[HN Gopher] How our free plan stays free
___________________________________________________________________
How our free plan stays free
Author : tosh
Score : 369 points
Date : 2022-03-16 17:14 UTC (5 hours ago)
(HTM) web link (tailscale.com)
(TXT) w3m dump (tailscale.com)
| qbasic_forever wrote:
| Had a heart skip for a moment from the headline, it reads exactly
| like the kind of corporate "Here's how [thing we're taking away]
| is actually a good thing for you" line we hear so often.
| Pleasantly surprised this is actually just a deep dive into how
| they keep their costs low and free tier still tenable.
| [deleted]
| tomjen3 wrote:
| I like the idea of Tailscale, because it gets us a little closer
| to the network where all devices are connected instead of 99% of
| them being behind NAT.
|
| But I don't want to use them when they don't support email based
| logins. I did read their explanation[0], but I am not sure how it
| actually makes sense - if they don't want to have passwords, why
| not a client cert?
|
| [0]: https://tailscale.com/kb/1013/sso-providers/
| tptacek wrote:
| You can imagine them getting to some fussy custom
| authentication scheme like client certificates at some point,
| but IdP-based SSO logins --- usually email-backed --- are a
| practically-universal security best practice for corporate
| security now. The goal is to make it easy to enroll and
| offboard people and make it difficult to miss a step in
| offboarding and thus leave people with undesired access, and to
| have a single source of authentication truth that can be
| regularly audited.
| jlokier wrote:
| I wouldn't trust an IdP-based SSO login for any critical
| service that I need continuous access to, unless I control
| the IdP.
|
| All those stories like "Google blocked my account without
| recourse and don't answer tickets anyway" have put me off. I
| lost editing rights to a Google My Business profile that I
| was the sole owner of, because they gave third party input
| precedence over the owner's own entered data (opening times
| of all things) then locked the ability to update it, so I
| know loss of control over one's own account isn't that rare
| with Google.
|
| It's not just Google. So I trust my domain provider more than
| I trust any third party SSO, because I believe I have legal
| ownership of domains in case all else fails. I don't seem to
| have equivalent rights over SSO accounts at any third party.
| So, for now until something better is available, email-based
| accounts are a must-have for any critical service.
| tptacek wrote:
| You do you, but that first sentence puts you wildly out of
| step with most security practices at most companies, very
| much including most tech companies.
| davidjgraph wrote:
| Do a significant % of users realistically read stuff like this?
| We've had exactly the same ongoing problem for over a decade, and
| walls of text, FAQs, etc just don't allay concerns. People are
| just too cynical to believe it, maybe rightly.
|
| We found the best solution was to claim that pricing kicked in at
| certain usage tiers, whereas everything is actually free all the
| time.
| mooreds wrote:
| That's funny. Are you saying you had a website or product doc
| somewhere that said "When you get to 20k connections, you'll be
| charged $X/month" and then you never bothered implementing
| payment logic?
| davidjgraph wrote:
| Yeah, it's the google drive integration on
| draw.io/diagrams.net . Big companies want some cozy feeling
| so we tell them over 25 users per org is pay for.
|
| We don't measure it at all, but there's plenty of companies
| we know are over 1k users.
| Drdrdrq wrote:
| Thank you for providing such a great service! Especially
| love the fact that exporting to PNG allows embedding the
| diagram data into the image, so it can be still edited
| later. Genius idea and implementation!
| gowld wrote:
| How does that help? people on free tier still have no reason to
| trust you to keep it free.
| ketzo wrote:
| Well, now they've got a well-written explanation they can link
| to any time someone asks "so.. how is this free?"
|
| Plus, this is a great blog post on its own merits. Someone like
| me (who has never used Tailscale) might find this interesting
| just as an explanation of SaaS economics. That might lead to me
| actually _using_ Tailscale, or applying for a job there, or
| whatever.
|
| Even if 1% of users are satisfied by this post... that's a lot
| of people!
|
| And if it _gains them_ even one enterprise client, I'm sure
| that's a massive ROI.
| sschueller wrote:
| Free until it isn't. If anyone could eat the cost of a free tier
| it would be Google but they decided that the Google apps for
| business free tier has to go after 12+ years.
| mooreds wrote:
| Sure, but you can get great use of it for a long time, as long
| as they judge the viral growth outweighs the possible revenue
| they could get.
|
| I'd be more worried about the VC funding they've taken ($15M
| according to crunchbase). It may take years, but eventually,
| somehow, VCs will need to get their money back. That may be an
| IPO and then public market scrutiny, it may be acquisition, but
| if the company is a going concern, the VCs will want ROI.
| judge2020 wrote:
| Cloudflare, which went public in 2019, has done pretty well
| with their free tier, with their reasoning being[0]:
|
| > Our free customers create scale, serve as efficient brand
| marketing, and help us attract developers, customers, and
| potential employees...
|
| So for as long as they note that free Tailscale users are
| worthwhile for how they are effectively free marketing and
| attract clientele, it shouldn't be a problem. Tailscale
| doesn't proxy traffic either so the overhead of having free
| tier customers shouldn't be huge.
|
| 0: https://github.com/judge2020/cloudflare-connectivity-
| test/wi...
| scarface74 wrote:
| I've only known one company that was customer focused that
| wasn't ruined by VC funding - Backblaze.
| gowld wrote:
| 12 years is longer than most startup free tiers. Longer than
| most startups.
| dsl wrote:
| The worst thing Google did was put the highest potential source
| of new revenue (GSuite) and the product losing the most money
| (GCP) under the same executive and tie their compensation to
| performance. The former gets milked in every way possible
| rather than what would make the most sense as an individual
| business unit.
| mooreds wrote:
| While I don't disagree that this wasn't helpful to GSuite, it
| is simply cross-subsidization in pursuit of a higher goal and
| a bigger strategic threat (AWS/Azure).
| ac29 wrote:
| According to Google, they haven't offered free GSuite accounts
| since 2012: https://support.google.com/a/answer/2855120?hl=en.
|
| Grandfathering in old ones for a decade after that seems about
| as generous as businesses get.
| muhammadusman wrote:
| would using Tailscale to let my Plex server have a consistent
| connection be a good idea or is that a use case for this service?
| ackatz wrote:
| Yes! I have had zero issues throwing Tailscale on an iPad and
| streaming content remotely. No buffering or other weird issues
| to report.
| aberoham wrote:
| If my enterprise network managers could buy a Tailscale Box,
| they'd readily consider it. As-is, this is a bit far-fetched
| relative to their current modus operandi -- `Advanced corporate
| VPNs like Tailscale can abolish concentrators completely: every
| server can run Tailscale directly, and individual clients can
| form point-to-point connections to each server it needs to talk
| to.`
|
| Anyone figured out how to bridge the gap from legacy here?
| mintplant wrote:
| Subnet routers?
|
| https://tailscale.com/kb/1019/subnets/
| meestaplu wrote:
| Yes - you run one or more Tailscale subnet routers instead of
| your existing concentrators, then slowly migrate to running
| Tailscale directly from new deployments at your convenience.
|
| Running a subnet router is a matter of installing the Tailscale
| package on a server and authorizing it to route traffic to
| certain subnets over Tailscale.
| aberoham wrote:
| It's an entirely different set of teams who run anything "on
| a server". Besides the gap in teams or legacy demarcations of
| responsibility, their next disqualifier is having to think
| about maintaining a server. At best, the network team has
| just barely automated their switches & routers with Ansible.
| The VPN concentrators are treated as black box. And NetEng
| seem to prefer to stay within that box!
|
| Maybe we're just not normal? (UK/EMEA, public company)
| apenwarr wrote:
| (I wrote the article.) You're not that unusual, we just
| haven't had time to address that use case directly yet. I
| expect an ecosystem of MSPs may arise to offer physical
| boxes, or some such thing, since the tailscale client is
| open source. (Or you could buy a Synology with tailscale on
| it I suppose!)
|
| Many companies just run tailscale in a VM to replace their
| physical VPN concentrator boxes.
| genewitch wrote:
| If someone pointedly asked me this in a meeting, my off the
| cuff response would be "bastion hosts, probably".
|
| if the named service completely integrates with whatever access
| control a company uses (radius, SAP, whatever) then there
| shouldn't be any reason to not use this in lieu of
| concentrators. At least you lose that bottleneck and point of
| failure. For larger and more geographically disparate
| companies, i could see this being an even better proposition,
| but only because this is merely the second time i've seen
| tailscale at all.
|
| All i know is i've used wireguard recently, and it took me a
| few tries to get it to do what i wanted. a decade ago i was
| trying to get some corporate VPN software working on Gentoo,
| and i managed to cobble enough correct settings to get it
| working, too. I don't wish that on any user.
|
| I loathe setting up a dialer to connect to a VPN, and even
| worse is the 3rd party app "ssl VPN" junk - most of the ones
| we've tried just lose settings on my computers, to the point
| where dark fiber seems like a better investment of my time.
| Graffur wrote:
| This is the first I have heard of Tailscale. Who uses it? Is it
| appropriate to put something like this together for a family
| household?
| aaomidi wrote:
| It's not great for family because the free tier is limited to
| one user.
|
| It's also not super great for some workplaces because tailscale
| kinda...gets superpowers in your network.
|
| It is definitely something smaller companies are using though.
| kevinsundar wrote:
| Having one user isn't really that bad of a limitation for a
| family, just share the login. Unless you want to prevent
| certain family members from accessing certain devices at a
| network level for some reason.
| aaomidi wrote:
| They limit it to auth providers, so I don't know if that'd
| be the best thing.
|
| https://login.tailscale.com/start
| detaro wrote:
| It ties to OAuth logins (Google, github), that doesn't fit
| soo well with "just share login", although you could make a
| dedicated Github account just for it I guess.
| kevinsundar wrote:
| Ah yeah forgot about that part, I do have a throw away
| google account used for these things
| stavros wrote:
| They address that in their pricing page (and linked article):
|
| > The Community on GitHub plan can get you up to 25 users, 5
| devices per user, and 2 admins for free.
| calcifer wrote:
| > It's also not super great for some workplaces because
| tailscale kinda...gets superpowers in your network. It is
| definitely something smaller companies are using though.
|
| There are banks [1] using Tailscale. If _their_ security
| concerns can be addressed, I'm sure it can work for pretty
| much any company.
|
| [1] https://tailscale.com/customers/versabank/
| aaomidi wrote:
| Tailscale may have given them a custom solution. If not
| it'd be pretty irresponsible to run it the way tailscale
| runs right now in a banking situation.
| tptacek wrote:
| How's that? Lots of banks use, for instance, hosted Okta
| as their source of truth for all authentication.
| ethanmad wrote:
| It's fine for families with the sharing nodes feature[0]. My
| family and I use it for a few services hosted on different
| machines in different locations (Jellyfin, Home Assistant,
| and some others).
|
| It's an easy way to get remote access to services when away
| from home, or when the family lives in different homes but
| wants to share services. I wrote a guide explaining how to
| set up remote access for Jellyfin using Tailscale[1], which
| may illustrate the use case.
|
| [0]: https://tailscale.com/kb/1084/sharing/ [1]:
| https://www.ethanmad.com/post/jellyfin_remote_access/
| kevinsundar wrote:
| I use it for a simple use case of connecting to my home
| assistant server from outside my network without having to open
| ports.
|
| I just installed the tailscale app on my home assistant server
| (ubuntu) and then installed it on my iPhone. Then once they're
| both logged in I can use the IP address in the tailscale app to
| connect to the server from anywhere.
|
| Like mentioned in the article it just works and is perfect just
| the way it is, for free. I don't need any extra features or
| improvements.
| geodel wrote:
| So, will it be possible to do ssh to my home machine with my
| office laptop, if both have tailscale app? I imagine even if
| it were possible, office network security might block it.
| colonelxc wrote:
| yes, though you should make sure you are allowed to install
| such software on your office laptop.
| Rebelgecko wrote:
| I use it for remote access to a fileserver and SSHing into a
| machine from my phone while I'm on the go, without having to
| expose a port to the internet. I tried a few alternatives and
| found them to be clunky. Tailscale just worked, even with
| some more complicated parts of networking like
| Bonjour/Rendezvous/Avahi/mDNS.
| dhc02 wrote:
| Using Tailscale is like using Dropbox back when it was new: it's
| "just X but without the setup or maintenance", which shouldn't be
| so gosh darn satisfying to use, but by jove, it is. It makes you
| feel less shackled by the constraints that defined your world
| before. Awesome.
| jakedata wrote:
| Running a Tailscale POC now.
|
| Paranoid firewalls blocking NAT traversal are a pain. I am
| running a private DERP relay to get around public relay
| congestion. I also have a subnet relay running - I am watching
| which solution will be long-term more performant and reliable.
|
| Their ACLs definitely take some getting used to but I think I
| have things about where I want them.
|
| Surprising issue - conflicting address ranges between home users
| and corporate network prevent subnet relays from working
| seamlessly.
|
| Centralized logging would be a cash-worthy feature.
|
| Adoption by the team is a bit slow, most people are still using
| SSH tunnels despite the clumsy nature.
| jrockway wrote:
| > Next, we keep the DERP network costs under control... by trying
| to never use it. When using Tailscale, almost all of your traffic
| goes peer to peer, so DERP is only used as a backup. We continue
| to improve our core product so it can build point-to-point links
| in ever-more-obscure situations.
|
| This is mentioned in passing, but shows a very good technique.
| They incentivize technical excellence by tying it to a concrete
| cost. A free plan, with DERP, is the sacred cow that must not
| ever be removed. If they don't fix the "ever more obscure
| situations", then the cost goes up. If they pay an engineer to
| investigate and fix this, not only does the engineer get to do
| interesting technical work, and not only does the system become
| more reliable and "good", they can also think of it as increasing
| the profit margin of the product (by not increasing costs).
|
| I worked with Avery on Google Fiber, and we did the same thing.
| Our sacred cow was excellent US-based phone support. That is
| quite expensive. If there were bugs in our product, users would
| call in, and our call center costs would increase because we'd
| have to have more people working. So every week in our team
| meeting, we would look at summaries of calls, and take on
| engineering work to address the most common class of problems.
| That let us scale up the business and still provide friendly and
| competent phone support, because we were reducing the problems
| that people called in about. (This was things like having our
| Wifi access points steer 5GHz capable devices away from flakier
| 2.4GHz signals, or fixing "black screen" bugs where TV randomly
| stopped playing for software or network reasons.) Because we had
| that "sacred cow", every obscure bug that we spent months fixing
| not only made the product better and were intellectually
| stimulating to finally figure out, but had a concrete impact on
| how costly it was to deliver the service.
|
| What most companies would do here to reduce costs is simple.
| Don't fix DERP bugs, just charge for it. Don't fix "black screen"
| bugs, just hide the phone number on your website so people can't
| figure out to call.
|
| Avery has found the perfect balance between cost reduction,
| interesting engineering, and the somewhat nebulous "good
| product". Normally conflicting concerns, all living together in
| harmony. If everyone copied his technique here, the world would
| be a better place.
| gowld wrote:
| This is free market economics: improve the product or lower the
| cost, or fold.
| technobabbler wrote:
| Or just bribe lawmakers at every level of government so you
| can keep increasing prices while worsening your product,
| using the funds from your captive audience to preemptively
| destroy every upstart challenger.
|
| There is a reason Comcast is everywhere and Google Fiber is
| nowhere...
| Shish2k wrote:
| I'm on the free plan at the moment, and it's pretty neat, but I'd
| actually be willing to pay for a self-hosted version :P (But I
| guess the existence of such an option might tempt some paying
| enterprise customers to attempt self-hosting instead?)
|
| (I'm aware of headscale as an open-source control plane, but the
| iOS client is still closed-source and hard-coded to only use the
| first-party control plane :( )
| therein wrote:
| I have been experimenting with headscale as well. I have it set
| up and everything works nicely but the Tailscale OSX client
| actually cannot automatically relogin.
|
| Headscale has the preauthkey, it is still valid even but I need
| to do the tailscale up --login-server ... dance every time to
| get it connected.
|
| Not ideal.
| SparkyMcUnicorn wrote:
| Interesting. I've been running Headscale since the beginning
| of 2022, and haven't had any issues like this (MacOS
| Monterey). Have about 5-6 other MacOS users, and they haven't
| mentioned anything like this either.
|
| I've probably logged in a grand total of two or three times
| (during initial testing in Jan). Everything "just works" for
| us.
| [deleted]
| kradalby wrote:
| You can get macOS specific overrides that solve this by going
| to /apple on your headscale instance
| aborsy wrote:
| For me it's the opposite: I actually don't mind paying for a
| great product such as Tailscale (which I really like), but have
| security and privacy concerns!
|
| Mesh VPNs have substantial control over networks that they manage
| (they bypass firewalls by having users install agents from
| within). They could add hidden nodes to networks, which is a
| major security concern, and see who is talking to whom, how long,
| what service they are running, etc, which can be a privacy
| concern. They are targets.
|
| Is there a way to address these concerns, and make them "really"
| (not just on website) zero trust or at least minimal trust? Will
| Wireguard preshared keys as an option help (a maliciously added
| public key lacks a secret key exchanged among peers out of band)?
|
| What are the implications of the substantial control that
| Tailscale has?
|
| Or we have no way, but to trust someone? Looking at events of the
| past decade, I don't have a good feeling about this!
| tptacek wrote:
| They're the same as the implications for using something like
| Okta as your source of truth for authentication, and Okta is
| ubiquitous in large enterprises.
|
| It's not _not_ a concern, it is something you can think about
| and work out how to mitigate, but the benefits to their product
| of Tailscale hosting the control plane are going to outweigh
| the objections.
| ffk wrote:
| Agreed, one way to help mitigate this is to establish Layer 7
| security controls, rather than implicitly trust the network.
| Tailscale shouldn't be the sole security control in any
| environment.
| tptacek wrote:
| I pretty much agree. Tailscale makes this pretty easy: you
| get role-based default-deny port-granular ACLs, so it was
| easy for us to establish a regime where we're only exposing
| HTTP-type services, on specific machines rather than whole
| swathes of address space. We then require SSO logins on
| those services (which in turn enforce things like 2FA).
|
| Just getting access to our Tailscale networks doesn't get
| you anything; having your account in a group with access to
| an application gets you the right to attempt an SSO login
| to it and nothing else.
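The default-deny, port-granular, role-based policy described in the comment above, as an added example that is not part of the original thread or of Tailscale's own code. The policy text follows the top-level shape of a Tailscale ACL file (groups, tagOwners, acls); the evaluator is a deliberately small model of its semantics (users, `group:` and `tag:` selectors, a single port or `*` per dst) written for this page, not Tailscale's real policy engine, and the users, tags and nodes are constructed. It shows the point that matters: with one accept rule for group:eng to tag:web:443, everything else, including SSH to the same host and any port on an untagged host, is denied.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Policy mirrors the top-level shape of a Tailscale ACL file. Real files are
// HuJSON and support more selector kinds (CIDRs, autogroups, port lists) than
// this simplified model evaluates.
type Policy struct {
	Groups    map[string][]string `json:"groups"`
	TagOwners map[string][]string `json:"tagOwners"` // who may apply a tag; not used by Allowed
	ACLs      []Rule              `json:"acls"`
}

type Rule struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"` // "host:port" or "host:*"
}

// Node is what the evaluator knows about a device: the login it belongs to,
// or (for a tagged server) its tags and no user.
type Node struct {
	User string
	Tags []string
}

// Constructed sample policy (hypothetical users and tags).
const SamplePolicy = `{
  "groups":    { "group:eng": ["alice@example.com", "bob@example.com"] },
  "tagOwners": { "tag:web": ["group:eng"] },
  "acls": [
    { "action": "accept", "src": ["group:eng"], "dst": ["tag:web:443"] }
  ]
}`

func Load(text string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(text), &p)
	return p, err
}

// matches reports whether a selector ("*", "group:x", "tag:x" or a login) covers n.
func (p Policy) matches(sel string, n Node) bool {
	switch {
	case sel == "*":
		return true
	case strings.HasPrefix(sel, "group:"):
		for _, u := range p.Groups[sel] {
			if u == n.User {
				return true
			}
		}
	case strings.HasPrefix(sel, "tag:"):
		for _, t := range n.Tags {
			if t == sel {
				return true
			}
		}
	default:
		return n.User != "" && sel == n.User
	}
	return false
}

// splitDst turns "tag:web:443" into ("tag:web", 443, false) and "tag:web:*" into ("tag:web", 0, true).
func splitDst(dst string) (host string, port int, anyPort bool, err error) {
	i := strings.LastIndex(dst, ":")
	if i < 0 {
		return "", 0, false, fmt.Errorf("dst %q has no port", dst)
	}
	host = dst[:i]
	if dst[i+1:] == "*" {
		return host, 0, true, nil
	}
	port, err = strconv.Atoi(dst[i+1:])
	return host, port, false, err
}

// Allowed is default-deny: src may reach dst:port only if some accept rule
// matches the source node and the destination node and port.
func (p Policy) Allowed(src, dst Node, port int) (bool, error) {
	for _, r := range p.ACLs {
		if r.Action != "accept" {
			continue
		}
		srcOK := false
		for _, s := range r.Src {
			if p.matches(s, src) {
				srcOK = true
				break
			}
		}
		if !srcOK {
			continue
		}
		for _, d := range r.Dst {
			host, dport, anyPort, err := splitDst(d)
			if err != nil {
				return false, err
			}
			if p.matches(host, dst) && (anyPort || dport == port) {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	p, err := Load(SamplePolicy)
	if err != nil {
		panic(err)
	}
	alice := Node{User: "alice@example.com"}
	eve := Node{User: "eve@example.com"}
	web := Node{Tags: []string{"tag:web"}}
	db := Node{Tags: []string{"tag:db"}}
	for _, c := range []struct {
		name     string
		src, dst Node
		port     int
	}{{"alice->web:443", alice, web, 443}, {"alice->web:22", alice, web, 22},
		{"eve->web:443", eve, web, 443}, {"alice->db:443", alice, db, 443}} {
		ok, _ := p.Allowed(c.src, c.dst, c.port)
		fmt.Printf("%-16s allowed=%v\n", c.name, ok)
	}
}
```

Only the first case is accepted; the other three fall through to the implicit deny. An SSO login on the HTTP service then sits on top of this, so reaching port 443 on a tag:web host still gets an attacker nothing without a valid account.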
| judge2020 wrote:
| You could run your own encryption on top of Tailscale; for web
| properties, you can use Tailscale's HTTPS[0] via an ACME
| client (thus Tailscale doesn't see your HTTPS private keys) or
| SSH which is inherently encrypted and verified via host
| identification. For anything else I don't think you can manage
| it much, you've always had to trust your network operator for
| unencrypted/unverified traffic.
|
| 0: https://tailscale.com/kb/1153/enabling-https/
| [deleted]
| aborsy wrote:
| The concern is not encryption. Wireguard encrypts the
| traffic, and users could indeed verify this fact before
| traffic leaves their machines.
|
| The concern is that, if an attacker (such as a government)
| compromises Tailscale, or Tailscale wants, they could probe
| your applications. It would be like your SSH being exposed to
| internet.
|
| These products bypass firewalls, which is a good thing if
| they are secure, and a terrible thing if they are not.
|
| There have been cases where the coordination servers have
| been (sometimes silently) compromised; see stories about
| encrypted phones. Users thought they were secure.
|
| And unfortunately small companies may not have sufficient
| resources to secure their infrastructure against more
| resourceful adversaries.
|
| That's why it's better to pay, so that the startups have
| funds to improve the product.
| dblohm7 wrote:
| Tailscale ACLs can prevent that.
| infogulch wrote:
| This doesn't solve the problem it just shifts it so that
| the attacker also has to control ACL assignments as well
| as node creation.
| imran-iq wrote:
| Would something like headscale
| (https://github.com/juanfont/headscale) solve that concern?
| jrockway wrote:
| I think by "adding encryption", they mean using mTLS
| internally. Your application can request that the client
| authenticate the connection by presenting a certificate,
| your application then applies whatever validation it wants
| before allowing that session to do anything. If someone
| were to compromise Tailscale, they can open a TCP
| connection to your application, but your application will
| then reject the connection because it doesn't trust the
| certificate. That's "zero trust" as I understand it.
|
| This is the direction I'd like to see networking go in
| general. Everything can have a public IP, but applications
| won't talk to anything that's unauthenticated. No more
| VPCs, VPNs, "kubectl port-forward", jumpboxes, etc. In
| practice, this is a colossal pain that nobody really knows
| how to do right. It requires rewriting all existing
| software, a secure way of issuing certificates (ideally not
| controlled by the cloud provider that runs your
| applications), and it can very easily fail open.
|
| (I do mTLS for my personal projects, but my cloud provider
| can easily issue themselves a trusted cert and use that to
| poke around if they really wanted to. They own the machines
| that my CA runs on, so they are the root of trust. At some
| point, what you end up with is something that feels
| correct, but is in practice the same thing as just trusting
| Tailscale. The first 99% of security is making sure some
| rando on the Internet can't download your HR database and
| secret plans for world domination. The remaining 99% of
| security is making sure the NSA can't do that. Maybe you're
| OK with the NSA mucking about with your internal network,
| and in that case, you can save yourself a lot of trouble.)
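The mTLS arrangement jrockway describes above, as an added example written for this page (not code from the original thread, from Tailscale, or from the commenter). It builds a throwaway CA in memory, starts a TLS listener on loopback that requires a client certificate chaining to that CA, and then connects three ways: with a certificate the CA issued, with no certificate, and with a certificate from a second, unrelated CA, which is what someone who merely has network reach to the service would hold. The CA name, the logins and the greeting are constructed. One Go-specific caveat the code handles: under TLS 1.3 the client's handshake finishes before the server checks the client cert, so a rejection shows up on the first Read rather than in Dial.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert mints a short-lived ECDSA certificate; with parent == nil it is self-signed (a CA).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// serve listens on loopback and drops any client whose cert does not chain to pool,
// before a single byte of application data is exchanged.
func serve(serverCert tls.Certificate, pool *x509.CertPool) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no trusted cert, no session
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				if tc.Handshake() != nil { // client cert missing or untrusted
					return
				}
				who := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
				tc.Write([]byte("hello " + who))
			}(c.(*tls.Conn))
		}
	}()
	return ln, nil
}

// dial connects with an optional client cert and returns the server's greeting.
func dial(addr string, pool *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // a TLS 1.3 client-cert rejection surfaces here
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

type Result struct {
	Greeting                      string
	NoCertRejected, RogueRejected bool
}

// Run stands up the server and tries a trusted client, a certless client, and a
// client signed by a CA the server does not trust.
func Run() (Result, error) {
	ca, caKey, err := newCert("demo-ca", true, nil, nil)
	if err != nil {
		return Result{}, err
	}
	srv, srvKey, _ := newCert("server", false, ca, caKey)
	cli, cliKey, _ := newCert("alice@example.com", false, ca, caKey)
	rogueCA, rogueCAKey, _ := newCert("rogue-ca", true, nil, nil)
	rogue, rogueKey, _ := newCert("mallory", false, rogueCA, rogueCAKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := serve(tlsCert(srv, srvKey), pool)
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	good, bad := tlsCert(cli, cliKey), tlsCert(rogue, rogueKey)
	greeting, err := dial(addr, pool, &good)
	if err != nil {
		return Result{}, err
	}
	_, errNoCert := dial(addr, pool, nil)
	_, errRogue := dial(addr, pool, &bad)
	return Result{greeting, errNoCert != nil, errRogue != nil}, nil
}

func main() {
	r, err := Run()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The trust decision lives entirely in the application's ClientCAs pool: whoever can reach the port (a hidden node pushed by a compromised control plane included) still cannot get past the handshake without a key the CA signed. As the comment notes, that only moves the problem to whoever controls the CA.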
| topdancing wrote:
| Just deploy https://github.com/slackhq/nebula somewhere and
| voila - you have your own completely self-hosted version of
| Tailscale.
| anthropodie wrote:
| Wow I had not heard of this. Thank you for sharing. It says
| lighthouses are optional but recommended. Any idea how it can
| work without a lighthouse?
| alexeldeib wrote:
| Haven't used, but I believe lighthouses are primarily for
| host discovery (dns) + hole punching. I think if you
| configure static hosts on all nodes you're good:
|
| https://www.defined.net/nebula/config/#static_host_map
| psanford wrote:
| That's correct.
| stavros wrote:
| My bigger issue is them adding hidden nodes that can
| potentially access my services. If I use Tailscale to provide
| (otherwise unauthenticated, since I've already authenticated to
| Tailscale) access to, say, a file server, a hidden node can
| just see all my files.
| oarsinsync wrote:
| Isn't this where the ideas of zero trust networking come into
| play?
|
| It doesn't matter that you've authenticated to the network,
| you still need to authenticate to the application. SSO and
| the like become increasingly important in this kind of world
| mind.
| tmikaeld wrote:
| There is also Cloudflare Zero Trust (Teams), which is free for
| 50 users and accomplishes the same thing (Wireguard = Tunnels),
| with a lot more years of "trust" and security behind it.
|
| However, it's very cumbersome to setup, nowhere near as easy as
| Tailscale.
| historynops wrote:
| There's also HashiCorp Boundary, which deviates from the
| traditional VPN or jump box based approaches such as a VPC.
| https://www.boundaryproject.io/
| vinay_ys wrote:
| Yes, this is a real concern. No matter how good tail scale guys
| are, their control plane services become super attractive
| target for attackers (solar wind style attack). Tailscale could
| provide a "Github Enterprise" style on-prem deployable control
| plane services running on enterprise controlled domain and with
| its own BYOK infra. This would majorly address the concern.
| chipsa wrote:
| Tailscale doesn't, but there's another opensource project
| which does provide control plane:
| https://github.com/juanfont/headscale.
|
| Even with a on-prem control plane, you probably want logging
| setup to detect when unusual nodes get pushed to the
| accessible list of nodes on your clients.
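The check chipsa suggests above (logging when unexpected nodes show up in the peer list a client receives) as an added example, written for this page rather than taken from the thread or from Tailscale. It audits one `tailscale status --json` snapshot against a baseline of node keys the admin approved out of band. The "Peer" map keyed by node key and the "HostName"/"TailscaleIPs"/"Online" field names are assumed from that command's output; the snapshot, hostnames, keys and addresses below are constructed. Three findings are distinguished: a peer whose key is not in the baseline at all, a known hostname arriving under a different key (a legitimately re-enrolled device or a look-alike), and a baseline node that is absent. Run it from cron against the live command's output and ship the findings to your SIEM.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Subset of `tailscale status --json`; field names are assumed from that output.
type peerStatus struct {
	HostName     string   `json:"HostName"`
	TailscaleIPs []string `json:"TailscaleIPs"`
	Online       bool     `json:"Online"`
}

type status struct {
	Peer map[string]peerStatus `json:"Peer"` // keyed by the peer's node public key
}

type Finding struct {
	Kind, HostName, NodeKey, IP string
}

// Constructed snapshot: one expected peer, one peer reusing a known hostname
// under a new key, and one peer nobody approved.
const SampleStatus = `{
  "Self": {"HostName": "laptop", "PublicKey": "nodekey:aaaa"},
  "Peer": {
    "nodekey:bbbb": {"HostName": "fileserver",  "TailscaleIPs": ["100.64.0.2"], "Online": true},
    "nodekey:cccc": {"HostName": "fileserver",  "TailscaleIPs": ["100.64.0.7"], "Online": true},
    "nodekey:dddd": {"HostName": "relay-probe", "TailscaleIPs": ["100.64.0.9"], "Online": false}
  }
}`

// Baseline held locally (hostname -> approved node key), maintained by the admin.
var SampleBaseline = map[string]string{
	"fileserver":    "nodekey:bbbb",
	"homeassistant": "nodekey:eeee",
}

// Audit compares the peers the control plane pushed to this client with the baseline.
func Audit(statusJSON []byte, baseline map[string]string) ([]Finding, error) {
	var st status
	if err := json.Unmarshal(statusJSON, &st); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var out []Finding
	for key, p := range st.Peer {
		ip := ""
		if len(p.TailscaleIPs) > 0 {
			ip = p.TailscaleIPs[0]
		}
		want, known := baseline[p.HostName]
		switch {
		case known && want == key:
			seen[p.HostName] = true
		case known: // same hostname, different key: re-enrolled or impersonating
			out = append(out, Finding{"KEY_MISMATCH", p.HostName, key, ip})
		default: // never approved
			out = append(out, Finding{"UNKNOWN_PEER", p.HostName, key, ip})
		}
	}
	for host, key := range baseline {
		if !seen[host] {
			out = append(out, Finding{"MISSING", host, key, ""})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].NodeKey < out[j].NodeKey })
	return out, nil
}

func main() {
	findings, err := Audit([]byte(SampleStatus), SampleBaseline)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-13s host=%s key=%s ip=%s\n", f.Kind, f.HostName, f.NodeKey, f.IP)
	}
}
```

On the sample this reports nodekey:cccc as KEY_MISMATCH, relay-probe as UNKNOWN_PEER and homeassistant as MISSING; the expected fileserver peer produces nothing. Pair it with an ACL that only grants access to tagged or named nodes so that an unexpected peer is also unable to reach anything while you investigate.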
| bradfitz wrote:
| FWIW, we do sell an on-prem version to certain customers.
| It's not widely available to anybody yet, but it exists.
|
| (I work at Tailscale)
| vinay_ys wrote:
| That's awesome. When it becomes widely available, I would
| be inclined to talk to my boss about it :-)
| GSGBen wrote:
| A generally available version of this would be a killer
| feature.
| slowbdotro wrote:
| You could look into using tor hidden onions instead
| [deleted]
| gz5 wrote:
| OpenZiti and NetFoundry address by enabling you to close all
| your inbound firewall ports (and link listeners) such that even
| your OpenZiti (open source) or NetFoundry (SaaS) Fabric Routers
| can't initiate sessions into your network.
| genewitch wrote:
| I'll probably have to look at this GTM3.0 ideal. I've found, that
| in the general case, it is fine to underprovision and just let
| stuff fall over, if no one is paying. I'll get around to fixing
| it eventually, even if no one alerts me. One of my goal projects
| is to have a 1U racked in Los Angeles or Dallas that's hiding
| 8-12 raspberry pi or intel celeron/atoms inside of it, including
| a pair of switches and all the redundant PSU you can shove in
| there. A nice "NAS" device for cold storage would be awesome,
| too.
|
| I run a pastebin server using the legacy t1.micro AWS instance -
| or even less, i run it on lightsail now. upon reboot, it sets up
| ~250MB of tmpfs, unzips the actual server code - nodejs in this
| instance - to tmpfs, and sets the data directory in tmpfs as
| well. The only way it could cost me a ton of money is someone
| maliciously requesting the same paste from thousands of remote
| machines, but my understanding is amazon would reverse the
| charges, and i'd probably just not run the service anymore. I can
| almost as easily paste and link stuff using mattermost - except
| full-frame images from one of my cellphones, which i can't figure
| out! there's _no setting_ to allow larger format images anywhere
| in the configs. So I'd be out a few dollars, know that someone
| had it out for me or one of my anonymous users, and just walk
| away.
|
| I would miss being able to upload obscenely large (108MP) images
| and pinch zoom them forever, which is a quirk of the pastebin
| software i chose.
| chrisweekly wrote:
| Tailscale reminds me of Fly.io; fantastic tech that "just works",
| run by people who know what they're doing and know how to write
| about it. What other companies belong in this all-too-exclusive
| cohort?
| SkyMarshal wrote:
| Stripe
| technobabbler wrote:
| IMHO: Vercel/Next.js and their wonderful changelogs and
| documentation. Probably the "coolest" tech company in my book.
|
| Cloudflare, who almost single-handedly pushes the CDN industry
| ahead. So much respect for what they do and how they explain it
| in easy to understand terms.
|
| IntelliJ family of IDEs and their extensive release notes and
| forum discussions; it can be a bit overwhelming and
| disorganized at times though
|
| My personal favorite headless CMS: DatoCMS, small company but
| highly involved devs and iterating very quickly
|
| Google USED to be really good at this long ago, but since
| Alphabet, they've become less and less transparent and more and
| more evil
|
| Airtable, for bridging that gap between Excel and a proper
| database, with a heavy focus on UX and great release notes
| ternaryoperator wrote:
| I'd include Backblaze
| mtremsal wrote:
| I have the same two companies on the infra-side. A third, on
| the security-side of things is Thinkst (https://canary.tools/).
| tptacek wrote:
| Thinkst is so great.
| muhammadusman wrote:
| I used to think Cloudflare was in this category but maybe not
| anymore?
| pestaa wrote:
| What changed your mind?
| hoten wrote:
| Could anyone ELI5 to me why I might use tailscale? If I don't
| have a use case for a VPN is there any use case for this product,
| or if I did want a VPN, why this and not some other service like
| Nord?
|
| Asking from a place of curiosity, I don't quite understand this
| company. I suspect it solves a lot of issues related to
| provisioning your own networks ... Which would explain why I
| don't quite get it because I've never done that.
| andrewnc wrote:
| I use it to code on my deep learning machine from my macbook.
| It makes things a bit more secure and ssh-ing is painless that
| way.
|
| Then I can check experiments from wherever without worrying
| about a lot of the fiddly details.
| pSYoniK wrote:
| A service like Nord VPN or other such VPN providers setup a
| connection between your device and an exit point that they
| manage (a server to keep things in a client-server structure).
| So the idea there is that no one monitoring your traffic should
| ideally see what websites you visit, what things you download
| or what devices you connect to (I'm keeping this broad and very
| surface level to be able to reach a common point of
| understanding and if anyone adds to this, by all means, let's
| clarify this as it's quite a complex topic).
|
| So let's say the local government blocks access to certain
| content, you can connect to a VPN provider's network, select an
| exit point (a server) and your traffic is routed through them.
| But this can be monitored by that provider and I read an
| article recently that highlighted a lot of free VPN providers
| cannot be tracked down to companies, so you couldn't say who is
| running those servers. Which means, you don't know if all your
| traffic isn't actually recorded in the end and sold on to
| someone.
|
| This brings me to the first difference - you can setup your own
| server (at home or more likely through an infrastructure as a
| service provider like Hetzner, Ovh, DigitalOcean, etc) and
| install Tailscale on it and on your device(s). This way your
| connection is secured to the server and the server is the exit
| point now. Your provider in this case, cannot see what your
| server is serving you. The added control here is that the
| server IS YOURS, so you can clear logs, take it down and setup
| another one and so on.
|
| The second difference is that a VPN in most canonical cases has
| a client-server construction. But this means that there is a
| hierarchy and that all your devices use that server as a
| gateway of sorts. If I understand it correctly, Tailscale acts
| as a mesh that is laid on top of your existing connections, but
| it means that devices that you connect to the same mesh, behave
| as if they were on the same LAN network, but over the internet.
| So let's say you're on holiday, you can connect to your home
| computer (assuming your device and your home system have
| Tailscale, an internet connection and are running ofc) as if it
| was on the same network. Because it is. It's on a virtual
| network where Tailscale creates these connections and manages
| the IPs on the network. So you can view your movies, copy over
| your pictures from your phone to your home computer and so on.
|
| You could also maybe have a home server which might be running
| a number of services. Enabling SSH over the internet has its
| risks, but Tailscale could alleviate a lot of these risks
| because you would have a fixed IP on this virtual network and
| so does your server. So suddenly, you can define a rule on your
| server firewall that says "hey, block everyone, except THIS
| ip".
|
| Lastly, you could maybe even just share pictures, documents and
| whatever else with friends, family or anyone else who is
| running on the same Tailscale network.
|
| I really hope I haven't completely misunderstood the service
| and I'd be happy to get more clarity or some better examples.
| These are SOME of the use cases I can think of, but there are
| probably more! Btw, I don't use Tailscale, I am considering it
| after having considered other mesh networks like Yggdrasil as
| that's the part I'd be interested in...
| kelp wrote:
| I struggled with a use case at first as an individual user, but
| now I'm using it in a few different places.
|
| I have a Synology on my home network which I use for Time
| Machine backups among other things. My Mac has a Tailscale
| client and I can backup to my Synology from anywhere.
|
| I have a number of random servers I keep for hobby stuff, a mix
| of hosted bare metal, VMs and VPS. None of them have SSH open
| to the internet. My access is all over Tailscale. It was super
| easy to setup, and now I never have to touch it. Occasionally
| I'll see that the Tailscale daemon was updated on some host.
|
| If I were starting a company today, as soon as I had any
| resources that needed any kind of remote access for the team,
| I'd use Tailscale to provide that access.
| mercutio2 wrote:
| How did you get your Synology on Tailscale?
|
| I have been pondering setting up Tailscale just to get remote
| access but I haven't found good examples of people doing
| this.
| xanaxagoras wrote:
| I've wondered this as well. Everyone seems to rave about it,
| but I run my own wireguard and don't find it too hard to add
| devices to the network. I think maybe you can use it to expose
| certain things to the internet easily? I don't have a lot of
| trouble doing that either. I've scrolled around their marketing
| site for a few minutes before and I just don't really get what
| all the fuss is about. I'm sure I'm missing something.
|
| I will say, and I think this is right, the proposition here
| isn't a VPN like Nord which you'd use to hide your traffic from
| your ISP or masquerade into a different geolocation, but rather
| a VPN for connecting to your own devices.
| mikeyschaefer wrote:
| If your ISP does CGNAT a typical WireGuard setup won't work
| without a public IP address. Tailscale makes it possible to
| use a VPN without a public IP. I use Tailscale with Starlink
| which uses CGNAT.
| willstrafach wrote:
| I think the pitch here is "Semi-managed WireGuard peer
| provisioning and NAT punching as a service" usable by anyone
| who may not otherwise have a clue how WireGuard works (eg.
| friends sharing access to a file/media server), within 5
| minutes or less from download/login to "done"
| hobofan wrote:
| > I'm sure I'm missing something.
|
| Can you really not see the difference between this[0] and
| this[1]?
|
| This really feels like a "What's the value in Dropbox when
| everyone has access to rsync and bash?" situation.
|
| [0]: https://www.wireguard.com/quickstart/
|
| [1]: https://tailscale.com/kb/1017/install/
| xanaxagoras wrote:
| I can see that it's easier to setup for someone who doesn't
| know how to use WireGuard, but not how it would benefit me
| personally. I guess SSO is nice.
|
| I think it's more like... "What's the value in Dropbox when
| I'm already running Nextcloud?"
| gowld wrote:
| The value is you can stop running Nextcloud.
| tptacek wrote:
| It's very easy to run your own WireGuard, and if that's all
| you want, by all means, do that. A lot of work went into
| making WireGuard the easiest-to-configure VPN --- it's
| deceptively sophisticated (the best kind of sophisticated).
|
| Tailscale is also deceptively powerful, and that's why people
| love it. In particular: getting WireGuard deployed across a
| whole team with a single source of authentication truth and
| role-based default-deny ACLs is not, in fact, very easy to
| do. The _massively_ more common pattern in tech companies
| with access VPNs is something like OpenVPN, with separately-
| managed credential stores (that get desynced and lock people
| out --- or accidentally retain access for separated team
| members) and default-allow network policy that gives anyone
| with access to the VPN direct access to Redis, databases,
| staging instances, and stuff like that.
|
| I don't just like Tailscale. I fucking _hate_ Tailscale for
| how simple they've made one of the larger problems in
| corpsec. It's maddening.
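The default-deny, role-based ACL model tptacek describes above (and the "block everyone except THIS ip" rule pSYoniK wanted earlier in the thread) is easy to state and easy to get wrong in practice. The following is an added example, not Tailscale's code and not from any comment in this thread: a deliberately small evaluator for a policy shaped like a tailnet policy file (groups, host aliases, and "acls" rules with action/src/dst). The policy, node names and addresses are constructed for illustration; the evaluator handles users, groups, tags, aliases, "*" and port lists/ranges and nothing more. Its one important property is the one the comment is about: a pair with no matching accept rule is denied.

```python
"""Default-deny evaluation of a Tailscale-style ACL policy.

Added example, not Tailscale's code. The policy dict follows the documented
shape of a tailnet policy file (groups, hosts, and "acls" rules with
action/src/dst), but this evaluator is a small model: it handles users,
groups, tags, host aliases, "*" and port lists/ranges, and nothing else.
Every dst selector must end in ":<ports>" as tailnet policies require.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Constructed policy for illustration. Only "accept" rules exist; anything
# not matched by one of them is denied.
POLICY = {
    "groups": {
        "group:eng": ["alice@example.com", "bob@example.com"],
        "group:sre": ["carol@example.com"],
    },
    "hosts": {"redis-prod": "100.101.102.103"},
    "acls": [
        # Engineers may SSH to staging hosts only.
        {"action": "accept", "src": ["group:eng"], "dst": ["tag:staging:22"]},
        # SRE may SSH to prod and reach the Redis port; nobody else can.
        {"action": "accept", "src": ["group:sre"],
         "dst": ["tag:prod:22", "redis-prod:6379"]},
        # Any node on the tailnet may reach the staging web UI.
        {"action": "accept", "src": ["*"], "dst": ["tag:staging:443"]},
    ],
}


@dataclass(frozen=True)
class Node:
    ip: str
    user: Optional[str] = None                                # owner of a user device
    tags: FrozenSet[str] = field(default_factory=frozenset)   # tags of a tagged server


def host_matches(selector: str, node: Node, policy: dict) -> bool:
    """Does a src/dst host selector describe this node?"""
    if selector == "*":
        return True
    if selector.startswith("group:"):
        return node.user in policy["groups"].get(selector, ())
    if selector.startswith("tag:"):
        return selector in node.tags
    alias = policy.get("hosts", {}).get(selector)
    if alias is not None:
        return node.ip == alias
    return selector in (node.user, node.ip)


def port_matches(spec: str, port: int) -> bool:
    """Port spec is "*", a single port, a range "8000-8100", or a comma list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(policy: dict, src: Node, dst: Node, port: int) -> bool:
    """True only if some accept rule matches both src and dst:port."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":      # the policy has no deny rules
            continue
        if not any(host_matches(s, src, policy) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            host, _, ports = d.rpartition(":")
            if host_matches(host, dst, policy) and port_matches(ports, port):
                return True
    return False  # default deny


def allowed_matrix(policy: dict, nodes: List[Node], port: int) -> List[Tuple[str, str]]:
    """Audit view: every (src ip, dst ip) pair that may talk on a port."""
    return sorted((a.ip, b.ip) for a in nodes for b in nodes
                  if a is not b and is_allowed(policy, a, b, port))


# Constructed nodes.
ALICE = Node("100.64.1.1", user="alice@example.com")
CAROL = Node("100.64.1.3", user="carol@example.com")
STAGING = Node("100.64.2.10", tags=frozenset({"tag:staging"}))
PROD = Node("100.64.2.20", tags=frozenset({"tag:prod"}))
REDIS = Node("100.101.102.103", tags=frozenset({"tag:prod"}))

if __name__ == "__main__":
    for who, where, port in [(ALICE, STAGING, 22), (ALICE, REDIS, 6379),
                             (CAROL, REDIS, 6379), (PROD, STAGING, 443)]:
        verdict = "accept" if is_allowed(POLICY, who, where, port) else "deny"
        print(f"{who.ip} -> {where.ip}:{port}  {verdict}")
```

The point of `allowed_matrix` is the audit tptacek mentions: with default deny, the set of reachable (src, dst, port) triples is exactly the set of accept rules, so the rule list can be read as the complete access map. In the default-allow OpenVPN setup he describes, no such map exists; anyone on the VPN reaches Redis on 6379 unless a host firewall happens to say otherwise.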
| TheFlyingFish wrote:
| Tailscale has three main pieces of functionality over vanilla
| Wireguard: Automatic peer configuration, NAT holepunching,
| and network ACLs.
|
| I won't talk much about ACLs since if you're the only user on
| your VPN, they don't matter. E.g. I use Tailscale but I don't
| use ACLs because who am I going to block from connecting to
| what? Am I concerned about my server trying to compromise my
| Raspberry Pi? (Maybe I should be, but life's too short so I
| don't bother.)
|
| Automatic peer configuration is a pretty killer feature,
| though. If you're just running plain vanilla Wireguard, then
| you have to manually copy keys between every pair of devices
| that need to be able to talk to each other. That's fine if
| you only have a few devices, or if you have a large number of
| devices but you're happy to use a hub-and-spoke model where
| each "client" only talks to the hub, and the hub routes all
| traffic. But once your number of devices starts to grow, or
| you decide you want direct links instead of hub-and-spoke, it
| can start to get unpleasant.
|
| NAT holepunching may seem unnecessary if you're used to
| having a VPN hub and just port-forwarding to it. But it opens
| up a whole set of possibilities that would just be non-
| starters without it. Just off the top of my head, here are
| some things that I would consider easy with Tailscale but
| cumbersome-to-impossible without:
|
| 1. Not having to worry about static IP assignments on my LAN.
| Admittedly, this is more of a convenience than a true barrier
| to anything, but with vanilla wireguard one of the devices
| needs to be able to initiate the connection, meaning that the
| other has to be able to receive unsolicited traffic on some
| port. Normally I'd do that with port forwarding, but all of
| the port forwarding I've ever done requires a fixed internal
| IP to which to forward the port. Instead, with Tailscale, you
| can just plug in your server/RPi/whatever and forget about
| it.
|
| 2. Similarly, you can take advantage of this to get a window
| into a network that you don't control. (It sounds bad when I
| put it that way.) Say you've got a relative a long ways away,
| and they're constantly calling you for help with their
| network and you're constantly walking them through how to
| fiddle with their router settings or something - with
| Tailscale, you could just preconfigure a Raspberry Pi, ship
| it over, and not have to worry about being able to connect to
| it once they plug it in. Voila, you have an entrypoint into
| Grandma's network or whatever.
|
| 3. Self-hosting aficionados like myself tend to turn to "can
| I put a thing on a server somewhere" as a solution to many
| problems involving cross-device communication: file
| synchronization is an obvious example. But what if all the
| devices could seamlessly talk to each other, anywhere and
| anytime? Then you could pop, say, Syncthing on each device
| and not have to worry about having a server up.
|
| Tailscale also has some extra goodies like being able to
| share a device to someone else's Tailnet, so if you run (say)
| a Plex server and you want to let someone else talk to it
| without exposing it to the greater internet that's pretty
| easy.
|
| Their "Magic DNS" feature is also quite convenient - I used
| to pride myself on being able to remember all the IPs I had
| assigned to all my network-connected stuff and therefore not
| needing DNS, but since I've started using Tailscale I've
| found myself defaulting to DNS names more and more without
| ever even consciously deciding on it. Words are just more
| memorable than numbers, there's no need to fight it.
|
| All that said, if none of those use cases seem compelling to
| you then maybe Tailscale just isn't for you. Different
| strokes for different folks.
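TheFlyingFish's first two points above (keys copied between every pair of devices; for each pair one side must be able to receive the first packet) and mikeyschaefer's CGNAT remark earlier in the thread are worth seeing as actual bookkeeping. The following is an added example, not from the thread and not Tailscale's or WireGuard's code: it builds the full-mesh WireGuard configs for N peers by hand, counts the public keys that have to be copied around, and flags every pair where neither side has an address that can accept an unsolicited handshake, which is the case plain WireGuard cannot connect without a hub, a port-forward or NAT traversal. Peer names and addresses are constructed (203.0.113.0/24 is a documentation range standing in for a public address), and the keys are random placeholders in WireGuard's base64 shape rather than real Curve25519 keys.

```python
"""Hand-rolled full-mesh WireGuard configs for N peers.

Added example, not from the thread and not Tailscale's or WireGuard's code.
It does the bookkeeping Tailscale's automatic peer configuration and NAT
traversal remove: every peer carries a [Peer] block for every other peer,
and for each pair at least one side needs an address that accepts the first
packet. Keys are constructed random placeholders in WireGuard's base64
shape; real ones come from `wg genkey` / `wg pubkey`.
"""
import base64
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses on which a peer cannot receive an unsolicited packet from the
# internet. 203.0.113.0/24 (documentation range) is deliberately not listed
# so it can stand in for a public address in the constructed fleet below.
NOT_REACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 CGNAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


@dataclass
class Peer:
    name: str
    overlay_ip: str                 # address inside the VPN
    public_key: str
    wan_ip: Optional[str] = None    # address inbound packets reach, if any
    listen_port: int = 51820


def placeholder_key() -> str:
    """Constructed 32 random bytes, base64 like a real WireGuard key."""
    return base64.b64encode(os.urandom(32)).decode()


def has_reachable_endpoint(peer: Peer) -> bool:
    """Only a public, non-CGNAT address can accept the first handshake."""
    if peer.wan_ip is None:
        return False
    addr = ipaddress.ip_address(peer.wan_ip)
    return not any(addr in net for net in NOT_REACHABLE)


def unreachable_pairs(peers: List[Peer]) -> List[Tuple[str, str]]:
    """Pairs where neither side can initiate: plain WireGuard cannot link them."""
    return [(a.name, b.name)
            for i, a in enumerate(peers) for b in peers[i + 1:]
            if not (has_reachable_endpoint(a) or has_reachable_endpoint(b))]


def render_config(me: Peer, peers: List[Peer], private_key: str) -> str:
    """wg-quick style config for `me` with a [Peer] block per other peer."""
    lines = ["[Interface]",
             f"PrivateKey = {private_key}",
             f"Address = {me.overlay_ip}/32",
             f"ListenPort = {me.listen_port}"]
    for other in peers:
        if other is me:
            continue
        lines += ["", "[Peer]",
                  f"PublicKey = {other.public_key}",
                  f"AllowedIPs = {other.overlay_ip}/32"]   # direct link, no hub routing
        if has_reachable_endpoint(other):
            lines.append(f"Endpoint = {other.wan_ip}:{other.listen_port}")
            if not has_reachable_endpoint(me):
                # we sit behind NAT and must dial out; keep the mapping alive
                lines.append("PersistentKeepalive = 25")
    return "\n".join(lines) + "\n"


def build_mesh(peers: List[Peer]) -> Dict[str, str]:
    """One config per peer, each with its own placeholder private key."""
    return {p.name: render_config(p, peers, placeholder_key()) for p in peers}


def key_copies(peers: List[Peer]) -> int:
    """Public keys that must be distributed by hand for a full mesh: N*(N-1)."""
    n = len(peers)
    return n * (n - 1)


# Constructed fleet: a public server, a laptop behind home NAT, a box on a
# CGNAT ISP (the Starlink case from the thread) and a phone with no fixed address.
PEERS = [
    Peer("server", "10.0.0.1", placeholder_key(), wan_ip="203.0.113.10"),
    Peer("laptop", "10.0.0.2", placeholder_key()),
    Peer("starlink-box", "10.0.0.3", placeholder_key(), wan_ip="100.70.1.2"),
    Peer("phone", "10.0.0.4", placeholder_key()),
]

if __name__ == "__main__":
    for name, cfg in build_mesh(PEERS).items():
        print(f"# {name}.conf\n{cfg}")
    print("keys to copy by hand:", key_copies(PEERS))
    print("pairs with no side able to initiate:", unreachable_pairs(PEERS))
```

Every pair in `unreachable_pairs` is one that a hub-and-spoke setup would route through the server instead, and one that Tailscale's hole-punching (or, failing that, its relays) connects directly. The key count grows quadratically and every new device touches every existing config, which is the "starts to get unpleasant" in the comment.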
| tptacek wrote:
| This is all great stuff, and reasons to respect Tailscale,
| but honestly the killer feature for their big-money
| customers, and the reason I have such strong feelings about
| it, is much simpler: Tailscale does SSO login, and does it
| extremely well. If you're running a security practice for a
| growing tech company, one of the most important early jobs
| you have is getting all your services migrated to SSO. VPNs
| are notoriously annoying to SSO (I have seen some _janky_
| Okta integrations for OpenVPN).
| shinypokemon wrote:
| I have some services running on my home network (e.g Kubernetes
| and some stuff on a Raspberry Pi) that I'd like access when I'm
| away from home. Tailscale made that really easy. I just setup
| their client on the devices that need to communicate, and
| that's it. I can access those devices on my home network from
| my Macbook when I'm out and about. What's really neat is I can
| even set my Raspberry Pi as a DNS server for devices in my
| Tailscale mesh (using their DNS features) and use Pi-hole to
| setup custom DNS rules for those devices. Wrote a short piece
| about it here: https://evanshortiss.com/crc-tailscale
| 2Gkashmiri wrote:
| I don't know man.... been using ZeroTier quietly for like the last
| 2 years, never do I remember having had problems or anything
| messed up.
|
| If I have to add a node, I install the app on the device, open
| the account, copy the code and authorize it and done. No config,
| ever.
|
| Can anyone tell me what is the difference between the free
| accounts of ZeroTier and Tailscale? The configuration, management,
| setup, ease, limits?
|
| Again, ZeroTier is set up once and forget. Oh, no login on the
| clients as well, they are preconfigured because they use a key
| and that key gets verified in the client so no login issues even
| They discuss this here:
| https://tailscale.com/kb/1139/tailscale-vs-zerotier/
| mooreds wrote:
| I like how they call out that you can do this with a SaaS
| offering as long as you keep a handle on scaling costs with the
| hybrid architecture. Their system architecture enables their
| business model!
|
| I see the same thing with $CURJOB, which has a downloadable,
| self-hostable fully featured solution. The operational dynamics
| are different (it is harder to convince folks to run software
| themselves than to sign up for a SaaS, all other things being
| equal) but the overall dynamic is the same: offer a spectacular
| free product to allow for scaling customer discovery and word of
| mouth, then charge for things that people with money care about:
|
| > At each level, the value proposition is different, so that
| users use your tech differently and benefit differently from it.
| And at each level, the buyer is different, so the messaging is
| different.
|
| This is market segmentation 101, but it's nice to read about it
| from an infrastructure company perspective.
|
| One thing they didn't mention which I would in their shoes is how
| powerful $0 is in terms of letting folks kick tires and self-
| select their solution. (Or not select it, which is fine too.)
| Especially for dev focused products, a $0.01/month charge is such
| a barrier compared to a free solution.
| stavros wrote:
| > One thing they didn't mention which I would in their shoes is
| how powerful $0 is in terms of letting folks kick tires and
| self-select their solution. (Or not select it, which is fine
| too.) Especially for dev focused products, a $0.01/month charge
| is such a barrier compared to a free solution.
|
| I was just thinking about this, I tried a hosted solution with
| $25 in free credits the other day and liked it, so we're now
| using it. It's not that we needed the $25, but if I had to talk
| to finance and get authorization first, we would never have
| gone with it.
|
| Free trials work, I guess!
| mooreds wrote:
| > Free trials work, I guess!
|
| They reduce the sand in the gears, for sure.
|
| Same with educational material, especially if it is useful
| beyond the service providing it. (See Digital Ocean's
| playbook, including their purchase of CSS Tricks.)
|
| > It's not that we needed the $25, but if I had to talk to
| finance and get authorization first, we would never have gone
| with it.
|
| This is it, this is the truth!
|
| Every single developer tooling company should have this
| tattooed on their collective forehead. Or something like that
| :) .
| sockaddr wrote:
| Zerotier offers more nodes for free just FYI, and as far as I can
| tell they are pretty allergic to collecting user data.
| kosikond wrote:
| Just last quarter I migrated my home tiny poor stack (9 nodes)
| from Zerotier to Tailscale and this blog confirms it was a good
| call.
|
| Performance and stability especially on SMB shares and ARM based
| SBCs is so far way better than on zt
| linsomniac wrote:
| I've been a fairly big ZeroTier fan for a year or more, playing
| around with it on my own machines. They do some really slick
| things with public networks and broadcast traffic and those
| "public network with an open firewall for port X" (their name
| escapes me), and I like their web interface (vs managing files
| like Wireguard or Nebula).
|
| They were on the short list for deploying an overlay network
| for work, and when I started thinking hard about it, I was
| concerned about availability if their controllers went down, I
| didn't want to tie our availability to theirs.
|
| So I asked their sales a question about if we could host a
| backup controller or something to allow our network to operate
| if their controllers went offline. It took (IIRC) a couple
| weeks to get a reply and that reply was along the lines of
| "It's impossible for all our controllers to go down, but if you
| want to self host you lose the web UI." I replied linking to a
| ZeroTier tweet saying "Hosted controllers are coming back up"
| and asking "What was the event referred to in this tweet", and
| got only crickets in response.
|
| So I'm planning on going with Nebula, but also keeping an eye
| on DefinedNetworking.
|
| https://twitter.com/ZeroTier/status/1389766385480372225?s=20
| OpenZiggy wrote:
| If you're looking for alternatives you might find the free,
| open source project I'm a dev on interesting too. you can run
| your own network if you want. Give us a peek?
| https://openziti.github.io/ If you like the project just give
| us a star on github so we can spread the word :) Right now we
| also have "a single controller" but you don't lose any
| network traffic if you have to restart it and of course - we
| are right in the midst of going "distributed controller" to
| eliminate that spof.
| gw67 wrote:
| Could you share your best practices about writing documentation?
| jlokier wrote:
| I already know how NAT traversal works, and I've read a lot about
| it before.
|
| But credit to David Anderson at Tailscale. Their NAT traversal
| article is excellent, the best I've seen on the topic:
| https://tailscale.com/blog/how-nat-traversal-works/
| paxys wrote:
| For pretty much every SaaS app out there with a freemium model
| users on the free plan aren't "the product" and their info isn't
| being sold to anyone. Rather, the free plans are considered a
| business expense to motivate a percentage of the user base to
| move to paid ones.
|
| So what they are saying makes sense but is very far from
| revolutionary.
___________________________________________________________________
(page generated 2022-03-16 23:00 UTC)