
Tailscale raises $100M

(tailscale.com)
854 points gmemstr
nickysielicki No.31260955
Tailscale has a fantastic product, I’ve been extremely happy from day one. If you’re waiting for a weekend to have a few hours to try out Tailscale, don’t, it takes 15 minutes to get every device you own up and running and talking. This is the lowest friction personal VPN to ever exist, and once you see how easy it is for your own devices, you’ll wish you had it at work.

The biggest risk that this company has is that Cloudflare (in all reality) should just buy them or reimplement it. It’s the type of product Cloudflare would make, that’s for sure. Being based on open source WireGuard, and being just a STUN/TURN server at its core… I’m sure that Tailscale will be the first but maybe not the best.

I’ve been dreaming lately of a tor-like network that’s based loosely on the idea of tailnets. Rather than blockchain bullshit, you’d have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don’t trust, but who know someone you do trust.

Web3 happens when people can host stuff on their phones, and Tailscale is something that lets you host things on your phone.

depingus No.31261878
> I’ve been dreaming lately of a tor-like network that’s based loosely on the idea of tailnets. Rather than blockchain bullshit, you’d have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don’t trust, but who know someone you do trust.

Might want to check out Yggdrasil. It lets you create a real mesh-routed, E2E-encrypted network. You can keep your network private, or connect it to the greater network and route others. There's no ring-of-trust (I can't imagine that as a viable solution at scale). But the config file has an AllowedPublicKeys section if you want to specify who can route through your node.

https://github.com/yggdrasil-network/yggdrasil-go

_abox No.31264166
Thanks, I thought I knew all the major mesh VPN options (tinc, Nebula, Tailscale, ZeroTier, Hamachi) and yet I never heard of Yggdrasil.

This is the kind of comment I love HN for!

PLG88 No.31270944
Here is another (sort of), OpenZiti - https://openziti.github.io/. OpenZiti provides a mesh overlay network built on zero trust principles with outbound-only connections so that we do not need inbound ports or link listeners. Similar to TS, you can host anything anywhere, and it has options to deploy on any popular host OS or as a virtual appliance.

What makes it really unique though is that it can actually be embedded inside the application via a suite of SDKs. Yes, private, zero trust connectivity inside an application! That provides the highest security and convenience as it can be completely transparent to the user!

Disclaimer: I work for the company that built and maintains OpenZiti, so I am opinionated.

GekkePrutser No.31276061
All the solutions I mentioned are outbound only (for the clients), though they do all have a central point which is open for inbound connections so they can find each other. Or in some cases their own cloud serves this purpose. They call them lighthouses, Moons, etc but the principle is the same.

The embedding inside an app sounds like a really cool discerning feature though. I'll have a look!

PLG88 No.31282574
Yes, outbound only is great for client side and for me table stakes. OpenZiti allows you to make the server side outbound only too. Do you care about Log4Shell or Spring4Shell when your server is dark to the internet? Java Magazine recently did a piece on it as the OpenZiti team 'zitified Springboot' - https://blogs.oracle.com/javamagazine/post/java-zero-trust-o.... We also recently zitified Prometheus - https://openziti.github.io/articles/zitification/prometheus/...... private, outbound-only connectivity natively part of the code.

GekkePrutser No.31293744
Oh that's interesting. But how do the server and clients manage to find one another then? Indeed an outbound-only server is a discerning feature and a huge security advantage.

I should really read up on it. I know... I will soon!

PLG88 No.31302874
OpenZiti has an architecture of 'Edge' and 'fabric'. The Edge is at source and destination and outbound connects into the fabric. The fabric is SDN, edge connects and authenticates/authorises to controller based on embedded identity, then based on policy and rules, outbound connects to the data plane using smart routing over the mesh. The fabric only 'listens' for endpoints which have embedded, correct identity based on a process called 'bootstrapping trust' (there is a 5 part blog on this).

Clint and Ken did a really good ZitiTV on Friday which covered many of the cool superpowers of OpenZiti - https://www.youtube.com/watch?v=4wOGvZqN6Co&ab_channel=OpenZ...
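The question of how an outbound-only server and its clients find each other, reduced to a runnable toy (added here as an illustration; this is not OpenZiti's code and the protocol is invented for the demo): the relay is the only component that listens, the server and the client both dial out to it, the relay only honours connections that present an enrolled identity (a constructed name/token table stands in for OpenZiti's certificate-based identities), and a dialing client is spliced onto the server's already-open outbound socket.

```python
import asyncio

# Constructed enrollment table (identity -> token); a stand-in for real identities.
ENROLLED = {"echo-service": "token-A", "client-1": "token-B"}

async def pipe(src, dst):
    while data := await src.read(1024):  # copy one way until EOF
        dst.write(data)
        await dst.drain()
    dst.close()

async def echo_service(port):
    # The "dark" server: no listener, it dials out to the relay and waits for work.
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"HOST echo-service token-A echo\n")
    data = await reader.read(1024)
    writer.write(b"echo:" + data)
    writer.close()  # close() flushes the buffered reply first

async def client(port, msg, ident, token):
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(f"DIAL {ident} {token} echo\n".encode() + msg)
    reply = await reader.read(1024)  # b"" when the relay drops the connection
    writer.close()
    return reply

async def run_demo(msg, ident, token):
    services = {}  # relay state: service name -> streams of the endpoint hosting it
    async def relay(reader, writer):  # the only inbound listener in the system
        # First line of every connection: ROLE IDENTITY TOKEN SERVICE
        hdr = (await reader.readline()).decode().split()
        if len(hdr) == 4 and ENROLLED.get(hdr[1]) == hdr[2]:
            if hdr[0] == "HOST":  # a server registering over its outbound socket
                services[hdr[3]] = (reader, writer)
                return  # keep it open; it is used when a client dials the service
            if hdr[0] == "DIAL" and hdr[3] in services:
                s_reader, s_writer = services.pop(hdr[3])
                await asyncio.gather(pipe(reader, s_writer), pipe(s_reader, writer))
        writer.close()  # unenrolled identities get nothing, not even an error
    srv = await asyncio.start_server(relay, "127.0.0.1", 0)
    port = srv.sockets[0].getsockname()[1]
    host = asyncio.create_task(echo_service(port))  # cancelled by asyncio.run if unused
    while "echo" not in services:  # wait for the outbound registration to land
        await asyncio.sleep(0.01)
    reply = await client(port, msg, ident, token)
    srv.close()
    return reply

def demo(msg=b"hello", ident="client-1", token="token-B"):
    return asyncio.run(run_demo(msg, ident, token))
```

A client with an unknown identity or wrong token never learns whether the service exists; the relay simply closes the socket, which is the property the "dark server" argument above rests on.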