Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
I didn’t really get the allure of it TBH. For most home-based nerds a simple Wireguard host (or OpnSense, OpenWRT etc running such) should be fine, and there are better options for commercial from better-known vendors in the network security space
Ok and?
I never really understood the point of using Tailscale over plain ol’ WireGuard. I mean I guess if youve got a dozen+ nodes but I feel like most laymens topologies won’t be complex beyond a regular old wireguard config
Simplicity?
I mean sure, but I don’t think it’s simpler than setting up a wireguard config IMO. For tailscale you gotta make an account, register devices, connect them. Feel like wireguard is about the same except you don’t have to make an account.
Wireguard doesn’t do NAT/Firewall traversal nor does it have SSO
Tailscale manages the underlying Wireguard for you. I would be great if Wireguard had native NAT traversal but that isn’t the case.
Same thing here, either tailscale selfhosted or Netbird selfhosted I’d the way to go for all the nice features, having the free tier or tailscale for personal data never sounded right to me.
NAT punching and proxying when a p2p connection between any 2 nodes cannot be achieved. It’s a world of difference with mobile devices when they always see each other, all the time. However, headscale does all that.
a long runway that allows us to become profitable when needed
Switch to self-hosting headscale when they enshittify in an attempt to become profitable, duh
I can’t unfortunately. They only feature I use is that fact I can access my ipv6 only server via an ipv4 only network.
Been meaning to do this. Tailscale was just there and easy to implement when I set my stuff up. Is it relatively simple to transition?
I mainly use Tailscale (and Zerotier) to access my CGNATED LAN, headscale will require me to pay a subscription for a VPS wouldn’t it?
I really envy the guys who say only use them because they’re lazy to open ports or want a more secure approach, I use them because I NEED them lol.
If (when?) Tailscale enshitify I’ll stick with ZT a bit until it goes the same way lol, I started using it 1st, I don’t know if ZT came before Tailscale though.
Vps can be really inexpensive, I pay $3 a month for mine
~$1.91 a month (paid 22.99 for a year) at racknerd!
Same, my Hetzner proxy running NPM, with pivpn and pihole is doing all it needs to do for $3 and some change.
My only open ports on anything I own are 80, 443 and the wg port I changed on that system. Love it.
How does WG work on the local side of the network? Do you need to connect each VM/CT to the wireguard instance?
I am currently setting up my home network again, and my VPS will tunnel through my home network and NPM will be run locally on the local VLAN for services and redirect from there.
I wonder if there is any advantage to run NPM on the VPS instead of locally?
The vps is the wg server and my home server is a client and it uses pihole as the dns server. Once your clients hang around for a minute, their hostnames will populate on pihole and become available just like TS.
You do have to set available ips to wg’s subnet so your clients don’t all exit node from the server, so you’ll be able to use 192.168.0.0 at home still for speed.
As for NPM, run it on the proxy, aim (for example) Jellyfin at 10.243.21.4 on the wg network and bam.
I am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.
Your Pi-Hole act as your DNS, so the VPS use the pi-hole through the tunnel to check for the translation IP, as set through the DNS directive in the wg file. For example, my pi-hole is at 10.0.20.5, so the DNS will be that address.
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Does that make sense?
the VPS uses the pi-hole through the tunnel
The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.
server dns - itself
client dns - the server’s wg address
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn’t aware I host anything at all.
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
Pihole (in my case) can’t see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Allowed ips = 10.x.x.0/24 - only connects the clients and server together
Allowed ips = 0.0.0.0/0 - sends everything through the VPN, and connects the clients and server together.
Do the top one, that’s how TS works.
Or get something like a rapsberry-pi (second hand or on a sale). I have netbird running on it and I can use it to access my home network and also use it as tunnel my traffic through it.
Same. I mean, I was already looking to rent a VPS, but at least there’s some time so I can save money until things get weird.
Yeah, don’t get me wrong, I can see value of getting a VPS, especially if you are gonna be using it for some other projects, I have had a DO instance in the past and I thinkered with WG back then BTW, but if it is only for remote accessing your home LAN, I don’t feel like paying for it tbh, especially when some users get it for free (public IPv4) and it feels even dumber for me since I have a fully working IPv6 setup!
BTW my ISP is funny, no firewall at all with it, I almost fainted when I noticed everyone could access my self hosted services with the IPv6 address and I did nothing regarding ports or whatsoever… They were fully accessible once I fired up the projects! I think I read an article about this subject… But I can’t recall when or where… I had to manually set up a firewall, which tbh, you always should do and it is especially easy to do in a Synology NAS.
Anyway, back to the mesh VPN part, if they enshitify so be it, but in the meantime we still can benefit from it.
Thats just how IPv6 works. You get a delegate address from your ISP for your router and then any device within that gets it own unique address. Considering how large the pool is, all address are unique. No NAT means no port forwarding needed!
Bookmarking “headscale”!
I only recently started using Tailscale because it makes connecting to my local network through a Windows VM running in Boxes on Linux a hell of a lot easier than figuring out how to set up a networked bridge.
This sounds like a great alternative, and it looks like it can even work on a Synology NAS.
If I host headscale on a VPS, is that as seamless of an experience as Tailscale? And would I miss out on features, like the Tailscale dashboard? How does the experience change for me (an admin type) and my users (non-technical types)?
There are some community webUIs for Headscale, headplane in particular looks pretty good: https://headscale.net/stable/ref/integration/web-ui/
I’m not sure otherwise how different the experience would be.
I’m unsure if it has been mentioned, but a similar tool which is open source (you can run the backend unlike tailscale), netbird
We’ve implemented netbird at my company, we’re pretty happy with it overall.
The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don’t seem to have any plans for ever really solving that. As long as you can live with that, it’s a good solution.
Support is a mixed bag. Mostly just a slack server, kind of lacking in what I’d call enterprise level support. But development seems to be moving at a rapid pace, and they’re definitely in that “Small but eager” stage where everything happens quickly. I’ve reported bugs and had them fixed the same day.
Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.
Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.
Thank you for your insight, I’m assuming the only public part is the UI and coturn (the bit that enables two clients between firewalls to hole-punch)?
Yes, the underlying model is the same as Tailscale, Zerotier and Netmaker (also worth checking out, btw). Clients connect to a central host (which can be self-hosted) and use that to exchange information on addresses and open ports, then form direct connections to each other.
Headscale is the tailscale backend server
Well not “the” backend server but “a” different backend server. As far as I know Headscale is a separate implementation from what Tailscale run themselves.
Is there an issue with Netbird’s servers at the moment? In my testing devices are connected and reach eachother, but the web admin is missing a lot of functionality compared to what’s in the docs. The peer devices section is there, but everything else, user settings, rules etc, isn’t showing/says I don’t have admin permission (of my own account… Lol?)
Honestly, no idea, worth checking their GitHub etc or their status pages if they have any
Join our Discord server for a chat and community support.
Sigh…
And even worse:
Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the control server.
everything is open source except half of all things.
Lol
Huh, I actually didn’t know this because I don’t use Windows/macOS/iOS. Somehow completely missed this.
Granted this is not Headscale’s fault, they’re just using Tailscale clients. Either way I’m glad I use a roll-your-own Wireguard.
I and my partner also don’t use those OSs, but it’s more the point of using FOSS when we can.
To be fair, anything the GUI clients do can be done with the CLI which is still open source and on all desktop platforms and headscale is literally their open source control server.
Yea, but in iOS?
I mean is anything iOS really open source?
The iOS app is the exception for now but with the CLI and the core libs being open source it’s at least not off the table to make an alternate iOS client I’d say.
Friendly reminder that Tailscale is VC-funded and driving towards IPO
You know what’s to come.
The answer to the question is immediately. Or switch to OpenZiti or Pangolin even.
I spent an afternoon doing precisely that. Bought a domain, a vps, and setup pangolin. Can’t believe how smooth it went.
I think I’ll just keep using tailscale until they start enshittifying, and then set up a Headscale instance on a VPS - no need to take this step ahead of time, right?
I mean, all the people saying they can avoid any issues by doing the above - what’s to stop Tailscale dropping support for Headscale in future if they’re serious about enshitification? Their Linux & Android clients are open source, but not IOS or Windows so they could easily block access for them.
My point being - I’ll worry when there is something substantial to worry about, til then they can know I’m using like 3 devices and a github account to authenticate. MagicDNS and the reliability of the clients is just too good for me to switch over mild funding concerns.
Yeah, as I said, it’s a friendly reminder. I’m personally probably doing it this year. It’s entirely possible that enshittification could come even years from now. It all depends on how their enterprise adoption goes I think. The more money they make there, the longer the individual users are gonna be left unsqueezed.
Crap, I really need to switch of Tailscale but currently it is an easy way for me to access my stuff outside of home as a temporary solution while I am on a 5G modem.
I can recommend to take a look at netbird.io
Much more user friendly
Json is awful for config
Crockford is a good and smart person but he really dropped the fucking ball on JSON.
Double-quotes-only and no comments kill the whole spec for me. Extremely opinionated and dumb. I fucking hate JSON.
My boss once sent me a machine generated config. He’s terminally addicted to double-quotes (like, a fatal condition). I searched and there were 27k sequences of
\".Edit: my point is - all that compute and network wasted, every single time the file is requested and parsed. Completely pointless waste
I can’t. I tried it first and installed it on my phone from f-droid. After opening it up, it connected to an already existing network with other people’s old machines from years ago on it. I was horrified.
So then I tried to delete my whole account and couldn’t due to an error. I sent them an email about it and they took like two weeks to respond.
Do you pay for a domain? They likely provide dynamic DNS (DNS). If you’re lucky, they have an API for it, instead of an app, and you can configure a cronjob on your home server to run every 1-5 minutes (or more often, if your IP is super unstable!).
Yeah I can always do that, but putting stuff behind something like Tailscale is (or atleast feels) more secure than making my IP known to the public. I have a DMZ setup though so it should be fine.
Your “IP address” is already public. That’s why an IPv4 address is assigned to you as a “public IP address” and you NAT to a private space. When using IPv6, everything is public.
The key is to secure everything with access restrictions.
Well yes I know, but there is a difference between using a domain bound to me as a person and a random string of numbers that changes every 5 minutes
Chances are you’ve had the same public IP for a long time. Mine hasn’t changed in 2 years.
@chronicledmonocle @Vinstaal0 I used to work for a dial-up ISP. Every IP is registered to an account, if you’re going through your ISP (as opposed to, say, coffee shop or hotel wifi). Though the people who have the information are different (ICANN/registrar vs your internet provider), there’s no anonymity in your home IP address even with CGNAT.
As far as your domain, you should have privacy protection enabled so people can’t find your personal info via whois.
That was the case when I lived with my parents, but now it changes every 5 minutes sadly.
So I had to shut down my Minecraft server etc for now because I am on a 5G modem which makes it really annoying to open up ports and point a domain to your IP
If your IP changed every 5 minutes, you would not be able to have a voice call or anything similar. Your IP probably changes every 24 hours
I’ve realized how easy it is to just actually run a network rather than half ass it with tailscale. I recommend this, it’s fun.
Tell me more.
Yeah and steam is closed source DRM platform. Great software sometimes is worth the trade off.
Steam is a private company, not publicly traded and has no VC funding.
VC funding and potential IPO normally means enshittification is inevitable, as they will eventually need to make insane profits by turning the screws on its users, as their business model wasn’t self sustaining.
Enshittification is inevitable for all free services (services as in with a server component). Thankfully the functions of tailscale are open source so until enshittification actually happens I will be happy with using a a useful but VC funded project. When I am not willing to make the trade off anymore I will use headscale or some other drop in replacement.
Realistically Tailscale seems to currently be running on a model of get all of the self hosters to love running it at home so then they advocate to run it at work where all of the pricey enterprises licenses make the real money.
I’ve actually seen some real world usecases where if I had more political push, I would’ve put Tailscale onto the running as a potential solution
Hopefully they have the right people in place to push back at the VC firms about maintaining their current strategy rather than scaring away all of their best advocates before they can truly get off the ground. Having worked at a company owned by a hedgefund, part of the trick is having the right people in place in the company who can block the worst decisions by the capital-hungry owners
Enshittification is inevitable for all free services (services as in with a server component).
No, it is not that bleak. It is only inevitable when there is an active push for a short-term maximization of user base monetization (which is very much in the nature of VC). It can usually be avoided with products that are wholly under the ownership of all users (such as a cooperative or a government-provided service) or - only if one is lucky - with products of financially independent private enterprises under vaguely benevolent and unhurried leadership (such as Steam, to some extent)
I think a lot of companies view their free plan as recruiting/advertising — if you use TailScale personally and have a great experience then you’ll bring in business by advocating for it at work.
Of course it could go either way, and I don’t rely on TailScale (it’s my “backup” VPN to my home network)… we’ll see, I guess.
They also had a major ass security issue that a security company should not be able to get away with the other day: assuming everyone with access to an email domain trusts each other unless it’s a known-to-them freemail address. And it was by design “to reduce friction”.
I don’t think a security company where an intentional decision like that can pass through design, development and review can make security products that are fit for purpose. This extends to their published client tooling as used by Headscale, and to some extent the Headscale maintainer hours contributed by Tailscale (which are significant and probably also the first thing to go if the company falls down the usual IPO enshittification).
Isn’t that the entire design philosophy of tailscale?: reduce friction, at the cost of some security.
If security is your main priority, you should be using more secure options, even if they are less convenient or tougher to maintain.
Headscale maintainer hours contributed by Tailscale
Could you expand on this?
There’s a disclaimer in the readme: https://github.com/juanfont/headscale/?tab=readme-ov-file#disclaimer
The maintainer Tailscale contributes happens to be the lead developer by commit count at the moment.
Thank you!
pre-emptive pikachu face strike
