Tailscale has raised $160M

When I saw the new round, I was instantly worried about change in direction that will most likely come with this, and effectively drive away regular users from a tool that seems universally loved.

Similar sentiment can be seen in the discussion from three years ago [1] when they raised $100M.

[1] https://news.ycombinator.com/item?id=31259950

Try netbird which is an open-source alternative to free yourself from worries xD https://github.com/netbirdio/netbird

I share your concerns.

Thank you for sharing this link!

I was about to slog through AI search results looking for an alternative.

How is Tailscale going to achieve at least $1B in annual revenue? That’s the kind of promise that would have to be made to investors in order to raise funding of this magnitude.

Become the provider of choice for enterprise IT networks or get bought by Azure?

so tailscale is selling out

that was disappointing

at least the current software is open source, so others can fork it before it closes down on itself and enshittifies.

I've been tracking this space for a while just out of annoyance that Tailscale offers ssh on the free tier, then not on the "starter" paid tier. Netbird is by far the best of the alternatives that I've tried.

Good. This lets them receive some of the value they’ve created (they should get paid!) and gives certainty they won’t go out of business. Which means more Tailscale now and in future!

If they turn evil (unlikely with the current folks there) they’ve written up / open sourced plenty of what got them to this point.

Don’t capture all the value you create. But you should try to capture some.

Tailscale is a software company founded in 2019 that raised their series A in 2020, not a grassroots community project

it is a nice that they're a bit embarrassed about it and spend much of the post explaining why they took more money.

overall, they still seem to have their heads screwed on straight and have an actual business model, that is also pretty fair - charge enterprises per seat to solve their network identity problems.

anyway, keep up the good work, Avery and co.

Tailscale is a great. I think of it as a swiss army knife for easier routing and connectivity.

I use it in projects to stream internet / connectivity from my phone to the NVIDIA Jetson line, making my robotics projects easily accessible / debuggable:

https://github.com/burningion/bicyclist-defense-jetson?tab=r...

Tailscale was invaluable for connecting my remote offices together. Long gone are the days of openvpn configs

I don't probably use Tailscale to it's full potential but I love this tool. We have our small servers at our offices across the world and it has give us so much flexibility to access some of the files via shared drives or try out installing / testing stuff. Me and my wife also drop each other pictures of our kids using tailscale now.

Off-topic, but it makes me laugh that companies will list their “investors”, “advisors”, etc. on their company page, but not the people working there.

That said, Tailscale is one of the products that just works.

I've always been on the outside looking in, so I've never used Tailscale or its open-source brethren.

Would this service be comparable to Headscale[0]?

[0] https://github.com/juanfont/headscale

Even if it could mean Tailscale enshittifies eventually, this is probably a good thing for the ecosystem. As one example, the bigger they get, the more likely operating systems will build better APIs to support what they do (for example maybe Apple will provide a way to do mDNS over Tailscale), and those APIs can be used by all.

There are plenty of open source alternatives cropping up[0]. I'm curious to see what Tailscale can do with a lot of resources.

[0]: https://github.com/anderspitman/awesome-tunneling?tab=readme...

As someone who currently has their photo on a company's 'About Us' page, I hate it. Why does anyone care who the nth developer is? Let me just do my job without forcing me to be publicly listed for spammers and scammers to target me.

Does anybody encounter issues with DNS after installing tailscale with it's MagicDNS enabled? It drives me nuts because my entire network just stops working. I removed tailscale but still won't be able to connect to my Ubuntu server.

Yeah, you need to be conscious about your tailscale domain, your .home (or whatever your router or dhcp server advertises) and your .local hostnames. Even if you’re aware, things are sometimes wonky, IME primarily on macOS.

IMHO they should be a good steward and toss the Wireguard guy a mil considering Tailscale is pretty much Wireguard with a GUI on top.

One would hope they’d create something like Google drive except you own your stuff that people would pay for.

When they raised the 100M three years ago, I'm pretty sure they said they didn't need it and were saving it for a rainy day (or words to that effect), always seemed very odd at the time. Two q's for anyone who cares to speculate: have they burnt the original investment already? And if not, why would they need more funding? AFAICS there's no real competition in the market place for their product today, the only thing I can conceive is that they have a secret 'tailscale 2' project in the wings which is massively developer or capital intensive. Let's hope it is nothing related to AI band wagoning :-)

Off topic but rerun.io is really cool. Never heard of it until I saw your project. Do you know if it does "replay" kinda like rosplay?

so either you do it out of the goodness of your heart, or you maximize shareholder value at no expense

I'd sell out at $160M, too. I'm happy for them, and sad for everyone else.

I am on Arch and often end up with DNS broken in a way that requires me to restart tailscaled.

I've had issues with tailscale dns for a while where I'll wake my mac up and the dns will just not work until I disable tailscale. I can then re-enable it and everything continues to work.

I logged a bug about it and the latest versions this seems to have gone away. I also moved away from the mac store variant and into the standalone. Not sure if that helped either.

There are plenty of enterprises that will pay them to run their services and provide better integrations while allowing open source users to continue. Now people will get upset because some of these things will be for those customers only but it is very hard to keep developing these things and give them out for free. Partially open source still allows those to extend the work they give to the community and they will probably still continue to have a free tier to get more enterprise customers in the end.

  When we started Tailscale in 2019, we weren't even sure we wanted to be a venture-backed company. We just wanted to fix networking. Or, more specifically, make networking disappear — reduce the number of times anyone had to think about NAT traversal or VPN configurations ever again.

Isn't logtail what got Avery et al started?

https://github.com/tailscale/tailscale/tree/main/logtail

https://apenwarr.ca/log/20190216 / https://archive.vn/xlsA1

Tailscale is definitely more than "Wireguard with a GUI", but I don't think that diminishes your point that Tailscale, if they're not already, would be great stewards if they were contributing more than code back to the Wireguard project.

This is not correct. Wireguard establishes a tunnel between peer A and B, and its simplicity stops there. Tailscale does tons of complex networking, filtering, nat traversal, DNS, file sharing, etc. Wireguard is a small part of the codebase today, which has grown a lot.

It’s a bit like saying Dropbox is just a GUI on top of TLS.

The same thing has been said about many other companies taking on VC Money. Someday, those investors are going to want to see a return on that investment. Its going to take focus and determination to not just ship enshittification as a feature..

If they had taken just say $40 million would they be able to sustain their project for the foreseeable future and perhaps not yield as much future product direction and equity?

I honestly don't know how this big dealmaking works but it strikes me that when you take out this big of an obligation that the obligation has a gravity that may drag you in a direction you (or consumers) do not want to go.

Love Tailscale as a product (as does everyone I talk to) but genuinely want to learn more about the trade-offs as usually when we see big dollar signs all we do is celebrate.

> at least the current software is open source

Not the server.

headscale is nice, but it's not an official project.

Yeah, I honestly couldn't get Tailscale to work reliably at all. DNS, routing, firewalls etc. My overall impression was it will work if either you go for it on your entire local subnet, or you have a very simple local network topology. Having local nodes inexplicably talking to each other via a cloud relay basically all the time just isn't acceptable. (And webrtc could always find the local candidates when doing ICE, so it's not that).

It's interesting because they have clearly demonstrated a demand for such a thing, but the "just works" pitch is a fantasy, at least today.

That was our initial use case for Tailscale as well. May 2020 we started growing a team and needed a really smooth remote access solution for a bunch of Xaviers... and we weren't allowed to be in the same room together :)

Tailscale deserves it. They have produced excellent software.

Most of this was successfully done 20 years ago by tinc, which is a project written by a couple of European guys in their free time. It even supports routing traffic through other peers and does peer discovery just like BitTorrent (but before BitTorrent even existed) — there is no need for a central server.

What tailscale has over it is hype, lots and lots of hype. Also a much more well thought out, and arguably more secure VPN protocol underneath, which is why GP's comment is on point.

> they should be a good steward

Tailscale did make a donation to WireGuard. They have regularly contributed to wireguard-go, including the complicated GRO/GSO bits.

  "Tailscale made a donation during September 2022, as part of their business centered around WireGuard." https://www.wireguard.com/donations/ / https://archive.vn/MMAXO

> Tailscale is pretty much Wireguard with a GUI on top.

Well, isn't PUBG a GUI on top of Unreal?

> It’s a bit like saying Dropbox is just a GUI on top of TLS.

Well, it is. After all, for a Linux user, you can already build such a system yourself quite trivially...

I imagine this was, at least in part, part of the pitch deck.

Sometimes I have issues like this. It's related to my ISP not supporting IPv6. I don't have time to explain this in detail, but at least that's one angle of it that you might want to explore further.

So you want a file system data store that distributes the data over the nodes you own in a sort of dynamic P2P way?

netbird looks like it would be a better option if open source is what youre after. theres a handful of others too, nebula, zerotier, netmaker just to name a few

Depressing news, I have no hope that the countdown to Tailscale being unusable subscription trash has not started with this announcement.

I realize this is a very ironic place to make this statement, but I am utterly exhausted by VC money destroying all of the services I enjoy, like a slow disease spreading through a herd of livestock.

Equity investments like this don't need to be repaid, so there isn't a legal obligation to repay them. Of course, there is an obligation to maximize shareholder value — but that is totally independent of the dollar amount invested.

When founders raise this much money, it's because there's (1) a lot they want to do and hire for, or (2) they don't want to worry about monetizing the product for a significant period and focus on growth or product development.

Investors expect that Tailscale will extract many multiples of their contribution from users.

If you'd like to avoid this extraction, you can fork their command line client code (along with the open source headscale server) and run a mesh network across your linux machines with all the magic DNS and userspace-TCP/IP-stack goodness that you're used to. Tailscale has given away a lot of the engineering for free.

However, as soon as your fork becomes incompatible with Tailscale's stack, you lose a massive value-add: proprietary platform support. Today, you can add the sale's guy's iPhone to your tailnet in seconds. If Apple's capricious automated AppStore security pulls the Tailscale app from the AppStore, Tailscale Corp is big enough to get Apple's attention. A small FLOSS group with some forked clients on github won't be able to provide this same operational stability.

I do in fact care about the nth developer when I visit about us pages.

Maybe a slight bias on my part as I'm a developer and not an investor.

And not that funding or advising is less important, but it's a nice feeling connecting a product I like to faces who make it happen.

GP didn't talk about "repaying" anything. Taking 160M instead of 40M at the same valuation means giving up 4x the shares, and that's going to result in a bigger voice for those investors at the table in making decisions about the future path of the company.

The subnet routing feature can cause network issues

And ease of use, IMHO. That's a bit one with these kind of things. I will admit not having used tinc but I imagine it's not as polished.

Polish costs effort and money and it also really truly saves time and makes for a better product. So that matters.

I have this happen largely with Apple OS devices. Apple's DNS service can be notoriously persnickity (I've had issues with it outside of Tailscale as well), and I usually need to bounce interfaces or flush DNS cache (where I can on macOS) to resolve issues. WRT Tailscale, I also have issues with it on my phone. I currently have my phone configured to connect to my Tailnet when I leave networks I don't control so that I can maintain access to my personal cloud on the go, however after a few connections and disconnections, I have to bounce several interfaces in order to correct both DNS and routing.

Yes, rerun does replay, that was my main use case when prototyping.

They've since raised more funding recently, and have larger use cases in mind for robotics: https://rerun.io/blog/physical-ai-data

I've spoken with members of the team, and they're all great. Wouldn't hesitate to use the product / work with them anywhere.

It'll be a sad day when this reference is posted and understood for the last time.

What are the failure points of hosted solutions like Tail scale versus self hosted options?

What if they were offered $160mm and Tailscale countered with 4X the valuation, lowering the number of shares by 75%? Similarly, what if they wanted $40mm but the only deal on the table was $160mm due to ownership targets of funds that can actually write $40mm+ checks? It's hard to play these armchair games, even less so when the terms aren't known.

Probably closer to say that Dropbox is a GUI on top of WebDAV

You're right that we don't know all the terms, but $160M raised is not small and it is very reasonable to worry about what level of control will be given up long term because of it.

(3) investors offer the option for founders (and earlier investors) to take money off the table by buying up a percentage of their stake, essentially creating a mini-exit for the founder and earlier investors

Jason Donenfeld is listed as a Technical Advisor on https://tailscale.com/company. Most companies pay their advisors something, so I assume something monetary is going on here for him.

It definitely matters. I used tinc extensively at a prior gig, and it not having a story for its own key distribution was exceedingly painful.

$1B annual revenue is ~4m business users. This is considerably smaller than e.g. Zscaler or Okta. It's a big goal, but achieving it does not require them to sign a majority of businesses or build a monopoly.

A weekend project tops

Hm OK well thinking out loud, $100M / 3 is $33M / year?

I don't know much about Tailscale, nor about how much it costs to run a company, but I thought it was mostly a software company?

I would imagine that salaries are the main cost, and revenue could cover salaries? (seems like they have a solid model - https://tailscale.com/pricing)

I'm sure they have some cloud fees, but I thought it was mostly "control plane" and not data plane, so it should be cheap?

I could be massively misunderstanding what Tailscale is ...

Did the product change a lot in the last 3 years?

No it won't. The reference is universally misunderstood.

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

+1 rerun is great and they also make egui.rs, one of the best immediate mode graphics libs.

One of the main problems with raising too much is that you stop caring about product-market fit and can go on tangents that do not make you competitive. This is quiet common afaik.

a fun thought exercise - what would have to happen to HN for this to come true? basically all the old guard have to age out and not pass on the reference?

This is mostly so that the founders can take some money off the table. The founders probably have $10 million cash after this and don't have to worry about rent ever again.

If it's hype, it's not hype the way you're thinking. I've shown Tailscale to a lot of people (this is less salient now, when pretty much everybody uses Tailscale) and the most common reaction I've gotten is "holy shit". It is spooky simple to get working, and it's spooky simple to go from a working installation to a VPN configuration that would take many many hours to replicate with pre-existing tools.

There may be VPN nerds out there who think there's nothing special happening with Tailscale, but I submit those nerds haven't spent a lot of time dealing with the median, replacement-level VPN configuration prior to Tailscale. I'm a pentester, and so I have had that pleasure. Tailscale is revolutionary compared to what it replaced.

The founders of Tailscale probably weren't too worried about rent before Tailscale.

I think they might be operating at a scale that breaks those kinds of pages at this point? Not literally, of course, just they're past the point where the page makes sense.

Ea-Nasir

Us humans are kinda ok at preserving knowledge (and we're getting even better, but not in a good way).

That depends on the share classes. Companies with high interest from investors can sometimes get them to accept shares with reduced voting rights.

I can't seem to find the replay function. As in replaying the sensor data as if it was "live". Would you happen to have a link to this feature?

> Me and my wife also drop each other pictures of our kids using tailscale now.

What application are you using for that (on top of Tailscale, that is)?

How many people on HN today would get the structure - “less $x than $y. No $z. Lame”?

I think the parent commenter used "understood" to mean "recognized."

That said, I don't really understand the supposed misunderstanding you point out. It seems that dang argues that "the exchange was pleasant and successful." I've never seen someone claim otherwise.

Rather, I've seen it used as an example of how technical users can fail to recognize the complexity inherent in their workflows, and therefore may also fail to see the real-world business value in creating (and selling) simpler interfaces. See also a SMOP: https://en.wikipedia.org/wiki/Small_matter_of_programming

Yes; you will burn through all the capital you raise in ~18 months. It is _extremely_ difficult to efficiently allocate large raises (100M+) in 18 months. In fact, I’m developing a pet thesis that no single human or business can efficiently allocate more than $100M. This would imply that any time a single raise is more than 100M, the investors always would have had a better return by splitting it into chunks of 100M or less. It’s not a _good_ thesis yet, just one I’m performing thought experiments with

Same. When my cell has an ip6 ip, I can’t get dns to resolve on my systems at home. I can still access everything by ip4 ip though. I haven’t had time to find a solution yet. I’m still trying to figure out if it’s nginx, pi-hole, router, or Tailscale config related… probably a combination.

Headscale is server only. Netbird is the whole stack (basically does the same thing but completely different software/implementation)

As GP said, they have raised money before. So why are you now disappointed and think they "are selling out", when nothing has changed, and Tailscale has been a clear-cut for-profit startup from the start?

Why would you not just have the same amount of income, but spend less money?

Everyone is commenting on the HN headline, no one on the actual post:

> Building the New Internet

(Insert mandatory reference to Silicon Valley here :))

> We think there’s a better way forward. We're calling it identity-first networking.

I would love to see this. Every day I have to stare at YAML files with IP addresses in them is a day I will never get back. I wish cjdns[0] had succeeded already but oh well, now I hope the Tailscale guys will!

[0]: https://github.com/cjdelisle/cjdns/

Isn't Dropbox just a GUI on top of rsync? I've also seen people say "FTP"

My only technical complaint with Tailscale is that its hole punching doesn't seem to work with some common CGNATs/double NATs when both endpoints are using them, and then traffic ends up trickling through their public proxy servers, while running your own is kinda annoying and not recommended or documented.

Tailscale has Taildrop - built-in peer-to-peer file sharing feature

https://tailscale.com/kb/1106/taildrop

I encountered a similar issue when I first started using Tailscale. My fix is simple: disable IPv4 inside Tailscale. Just use the v6 ULA address that begins with fd7a exclusively. This works even if your ISP doesn't support IPv6: the inner IPv6 packets can be encapsulated inside v4 packets. There's unfortunately no GUI to do this; you'll have to change the Tailscale ACL to disable IPv4.

Fingers crossed they’ll finally enable sending files to people

You can always find a lot of us on LinkedIn :D {I work at Tailscale}

They have raised before, so that money helped shape the service you enjoy.

No, it's not that simple. This is an instance of context collapse; people dunk on that exchange because they believe it's an HN person belittling Dropbox as a product, when in fact it was an HN person helpfully offering notes on a YC application.

I agree it's silly, but worth noting is that the target audience for those pages are usually:

1. Potential customers

2. Potential investors

Both groups are a lot more swayable by social proof from seeing the "investors" than the devs as they infer a lot of credibility based on who has funded you. Similarly that's why you often see big company logos on marketing pages because it makes other customers more likely to buy. "<xyz> is too big to be wrong about this product"

Whether the poster was "belittling Dropbox as a product" or "helpfully offering notes" seems like a judgment one can make about the exchange, regardless of poster's intent. I never understood this to be the reason it was referenced, more the SMOP thing. But I hear what you're saying about the details getting warped over time. (edit: And I do think people sometimes use it as a case of "if you listen to everyone's feedback..." but I think that still rings true: regardless of the judgment you place on it, it could have been demoralizing to Dropbox's founders.)

Operant has something similar in IIoT, https://operantnetworks.com/sie-sbd-part2/

  1. Immutable Content Naming: In a data-centric system, content is addressed by its name, transcending geographical considerations. This circumvents the vulnerabilities associated with IP addresses, which can be spoofed or manipulated. By employing cryptographic techniques to validate the authenticity of content names, NDN establishes a robust layer of security that underpins the entire architecture.

  2. Built-In Data Integrity: NDN employs built-in mechanisms to ensure the integrity of data. Content is signed by publishers and verified by consumers, preventing tampering or unauthorized alterations. This approach effectively mitigates data breaches, as any unauthorized modification is detected and rejected.

This sort of thing tends to trend bad for users.

Some business can certainly allocate more than $100M, but I could see that thesis for VC-backed tech-style product companies.

A few examples come to mind immediately: trading firms/hedge funds often have more capacity than that in their existing strategies; hardware businesses can have substantial up-front costs; companies with high COGS might need that much to just scale at the rate they're already moving, since each unit locks up a bunch of capital until it's sold.

No one is going to answer you because no one has seen their books.

Cloudflare still has their about page with thousands of people:

https://www.cloudflare.com/people/

There might be other things going on in the US that you could maybe possibly have heard about, and investors are looking for different places other than the US stock market to invest their money, and Tailscale is looking to have a war chest because of the exceedingly possible case that we're headed into a global recession.

> I don't know much about Tailscale, nor about how much it costs to run a company

$33m/year is only 33 fully loaded software developers including all overhead like HR and managers and office space, and also a cloud hosting bill.

33 really isn't that many.

woot, woot, happy for the team. I love tailscale and can't stop singing praises.

Entshittification incoming?

I just wished their server side was open source also

brb destroying some magnetic tapes because i can just put them on the cloud

The benefit for VC of lending you more than you need is (a) getting the owners hooked on spending money, then (b) taking control.

That's much less of a problem than not being able to raise enough in the next round because you only 1.5x'd instead of 3 or 5.

It's super useful to potential hires about the kind of team you're building. Especially if there's some kind of niche you're in (product, tech, region, whatever). There are people who I would climb mountains to work with, and others within a niche whose very presence in a company is enough to steer me away. Another signal for me is the fraction of xooglers in the engineering team.

Yes! I also experience this. I also had some weird interaction with another wireguard-based VPN and Tailscale, where it crashed my DNS so hard I had to reset my entire laptop.

Eh. Investors/advisors don't change that frequently. And often people will go "oh? Sequoia generally invests in good companies, the invest in X? They might be worth while to buy/work for".

Putting people on the website is, very variable. Do you update the website every week or two when someone comes or leaves? Well that's awkward if someone is fired.

You get to 100 people, then 200 people. Now what do you do? Remove everyone? Only put people on above a certain level? What do you do when someone asks you not to be listed. Or when John becomes Jane, but doesn't want to be super duper public about it?

Or, when your company gets media attention and now the moment you add/remove someone from the website you get news or social media posts about it?

> Equity investments like this don't need to be repaid

You are saying equity is not bonds.

However investors expect to be repaid in the future with control and exhorbitant interest rates (based on risk). VC invests to make money, but that money comes from future equity rounds or IPO.

If you didn't take the VC money (and the business achieved the same growth without the money) then you'd expect you would have been better off by at least the amount invested (investors don't invest with the expectation of only getting their money back).

If the business doesn't succeed then you are on the hook to pay the debt from your equity via liquidation preferences.

VC payment is expectation statistics, but the investors know that game and invest to make money. That money comes from the current equity owners making less in the future.

Because you're delegating the control plane to Tailscale. Somehow we went decades without this being a thing for security reasons, dealt with the management of VPN appliances, and now suddenly everyone is OK with Tailscale owning the control plane of their VPN for the sake of convenience.

PUBG pays licensing fees to Epic Games (Unreal).

That's quite insightful actually. Perhaps might explain the tailscale name a little better in that context also.

I'd be surprised if the average package for SWE is $1M/year (fully loaded).

Generally package is around half of what company spends per extra engineer. And $500k average for a tech heavy product company doesn't sound too far off.

What's the difference between this and say azure vent and configuring that with private endpoints

Isn't it better to 1.5x in 6 months on 40 million than 3x in 2 years on 160?

By definition focusing on things that don't grow your business because you have way too much money in the bank is going to be worse for your business than being forced to focus because you've only got a year of runway.

Not only the "expectation" but lots of VCs have preference built in that guarantees them huge returns on basically any liquidity event. It's probably not as likely in a Series C like this but 2-3x preference is not unheard of. There are few investment vehicles where for every $1 you put in you're guaranteed to get the first $3 made back first.

You're not wrong to think Tailscale is primarily a software company, and yes, salaries are a big part of any software company's costs. But it's definitely more complex than just payroll.

A few other things:

1. Go-to-market costs

Even with Tailscale's amazing product-led growth, you eventually hit a ceiling. Scaling into enterprise means real sales and marketing spend—think field sales, events, paid acquisition, content, partnerships, etc. These aren't trivial line items.

2. Enterprise sales motion

Selling to large orgs is a different beast. Longer cycles, custom security reviews, procurement bureaucracy... it all requires dedicated teams. Those teams cost money and take time to ramp.

3. Product and infra

Though Tailscale uses a control-plane-only model (which helps with infra cost), there's still significant R&D investment. As the product footprint grows (ACLs, policy routing, audit logging, device management), you need more engineers, PMs, designers, QA, support. Growth adds complexity.

4. Strategic bets

Companies at this stage often use capital to fund moonshots (like rethinking what secure networking looks like when identity is the core primitive instead of IP addresses). I don't know how they're thinking about it, but it may mean building new standards on top of the duct-taped 1980s-era networking stack the modern Internet still runs on. It's not just product evolution, it's protocol-level reinvention. That kind of standardization and stewardship takes a lot of time and a lot of dollars.

$160M is a big number. But scaling a category-defining infrastructure company isn't cheap and it's about more than just paying engineers.

Yeah, the same way a car is just a GUI on top of two bikes.

Oh no. That's really too bad. Fingers crossed they'll beat the VC curse because it is so close to perfect as it is right now.

obligatory "Raising too much money" (Silicon Valley) https://www.youtube.com/watch?v=8ZgfTarNxdY

I'd be curious how much of this $160 million is immediately allocated to bonuses, founders taking money off the table, increased salaries, employee option pools, etc.

409a valuations are made up by independent appraisals, but it’d be quite strange for an investor to agree a share is worth 4 times the appraised value.

You can't raise VC money and save it for a rainy day. If VCs wanted their money in a bank they'd just put it in a bank.

If you raise $100M you have to put $100M to work or you'll hear constant shit from your board over it.

If they raised $160M they're going to spend $160M on something. My guess would be a lot of enterprise features and product integrations.

Tailscale has a single management engine. My understanding is that if the goes your existing traffic will still flow, but new connections won’t be made.

Why? Did they have a previous exit?

This is just wrong. What exactly do think companies are spending 500k on per engineer beyond the TC package?

This is about data, though, not about addresses, is it?

I think my employer decided to remove all non-executives at some point to ward off headhunters. Not sure how much it helps considering everyone's on LinkedIn.

anyone care to share how they are spending money? labor, operations (training, transfer fees), marketing & business development. It's different than industries I'm more familiar with.

office space of course!

HR, marketing, sales, management, office space, servers, licenses, insurance, etc.

It seems on the high end, but not too unrealistic.

Yeah I take this as bad news, as a user. I dread the inevitable enshittification. Hopefully open source UX over Wireguard is close-enough to as good by the time they drive me away that losing them isn't too painful.

Took a project I'd been putting off and putting off because I knew it'd eat half a Saturday, and made it a 20-minute affair from signup to having everything done, including adding some devices to the network that I wouldn't even have bothered to try adding on my own.

I use personally for my home network. Very easy to use and quite mature. I'd highly recommend.

You can’t be serious. Lots of businesses easily have that much just in cost of goods or marketing spend. $100M is not such a crazy amount especially considering the cost of hiring technical people.

Also note that the benchmark of “efficiency” should be a function of growth, not some absolute standard.

Now I'm waiting for all AI billboards in San Francisco to be replaced with Tailscale ads

Here's the source for those not familiar with the classic: https://slashdot.org/story/21026. Can't believe it's turning 25 next year.

They dunk on it because the author didn't see the the benefit of the product over using FTP. And it's hard to say the usage of "quite trivially" isn't "belittling" in some form, although I don't think using a loaded word is useful here. Even the followup response shows the same issue with the commenter's thinking:

>You are correct that this presents a very good, easy-to-install piece of functionality for Windows users. The Windows shortcomings that you point out are certainly problems, and I think that your software does a good job of overcoming that. (emphasis added.)

They still fail to understand that this is not a Windows or Linux issue but a reliability and ease of use issue. Not to mention the fact that the desktop Linux marketshare was probably less than 1% and therefore irrelevant in this context to begin with.

$33m/year burn accelerating to $50m+/year

Profitability and exit math just got harder

I love the service and am rooting for them - I just don’t get this cash outlay

I can’t wait to learn what I’m missing here

Hope this means headscale involvement doesn’t get 86’d.

As I recall, a few tailscale folks contribute to this open source implementation of the “coordination server”. Apparently tailscale management approved it. So this means management at any time can revoke it, and possibly kill off self hosting of the coordination server as the open source clients become incompatible.

This is a press release targeted by rapacious capitalists. By mentioning other big named investors, you keep the grift going and continue securing future funding until IPO.

Enshittification will start in 3... 2... 1....

lol - wonder if HR or whoever maintains this site just scrapes the internal directory to generate the is page.

Names/photos are not even clickable. Just first names and a photo.

Thats so cloudflare.

IIRC they were senior engineers from Google.

But the tailscale client is open source too

Rerun co-founder here. Rerun doesn’t have replay in the sense of you send messages in and can play back the same messages in the same order later. We have playback in the sense that you can play it back in the viewer. We also have apis for reading back data but its more focused on dataframe use cases rather than sending you back messages

> running your own [proxy servers] is kinda annoying and not recommended or documented

?? https://tailscale.com/kb/1118/custom-derp-servers

Holy hell I need to ask for a raise.

At least tailscale funnel isn't control-plane-only, unless I'm totally misunderstanding something

Aren’t they Canadian though?

I'm using it for friends and family file sharing, it's fantastic.

Tailscale just got a lot of money to keep growing. But what they are doing is more important than the money. They are helping computers talk to each other in an easy and safe way.

Before, the internet was built to connect places, not people. That made things messy. People had to set up tricky stuff like VPNs and firewalls. Tailscale makes this much easier by using your name or account, not just numbers like IP addresses.

Now, big companies and people at home use Tailscale to keep their computers and apps connected. It works without a lot of setup, and it’s safe. Even people building smart robots and AI are using it.

What’s really good is that Tailscale still helps small users for free, and they try hard not to break anything when they update their tools. If they keep doing that, they can become a very important part of how the internet works in the future.

This comment reads like simple.wikipedia.org

Sounds like Pied Piper to me.

Haha, fair point! I guess i was going for simple Wikipedia rather than deep academic journal. Maybe next time i'll throw in some fancy words just to spice things up.

I can confirm that kenrose is an actual human being :-)

It's both, https://en.wikipedia.org/wiki/Named_data_networking

> NDN has its roots in an earlier project, Content-Centric Networking (CCN), which Van Jacobson first publicly presented in 2006.. NDN applications name data and data names will directly be used in network packet forwarding.. Its premise is that the Internet is primarily used as an information distribution network, which is not a good match for IP, and that the future Internet's "thin waist" should be based on named data rather than numerically addressed hosts.

NDN talk by Van Jacobson at Google (2006): https://www.youtube.com/watch?v=oCZMoY3q2uM

It’s wildly and hugely unrealistic.

The rule of thumb that employees actually cost a business roughly twice their salary is based on two things:

1. Retention. Hiring costs are “huge”, and so if you have a higher or lower average retention, may make up a disproportionate cost compared to salary. Ramp up time and institutional knowledge loss is no joke either.

2. A spread of average wages. 500k is not average, and a huge number of the costs are relatively fixed. $1,000 a month worth of software licensing isn’t an uncommon number and is fully 1/3 of the salary of a $3k a month or $36k/year junior clerk. It’s peanuts when you look at it next to a $500k/year salary. It may be that the clerk is, all in, costing the company 3x their salary after indemnity insurance and so on. The dev will never reach 10%.

you should see what happened to the rodents in the lab

That depends entirely on how you raise the funds. Yes, you can say "Here's the growth rate we'd get without your money - based on that, this investment gets you an ROI of x%."

With x% high enough, sure, you can get VC money without too many strings. (Also, reading the Series B post, they were planning to invest - just in organic growth instead of the usual growth hacking)

And if you read the Series C post, you'd know what they're spending on - GPU (and general) cloud interconnectivity.

There's really not much need to guess, Tailscale's financing announcements are about as open as you can get.

Apparently, yeah: https://en.wikipedia.org/wiki/Tailscale. Based in Toronto, Canada.

Go Canada!

You know it

Their Personal Plus (the non-business "starter" plan) does offer SSH, FWIW.

TBF, the folks who get actual value out of knowing who works at Tailscale already know who works there :)

They're not exactly secretive, there's just little value to have it on the main company page. (And if you just want pictures, https://tailscale.com/careers has that too.)

Yes, but when they raised before they did not give up a bunch of control in return.

> get bought by Azure

Please no.

Thanks for the clarification!

Can you comment a bit on what you liked about them, especially compared to Tailscale?

I don't know how it works on Linux, but for Windows, the 'MagicDNS' just automatically adds a bunch of static entries to your hosts file to resolve the TS FQDNs and simple/machine names.

Can likewise confirm dblohm7 is a real human too :)

I'm a fan of TS and have been a paying customer for work infra for almost a year now. It really is well put together and easy to use, but I do run up against some issues/complaints when diving deep that I hope they can work out:

* The pricing tiers and included features by tier penalizes you in frustrating ways. The base plan is a reasonable $6/user/m, but if you want to use ACLs to control anything in a workable way, it jumps 3x to $18/u/m. Better solutions are available for that kind of money, and I shudder to imagine what the next tier ('call us') costs.

* Subnet routing broke on Ubuntu (maybe other distros) recently, and there were no alerts, communication from TS, or TS tools to pinpoint/figure out what was going on. I stumbled on a solution (install subnet router on a Windows box), and from there I searched and found others with that issue. Lost half a day in emergency mode over that!

* Better tooling to determine why it's falling back to DERP instead of direct for remote clients. DERP relays should be an absolute last resort to provide connectivity for Business-plan-level customers (very slow), and the way TS works just assumes any connectivity is fine.

Overall, the simplicity and abstraction of complex VPN networking is wonderful, but if you have issues or advanced needs, you are immediately thrust into the low-level UDP/NAT/STUN world you were trying to avoid. At that point, you're better off using a traditional VPN (WG, OpenVPN, or heaven forbid, IPSec), because it ends up being more straightforward (not easier) without the abstractions and easy-button stuff.

> $500k average for a tech heavy product company doesn't sound too far off.

Tailscale puts salary ranges on their job postings. The salaries aren’t bad, but no, they aren’t $500k.

Funny how, as soon as I hear about a big new funding round, my reaction is sadness because I assume the product is going to start being bad and user-hostile in about 6 months. It shouldn't be that way, but it's just a reflex after seeing it happen so often.

Have you tried ZeroTier? Their free plan's been working well for me. I haven't tried NetBird.

We’re like trading cards to these people

I think we are saying slightly different things. COGS are composed of many smaller capital allocations. According to this untested, pet thesis, putting on a report that $250M was spent on capex is just fine; but if you go to a single vendor and sign a $250M contract, you have wasted money by not being more careful about how that capital is allocated. $100M is _a lot_ of capital, and I think it’s easy to lose sight of how much stuff you can do with that much money when applied to industries that don’t pay tech salaries for speculative growth. As examples: how many pounds of food could you grow for 100M? How many doctors could we train for 100M?

I think the thesis is thought provoking. Not sure yet if it’s worth anything, but it also doesn’t preclude businesses from having massive cashflow.

> Another signal for me is the fraction of xooglers in the engineering team.

In which direction?

Maybe 200 doctors at prevailing medical school rates? That’s not an obscene amount.

Not necessarily. You hear plenty of stories of companies who raised money they never ended up needing to touch.

What matters is why. Is it because growth is so bonkers that your burn stays minimal/zero despite increasing costs? Or is it because you don't spend anything and thus can get by with stable revenue. VCs are very happy with the first, less so with the second.

VCs would always prefer you get to megascale with less money - the less you raise, the less they get diluted.

Thank you. I’ve lost count of how many times I’ve had to write “we don’t need the money but are saving for a rainy day” CEO talking points and press releases for companies that were < 90 days from not being able to make payroll.

Easily, tailscale solves on of the hardest problems in software

My prediction is that they'll be bought by Cisco.

Non-salary cost such as payroll taxes, benefits, workers comp, training, equipment, space add another 25-50% typically.

US Health Insurance is stupid expensive as well.

Funny enough, you could double that to 70 engineers and that's still a TINY amount of engineers.

It's really not at scale. It's on the order of 500$ a month per dev for "gold" level care for a company of 50 people. I'm sure it's less the larger you get.

it would fit in very well with Cisco eco system

As an alternative there's https://github.com/tonarino/innernet

I haven't traditionally seen these areas of spend rolled into Eng costs in the budgeting process.

Doesn't that also then make tailscale completely open source?

When people say they get 500k they mean they get paid 200k in salary and got 300k in RSUs, with the details mixed around the edges. ICs aren't getting 500k salary except in a few rare cases.

For a company this is probably okay: companies rely on other companies all the time, and can enforce contracts. I would gladly use tailscale at my company.

For an individual, heck no. Fortunately, headscale exists for individuals to use.

Not on Windows and iOS. And on the mac, the most useable client isn’t open source either.

Nope. 2x total comp is standard fully loaded cost.

> * Better tooling to determine why it's falling back to DERP instead of direct for remote clients. DERP relays should be an absolute last resort to provide connectivity for Business-plan-level customers (very slow), and the way TS works just assumes any connectivity is fine.

Tailscale touts all the perf benefits of the wireguard protocol but in practice between the userland wireguard that seems to be used all the time on all platform (even linux) and the over reliance on DERP, it has none of the performance benefits of the real thing.

I still don't know what it is and I've been reading about it for N years here. On some level, it's healthy to take capital.

>$6/user/m, but if you want to use ACLs to control anything in a workable way, it jumps 3x to $18/u/m.

It's market segmentation, needing ACLs is a sign you're at least an SMB, and to a business of nearly any actual size, the difference between $6/user and $18/user is 0.

Um, it's 3x the cost to get one feature. By your logic they should be charging $100/user/mo for the feature since that must also be the same. This is typical "enterprise" nonsense pricing and it will absolutely drive some adopters to look elsewhere.

Apple had a Tailscale-style feature called "Back to my Mac" that was part of MobileMe. They killed it off with the rest of MobileMe, presumably because they just wanted you to store everything in iCloud.

I guess technically they weren't lying, just holding back on disclosing that they already knew a rainy day was coming and it was coming very soon...

It's a perfectly valid part of a pricing strategy to drive people away if they are not the customers you want.

It might depend on the state and the age pool but I have to pay a percentage and based on that it's more like $10k/year. So you are almost 2x undercounting

... But maybe if the average employee of a company is 25 they could get a better deal

>I'm sure they have some cloud fees, but I thought it was mostly "control plane" and not data plane

Don't they host the relay servers that are the fallback if NAT hole punching and their other bag of tricks doesn't work?

Didn't knew that. It's significantly lower than $500k.

The shift toward identity-first networking is also super interesting. Feels like we're finally moving past the idea that IPs = trust, and into a world where access control actually maps to human (or service) intent

I really hope with this funding they can improve observability and give more love to power users who occasionally need to dig deeper without going full bare metal

Feels like tech companies treat engineers like implementation details until they need to hire more of them.

Do you mind sharing the better solutions you'd consider at the higher price point?

Start looking for alternatives already. Nothing good came out of VC rounds and private equity for the end consumers ever.

Congrats TS. You deserve this.

I understand the cynicism. But this is counter productive. Any venture has to have a finance angle. They are not missionaries.

Uh I work for an enterprise of tens of thousands of users and $18 a month is not nothing for us. In fact considering the discounts we get at our size that would be so high we'd never consider it.

We don't even use windows enterprise for the same reason, we have legacy office 365 plans and lifetime windows licenses without the M365 addons because it saves is a few bucks per head. At our size, a few bucks a head quickly add up to millions per year. Microsoft keeps trying to dissuade us and they even pretend office 365 plans don't exist anymore ("office 365 is now microsoft 365") but they do: https://www.microsoft.com/en-us/microsoft-365/enterprise/off... . The same with their Copilot stuff. 30$ is a non starter. Our users want it but nope (and we did a trial in one big team and only 10% actually bothered to use it after the first month so I think it's more the idea of it that want rather than the actual product)

We don't use Tailscale but $6 would be feasible where $18 would be a complete nonstarter.

In fact our company is a lot more cost conscious than I am as a consumer.

I just this past weekend was looking into setting up a personal networking solution- and looked hard at TailScale and their competitors. I do not like- that Tailscale has chosen to only allow SSO sign-in - as that forces one to have a Microsoft,Github[MS], Google, or Apple account- and I presume that leaves one at the mercy of those companies for the free option.

I will probably eventually cave and use my main account from one of those companies since creating true secondary accounts can be difficult(they end up tied back to your main account on the backend usually, So if something happens to one or the company does something- it'll affect everything and building separation is not easy.) - But I dislike that sort of design.

This is not true. You can run Tailscale with a custom self hosted OIDC provider such as Authelia.

https://tailscale.com/kb/1240/sso-custom-oidc

Naming things?

What is their use case in an IPv6 internet? Or is this another company with a vested interest in stopping IPv6 from happening?

33M would be 33 software consultants each making 250k a year.

I've got conflicted feels about Tailscale. I love their product and a bunch of the people I know use their free tier, including myself.

But their enterprise strategy destroys their good will. I can only assume it's focused on killing old school VPN products. The free tier that we love is a marketing expense. And it’s not even a conversion play.

People are complaining about ~10/user/month -- add basic things that you'd need to manage more than 10 peeps (SAML/SCIM support) and you're talking ~20/user/month. For us, a small sub 200 person company, they immediately lost their chance. We have lots of problems in the security space, some we're willing to spend more than 20/user/month to solve. Legacy network access is not one of them.

> disable IPv4 inside Tailscale.

TIL this is a thing

> Just use the v6 ULA address that begins with fd7a exclusively.

perfect, this is exactly what I desired

(I'm having an increasingly high number of sad v4 only LAN devices and planned to move to a v4 block that sits way too close to the one Tailscale uses.)

> There's unfortunately no GUI to do this; you'll have to change the Tailscale ACL to disable IPv4.

ah that's why I missed it, thanks!

Interesting. I didn't know that you could also use e.g codeberg this way.

> AFAICS there's no real competition in the market place for their product today

What does this mean? They are competing with regular legacy VPNs for sure. Despite tailscale existing for the last 4 years, none of the large corporate clients even got closed to it. They were all on junk from Cisco, Palo Alto, to connect employees to corp net. A “cutting edge” one might use cloudflare warp.

You might be right that there isn’t much competition for pure distributed, but it turns out the market for that is actually quite small and it’s for people who can’t afford dedicated IPs or cloud instances.

Raising money here is a bad sign IMO unless it’s for a completely new product that requires servers at exchanges to eat CDNs like cloudflare’s lunch.

Ah, I had totally forgotten about that! Thanks!

> but it may mean building new standards on top of the duct-taped 1980s-era networking stack the modern Internet still runs on.

That’s a path directly into a money burning machine that goes nowhere. This has been tried so many times by far larger companies, academics, and research labs but it never works (see all proposals for things like content address networking, etc). You either get zero adoption or you just run it on IPv4/6 anyway and you give up most of the problems.

IPv6 is still struggling to kill IPv4 20 years after support existing in operating systems and routers. That’s a protocol with a clear upside, somewhat socket compatible, and was backed by the IETF and hundreds of networking companies.

But even today it’s struggling and no company got rich on IPv6.

Still can't wrap my head around that TS does not allow to signup with your custom email/password combination but forces you to use bigtech (GitHub, Apple, Meta etc.) to login. Running your custom OIDC provider as a small, private person does not make any sense either.

"Subnet routing broke on Ubuntu (maybe other distros) recently"

Do you have more infos on this one? I use Debian and that would be a major problem for me.

Sure, but amounts matter.

They are a zero-trust networking solution that also traverses IPv4 NATs. Zero-trust networking is a layer above the IP layer. In an IPv6 Internet their capital costs go down, and their product remains valuable for their paying customers. (Free accounts mostly use it for NAT traversal, businesses for the zero-trust encryption.)

Their CEO has been working with (and supporting) v6 for decades both at the executive level (now) and also as an extremely capable software engineer that I personally met with a few times while we were both engineers at Google doing network measurement.

All in for profitability and financial activity. That's the very foundation of innovation.

But VC funding works very differently.

You could look all the details you need and more up on linkedin.

used to have last names, but it became a security concern. It is ordered by seniority.

All too often it's those companies that worry excessively about saving a few dollars that also have meetings for everything, glacial decision making, poor strategic focus, tons of internal politics, and so on.

I think that's quite smart, and OIDC is an open standard at least.

Securing usernames/passwords and handling second factors etc; is already done so well and it's hard to do.

Having a clear 'this is where we can be secure' stances is what makes me want to trust them more.

At that scale, you need the "Call us" plan. No one at that scale is paying full price.

They also seem to be needlessly doing DERP over TCP in some cases where UDP would actually work.

zerotier maybe?

Well, it's important to start with saying I didn't like it as much as Tailscale, but I liked it a lot more than any of the others I tried. The UI for their dashboard is very good and getting it up and running was pretty trouble free though the docs could be a little better.

Ah, that makes sense thank you!

> and OIDC is an open standard at least

But what kind of argument is that, if you are a single individual who wants to signup, I am not going to setup my OIDC servers. That is like saying it is a good idea to run a dedicated linux server in a datacenter under your own management, when all you want is a small static website for your mom+pop store. Sure, you can run your own server and it is all open source, but just overkill.

> already done so well and it's hard to do.

So hard that literally all other websites in the world with a login have implemented it. And tailscale is a VPN-like technology company - if they can't manage to implement a login because it is hard, then I would definitely not accept their offerings.

I like Tailscale and we pay for it at work but it has a number of serious bugs that affect our work that they seem to lack the resources to fix. Hopefully this helps.

Congrats to the tailscale guys. I remember when tailscale was not a networking company. Amazing to see where it's ended up and obviously having bradfitz onboard is useful too. I'm always curious to know what the internals of a company looks like with a lot of ex-googlers running it. Does it look like a mini Google or something else? Not sure if apenwarr is here but always interested to learn more.

> Overall, the simplicity and abstraction of complex VPN networking is wonderful, but if you have issues or advanced needs, you are immediately thrust into the low-level UDP/NAT/STUN world you were trying to avoid.

This is my experience too.

I actually came to believe the TS dream of device based VPN as opposed to AP or router based is the wrong thing because it gets confused by subnets and subnet routing so often, but also that the big security problem on networks is bad devices which it's not going to help you with unless you can wrap them up anyway.

That's one of the reasons I started playing with AP to AP real time video like https://github.com/atomirex/umbrella which is a nightmare case from the TS pov. The intention is to eventually wrap clients up on separate networks so they can only see each other via the (locally run) relay.

I highly recommend netbird, after using it for two years. The whole stack can be self hosted is open source develop by an european based company.

> difference between $6/user and $18/user is 0

I wouldn't go that far. Big companies put a lot of effort into saving $12/seat.

But, if you can convince them they get >$18 of value from it they're usually happy to pay. With hobbyists it's more emotional. $6 is "just a coffee" and can be justified just to try it out. At $18/m is one of your household bills, and many will decide they enjoy watching Netflix more than messing around with Tailscale.

There's nothing about ZeroTier's solution which deserves a higher price point than Tailscale. As a long-time user, ZT's administration UI is much worse and the product has been essentially unchanged for a decade.

Better solutions would be things that make the VPN invisible, rather than 'easy'. Tools such as Teleport, IOW.

Agreed. This is why imho Tailscale does not scale very well. Awesome for home labs and small orgs as a VPN replacement, but not enterprise scale with abstrations that actually remove complexity. I wrote about it in this blog - https://netfoundry.io/vpns/tailscale-and-wireguard-versus-ne...

Enterprise math is interesting --

For a global all-you-can-eat enterprise-wide rollout:

* base: 20K users x $200/yr

* 50% discount: volume + multi-year + ...

=> enterprise: $1M/yr

=> 200 person division in the enterprise: $10K/yr

It's not cheap, but averaging out a global rollout, not terrible afaict

(This is super rough. Ex: Add in BYO hardware, internal staffing, pro serv, and who knows the real discounting!)

Steam does fine financially and without having to answer investors, which is why it's been able to stay mostly good to its user base for so long.

This is not an "xor" statement.

Because it's so cool when I go "oh hey I know that guy!"

Glass half full customer: great, the service I rely on is going to persist!

Glass half empty customer: OMFG, this is the minimal amount they are going to bleed from us over the next 5 years!

Based customer: this is just a half filled glass, full or empty is just your projection.

It's an open standard, but would they allow me to use my OIDC?

>Connecting GPUs across clouds, securing workloads across continents, migrating between cloud providers — it’s messy, it’s hard, and it breaks all the time.

Is the new fund raise to enable Tailscale perform these complex tasks or for scaling it?

I've once read few years back that seamless and secure cloud independent computing or cross-cloud system is the next frontier, and it seems it's a legit problem and a business opportunity for security company like Tailscale and Crowdstrike (investor). The record breaking acquisition of Wiz kind of cemented this problem space and the pain points, and it seems that Tailscale is riding on the opportunity [1].

[1]Google to buy Wiz for $32B (845 comments):

https://news.ycombinator.com/item?id=43398518

> NAT/STUN world you were trying to avoid

The clean way to build this is with firewall configuration, opening ports, and static IPs. NAT/STUN and dynamic IPs are just a hack and I don't understand why people pretend this is an acceptable solution for professional networking. Working around an infrastructure that isn't a natural law but can be changed at our will seems like a big waste of time.

Some of that we have, yes. Glacial decision making definitely. Internal politics crap too. Meetings not so bad though (and especially flying all over the world for business meetings is heavily frowned upon since 2015 which is great because I always hated that)

Strategy is pretty good I think. And they are also not backing down on inclusivity and sustainability despite the threats from Trump (companies with inclusivity aren't allowed to do business with the US govt blahblah). We're an EU company but this worried me a bit (I'm heavily involved in the inclusivity program). But they've already said they are absolutely not giving in on that point.

Why is that smart? I signed up for a Microsoft Account with my email and I can use Microsoft Account to log in to Tail scale but I can't use the email directly? How does the middle man bring anything to the table?

Yeah no idea of the discounts there nor of how much we spend on our current VPN provider (I don't work in that team). I guess for a VPN they might have higher spending limits as a VPN is always required to be on on all of our endpoints.

> I don't understand why people pretend this is an acceptable solution for professional networking

Because it IS acceptable for many cases.

Many businesses don't operate in such a way as to have centralised infrastructure solely for providing internal networking, nor would they want to add the additional administrative or unnecessary routing overhead.

Even locations that would traditionally be considered highly centralised often have some form of dynamic network fabric as an overlay. Pretty much the entirety of cloud infrastructure runs on such systems, and they seem to do OK.

What is tailscale going to do with GPUs? It's about as far removed from NL interaction as you can get, I really don't see any sane AI fit. Maybe they are using them for AI driven dev work? Probably need to think more laterally.

What's wrong with Steam (Valve) business model?

If 20$/user/month is too much, maybe you could apin up headscale and plug in your OIDC provider?

Never tried it myself, I only manage small tailnets so the free tier is fine

Dynamic IP addresses typically also have a forced disconnect at a regular interval. Not really what I want to host services on.

Also DERP relays having QOS that isn't controlled by myself and I have to hope to get bandwidth through doesn't exactly make me confident about the solution

Companies hide their employees, especialy the real value adding ones, for fear of them getting poached.

It is commendable that TS has created a market in an already crowded marketplace of VPN tools. They're competing with Palo Alto, Netskope, Check Point, and Cisco, to name a few.

One key understanding from my brief market experience is that you must build a firewall or router if you really want to own the VPN market. The way the sale is done is that the vendor goes in with the firewall, router, and switch, offering office space connectivity with the infrastructure and various network locations and upselling the VPN. This often accounts for the subpar quality of VPN software. There is a trend called SASE, which includes technologies like TS; people are questioning the enterprise value of SASE. Netskope and Cato Networks are some examples.

I believe that their enterprise journey will be challenging, given the player's extensive experience in upmarket sales. Although TS appears appealing and has potential for improvement, the GTM is entirely unique for enterprise. You need to build reseller network, System integrator partners, high value customizations, etc.

If you decide to embrace the security positioning, you must have a diverse portfolio of products. If you model the org. around Palo Alto et al., you need a huge diversity of products, VPN, hardware, cloud security tools, app security tools, etc., as the ICP (CISO) is trying to optimize their allocated budget. People in enterprise are ok with good enough products as long as they meet compliance standards, fit the budget, and does not disrupt operations.

It could be that they might acquire bunch of companies with this capital.

Sure, but your data is only getting relayed through DERP servers if it cant otherwise establish a direct p2p connection. This can usually be resolved at either side of the connection - if you know about it (which is what the parent was suggesting could be made more clear).

As for your bandwidth concerns in the case of needing to relay, you can even set up your own relay (https://tailscale.com/kb/1118/custom-derp-servers), which would satisfy your desire to be more centralised (i guess you could force all traffic through it, but cant think why you would want to) while still allowing the flexibility of the overlay that tailscale provides.

That seems like even more reason to use an overlay - it abstracts all that instability away and gives you a consistent, secure network regardless of what the underlying IPs are doing. Obviously peers can have static IPs too if you think that makes them more stable to routing changes (it doesn't).

Who said you can't do both? NAT makes things easier and you can still properly configure your firewall to keep track of all the NAT traversal rules

You are still trusting the tailscale coordination server for proper key exchange. Yes, traffic is end-to-end encrypted and the private keys stay on the device but there's no way to verify that tailscale is negotiating keys for the machine you asked for

This might be true for HFT companies. They usually start at 200-300k and mid senior engineers probably make close to a million

What? The original coordination server, which is not running headscale, is closed source so yes, they are still a closed source company

Yes, a move to static IPv6 addresses everywhere would help a lot.

Maybe try out promising alternatives such as netbird, teleport, zerotier, etc

Im pretty sure thats not correct, as you can authorise the nodes that get added, and it is only authorised nodes that can participate in the tailnet.

The problem IIRC is that it is the coordination server that decides what is authorised, so if Tailscale was hacked (or otherwise malicious), nodes could get added to your tailnet without explicit authorisation from the tailnet "owner", which is obviously not good. To prevent this, they introduced tailnet-lock, which requires other peers to participate in node authentication: https://tailscale.com/kb/1226/tailnet-lock#how-it-works

It’s pretty hobbled compared with OG Tailscale, so much so that I moved completely to self-hosted NetBird and haven’t looked back.

There is a open source clone for the Tailscale server named headscale fwiw.

Good call, I started using it a few months ago, and now it is something I can't live without.

So is Basecamp. Profitability is not a dirty word.

Tailscale not having reached profitability yet and having to raise more is bad news, as it increases the odds of future enshitification.

Yes, they allow that.

Because then tailscale doesn’t store a username and password for you, so unless microsoft is hacked you won’t be- theoretically.

> I shudder to imagine what the next tier (cal us') costs.

There is no enterprise tier, instead you pay for any additional features you need. I.e. log streaming is 2$/month/user and SSH recording is 3$/month/user.

but at the same time, now Microsoft knows you are using Tailscale (and they use this data in their tracking + analytics). And all the other products. They get a very good insight of your online habbit, because they have a list of all other products and apps you use where you sign in with your microsoft account. And due to the way token refresh works, they even have a good idea how frequently you use each individual one.

And if you for whatever reason get locked out of your microsoft account (and I say this as someone who had this happen with a Google account) your are basically locked out of your online life.

I own my own domain for my email address (xxxx@mydomain.com). As long as I can set the MX record of that domain freely, I can always restore access to my email adress no matter what any email provider decides to do or block me for.

sure, then spin up a keycloak.

Its not hard.

If you don’t feel comfortable doing so: maybe that is telling.

congrats to the tailscale team

possibly referring to https://github.com/tailscale/tailscale/issues/13863 which broke subnet routing for us

Assuming they wouldn't want to take on server maintenance workload, wouldn't something like NetBird be a better fit? The free version has ACL already, the $5/user/month has OIDC integration, and the business version (MDM integration and auditing) is $12. Then the server is still open source so if they wanted to transition to doing it themselves they still would have that option down the road.

> I can only assume it's focused on killing old school VPN products.

Given how goddamn terrible Cisco anyconnect is, I hope they succeed.

One gives up a decent amount of control for the first 12m, then a bunch more at 100m. Unless you work there, you frankly have no idea how much control the founders have.

Do you really think that a tailscale VPN is necessary to deal with link failures? It is not BGP and SD-WAN or MPLS l2 VPN can do that.

I never said I had a desire to be more centralised. I just said that static IPs and open ports remove the necessity for hole punching/STUN. You can have multiple sites without a central and all use static IPs and open ports.

Thank God Microsoft never got hacked

What are you on about. For years logging in with email was possible even on the most amateurish projects. Now that's not possible for tailscale? Why

Because they don't want your password and as a security company, I applaud that.

Account issues, recovery, support that can be manipulated, a single breach or bad password that grants access to their admin interfaces, implementing their own 2FA.

And, serious people want SSO anyway, and most people have some kind of authentication they can lean on.

You can make a stodgy password login if you want, or you can run a keycloak yourself.

If you don't want to run an OIDC provider for yourself, why would you want them to?

Genuinely I applaud the idea that they're SSO first, and have as little information as possible to handle things. If you don't like it; well, run your own, run headscale - or, use wireguard another way.

Not every company needs their own login system. I fucking hate it.

12m? What are you talking about? Tailscale had already raised 115m previously.

It's zero for small businesses with a dozen employees. The moment you have a large business you run into an obvious problem: only a subset of your employees actually use the software, but if even a single user needs a higher tier you have to upgrade all users.

I have been using ZeroTier for a few years with great success. It’s not an Enterprise, but for my lil’ shop I get 100 endpoints for $0.10/ea/month, and that includes all features.

Namely, customers too stupid to know how to use something else, and/or customers you’ve managed to lock-in sufficiently to make them too scared to do so. I guess that’s a good strategy if you hate what you do and the people you do it for.

I didn't mention Tailscale. I said "overlay", and both SD-WAN and MPLS L2 VPN are overlay networks.

I was replying to your comment about you wanting to control QoS for relaying.

Totally fair to bring up IPv6 vs. IPv4. However, I think Tailscale’s approach might sidestep some of that pain.

Avery (Tailscale CEO) has actually written about IPv6 in the past:

    - https://apenwarr.ca/log/20170810 (2017)
    - https://tailscale.com/blog/two-internets-both-flakey (2020)

IPv6 has struggled in adoption not because it’s bad, but because it requires a full-stack cutover, from edge devices all the way to ISP infra. That’s a non-starter unless you’re doing greenfield deployments.

Tailscale, on the other hand, doesn’t need to wait for the Internet to upgrade. Their model sits on top of the existing stack, works through NATs, and focuses on "identity-first networking". They could evolve at the transport or app layer rather than rip and replacing at the network layer. That gives them way more flexibility to innovate without requiring global consensus.

Again, I don’t know what their specific plans are, but if they’re chasing something at that layer, it’s not crazy to think of it more like building a new abstraction on top of TCP/IP vs. trying to replace it.

I thought they vastly improved user-space wireguard performance?

https://tailscale.com/blog/more-throughput

Not sure if the kernel implementation pulled ahead again, I don't really follow these things.

Also not defending tailscale, I respect them but I agree they are a one size fits some solution.

Microsoft was hacked before and I don't trust them but I trust the email provider at the company I work for now what

Idk what you mean with routing instability. Changes to routing as a result of failures are a feature not the problem.

Microsoft getting hacked proves my point more than you think, they're less likely to get hacked now because they have scar tissue. You're basically saying: "If you ever get hacked your reputation is burned forever, but I want these guys who have never done it before to handle logins for me even though they are saying that they are not comfortable with the extra responsibility". Get over yourself.

If you trust your email provider: Ask them to set up an OIDC provider then.

Email is insecure. I can't be the first person to tell you this.

Multiplying your logins is not more security, it's less in the majority of cases.

You said "Dynamic IP addresses typically also have a forced disconnect at a regular interval.", which is false in pretty much every DHCP scenario I have ever seen.

A change in an IP lease should result in no downtime whatsoever, because addressing is not the same as routing. A routing change would have exactly the same effect on a static IP.

I then pointed out that an overlay network means you don't have to worry about that anyway.

I think you need to reread whatever comments you think you are responding to, as there is clearly something out of sync with your replies.

All the more reason to invest!

t weekend was looking into setting up a personal networking solution- and looked hard at TailScale and their competitors. I do not like- that Tailscale has chosen to only allow SSO sign-in - as that forces one to have a Microsoft,Github[MS], Google, or Apple account- and I presume that leaves one at the mercy of those companies for the free option.

What is going on with your sentences man.

I get it, words matter, but this itself was a reference to the "I understood that reference" meme from Avengers. Thank you for your concern.

Read. The. Fine. Article.

I mean, it is obvious that you cannot sustain efficiency as you scale (Amdahl's law) but (1) $100M is not that crazy to be able to keep track of in your head, even for a single individual (I can imagine a successful real estate developer with a handful of ongoing projects and various other personal investments), and (2) in a high growth situation, it makes financial sense to sacrifice some economic gain for scale. In your original example, sure an investor would be better off, if they could actually find 10 good investments with zero cost, to spread their money, but very likely they'd be better off taking the big one and spend their energy raising more money.

>> Uh I work for an enterprise of tens of thousands of users and $18 a month is not nothing for us. In fact considering the discounts we get at our size that would be so high we'd never consider it.

This doesn't make sense to me. It shouldn't matter if you are a small company or a large one, a few bucks per person per month is noise. I get trying to leverage scale to get a better price, but if something saves time / money, a company shouldn't refuse it just because they are large. Whoever is gatekeeping these decisions is ultimately eroding the company's value.

In my experience, many if not most tech executives don’t believe in the concept of truth vs lying. There are only “competing narratives.”

If I have to spin up a keycloak instance (you forgot to say on a public-facing data center that runs 24/7) to use a single service I would usually signup with an email and password, I might as well spin up my private vpn server.

yep!

Or use a login system you already have.

Their series A was 12m. Their series B was 100m.

No their "real" backend is proprietary. Headscale is a separate implementation that they also maintain. It's intended for self-hosting your individual Tailnet. I'm assuming if you tried to use it as a corporate VPN you would run into limitations.

Their clients for proprietary OSs are at least partly proprietary too.

To be honest I find this all a very reasonable set of compromises. It means I'm comfortable using their proprietary service without feeling like I'm getting locked into a completely closed ecosystem.

this is not true at all lmao

of COURSE you can raise money and not use it.

The fine article seems to say lots of companies are using Tailscale to connect to servers with GPUs -- nothing in that implies that Tailscale would own the GPUs.

I think you mean to say:

The. fine. article. seems. to. say. lots. of. companies. are. using. Tailscale. to. connect. to. servers. with. GPUs. -- nothing. in. that. implies. that. Tailscale. would. own. the. GPUs.

Besides my joke, you are bang on, nothing implies needing to buy GPUs and based on my knowledge of their product/the space, absolutely no reason to.

There is tons of competition for Tailscale. Its 'just' an easier to use VPN with a great GTM exceution. I think they need more money as they need to fundamentally re-architect their solution to sell into enterprise use cases they their valuation requires.

Their is tons of competition depending on how you want to attack the problem. Tailscale's problem imho is that their product does not scale well as required by large enterprises. One could argue nor do traditional VPNs, but they are already in place and workking so that product config already works, no need for change. The market is massive, but you need to be at a high abstration layer in my opinion, so that you can replace far more than just the VPN.

Do they? What does it do that nothing else does?

VC funding is on a whole other level, though

I switched to netburd and havent looked back. Jetbird android cliwnt is pretty usable

My 100ish person company the differnnce was using and not using between those prices. 18 a month for acls is insane

For a single user, email signup is easy. But if they were to offer it they would also need to offer it to business customers. That means they have to build a role system and link that to AD etc. That is why they don't have it. (Their CEO discusses this in a recent interview).