replies(1): >>31266113 #
4. rhuber No.31266113
We need to do a better job of this and I'm really sorry you had a not-great experience with expiration. Totally agree with your take.
replies(1): >>31273594 #
5. JeremyNT No.31273594
I hope I don't come across as too negative! Sure I'd love to see some improvements here, and they would help adoption amongst hobbyists / home users, but I totally understand focusing on the features needed to make the business work first.

The existing open source functionality for the overlay network itself is (for me) what's really exciting, and it's all there. The management limitations just keep me from evangelizing more broadly (outside of places like HN).