Tailscale has raised $160M

I'm a fan of TS and have been a paying customer for work infra for almost a year now. It really is well put together and easy to use, but I do run up against some issues/complaints when diving deep that I hope they can work out:

* The pricing tiers and included features by tier penalizes you in frustrating ways. The base plan is a reasonable $6/user/m, but if you want to use ACLs to control anything in a workable way, it jumps 3x to $18/u/m. Better solutions are available for that kind of money, and I shudder to imagine what the next tier ('call us') costs.

* Subnet routing broke on Ubuntu (maybe other distros) recently, and there were no alerts, communication from TS, or TS tools to pinpoint/figure out what was going on. I stumbled on a solution (install subnet router on a Windows box), and from there I searched and found others with that issue. Lost half a day in emergency mode over that!

* Better tooling to determine why it's falling back to DERP instead of direct for remote clients. DERP relays should be an absolute last resort to provide connectivity for Business-plan-level customers (very slow), and the way TS works just assumes any connectivity is fine.

Overall, the simplicity and abstraction of complex VPN networking is wonderful, but if you have issues or advanced needs, you are immediately thrust into the low-level UDP/NAT/STUN world you were trying to avoid. At that point, you're better off using a traditional VPN (WG, OpenVPN, or heaven forbid, IPSec), because it ends up being more straightforward (not easier) without the abstractions and easy-button stuff.

> NAT/STUN world you were trying to avoid

The clean way to build this is with firewall configuration, opening ports, and static IPs. NAT/STUN and dynamic IPs are just a hack and I don't understand why people pretend this is an acceptable solution for professional networking. Working around an infrastructure that isn't a natural law but can be changed at our will seems like a big waste of time.

> I don't understand why people pretend this is an acceptable solution for professional networking

Because it IS acceptable for many cases.

Many businesses don't operate in such a way as to have centralised infrastructure solely for providing internal networking, nor would they want to add the additional administrative or unnecessary routing overhead.

Even locations that would traditionally be considered highly centralised often have some form of dynamic network fabric as an overlay. Pretty much the entirety of cloud infrastructure runs on such systems, and they seem to do OK.

Also DERP relays having QOS that isn't controlled by myself and I have to hope to get bandwidth through doesn't exactly make me confident about the solution

Sure, but your data is only getting relayed through DERP servers if it cant otherwise establish a direct p2p connection. This can usually be resolved at either side of the connection - if you know about it (which is what the parent was suggesting could be made more clear).

As for your bandwidth concerns in the case of needing to relay, you can even set up your own relay (https://tailscale.com/kb/1118/custom-derp-servers), which would satisfy your desire to be more centralised (i guess you could force all traffic through it, but cant think why you would want to) while still allowing the flexibility of the overlay that tailscale provides.