655 points louis-paul | 43 comments
1. briHass No.43627559
I'm a fan of TS and have been a paying customer for work infra for almost a year now. It really is well put together and easy to use, but I do run up against some issues/complaints when diving deep that I hope they can work out:

* The pricing tiers and the features included by tier penalize you in frustrating ways. The base plan is a reasonable $6/user/m, but if you want to use ACLs to control anything in a workable way, it jumps 3x to $18/u/m. Better solutions are available for that kind of money, and I shudder to imagine what the next tier ('call us') costs.

* Subnet routing broke on Ubuntu (maybe other distros) recently, and there were no alerts, communication from TS, or TS tools to pinpoint/figure out what was going on. I stumbled on a solution (install subnet router on a Windows box), and from there I searched and found others with that issue. Lost half a day in emergency mode over that!

* Better tooling to determine why it's falling back to DERP instead of direct for remote clients. DERP relays should be an absolute last resort to provide connectivity for Business-plan-level customers (very slow), and the way TS works just assumes any connectivity is fine.

Overall, the simplicity and abstraction of complex VPN networking is wonderful, but if you have issues or advanced needs, you are immediately thrust into the low-level UDP/NAT/STUN world you were trying to avoid. At that point, you're better off using a traditional VPN (WG, OpenVPN, or heaven forbid, IPSec), because it ends up being more straightforward (not easier) without the abstractions and easy-button stuff.

replies(10): >>43628638 #>>43628773 #>>43629221 #>>43629247 #>>43629638 #>>43630250 #>>43630297 #>>43630660 #>>43631345 #>>43674964 #
2. smashed No.43628638
> * Better tooling to determine why it's falling back to DERP instead of direct for remote clients. DERP relays should be an absolute last resort to provide connectivity for Business-plan-level customers (very slow), and the way TS works just assumes any connectivity is fine.

Tailscale touts all the perf benefits of the wireguard protocol, but in practice, between the userland wireguard that seems to be used all the time on all platforms (even linux) and the over-reliance on DERP, it has none of the performance benefits of the real thing.

replies(2): >>43629927 #>>43633579 #
3. atomicnumber3 No.43628773
>$6/user/m, but if you want to use ACLs to control anything in a workable way, it jumps 3x to $18/u/m.

It's market segmentation, needing ACLs is a sign you're at least an SMB, and to a business of nearly any actual size, the difference between $6/user and $18/user is 0.

replies(5): >>43628801 #>>43629300 #>>43630261 #>>43632383 #>>43674980 #
4. dexterdog No.43628801
Um, it's 3x the cost to get one feature. By your logic they should be charging $100/user/mo for the feature since that must also be the same. This is typical "enterprise" nonsense pricing and it will absolutely drive some adopters to look elsewhere.
replies(2): >>43628947 #>>43632386 #
5. dewey No.43628947{3}
It's a perfectly valid part of a pricing strategy to drive people away if they are not the customers you want.
replies(1): >>43632403 #
6. ErigmolCt No.43629221
I really hope with this funding they can improve observability and give more love to power users who occasionally need to dig deeper without going full bare metal.
7. rjgray No.43629247
Do you mind sharing the better solutions you'd consider at the higher price point?
replies(2): >>43630009 #>>43684442 #
8. wkat4242 No.43629300
Uh I work for an enterprise of tens of thousands of users and $18 a month is not nothing for us. In fact considering the discounts we get at our size that would be so high we'd never consider it.

We don't even use windows enterprise for the same reason; we have legacy office 365 plans and lifetime windows licenses without the M365 addons because it saves us a few bucks per head. At our size, a few bucks a head quickly add up to millions per year. Microsoft keeps trying to dissuade us and they even pretend office 365 plans don't exist anymore ("office 365 is now microsoft 365") but they do: https://www.microsoft.com/en-us/microsoft-365/enterprise/off... . The same with their Copilot stuff. $30 is a non-starter. Our users want it but nope (and we did a trial in one big team and only 10% actually bothered to use it after the first month, so I think it's more the idea of it that they want rather than the actual product).

We don't use Tailscale but $6 would be feasible where $18 would be a complete nonstarter.

In fact our company is a lot more cost conscious than I am as a consumer.

replies(4): >>43629785 #>>43629818 #>>43630316 #>>43639814 #
9. lkuty No.43629638
"Subnet routing broke on Ubuntu (maybe other distros) recently"

Do you have more info on this one? I use Debian and that would be a major problem for me.

replies(1): >>43631828 #
10. gizmo No.43629785{3}
All too often it's those companies that worry excessively about saving a few dollars that also have meetings for everything, glacial decision making, poor strategic focus, tons of internal politics, and so on.
replies(1): >>43630727 #
11. darkstar_16 No.43629818{3}
At that scale, you need the "Call us" plan. No one at that scale is paying full price.
12. miki123211 No.43629927
They also seem to be needlessly doing DERP over TCP in some cases where UDP would actually work.
13. cbzbc No.43630009
zerotier maybe?
replies(1): >>43630286 #
14. fidotron No.43630250
> Overall, the simplicity and abstraction of complex VPN networking is wonderful, but if you have issues or advanced needs, you are immediately thrust into the low-level UDP/NAT/STUN world you were trying to avoid.

This is my experience too.

I actually came to believe the TS dream of device based VPN as opposed to AP or router based is the wrong thing because it gets confused by subnets and subnet routing so often, but also that the big security problem on networks is bad devices which it's not going to help you with unless you can wrap them up anyway.

That's one of the reasons I started playing with AP to AP real time video like https://github.com/atomirex/umbrella which is a nightmare case from the TS pov. The intention is to eventually wrap clients up on separate networks so they can only see each other via the (locally run) relay.

15. TorKlingberg No.43630261
> difference between $6/user and $18/user is 0

I wouldn't go that far. Big companies put a lot of effort into saving $12/seat.

But, if you can convince them they get >$18 of value from it they're usually happy to pay. With hobbyists it's more emotional. $6 is "just a coffee" and can be justified just to try it out. At $18/m it is one of your household bills, and many will decide they enjoy watching Netflix more than messing around with Tailscale.

16. alexjurkiewicz No.43630286{3}
There's nothing about ZeroTier's solution which deserves a higher price point than Tailscale. As a long-time user, ZT's administration UI is much worse and the product has been essentially unchanged for a decade.

Better solutions would be things that make the VPN invisible, rather than 'easy'. Tools such as Teleport, IOW.

17. PLG88 No.43630297
Agreed. This is why imho Tailscale does not scale very well. Awesome for home labs and small orgs as a VPN replacement, but not enterprise scale with abstractions that actually remove complexity. I wrote about it in this blog - https://netfoundry.io/vpns/tailscale-and-wireguard-versus-ne...
18. lmeyerov No.43630316{3}
Enterprise math is interesting --

For a global all-you-can-eat enterprise-wide rollout:

* base: 20K users x $200/yr

* 50% discount: volume + multi-year + ...

=> enterprise: $1M/yr

=> 200 person division in the enterprise: $10K/yr

It's not cheap, but averaging out a global rollout, not terrible afaict

(This is super rough. Ex: Add in BYO hardware, internal staffing, pro serv, and who knows the real discounting!)

replies(1): >>43630736 #
19. lo0dot0 No.43630660
> NAT/STUN world you were trying to avoid

The clean way to build this is with firewall configuration, opening ports, and static IPs. NAT/STUN and dynamic IPs are just a hack and I don't understand why people pretend this is an acceptable solution for professional networking. Working around an infrastructure that isn't a natural law but can be changed at our will seems like a big waste of time.

replies(2): >>43630769 #>>43630999 #
20. wkat4242 No.43630727{4}
Some of that we have, yes. Glacial decision making definitely. Internal politics crap too. Meetings not so bad though (and especially flying all over the world for business meetings is heavily frowned upon since 2015 which is great because I always hated that)

Strategy is pretty good I think. And they are also not backing down on inclusivity and sustainability despite the threats from Trump (companies with inclusivity aren't allowed to do business with the US govt blahblah). We're an EU company but this worried me a bit (I'm heavily involved in the inclusivity program). But they've already said they are absolutely not giving in on that point.

21. wkat4242 No.43630736{4}
Yeah, no idea of the discounts there nor of how much we spend on our current VPN provider (I don't work in that team). I guess for a VPN they might have higher spending limits, as a VPN is always required to be on, on all of our endpoints.
22. supermatt No.43630769
> I don't understand why people pretend this is an acceptable solution for professional networking

Because it IS acceptable for many cases.

Many businesses don't operate in such a way as to have centralised infrastructure solely for providing internal networking, nor would they want to add the additional administrative or unnecessary routing overhead.

Even locations that would traditionally be considered highly centralised often have some form of dynamic network fabric as an overlay. Pretty much the entirety of cloud infrastructure runs on such systems, and they seem to do OK.

replies(2): >>43630880 #>>43630910 #
23. lo0dot0 No.43630880{3}
Dynamic IP addresses typically also have a forced disconnect at a regular interval. Not really what I want to host services on.
replies(1): >>43630993 #
24. lo0dot0 No.43630910{3}
Also, DERP relays having QoS that isn't controlled by myself, where I have to hope to get bandwidth through, doesn't exactly make me confident about the solution.
replies(1): >>43630980 #
25. supermatt No.43630980{4}
Sure, but your data is only getting relayed through DERP servers if it can't otherwise establish a direct p2p connection. This can usually be resolved at either side of the connection - if you know about it (which is what the parent was suggesting could be made more clear).

As for your bandwidth concerns in the case of needing to relay, you can even set up your own relay (https://tailscale.com/kb/1118/custom-derp-servers), which would satisfy your desire to be more centralised (I guess you could force all traffic through it, but can't think why you would want to) while still allowing the flexibility of the overlay that tailscale provides.

replies(1): >>43632096 #
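The point above, that you can only fix a DERP fallback once you know a peer is being relayed, is easy to check from the CLI's machine-readable status. The script below is an added example, not code from the commenter or from Tailscale; it parses the JSON shape of `tailscale status --json` and groups peers by path type. The field names it relies on (`Peer`, `HostName`, `Online`, `Active`, `Relay`, `CurAddr`) are assumed from that CLI output, and the sample status embedded in the file is constructed for offline use.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape of `tailscale status --json` output.
# Field names are assumptions about the Tailscale CLI; the hostnames,
# endpoints and DERP region codes here are made up for the example.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "Relay": "lhr"},
    "Peer": {
        "nodekey:aaa": {"HostName": "office-router", "Online": True, "Active": True,
                        "Relay": "lhr", "CurAddr": "203.0.113.10:41641"},
        "nodekey:bbb": {"HostName": "remote-box", "Online": True, "Active": True,
                        "Relay": "fra", "CurAddr": ""},
        "nodekey:ccc": {"HostName": "idle-vm", "Online": True, "Active": False,
                        "Relay": "ams", "CurAddr": ""},
        "nodekey:ddd": {"HostName": "old-phone", "Online": False, "Active": False,
                        "Relay": "", "CurAddr": ""},
    },
})


def classify_peers(status_json: str) -> Dict[str, List[str]]:
    """Group peers into direct, relayed (DERP), idle and offline.

    A peer with an active path and a populated CurAddr is talking directly;
    an active peer with no CurAddr is going through the DERP region named
    in Relay. Idle peers have not negotiated a path yet, so they cannot be
    judged either way.
    """
    status = json.loads(status_json)
    groups: Dict[str, List[str]] = {"direct": [], "relayed": [], "idle": [], "offline": []}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            groups["offline"].append(name)
        elif not peer.get("Active"):
            groups["idle"].append(name)
        elif peer.get("CurAddr"):
            groups["direct"].append(name)
        else:
            groups["relayed"].append(f"{name} (DERP {peer.get('Relay') or '?'})")
    return groups


def relayed_fraction(status_json: str) -> float:
    """Share of active peers that are relayed; a quick health number to alert on."""
    g = classify_peers(status_json)
    active = len(g["direct"]) + len(g["relayed"])
    return 0.0 if active == 0 else len(g["relayed"]) / active


def report(status_json: str) -> List[str]:
    """Human-readable summary lines, relayed peers first since they need attention."""
    g = classify_peers(status_json)
    lines = [f"relayed via DERP: {', '.join(g['relayed']) or 'none'}",
             f"direct:           {', '.join(g['direct']) or 'none'}",
             f"idle (no path):   {', '.join(g['idle']) or 'none'}",
             f"offline:          {', '.join(g['offline']) or 'none'}"]
    return lines


def live_status() -> str:
    """Read the real status from the local CLI, or fall back to the constructed sample."""
    try:
        return subprocess.run(["tailscale", "status", "--json"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_STATUS


if __name__ == "__main__":
    for line in report(live_status()):
        print(line)
```

Run it on a node that has recently exchanged traffic with its peers; peers that have never been contacted show as idle, so `tailscale ping <peer>` first if you want a verdict on a specific one. A non-zero relayed fraction on a box that should have a direct path is the signal to look at the firewall or NAT on either side, or at a custom DERP as the comment suggests.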
26. supermatt No.43630993{4}
That seems like even more reason to use an overlay - it abstracts all that instability away and gives you a consistent, secure network regardless of what the underlying IPs are doing. Obviously peers can have static IPs too if you think that makes them more stable to routing changes (it doesn't).
replies(1): >>43632051 #
27. udev4096 No.43630999
Who said you can't do both? NAT makes things easier and you can still properly configure your firewall to keep track of all the NAT traversal rules
28. hashworks No.43631345
> I shudder to imagine what the next tier ('call us') costs.

There is no enterprise tier; instead you pay for any additional features you need. I.e. log streaming is $2/month/user and SSH recording is $3/month/user.

29. johnmoberg No.43631828
Possibly referring to https://github.com/tailscale/tailscale/issues/13863 which broke subnet routing for us.
30. lo0dot0 No.43632051{5}
Do you really think that a tailscale VPN is necessary to deal with link failures? It is not BGP, and SD-WAN or MPLS L2 VPN can do that.
replies(1): >>43632935 #
31. lo0dot0 No.43632096{5}
I never said I had a desire to be more centralised. I just said that static IPs and open ports remove the necessity for hole punching/STUN. You can have multiple sites without a central and all use static IPs and open ports.
replies(1): >>43632984 #
32. imtringued No.43632383
It's zero for small businesses with a dozen employees. The moment you have a large business you run into an obvious problem: only a subset of your employees actually use the software, but if even a single user needs a higher tier you have to upgrade all users.
33. nativeit No.43632386{3}
I have been using ZeroTier for a few years with great success. It’s not an Enterprise, but for my lil’ shop I get 100 endpoints for $0.10/ea/month, and that includes all features.
34. nativeit No.43632403{4}
Namely, customers too stupid to know how to use something else, and/or customers you’ve managed to lock-in sufficiently to make them too scared to do so. I guess that’s a good strategy if you hate what you do and the people you do it for.
35. supermatt No.43632935{6}
I didn't mention Tailscale. I said "overlay", and both SD-WAN and MPLS L2 VPN are overlay networks.
replies(1): >>43633690 #
36. supermatt No.43632984{6}
I was replying to your comment about you wanting to control QoS for relaying.
37. diegs No.43633579
I thought they vastly improved user-space wireguard performance?

https://tailscale.com/blog/more-throughput

Not sure if the kernel implementation pulled ahead again, I don't really follow these things.

Also not defending tailscale, I respect them but I agree they are a one size fits some solution.

38. lo0dot0 No.43633690{7}
Idk what you mean with routing instability. Changes to routing as a result of failures are a feature not the problem.
replies(1): >>43634927 #
39. supermatt No.43634927{8}
You said "Dynamic IP addresses typically also have a forced disconnect at a regular interval.", which is false in pretty much every DHCP scenario I have ever seen.

A change in an IP lease should result in no downtime whatsoever, because addressing is not the same as routing. A routing change would have exactly the same effect on a static IP.

I then pointed out that an overlay network means you don't have to worry about that anyway.

I think you need to reread whatever comments you think you are responding to, as there is clearly something out of sync with your replies.

40. osigurdson No.43639814{3}
>> Uh I work for an enterprise of tens of thousands of users and $18 a month is not nothing for us. In fact considering the discounts we get at our size that would be so high we'd never consider it.

This doesn't make sense to me. It shouldn't matter if you are a small company or a large one, a few bucks per person per month is noise. I get trying to leverage scale to get a better price, but if something saves time / money, a company shouldn't refuse it just because they are large. Whoever is gatekeeping these decisions is ultimately eroding the company's value.

41. snapplebobapple No.43674964
I switched to Netbird and haven't looked back. The Netbird android client is pretty usable.
42. snapplebobapple No.43674980
For my 100ish person company the difference between those prices was using and not using. $18 a month for ACLs is insane.
43. fakebizprez No.43684442
Exactly. There is none.