[HN Gopher] Tailscale raises $100M
___________________________________________________________________
Tailscale raises $100M
Author : gmemstr
Score : 670 points
Date : 2022-05-04 13:17 UTC (9 hours ago)
(HTM) web link (tailscale.com)
(TXT) w3m dump (tailscale.com)
| joshbaptiste wrote:
| "To paraphrase Larry Wall, Tailscale makes easy things easy" ..
| Indeed, I run multiple devices via two regionally separated homes
| and two cheap VPSes .. RaspberryPi, Linux, MacOS and an iPhone
| all able to communicate effortlessly thanks to TS
| madjam002 wrote:
| Things I'm really looking forward to seeing from Tailscale /
| projects I'd like to tinker with:
|
| - Better iOS battery life, there have been many improvements but
| it's still too much to leave running 24/7, I understand they're
| making improvements here
|
| - Their built-in SSH server which seems to be in development
|
| - Using Tailscale ACLs to control access to Kubernetes ingress
| resources, they recently released an nginx auth plugin so I
| imagine this is now possible if you attach a Tailscale sidecar to
| the nginx ingress controller
|
| - Arbitrary ACLs which also seem to be in progress, it would be
| awesome to define in ACLs who has access to different parts of
| e.g. a backoffice application
|
| - Official support for DNS extra records, already using this with
| the Headscale self hosted control plane for personal projects but
| it would be great to use it on Tailscale too
|
| - Kernel Wireguard for the data plane, I think this is on the
| roadmap?
|
| Overall a fantastic piece of software which I use for both
| personal and professional projects.
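The ACL wishes in the comment above (per-resource access rules, tag-based control of what an ingress may reach) come down to a default-deny policy evaluated per source, destination and port. The following is an added example and not Tailscale's or the commenter's code: a small evaluator for a policy written in the shape Tailscale's ACL file uses (top-level "groups", "tagOwners" and an "acls" list of accept rules whose "dst" entries carry a port spec). The policy, the users and the node inventory are constructed for illustration, and the matching logic is a simplified model of how such a file is evaluated, not the control plane's implementation.

```python
import re
from typing import Dict, List, Set

# Constructed sample policy (not a real tailnet's file). Only "accept"
# rules exist; anything not named by a rule is denied.
POLICY = {
    "groups": {
        "group:backoffice": ["alice@example.com", "bob@example.com"],
        "group:ops": ["carol@example.com"],
    },
    "tagOwners": {"tag:backoffice-web": ["group:ops"]},
    "acls": [
        # back-office staff reach the web front end, but only on 443
        {"action": "accept", "src": ["group:backoffice"], "dst": ["tag:backoffice-web:443"]},
        # ops reach the same nodes on any port (ssh, metrics, ...)
        {"action": "accept", "src": ["group:ops"], "dst": ["tag:backoffice-web:*"]},
    ],
}

# Constructed node inventory: tailnet address -> tags the node carries.
NODES: Dict[str, List[str]] = {
    "100.64.0.10": ["tag:backoffice-web"],
    "100.64.0.11": [],  # untagged: no rule names it, so nothing reaches it
}


def expand_src(selector: str, policy: dict) -> Set[str]:
    """Turn one src entry into the set of principals it stands for."""
    if selector.startswith("group:"):
        return set(policy.get("groups", {}).get(selector, []))
    return {selector}  # "*", a user login, or a tag name


def port_matches(spec: str, port: int) -> bool:
    """spec is "*" or a comma list of ports/ranges such as "80,443,8000-8099"."""
    if spec == "*":
        return True
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad port spec: {spec!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if lo <= port <= hi:
            return True
    return False


def dst_matches(entry: str, dst_ip: str, port: int, nodes: Dict[str, List[str]]) -> bool:
    """entry is "<selector>:<ports>", e.g. "tag:web:443" or "100.64.0.10:*"."""
    selector, sep, ports = entry.rpartition(":")
    if not sep:
        raise ValueError(f"dst entry needs a port spec: {entry!r}")
    if not port_matches(ports, port):
        return False
    if selector == "*":
        return True
    if selector.startswith("tag:"):
        return selector in nodes.get(dst_ip, [])
    return selector == dst_ip  # literal address


def is_allowed(src: str, dst_ip: str, port: int, policy: dict = POLICY,
               nodes: Dict[str, List[str]] = NODES) -> bool:
    """Default deny: True only if some accept rule matches both ends."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        principals = set().union(*(expand_src(s, policy) for s in rule["src"]))
        if src not in principals and "*" not in principals:
            continue
        if any(dst_matches(d, dst_ip, port, nodes) for d in rule["dst"]):
            return True
    return False
```

There is deliberately no deny rule: a destination that no accept rule names is unreachable, which is why the untagged node in NODES can never be reached and why a newly deployed service stays invisible to everyone until a rule is written for it.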
| lajamerr wrote:
| I remember reading a previous HN post about Tailscale and a
| certain commenter said that Tailscale is ideologically driven,
| small-scale operation and they prefer an alternative like
| NetMaker which has more backing.
|
| $100M seems more than a small-scale operation or is $100M in tech
| actually small scale?
| jonfw wrote:
| Tailscale has been much larger than Netmaker for as long as
| Netmaker has existed
| syntaxing wrote:
| Tailscale is absolutely amazing for accessing local first
| platforms (like home assistant and jellyfin). Sure, I can set up
| wireguard, but Tailscale is plug and play. Biggest gripe is that
| it messes with my DNS like nextDNS on iOS.
| nickysielicki wrote:
| Tailscale has a fantastic product, I've been extremely happy from
| day one. If you're waiting for a weekend to have a few hours to
| try out Tailscale, don't, it takes 15 minutes to get every device
| you own up and running and talking. This is the lowest friction
| personal VPN to ever exist, and once you see how easy it is for
| your own devices, you'll wish you had it at work.
|
| The biggest risk that this company has is that Cloudflare (in all
| reality) should just buy them or reimplement it. It's the type of
| product cloudflare would make, that's for sure. Being based on
| open source wireguard, and being just a STUN/TURN server at its
| core... I'm sure that Tailscale will be the first but maybe not
| the best.
|
| I've been dreaming lately of a tor-like network that's based
| loosely on the idea of tailnets. Rather than blockchain bullshit,
| you'd have a direct ring of trust with friends, and then you
| could set up access policies to forward packets for people you
| don't trust, but who know someone you do trust.
|
| Web3 happens when people can host stuff on their phones, and
| Tailscale is something that lets you host things on your phone.
| Melatonic wrote:
| I think your last point is what many of us are hoping Web3
| really is
| systemvoltage wrote:
| Well put, there is no moat. Corporate customers really don't
| want yet another network infra if they have Cloudflare + ZTN
| offerings.
|
| Cloudflare, please make a box I can buy and stick it in the
| closet with a WAN connection. Routers suck, it's time to
| reinvent them. Also please don't make them look like goddamn
| spaceships.
| jgrahamc wrote:
| What's this box going to do?
| systemvoltage wrote:
| I was thinking a router that's connected to Cloudflare
| network. Every device that connects to it is automatically
| on Cloudflare tunnels or Tailscale like VPN. And generally
| do the routing stuff better than Ubiquiti products (can
| manage your home router through their control panel from
| anywhere).
|
| Remote devices would need a client installed on it to
| access the VPN, of course.
| babelfish wrote:
| https://blog.cloudflare.com/cloudflare-for-offices/
| zionic wrote:
| tepitoperrito wrote:
| Like a hybrid NNCP-GO and nebula sdn. Neat!
| mnkmnk wrote:
| Cloudflare already has a competing product
| https://www.cloudflare.com/en-in/lp/ppc/cloudflare-for-teams...
| nickysielicki wrote:
| It's not really a competing product until they relaunch it
| with a heavy consumer focus and with some of the properties
| that Tailscale has, ie: avoiding going through the cloudflare
| CDN. But more to my point, cloudflare is definitely in a
| position to outcompete Tailscale, it's just a couple tweaks
| and a marketing shift.
| ThePhysicist wrote:
| I don't think Tailscale will focus on the consumer market,
| I'd be very surprised at least if they did. I think they
| built a developer-friendly product to get mindshare and
| early adopters, but eventually the real market for such
| products is in the B2B space, i.e. implementing the
| "BeyondCorp" model of zero-trust networking. There's also a
| market for building cloud mesh services but I'm not sure if
| Tailscale is well positioned for that as there are good
| open-source solutions available for that already.
| ignoramous wrote:
| You're not wrong but they do seem to want to keep
| focusing on consumers (not just developers), teams, and
| enterprises all at the same time but _market_ [0] the
| product differently.
|
| > _If we're going to fix the Internet, there's no point
| only fixing it for big companies who can pay a lot. That
| misses the point of the whole adventure. The Internet is
| for everyone. We have to fix it for everyone, or why
| bother? We knew we had to design a business model and a
| technical architecture that removes any incentive to
| abuse your privacy. Providing an ever-expanding free tier
| is how we help as many people as possible._
|
| > ...
|
| > _Tailscale's go-to-market strategy is what we call
| bottom-up growth, or product-led growth (PLG). An earlier
| name for this is "GTM 3.0", which is explained
| beautifully in a presentation by Adam Gross... To
| summarize: in GTM 3.0, you give away an unlimited free
| tier for individual use (Not a trial, a free tier; this
| is what makes it different from GTM 2.0). Then, for
| collaboration in small teams, you charge a bit. Then, for
| big company control and auditability, you charge even
| more. At each level, the value proposition is different,
| so that users use your tech differently and benefit
| differently from it. And at each level, the buyer is
| different, so the messaging is different._
|
| From tailscale.com/blog: _How our free plan stays free_,
| https://archive.is/R7jqw
|
| [0] https://en.wikipedia.org/wiki/Marketing_mix
| windexh8er wrote:
| They already (sort of) do [0] as they have a "Personal
| Pro" plan that's not too obvious - personally, I hope
| they expand to make it more cloud-native via a la carte
| pricing for those users as I'd pay an extra $x/month for
| an additional subnet router or three. And, IMO, it's a
| smart approach - those who are the targeted "Prosumer"
| might leverage this for their homelab and carry it over
| with them into the enterprise. I say that it's a smart
| approach because in my time at a vendor that was slinging
| security middle boxes - we used to give away our small
| form factor product to those homelab'ers for free. They'd
| take them home and see how much the solution could
| provide, they got comfortable with the UI, and they
| learned it for their own use cases. And then the path
| into an enterprise conversation held much less friction.
|
| [0] https://tailscale.com/pricing/
| chipsa wrote:
| I think they've said they don't actually enforce the
| usage limits, so you can add an additional subnet router
| and they largely don't care (because they haven't put the
| engineering into enforcing the limits, because it doesn't
| actually use up appreciably more resources for them when
| you exceed those limits). I think they do enforce the
| user limits though.
| seedie wrote:
| I remember Astaro did this with their Astaro Security
| Gateway UTM solution. Provide a full featured software
| appliance for home users and hope the admins are so
| caught up that they don't want to change to another
| vendor at work. Astaro got acquired by Sophos in 2011 but
| I just checked, they still offer the Sophos UTM Gateway
| in a Home edition.
|
| https://www.sophos.com/en-us/free-tools/sophos-xg-
| firewall-h...
| nickysielicki wrote:
| It costs them so little to provide their free consumer
| service (iirc: they fall-back to providing transit, but
| it's very rare and only occurs when UDP is completely
| blocked) that it benefits them to keep their focus on
| consumers because if _everyone_ is using Tailscale, the
| business customers are inevitable.
| depingus wrote:
| > I've been dreaming lately of a tor-like network that's based
| loosely on the idea of tailnets. Rather than blockchain
| bullshit, you'd have a direct ring of trust with friends, and
| then you could set up access policies to forward packets for
| people you don't trust, but who know someone you do trust.
|
| Might want to check out Yggdrasil. It lets you create a
| _real_ mesh routed, E2E encrypted network. You can keep your
| network private, or connect it to the greater network and route
| others. There's no ring-of-trust (I can't imagine that as a
| viable solution at scale). But the config file has an
| AllowedPublicKeys section if you want to specify who can route
| through your node.
|
| https://github.com/yggdrasil-network/yggdrasil-go
| GekkePrutser wrote:
| Thanks, I thought I knew all the major mesh VPN options
| (tinc, nebula, tailscale, zero tier, hamachi) and yet I never
| heard of yggdrasil.
|
| This is the kind of comment I love HN for!
| ctrlc-root wrote:
| Here's one more:
| https://fastd.readthedocs.io/en/v22/index.html
| siavosh wrote:
| I'm pretty ignorant on this topic, but what are the benefits of
| having a personal VPN?
| stanmancan wrote:
| You can access your home network and any machines on it
| without exposing anything to the public internet. It's much
| safer to connect to my home network over a VPN than to expose
| all of the services to the public internet and hope they're
| all secure.
| criddell wrote:
| Doesn't putting Tailscale in the middle mean you are now
| hoping they are secure? I suppose that's probably better
| than connecting to the VPN on your home gateway router that
| your ISP has access to.
| ziftface wrote:
| Some of my friends used it to play older lan games
| gzer0 wrote:
| I am able to route traffic on my mobile device through my
| home network via the use of their "exit node" option. It
| allows one of my home devices to act as an exit node for my
| entire personal tailscale network.
|
| This serves multiple benefits: the main one being that I
| receive pi-hole filtered ad-free traffic on my mobile device
| via a Wireguard VPN with my home IP 24/7/365
| antihero wrote:
| Ah, the exit node thing is really cool, always handy to
| have a residential IP to route through too :)
| karlshea wrote:
| I can do that without Tailscale though by just using the
| WireGuard app. What is Tailscale adding to this?
| ReverseCold wrote:
| > For a Linux user, you can already build such a system
| yourself quite trivially by getting an FTP account,
| mounting it locally with curlftpfs, and then using SVN or
| CVS on the mounted filesystem. From Windows or Mac, this
| FTP account could be accessed through built-in software.
| rrix2 wrote:
| not having to generate, manage, and distribute wireguard
| secrets and configurations was good enough reason for me
| to switch.
|
| Tailscale also provides a "magic DNS" service which lets
| you resolve your Tailscale device names without setting
| up unbound etc, and which can relay other requests
| through to your pi-hole or unbound or whatever, which can
| then listen _only_ on the tailscale IP address, so no
| need to run an open resolver or deal with source IP
| filtering.
|
| e: also, you can share devices between tailscale users
| without generating, managing, distributing wireguard
| secrets. You send your pal/partner/kid a link and they
| can access your fileserver or raspberry pi webserver or
| pihole server for themselves wherever they are.
| nickysielicki wrote:
| NAT breaking, I can have a wireguard network with
| Tailscale where every device only has an RFC1918 address
| and a default route.
| karlshea wrote:
| Ahhh that is slick
| devman0 wrote:
| Is forwarding a single port that difficult in most
| circumstances? I do realize there are some instances
| where that is hard like CGNAT, but if I have easy access
| to wireguard in my network already what does tailscale
| buy me?
| donaldihunter wrote:
| I was running Wireguard exactly as you describe, but I'm
| now using Tailscale because convenience.
| anderspitman wrote:
| For more background on just how much Tailscale is doing
| for you with respect to NAT:
|
| https://tailscale.com/blog/how-nat-traversal-works/
| [deleted]
| Sohcahtoa82 wrote:
| What other benefits are there? I use a PiHole to block ads
| on my phone already, but I do it via a PiHole installed on
| an EC2 instance that I also use as an IRC bouncer and other
| things.
| pkulak wrote:
| It means you can self host all kinds of things and never
| worry about opening a port on your router.
| anderspitman wrote:
| As long as you don't need to share any of your services
| with non-Tailscale users. Otherwise you'll need to set up
| some sort of public server.
| vineyardmike wrote:
| But you can also try to get them to be Tailscale users
| and effortlessly share the devices with access control
| features they built. I share my home servers and game
| servers with family/friends easily while still keeping
| everything off the public internet.
| anderspitman wrote:
| But now your friends and family are locked into a
| proprietary system, subject to whatever the future
| incentives of Tailscale end up being. How many people can
| you connect on the free plan?
| Spooky23 wrote:
| It's pretty similar as far as how it works for you.
|
| It may be cheaper to VPN to home vs a cloud server, and
| you may avoid issues where sites block AWS. You can also
| securely forward other ports. Sometimes I print or access
| other services in my house that aren't internet safe.
| Sohcahtoa82 wrote:
| I have the PiHole VPN configured so that only DNS lookups
| go through it. All other traffic is not tunneled. It
| means I don't get billed for several gigabytes of traffic
| from AWS and my traffic doesn't come from an AWS IP, but
| I still get all the ad-blocking benefits of a PiHole.
|
| At home on my desktop, I just use uBlock Origin in my
| browser.
| newaccount74 wrote:
| I use it so I can connect to my work machine (dynamic IP on
| office wifi) from my laptop (dynamic IP, home Wifi).
|
| It's also great to be able to just ssh into your laptop at
| home when you're at work and you forgot to push whatever you
| were working on last night.
|
| It's not necessary, but Tailscale makes a lot of things just
| easier.
| yeswecatan wrote:
| > It's also great to be able to just ssh into your laptop
| at home when you're at work and you forgot to push whatever
| you were working on last night.
|
| What's the difference between using Tailscale for this and
| just opening the port on your router?
| pkulak wrote:
| Like a million times more secure.
| colordrops wrote:
| Someone answered above - it works even if you have no
| router you can configure, using NAT busting. I do what
| you suggest though, just setting up wireguard directly on
| my OPNSense router. I don't want to get any private
| company involved in my VPN setup.
| pimeys wrote:
| Easier. And you don't open the port to a public network.
| GekkePrutser wrote:
| For me: direct routing between endpoints, thus reducing the
| lag and spec restrictions you get from routing through a
| single VPN server.
|
| Other things are seamless transition to local networks, and
| you can even have local network encryption.
| shepherdjerred wrote:
| I have a server at home with file syncing, personal media,
| and home automation. I want to be able to access it remotely,
| but I'd rather some of those things not be publicly
| accessible for security. I could always do HTTP auth with an
| nginx reverse proxy, but it's not a very smooth workflow and
| it relies on me being able to configure my server/services
| correctly.
|
| Instead I can bind my services to Tailscales network
| interface and access it anywhere that I'm connected to my
| Tailscale network. It's like authentication for free.
|
| As a side note I know this is an anti-pattern since one
| intruder can access all of my services, but that's not a
| vector I'm really concerned about since I'm not exactly a
| high value target.
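The "bind my services to the Tailscale interface" approach above only does what the commenter wants as long as the service really listens on the tailnet address and not on 0.0.0.0. As an added example (not code from the comment or from Tailscale), here is a small check that picks the tailnet address to bind to and audits a configured listen address. It assumes, as Tailscale documents, that node addresses come from the CGNAT range 100.64.0.0/10; the interface list is constructed sample data standing in for what `ip -4 addr` would report on the host.

```python
import ipaddress
from typing import List, Tuple

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10.
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
# Host parts that mean "every interface" in common listen specs.
WILDCARDS = {"0.0.0.0", "::", "*", ""}

# Constructed sample of the addresses a host's interfaces might carry.
SAMPLE_INTERFACES: List[Tuple[str, str]] = [
    ("lo", "127.0.0.1"),
    ("eth0", "192.168.1.20"),
    ("tailscale0", "100.101.102.103"),
]


def tailnet_addresses(interfaces: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Interfaces whose IPv4 address falls inside the tailnet range."""
    out = []
    for name, addr in interfaces:
        ip = ipaddress.ip_address(addr)
        if ip.version == 4 and ip in TAILNET_V4:
            out.append((name, addr))
    return out


def choose_bind_address(interfaces: List[Tuple[str, str]]) -> str:
    """The one address a tailnet-only service should listen on."""
    found = tailnet_addresses(interfaces)
    if not found:
        raise RuntimeError("no tailnet address found: is tailscaled running?")
    if len(found) > 1:
        raise RuntimeError(f"ambiguous tailnet addresses: {found}")
    return found[0][1]


def split_listen(listen: str) -> Tuple[str, int]:
    """Parse 'host:port' or '[v6]:port'; an empty host means wildcard."""
    host, sep, port = listen.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"bad listen spec: {listen!r}")
    return host.strip("[]"), int(port)


def audit_listen(listen: str, interfaces: List[Tuple[str, str]]) -> List[str]:
    """Problems with a configured listen address; an empty list means OK."""
    host, port = split_listen(listen)
    if host in WILDCARDS:
        # The most common mistake: the service is now on the LAN too, and on
        # the WAN as soon as a port forward or UPnP mapping appears.
        return [f"{listen}: wildcard bind, service reachable on every "
                f"interface, not just the tailnet"]
    problems = []
    addr = ipaddress.ip_address(host)
    if addr.version != 4 or addr not in TAILNET_V4:
        problems.append(f"{listen}: {host} is outside 100.64.0.0/10, not tailnet-only")
    if host not in {a for _, a in interfaces}:
        problems.append(f"{listen}: {host} is not an address on this host; bind would fail")
    if not 1 <= port <= 65535:
        problems.append(f"{listen}: port {port} out of range")
    return problems
```

Reachability over the tailnet is one layer. As the comment itself notes, a service that trusts every tailnet peer has no per-application authentication, so for anything shared beyond a household keep the application's own login in place as well.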
| jjeaff wrote:
| I don't think that is an anti-pattern. One well secured
| point of access is better than various http access points
| with varying levels of security and maintenance levels, all
| requiring frequent manual update to stay secure.
| shepherdjerred wrote:
| I meant that for larger organizations where security is a
| concern you'd want both -- your network should be secured
| and the individual applications should be as well. Again
| it's contextual advice and really doesn't matter for my
| internal site where there's not too much at stake.
| anderspitman wrote:
| > Web3 happens when people can host stuff on their phones
|
| This has essentially been the guiding principle of my side
| projects for the last two years. Folks shouldn't need to
| understand DNS, TLS, HTTPS, IP addresses, ports, NAT, CGNAT,
| etc in order to own their data. Self-hosting a small server for
| you and your friends shouldn't be any more difficult or less
| secure than installing an app on your phone.
| lazzlazzlazz wrote:
| > a direct ring of trust with friends
|
| The vision you outlined is great, except it doesn't work. The
| trust assumptions are too high, and even a great product like
| Tailscale seems to rely completely on centralized identity
| providers (you have to choose Google, Microsoft, or Github on
| sign-in).
|
| Ultimately, if you want to maintain full control of your online
| identity and network, you'll probably need some of the
| decentralized (but economically aware) resources you seem to
| have issues with -- or at the very least a means of
| transitioning authentication to private key methods with DIDs.
| nickysielicki wrote:
| I feel like people are so concerned about infinite scaling
| that nobody ever tries to scale to 5 anymore.
|
| I have a big collection of movies, and I'd like my mom-
| technical blue collar friends to be able to watch them. I
| trust them, and I have trusted communication channels with
| them. We exchange keys _somehow_.
|
| With the sort of routing I'm describing, they could watch my
| movies and I wouldn't have to have a public IP address. And I
| wouldn't mind if their friends (that aren't my friends) watch
| my movies, either, by forwarding through my friends. What's
| the catch? This could work for that. How could I do this
| _today_?
|
| I don't have any ideological or moral problem with
| blockchains, I just think they suck at solving problems where
| the requirements for trust are low or met elsewhere.
|
| edit: mom-technical was a typo of non-technical but I'm
| leaving it because it's more accurate.
| depingus wrote:
| > And I wouldn't mind if their friends (that aren't my
| friends) watch my movies, either, by forwarding through my
| friends.
|
| This is the part that doesn't scale. Hell, this is
| extremely risky even at a small scale. You don't know who
| your friends' friends are, you will have friends that abuse
| this, and you will end up with a much larger network than
| you anticipated.
|
| How many of your friends and family are "friends" with bots
| on Facebook?
| anderspitman wrote:
| Definitely stealing mom-technical. Though I do disagree
| somewhat with the conflation with blue-collar. I would
| almost argue white-collar folks are less likely to
| understand computers.
| cma wrote:
| What are DIDs: Device IDs?
| lazzlazzlazz wrote:
| Decentralized Identifiers: https://www.w3.org/TR/did-core/
| zanny wrote:
| I self host headscale as my control node of my tailscale vpn
| so no sign ins required, I just give keys out to anyone I
| want in my vpn.
|
| My problem is the client doesn't support multiple servers, so
| I can't have a work vpn and a home vpn, not even with an easy
| toggle - you have to run tailscale with different conf
| options for both. Changing namespaces also isn't easy, so
| having friends and family segregated even on one server is
| also a pain point.
| GekkePrutser wrote:
| Thanks, the main objection I have with tailscale is that you
| can't self-host (and you need external identity providers).
| I had no idea there was a self host option. I'll
| investigate. I assume it's an unsupported community option?
| seedie wrote:
| OP is talking about headscale [0] "An open source, self-
| hosted implementation of the Tailscale control server"
|
| [0] https://github.com/juanfont/headscale
| polote wrote:
| > The biggest risk that this company has is that Cloudflare (in
| all reality) should just buy them or reimplement it. It's the
| type of product cloudflare would make, that's for sure.
|
| The same thing is being said on HN about all kind of network
| software, but tell me one software that Cloudflare is really
| known for except its cdn ? None.
|
| HN is really a strong echo chamber and some people believe
| Cloudflare and Stripe are going to be the leader in all
| software areas. (Even though Cloudflare is not the leading CDN
| and Stripe is not the leading payment processor). They are both
| amazing companies but they won't fix all problems of the world.
| I would even argue that they won't even solve more than their
| current core domains
| freedomben wrote:
| We must be in different circles, because WAF (web application
| firewall) is what I would say they're most known for. But I
| agree Cloudflare isn't well known (at least yet) for many of
| the other things they offer. Been a lot of buzz around
| workers but I haven't tried it myself yet.
| devman0 wrote:
| CDN and Reverse Proxy are Cloudflare's bread and butter
| really, WAF came later. The issue is that those
| technologies are rather invisible to most users when they
| are working correctly.
| nickysielicki wrote:
| I bring up cloudflare because the technologies involved with
| Tailscale are really cloudflare core competencies. Cloudflare
| runs 1.1.1.1/WARP which is a massive dns server and wireguard
| VPN, respectively. They already have Cloudflare Access. It's
| a natural fit. It's pretty easy to imagine that cloudflare is
| better positioned to steal customers from Tailscale than
| Cisco, F5, or Fortinet.
|
| Cloudflare needs to solve two problems: they need to
| introduce a free tier of Access that doesn't use the CDN and
| creates direct connections between endpoints (to basically
| remove all operating costs), and they need to make the
| onboarding process for hobbyists easier instead of having a
| "contact sales" link on their homepage for these products.
| That's doable.
| 1vuio0pswjnm7 wrote:
| "Being based on open source wireguard, and being just a
| STUN/TURN server at its core... I'm sure that Tailscale will be
| the first but maybe not the best."
|
| I like this assessment. "[J]ust a STUN/TURN server at its
| core." It gives me hope maybe more people are starting to learn
| how to look at peer-to-peer not as something that is
| unreasonably complex and off-limits to ordinary users. LAN-like
| connectivity is not just for offices and gamers.
|
| Of course, following a STUN/TURN standard is just one approach
| to a rendezvous server. It isn't the first or last approach to
| have worked.
|
| By "rendezvous server" I mean a program that accepts
| connections and saves each client's address and open port
| number and makes this data available to other connecting
| clients, thereby allowing one client to connect _directly_ to
| another client _without involving the rendezvous server_. The
| server needs only to tell clients about IP addresses and port
| numbers, nothing more.^1 Thus it can be a relatively small,
| relatively simple program.^2
|
| I hope that going forward there will be even more choice in
| small, open source rendezvous servers, not created for
| commercial purposes, that ordinary users can run on globally
| reachable IP addresses. Most users must "lease" these addresses
| from others. Because not every user has a globally reachable IP
| address available, the use of "hosting" and now what people
| today call "cloud" services has been necessary.
|
| Enormous amounts of traffic are passing through these third
| party "cloud" providers. They are, to use a popular term,
| "gatekeepers". Business customers, including ones who already
| control globally reachable IPv4 address space, let alone
| individual customers without such resources, are effectively
| beholden to them if they want to be on the internet. Not only
| that, the services are generally expensive.
|
| However no data needs to be sent to or received from a
| rendezvous server other than address and port information. If
| customers are charged based on ingress/egress, it could be
| affordable for users to run these small programs on a "cloud
| server" due to the smaller amount of data transfer. With less
| data being sent to these third party providers, the privacy
| concerns would arguably be reduced as well (cf. eliminated).
|
| The ability to connect devices directly over a network,
| including the internet, should not be monopolised like so many
| other aspects of the computers and the internet today. It
| should be available for everyone. The only cost should be
| paying for the globally reachable IP address and a tiny amount
| of traffic required for running a rendezvous server.
|
| 1. The advantage here is that the program can be easier and
| quicker to compile and users may be more inclined to read the
| source code and, optionally, make edits and recompile. Non-
| commercial, not a complex program like a web browser that is
| prohibitively slow to compile that almost no one compiles for
| themselves, nor one that few people have both the aptitude and
| inclination to read, edit and improve its source code.
|
| 2. Yes, there can be exceptions. For example, in some cases two
| clients using the same ISP might not be able to reach each other
| directly. But these cases are the exceptions, not the rule.
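To make the "just a STUN/TURN server at its core" remark from earlier in the thread, the NAT-breaking comment, and the rendezvous-server description above concrete: an added example, not Tailscale's code, of the two pieces a minimal rendezvous needs. The STUN Binding Request / Success Response framing follows RFC 5389 (magic cookie, 96-bit transaction id, XOR-MAPPED-ADDRESS); the directory class and the peer names and addresses used in demo() are constructed for illustration, and only IPv4 is handled.

```python
import os
import struct
import ipaddress
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value in every STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

Endpoint = Tuple[str, int]


def build_binding_request(txn_id: Optional[bytes] = None) -> bytes:
    """Client -> server: a 20-byte header with no attributes. The transaction
    id must be random so the reply can be matched and spoofed ones rejected."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def build_binding_success(txn_id: bytes, ip: str, port: int) -> bytes:
    """Server -> client: echo the transaction id and report the source
    address:port the request arrived from, XORed with the cookie so a NAT
    that rewrites IP literals inside payloads cannot corrupt it."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)       # reserved, family=IPv4
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def parse_binding_success(msg: bytes, expected_txn: bytes) -> Endpoint:
    """Recover (ip, port) from a Binding Success Response, validating framing."""
    if len(msg) < 20:
        raise ValueError("truncated STUN header")
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding Success Response")
    if msg[8:20] != expected_txn:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if len(msg) != 20 + mlen:
        raise ValueError("length field disagrees with datagram size")
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS and alen == 8:
            _, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
        off += 4 + ((alen + 3) & ~3)   # attributes are padded to 32-bit boundaries
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


class Rendezvous:
    """The directory half: remembers each peer's observed public endpoint and
    hands it to whoever asks. It never carries payload traffic."""

    def __init__(self) -> None:
        self._peers: Dict[str, Endpoint] = {}

    def register(self, name: str, observed_from: Endpoint) -> None:
        # observed_from is the datagram's source, i.e. the NAT's outside mapping
        self._peers[name] = observed_from

    def lookup(self, name: str) -> Optional[Endpoint]:
        return self._peers.get(name)


def demo() -> Dict[str, Optional[Endpoint]]:
    """Two NATed peers learn their mappings and swap them through the
    directory. Addresses and names are constructed sample values."""
    txn_a, txn_b = os.urandom(12), os.urandom(12)
    # what a STUN server would answer, given the source it saw each request from
    a_public = parse_binding_success(build_binding_success(txn_a, "203.0.113.10", 40001), txn_a)
    b_public = parse_binding_success(build_binding_success(txn_b, "198.51.100.7", 51234), txn_b)
    directory = Rendezvous()
    directory.register("alice-laptop", a_public)
    directory.register("bob-pi", b_public)
    # Each side now sends straight to the other's mapping (hole punching).
    # If both sit behind the same NAT and it does not hairpin, that fails and
    # they need LAN discovery or a relay instead.
    return {"alice-laptop": directory.lookup("bob-pi"), "bob-pi": directory.lookup("alice-laptop")}
```

The parser refuses a reply whose transaction id does not match the request, which is the one check that keeps an off-path attacker from feeding a client a bogus mapping, and the length check keeps a truncated datagram from being read past its end. Everything else a product like Tailscale adds (authenticated peers, key exchange, relays for the UDP-blocked case) sits on top of this small exchange.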
| wackget wrote:
| > Gets $100M investment
|
| > Still produces graphs without axis labels
| mengibar10 wrote:
| Excuse my ignorance but this is something I have been longing to
| ask for. Do these services compromise security? Wouldn't you put
| too much trust on these services, like 1Password. If that service
| is compromised in some way, aren't you exposed? Is there a good
| article or debate on this topic? Thanks.
| anuvrat1 wrote:
| There exists ZeroTier too, which can be self-hosted.
|
| [1]: https://www.zerotier.com/
| flemhans wrote:
| What's the state of affairs when it comes to self-hosting?
|
| I'm waiting to deploy either Nebula, ZeroTier, or Tailscale, but
| we don't want to rely on third parties for auth or coordination.
| fullstackchris wrote:
| Crap... is this literally the product I've been MVPing the past
| few weeks? (https://kurynt.com) - or do I still have a chance?
|
| Full disclosure - there is little to no functionality yet, but
| the homepage is enough
| fullstackchris wrote:
| OK, reading the comments it is a totally different product, but
| I guess I have to try it!
|
| "Zero config VPN. Installs on any device in minutes, manages
| firewall rules for you, and works from anywhere."
|
| Okay... at first I said to myself, _no way_. But then I
| thought, "Any sufficiently advanced technology is
| indistinguishable from magic."
| api wrote:
| As the founder of what some say is a competitor (ZeroTier) I'd
| like to congratulate the Tailscale team. We don't really see
| Tailscale as the competition. We see the competition as:
|
| (1) The old school castle and moat IT model that dominates at 99%
| of companies. If we can disrupt this then TS, ZT, and four other
| upstarts could all become billion dollar companies. Right now
| 1-2% of this market has been disrupted at most.
|
| (2) The put everything in the cloud and everyone gets a thin
| client model. If that wins then _all_ of us lose because there is
| no market for endpoint connectivity. We also lose all privacy,
| all data ownership, and all ability to experiment or innovate
| without paying for it by the instance-hour with TOS-enforcement
| bots looking over our shoulder.
| hwpky wrote:
| Agree with this, Adam.
|
| Avery and the team at Tailscale are building a fantastic
| product and totally deserve the round and recognition, huge
| congratulations - we're super happy for them.
|
| In many ways they're also an ice-breaker for the zero trust
| overlay network architecture, which means they've got the most
| work to do. As the current top comment on this thread correctly
| notes, with huge investment comes the obligation to eventually
| pay it back.
|
| The market hasn't even come close yet to crossing the chasm and
| seeped into mainstream conscience to become the accepted norm -
| yet.
|
| That said, we believe fiercely that networks should be simple
| to reason about, easy to use and safe to operate. That private
| connectivity should "just work", and just work in exactly the
| same way, everywhere too. Flexible to change, simple to
| automate and only available to the right things at the right
| times.
|
| When you think about it, building private networks is actually
| pretty complex right now and can be pretty insecure too. It's
| some unholy combination of spell casting meets a yak shaving
| contest to wrangle firewalls, VPNs, MTUs, and manage IPs,
| subnets, ACLs, NSGs, VPCs, NAT, routing, VLANs, certificates &
| secret keys, then hoping a zero-day doesn't show up that drops
| someone straight into the network via the VPN server, who then
| starts poking around the squishy centre.
|
| Once you've used products like Enclave, Tailscale or ZeroTier
| and seen how simple private networks really can be - at a
| certain point you almost stop and ask the question, why would
| you not do it like this.
|
| There will always be nay-sayers and people for whom this
| approach just isn't a fit, and that's fine - but I personally
| find it hard to imagine that this genie can be put back in the
| bottle.
|
| - Founder @ https://enclave.io
| api wrote:
| What will happen over time is that as we disrupt old-school
| IT and re-introduce the idea that you can own your own
| compute (disrupting the everything-cloud model) the various
| participants in this new area will find niches in which their
| specific strengths and features shine the most. This always
| happens. Look at databases. There are like 10 decent sized
| database vendors for a reason, not to mention several
| paradigms: SQL, NoSQL, NewSQL, GraphQL, etc.
|
| But if we don't succeed in disrupting the actual competition
| everyone fails.
|
| At least that's how I look at this market.
|
| Of course I'm also a mostly-follower of the "ignore your
| market peers, focus on the customer" philosophy. Your
| greatest competition is always your own shortcomings.
| ryanar wrote:
| I am guessing two of the other startups are strongDM and
| Teleport. Wonder what others are in this space and have gone to
| Series B+
| Dave3of5 wrote:
| Crazy how people can raise these sums of money, it's all about
| who you know.
|
| I also notice they have a careers page so I had a gander. A 6
| stage interview process! Good lord tech companies really have
| gone down the shitter
| [deleted]
| ineedasername wrote:
| It sounds similar to what hamachi _could_ have been if it was
| really invested in product management & enterprise features.
| orliesaurus wrote:
| interesting, that's the first thing I also thought of! (in fact
| I grep'd "hamachi" on this thread) I totally agree - it's a
| shame hamachi just gave up
| jonfw wrote:
| There is another interesting company in this space- Netmaker[0].
| It's been getting a lot of traction in the homelab space- namely
| because it takes advantage of kernel wireguard, which is more
| performant than the userspace wireguard that tailscale uses.
|
| [0] - https://www.netmaker.org/
| [deleted]
| apeace wrote:
| Tailscale's CEO has been tweeting a series of "rejected
| headlines" for their fundraising announcement. They're pretty
| funny. I thought the HN crowd would like this one:
|
| > Tailscale raises $100M to do what any Hacker News reader could
| have done in a weekend [0]
|
| [0]
| https://twitter.com/apenwarr/status/1521873453921583105?cxt=...
| anderspitman wrote:
| Makes me miss n-gate.
| jrockway wrote:
| There are already comments where people are showing their
| simple 400 step procedure that can get you 1% of Tailscale.
|
| Never forget https://news.ycombinator.com/item?id=8863
| newhouseb wrote:
| Tailscale is my favorite (product) discovery of 2022. I initially
| set it up to use as a VPN to get around a misbehaving corporate
| firewall and accidentally realized it solved a whole bunch of
| other problems I didn't realize I had. Usually a new product
| doesn't even live up to the intended use case and so TS is really
| anomalous IMHO in how good it is.
|
| - SSH'ing into a raspberry pi I have at home that does random IoT
| stuff.
|
| - Accessing servers on my local dev machine from other devices
| for testing (i.e. a Windows box or phone)
|
| - Giving access to production bastion devices without publicly
| exposing anything to the internet.
|
| And best of all I don't have to fiddle with the usual networking
| stuff. It just works. Kudos on the raise!
|
| Non-disclaimer: I have no relation to anyone on the team.
| Tailscale is just a delight to use.
| cogogo wrote:
| I've been using it since last summer to SSH to my pi too. Huge
| relief in terms of securing it. Easy to install and it just
| works. I'm not particularly savvy either.
|
| My only complaint is that if you use it on your phone (iphone
| 11) and forget to turn it off it drains the battery like crazy.
| natrys wrote:
| When I tried Tailscale it seemed to have high CPU problem in
| general under reasonable load. I don't remember the numbers,
| but it made me uncomfortable to use it in my low powered
| servers. I wonder if this is the consequence of being a
| userspace program unlike wireguard kernel module.
| fullstackchris wrote:
| But HOW can this work? It MUST have config level access to each
| machine, that's the only way I can see this working. I guess I
| just have to try it to see.
| ramary wrote:
| It's a really neat piece of software - you're right that it
| does have the ability to configure your system, routing
| tables in particular.
|
| The Tailscale agent (thing that runs on your machine) changes
| the system routing table (at least on Linux) and uses policy-
| based routing (marks packets destined for the "Tailnet"
| specially) to build the overlay network. Since everything is
| done at L3 in the OSI model, iOS and Android clients (in the
| form of an app) are also available without needing root
| (jailbreaking).
|
| There are some things it can't do owing to the whole thing
| operating at L3, but it's a really awesome implementation
| nevertheless. And just to add, they aren't the first to build
| a product like this, but they do it incredibly well and the
| time to value for most users is extremely short, made even
| better by the fact that the expectation is that the time to
| value will be long(ish) and painful.
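| To make the policy-based routing described above concrete, here is an added example (not Tailscale's code) that walks a packet through a rule list the way the Linux kernel does: rules in priority order, a fwmark match, a longest-prefix lookup in the selected table, and fall-through to the next rule when that table has no matching route. The mark value, table number, rule priorities and routes are all constructed for this example.

```python
"""Policy-based routing walk-through: how fwmark rules steer packets into an
overlay routing table and back out again.

Added example, not Tailscale's code.  Every number below (rule priorities,
fwmark, mask, table id, prefixes) is constructed to mimic the shape of
`ip rule show` / `ip route show table N` output, not copied from any agent.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    """One line of `ip rule`: '<priority>: from all [fwmark M/MASK] lookup <table>'."""
    priority: int
    table: str                     # "main" or a numbered table such as "52"
    fwmark: Optional[int] = None   # None means the rule matches every packet
    mask: int = 0xFFFFFFFF

    def matches(self, mark: int) -> bool:
        return self.fwmark is None or (mark & self.mask) == self.fwmark


@dataclass(frozen=True)
class Route:
    """One line of `ip route show table N`: '<prefix> dev <iface>'."""
    prefix: IPv4Net
    dev: str


# Constructed policy.  The agent marks its own encrypted transport packets so
# they skip the overlay table (otherwise the tunnel would try to route its own
# carrier traffic into itself).  Unmarked packets consult the overlay table
# first and fall through to the main table when nothing there matches.
OVERLAY_MARK = 0x80000   # constructed
OVERLAY_MASK = 0xFF0000  # constructed
OVERLAY_TABLE = "52"     # constructed

RULES: List[Rule] = [
    Rule(priority=5210, table="main", fwmark=OVERLAY_MARK, mask=OVERLAY_MASK),
    Rule(priority=5270, table=OVERLAY_TABLE),
    Rule(priority=32766, table="main"),
]

TABLES: Dict[str, List[Route]] = {
    OVERLAY_TABLE: [
        # constructed overlay address range and one constructed subnet route
        Route(ipaddress.ip_network("100.64.0.0/10"), "tailscale0"),
        Route(ipaddress.ip_network("192.168.50.0/24"), "tailscale0"),
    ],
    "main": [
        Route(ipaddress.ip_network("192.168.1.0/24"), "eth0"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),  # default route
    ],
}


def lookup_table(table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one table; None when nothing matches."""
    best: Optional[Route] = None
    for route in TABLES[table]:
        if dst in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def route_packet(dst: str, fwmark: int = 0) -> Optional[Tuple[str, str]]:
    """Return (table, egress device) chosen for a packet, or None if unroutable.

    Mirrors the kernel's fib lookup: rules are tried by ascending priority; a
    rule whose table has no matching route does not end the search, the next
    rule is consulted instead.
    """
    addr = ipaddress.ip_address(dst)
    for rule in sorted(RULES, key=lambda r: r.priority):
        if not rule.matches(fwmark):
            continue
        hit = lookup_table(rule.table, addr)
        if hit is not None:
            return rule.table, hit.dev
    return None


if __name__ == "__main__":
    for dst, mark in [("100.101.102.103", 0), ("100.101.102.103", OVERLAY_MARK),
                      ("8.8.8.8", 0), ("192.168.50.7", 0), ("192.168.1.9", 0)]:
        print(f"{dst:>16} mark={mark:#x} -> {route_packet(dst, mark)}")
```

| On a real host the equivalent check is to read `ip rule show` and `ip route show table <n>` and confirm that only the agent's marked traffic bypasses the overlay table and that the overlay table carries nothing beyond the addresses you expect.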
| chrisweekly wrote:
| Similar experience. It's profoundly good UX atop a
| fundamentally strong stack.
| jclardy wrote:
| Same here - I've found a ton of uses, for one I can now access
| my Home Assistant instance without actually exposing it to the
| internet. Same for the linux VMs I run via ESXi on the same
| Intel NUC. I can also access my QNAP NAS without exposing that
| to the internet which is huge given how many vulnerabilities
| have been found with it.
|
| It actually allows me to turn my iPad Pro into a proper
| development machine as long as I have access to the internet
| since I can write code locally via Textastic, push to my git
| repo and test via the VM connected to Tailscale. Of course this
| was possible with a box on DigitalOcean but I prefer not to pay
| monthly for a machine just for noodling around.
| planb wrote:
| SSH'ing to a raspberry pi in my parent's basement where my beer
| is fermenting has been the killer use case for me. Their crappy
| ISP router does not allow port forwarding, but with Tailscale I
| can directly access the sensors. Only today I learned that I
| can even use Tailscale as an exit node (to the internet or the
| local network) and therefore use it like a normal VPN.
| bovermyer wrote:
| So how do you use this for personal stuff? I know you mentioned
| the Pi, but what else do you use it for?
| anderspitman wrote:
| Why use SSH? With Tailscale all you need is rsh ;)
| aaronax wrote:
| I have heard of but never really looked in to Tailscale until
| today. I'm not impressed.
|
| "Fixing the Internet" is not done by layering more private
| network garbage on top of it.
|
| Their claim[0] that after you install Tailscale on all your
| devices: "This final configuration is called 'zero trust
| networking'," is pretty interesting. It seems this would be more
| like having a trusted internal network (sure it is overlaid on an
| untrusted network). A true zero-trust network would mean all of
| your clients and servers are secure in a manner that they can
| operate on the public Internet...like O365, Salesforce, etc. To
| say that you run a zero-trust network because you implement a
| fancy VPN is C-suite dreaming at its finest.
|
| "get around a misbehaving corporate firewall" like newhouseb
| sings praises for is exactly the sort of thing that should be
| happening less, and the opposite of "fixing the Internet". Follow
| the policies of the network you are being allowed to use, or
| lobby for them to be fixed. Don't like ISPs messing with DNS
| traffic? Get rules/laws implemented that prohibit that, instead
| of garbage like hiding your DNS in DNS over HTTPS. (DNS over TLS
| seems more acceptable to me.)
|
| [0] https://tailscale.com/blog/how-tailscale-works/
| newhouseb wrote:
| To be fair, my "misbehaving corporate firewall" is actually my
| apartment that has building-managed internet wherein everyone
| is NAT'ed to the same fiber connection.
|
| For whatever reason, SYN flooding detection triggers when you
| do more than a few TCP connections per second which makes most
| TCP-based things super frustrating and their IT is clueless as
| to how to fix it.
| rcfox wrote:
| "Don't like entities abusing their power over you? Just change
| the laws that allow them to do that!" What.
| gkbrk wrote:
| This is how people fix things caused by commercial entities
| being abusive. It's done quite a bit, most of the critical
| things people rely on are regulated.
|
| Do you live in a place that doesn't regulate things?
| rcfox wrote:
| You could spend time to learn about the process, deal with
| months or years of lobbying, deal with counter-lobbying,
| and eventually win your position or maybe not. Or you could
| use this technical workaround.
|
| And maybe we're all worse-off for it, but now you're done
| dealing with that issue.
| aaronax wrote:
| Yes, so I think it is reasonable that someone who
| stumbles upon $100,000,000 and wants to "fix the
| Internet" aim a little higher than making it as easy as
| possible to do the technical workarounds that leave us
| all worse-off.
| Thaxll wrote:
| > Get rules/laws implemented that prohibit that
|
| You know this does not work in the real world right?
| stephenanand wrote:
| user3939382 wrote:
| Every time I've looked at setting up distributed VPN I've wanted
| layer 2, I haven't used WireGuard yet but apparently it's layer
| 3. I would love to be able to connect remotely and have my newly
| connected machine act like just another machine on the LAN. That
| in turn makes all kinds of other network-related operations
| simpler and homogeneous, in that the remote property of the
| connected machine(s) is abstracted away.
| Meleagris wrote:
| Check out ZeroTier. I believe it fills the same needs as
| Tailscale, but with layer 2.
| jollybean wrote:
| " What if we all just had a static IP address, and a DNS name?
| ...and the address migrated around the world with you? ...and you
| could connect to any of your devices no matter where they were?
| ...and it was always encrypted? ...and there was always a
| correctly configured firewall? ...and you never had to worry
| about certificates? ...and every device in your organization was
| tied to a user identity and SSO and MFA? ...and all this just
| happened automatically? "
|
| So why do people care about that?
|
| Those all seem like positive things but they are in and of
| themselves, not value creating.
|
| From this article and even their landing page ... I think they
| might need an explanation that makes more sense than
| IT/Networking Admin.
|
| Even as a developer, I don't quite see the obvious benefit.
|
| Instead of taking about 'what if you could have this tech that
| does ABC' - instead, talk about it in terms of problems 'what if
| you didn't have this problem or that one'. etc..
| MobiusHorizons wrote:
| Have you ever tried running a server or sshing to things that
| weren't in a cloud provider? Have you ever run something you
| want access over the internet without wanting that thing on the
| open internet getting attacked? Tailscale provides a solution
| to the problems you run into in those situations. It gives you
| a way to access (or selectively give specific people access to)
| these devices from anywhere on the internet while still having
| those assets behind a firewall.
| HWR_14 wrote:
| I know it was supposed to be a funny throwaway line, but I am
| irked by the "with $100 million you could interrupt the Super
| Bowl for 7 full minutes." That's not how sports advertising runs
| works. You are bidding on a limited amount of space determined by
| the game. I think there is also a non-linear cost.
| jaywalk wrote:
| Of course the NFL would never allow a 7 minute commercial
| break, although I do believe that the cost is linear. A 60
| second commercial's cost is simply 2x 30 second commercials.
| There's no reason to do anything differently, since in the end
| it doesn't matter if that 60 seconds are filled by one or two
| commercials (aside from making the ad sales team's job slightly
| easier by having one less spot to fill).
| HWR_14 wrote:
| I think there are reasons why cost would be nonlinear. First,
| there's simply demand. The people who want to do 60s clearly
| have a reason that 30s won't work, so they may be willing to
| pay more (certainly they won't pay less). It's a different
| segmented market. There is a reason companies with lots of
| commercials tend to also be official sponsors of the Super
| Bowl. Second, practically it costs more. Ads are reshuffled
| around in real-time and the number of times you can be sure
| you can broadcast a 60 second spot are less than you being
| able to broadcast a 30 second spot, since the action may
| resume at an indeterminate time. Third, the Super Bowl
| specifically sells itself on the quality of the ads. It could
| do long term damage to the Super Bowl if the ads one year
| were just one company and not the funny celebrity heavy spots
| people expect.
| jaywalk wrote:
| > the action may resume at an indeterminate time.
|
| This is not true. The commercial breaks in all US pro
| sports have a pre-determined length, and the game action
| will not resume until the broadcast has rejoined (outside
| of a mistake somewhere along the line). In the NFL, they
| have a countdown timer on the stadium scoreboard indicating
| how much time is left in the commercial break, and even a
| dedicated guy who stands on the field next to a referee,
| talking to the TV truck to confirm when the broadcast has
| rejoined.
| pilif wrote:
| With such a huge investment comes the obligation to eventually
| pay it back. Is this another one of my favourite tools going the
| way of Dropbox, 1Password and all other companies that were
| formed around what should be a platform feature, which took on
| way too large investment sums and were eventually forced to
| become the everything, losing sight of their core values?
|
| I sincerely hope not, but there's so much bad precedent.
| IceWreck wrote:
| Even if it does go away, you're not losing anything. Its
| functionality can be replicated with a USD 5 VPS using Slack's
| nebula (not wireguard based) or any wireguard based tool like
| headscale, innernet, netmaker or plain old wireguard.
| oicU00 wrote:
| It's a basic web UX over a built-in Linux kernel feature
|
| There are Docker containerized apps that manage Wireguard too
|
| Maybe contribute to one and fret less about behavior of VC
| funded business and wondering if they're actually respecting
| your privacy to accomplish finance goals
| airstrike wrote:
| "It's just FTP with curlftpfs and SVN"
| shepherdjerred wrote:
| It handles a lot more than that, right? It does all of the
| key distribution and rotation which is a pain.
| oicU00 wrote:
| If they can do it it's not impossible (they're just people
| after all).
|
| With an open source implementation out there, anyone can do
| it merely pulling a Docker container, and without paying
| Tailscale.
|
| Regardless I manage a dozen users with no issue using
| Embark's container; once they're setup I touch nothing.
|
| Paying people is not working with people; it's working with
| a specific group. Open source is working with people.
| [deleted]
| samhw wrote:
| If the open source implementation is equally good, I'm
| sure people will use that instead of Tailscale. That
| Tailscale exists makes me suspect that the open source
| implementation - as is usually the case with these "just
| use curlftpfs!" comments - _is not_ equally good.
|
| The reality is that making software, like any other human
| endeavour, takes time and energy. Paying one another
| money is a rather well-established mechanism of rewarding
| and incentivising that time and energy (since not
| everyone wants to work free of charge to make and
| maintain software for you, out of the goodness of their
| hearts, no matter how much you insist that you're owed
| their unpaid labour).
|
| There are small and local means of getting free food, or
| free woodworking, etc, but the general reality is that a
| high-quality high-dependency maintained product, over the
| long term, is more feasible when it's paid.
| shepherdjerred wrote:
| It's the same argument as the famous Dropbox comment[0].
| I'm generally going to prefer a polished service over a
| technical solution.
|
| [0]: https://news.ycombinator.com/item?id=9224
| shepherdjerred wrote:
| I haven't paid them a penny despite using their product
| for a while. And now that I've realized this, I've signed
| up for their personal pro plan.
| ramraj07 wrote:
| Dropbox has been fine ish? Like not stellar but it's still
| something I use as one of my core tools and pay for.
| skoskie wrote:
| Ditto, but the fact that they still can't handle more than
| ~300k files is a long-standing problem they have yet to
| solve. I have close to a million syncing files and startup
| time for the app takes about 20 minutes on a brand new MBP,
| and CPU and overall energy usage is ridiculously high. All
| while they keep pushing me to backup more files.
|
| I pay over $700/ yr for their business plan and would like to
| have better performance for it.
| kbumsik wrote:
| Really? I have more than 1000k files and I have never faced
| issues for more than 7 years.
| YPPH wrote:
| How has 1Password lost sight of its core values?
|
| Perhaps you refer to loss of local vaults? If so, they were
| never really a viable option for me - I needed the app syncing
| across multiple devices, including mobile, and doing so with a
| third party sync solution wasn't suitable.
| criddell wrote:
| For me, it was their switch to an Electron app. "High
| security" and "built from dozens of third party libraries and
| running on a browser" don't belong together.
| danenania wrote:
| Electron actually offers some of the best dependency-
| isolation capabilities of any language/platform given that
| you can set a content-security policy and leverage Chrome's
| extremely robust sandboxing to prevent front-end
| dependencies from accessing the file system, making network
| calls to untrusted domains, making system calls, calling
| 'eval', etc.
|
| A fully native app will offer you no such protection. If a
| dependency used for styling or animations or whatever is
| compromised, it will have total access to the system and be
| able to exfiltrate at will to any location. In Electron,
| the equivalent dependencies can instead run inside the CSP
| sandbox, preventing them from doing any serious harm.
|
| Supply chain vulnerabilities also aren't unique to npm. Any
| project that uses dependencies (in any language) has the
| same issue.
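| The comment above leans on two concrete CSP properties: the renderer cannot call eval, and it can only open connections to an allow-list of origins. Here is an added example (not Electron's or 1Password's code) that parses a policy string and reports whether it actually delivers those two guarantees; the policies and the trusted-origin list are constructed for illustration.

```python
"""Audit a Content-Security-Policy for the two properties discussed above:
no eval in the renderer and outbound connections limited to trusted origins.

Added example, not Electron's or 1Password's code.  Policies and origins are
constructed for illustration.
"""
from typing import Dict, List

# Source expressions that make a script-src effectively unbounded.
BROAD_SCRIPT_SOURCES = {"*", "https:", "http:", "data:"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse 'dir src src; dir src' into {directive: [sources]}.

    Directive names are case-insensitive; an empty policy yields {}.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Fetch directives (script-src, connect-src, ...) inherit default-src when
    absent.  With no policy at all the browser allows everything, modelled as
    a single wildcard source."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", ["*"])


def audit_csp(policy: str, trusted_origins: List[str]) -> List[str]:
    """Return a list of findings; an empty list means both properties hold."""
    directives = parse_csp(policy)
    findings: List[str] = []

    script = effective_sources(directives, "script-src")
    if "'unsafe-eval'" in script:
        findings.append("script-src permits eval()")
    if "'unsafe-inline'" in script:
        findings.append("script-src permits inline scripts")
    broad = sorted(BROAD_SCRIPT_SOURCES.intersection(script))
    if broad:
        findings.append(f"script-src is effectively unbounded: {broad}")

    connect = effective_sources(directives, "connect-src")
    unexpected = [
        src for src in connect
        if src not in ("'self'", "'none'") and src not in trusted_origins
    ]
    if unexpected:
        findings.append(f"connect-src allows destinations outside the allow-list: {unexpected}")
    return findings


# Constructed sample policies.
WEAK_POLICY = "default-src *; script-src * 'unsafe-eval' 'unsafe-inline'"
STRICT_POLICY = (
    "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
    "connect-src 'self' https://api.example.invalid"
)
TRUSTED = ["https://api.example.invalid"]  # constructed allow-list


if __name__ == "__main__":
    for label, policy in [("weak", WEAK_POLICY), ("strict", STRICT_POLICY), ("none", "")]:
        print(label, audit_csp(policy, TRUSTED) or "ok")
```

| Note that a CSP governs only the renderer's document; dependencies loaded by the Electron main process run under Node and are outside its reach.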
| YPPH wrote:
| The choice of tech stack for a desktop application seems
| like an interesting basis to claim a company has lost touch
| with its core values.
| skoskie wrote:
| I'm fully in the camp who believes critical, top-level
| security should not co-exist with npm pulling dozens of
| 3rd party libraries which each pull even more 4th party
| code.
|
| Is there anyone here with a counter argument? Has a
| security review been performed on each dependency? Any
| reason to think my fear is unfounded?
| dcow wrote:
| And what should replace it? Rust? Cargo? Oops. (I believe
| 1Password uses Rust for security-sensitive parts too,
| btw.) I'd genuinely like to know what the correct tech
| stack for a password manager is today because using the
| right one is important to my current endeavor.
|
| Regardless, at Uno we're working on a password manager
| with a native app and rust core. It's geared more towards
| everyday consumers than power HN users, but you might
| find it interesting. The rust core including api server
| is open source right now because that's one point where
| we diverge from 1P. Whatever tech stack you choose, it
| needs to be openly auditable so that the community can
| collectively ensure it remains secure.
| https://github.com/withuno/identity
| smilespray wrote:
| Moving from a native app to an Electron-based one has a
| definitive impact on usability. Calling it a tech stack
| choice is a bit dismissive.
|
| They used to have a kick-ass Mac app. That appealed to a
| considerable amount of their users. Then they ditched the
| native app for Electron, and those same users were
| disappointed.
| dcow wrote:
| Which functionality was removed by switching stacks? What is
| the actual usability impact? I currently use 1Password7
| and haven't updated to 8 so I'd like to know before
| updating.
| sleepybrett wrote:
| > ... and doing so with a third party sync solution wasn't
| suitable.
|
| why not?
|
| More importantly why was it necessary to remove the local
| vaults feature (I don't need it to integrate with any
| particular 3rd party syncing solution, I can handle that
| myself without any features from them) entirely?
| gowld wrote:
| > should be a platform feature
|
| OK, but it's not. Now what? Do we just live without until the
| platform overlords provide it, or does someone build it on top
| of the platform?
|
| What even is the "platform", when my Android phone is
| connecting to my iPad and my Windows laptop and Linux desktop
| and Amazon cloud server?
|
| $100M = ~$0.20 / computer user in US and western Europe
| (wealthy countries in connected software markets)
| Lightbody wrote:
| I haven't really felt like 1Password's product materially
| strayed from the original mission. If anything, I'm even more
| delighted with the team functionality, shared vaults, quick
| keyboard access in 1Password 8, etc.
|
| I wouldn't put them in the Dropbox bucket.
|
| Also, I think the value Tailscale provides is fairly unique and
| far from obviously a platform feature like file storage and
| perhaps even password management.
| kodah wrote:
| 1Password went from being buy once upgrade forever to SaaS. A
| lot of folks bought back when that was the package (and
| business model) so it's viewed relatively negatively here
| from some folks. I don't blame them, but also, I think
| 1Password is a success. I just don't think they'd have been
| viable under their original business model.
| pottertheotter wrote:
| That happened long before they took outside money, so it's
| not related.
| jjeaff wrote:
| But is "buy once, upgrade forever" really a viable long
| term business model?
| samhw wrote:
| I dunno, but you ought to figure it out (for your
| business) before you make that offer!
| skinnymuch wrote:
| Why? 1PW is succeeding. They didn't do some huge moral
| quandary either that would make stopping the one time
| buying product a moral failing. People like the first
| commenter and myself have used 1PW for many years too and
| are fine with what has gone down.
|
| Vs a clear moral screw up like the big tech companies
| colluding to not hire one another's employees.
| xyzzy_plugh wrote:
| Indeed, 1Password is practically a utility at this point, as
| far as I'm concerned. I really like the direction they're
| heading and they're solving some pretty tricky problems
| without compromising on security, predominantly in the
| enterprise domain. The experience is the same regardless of
| whether you're an enterprise user or a personal or family
| user. It's polished enough that my grandma can use it.
| MrStonedOne wrote:
| alberth wrote:
| > I really like the direction [1Password] is heading
|
| I thought customers were complaining loudly against their
| new direction of making 1Password an Electron app. Is that
| not the case?
|
| Note: I'm not a 1Password customer.
| st3fan wrote:
| > I thought customers were complaining loudly against
| ...
|
| No, you confuse "customers" with a vocal minority.
| dimgl wrote:
| I didn't even notice... 1Password is great. There are
| some minor issues here and there but it always feels like
| they very quickly patch it up.
| davidwparker wrote:
| Maybe technical customers who knew it were Electron. I
| knew, and don't really care. My wife doesn't even know
| what Electron is- everything is just another app to her.
| throwaway894345 wrote:
| I heard some people complaining a bit for a moment when
| they made the transition, but that happens anytime anyone
| changes anything and doubly so when that change is
| Electron. But that faded quickly.
| mmcclure wrote:
| I...don't think it's faded. I could totally be wrong
| here, but I don't think they'd actually made a transition
| yet; the complaining you're talking about was over the
| 1Password 8 _beta_. That actually just went GA this week,
| and people were still upset.
|
| I get why they're doing it (or, at least, think I do),
| and I'm not angry enough to go get angry on Twitter, but
| I am going to avoid the upgrade for as long as I can.
| That's kind of a bummer to get there with a product
| you've historically really liked.
| throwaway894345 wrote:
| Honestly I haven't noticed and I use 1Password on all of
| my devices every day. I heard some grumblings about
| 1Password changing to electron months ago and just
| assumed that they already made the transition. In
| whatever case, I haven't heard a peep until this thread.
| I don't like electron in theory and the industry should
| collectively come up with a solution that incentivizes
| app developers away from electron rather than hoping they
| swim against the current of incentive.
| skoskie wrote:
| You might double check which version you're on. Might
| still be on v7.
|
| > the industry should collectively come up with a
| solution that incentivizes app developers away from
| electron rather than hoping they swim against the current
| of incentive.
|
| They have the financial resources to build it in ~Rust
| but still chose electron. It's a mind boggling decision.
| throwaway894345 wrote:
| > They have the financial resources to build it in ~Rust
| but still chose electron. It's a mind boggling decision.
|
| Respectfully, I think you may misunderstand the company's
| mission.
| jchw wrote:
| Modern 1password using Electron is sad in some respects,
| but hardly surprising. Even people who use Electron hate
| Electron. The real differentiating factor is those who
| understand why.
| skinnymuch wrote:
| A small vocal minority. The company's two relatively
| recent fund raises are massive.
| sleepybrett wrote:
| Removing the ability to use it in a non-saas (local
| vaults, vaults shared by other syncing solutions)
| capacity is what drove the final nail into the 1password
| coffin for me. I can't trust that they don't hold master
| keys to all the vaults on their saas offerings.
|
| The swap from native to electron on macos was hugely
| disappointing but something I could have probably lived
| with if they hadn't gone full saas no alternative.
| SparkyMcUnicorn wrote:
| > I can't trust that they don't hold master keys to all
| the vaults on their saas offerings.
|
| So you think they could be lying about their fundamental
| selling point, and hiding it in all of their audits?
| Personally, I'd trust them more than Apple/Google/etc.
|
| https://support.1password.com/1password-security/
|
| https://1passwordstatic.com/files/security/1password-white-p...
|
| https://support.1password.com/security-assessments/
| throwaway894345 wrote:
| Fully agree. I'm a very happy 1Password customer, and I
| rarely praise software.
| biohax2015 wrote:
| 1Password is a phenomenal product. Idk what HN's obsession
| with ragging on it is about.
| nikanj wrote:
| It's been [0] days since the last time 1Password randomly
| bombarded me with a "Upgrade to 1Password subscription today"
| dialog. Not talking about the banner in the corner of the
| app; this was a dialog that had to specifically be dismissed
| prepend wrote:
| I think they changed from their mission to make password
| management easy and secure to extracting service fees
| forever.
|
| I don't necessarily blame them but think their decision was
| pushed along by the need for big money.
|
| For example, I think they'd still be able to do the pay once
| model if they abstracted their storage to work with
| Dropbox/icloud/OneDrive/whatever.
|
| There's really no value add as a user for a monthly fee.
| Although lots of people don't mind. I'd rather not pay for
| something as essential and simple as a synchronized,
| encrypted data blob. I literally replaced it with a Google
| doc and cutting and pasting more. A filter over Google docs
| does not require a monthly fee.
|
| I have this problem with lots of SaaS products that could be
| software if they didn't want or need lots of money.
| ignoramous wrote:
| > _We've raised $100M in a Series B financing led by CRV and
| Insight Partners_
|
| I see they are staying away from a16z ;)
|
| > _We don't want to put revenue ahead of quality, because our
| stats say quality is where all our growth comes from._
|
| Dr. Deming shining through here [0], but really, even this 1986
| article paints a neat little picture of how I presume tailscale's
| operating at the moment:
| https://hbr.org/1986/01/the-new-new-product-development-game
|
| > _How, Avery, on earth, are you all planning to spend one
| hundred million dollars?_
|
| Wireguard platinum sponsorship in 3, 2, 1...?
|
| > _Now I just tell people: We're here to fix the Internet. If we
| don't, who will?_
|
| I called this a year ago, as it was pretty evident to me even
| then (downvotes notwithstanding), but I'd not be surprised if
| tailscale became an ISP someday, given their holistic approach to
| product development:
| https://news.ycombinator.com/item?id=26249199 But hey, there are
| many more people working to _fix the internet_... including
| tailscale clones and other over-funded/under-funded developers,
| which brings me to...
|
| > _I mean, imagine. What if the Internet just worked like it was
| supposed to? [and goes on to list e2ee + Mobile IP + SSO + DDNS +
| NAT Traversal]_
|
| If you squint just enough, it reads like the _MASQUE_ protocol
| (built atop _QUIC_) that Google, Apple, Cloudflare are working
| to standardize: https://ietf-wg-masque.github.io/
|
| That said, in time, I see tailscale not only compete with
| Zscaler, but also with Tanium, Cloudflare, CrowdStrike, F5, Palo
| Alto Networks and the likes. Once they are embedded in an
| enterprise's network, there's very little their product couldn't
| expand into to make other SaaS / solutions obsolete.
|
| [0] _Systems thinking and Deming_, https://archive.is/tXJhw
| eadmund wrote:
| > For people who believe there's a catch -- and most still do --
| then I don't know how to write a blog post or hire a marketing or
| sales team to change their minds.
|
| I think the catch is that (at least at the free level) one must
| trust an identity provider. For many companies that's probably
| fair enough, but for high-security companies and private
| individuals one absolutely cannot trust anything running outside
| of one's physical control. Service providers can be suborned,
| either legally by corrupt regimes or illegally by employees.
| There is no way that I would permit Google, Microsoft or GitHub
| (their three supported options) to gate access to my private
| devices.
|
| I _think_ that one must also trust Tailscale themselves, although
| I could be wrong about that.
| lvh wrote:
| Tailscale will let you use any SAML or OIDC provider you like
| in the Enterprise plan (presumably because of the cost of
| supporting the long tail of nonsense IdPs will produce).
|
| (Disclosure: I'm a (small) investor via Latacora's sibling
| fund, Lagomorphic.)
| typical182 wrote:
| Semi-related question: did Latacora or @tqbf ever open source
| their Go-based SAML IDP:
| https://twitter.com/tqbf/status/938501701526487040
|
| (That tweet I think was a teaser saying it was coming. I
| subsequently looked for it a few times and never found it,
| but maybe plans changed, or maybe I just failed to find it).
| lvh wrote:
| Nope. It was pretty much just Thomas and Erin working on
| it, and I don't think it's operational. Sorry :(
| colordrops wrote:
| Don't you have to also trust Tailscale's closed source
| coordinator node?
| wmf wrote:
| Which also applies to Tailscale's SD-WAN and cloud VPN
| competitors.
| colordrops wrote:
| But doesn't apply to my wireguard setup on my OPNSense
| installation at home.
| wmf wrote:
| This is the HN disconnect: people commenting here have
| completely different concerns than Tailscale's actual
| customers.
| colordrops wrote:
| That is true. Sometimes we are talking about the business
| aspects of product-market fit, and sometimes we are
| talking about our own personal use of the product or
| domain. In this case it's both.
| eadmund wrote:
| That only addresses half the problem, though, right? Can't
| Tailscale still add any nodes they want to one's network?
|
| Also, it doesn't address the individual case, but that's fair
| enough: Tailscale isn't a charity.
| [deleted]
| lmeyerov wrote:
| Yep we had it rejected w an enterprise we work with as the org
| needed to own the full control plane so we couldn't bring it
| in, and not on the schedule for the org's security team for
| them to bring it in. Making a smarter, easier, and less
| creepily managed VPN more palatable to enterprises would be
| awesome, so the marketing value of their fundraise is real.
| RL_Quine wrote:
| There's a kind of WIP control server implementation, it's not
| production ready in my opinion but it's definitely usable.
|
| https://github.com/juanfont/headscale
| lmeyerov wrote:
| Super cool, and a lot of contributors!
|
| Can this work with the rest of the wireguard ecosystem (agents,
| UIs, ...) for a full VPN soln without involving the VC-tied
| company?
| madjam002 wrote:
| Yes it works with all of the Tailscale clients except for
| iOS. No it does not work with clients from the broader
| Wireguard ecosystem (e.g the Wireguard iOS app).
| RL_Quine wrote:
| Yes, it's usable with every tailscale client (except for
| iOS). You provide an argument to make headscale your
| controller, and then it works much the same as the hosted
| Tailscale service, with only some minor differences in
| configuration.
| chipsa wrote:
| I've seen them mention that they're looking at having the
| coordination server being self-hostable (and is for some
| client already), so I expect that to be one of the things you
| can get at the higher price points in the near future.
| tosh wrote:
| Great product. One of the very few that "just works" and "gets
| better all the time".
| contravariant wrote:
| I hope they don't eventually sacrifice the former in favour of
| the latter like so many other companies did.
| tomputer wrote:
| For almost a decade I have worked with IPsec and OpenVPN
| solutions for both client and site-to-site VPN tunnels. On
| enterprise hardware, community/proprietary software and at public
| cloud providers. I still work with these because today many
| vendors only support IPsec.
|
| A few years ago I discovered WireGuard and I was really amazed
| how easy it was to setup a tunnel. Especially if you've dealt
| with IPsec before. It felt as easy as creating an SSH tunnel
| between two servers, with only 4 or 5 lines of code in a config
| on both sides.
|
| Then last year I discovered Tailscale and I was blown away! How
| did this even work[1] without opening ports in the firewall? And
| how cool is it that I no longer have overlapping addresses[2]
| from other networks. Within 15 minutes I had my own mesh network
| between my Mac, iPhone, Raspberry Pi and other servers.
| Fantastic!
|
| I'm on the Personal/Free plan but if this would no longer be
| free, I would be happy to pay for this service (shut up and take
| my money).
|
| [1] https://tailscale.com/blog/how-tailscale-works/
|
| [2] https://tailscale.com/kb/1015/100.x-addresses/
| boesboes wrote:
| For anyone else who wonders wtf tailscale is:
|
| > Tailscale is a VPN service that makes the devices and
| applications you own accessible anywhere in the world, securely
| and effortlessly. It enables encrypted point-to-point connections
| using the open source WireGuard protocol, which means only
| devices on your private network can communicate with each other.
|
| It seems to take care of key distribution, nat-traversal,
| authentication etc etc
|
| Neat! Not sure how that is 'fixing internet' exactly, but really
| cool anyway
| yrro wrote:
| Tailscale is one of the ways you can restore the end-to-end
| connectivity principle that IP introduced and that NAT
| destroyed.
| legalcorrection wrote:
| This is kind of overstated. Even if everyone went IPv6 and
| gave every device a public IP address, pretty much every
| network would have a firewall that behaved just like NAT.
| zinekeller wrote:
| This fact must be bundled everywhere someone mentioned
| "IPv6 will allow direct connectivity again". While NAT
| isn't a fully-functional firewall, it _did_ do things that
| a firewall in a router would do. What equipment has proper
| IPv6 firewalls? Routers, that's who.
| throw0101a wrote:
| > _Even if everyone went IPv6 and gave every device a
| public IP address, pretty much every network would have a
| firewall that behaved just like NAT._
|
| No, they do not behave just like NAT. With NAT you have two
| problems:
|
| * figuring out your address
|
| * firewall hole punching
|
| With IPv6 you already know your address and just give it to
| the peer you are communicating with. You then tell your
| firewall to allow connections from the address(:port) that
| the peer tells you. No STUN, no TURN, no ICE.
|
| * https://en.wikipedia.org/wiki/Hole_punching_(networking)
|
| * https://en.wikipedia.org/wiki/Port_Control_Protocol
|
| * https://en.wikipedia.org/wiki/Universal_Plug_and_Play
|
| * http://www.upnp.org/resources/documents/AnnexA-IPv6_000.pdf
|
| This helps immensely for residential connections since
| people (generally) control their gateways, and with more
| and more higher speed (fibre) connections being done, it
| could help in more self-hosted and peer-to-peer services.
|
| What one is allowed to do at the office would be dictated
| by the policy(s) of your employer: they could allow
| PCP/uPNP opening via authenticated requests for example.
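As an added example (not from any commenter in this thread), this is what the "tell your firewall to allow connections" step looks like on the wire when done with PCP: a MAP request encoded per RFC 6887 asking the gateway to allow inbound UDP to a listening port, plus a parser that only accepts a response carrying the request's own nonce. The client address, port and nonce are constructed, and the gateway response is simulated locally so the script runs offline.

```python
import os
import socket
import struct

PCP_VERSION = 2
OPCODE_MAP = 1
PCP_SERVER_PORT = 5351   # gateways listen for PCP on UDP 5351 (RFC 6887)
PROTO_UDP = 17
RESULT_SUCCESS = 0


def build_map_request(client_ip, internal_port, lifetime, nonce=None, proto=PROTO_UDP):
    """Encode a PCP MAP request (RFC 6887, sections 7.1 and 11.1).

    Asks the gateway to allow inbound `proto` traffic to `internal_port` on
    `client_ip` for `lifetime` seconds. Returns (packet, nonce); the gateway
    echoes the nonce so the client can match a response to its own request.
    """
    nonce = os.urandom(12) if nonce is None else nonce
    if len(nonce) != 12:
        raise ValueError("mapping nonce must be exactly 96 bits")
    # Request header: version, R bit (0) | opcode, 16 reserved bits,
    # requested lifetime, and the client's own IPv6 address (128 bits).
    header = struct.pack("!BBHI", PCP_VERSION, OPCODE_MAP, 0, lifetime)
    header += socket.inet_pton(socket.AF_INET6, client_ip)
    # MAP opcode body: nonce, protocol, 24 reserved bits, internal port,
    # suggested external port (0 = gateway chooses) and suggested external
    # address (all zeros = gateway chooses).
    body = nonce + struct.pack("!B3xHH", proto, internal_port, 0) + bytes(16)
    return header + body, nonce


def build_map_response(request, external_ip, result=RESULT_SUCCESS, epoch=1):
    """Constructed stand-in for a gateway's MAP response, for offline testing.

    A plain IPv6 firewall (no NAT) simply confirms the internal port as the
    external port and the client's own address as the external address.
    """
    (lifetime,) = struct.unpack("!I", request[4:8])
    nonce, proto = request[24:36], request[36]
    (internal_port,) = struct.unpack("!H", request[40:42])
    header = struct.pack("!BBBBII", PCP_VERSION, 0x80 | OPCODE_MAP, 0, result, lifetime, epoch)
    header += bytes(12)  # reserved bytes that follow the epoch in a response
    body = nonce + struct.pack("!B3xHH", proto, internal_port, internal_port)
    body += socket.inet_pton(socket.AF_INET6, external_ip)
    return header + body


def parse_map_response(packet, expected_nonce):
    """Decode a MAP response and verify it answers our request.

    Raises ValueError for malformed packets and for responses whose nonce does
    not match: the client ignores those, so a stray or spoofed packet on the
    link cannot be mistaken for a grant or denial of the request we sent.
    """
    if len(packet) < 60:
        raise ValueError("PCP MAP response too short")
    version, r_opcode, _reserved, result, lifetime, epoch = struct.unpack("!BBBBII", packet[:12])
    if version != PCP_VERSION or not (r_opcode & 0x80) or (r_opcode & 0x7F) != OPCODE_MAP:
        raise ValueError("not a PCP MAP response")
    body = packet[24:]
    if body[:12] != expected_nonce:
        raise ValueError("nonce mismatch: response is not for our request")
    proto, internal_port, external_port = struct.unpack("!B3xHH", body[12:20])
    return {
        "result": result,
        "lifetime": lifetime,
        "epoch": epoch,
        "protocol": proto,
        "internal_port": internal_port,
        "external_port": external_port,
        "external_ip": socket.inet_ntop(socket.AF_INET6, body[20:36]),
    }


if __name__ == "__main__":
    # Constructed values: a host at 2001:db8::10 listening on UDP 51820.
    req, nonce = build_map_request("2001:db8::10", 51820, 3600)
    resp = build_map_response(req, "2001:db8::10")
    print(parse_map_response(resp, nonce))
```

Against a real gateway the request goes out on a UDP6 socket with `sock.sendto(req, (gateway_address, PCP_SERVER_PORT))`, and the client should re-send before `lifetime` elapses or the rule is dropped, which is the keepalive behaviour discussed below.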
| irq-1 wrote:
| > With IPv6 you already know your address and just give
| it to the peer you are communicating with. You then tell
| your firewall to allow connections from the
| address(:port) that the peer tells you. No STUN, no TURN,
| no ICE.
|
| What about phone networks? (in the US providers block all
| incoming traffic.) Or other ISPs that block incoming
| traffic?
|
| NAT has been used to address a fundamental problem of
| what traffic can be trusted. That's what Tailscale fixes.
| [deleted]
| zinekeller wrote:
| No, no, no, no. You haven't really experienced the
| quality of IPv6 routers at home. The only thing that I
| can (probably) say with confidence is you will _not_ need
| TURN, and even that assumption _can_ be broken with even
| more restrictive firewalls that block nearly all UDP
| traffic or even not know your real public address because
| IPv6 NAT _does exist_
| (https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no...,
| https://datatracker.ietf.org/doc/html/rfc6296), but
| fortunately this is usually found in enterprise stuff.
| NAT-PMP or router UPnP is probably the wildest: the majority
| don't (remember that I'm focusing on _ISP_ routers since
| most people don't bother to switch to actual
| routers...*), some only on IPv4 (which is even more
| frustrating), and only a few support it correctly. Worse,
| those same broken garbage-level routers have NAT-like
| firewalls: at least you know what address and port you
| will contact the other computer, but you will still need
| UDP (TCP handshake will be very problematic) and you will
| still need keepalives (or otherwise your firewall will
| just close the port).
|
| * ... and most that do get another router (usually
| because they have seen that their Wi-Fi on the "modem" is
| bad) don't turn on** bridge mode which _will_ be a
| definite headache on both IPv4 (double NAT) and IPv6
| (address conflict, especially if you're using an ISP
| like Comcast that would only allocate a /64 and no more).
|
| ** ... because you _need_ to call up the ISP, or they even
| outright refuse to bridge it (either because they're
| stupid but you don't have another ISP to switch to, or the
| equipment manufacturer of their garbage special router
| didn't program one).
| throw0101a wrote:
| > _No, no, no, no. You haven't really experienced the
| quality of IPv6 routers at home._
|
| I've been running IPv6 at home >2 years. You're telling
| me that my own experience is invalid?
| zinekeller wrote:
| No, not necessarily, but if you're using an aftermarket
| router rather than an ISP-supplied router, then this
| rather long list is not applicable to you.
| Spivak wrote:
| Yeah, no one is going to allow unsolicited inbound
| connections even without NAT so you still have to have
| something to hook up the two ends in a P2P setting.
| throw0101a wrote:
| > _Yeah, no one is going to allow unsolicited inbound
| connections even without NAT so you still have to have
| something to hook up the two ends in a P2P setting._
|
| Sure they are. All home routers that I'm aware of allow
| for port forwarding so folks can self-host a service:
| perhaps a game server (e.g., Minecraft), web, e-mail,
| etc.
|
| It's just going forward you can set up a separate subnet
| to put your gear in (especially if you get multiple /64
| subnets from your ISP). You can have a DMZ, and use
| either the router- and/or host-level firewall to dictate
| which connections are allowed.
| legalcorrection wrote:
| The point is for the user to not have to go configure
| their firewall.
| throw0101a wrote:
| Which can be done via UPnP and PCP, and without having to
| maintain TURN/STUN/etc infrastructure. The latter of
| which can only be done with IPv6, since with IPv4 you're
| NATing.
|
| So IPv6 makes things easier--which was the point of my
| post: IPv6 makes things easier.
| zinekeller wrote:
| ... if your definition of "home routers" excludes ISP-
| provided ones, then I'll agree. Unfortunately, I'm pretty
| sure that either you are on an ISP that actually cared
| and found a good supplier or didn't check out what are
| the capabilities of ISP-provided routers.
| dsr_ wrote:
| Of the three ISPs in my area that I have used, all of
| them allowed inbound traffic and either had useful
| controls in their routers or didn't supply a router, just
| an ethernet handoff. RCN, Comcast, Verizon.
|
| All of them filtered out the SMB/CIFS ports.
|
| Two of them filtered outbound port 25; one of them was
| willing to open it with the additional cost of a static
| IP.
| zinekeller wrote:
| Yeah, it's inconsistent to be honest. I've found that
| Hitron to not have any sort of firewalls (except for IPv4
| NAT if you consider it as a firewall), while Huawei
| routers (which are not used in the US for reasons
| hopefully known to you) _do_ have an IPv6 firewall that
| is only an off or on switch; stupidly their enterprise
| stuff _does_ have advanced controls. Alcatel/Nokia-branded
| ones are inconsistent to say the least and the same can
| be said for Zyxel. I'm actually interested in checking
| out other routers used by ISPs, but those are the ones
| I've actually seen.
| throw0101a wrote:
| With IPv4 I have to worry about UPnP/PCP working _and_
| TURN/STUN/etc nonsense when it comes to peer-to-peer
| protocols. With IPv6 I only have to worry about
| UPnP/PCP working. In my books that's an improvement.
|
| If I want to self-host something, then with IPv4 I have to
| publish my IP and worry about the CPE supporting port
| forwarding. With IPv6 I have to publish my IP and use
| UPnP/PCP to allow all connections. Is there any CPE gear
| that does _not_ support UPnP/PCP?
| dave_universetf wrote:
| Our epic treatise on how NAT traversal works (in general,
| not specific to Tailscale) mentions this. IPv6 greatly
| reduces the amount of pain for p2p connections, but does
| not eliminate some of the fundamentals (stateful firewall
| traversal) if you want it to be zero-config:
| https://tailscale.com/blog/how-nat-traversal-works/
|
| But until deployment hits 100%, and until ISPs start caring
| about IPv6 reliability the way they do about IPv4, "just
| use IPv6" can't be your answer. It's lovely when it works,
| but you need to do something other than "give up" when it
| doesn't. (also, as long as the internet is dual-stacked,
| doing IPv6 right also implies figuring out if NAT64 is in
| play, and wielding it correctly; so arguably IPv6 adds more
| complexity to the overall story, for now :) )
| boesboes wrote:
| Ah yeah, that makes sense.
| IanCal wrote:
| I'm about to go away but having local access will be very
| useful.
|
| I've just setup tailscale in a few minutes, very smoothly. I'm
| impressed it scales down to this kind of simple use case
| nicely, and it seems it has nice features as my use cases might
| scale up.
| zepearl wrote:
| So basically Wireguard with automated key
| setup/distribution/identity management?
|
| (btw. I love Wireguard - currently using it to route traffic
| between my servers + transfer media between my home and my
| mother's mediacenter with both PCs being behind their own
| router - she loves it too as so far there were no problems
| hehe)
| zellyn wrote:
| That, plus fanatically good NAT Traversal:
| https://tailscale.com/blog/how-nat-traversal-works/
| zepearl wrote:
| But isn't that just part of Wireguard itself? In the end
| that's what's happening in my case when I exchange data
| through Wireguard between my flat and the one of my
| parents...
| seabrookmx wrote:
| No, wireguard is just the VPN itself.
|
| The NAT traversal stuff is all magic that happens before
| the socket is given to wireguard.
| [deleted]
| ncmncm wrote:
| I thought that Tailscale was pretty interesting.
|
| Avery Pennarun, its CTO, is somebody whose judgment I am used
| to trusting.
|
| Then I learned that to use it, I would be dependent on
| authenticating using a login on one of the unaccountable
| internet behemoths who could take away my account for any
| random reason or no expressed reason at all.
|
| No, thank you.
| rrdharan wrote:
| I agree, GitHub is awful.
| naikrovek wrote:
| Google does that, Microsoft doesn't. Microsoft will ban you
| from a particular service if you egregiously violate the
| terms of service for a particular application of theirs, but
| never the whole account.
|
| Google will throw you on your ass in the blink of an eye.
| skoskie wrote:
| Is there anything in their TOS that states it or has this
| just been their practice so far?
| ncmncm wrote:
| Does it matter? Whether they say they will do it, or just
| do it without saying they will, the experience is the
| same.
|
| What matters most is if they can. Then, if they ever have
| done. What I want is that they can't.
| naikrovek wrote:
| you want a free service written, maintained, and hosted
| by others that _they don't control_. Am I understanding
| you?
| ncmncm wrote:
| No. I would be happy to pay for service, but they offer
| no choice but to rely on somebody else's authentication,
| regardless.
| naikrovek wrote:
| read harder next time. https://tailscale.com/kb/1119/sso-saml-oidc/
| __float wrote:
| If you use an identity provider like Okta or OneLogin, then
| you're not tied to any "contentful" services like GitHub or a
| Google account that "historically" seem to have more problems
| of this type.
|
| As far as threat models go, I can't really say I understand
| this one too much.
| DarylZero wrote:
| Okta and OneLogin are both private corporations that have
| each existed for 13 years. Does your threat model include
| an estimate for how long they will stay in business? What
| if one of them puts the other out of business? Does your
| threat model choose a winner in that fight?
|
| As far as paid services the possibility also is there that
| someday _you_ run out of money and have to stop paying
| them. They tend to shut down your access when that happens.
| Another financial threat you have to model.
|
| These things don't happen when you use public key
| authentication.
| orojackson wrote:
| For enterprise, sure, using a separate IDM provider works,
| but last I checked, neither Okta nor OneLogin cater to
| individuals and their personal accounts. So as far as
| threat models go, I understand why people view this
| requirement from Tailscale as utter garbage for personal
| accounts.
| margalabargala wrote:
| As an example: shortly after Russia invaded Ukraine,
| Namecheap cancelled all accounts of all of its customers
| who were located in Russia. This was done regardless of
| what content if any was hosted by the account, whether or
| not the person in question supported the war, or whether
| the person in question was actively fleeing Russia and may
| have been relying on technical infrastructure they had
| previously set up to help them do so.
|
| Just because a service you sign up for is not contentful,
| does not mean that they won't choose to boot you off for
| some reason completely unrelated to anything you control or
| anything you chose to do.
| woodruffw wrote:
| This is a strange example to pick given that (1) it's a
| war, and (2) a significant percentage (majority?) of
| Namecheap's employees and offices are in Ukraine.
|
| If we (the US) decided to invade Canada tomorrow, you can
| be certain that the maple syrup would stop flowing.
|
| Edit: According to their website[1], the overwhelming
| majority of their employees are in Ukraine. Two of the
| three cities they have offices in are on the current
| combat front.
|
| [1]: https://www.namecheap.com/careers/ukraine
| kyawzazaw wrote:
| Avery Pennarun is CEO.
|
| David Crawshaw is CTO.
| ncmncm wrote:
| I am corrected.
| ibejoeb wrote:
| Is that generally true? A third-party authentication service
| is needed just to get it going, or is that needed for
| specific use cases?
| ncmncm wrote:
| Apparently the third-party authentication service is needed
| just to get it going. If you get an "enterprise license"
| you can choose among more authentication services, but not
| yourself.
|
| Some people suggest trying Nebula instead.
| systemvoltage wrote:
| Yes. If they can't build basic auth and make sure it's
| secure, it sends quite the message.
|
| Super annoying and borderline unacceptable.
| chipsa wrote:
| They don't want to build basic auth. They probably could,
| but it gives them more headaches and customer service touch
| points compared to delegating that out. Like: what if the
| user forgets their password? Or what if they lose their 2FA
| device?
| systemvoltage wrote:
| Yes, welcome to operating a SaaS.
| boesboes wrote:
| Oh, that is a shame. I can see why they do it like this for
| businesses, but for personal accounts I refuse to use SSO.
| Been bitten by that a few times too many.
|
| I _could_ use my github account, but I don't trust them at
| all anymore. And I'm not going to setup an account with some
| other service just to use this. So that is a hard pass for
| personal use.
|
| For a company it makes sense to have to use whatever sso
| provider you are already using i guess
| gowld wrote:
| "Fixing the internet" == you can communicate with computers that
| want to communicate with you, and not with others.
| contravariant wrote:
| "Fixing the internet" == you can communicate with computers
| that _you_ want to communicate with, and not with others.
| lupire wrote:
| You can do some things that you don't want to do.
|
| If someone uses a rubber hose, you might be forced to
| communicate against your will, using the fixed Internet.
| philipov wrote:
| "Fixing the internet" == computers that mutually consent to
| communicating with each other are able to communicate with
| each other
| xeyownt wrote:
| "Fixing the internet" == computers whose _owners_ mutually
| consent to communicating with each other are able to
| communicate with each other
| tomc1985 wrote:
| Another day, another overly hyperbolic press rele.... er, blog
| post
|
| Le sigh...
|
| Let's make tech boring and demure again!
| capableweb wrote:
| > We're here to fix the Internet
|
| That's such a broad "mission statement" that I wonder if it's
| effective at all. I mean, what SaaS wouldn't say that they fix
| something with the internet? That's the whole reason for online
| businesses solving one or another problem.
|
| How could that statement help them guide their implementations of
| various solutions?
| gowld wrote:
| The internet, at its essence, means connecting machines across
| (intra)networks. Not everything those machines do. That's what
| Tailscale (+wireguard) is for.
| lvh wrote:
| I think the best way to get a feel for what that means is
| Remembering the LAN[0] and then just trying it out (really,
| it's easy) and deciding for yourself if they're living up to
| it. Or grep Twitter for "tailscale" -- all these nerds aren't
| astroturfing :)
|
| (Disclosure: I'm a (small) investor via Latacora's sibling
| fund, Lagomorphic.)
|
| [0]: https://tailscale.com/blog/remembering-the-lan/
| MatthiasPortzel wrote:
| My understanding/hope is that the author uses "internet" to
| mean the technology. Colloquially we use "internet" to also
| refer to every technology that runs on top of the internet
| (like the web), but 'connect devices together' is a meaningful
| statement and the internet is the technology that we currently
| use to do that.
| klazutin wrote:
| I've tried Tailscale recently after reading all the raving
| reviews here on HN. The service is very easy to install and the
| apps are nice to use, everything is just very well done.
|
| However, I just don't see much difference from my vanilla
| Wireguard setup. Granted, my use case is very simple, just
| connect a few devices at home and in the cloud into a single
| network and use one of them as an exit node, but I'm still not
| sure what would make me prefer Tailscale over Wireguard.
|
| So far the biggest difference has been that it makes me use an
| external identity provider instead of having to manually exchange
| keys between devices, and I'm not sure I'm very comfortable with
| that.
| lupire wrote:
| The answer here depends on a side by side pair of walkthroughs
| for setting up and maintaining Tailscale vs plain Wireguard.
| bambax wrote:
| I read almost all of TFA (started to jump paragraphs near the
| end) and still couldn't figure out what it was or did, even after
| being told, repeatedly, that they "make easy things easy".
|
| Apparently, it's a VPN.
| gowld wrote:
| The blog post is poor. It has TailScale's "house style" of
| folksy reminiscence and Avery's stream-of-consciousness writing
| style wrapped around an announcement. It only says two things,
| one at the top, and one at the bottom: "We raised $100m for
| our war chest; we don't have any plans for how to use it
| besides extending runway for our current operations". The
| middle is left trying to justify why that is a good thing,
| despite not having a reason beyond "we know a lot of rich
| people who know we are wicked smart and talented, so they want
| a piece of equity in us".
|
| The home page is a pretty clear exposition of what TailScale
| is: https://tailscale.com/
| MatthiasPortzel wrote:
| I thought the post was remarkably well written. I had a vague
| idea what Tailscale did going into it, but this post did a
| good job of describing the company's values and vision. I'm
| not sure what the intended audience of the announcement was,
| but for me it was interesting.
| isthisnametaken wrote:
| I got bored long before then. It's a terrible piece of self-
| backslapping drivel
| crthpl wrote:
| From their privacy policy: > The personal information we collect,
| use, and disclose includes business contact information such as
| names, job titles, and company email addresses, as well as
| information about individual devices (such as device hardware and
| operating system) and aggregated usage statistics (such as amount
| of data transmitted in a period of time).
|
| > Your personal information will be transferred ... to certain
| third parties that provide services on our behalf.
|
| > We use service providers to provide services such as ... data
| analysis to better understand and improve product and website
| usage, and providing advertising and marketing services.
|
| :/
| woopwoop24 wrote:
| I wanted to use tailscale really bad, but since you cannot
| login without the given choices they provide, I am not sure any
| security minded person would mind using it.
|
| I rolled my own with a simple vps, a haproxy and ansible.
| RL_Quine wrote:
| Unfortunately despite claiming that they would, they've never
| allowed their iOS application to allow configuration of the
| control server (every other client they have released does).
| Maybe some more funding will allow them to focus on the client
| quality.
| pilif wrote:
| also, their iOS client still has abysmal background battery
| usage even when not connected. It has been more than a year
| now, so, yes, seeing them improve in such areas would be cool.
|
| But given the huge amount of money invested, pressure will go
| into other directions. I'm afraid my (aside of the iOS issues)
| beloved Tailscale is on a path to expensive enterprisey bloat,
| losing what made it so good (the JSON based ACLs, the external
| authentication provider reliance, etc - GitHub Auth is a
| killer-feature for me for example)
| bradfitz wrote:
| (Tailscale engineer here)
|
| That's https://github.com/tailscale/tailscale/issues/1572 which
| we haven't given up on. It's just not done. We did it for macOS
| and we thought the same thing would've worked for iOS (they
| share a ton of the same code) but it apparently didn't work.
|
| The mobile apps have been a low priority thus far. We just
| recently hired some people to work on them, though.
|
| The highest priority for them currently is fixing battery life
| (we do some dumb things when LTE + wifi are both available, and
| when using exit nodes, and some unnecessary heart beating that
| sucks on mobile) and then there's also a mobile app redesign
| (or just "design" coming).
|
| We like Headscale and we're super glad that it exists. (they
| saved us some work by doing it first, as our control server
| wasn't in a releasable state) We keep Juan et al updated when
| there's protocol changes or things they can do. (e.g. recent
| https://github.com/juanfont/headscale/issues/552)
| pilif wrote:
| About the battery usage: what I can't explain is that there's
| a lot of background energy usage on iOS when Tailscale is
| running even when it's not connected.
|
| If this was about heart beating, I would expect that to only
| happen when the client is connected.
|
| Also, in the battery stats, the background usage is there and
| tailscale is listed, but with - % of battery usage.
|
| However, when I force quit tailscale, all of the background
| energy usage goes away.
| bradfitz wrote:
| A lot of it was because we were using the cell radio when
| wifi was available.
|
| Have you tried 1.24.2 that's just as of yesterday on the
| App Store? It fixes one of the worst of the offenders (but
| not all yet).
|
| In any case, we understand a lot of the problems now and
| plan to work on it soon.
| RL_Quine wrote:
| Thanks for the response. I had misinterpreted the
| communication from Tailscale to be adversarial rather than
| just that it wasn't something that had engineering focus.
| It's good to hear that there will be some progress towards
| making the mobile app better.
| [deleted]
| Lightbody wrote:
| We love Tailscale. Every employee has it, and we use it to
| provide access to dev, staging, and prod environments as well.
|
| Fun little thing we did with it: nobody can access the prod
| network without requesting access via a Slack bot (powered by
| https://indent.com/). So somebody requests access, another
| authorized person approves it, and the Tailscale ACLs are updated
| for X minutes and then reset.
|
| Access to secure environments is super low friction but more
| secure (with fantastic audit trails) than ever.
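As an added example (not the commenter's implementation, and not using the indent.com bot), here is a sketch of that approve-then-expire flow where the policy is regenerated from standing rules plus unexpired grants, so the reset is automatic and admins keep a standing rule as the fallback raised in the replies. The "acls" entries follow the action/src/dst shape of Tailscale's ACL policy file; the users, groups, tags, durations and timestamps are constructed, and pushing the rendered policy to Tailscale is out of scope.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed standing policy. Users, groups and tags are made up.
BASE_POLICY = {
    "groups": {
        "group:eng": ["alice@example.com", "bob@example.com", "carol@example.com"],
        "group:admins": ["alice@example.com", "bob@example.com"],
    },
    "acls": [
        {"action": "accept", "src": ["group:eng"], "dst": ["tag:dev:*", "tag:staging:*"]},
        # Standing rule: admins reach prod without the bot, so an outage of
        # the approval path never locks everyone out.
        {"action": "accept", "src": ["group:admins"], "dst": ["tag:prod:*"]},
    ],
}
PROD = "tag:prod:*"
T0 = datetime(2022, 5, 4, 13, 17, tzinfo=timezone.utc)  # constructed clock


class AccessDenied(Exception):
    pass


class ProdAccessBroker:
    """Approve-then-expire grants, rendered into the policy on every reconcile."""

    def __init__(self, base_policy, approvers):
        self.base = base_policy
        self.approvers = set(approvers)
        self.grants = []  # each: {"user", "approved_by", "expires"}
        self.audit = []   # append-only event log, the audit trail

    def request(self, requester, approver, minutes, now):
        """Record a grant approved by a second person; denials are logged too."""
        if approver == requester:
            self._log(now, "denied", requester, reason="self-approval")
            raise AccessDenied("requester cannot approve their own access")
        if approver not in self.approvers:
            self._log(now, "denied", requester, reason=f"{approver} is not an approver")
            raise AccessDenied(f"{approver} may not approve prod access")
        grant = {"user": requester, "approved_by": approver,
                 "expires": now + timedelta(minutes=minutes)}
        self.grants.append(grant)
        self._log(now, "granted", requester, approved_by=approver,
                  expires=grant["expires"].isoformat())
        return grant

    def reconcile(self, now):
        """Drop expired grants (logging each) and return the policy to push."""
        keep = []
        for g in self.grants:
            if g["expires"] <= now:
                self._log(now, "expired", g["user"])
            else:
                keep.append(g)
        self.grants = keep
        policy = json.loads(json.dumps(self.base))  # deep copy; never mutate base
        for g in self.grants:
            policy["acls"].append({"action": "accept", "src": [g["user"]], "dst": [PROD]})
        return policy

    def _log(self, now, event, user, **fields):
        self.audit.append({"at": now.isoformat(), "event": event, "user": user, **fields})


def can_reach_prod(policy, user):
    """True if some accept rule, with groups expanded, lets `user` reach prod."""
    for rule in policy["acls"]:
        if rule["action"] != "accept" or PROD not in rule["dst"]:
            continue
        for src in rule["src"]:
            if src == user or user in policy.get("groups", {}).get(src, []):
                return True
    return False


def run_scenario():
    """Carol gets 30 minutes of prod access approved by Alice; check before and after."""
    broker = ProdAccessBroker(BASE_POLICY, approvers=["alice@example.com", "bob@example.com"])
    broker.request("carol@example.com", "alice@example.com", minutes=30, now=T0)
    during = broker.reconcile(T0)
    after = broker.reconcile(T0 + timedelta(minutes=31))
    return {
        "carol_during": can_reach_prod(during, "carol@example.com"),  # True
        "carol_after": can_reach_prod(after, "carol@example.com"),    # False
        "alice_after": can_reach_prod(after, "alice@example.com"),    # True (standing rule)
        "dave_during": can_reach_prod(during, "dave@example.com"),    # False (never granted)
        "events": [e["event"] for e in broker.audit],                  # ["granted", "expired"]
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```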
| fwip wrote:
| That's gonna be exciting next time Slack is down.
| dx034 wrote:
| I'd assume they have a fallback option to provide access.
| Lightbody wrote:
| It's a very safe assumption: we're just automating
| Tailscale ACLs. Tailscale admins (3 of us) can still come
| in and manually change them.
| fwip wrote:
| That's reassuring, the phrasing of "nobody can access
| prod without a Slack bot" was worrying.
| VWWHFSfQ wrote:
| I wouldn't assume anything
| obogobo wrote:
| it was down for many folks about 2 hours after you posted
| this lol
| ignoramous wrote:
| Well, we run our servers _without_ ssh access... no amount of
| escalation through ACLs / Security Groups lets you in. Can't
| say it would work for everyone, but at least, no one can
| _mutate_ prod unless the code itself exposes those interfaces.
| lettergram wrote:
| "To fix the internet"
|
| I really wish we could get some clear copy on what that means in
| a title.
| arsome wrote:
| I was going to try TailScale but then it seemed the only option
| to do so as an individual was to login with a 3rd party cloud
| provider, which I in no way want tied into my networks.
|
| I gave up and just setup wireguard directly instead, I don't
| trust Tailscale either if that's their attitude towards privacy,
| it's permanently marred my vision of their product.
| paxys wrote:
| Not sure why everyone is hung up on this. You don't have to use
| a third party provider for auth. They support SAML and OIDC,
| and it is pretty easy to set up your own auth server. There are
| enough open source implementations out there you can use.
| ptomato wrote:
| only with an enterprise subscription.
| aftbit wrote:
| Same, I abandoned Tailscale sign up for this reason as well.
| Perhaps consider https://github.com/juanfont/headscale ?
| JeremyNT wrote:
| Indeed, this is why I won't use it either. I settled on Slack's
| Nebula [0] instead of wireguard because it handles direct p2p
| communication between nodes automatically.
|
| There also exists an open source implementation of the
| tailscale control server [1] that you could self host.
|
| [0] https://github.com/slackhq/nebula
|
| [1] https://github.com/juanfont/headscale
| rhuber wrote:
| (Nebula coauthor here)
|
| People sometimes ask me to describe the differences between
| Nebula and Tailscale. One of the most important relates to
| performance and scale. Nebula can handle the amount of
| internal network traffic and scalability of nodes (100k+
| nodes, constant churn) required on a large network like
| Slack's, but Tailscale cannot. Tailscale's performance is
| fine for many situations, but not suitable for
| infrastructure. It is just a fundamentally different set of
| goals.
|
| Nebula was created and open sourced before Tailscale was
| offering their product, but their architecture is similar to
| older offerings in the market, and is something we purposely
| avoided when creating Nebula.
|
| Fwiw, I even recommend Tailscale to friends who want to do
| things like connect to their Plex server or Synology or
| [other thing] at home remotely. It simplifies this kind of
| thing greatly and doesn't require you to set up any
| infrastructure you control directly, which can be a headache
| for folks who just want to reach a handful of
| computers/devices.
| JeremyNT wrote:
| > _Fwiw, I even recommend Tailscale to friends who want to
| do things like connect to their Plex server or Synology or
| [other thing] at home remotely. It simplifies this kind of
| thing greatly and doesn't require you to set up any
| infrastructure you control directly, which can be a
| headache for folks who just want to reach a handful of
| computers/devices._
|
| First thanks for working on Nebula! It's great.
|
| Nebula seems to be about 95% there. The functionality it
| actually does provide once set up is really great. It's
| just missing the 5% that is arguably the most important for
| a huge number of people: a simple way to do the
| configuration management bits such as device enrollment,
| revocations, key rotations, that sort of thing.
|
| If you are a home user, with a small network, the overhead
| of doing things manually is low, but you need to be patient
| and technical enough to read the docs and do it right
| initially. If you're a big enough organization I guess you
| can write your own tooling. But for any small shop or any
| non-technical home user this is not going to fly and you
| will bounce off it.
|
| I don't know if the plan is to create a commercial offering
| for this side of the house (it would make sense...) but as
| far as I'm concerned, this is the only reason that
| Tailscale is so successful and Nebula is lesser known
| (despite Nebula's advantages in other ways that may be more
| relevant to technical users).
| rhuber wrote:
| The Nebula CA we built at Slack was very specific to
| Slack's internal devops, and just wasn't generalizable.
| It is highly automated there, and is custom tooling, just
| as you describe. The open source version is somewhat bare
| bones (a command line tool for CA vs something like
| vault).
|
| I will say that the OSS tooling of Nebula is everything
| someone needs to stand up an entire working network on
| every common platform (linux/mac/windows/ios/android),
| but there is a definite gap in simplification that we
| need to address to make it easier for smaller scale use
| cases.
|
| We actually have a managed enterprise Nebula offering at
| my current gig, but that's rather a different market than
| Tailscale, so I'm avoiding talking as that company as
| opposed to a Nebula OSS project lead. The commercial
| offering is targeted at large enterprises, because that's
| the market where Nebula has unique advantages. It also
| means we don't currently have a freemium or smb type
| offering, and are not prioritizing creating one at all. I
| don't want to give people false hope that we will, and
| would prefer to see the OSS project improve to address
| the small-medium use cases.
| vgel wrote:
| > People sometimes ask me to describe the differences
| between Nebula and Tailscale. One of the most important
| relates to performance and scale. Nebula can handle the
| amount of internal network traffic and scalability of nodes
| (100k+ nodes, constant churn) required on a large network
| like Slack's, but Tailscale cannot. Tailscale's performance
| is fine for many situations, but not suitable for
| infrastructure. It is just a fundamentally different set of
| goals.
|
| Making broad claims like this without a source or links to
| benchmarks feels like FUD to me. For example Tailscale's
| comparison page on performance
| (https://tailscale.com/kb/1148/tailscale-vs-nebula/#performan...)
| doesn't mention a meaningful
| performance difference, so if you're claiming they're not
| telling the truth (by omission), I'd hope to see more to
| that than just a straight assertion, even just "We tried
| Tailscale in Slack's network and it wasn't able to keep up
| with our usage patterns".
| rhuber wrote:
| Another fair criticism. We will publish the benchmarks
| and make them repeatable (which most existing ones I've
| found don't bother to do). We hadn't done so because
| Tailscale isn't really seen as a direct competitor to
| what the Nebula project is doing, but if people want
| numbers, that's a thing we are happy to provide.
| SahAssar wrote:
| So "People sometimes ask me to describe the differences
| between Nebula and Tailscale" and the answer is
| "performance and scale", but you don't have clear
| comparisons for those numbers?
| rhuber wrote:
| We have an automated set of ansible scripts that spin up
| large groups of hosts for Nebula performance regression
| testing, and a while back I added zerotier, tailscale,
| wireguard-userspace, wireguard, tinc, ipsec, and openvpn
| to that automation so I could get a sense of where things
| stand. I spent a lot of time optimizing each of the above
| options to make fair comparisons, but it was mostly for
| mine and the team's curiosity, and we weren't interested
| in playing benchmark-fight with similar software of the
| world.
|
| Publishing repeatable benchmarks is hard, and when doing
| open source work, it just hasn't been a priority. As I
| replied above, if I'm going to say it I should prove it,
| and I promised to do just that.
|
| And a counterpoint: tailscale does mention in the
| "Tailscale vs Nebula" article on their website that
| performance is just about the same but similarly provides
| no proof. This is motivation enough for me to show proof
| of the opposite, I guess.
| stavros wrote:
| Does Nebula have anything like Tailscale's rules engine? I
| am absolutely in love with being able to configure all my
| connections by just specifying a JSON file somewhere. No
| need to have firewalls, the configuration specifies which
| service or user can talk to which.
|
| That having been said, I also am wary of using Tailscale
| for the same reasons as above, I have to trust Tailscale
| _and_ Github? I can maybe justify trusting Tailscale, but
| trusting GH/Microsoft/other SSO provider is a bridge too
| far.
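The "rules engine" stavros describes above is a default-deny policy file: nothing talks to anything unless an accept rule names the source and the destination host:port. The following is an added example (editor's code, not Tailscale's or Nebula's) of how such a tag- and group-based ACL is evaluated, plus a small lint for rules that accidentally open everything. The policy is a constructed sample in the shape of a Tailscale ACL file; only the "groups" and "acls" keys are modelled, and that subset of the format is an assumption here.

```python
import json

# Constructed sample policy (assumed subset of the Tailscale ACL JSON shape:
# "groups" map group names to users, "acls" hold accept rules with src/dst).
SAMPLE_POLICY = json.loads("""
{
  "groups": {
    "group:devs": ["alice@example.com", "bob@example.com"],
    "group:ops": ["carol@example.com"]
  },
  "acls": [
    {"action": "accept", "src": ["group:ops"], "dst": ["*:22"]},
    {"action": "accept", "src": ["group:devs"], "dst": ["tag:ci:443", "tag:ci:80"]},
    {"action": "accept", "src": ["alice@example.com"], "dst": ["tag:dashboard:*"]}
  ]
}
""")


def _split_dst(entry):
    """'tag:ci:443' -> ('tag:ci', '443'); the port spec is everything after the last colon."""
    target, _, ports = entry.rpartition(":")
    return target, ports


def _port_matches(spec, port):
    """Port spec may be '*', a single port, a range 'lo-hi', or a comma list of those."""
    if spec == "*":
        return True
    for piece in spec.split(","):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(piece) == port:
            return True
    return False


def _principal_matches(principal, identities, groups):
    """A node is described by its identities: the owning user (for user devices)
    or its tags (for tagged machines). '*' matches any node; a group matches if
    one of its members is among the node's identities."""
    if principal == "*":
        return True
    if principal.startswith("group:"):
        return any(member in identities for member in groups.get(principal, []))
    return principal in identities


def is_allowed(policy, src_ids, dst_ids, port):
    """Default deny: return True only if some accept rule covers src -> dst:port."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(_principal_matches(p, src_ids, groups) for p in rule.get("src", [])):
            continue
        for entry in rule.get("dst", []):
            target, ports = _split_dst(entry)
            if _principal_matches(target, dst_ids, groups) and _port_matches(ports, port):
                return True
    return False


def find_broad_rules(policy):
    """Indexes of rules that let any source reach any port on any node.
    Such a rule silently turns the overlay back into a flat network."""
    broad = []
    for i, rule in enumerate(policy.get("acls", [])):
        if "*" in rule.get("src", []) and any(_split_dst(d) == ("*", "*") for d in rule.get("dst", [])):
            broad.append(i)
    return broad


if __name__ == "__main__":
    print(is_allowed(SAMPLE_POLICY, {"carol@example.com"}, {"tag:ci"}, 22))       # True
    print(is_allowed(SAMPLE_POLICY, {"bob@example.com"}, {"tag:ci"}, 22))         # False
    print(find_broad_rules({"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}))  # [0]
```

The evaluator is deliberately accept-only: there is no "deny" action to reason about, so the question for any pair of nodes is simply whether a rule mentions them, which is what makes the policy file reviewable without a separate firewall.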
| rhuber wrote:
| It does! In fact replacing AWS security groups and making
| them cross region and cross platform was probably the
| first goal of the project. My coauthor, Nate, wrote
| Nebula's internal firewall code before we wrote a single
| line of the actual protocol, because he wanted to ensure
| it was performant enough for massive scale.
| stavros wrote:
| Well that is great, thank you! I will play with it today.
| stavros wrote:
| Ah, it looks like the firewall rules need to be copied to
| each host separately. That's not a dealbreaker, but not
| as easy to deploy as having them managed centrally (by
| the lighthouse, I guess?).
| crawshaw wrote:
| Tailscalar here. Tailscale can handle 100k+ nodes with lots
| of churn just fine.
| rhuber wrote:
| Fair enough. I am sure the key distribution is fast and
| all that, but not needing peer key distribution at all
| was a goal and the overhead associated is less scalable
| than just not doing it at all. Regardless, very cool that
| you can handle that many nodes, which is a hard problem.
| I assume you do just-in-time key distribution or
| something, because (n-1) distribution of peer keys would
| be ... less than ideal.
|
| Anywho, the more important bit is my point about
| performance. Nebula is significantly faster than
| userspace Wireguard, and plain userspace Wireguard is
| (last I checked) a bit faster than Tailscale, due to the
| additional code needed for things like your ACLs. At
| gigabit type scale it is probably fine and not
| noticeable, but at Slack, we needed to scale to 10G+ on
| links, while ensuring we didn't take a significant hit on
| CPU resources.
|
| Again, I think Tailscale is very good for its target use
| case as a VPN replacement, and congrats on raising these
| funds!
| lupire wrote:
| > the overhead associated is less scalable than just not
| doing it at all
|
| That's only true if you can actually articulate a reason
| why it won't scale to some magnitude that some user might
| actually need today or at some point in the future.
|
| For example, Go may be "not as scalable as C" (or vice
| versa! Or both!), but what matters is the scale to which
| it is actually desired to be deployed.
| rhuber wrote:
| I mean... the title of the Tailscale blog post is
| "Tailscale raises $100M... to fix the Internet", and
| that's pretty massive scale. /s
|
| I don't have 100k hosts on a large network to test
| deploying Tailscale, but if I did, I'd be benchmarking
| the cpu/network/storage overhead of telling 99,999 hosts
| about a new one that comes online, every time that
| happens, or every time its pubkey changes. You can
| optimize this away _if_ your "fan out" is not as large,
| but there are plenty of cases where every host on your
| network needs to talk to a particular host, so all of
| them need to know about its keys as soon as possible.
|
| Again these aren't unsolvable problems, to a point, but
| we didn't want to solve a problem when we could avoid it
| entirely, so that's the path we chose. It removes
| complexity and is a good part of the reason the system we
| built has been resilient.
|
| A complaint some people express about tailscale is the
| battery life on mobile (or at least iOS). This exists
| because there is coordination overhead on even idle
| tailscale nodes. Back when we ported Nebula to iOS, we
| sweated details like "how often it wakes the radios" and
| did a lot of profiling. I never turn Nebula "off" on my
| iPhone, and it just sits in there in the background not
| using any resources most of the time.
|
| We worked hard to optimize this out of our architecture,
| so that Nebula avoids generating traffic that is
| unrelated to the actual communication between hosts or
| lookups to lighthouses. An idle nebula tunnel can truly
| be idle indefinitely, and that also matters as the set of
| hosts becomes larger.
|
| I do not think the Nebula project and Tailscale are
| direct replacements for each other in any fashion, and
| afaik neither is trying to be. I'm just pointing out that
| different design goals led to unique advantages and
| disadvantages to each architecture.
| FL410 wrote:
| Nebula rocks!
| ncmncm wrote:
| See, I have seen promotions of Tailscale and Zerotier
| before, but this is the first I have heard of Nebula. If
| with Nebula I am not beholden to some internet behemoth who
| may cancel my authentication without notice, I am motivated
| to try it.
| depingus wrote:
| Absolutely love nebula and really wanted it to win when I did
| my overlay network shootout (for personal use). But device
| on-boarding and management was overly complex for a lay
| person (I have a couple users that would require access).
|
| I settled on ZeroTier for now. Unfortunately, I don't think
| ZeroTier is my long term solution. Their self-hosted option
| comes with a plethora of caveats that make it basically
| unusable. And I'm always scared companies that offer free
| versions of their paid product will eventually neuter the
| free tier.
|
| I'll be keeping an eye on headscale. Hopefully they get their
| mobile client situation in order.
| FL410 wrote:
| I am curious what you found complex - was it the PKI? I was
| able to get Nebula up and running WAY faster than any of
| the others. It's two (well really only one) binaries and a
| config file - the simplicity is awesome.
| JeremyNT wrote:
| It's easy to get started, but the issues come mostly from
| managing that "just a config file" over time.
|
| Have a bunch of new nodes? Replacing a lighthouse?
| Revoking and replacing certs?
|
| Here's a mistake that I made personally. Did you read the
| docs fully and realize that the default expiration for a
| CA is one year? The same is true for certificates. You
| need some kind of tooling to rotate certs every year, by
| default, or one day you'll find your entire overlay
| network disappears.
|
| What about the ACL lists? Well, they're just stored in
| that same config file. What if you add a new service you
| didn't count on initially? Or you have a new class of
| clients?
|
| What if your lighthouse needs to change its IP address?
| Or you need to retire and replace it outright?
|
| And if you have hosts coming and going a lot, suddenly
| managing all those configuration files looks like quite a
| pain indeed...
|
| None of this is unsolvable - assuming you have root on
| all the nodes you care about. You could even create
| tooling to automate these things with some kind of
| configuration management system (which indeed, if you are
| deploying to more than a handful of systems, you
| basically _must_ do). But these pain points will
| eventually add up if you are just trying to connect to
| friends.
| depingus wrote:
| Just FYI, when you create a CA cert or sign certs with
| nebula-cert you can specify a -duration. Which I know
| doesn't help you after the fact, but it might help
| someone going forward.
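JeremyNT's point above (a one-year default on both the CA and the host certs, so the whole overlay vanishes on the same day) and depingus's note about -duration are both about the same operational gap: nobody is watching expiry. Below is an added example (editor's code, not part of the Nebula project) of the kind of check a small shop can run from cron over the output of `nebula-cert print -json`. The certificates are a constructed sample; the "details.name", "details.isCa" and "details.notAfter" field names are assumed from that tool's JSON output, not taken from the thread.

```python
import json
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample in the assumed shape of `nebula-cert print -json`:
# one CA plus two host certs. The "laptop" cert is deliberately given a
# notAfter later than the CA's to exercise the clamp below.
SAMPLE_CERTS = [json.loads(s) for s in ("""
{"details": {"name": "homelab-ca", "isCa": true, "notAfter": "2023-05-04T00:00:00Z"}}
""", """
{"details": {"name": "nas", "isCa": false, "notAfter": "2023-05-10T00:00:00Z"}}
""", """
{"details": {"name": "laptop", "isCa": false, "notAfter": "2024-01-01T00:00:00Z"}}
""")]


def _parse(ts):
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def effective_expiry(certs):
    """Map each host cert name to the moment it stops working on the overlay:
    its own notAfter, clamped to the CA's notAfter, because an expired CA
    takes every host it signed down at once regardless of their own dates."""
    cas = [c for c in certs if c["details"]["isCa"]]
    if len(cas) != 1:
        raise ValueError("this check assumes exactly one CA certificate in the bundle")
    ca_expiry = _parse(cas[0]["details"]["notAfter"])
    result = {}
    for cert in certs:
        if cert["details"]["isCa"]:
            continue
        host_expiry = _parse(cert["details"]["notAfter"])
        result[cert["details"]["name"]] = min(host_expiry, ca_expiry).strftime(FMT)
    return result


def rotation_report(certs, now_iso, warn_days=30):
    """Names of hosts whose effective expiry falls within warn_days of now,
    earliest first, so they can be re-signed before the network disappears."""
    cutoff = _parse(now_iso) + timedelta(days=warn_days)
    due = []
    for name, exp_iso in effective_expiry(certs).items():
        exp = _parse(exp_iso)
        if exp <= cutoff:
            due.append((exp, name))
    return [name for _, name in sorted(due)]


if __name__ == "__main__":
    # Both hosts are clamped to the CA date, so both are due well before
    # "laptop"'s own 2024 notAfter would suggest.
    print(effective_expiry(SAMPLE_CERTS))
    print(rotation_report(SAMPLE_CERTS, "2023-04-10T00:00:00Z"))   # ['laptop', 'nas']
```

The clamp is the part worth internalising: a long -duration on a host cert buys nothing if the CA it chains to still carries the default lifetime, so the CA is the date to put in the calendar first.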
| JeremyNT wrote:
| Very good to know! I did learn this and used 10 year
| certs/ca when my originals expired... as will presumably
| most of the other people who didn't fully grok the
| implications of the defaults :)
| rhuber wrote:
| We need to do a better job of this and I'm really sorry
| you had a not-great experience with expiration. Totally
| agree with your take.
| depingus wrote:
| I found it too complex _for a lay person_. On a regular
| computer or server it's not too bad. I can send someone a
| config file with the certs and keys already built in.
| That's easy enough. But on mobile it requires a back and
| forth exchange of keys over a different medium.
|
| Compare that to ZeroTier where I can just tell someone,
| "install this app and punch in this Network ID". Also, ZT
| lets me control the entire network firewall from a
| centralized place. Where Nebula is doing it on a per-
| client basis and requires new certs if device groups
| change.
|
| I don't want to talk up ZT too much though. Their self-
| hosted option is a joke. There is no webui. You have to
| do everything via the API...including the firewall rules,
| and you have to write those rules in the non-human
| readable format that their webui abstracts away. Worse
| still, their mobile apps won't work with the self-hosted
| option. I used them to get something up and running
| quickly, but I'll probably end up on Nebula anyways.
| api wrote:
| > Their self-hosted option is a joke. There is no webui.
|
| There's a community developed one:
|
| https://github.com/key-networks/ztncui
| jupp0r wrote:
| What's your concern, specifically? To me it sounds like
| understanding in detail how oauth works would make you feel
| much better about this.
| aborsy wrote:
| I don't understand why these mesh VPN companies don't take
| themselves out of the trust loop? For example, by supporting
| Wireguard preshared keys (if that makes sense).
|
| In light of the recent incidence at Okta, the risk of the VPN
| company or the identity provider getting compromised, or
| provided with a gag order by the government, should be
| accounted for.
| Pr0ject217 wrote:
| Interesting. That's a non-starter for me as well.
| web007 wrote:
| Your personal dislike of cloud SSO is not the same as "their
| attitude towards privacy". Before you do anything "permanently"
| you should read their reasoning behind that decision:
|
| https://tailscale.com/kb/1013/sso-providers/
|
| > Tailscale works on top of the SSO/IDP/IAM identity provider
| you or your company already use.
|
| > We don't support sign-up with email addresses. By design,
| Tailscale is not an identity provider: there are no Tailscale
| passwords.
|
| > Using an identity provider is not only more secure than email
| and password, but it allows us to automatically rotate
| connection encryption keys, follow security policies set by
| your team (e.g., 2FA), and more.
|
| You can BYO SAML provider if you like, you'll just have to pay
| for it: https://tailscale.com/kb/1119/sso-saml-oidc
| SahAssar wrote:
| Requiring you to disclose info to google, microsoft, okta or
| onelogin can very clearly be an "attitude towards privacy",
| right?
| lupire wrote:
| I can't afford Enterprise "contact us" pricing for personal
| use or small team.
|
| They don't even give the option to try to debug my own
| identity provider.
|
| aka the BYO SAML feature does not exist for personal or small
| team/business users.
|
| But maybe that's the point? TailScale's product is actually
| an identity integration layer for Wireguard? If you don't
| need an identity provider, Tailscale doesn't add value over
| Wireguard?
| colordrops wrote:
| Agreed, if you have no need to bust a NAT, just set up
| wireguard directly yourself, and avoid closed source products
| from corporations managing your most secure and private data.
| Saris wrote:
| Yeah that's the biggest hangup I have, it just seems strange to
| rely on a third party login to be able to access something as
| important as a VPN. If my google account or whatever gets shut
| off for any reason I'd be pretty hosed.
| ignoramous wrote:
| Avery, co-founder at Tailscale, has some strong opinions
| about why SSO is sufficient for their product.
|
| They wrote a bit about their thought process: _Factors in
| authentication_ (2019), https://apenwarr.ca/log/20190114
|
| > _It seems to me that the above successful enrollment
| patterns all use one or more of the following techniques:_
|
| > _A human authenticates you and issues you a token (usually
| in person)._
|
| > _A short-distance, physical link (proximity-based
| authentication) like a biometric sensor, or USB or bluetooth
| connection._
|
| > _Delegation to an existing authenticator [SSO]..._
|
| > _What people tend to miss... is that enrollment is
| necessary whether or not you send a push notification to the
| phone during login. The push notification is only secure if
| this specific browser instance is enrolled; but if this
| browser is enrolled, then the push notification adds no extra
| security... The enrollment was the security._
|
| Fully expect them to ship u2f authenticators or sell them at
| tsCare shops!
| nsm wrote:
| I'm curious. Why not create a new google account that is not
| used for anything but Tailscale and use that?
| tmikaeld wrote:
| I guess their biggest competitor will be Cloudflare Tunnels with
| Access, which does the same thing and more, for free.
| [deleted]
| benjaminwootton wrote:
| Every time I refresh my feed I read about another company raising
| tens of $millions.
|
| A lot of that is Crypto related, but money seems to be absolutely
| flooding into tech at the moment despite all of the doom and
| gloom around
| kall wrote:
| Congratulations to Tailscale. Imagine how many times you can
| migrate to a new novel database architecture with that kind of
| money.
| tomhallett wrote:
| I'm trying to connect Tailscale's product with their goal "The
| internal dashboard and CI system that will never need to be
| public-facing. The HR database that will always have far less
| than a thousand queries per second. The dozens or hundreds of
| devs that ssh or RDP into servers, not the millions of users
| being served."
|
| Does this mean - instead of deploying a dashboard/ci to aws, I
| should host it "locally" on a single computer (macbook, raspberry
| pi) and then internal employees can access that site via
| Tailscale's network layer?
| atonse wrote:
| As I've said in a past thread for another product (oxide), I LOVE
| Tailscale and am really happy for the team for their well earned
| growth and success.
|
| However this is the path that could move them towards being
| pressured to add a bunch of bloat, followed by acquisition
| pressure and a big payout that will likely eventually cause the
| product to stagnate after the founding team leaves and the buyers
| don't care.
|
| I really hope they're all already rich enough that they aren't
| tempted by that. :-)
|
| Update: altered content to add more speculative version.
| jbverschoor wrote:
| Congrats! Solid product, good interface, great positioning
| towards the enterprise
| sk8terboi wrote:
| So it's a way around any firewall and security? Interesting.
| cpuguy83 wrote:
| A phenomenal read on how it works:
| https://tailscale.com/blog/how-nat-traversal-works/
| rvz wrote:
| I bet they will get acquired by Cloudflare. If they reject their
| offer then Cloudflare will kill them.
|
| Sorry.
| mywaifuismeta wrote:
| Nice charts without axes. I use those all the time. Especially in
| pitch decks.
| nix23 wrote:
| I use them in benchmarks too!
| throwaway92394 wrote:
| Am I the only one that has an issue with a VPN that I can't self
| host? Presumably if Tailscale gets PWN'd or subpoenaed then your
| network is breached no?
| moloch wrote:
| No, they don't have access to the Wireguard keys and everything
| is point-to-point. They'd have to push a backdoored software
| update to gain access (and this is a threat with any vendor
| product).
| soraminazuki wrote:
| IIUC Tailscale controls key distribution, so you'd still have
| to trust them. However, it might still be possible to
| eliminate that need for trust by verifying peer connections
| out of band.
| bfm wrote:
| A self hosted alternative we've been using for our
| infrastructure is innernet, which was discussed on
| https://news.ycombinator.com/item?id=26628285 last year
| cassianoleal wrote:
| You're certainly not the only one. There is headscale [0] if
| you're worried about that though.
|
| [0] https://github.com/juanfont/headscale
| aborsy wrote:
| Yes, Tailscale distributes public keys, and can add arbitrary
| nodes to anyone's network.
|
| Not that they do it, but the possibility is there, and one has
| to account for risks.
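soraminazuki and aborsy above describe the same control: the coordination server distributes public keys, so the way to stop trusting it blindly is to verify peers out of band. Here is an added example (editor's code, not Tailscale's) of that check as a detection: compare the peer list the control plane is currently advertising with a list of node keys pinned through another channel, and flag any key that changed or any node you never pinned. The status document is a constructed sample in the shape of `tailscale status --json`; only the "Peer" map with "HostName" and "PublicKey" is used, and those field names are assumed from that command's output rather than quoted from the thread.

```python
import json

# Pins maintained out of band (e.g. keys read off each device's own screen
# and exchanged in person). Constructed sample: hostname -> expected node key.
PINNED_PEERS = {
    "nas": "nodekey:aaaa1111",
    "laptop": "nodekey:bbbb2222",
}

# Constructed sample in the assumed shape of `tailscale status --json`.
# "laptop" shows up with a different key than pinned, and "mystery-box"
# was never pinned at all.
SAMPLE_STATUS = json.loads("""
{
  "Peer": {
    "nodekey:aaaa1111": {"HostName": "nas",         "PublicKey": "nodekey:aaaa1111"},
    "nodekey:cccc3333": {"HostName": "laptop",      "PublicKey": "nodekey:cccc3333"},
    "nodekey:dddd4444": {"HostName": "mystery-box", "PublicKey": "nodekey:dddd4444"}
  }
}
""")


def audit_peers(status, pinned):
    """Compare advertised peers with the out-of-band pins.

    Returns three sorted lists: hosts whose key differs from the pin (a re-keyed
    or impersonated node), hosts present but never pinned (a node added to the
    network by someone else), and pinned hosts that are currently absent.
    Hostnames are assumed unique here; a production check would key on the
    node key itself and treat the hostname as a label."""
    seen = {}
    for peer in status.get("Peer", {}).values():
        seen[peer["HostName"]] = peer["PublicKey"]
    key_changed = sorted(h for h, k in seen.items() if h in pinned and pinned[h] != k)
    unknown = sorted(h for h in seen if h not in pinned)
    missing = sorted(h for h in pinned if h not in seen)
    return {"key_changed": key_changed, "unknown": unknown, "missing": missing}


def is_clean(report):
    """True when the advertised network exactly matches what was pinned."""
    return not (report["key_changed"] or report["unknown"])


if __name__ == "__main__":
    report = audit_peers(SAMPLE_STATUS, PINNED_PEERS)
    print(report)            # {'key_changed': ['laptop'], 'unknown': ['mystery-box'], 'missing': []}
    print(is_clean(report))  # False
```

The check does not stop the control plane from adding a node, but it turns a silent key swap or an extra node into an alert the operator sees, which is the realistic mitigation when the coordination server is not yours to run.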
| cpuguy83 wrote:
| Tailscale's data plane is [1] mostly p2p except for some cases
| where it doesn't work and it goes through an encrypted relay.
| So your data does not run through Tailscale servers.
|
| There is an oss [2] coordination server that does let you
| totally self-host.
|
| [1] https://tailscale.com/blog/how-nat-traversal-works/
|
| [2] https://github.com/juanfont/headscale
| atsmyles wrote:
| Just install wireguard yourself. With Bullseye on the RPi, it
| is easier than ever. There is a learning curve, but it is worth
| it.
| lvh wrote:
| Depends on the kind of breach. Tailscale is extremely carefully
| designed to minimize that risk. Notably: Tailscale doesn't get
| your keys. (Granted: a compromised agent would still be a
| problem. It's a thing I have some plans for :-))
|
| (Disclosure: I'm a (small) investor via Latacora's sibling
| fund, Lagomorphic.)
| abetlen wrote:
| If you run a Kubernetes cluster for self-hosting software or
| development I highly recommend setting up a Tailscale subnet
| router [1]. This will allow you to access any IP (pods or
| services) in your cluster from any of your Tailscale-connected
| computers. You can even configure Tailscale DNS to point to the
| DNS server in your cluster to connect using the service names
| directly, i.e. http://my-service.namespace.svc.cluster.local
|
| [1] https://tailscale.com/kb/1185/kubernetes/#subnet-router
| nitsky wrote:
| I'm a huge fan of Tailscale and the team I work with uses it
| daily, for free, to connect to our servers and each other's
| computers. Thanks!
| adtac wrote:
| >To put the market in perspective, there are VPNs that only work
| if [...] UDP isn't blocked
|
| isn't that true with WireGuard/Tailscale too?
| xena wrote:
| Tailscale employee here. Tailscale has a fallback that does
| connections to a relay server called DERP. DERP works over
| HTTPS, so if you can't access the outside world via HTTPS then
| you have much bigger problems than Tailscale not working.
| anderspitman wrote:
| Is DERP raw HTTP or based on WebSockets?
| stephenanand wrote:
| Ansil849 wrote:
| I couldn't readily find any mention of any third-party security
| audits.
|
| Compare that to the numerous audits a VPN like Mullvad has had -
| https://mullvad.net/en/blog/tag/audits/.
| knur wrote:
| I love tailscale.
|
| Lately I have been migrating all my self-hosted stuff into a
| raspberry pi (instead of running a public instance in the cloud).
| It gives me a bit of peace of mind knowing that it adds an extra
| layer of security (to hit any of my endpoints/apps you would need
| to infiltrate my VPN). And it will save me a lot of money on
| hosting.
|
| I don't need to expose my computers publicly or enable upnp or
| anything. It just works.
| hu3 wrote:
| They are open source too: https://github.com/tailscale/tailscale
|
| edit: Only the client is open source. See clarification below.
| bfm wrote:
| The control server is not open source. Thankfully headscale
| https://github.com/juanfont/headscale is filling that gap
| cassianoleal wrote:
| The clients are. The control server, which is the bit that
| Tailscale host, is not.
|
| There is an open source alternative called headscale [0]. The
| main downside is that you'll need to run it.
|
| The closed source centralised control server has other
| potential issues though, and it ends up being up to the user to
| decide what's the right balance of security vs convenience.
|
| [0] https://github.com/juanfont/headscale
| hu3 wrote:
| Thanks for clarifying. I did not know that.
| gowld wrote:
| To be clear, headscale is an alternative to the control
| server, compatible with Tailscale clients.
| cassianoleal wrote:
| Yes, sorry if my phrasing was confusing. Thanks for
| clarifying.
| l30n4da5 wrote:
| I've been using Tailscale for my local machines for a month or so
| now. Don't really have any complaints about them.
| chimen wrote:
| Funding scares me. It brings sharks onboard who do not share the
| same vision. They will demand revenue and ROI above all else. I
| like Tailscale but I hate this business model down to the core
| (Netlify as an example). Tailscale was doing fine as it was,
| capable people there already. It quickly became an "exit type of
| business", too quickly.
|
| These companies usually bring something really easy to use, let
| people onboard and modify their network/DNS/etc to hell until
| they get vendor stuck and then they squeeze every possible dollar
| out of their pockets. Once you're in, after days or weeks of fine
| tuning, after you managed to pollute your codebase with their
| configs and IP addresses, it's hard to get out.
|
| I suspect those "free slots" will change soon, but we won't see
| those types of graphs anywhere soon and be prepared to get
| charged for bandwidth and everything else possible.
| jnsaff2 wrote:
| > They will demand revenue and ROI above all else.
|
| I don't think this is true. They mostly demand growth over all
| else.
| AceJohnny2 wrote:
| Growth as a precursor for revenue.
|
| Massive growth just means you can dominate the market then
| have more flexibility on the price you'll charge.
| mrkurt wrote:
| Tailscale raised a Series A two years ago. They've been doing
| fine as it was - running a venture funded, high growth startup.
|
| I am wary of investors wrecking incentives for founders but
| that ship sails when you raise an A round. They've done an
| incredibly good job for me in that time, I think they'll keep
| on doing that.
|
| Why would their free service change? They're going to make
| money off big companies. They're not going to make money off me
| with a bait-n-switch to capture my $10/mo personal budget.
| josephruscio wrote:
| Tailscale investor here. I can assure you we share the same
| vision with the founders.
| anderspitman wrote:
| The problem is that vision has a pretty poor track record
| when going head-to-head with incentives.
| ayewo wrote:
| > Tailscale investor here. I can assure you we share the same
| vision.
|
| Outside of say, Garry Tan and Leo Polovets, who could be
| considered regulars, it's rare that an investor shows up in
| the HN comments. Hi!
|
| Your comment is reassuring, but the reality is that other
| investors will look at their portfolio companies, review the
| competitive landscape, then decide that they no longer share
| the vision, in the not too distant future.
| ncmncm wrote:
| You cannot do that. You might personally share a vision with
| somebody identifiable. But the vision you say you share is
| anyway not implemented.
|
| Make the service usable without depending on some internet
| behemoth who might yank my authentication credentials anytime
| without notice, and we can talk.
| josephruscio wrote:
| vision: (noun) the ability to think about or plan the
| future with imagination or wisdom. (verb) imagine
| ncmncm wrote:
| Vision is one thing, shared vision entirely another.
| lupire wrote:
| I have no reason to mistrust your vision or current intent,
| but I also have no reason to believe that you are stronger
| than the weight of $100M dollars.
| archon810 wrote:
| For those curious: https://www.linkedin.com/in/josephruscio.
|
| Seed investor in Tailscale since 2019.
| brightball wrote:
| How does it work for something like a security DVR where you
| can't access the system itself? Is there an equivalent way to
| just access the network like a VPN?
| smackeyacky wrote:
| Yes, you can set up one node as a gateway to the network, then
| access everything on that local network.
|
| I use it this way to access devices that can't run the
| tailscale software.
| bruckie wrote:
| Yes. Tailscale subnet router.
| https://tailscale.com/kb/1019/subnets/
| falcolas wrote:
| First - congratulations! I like the idea behind your product.
| Easily configured VPN tunnels are something I enjoy having.
|
| But, and I'm probably just shouting into the void at this point,
| relying upon your network being secured as a method of securing
| your office/product will only result in heartache.
|
| If you're a company SEO or similar trying to protect your company
| from threats, your first assumption _must_ be "the network is
| compromised" no matter whether it's on the internet, or VPN
| tunnels, or firewalled local network.
| AndyNemmity wrote:
| Tailscale is one of the products I most love. It does what I want
| it to do. I don't have to think about it after that.
|
| If all tools were this reasonable, I'd be very happy.
| RobertRoberts wrote:
| This sounds just creepy that they are suggesting no more
| anonymity on the internet... as a "fix".
| jaywalk wrote:
| What a strange and utterly incorrect way to interpret
| Tailscale's mission.
| orangepurple wrote:
| From the website:
|
| What if we all just had a static IP address, and a DNS name?
| ...and the address migrated around the world with you? ...and
| you could connect to any of your devices no matter where they
| were?
|
| Does this not promote the destruction of anonymity on the
| Internet?
| jaywalk wrote:
| I think you've got a fundamental misunderstanding of what
| Tailscale does. It's all about accessing _your own_
| devices. You don't need or want anonymity in that case.
| They are not a general purpose VPN service, and can't even
| be used as one.
| RobertRoberts wrote:
| No, I think you misunderstand that companies like this
| have huge visions, not tiny ones like "just your own
| devices".
|
| They are claiming they are on the road to "fix the
| internet", their own words.
| cassianoleal wrote:
| > They are not a general purpose VPN service, and can't
| even be used as one.
|
| I'm not sure what you mean by this, but this sounds like
| exactly what they are, with some functionality on top.
| It's what I use to VPN into my LAN from outside, and it's
| pretty general purpose from where I stand.
| jaywalk wrote:
| I'm talking about services like NordVPN, Mullvad, etc.
| They do not funnel your Internet connection through their
| servers.
| cassianoleal wrote:
| Ah, fair enough.
|
| Those are not general purpose VPNs though.
|
| In fact, they are not even VPNs in the first place. They
| merely use the same technology to provide a private
| tunnel to the public Internet (and use the name in
| marketing material because by now people are familiar
| with it).
|
| What they are not is general purpose private networks.
| jaywalk wrote:
| They are absolutely VPNs. If you don't like my term
| "general purpose" that's fine, but they 100% fit the
| definition of VPN.
| cassianoleal wrote:
| A VPN is a Virtual Private Network. Those services you
| mentioned merely provide a secure tunnel to the same
| public Internet you'd have access without them, avoiding
| eavesdropping by your ISP or other intermediaries, whilst
| handing over that capability to the "VPN" provider. There
| is no private network anywhere in this case.
|
| An actual VPN provides you with a _private_ network that
| just happens to work over the public Internet, usually
| encrypted, but is inaccessible from it.
|
| A virtual private network (VPN) extends a private network
| across a public network and enables users to send and
| receive data across shared or public networks as if their
| computing devices were directly connected to the private
| network. The benefits of a VPN include increases in
| functionality, security, and management of the private
| network. It provides access to resources that are
| inaccessible on the public network and is typically used
| for remote workers. Encryption is common, although not an
| inherent part of a VPN connection.
|
| * https://en.wikipedia.org/wiki/Virtual_private_network
| jaywalk wrote:
| Sticking with Wikipedia:
| https://en.wikipedia.org/wiki/VPN_service
|
| Saying that these services are "not VPNs" is unnecessary
| pedantry. Definitions evolve over time, and these
| services meet the common definition of a VPN.
| RobertRoberts wrote:
| If they start off as VPN but morph into something more
| (like Cloudflare, Google, etc...) then it really doesn't
| matter how you define them "today" if their goal as a
| company is to become something more/different.
| lvh wrote:
| No? The fact that some machines (notably: all your _own
| devices_) need to be able to reliably talk to each other
| does nothing to impact anonymity on the Internet. Sure, you
| can route everything out of your own IP using Tailscale
| also, and that might be desirable if you're on a crappy
| connection, but it's still completely orthogonal to
| privacy-preserving techniques like Tor (and may in fact
| make those easier to deploy).
|
| Tailscale doesn't make privacy worse any more than the fact
| that to a first approximation, no residential Internet
| provider in the US has rotated an IP in recent memory.
|
| (Disclosure: I'm a (small) investor via Latacora's sibling
| fund, Lagomorphic.)
| RobertRoberts wrote:
| It's not their "mission" but it is their system. If you have
| a static IP address where "...the address migrated around the
| world with you..." how do you think that will work for people
| that _NEED_ anonymity?
|
| Will they be left out of this new internet?
| jaywalk wrote:
| Tailscale is for accessing _your own_ devices, it's not a
| general purpose VPN service. Anonymity is not a factor.
| RobertRoberts wrote:
| The title of the article from Tailscale is "...to fix the
| Internet"... if it was "only" about "your own devices"
| then you are assuming they are thinking small.
| jaywalk wrote:
| You're assuming that they're thinking something
| completely outside of anything they've ever said, and
| something that nobody actually wants. Your assumption is
| the one that's out of left field, not mine.
| RobertRoberts wrote:
| You haven't proved me wrong, you just said I am wrong.
| jaywalk wrote:
| I don't have to prove you wrong, I'm not making an
| assertion. It's on you to prove that your assertion is
| correct, and you have nothing more than your opinion
| backing you up.
| RobertRoberts wrote:
| The idea of "you have something permanently static that
| identifies what is yours" on the internet that never goes
| away, and it runs through a corporation's server, that
| supposedly is marketed as "fixing the internet"... do you
| really think this sounds good?
___________________________________________________________________
(page generated 2022-05-04 23:00 UTC)