[HN Gopher] Tailscale raises $100M
___________________________________________________________________
Tailscale raises $100M
Author : gmemstr
Score  : 670 points
Date   : 2022-05-04 13:17 UTC (9 hours ago)
web link (tailscale.com)

joshbaptiste wrote:
| "To paraphrase Larry Wall, Tailscale makes easy things easy" .. Indeed, I run multiple devices via two regionally separated homes and two cheap VPS's .. RaspberryPi, Linux, MacOS and an iPhone all able to communicate effortlessly thanks to TS

madjam002 wrote:
| Things I'm really looking forward to seeing from Tailscale / projects I'd like to tinker with:
|
| - Better iOS battery life, there have been many improvements but it's still too much to leave running 24/7, I understand they're making improvements here
|
| - Their in-built SSH server which seems to be in development
|
| - Using Tailscale ACLs to control access to Kubernetes ingress resources, they recently released an nginx auth plugin so I imagine this is now possible if you attach a Tailscale sidecar to the nginx ingress controller
|
| - Arbitrary ACLs which also seem to be in progress, it would be awesome to define in ACLs who has access to different parts of e.g. a backoffice application
|
| - Official support for DNS extra records, already using this with the Headscale self hosted control plane for personal projects but it would be great to use it on Tailscale too
|
| - Kernel Wireguard for the data plane, I think this is on the roadmap?
|
| Overall a fantastic piece of software which I use for both personal and professional projects.

lajamerr wrote:
| I remember reading a previous HN post about Tailscale and a certain commenter said that Tailscale is an ideologically driven, small-scale operation and they prefer an alternative like NetMaker which has more backing.
|
| $100M seems more than a small-scale operation or is $100M in tech actually small scale?
jonfw wrote:
| Tailscale has been much larger than Netmaker for as long as Netmaker has existed

syntaxing wrote:
| Tailscale is absolutely amazing for accessing local first platforms (like home assistant and jellyfin). Sure, I can set up wireguard, but Tailscale is plug and play. Biggest gripe is that it messes with my DNS like nextDNS on iOS.

nickysielicki wrote:
| Tailscale has a fantastic product, I've been extremely happy from day one. If you're waiting for a weekend to have a few hours to try out Tailscale, don't, it takes 15 minutes to get every device you own up and running and talking. This is the lowest friction personal VPN to ever exist, and once you see how easy it is for your own devices, you'll wish you had it at work.
|
| The biggest risk that this company has is that Cloudflare (in all reality) should just buy them or reimplement it. It's the type of product cloudflare would make, that's for sure. Being based on open source wireguard, and being just a STUN/TURN server at its core... I'm sure that Tailscale will be the first but maybe not the best.
|
| I've been dreaming lately of a tor-like network that's based loosely on the idea of tailnets. Rather than blockchain bullshit, you'd have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don't trust, but who know someone you do trust.
|
| Web3 happens when people can host stuff on their phones, and Tailscale is something that lets you host things on your phone.

Melatonic wrote:
| I think your last point is what many of us are hoping Web3 really is

systemvoltage wrote:
| Well put, there is no moat. Corporate customers really don't want yet another network infra if they have Cloudflare + ZTN offerings.
|
| Cloudflare, please make a box I can buy and stick it in the closet with a WAN connection. Routers suck, it's time to reinvent them.
| Also please don't make them look like goddamn spaceships.

jgrahamc wrote:
| What's this box going to do?

systemvoltage wrote:
| I was thinking a router that's connected to Cloudflare network. Every device that connects to it is automatically on Cloudflare tunnels or Tailscale like VPN. And generally do the routing stuff better than Ubiquiti products (can manage your home router through their control panel from anywhere).
|
| Remote devices would need a client installed on it to access the VPN, of course.

babelfish wrote:
| https://blog.cloudflare.com/cloudflare-for-offices/

zionic wrote:

tepitoperrito wrote:
| Like a hybrid NNCP-GO and nebula sdn. Neat!

mnkmnk wrote:
| Cloudflare already has a competing product https://www.cloudflare.com/en-in/lp/ppc/cloudflare-for-teams...

nickysielicki wrote:
| It's not really a competing product until they relaunch it with a heavy consumer focus and with some of the properties that Tailscale has, ie: avoiding going through the cloudflare CDN. But more to my point, cloudflare is definitely in a position to outcompete Tailscale, it's just a couple tweaks and a marketing shift.

ThePhysicist wrote:
| I don't think Tailscale will focus on the consumer market, I'd be very surprised at least if they did. I think they built a developer-friendly product to get mindshare and early adopters, but eventually the real market for such products is in the B2B space, i.e. implementing the "BeyondCorp" model of zero-trust networking. There's also a market for building cloud mesh services but I'm not sure if Tailscale is well positioned for that as there are good open-source solutions available for that already.

ignoramous wrote:
| You're not wrong but they do seem to want to keep focusing on consumers (not just developers), teams, and enterprises all at the same time but _market_ [0] the product differently.
|
| > _If we're going to fix the Internet, there's no point only fixing it for big companies who can pay a lot. That misses the point of the whole adventure. The Internet is for everyone. We have to fix it for everyone, or why bother? We knew we had to design a business model and a technical architecture that removes any incentive to abuse your privacy. Providing an ever-expanding free tier is how we help as many people as possible._
|
| > ...
|
| > _Tailscale's go-to-market strategy is what we call bottom-up growth, or product-led growth (PLG). An earlier name for this is "GTM 3.0", which is explained beautifully in a presentation by Adam Gross... To summarize: in GTM 3.0, you give away an unlimited free tier for individual use (Not a trial, a free tier; this is what makes it different from GTM 2.0). Then, for collaboration in small teams, you charge a bit. Then, for big company control and auditability, you charge even more. At each level, the value proposition is different, so that users use your tech differently and benefit differently from it. And at each level, the buyer is different, so the messaging is different._
|
| From tailscale.com/blog: _How our free plan stays free_, https://archive.is/R7jqw
|
| [0] https://en.wikipedia.org/wiki/Marketing_mix

windexh8er wrote:
| They already (sort of) do [0] as they have a "Personal Pro" plan that's not too obvious - personally, I hope they expand to make it more cloud-native via a la carte pricing for those users as I'd pay an extra $x/month for an additional subnet router or three. And, IMO, it's a smart approach - those who are the targeted "Prosumer" might leverage this for their homelab and carry it over with them into the enterprise. I say that it's a smart approach because in my time at a vendor that was slinging security middle boxes - we used to give away our small form factor product to those homelab'ers for free.
| They'd take them home and see how much the solution could provide, they got comfortable with the UI, and they learned it for their own use cases. And then the path into an enterprise conversation held much less friction.
|
| [0] https://tailscale.com/pricing/

chipsa wrote:
| I think they've said they don't actually enforce the usage limits, so you can add an additional subnet router and they largely don't care (because they haven't put the engineering into enforcing the limits, because it doesn't actually use up appreciably more resources for them when you exceed those limits). I think they do enforce the user limits though.

seedie wrote:
| I remember Astaro did this with their Astaro Security Gateway UTM solution. Provide a full featured software appliance for home users and hope the admins are so caught up that they don't want to change to another vendor at work. Astaro got acquired by Sophos in 2011 but I just checked, they still offer the Sophos UTM Gateway in a Home edition.
|
| https://www.sophos.com/en-us/free-tools/sophos-xg-firewall-h...

nickysielicki wrote:
| It costs them so little to provide their free consumer service (iirc: they fall back to providing transit, but it's very rare and only occurs when UDP is completely blocked) that it benefits them to keep their focus on consumers because if _everyone_ is using Tailscale, the business customers are inevitable.

depingus wrote:
| > I've been dreaming lately of a tor-like network that's based loosely on the idea of tailnets. Rather than blockchain bullshit, you'd have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don't trust, but who know someone you do trust.
|
| Might want to check out Yggdrasil. It lets you create a _real_ mesh routed, E2E encrypted network. You can keep your network private, or connect it to the greater network and route others.
| There's no ring-of-trust (I can't imagine that as a viable solution at scale). But the config file has an AllowedPublicKeys section if you want to specify who can route through your node.
|
| https://github.com/yggdrasil-network/yggdrasil-go

GekkePrutser wrote:
| Thanks, I thought I knew all the major mesh VPN options (tinc, nebula, tailscale, zero tier, hamachi) and yet I never heard of yggdrasil.
|
| This is the kind of comment I love HN for!

ctrlc-root wrote:
| Here's one more: https://fastd.readthedocs.io/en/v22/index.html

siavosh wrote:
| I'm pretty ignorant on this topic, but what are the benefits of having a personal VPN?

stanmancan wrote:
| You can access your home network and any machines on it without exposing anything to the public internet. It's much safer to connect to my home network over a VPN than to expose all of the services to the public internet and hope they're all secure.

criddell wrote:
| Doesn't putting Tailscale in the middle mean you are now hoping they are secure? I suppose that's probably better than connecting to the VPN on your home gateway router that your ISP has access to.

ziftface wrote:
| Some of my friends used it to play older lan games

gzer0 wrote:
| I am able to route traffic on my mobile device through my home network via the use of their "exit node" option. It allows one of my home devices to act as an exit node for my entire personal tailscale network.
|
| This serves multiple benefits: the main one being that I receive pi-hole filtered ad-free traffic on my mobile device via a Wireguard VPN with my home IP 24/7/365

antihero wrote:
| Ah, the exit node thing is really cool, always handy to have a residential IP to route through too :)

karlshea wrote:
| I can do that without Tailscale though by just using the WireGuard app. What is Tailscale adding to this?
ReverseCold wrote:
| > For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.

rrix2 wrote:
| not having to generate, manage, and distribute wireguard secrets and configurations was good enough reason for me to switch.
|
| Tailscale also provides a "magic DNS" service which lets you resolve your Tailscale device names without setting up unbound etc, and which can relay other requests through to your pi-hole or unbound or whatever, which can then listen _only_ on the tailscale IP address, so no need to run an open resolver or deal with source IP filtering.
|
| e: also, you can share devices between tailscale users without generating, managing, distributing wireguard secrets. You send your pal/partner/kid a link and they can access your fileserver or raspberry pi webserver or pihole server for themselves wherever they are.

nickysielicki wrote:
| NAT breaking, I can have a wireguard network with Tailscale where every device only has an RFC1918 address and a default route.

karlshea wrote:
| Ahhh that is slick

devman0 wrote:
| Is forwarding a single port that difficult in most circumstances? I do realize there are some instances where that is hard like CGNAT, but if I have easy access to wireguard in my network already what does tailscale buy me?

donaldihunter wrote:
| I was running Wireguard exactly as you describe, but I'm now using Tailscale because convenience.

anderspitman wrote:
| For more background on just how much Tailscale is doing for you with respect to NAT:
|
| https://tailscale.com/blog/how-nat-traversal-works/

[deleted]

Sohcahtoa82 wrote:
| What other benefits are there?
| I use a PiHole to block ads on my phone already, but I do it via a PiHole installed on an EC2 instance that I also use as an IRC bouncer and other things.

pkulak wrote:
| It means you can self host all kinds of things and never worry about opening a port on your router.

anderspitman wrote:
| As long as you don't need to share any of your services with non-Tailscale users. Otherwise you'll need to set up some sort of public server.

vineyardmike wrote:
| But you can also try to get them to be Tailscale users and effortlessly share the devices with access control features they built. I share my home servers and game servers with family/friends easily while still keeping everything off the public internet.

anderspitman wrote:
| But now your friends and family are locked into a proprietary system, subject to whatever the future incentives of Tailscale end up being. How many people can you connect on the free plan?

Spooky23 wrote:
| It's pretty similar as far as how it works for you.
|
| It may be cheaper to VPN to home vs a cloud server, and you may avoid issues where sites block AWS. You can also securely forward other ports. Sometimes I print or access other services in my house that aren't internet safe.

Sohcahtoa82 wrote:
| I have the PiHole VPN configured so that only DNS lookups go through it. All other traffic is not tunneled. It means I don't get billed for several gigabytes of traffic from AWS and my traffic doesn't come from an AWS IP, but I still get all the ad-blocking benefits of a PiHole.
|
| At home on my desktop, I just use uBlock Origin in my browser.

newaccount74 wrote:
| I use it so I can connect to my work machine (dynamic IP on office wifi) from my laptop (dynamic IP, home Wifi).
|
| It's also great to be able to just ssh into your laptop at home when you're at work and you forgot to push whatever you were working on last night.
|
| It's not necessary, but Tailscale makes a lot of things just easier.

yeswecatan wrote:
| > It's also great to be able to just ssh into your laptop at home when you're at work and you forgot to push whatever you were working on last night.
|
| What's the difference between using Tailscale for this and just opening the port on your router?

pkulak wrote:
| Like a million times more secure.

colordrops wrote:
| Someone answered above - it works even if you have no router you can configure, using NAT busting. I do what you suggest though, just setting up wireguard directly on my OPNSense router. I don't want to get any private company involved in my VPN setup.

pimeys wrote:
| Easier. And you don't open the port to a public network.

GekkePrutser wrote:
| For me: direct routing between endpoints, thus reducing the lag and spec restrictions you get from routing through a single VPN server.
|
| Other things are seamless transition to local networks, and you can even have local network encryption.

shepherdjerred wrote:
| I have a server at home with file syncing, personal media, and home automation. I want to be able to access it remotely, but I'd rather some of those things not be publicly accessible for security. I could always do HTTP auth with an nginx reverse proxy, but it's not a very smooth workflow and it relies on me being able to configure my server/services correctly.
|
| Instead I can bind my services to Tailscale's network interface and access it anywhere that I'm connected to my Tailscale network. It's like authentication for free.
|
| As a side note I know this is an anti pattern since one intruder can access all of my services, but that's not a vector I'm really concerned about since I'm not exactly a high value target.

jjeaff wrote:
| I don't think that is an anti-pattern.
| One well secured point of access is better than various http access points with varying levels of security and maintenance levels, all requiring frequent manual update to stay secure.

shepherdjerred wrote:
| I meant that for larger organizations where security is a concern you'd want both -- your network should be secured and the individual applications should be as well. Again it's contextual advice and really doesn't matter for my internal site where there's not too much at stake.

anderspitman wrote:
| > Web3 happens when people can host stuff on their phones
|
| This has essentially been the guiding principle of my side projects for the last two years. Folks shouldn't need to understand DNS, TLS, HTTPS, IP addresses, ports, NAT, CGNAT, etc in order to own their data. Self-hosting a small server for you and your friends shouldn't be any more difficult or less secure than installing an app on your phone.

lazzlazzlazz wrote:
| > a direct ring of trust with friends
|
| The vision you outlined is great, except it doesn't work. The trust assumptions are too high, and even a great product like Tailscale seems to rely completely on centralized identity providers (you have to choose Google, Microsoft, or Github on sign-in).
|
| Ultimately, if you want to maintain full control of your online identity and network, you'll probably need some of the decentralized (but economically aware) resources you seem to have issues with -- or at the very least a means of transitioning authentication to private key methods with DIDs.

nickysielicki wrote:
| I feel like people are so concerned about infinite scaling that nobody ever tries to scale to 5 anymore.
|
| I have a big collection of movies, and I'd like my mom-technical blue collar friends to be able to watch them. I trust them, and I have trusted communication channels with them. We exchange keys _somehow_.
|
| With the sort of routing I'm describing, they could watch my movies and I wouldn't have to have a public IP address. And I wouldn't mind if their friends (that aren't my friends) watch my movies, either, by forwarding through my friends. What's the catch? This could work for that. How could I do this _today_?
|
| I don't have any ideological or moral problem with blockchains, I just think they suck at solving problems where the requirements for trust are low or met elsewhere.
|
| edit: mom-technical was a typo of non-technical but I'm leaving it because it's more accurate.

depingus wrote:
| > And I wouldn't mind if their friends (that aren't my friends) watch my movies, either, by forwarding through my friends.
|
| This is the part that doesn't scale. Hell, this is extremely risky even at a small scale. You don't know who your friends' friends are, you will have friends that abuse this, and you will end up with a much larger network than you anticipated.
|
| How many of your friends and family are "friends" with bots on Facebook?

anderspitman wrote:
| Definitely stealing mom-technical. Though I do disagree somewhat with the conflation with blue-collar. I would almost argue white-collar folks are less likely to understand computers.

cma wrote:
| What are DIDs: Device IDs?

lazzlazzlazz wrote:
| Decentralized Identifiers: https://www.w3.org/TR/did-core/

zanny wrote:
| I self host headscale as my control node of my tailscale vpn so no sign ins required, I just give keys out to anyone I want in my vpn.
|
| My problem is the client doesn't support multiple servers, so I can't have a work vpn and a home vpn, not even with an easy toggle - you have to run tailscale with different conf options for both. Changing namespaces also isn't easy, so having friends and family segregated even on one server is also a pain point.
GekkePrutser wrote:
| Thanks, the main objection I have with tailscale is that you can't self-host (and you need external identity providers). I had no idea there was a self host option. I'll investigate. I assume it's an unsupported community option?

seedie wrote:
| op is talking about headscale [0] "An open source, self-hosted implementation of the Tailscale control server"
|
| [0] https://github.com/juanfont/headscale

polote wrote:
| > The biggest risk that this company has is that Cloudflare (in all reality) should just buy them or reimplement it. It's the type of product cloudflare would make, that's for sure.
|
| The same thing is being said on HN about all kind of network software, but tell me one software that Cloudflare is really known for except its cdn ? None.
|
| HN is really a strong echo chamber and some people believe Cloudflare and Stripe are going to be the leader in all software areas. (Even though Cloudflare is not the leading CDN and Stripe is not the leading payment processor). They are both amazing companies but they won't fix all problems of the world. I would even argue that they won't even solve more than their current core domains

freedomben wrote:
| We must be in different circles, because WAF (web application firewall) is what I would say they're most known for. But I agree Cloudflare isn't well known (at least yet) for many of the other things they offer. Been a lot of buzz around workers but I haven't tried it myself yet.

devman0 wrote:
| CDN and Reverse Proxy are Cloudflare's bread and butter really, WAF came later. The issue is that those technologies are rather invisible to most users when they are working correctly.

nickysielicki wrote:
| I bring up cloudflare because the technologies involved with Tailscale are really cloudflare core competencies. Cloudflare runs 1.1.1.1/WARP which is a massive dns server and wireguard VPN, respectively.
| They already have Cloudflare Access. It's a natural fit. It's pretty easy to imagine that cloudflare is better positioned to steal customers from Tailscale than Cisco, F5, or Fortinet.
|
| Cloudflare needs to solve two problems: they need to introduce a free tier of Access that doesn't use the CDN and creates direct connections between endpoints (to basically remove all operating costs), and they need to make the onboarding process for hobbyists easier instead of having a "contact sales" link on their homepage for these products. That's doable.

1vuio0pswjnm7 wrote:
| "Being based on open source wireguard, and being just a STUN/TURN server at its core... I'm sure that Tailscale will be the first but maybe not the best."
|
| I like this assessment. "[J]ust a STUN/TURN server at its core." It gives me hope maybe more people are starting to learn how to look at peer-to-peer not as something that is unreasonably complex and off-limits to ordinary users. LAN-like connectivity is not just for offices and gamers.
|
| Of course, following a STUN/TURN standard is just one approach to a rendezvous server. It isn't the first or last approach to have worked.
|
| By "rendezvous server" I mean a program that accepts connections and saves each client's address and open port number and makes this data available to other connecting clients, thereby allowing one client to connect _directly_ to another client _without involving the rendezvous server_. The server needs only to tell clients about IP addresses and port numbers, nothing more.^1 Thus it can be a relatively small, relatively simple program.^2
|
| I hope that going forward there will be even more choice in small, open source rendezvous servers, not created for commercial purposes, that ordinary users can run on globally reachable IP addresses. Most users must "lease" these addresses from others.
| Because not every user has a globally reachable IP address available, the use of "hosting" and now what people today call "cloud" services has been necessary.
|
| Enormous amounts of traffic are passing through these third party "cloud" providers. They are, to use a popular term, "gatekeepers". Business customers, including ones who already control globally reachable IPv4 address space, let alone individual customers without such resources, are effectively beholden to them if they want to be on the internet. Not only that, the services are generally expensive.
|
| However no data needs to be sent to or received from a rendezvous server other than address and port information. If customers are charged based on ingress/egress, it could be affordable for users to run these small programs on a "cloud server" due to the smaller amount of data transfer. With less data being sent to these third party providers, the privacy concerns would arguably be reduced as well (cf. eliminated).
|
| The ability to connect devices directly over a network, including the internet, should not be monopolised like so many other aspects of the computers and the internet today. It should be available for everyone. The only cost should be paying for the globally reachable IP address and a tiny amount of traffic required for running a rendezvous server.
|
| 1. The advantage here is that the program can be easier and quicker to compile and users may be more inclined to read the source code and, optionally, make edits and recompile. Non-commercial, not a complex program like a web browser that is prohibitively slow to compile that almost no one compiles for themselves, nor one that few people have both the aptitude and inclination to read, edit and improve its source code.
|
| 2. Yes, there can be exceptions. For example, in some cases two clients using the same ISP might not be able to reach each other directly.
| But these cases are the exceptions, not the rule.

wackget wrote:
| > Gets $100M investment
|
| > Still produces graphs without axis labels

mengibar10 wrote:
| Excuse my ignorance but this is something I have been longing to ask for. Do these services compromise security? Wouldn't you put too much trust on these services, like 1Password. If that service is compromised in some way aren't you exposed? Is there a good article debate on this topic. Thanks.

anuvrat1 wrote:
| There exists ZeroTier too, which can be self-hosted.
|
| [1]: https://www.zerotier.com/

flemhans wrote:
| What's the state of affairs when it comes to self-hosting?
|
| I'm waiting to deploy either Nebula, ZeroTier, or Tailscale, but we don't want to rely on third parties for auth or coordination.

fullstackchris wrote:
| Crap... is this literally the product I've been MVPing the past few weeks? (https://kurynt.com) - or do I still have a chance?
|
| Full disclosure - there is little to no functionality yet, but the homepage is enough

fullstackchris wrote:
| OK, reading the comments it is a totally different product, but I guess I have to try it!
|
| "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere."
|
| Okay... at first I said to myself, _no way_. But then I thought, "Any sufficiently advanced technology is indistinguishable from magic."

api wrote:
| As the founder of what some say is a competitor (ZeroTier) I'd like to congratulate the Tailscale team. We don't really see Tailscale as the competition. We see the competition as:
|
| (1) The old school castle and moat IT model that dominates at 99% of companies. If we can disrupt this then TS, ZT, and four other upstarts could all become billion dollar companies. Right now 1-2% of this market has been disrupted at most.
|
| (2) The put everything in the cloud and everyone gets a thin client model.
| If that wins then _all_ of us lose because there is no market for endpoint connectivity. We also lose all privacy, all data ownership, and all ability to experiment or innovate without paying for it by the instance-hour with TOS-enforcement bots looking over our shoulder.

hwpky wrote:
| Agree with this Adam.
|
| Avery and the team at Tailscale are building a fantastic product and totally deserve the round and recognition, huge congratulations - we're super happy for them.
|
| In many ways they're also an ice-breaker for the zero trust overlay network architecture, which means they've got the most work to do. As the current top comment on this thread correctly notes, with huge investment comes the obligation to eventually pay it back.
|
| The market hasn't even come close yet to crossing the chasm and seeped into mainstream conscience to become the accepted norm - yet.
|
| That said, we believe fiercely that networks should be simple to reason about, easy to use and safe to operate. That private connectivity should "just work", and just work in exactly the same way, everywhere too. Flexible to change, simple to automate and only available to the right things at the right times.
|
| When you think about it, building private networks is actually pretty complex right now and can be pretty insecure too. It's some unholy combination of spell casting meets a yak shaving contest to wrangle firewalls, VPNs, MTUs, and manage IPs, subnets, ACLs, NSGs, VPCs, NAT, routing, VLANs, certificates & secret keys, then hoping a zero-day doesn't show up that drops someone straight into the network via the VPN server, who then starts poking around the squishy centre.
|
| Once you've used products like Enclave, Tailscale or ZeroTier and seen how simple private networks really can be - at a certain point you almost stop and ask the question, why would you not do it like this.
|
| There will always be nay-sayers and people for whom this approach just isn't a fit, and that's fine - but I personally find it hard to imagine that this genie can be put back in the bottle.
|
| - Founder @ https://enclave.io

api wrote:
| What will happen over time is that as we disrupt old-school IT and re-introduce the idea that you can own your own compute (disrupting the everything-cloud model) the various participants in this new area will find niches in which their specific strengths and features shine the most. This always happens. Look at databases. There are like 10 decent sized database vendors for a reason, not to mention several paradigms: SQL, NoSQL, NewSQL, GraphQL, etc.
|
| But if we don't succeed in disrupting the actual competition everyone fails.
|
| At least that's how I look at this market.
|
| Of course I'm also a mostly-follower of the "ignore your market peers, focus on the customer" philosophy. Your greatest competition is always your own shortcomings.

ryanar wrote:
| I am guessing two of the other startups are strongDM and Teleport. Wonder what others are in this space and have gone to Series B+

Dave3of5 wrote:
| Crazy how people can raise these sums of money, it's all about who you know.
|
| I also notice they have a careers page so I had a gander. A 6 stage interview process! Good lord tech companies really have gone down the shitter

[deleted]

ineedasername wrote:
| It sounds similar to what hamachi _could_ have been if it was really invested in product management & enterprise features.

orliesaurus wrote:
| interesting, that's the first thing I also thought of! (in fact I grep'd "hamachi" on this thread) I totally agree - it's a shame hamachi just gave up

jonfw wrote:
| There is another interesting company in this space- Netmaker[0].
| It's been getting a lot of traction in the homelab space- namely | because it takes advantage of kernel wireguard, which is more | performant than the userspace wireguard that tailscale uses. | | [0] - https://www.netmaker.org/ | [deleted] | apeace wrote: | Tailscale's CEO has been tweeting a series of "rejected | headlines" for their fundraising announcement. They're pretty | funny. I thought the HN crowd would like this one: | | > Tailscale raises $100M to do what any Hacker News reader could | have done in a weekend [0] | | [0] | https://twitter.com/apenwarr/status/1521873453921583105?cxt=... | anderspitman wrote: | Makes me miss n-gate. | jrockway wrote: | There are already comments where people are showing their | simple 400 step procedure that can get you 1% of Tailscale. | | Never forget https://news.ycombinator.com/item?id=8863 | newhouseb wrote: | Tailscale is my favorite (product) discovery of 2022. I initially | set it up to use as a VPN to get around a misbehaving corporate | firewall and accidentally realized it solved a whole bunch of | other problems I didn't realize I had. Usually a new product | doesn't even live up to the intended use case and so TS is really | anomalous IMHO in how good it is. | | - SSH'ing into a raspberry pi I have at home that does random IoT | stuff. | | - Accessing servers on my local dev machine from other devices | for testing (i.e. a Windows box or phone) | | - Giving access to production bastion devices without publicly | exposing anything to the internet. | | And best of all I don't have to fiddle with the usual networking | stuff. It just works. Kudos on the raise! | | Non-disclaimer: I have no relation to anyone on the team. | Tailscale is just a delight to use. | cogogo wrote: | I've been using it since last summer to SSH to my pi too. Huge | relief in terms of securing it. Easy to install and it just | works. I'm not particularly savvy either. 
| | My only complaint is that if you use it on your phone (iphone | 11) and forget to turn it off it drains the battery like crazy. | natrys wrote: | When I tried Tailscale it seemed to have high CPU problem in | general under reasonable load. I don't remember the numbers, | but it made me uncomfortable to use it in my low powered | servers. I wonder if this is the consequence of being a | userspace program unlike wireguard kernel module. | fullstackchris wrote: | But HOW can this work? It MUST have config level access to each | machine, that's the only way I can see this working. I guess I | just have to try it to see. | ramary wrote: | It's a really neat piece of software - you're right that it | does have the ability to configure your system, routing | tables in particular. | | The Tailscale agent (thing that runs on your machine) changes | the system routing table (at least on Linux) and uses | policy-based routing (marks packets destined for the "Tailnet" | specially) to build the overlay network. Since everything is | done at L3 in the OSI model, iOS and Android clients (in the | form of an app) are also available without needing root | (jailbreaking). | | There are some things it can't do owing to the whole thing | operating at L3, but it's a really awesome implementation | nevertheless. And just to add, they aren't the first to build | a product like this, but they do it incredibly well and the | time to value for most users is extremely short, made even | better by the fact that the expectation is that the time to | value will be long(ish) and painful. | chrisweekly wrote: | Similar experience. It's profoundly good UX atop a | fundamentally strong stack. | jclardy wrote: | Same here - I've found a ton of uses, for one I can now access | my Home Assistant instance without actually exposing it to the | internet. Same for the linux VMs I run via ESXi on the same | Intel NUC.
I can also access my QNAP NAS without exposing that | to the internet which is huge given how many vulnerabilities | have been found with it. | | It actually allows me to turn my iPad Pro into a proper | development machine as long as I have access to the internet | since I can write code locally via Textastic, push to my git | repo and test via the VM connected to Tailscale. Of course this | was possible with a box on DigitalOcean but I prefer not to pay | monthly for a machine just for noodling around. | planb wrote: | SSH'ing to a raspberry pi in my parent's basement where my beer | is fermenting has been the killer use case for me. Their crappy | ISP router does not allow port forwarding, but with Tailscale I | can directly access the sensors. Only today I learned that I | can even use Tailscale as an exit node (to the internet or the | local network) and therefore use it like a normal VPN. | bovermyer wrote: | So how do you use this for personal stuff? I know you mentioned | the Pi, but what else do you use it for? | anderspitman wrote: | Why use SSH? With Tailscale all you need is rsh ;) | aaronax wrote: | I have heard of but never really looked into Tailscale until | today. I'm not impressed. | | "Fixing the Internet" is not done by layering more private | network garbage on top of it. | | Their claim[0] that after you install Tailscale on all your | devices: "This final configuration is called 'zero trust | networking'," is pretty interesting. It seems this would be more | like having a trusted internal network (sure it is overlaid on an | untrusted network). A true zero-trust network would mean all of | your clients and servers are secure in a manner that they can | operate on the public Internet...like O365, Salesforce, etc. To | say that you run a zero-trust network because you implement a | fancy VPN is C-suite dreaming at its finest.
| | "get around a misbehaving corporate firewall" like newhouseb | sings praises for is exactly the sort of thing that should be | happening less, and the opposite of "fixing the Internet". Follow | the policies of the network you are being allowed to use, or | lobby for them to be fixed. Don't like ISPs messing with DNS | traffic? Get rules/laws implemented that prohibit that, instead | of garbage like hiding your DNS in DNS over HTTPS. (DNS over TLS | seems more acceptable to me.) | | [0] https://tailscale.com/blog/how-tailscale-works/ | newhouseb wrote: | To be fair, my "misbehaving corporate firewall" is actually my | apartment that has building-managed internet wherein everyone | is NAT'ed to the same fiber connection. | | For whatever reason, SYN flooding detection triggers when you | do more than a few TCP connections per second which makes most | TCP-based things super frustrating and their IT is clueless as | to how to fix it. | rcfox wrote: | "Don't like entities abusing their power over you? Just change | the laws that allow them to do that!" What. | gkbrk wrote: | This is how people fix things caused by commercial entities | being abusive. It's done quite a bit, most of the critical | things people rely on are regulated. | | Do you live in a place that doesn't regulate things? | rcfox wrote: | You could spend time to learn about the process, deal with | months or years of lobbying, deal with counter-lobbying, | and eventually win your position or maybe not. Or you could | use this technical workaround. | | And maybe we're all worse-off for it, but now you're done | dealing with that issue. | aaronax wrote: | Yes, so I think it is reasonable that someone who | stumbles upon $100,000,000 and wants to "fix the | Internet" aim a little higher than making it as easy as | possible to do the technical workarounds that leave us | all worse-off.
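ramary's comment above describes the Linux agent marking packets and using policy-based routing so that overlay traffic goes into the tunnel while the tunnel's own encrypted packets do not. The following is an added example written for this page, not code from the thread or from Tailscale: a small Python simulation of the "ip rule" / routing-table lookup that shows why the mark matters (without it the encrypted packets would themselves be routed back into the tunnel). The table number 52, the mark 0x80000, the rule priority 5210, the prefixes and the interface names are illustrative values assumed for the example.

```python
"""Simulate Linux policy-based routing for an L3 overlay (added example).

A rule sends unmarked packets to a dedicated table whose routes point at
the tunnel interface; packets carrying the bypass mark skip that table and
fall through to the main table. All numbers below are assumptions chosen
for this example, not values taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

BYPASS_MARK = 0x80000   # assumed fwmark set on the tunnel's own UDP packets
OVERLAY_TABLE = 52      # assumed dedicated routing table for the overlay
MAIN_TABLE = 254        # the Linux "main" table


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None


@dataclass(frozen=True)
class Rule:
    priority: int
    table: int
    not_fwmark: Optional[int] = None  # match only packets WITHOUT this mark

    def matches(self, fwmark: int) -> bool:
        if self.not_fwmark is None:
            return True
        return (fwmark & self.not_fwmark) != self.not_fwmark


# Constructed tables: overlay prefix 100.64.0.0/10 behind tailscale0,
# a LAN of 192.168.1.0/24 and a default route behind eth0.
TABLES = {
    OVERLAY_TABLE: [Route(IPv4Network("100.64.0.0/10"), "tailscale0")],
    MAIN_TABLE: [
        Route(IPv4Network("192.168.1.0/24"), "eth0"),
        Route(IPv4Network("0.0.0.0/0"), "eth0", IPv4Address("192.168.1.1")),
    ],
}

# Lower priority number is consulted first, as with "ip rule".
RULES = sorted(
    [
        Rule(priority=5210, table=OVERLAY_TABLE, not_fwmark=BYPASS_MARK),
        Rule(priority=32766, table=MAIN_TABLE),
    ],
    key=lambda r: r.priority,
)


def longest_prefix_match(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Pick the most specific route containing dst, or None."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_packet(dst: str, fwmark: int = 0) -> Optional[Route]:
    """Walk rules by priority; the first table holding a matching route wins."""
    addr = IPv4Address(dst)
    for rule in RULES:
        if not rule.matches(fwmark):
            continue
        hit = longest_prefix_match(TABLES[rule.table], addr)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    # An unmarked packet for an overlay peer goes into the tunnel.
    print(route_packet("100.101.102.103").dev)             # tailscale0
    # The tunnel's own encrypted packet to a peer's public endpoint is
    # marked, skips table 52 and leaves via eth0: no routing loop.
    print(route_packet("198.51.100.20", BYPASS_MARK).dev)  # eth0
    # LAN traffic is untouched by the overlay.
    print(route_packet("192.168.1.50").dev)                # eth0
```

The point to take from the simulation is the third case in `route_packet`: a marked packet addressed to an overlay address is deliberately routed around table 52, which is the mechanism that stops the agent's encrypted traffic from re-entering the tunnel it just left.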
| Thaxll wrote: | > Get rules/laws implemented that prohibit that | | You know this does not work in the real world right? | stephenanand wrote: | user3939382 wrote: | Every time I've looked at setting up distributed VPN I've wanted | layer 2, I haven't used WireGuard yet but apparently it's layer | 3. I would love to be able to connect remotely and have my newly | connected machine act like just another machine on the LAN. That | in turn makes all kinds of other network-related operations | simpler and homogeneous, in that the remote property of the | connected machine(s) is abstracted away. | Meleagris wrote: | Check out ZeroTier. I believe it fills the same needs as | Tailscale, but with layer 2. | jollybean wrote: | " What if we all just had a static IP address, and a DNS name? | ...and the address migrated around the world with you? ...and you | could connect to any of your devices no matter where they were? | ...and it was always encrypted? ...and there was always a | correctly configured firewall? ...and you never had to worry | about certificates? ...and every device in your organization was | tied to a user identity and SSO and MFA? ...and all this just | happened automatically? " | | So why do people care about that? | | Those all seem like positive things but they are in and of | themselves, not value creating. | | From this article and even their landing page ... I think they | might need an explanation that makes more sense than | IT/Networking Admin. | | Even as a developer, I don't quite see the obvious benefit. | | Instead of talking about 'what if you could have this tech that | does ABC' - instead, talk about it in terms of problems 'what if | you didn't have this problem or that one'. etc.. | MobiusHorizons wrote: | Have you ever tried running a server or sshing to things that | weren't in a cloud provider? Have you ever run something you | want to access over the internet without wanting that thing on the | open internet getting attacked?
Tailscale provides a solution | to the problems you run into in those situations. It gives you | a way to access (or selectively give specific people access to) | these devices from anywhere on the internet while still having | those assets behind a firewall. | HWR_14 wrote: | I know it was supposed to be a funny throwaway line, but I am | irked by the "with $100 million you could interrupt the Super | Bowl for 7 full minutes." That's not how sports advertising | works. You are bidding on a limited amount of space determined by | the game. I think there is also a non-linear cost. | jaywalk wrote: | Of course the NFL would never allow a 7 minute commercial | break, although I do believe that the cost is linear. A 60 | second commercial's cost is simply 2x 30 second commercials. | There's no reason to do anything differently, since in the end | it doesn't matter if those 60 seconds are filled by one or two | commercials (aside from making the ad sales team's job slightly | easier by having one less spot to fill). | HWR_14 wrote: | I think there are reasons why cost would be nonlinear. First, | there's simply demand. The people who want to do 60s clearly | have a reason that 30s won't work, so they may be willing to | pay more (certainly they won't pay less). It's a different | segmented market. There is a reason companies with lots of | commercials tend to also be official sponsors of the Super | Bowl. Second, practically it costs more. Ads are reshuffled | around in real-time and the number of times you can be sure | you can broadcast a 60 second spot are less than you being | able to broadcast a 30 second spot, since the action may | resume at an indeterminate time. Third, the Super Bowl | specifically sells itself on the quality of the ads. It could | do long term damage to the Super Bowl if the ads one year | were just one company and not the funny celebrity heavy spots | people expect. | jaywalk wrote: | > the action may resume at an indeterminate time.
| | This is not true. The commercial breaks in all US pro | sports have a pre-determined length, and the game action | will not resume until the broadcast has rejoined (outside | of a mistake somewhere along the line). In the NFL, they | have a countdown timer on the stadium scoreboard indicating | how much time is left in the commercial break, and even a | dedicated guy who stands on the field next to a referee, | talking to the TV truck to confirm when the broadcast has | rejoined. | pilif wrote: | With such a huge investment comes the obligation to eventually | pay it back. Is this another one of my favourite tools going the | way of Dropbox, 1Password and all other companies that were | formed around what should be a platform feature, which took on | way too large investment sums and were eventually forced to | become the everything, losing sight of their core values? | | I sincerely hope not, but there's so much bad precedent. | IceWreck wrote: | Even if it does go away, you're not losing anything. Its | functionality can be replicated with a USD 5 VPS using Slack's | nebula (not wireguard based) or any wireguard based tool like | headscale, innernet, netmaker or plain old wireguard. | oicU00 wrote: | It's a basic web UX over a built in Linux kernel feature | | There are Docker containerized apps that manage Wireguard too | | Maybe contribute to one and fret less about behavior of VC | funded business and wondering if they're actually respecting | your privacy to accomplish finance goals | airstrike wrote: | "It's just FTP with curlftpfs and SVN" | shepherdjerred wrote: | It handles a lot more than that, right? It does all of the | key distribution and rotation which is a pain. | oicU00 wrote: | If they can do it it's not impossible (they're just people | after all). | | With an open source implementation out there, anyone can do | it merely pulling a Docker container, and without paying | Tailscale.
| | Regardless I manage a dozen users with no issue using | Embark's container; once they're set up I touch nothing. | | Paying people is not working with people; it's working with | a specific group. Open source is working with people. | [deleted] | samhw wrote: | If the open source implementation is equally good, I'm | sure people will use that instead of Tailscale. That | Tailscale exists makes me suspect that the open source | implementation - as is usually the case with these "just | use curlftpfs!" comments - _is not_ equally good. | | The reality is that making software, like any other human | endeavour, takes time and energy. Paying one another | money is a rather well-established mechanism of rewarding | and incentivising that time and energy (since not | everyone wants to work free of charge to make and | maintain software for you, out of the goodness of their | hearts, no matter how much you insist that you're owed | their unpaid labour). | | There are small and local means of getting free food, or | free woodworking, etc, but the general reality is that a | high-quality high-dependency maintained product, over the | long term, is more feasible when it's paid. | shepherdjerred wrote: | It's the same argument as the famous Dropbox comment[0]. | I'm generally going to prefer a polished service over a | technical solution. | | [0]: https://news.ycombinator.com/item?id=9224 | shepherdjerred wrote: | I haven't paid them a penny despite using their product | for a while. And now that I've realized this, I've signed | up for their personal pro plan. | ramraj07 wrote: | Dropbox has been fine ish? Like not stellar but it's still | something I use as one of my core tools and pay for. | skoskie wrote: | Ditto, but the fact that they still can't handle more than | ~300k files is a long-standing problem they have yet to | solve.
I have close to a million syncing files and startup | time for the app takes about 20 minutes on a brand new MBP, | and CPU and overall energy usage is ridiculously high. All | while they keep pushing me to back up more files. | | I pay over $700/yr for their business plan and would like to | have better performance for it. | kbumsik wrote: | Really? I have more than 1000k files and I have never faced | issues for more than 7 years. | YPPH wrote: | How has 1Password lost sight of its core values? | | Perhaps you refer to loss of local vaults? If so, they were | never really a viable option for me - I needed the app syncing | across multiple devices, including mobile, and doing so with a | third party sync solution wasn't suitable. | criddell wrote: | For me, it was their switch to an Electron app. "High | security" and "built from dozens of third party libraries and | running on a browser" don't belong together. | danenania wrote: | Electron actually offers some of the best | dependency-isolation capabilities of any language/platform given that | you can set a content-security policy and leverage Chrome's | extremely robust sandboxing to prevent front-end | dependencies from accessing the file system, making network | calls to untrusted domains, making system calls, calling | 'eval', etc. | | A fully native app will offer you no such protection. If a | dependency used for styling or animations or whatever is | compromised, it will have total access to the system and be | able to exfiltrate at will to any location. In Electron, | the equivalent dependencies can instead run inside the CSP | sandbox, preventing them from doing any serious harm. | | Supply chain vulnerabilities also aren't unique to npm. Any | project that uses dependencies (in any language) has the | same issue. | YPPH wrote: | The choice of tech stack for a desktop application seems | like an interesting basis to claim a company has lost touch | with its core values.
| skoskie wrote: | I'm fully in the camp who believes critical, top-level | security should not co-exist with npm pulling dozens of | 3rd party libraries which each pull even more 4th party | code. | | Is there anyone here with a counter argument? Has a | security review been performed on each dependency? Any | reason to think my fear is unfounded? | dcow wrote: | And what should replace it? Rust? Cargo? Oops. (I believe | 1Password uses Rust for security-sensitive parts too, | btw.) I'd genuinely like to know what the correct tech | stack for a password manager is today because using the | right one is important to my current endeavor. | | Regardless at Uno we're working on a password manager | with a native app and rust core. It's geared more towards | everyday consumers than power HN users, but you might | find it interesting. The rust core including api server | is open source right now because that's one point where | we diverge from 1P. Whatever tech stack you choose, it | needs to be openly auditable so that the community can | collectively ensure it remains secure. | https://github.com/withuno/identity | smilespray wrote: | Moving from a native app to an Electron-based one has a | definitive impact on usability. Calling it a tech stack | choice is a bit dismissive. | | They used to have a kick-ass Mac app. That appealed to a | considerable amount of their users. Then they ditched the | native app for Electron, and those same users were | disappointed. | dcow wrote: | Which functionality was removed by switching stacks? What is | the actual usability impact? I currently use 1Password7 | and haven't updated to 8 so I'd like to know before | updating. | sleepybrett wrote: | > ... and doing so with a third party sync solution wasn't | suitable. | | why not?
| | More importantly why was it necessary to remove the local | vaults feature (I don't need it to integrate with any | particular 3rd party syncing solution, I can handle that | myself without any features from them) entirely? | gowld wrote: | > should be a platform feature | | OK, but it's not. Now what? Do we just live without until the | platform overlords provide it, or does someone build it on top | of the platform? | | What even is the "platform", when my Android phone is | connecting to my iPad and my Windows laptop and Linux desktop | and Amazon cloud server? | | $100M = ~$0.20 / computer user in US and western Europe | (wealthy countries in connected software markets) | Lightbody wrote: | I haven't really felt like 1Password's product materially | strayed from the original mission. If anything, I'm even more | delighted with the team functionality, shared vaults, quick | keyboard access in 1Password 8, etc. | | I wouldn't put them in the Dropbox bucket. | | Also, I think the value Tailscale provides is fairly unique and | far from obviously a platform feature like file storage and | perhaps even password management. | kodah wrote: | 1Password went from being buy once upgrade forever to SaaS. A | lot of folks bought back when that was the package (and | business model) so it's viewed relatively negatively here | from some folks. I don't blame them, but also, I think | 1Password is a success. I just don't think they'd have been | viable under their original business model. | pottertheotter wrote: | That happened long before they took outside money, so it's | not related. | jjeaff wrote: | But is "buy once, upgrade forever" really a viable long | term business model? | samhw wrote: | I dunno, but you ought to figure it out (for your | business) before you make that offer! | skinnymuch wrote: | Why? 1PW is succeeding. They didn't do some huge moral | quandary either that would make stopping the one time | buying product a moral failing. 
People like the first | commenter and myself have used 1PW for many years too and | are fine with what has gone down. | | Vs a clear moral screw up like the big tech companies | colluding to not hire one another's employees. | xyzzy_plugh wrote: | Indeed, 1Password is practically a utility at this point, as | far as I'm concerned. I really like the direction they're | heading and they're solving some pretty tricky problems | without compromising on security, predominantly in the | enterprise domain. The experience is the same regardless of | whether you're an enterprise user or a personal or family | user. It's polished enough that my grandma can use it. | MrStonedOne wrote: | alberth wrote: | > I really like the direction [1Password] is heading | | I thought customers were complaining loudly against their | new direction of making 1Password an Electron app. Is that | not the case? | | Note: I'm not a 1Password customer. | st3fan wrote: | > I thought customers were complaining loudly against | ... | | No, you confuse "customers" with a vocal minority. | dimgl wrote: | I didn't even notice... 1Password is great. There are | some minor issues here and there but it always feels like | they very quickly patch it up. | davidwparker wrote: | Maybe technical customers who knew it were Electron. I | knew, and don't really care. My wife doesn't even know | what Electron is- everything is just another app to her. | throwaway894345 wrote: | I heard some people complaining a bit for a moment when | they made the transition, but that happens anytime anyone | changes anything and doubly so when that change is | Electron. But that faded quickly. | mmcclure wrote: | I...don't think it's faded. I could totally be wrong | here, but I don't think they'd actually made a transition | yet; the complaining you're talking about was over the | 1Password 8 _beta_. That actually just went GA this week, | and people were still upset.
| | I get why they're doing it (or, at least, think I do), | and I'm not angry enough to go get angry on Twitter, but | I am going to avoid the upgrade for as long as I can. | That's kind of a bummer to get there with a product | you've historically really liked. | throwaway894345 wrote: | Honestly I haven't noticed and I use 1Password on all of | my devices every day. I heard some grumblings about | 1Password changing to electron months ago and just | assumed that they already made the transition. In | whatever case, I haven't heard a peep until this thread. | I don't like electron in theory and the industry should | collectively come up with a solution that incentivizes | app developers away from electron rather than hoping they | swim against the current of incentive. | skoskie wrote: | You might double check which version you're on. Might | still be on v7. | | > the industry should collectively come up with a | solution that incentivizes app developers away from | electron rather than hoping they swim against the current | of incentive. | | They have the financial resources to build it in ~Rust | but still chose electron. It's a mind boggling decision. | throwaway894345 wrote: | > They have the financial resources to build it in ~Rust | but still chose electron. It's a mind boggling decision. | | Respectfully, I think you may misunderstand the company's | mission. | jchw wrote: | Modern 1password using Electron is sad in some respects, | but hardly surprising. Even people who use Electron hate | Electron. The real differentiating factor is those who | understand why. | skinnymuch wrote: | A small vocal minority. The company's two relatively | recent fund raises are massive. | sleepybrett wrote: | Removing the ability to use it in a non-saas (local | vaults, vaults shared by other syncing solutions) | capacity is what drove the final nail into the 1password | coffin for me. 
I can't trust that they don't hold master | keys to all the vaults on their saas offerings. | | The swap from native to electron on macos was hugely | disappointing but something I could have probably lived | with if they hadn't gone full saas no alternative. | SparkyMcUnicorn wrote: | > I can't trust that they don't hold master keys to all | the vaults on their saas offerings. | | So you think they could be lying about their fundamental | selling point, and hiding it in all of their audits? | Personally, I'd trust them more than Apple/Google/etc. | | https://support.1password.com/1password-security/ | | https://1passwordstatic.com/files/security/1password- | white-p... | | https://support.1password.com/security-assessments/ | throwaway894345 wrote: | Fully agree. I'm a very happy 1Password customer, and I | rarely praise software. | biohax2015 wrote: | 1Password is a phenomenal product. Idk what HN's obsession | with ragging on it is about. | nikanj wrote: | It's been [0] days since the last time 1Password randomly | bombarded me with an "Upgrade to 1Password subscription today" | dialog. Not talking about the banner in the corner of the | app. This was a dialog that had to specifically be dismissed | prepend wrote: | I think they changed from their mission to make password | management easy and secure to extracting service fees | forever. | | I don't necessarily blame them but think their decision was | pushed along by the need for big money. | | For example, I think they'd still be able to do the pay once | model if they abstracted their storage to work with | Dropbox/icloud/OneDrive/whatever. | | There's really no value add as a user for a monthly fee. | Although lots of people don't mind. I'd rather not pay for | something as essential and simple as a synchronized, | encrypted data blob. I literally replaced it with a Google | doc and cutting and pasting more. A filter over Google docs | does not require a monthly fee.
| | I have this problem with lots of SaaS products that could be | software if they didn't want or need lots of money. | ignoramous wrote: | > _We've raised $100M in a Series B financing led by CRV and | Insight Partners_ | | I see they are staying away from a16z ;) | | > _We don't want to put revenue ahead of quality, because our | stats say quality is where all our growth comes from._ | | Dr. Deming shining through here [0], but really, even this 1986 | article paints a neat little picture of how I presume tailscale's | operating at the moment: https://hbr.org/1986/01/the-new-new- | product-development-game | | > _How, Avery, on earth, are you all planning to spend one | hundred million dollars?_ | | Wireguard platinum sponsorship in 3, 2, 1...? | | > _Now I just tell people: We're here to fix the Internet. If we | don't, who will?_ | | I called this a year ago, as it was pretty evident to me even | then (downvotes notwithstanding), but I'd not be surprised if | tailscale became an ISP someday, given their holistic approach to | product development: | https://news.ycombinator.com/item?id=26249199 But hey, there are | many more people working to _fix the internet_... including | tailscale clones and other over-funded/under-funded developers, | which brings me to... | | > _I mean, imagine. What if the Internet just worked like it was | supposed to? [and goes on to list e2ee + Mobile IP + SSO + DDNS + | NAT Traversal]_ | | If you squint just enough, it reads like the _MASQUE_ protocol | (built atop _QUIC_ ) that Google, Apple, Cloudflare are working | to standardize: https://ietf-wg-masque.github.io/ | | That said, in time, I see tailscale not only compete with | Zscaler, but also with Tanium, Cloudflare, CrowdStrike, F5, Palo | Alto Networks and the likes. Once they are embedded in an | enterprise's network, there's very little their product couldn't | expand into to make other SaaS / solutions obsolete.
| | [0] _Systems thinking and Deming_, https://archive.is/tXJhw | eadmund wrote: | > For people who believe there's a catch -- and most still do -- | then I don't know how to write a blog post or hire a marketing or | sales team to change their minds. | | I think the catch is that (at least at the free level) one must | trust an identity provider. For many companies that's probably | fair enough, but for high-security companies and private | individuals one absolutely cannot trust anything running outside | of one's physical control. Service providers can be suborned, | either legally by corrupt regimes or illegally by employees. | There is no way that I would permit Google, Microsoft or GitHub | (their three supported options) to gate access to my private | devices. | | I _think_ that one must also trust Tailscale themselves, although | I could be wrong about that. | lvh wrote: | Tailscale will let you use any SAML or OIDC provider you like | in the Enterprise plan (presumably because of the cost of | supporting the long tail of nonsense IdPs will produce). | | (Disclosure: I'm a (small) investor via Latacora's sibling | fund, Lagomorphic.) | typical182 wrote: | Semi-related question: did Latacora or @tqbf ever open source | their Go-based SAML IDP: | https://twitter.com/tqbf/status/938501701526487040 | | (That tweet I think was a teaser saying it was coming. I | subsequently looked for it a few times and never found it, | but maybe plans changed, or maybe I just failed to find it). | lvh wrote: | Nope. It was pretty much just Thomas and Erin working on | it, and I don't think it's operational. Sorry :( | colordrops wrote: | Don't you have to also trust Tailscale's closed-source | coordinator node? | wmf wrote: | Which also applies to Tailscale's SD-WAN and cloud VPN | competitors. | colordrops wrote: | But doesn't apply to my wireguard setup on my OPNSense | installation at home.
| wmf wrote: | This is the HN disconnect: people commenting here have | completely different concerns than Tailscale's actual | customers. | colordrops wrote: | That is true. Sometimes we are talking about the business | aspects of product-market fit, and sometimes we are | talking about our own personal use of the product or | domain. In this case it's both. | eadmund wrote: | That only addresses half the problem, though, right? Can't | Tailscale still add any nodes they want to one's network? | | Also, it doesn't address the individual case, but that's fair | enough: Tailscale isn't a charity. | [deleted] | lmeyerov wrote: | Yep we had it rejected w an enterprise we work with as the org | needed to own the full control plane so we couldn't bring it | in, and not on the schedule for the org's security team for | them to bring it in. Making a smarter, easier, and less | creepily managed VPN more palatable to enterprises would be | awesome, so the marketing value of their fundraise is real. | RL_Quine wrote: | There's a kind of WIP control server implementation, it's not | production ready in my opinion but it's definitely usable. | | https://github.com/juanfont/headscale | lmeyerov wrote: | Super cool, and a lot of contributors! | | Can this work with the rest of the wireguard ecosystem (agents, | UIs, ...) for a full VPN soln without involving the VC-tied | company? | madjam002 wrote: | Yes it works with all of the Tailscale clients except for | iOS. No it does not work with clients from the broader | Wireguard ecosystem (e.g the Wireguard iOS app). | RL_Quine wrote: | Yes, it's usable with every tailscale client (except for | iOS). You provide an argument to make headscale your | controller, and then it works much the same as the hosted | Tailscale service, with only some minor differences in | configuration.
| chipsa wrote:
| I've seen them mention that they're looking at having the coordination server be self-hostable (and it is for some clients already), so I expect that to be one of the things you can get at the higher price points in the near future.
| tosh wrote:
| Great product. One of the very few that "just works" and "gets better all the time".
| contravariant wrote:
| I hope they don't eventually sacrifice the former in favour of the latter like so many other companies did.
| tomputer wrote:
| For almost a decade I have worked with IPsec and OpenVPN solutions for both client and site-to-site VPN tunnels. On enterprise hardware, community/proprietary software and at public cloud providers. I still work with these because today many vendors only support IPsec.
|
| A few years ago I discovered WireGuard and I was really amazed how easy it was to set up a tunnel. Especially if you've dealt with IPsec before. It felt as easy as creating an SSH tunnel between two servers, with only 4 or 5 lines of code in a config on both sides.
|
| Then last year I discovered Tailscale and I was blown away! How did this even work[1] without opening ports in the firewall? And how cool is it that I no longer have overlapping addresses[2] from other networks. Within 15 minutes I had my own mesh network between my Mac, iPhone, Raspberry Pi and other servers. Fantastic!
|
| I'm on the Personal/Free plan but if this would no longer be free, I would be happy to pay for this service (shut up and take my money).
|
| [1] https://tailscale.com/blog/how-tailscale-works/
|
| [2] https://tailscale.com/kb/1015/100.x-addresses/
| boesboes wrote:
| For anyone else who wonders wtf tailscale is:
|
| > Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly.
| > It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.
|
| It seems to take care of key distribution, nat-traversal, authentication etc etc
|
| Neat! Not sure how that is 'fixing internet' exactly, but really cool anyway
| yrro wrote:
| Tailscale is one of the ways you can restore the end-to-end connectivity principle that IP introduced and that NAT destroyed.
| legalcorrection wrote:
| This is kind of overstated. Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT.
| zinekeller wrote:
| This fact must be bundled everywhere someone mentions "IPv6 will allow direct connectivity again". While NAT isn't a fully-functional firewall, it _did_ do things that a firewall in a router would do. What equipment has proper IPv6 firewalls? Routers, that's who.
| throw0101a wrote:
| > _Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT._
|
| No, they do not behave just like NAT. With NAT you have two problems:
|
| * figuring out your address
|
| * firewall hole punching
|
| With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.
|
| * https://en.wikipedia.org/wiki/Hole_punching_(networking)
|
| * https://en.wikipedia.org/wiki/Port_Control_Protocol
|
| * https://en.wikipedia.org/wiki/Universal_Plug_and_Play
|
| * http://www.upnp.org/resources/documents/AnnexA-IPv6_000.pdf
|
| This helps immensely for residential connections since people (generally) control their gateways, and with more and more higher speed (fibre) connections being done, it could help in more self-hosted and peer-to-peer services.
|
| What one is allowed to do at the office would be dictated by the policy(s) of your employer: they could allow PCP/uPNP opening via authenticated requests for example.
| irq-1 wrote:
| > With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.
|
| What about phone networks? (in the US providers block all incoming traffic.) Or other ISPs that block incoming traffic?
|
| NAT has been used to address a fundamental problem of what traffic can be trusted. That's what Tailscale fixes.
| [deleted]
| zinekeller wrote:
| No, no, no, no. You haven't really experienced the quality of IPv6 routers at home. The only thing that I can (probably) say with confidence is you will _not_ need TURN, and even that assumption _can_ be broken with even more restrictive firewalls that block nearly all UDP traffic or even not know your real public address because IPv6 NAT _does exist_ (https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no..., https://datatracker.ietf.org/doc/html/rfc6296), but fortunately this is usually found in enterprise stuff.
|
| NAT-PMP or router UPnP is probably the wildest: the majority don't (remember that I'm focusing on _ISP_ routers since most people don't bother to switch to actual routers...*), some only on IPv4 (which is even more frustrating), and only a few support it correctly. Worse, those same broken garbage-level routers have NAT-like firewalls: at least you know what address and port you will contact the other computer on, but you will still need UDP (TCP handshake will be very problematic) and you will still need keepalives (or otherwise your firewall will just close the port).
|
| * ... and most that do get another router (usually because they have seen that their Wi-Fi on the "modem" is bad) don't turn on** bridge mode, which _will_ be a definite headache on both IPv4 (double NAT) and IPv6 (address conflict, especially if you're using an ISP like Comcast that would only allocate a /64 and no more).
|
| ** ... because you _need_ to call up the ISP, or they even outright refuse to bridge it (either because they're stupid but you don't have another ISP to switch to, or the equipment manufacturer of their garbage special router didn't program one).
| throw0101a wrote:
| > _No, no, no, no. You haven't really experienced the quality of IPv6 routers at home._
|
| I've been running IPv6 at home >2 years. You're telling me that my own experience is invalid?
| zinekeller wrote:
| No, not necessarily, but if you're using an aftermarket router rather than an ISP-supplied router, then this rather long list is not applicable to you.
| Spivak wrote:
| Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.
| throw0101a wrote:
| > _Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting._
|
| Sure they are.
| All home routers that I'm aware of allow for port forwarding so folks can self-host a service: perhaps a game server (e.g., Minecraft), web, e-mail, etc.
|
| It's just going forward you can set up a separate subnet to put your gear in (especially if you get multiple /64 subnets from your ISP). You can have a DMZ, and use either the router- and/or host-level firewall to dictate which connections are allowed.
| legalcorrection wrote:
| The point is for the user to not have to go configure their firewall.
| throw0101a wrote:
| Which can be done via UPnP and PCP, and without having to maintain TURN/STUN/etc infrastructure. The latter of which can only be done with IPv6, since with IPv4 you're NATing.
|
| So IPv6 makes things easier--which was the point of my post: IPv6 makes things easier.
| zinekeller wrote:
| ... if your definition of "home routers" excludes ISP-provided ones, then I'll agree. Unfortunately, I'm pretty sure that either you are on an ISP that actually cared and found a good supplier, or you didn't check out what the capabilities of ISP-provided routers are.
| dsr_ wrote:
| Of the three ISPs in my area that I have used, all of them allowed inbound traffic and either had useful controls in their routers or didn't supply a router, just an ethernet handoff. RCN, Comcast, Verizon.
|
| All of them filtered out the SMB/CIFS ports.
|
| Two of them filtered outbound port 25; one of them was willing to open it with the additional cost of a static IP.
| zinekeller wrote:
| Yeah, it's inconsistent to be honest.
| I've found Hitron to not have any sort of firewalls (except for IPv4 NAT if you consider it a firewall), while Huawei routers (which are not used in the US for reasons hopefully known to you) _do_ have an IPv6 firewall that is only an off or on switch; stupidly, their enterprise stuff _does_ have advanced controls. Alcatel/Nokia-branded ones are inconsistent to say the least and the same can be said for Zyxel. I'm actually interested in checking out other routers used by ISPs, but those are the ones I've actually seen.
| throw0101a wrote:
| With IPv4 I have to worry about UPnP/PCP working _and_ TURN/STUN/etc nonsense when it comes to peer-to-peer protocols. With IPv6 I only have to worry about UPnP/PCP working. In my books that's an improvement.
|
| If I want to self-host something, then with IPv4 I have to publish my IP and worry about the CPE supporting port forwarding. With IPv6 I have to publish my IP and use UPnP/PCP to allow all connections. Is there any CPE gear that does _not_ support UPnP/PCP?
| dave_universetf wrote:
| Our epic treatise on how NAT traversal works (in general, not specific to Tailscale) mentions this. IPv6 greatly reduces the amount of pain for p2p connections, but does not eliminate some of the fundamentals (stateful firewall traversal) if you want it to be zero-config: https://tailscale.com/blog/how-nat-traversal-works/
|
| But until deployment hits 100%, and until ISPs start caring about IPv6 reliability the way they do about IPv4, "just use IPv6" can't be your answer. It's lovely when it works, but you need to do something other than "give up" when it doesn't. (also, as long as the internet is dual-stacked, doing IPv6 right also implies figuring out if NAT64 is in play, and wielding it correctly; so arguably IPv6 adds more complexity to the overall story, for now :) )
| boesboes wrote:
| Ah yeah, that makes sense.
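The sub-thread above argues about what a stateful firewall still requires once NAT is gone: an outbound packet (or keepalive) to create and refresh a flow entry, or an explicit pinhole of the kind a PCP/UPnP request would open. The following is an added illustration, not code from the thread or from Tailscale; it models a toy stateful UDP firewall in Python with constructed sample addresses and a 30-second idle timeout (both assumptions) so the three cases the commenters describe can be compared side by side.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (assumption): a host with a public IPv6 address
# sitting behind a stateful firewall that does no NAT, and a peer elsewhere.
INSIDE = "[2001:db8::10]:51820"
PEER = "[2001:db8:ffff::7]:51820"


@dataclass(frozen=True)
class Packet:
    src: str    # "addr:port" of the sender
    dst: str    # "addr:port" of the receiver
    ts: float   # arrival time in seconds


@dataclass
class StatefulFirewall:
    """Toy stateful UDP firewall (no NAT).

    An outbound packet creates a flow entry that admits packets from that
    peer until the entry has been idle for idle_timeout seconds.  Any other
    inbound packet is dropped unless a static pinhole for the sender exists,
    which is what an authenticated PCP/UPnP 'allow from addr:port' request
    would create on the gateway.
    """
    idle_timeout: float = 30.0           # assumption: typical UDP mapping lifetime
    flows: dict = field(default_factory=dict)     # (inside, outside) -> last seen
    pinholes: set = field(default_factory=set)    # outside "addr:port" allowed in

    def outbound(self, pkt: Packet) -> bool:
        self.flows[(pkt.src, pkt.dst)] = pkt.ts   # create or refresh the entry
        return True

    def open_pinhole(self, peer: str) -> None:
        self.pinholes.add(peer)

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.src)
        last = self.flows.get(key)
        if last is not None:
            if pkt.ts - last <= self.idle_timeout:
                self.flows[key] = pkt.ts          # inbound traffic refreshes too
                return True
            del self.flows[key]                   # entry timed out: drop
        return pkt.src in self.pinholes


def peer_reply_accepted(keepalive_interval, idle_timeout=30.0, at=90.0) -> bool:
    """Inside host sends one packet at t=0, then a keepalive every
    keepalive_interval seconds (None = no keepalives).  Returns whether the
    peer's packet arriving at t=`at` is admitted."""
    fw = StatefulFirewall(idle_timeout=idle_timeout)
    fw.outbound(Packet(INSIDE, PEER, 0.0))
    if keepalive_interval is not None:
        t = keepalive_interval
        while t < at:
            fw.outbound(Packet(INSIDE, PEER, t))
            t += keepalive_interval
    return fw.inbound(Packet(PEER, INSIDE, at))


def unsolicited_accepted(with_pinhole: bool) -> bool:
    """Peer speaks first; it only gets through if the host opened a pinhole."""
    fw = StatefulFirewall()
    if with_pinhole:
        fw.open_pinhole(PEER)
    return fw.inbound(Packet(PEER, INSIDE, 0.0))


if __name__ == "__main__":
    print("reply 20s after first packet, no keepalive:", peer_reply_accepted(None, at=20.0))  # True
    print("reply 90s after first packet, no keepalive:", peer_reply_accepted(None))           # False
    print("reply at 90s with keepalive every 25s:     ", peer_reply_accepted(25.0))           # True
    print("unsolicited, no pinhole:                   ", unsolicited_accepted(False))         # False
    print("unsolicited, PCP/UPnP-style pinhole:       ", unsolicited_accepted(True))          # True
```

The model is deliberately minimal: a real gateway also tracks direction, protocol and often the full 5-tuple, and the timeout varies per vendor. The point it makes is the one in the thread: knowing your own address removes the STUN step, but either a keepalive cadence shorter than the firewall's idle timeout or an explicit pinhole is still needed for a peer to reach you.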
| IanCal wrote:
| I'm about to go away but having local access will be very useful.
|
| I've just set up tailscale in a few minutes, very smoothly. I'm impressed it scales down to this kind of simple use case nicely, and it seems it has nice features as my use cases might scale up.
| zepearl wrote:
| So basically Wireguard with automated key setup/distribution/identity management?
|
| (btw. I love Wireguard - currently using it to route traffic between my servers + transfer media between my home and my mother's mediacenter with both PCs being behind their own router - she loves it too as so far there were no problems hehe)
| zellyn wrote:
| That, plus fanatically good NAT Traversal: https://tailscale.com/blog/how-nat-traversal-works/
| zepearl wrote:
| But isn't that just part of Wireguard itself? In the end that's what's happening in my case when I exchange data through Wireguard between my flat and the one of my parents...
| seabrookmx wrote:
| No, wireguard is just the VPN itself.
|
| The NAT traversal stuff is all magic that happens before the socket is given to wireguard.
| [deleted]
| ncmncm wrote:
| I thought that Tailscale was pretty interesting.
|
| Avery Pennarun, its CTO, is somebody whose judgment I am used to trusting.
|
| Then I learned that to use it, I would be dependent on authenticating using a login on one of the unaccountable internet behemoths who could take away my account for any random reason or no expressed reason at all.
|
| No, thank you.
| rrdharan wrote:
| I agree, GitHub is awful.
| naikrovek wrote:
| Google does that, Microsoft doesn't. Microsoft will ban you from a particular service if you egregiously violate the terms of service for a particular application of theirs, but never the whole account.
|
| Google will throw you on your ass in the blink of an eye.
| skoskie wrote:
| Is there anything in their TOS that states it or has this just been their practice so far?
| ncmncm wrote:
| Does it matter? Whether they say they will do it, or just do it without saying they will, the experience is the same.
|
| What matters most is if they can. Then, if they ever have done. What I want is that they can't.
| naikrovek wrote:
| you want a free service written, maintained, and hosted by others that _they don't control_. Am I understanding you?
| ncmncm wrote:
| No. I would be happy to pay for service, but they offer no choice but to rely on somebody else's authentication, regardless.
| naikrovek wrote:
| read harder next time. https://tailscale.com/kb/1119/sso-saml-oidc/
| __float wrote:
| If you use an identity provider like Okta or OneLogin, then you're not tied to any "contentful" services like GitHub or a Google account that "historically" seem to have more problems of this type.
|
| As far as threat models go, I can't really say I understand this one too much.
| DarylZero wrote:
| Okta and OneLogin are both private corporations that have each existed for 13 years. Does your threat model include an estimate for how long they will stay in business? What if one of them puts the other out of business? Does your threat model choose a winner in that fight?
|
| As far as paid services go, the possibility is also there that someday _you_ run out of money and have to stop paying them. They tend to shut down your access when that happens. Another financial threat you have to model.
|
| These things don't happen when you use public key authentication.
| orojackson wrote:
| For enterprise, sure, using a separate IDM provider works, but last I checked, neither Okta nor OneLogin cater to individuals and their personal accounts. So as far as threat models go, I understand why people view this requirement from Tailscale as utter garbage for personal accounts.
| margalabargala wrote:
| As an example: shortly after Russia invaded Ukraine, Namecheap cancelled all accounts of all of its customers who were located in Russia. This was done regardless of what content if any was hosted by the account, whether or not the person in question supported the war, or whether the person in question was actively fleeing Russia and may have been relying on technical infrastructure they had previously set up to help them do so.
|
| Just because a service you sign up for is not contentful does not mean that they won't choose to boot you off for some reason completely unrelated to anything you control or anything you chose to do.
| woodruffw wrote:
| This is a strange example to pick given that (1) it's a war, and (2) a significant percentage (majority?) of Namecheap's employees and offices are in Ukraine.
|
| If we (the US) decided to invade Canada tomorrow, you can be certain that the maple syrup would stop flowing.
|
| Edit: According to their website[1], the overwhelming majority of their employees are in Ukraine. Two of the three cities they have offices in are on the current combat front.
|
| [1]: https://www.namecheap.com/careers/ukraine
| kyawzazaw wrote:
| Avery Pennarun is CEO.
|
| David Crawshaw is CTO.
| ncmncm wrote:
| I am corrected.
| ibejoeb wrote:
| Is that generally true? A third-party authentication service is needed just to get it going, or is that needed for specific use cases?
| ncmncm wrote:
| Apparently the third-party authentication service is needed just to get it going. If you get an "enterprise license" you can choose among more authentication services, but not yourself.
|
| Some people suggest trying Nebula instead.
| systemvoltage wrote:
| Yes. If they can't build basic auth and make sure it's secure, it sends quite the message.
|
| Super annoying and borderline unacceptable.
| chipsa wrote:
| They don't want to build basic auth.
| They probably could, but it gives them more headaches and customer service touch points compared to delegating that out. Like: what if the user forgets their password? Or what if they lose their 2FA device?
| systemvoltage wrote:
| Yes, welcome to operating a SaaS.
| boesboes wrote:
| Oh, that is a shame. I can see why they do it like this for businesses, but for personal accounts I refuse to use SSO. Been bitten by that a few times too many.
|
| I _could_ use my github account, but I don't trust them at all anymore. And I'm not going to set up an account with some other service just to use this. So that is a hard pass for personal use.
|
| For a company it makes sense to have to use whatever sso provider you are already using i guess
| gowld wrote:
| "Fixing the internet" == you can communicate with computers that want to communicate with you, and not with others.
| contravariant wrote:
| "Fixing the internet" == you can communicate with computers that _you_ want to communicate with, and not with others.
| lupire wrote:
| You can do some things that you don't want to do.
|
| If someone uses a rubber hose, you might be forced to communicate against your will, using the fixed Internet.
| philipov wrote:
| "Fixing the internet" == computers that mutually consent to communicating with each other are able to communicate with each other
| xeyownt wrote:
| "Fixing the internet" == computers whose _owners_ mutually consent to communicating with each other are able to communicate with each other
| tomc1985 wrote:
| Another day, another overly hyperbolic press rele.... er, blog post
|
| Le sigh...
|
| Let's make tech boring and demure again!
| capableweb wrote:
| > We're here to fix the Internet
|
| That's such a broad "mission statement" that I wonder if it's effective at all. I mean, what SaaS wouldn't say that they fix something with the internet? That's the whole reason for online businesses solving one or another problem.
|
| How could that statement help them guide their implementations of various solutions?
| gowld wrote:
| The internet, at its essence, means connecting machines across (intra)networks. Not everything those machines do. That's what Tailscale (+wireguard) is for.
| lvh wrote:
| I think the best way to get a feel for what that means is Remembering the LAN[0] and then just trying it out (really, it's easy) and deciding for yourself if they're living up to it. Or grep Twitter for "tailscale" -- all these nerds aren't astroturfing :)
|
| (Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
|
| [0]: https://tailscale.com/blog/remembering-the-lan/
| MatthiasPortzel wrote:
| My understanding/hope is that the author uses "internet" to mean the technology. Colloquially we use "internet" to also refer to every technology that runs on top of the internet (like the web), but 'connect devices together' is a meaningful statement and the internet is the technology that we currently use to do that.
| klazutin wrote:
| I've tried Tailscale recently after reading all the raving reviews here on HN. The service is very easy to install and the apps are nice to use, everything is just very well done.
|
| However, I just don't see much difference from my vanilla Wireguard setup. Granted, my use case is very simple, just connect a few devices at home and in the cloud into a single network and use one of them as an exit node, but I'm still not sure what would make me prefer Tailscale over Wireguard.
|
| So far the biggest difference has been that it makes me use an external identity provider instead of having to manually exchange keys between devices, and I'm not sure I'm very comfortable with that.
| lupire wrote:
| The answer here depends on a side by side pair of walkthroughs for setting up and maintaining Tailscale vs plain Wireguard.
| bambax wrote:
| I read almost all of TFA (started to jump paragraphs near the end) and still couldn't figure out what it was or did, even after being told, repeatedly, that they "make easy things easy".
|
| Apparently, it's a VPN.
| gowld wrote:
| The blog post is poor. It has TailScale's "house style" of folksy reminiscence and Avery's stream-of-consciousness writing style wrapped around an announcement. It only says two things, one at the top, and one at the bottom: "We raised $100m for our war chest; we don't have any plans for how to use it besides extending runway for our current operations". The middle is left trying to justify why that is a good thing, despite not having a reason beyond "we know a lot of rich people who know we are wicked smart and talented, so they want a piece of equity in us".
|
| The home page is a pretty clear exposition of what TailScale is: https://tailscale.com/
| MatthiasPortzel wrote:
| I thought the post was remarkably well written. I had a vague idea what Tailscale did going into it, but this post did a good job of describing the company's values and vision. I'm not sure what the intended audience of the announcement was, but for me it was interesting.
| isthisnametaken wrote:
| I got bored long before then. It's a terrible piece of self-backslapping drivel
| crthpl wrote:
| From their privacy policy:
|
| > The personal information we collect, use, and disclose includes business contact information such as names, job titles, and company email addresses, as well as information about individual devices (such as device hardware and operating system) and aggregated usage statistics (such as amount of data transmitted in a period of time).
|
| > Your personal information will be transferred ... to certain third parties that provide services on our behalf.
|
| > We use service providers to provide services such as ...
| > data analysis to better understand and improve product and website usage, and providing advertising and marketing services.
|
| :/
| woopwoop24 wrote:
| i wanted to use tailscale really bad, but since you cannot login without the given choices they provide, i am not sure any security minded person would mind using it.
|
| i rolled my own with a simple vps, a haproxy and ansible.
| RL_Quine wrote:
| Unfortunately despite claiming that they would, they've never allowed their iOS application to allow configuration of the control server (every other client they have released does). Maybe some more funding will allow them to focus on the client quality.
| pilif wrote:
| also, their iOS client still has abysmal background battery usage even when not connected. It has been more than a year now, so, yes, seeing them improve in such areas would be cool.
|
| But given the huge amount of money invested, pressure will go into other directions. I'm afraid my (aside from the iOS issues) beloved Tailscale is on a path to expensive enterprisey bloat, losing what made it so good (the JSON based ACLs, the external authentication provider reliance, etc - GitHub Auth is a killer-feature for me for example)
| bradfitz wrote:
| (Tailscale engineer here)
|
| That's https://github.com/tailscale/tailscale/issues/1572 which we haven't given up on. It's just not done. We did it for macOS and we thought the same thing would've worked for iOS (they share a ton of the same code) but it apparently didn't work.
|
| The mobile apps have been a low priority thus far. We just recently hired some people to work on them, though.
|
| The highest priority for them currently is fixing battery life (we do some dumb things when LTE + wifi are both available, and when using exit nodes, and some unnecessary heart beating that sucks on mobile) and then there's also a mobile app redesign (or just "design") coming.
|
| We like Headscale and we're super glad that it exists. (they saved us some work by doing it first, as our control server wasn't in a releasable state) We keep Juan et al updated when there's protocol changes or things they can do. (e.g. recent https://github.com/juanfont/headscale/issues/552)
| pilif wrote:
| About the battery usage: what I can't explain is that there's a lot of background energy usage on iOS when Tailscale is running even when it's not connected.
|
| If this was about heart beating, I would expect that to only happen when the client is connected.
|
| Also, in the battery stats, the background usage is there and tailscale is listed, but with - % of battery usage.
|
| However, when I force quit tailscale, all of the background energy usage goes away.
| bradfitz wrote:
| A lot of it was because we were using the cell radio when wifi was available.
|
| Have you tried 1.24.2 that's just as of yesterday on the App Store? It fixes one of the worst of the offenders (but not all yet).
|
| In any case, we understand a lot of the problems now and plan to work on it soon.
| RL_Quine wrote:
| Thanks for the response. I had misinterpreted the communication from Tailscale to be adversarial rather than just that it wasn't something that had engineering focus. It's good to hear that there will be some progress towards making the mobile app better.
| [deleted]
| Lightbody wrote:
| We love Tailscale. Every employee has it, and we use it to provide access to dev, staging, and prod environments as well.
|
| Fun little thing we did with it: nobody can access the prod network without requesting access via a Slack bot (powered by https://indent.com/). So somebody requests access, another authorized person approves it, and the Tailscale ACLs are updated for X minutes and then reset.
|
| Access to secure environments is super low friction but more secure (with fantastic audit trails) than ever.
| fwip wrote:
| That's gonna be exciting next time Slack is down.
| dx034 wrote:
| I'd assume they have a fallback option to provide access.
| Lightbody wrote:
| It's a very safe assumption: we're just automating Tailscale ACLs. Tailscale admins (3 of us) can still come in and manually change them.
| fwip wrote:
| That's reassuring, the phrasing of "nobody can access prod without a Slack bot" was worrying.
| VWWHFSfQ wrote:
| I wouldn't assume anything
| obogobo wrote:
| it was down for many folks about 2 hours after you posted this lol
| ignoramous wrote:
| Well, we run our servers _without_ ssh access... no amount of escalation through ACLs / Security Groups lets you in. Can't say it would work for everyone, but at least, no one can _mutate_ prod unless the code itself exposes those interfaces.
| lettergram wrote:
| "To fix the internet"
|
| I really wish we could get some clear copy on what that means in a title.
| arsome wrote:
| I was going to try TailScale but then it seemed the only option to do so as an individual was to login with a 3rd party cloud provider, which I in no way want tied into my networks.
|
| I gave up and just set up wireguard directly instead, I don't trust Tailscale either if that's their attitude towards privacy, it's permanently marred my vision of their product.
| paxys wrote:
| Not sure why everyone is hung up on this. You don't have to use a third party provider for auth. They support SAML and OIDC, and it is pretty easy to set up your own auth server. There are enough open source implementations out there you can use.
| ptomato wrote:
| only with an enterprise subscription.
| aftbit wrote:
| Same, I abandoned Tailscale sign up for this reason as well. Perhaps consider https://github.com/juanfont/headscale ?
| JeremyNT wrote:
| Indeed, this is why I won't use it either. I settled on Slack's Nebula [0] instead of wireguard because it handles direct p2p communication between nodes automatically.
|
| There also exists an open source implementation of the tailscale control server [1] that you could self host.
|
| [0] https://github.com/slackhq/nebula
|
| [1] https://github.com/juanfont/headscale
| rhuber wrote:
| (Nebula coauthor here)
|
| People sometimes ask me to describe the differences between Nebula and Tailscale. One of the most important relates to performance and scale. Nebula can handle the amount of internal network traffic and scalability of nodes (100k+ nodes, constant churn) required on a large network like Slack's, but Tailscale cannot. Tailscale's performance is fine for many situations, but not suitable for infrastructure. It is just a fundamentally different set of goals.
|
| Nebula was created and open sourced before Tailscale was offering their product, but their architecture is similar to older offerings in the market, and is something we purposely avoided when creating Nebula.
|
| Fwiw, I even recommend Tailscale to friends who want to do things like connect to their Plex server or Synology or [other thing] at home remotely. It simplifies this kind of thing greatly and doesn't require you to set up any infrastructure you control directly, which can be a headache for folks who just want to reach a handful of computers/devices.
| JeremyNT wrote:
| > _Fwiw, I even recommend Tailscale to friends who want to do things like connect to their Plex server or Synology or [other thing] at home remotely. It simplifies this kind of thing greatly and doesn't require you to set up any infrastructure you control directly, which can be a headache for folks who just want to reach a handful of computers/devices._
|
| First thanks for working on Nebula! It's great.
|
| Nebula seems to be about 95% there. The functionality it actually does provide once set up is really great.
| It's just missing the 5% that is arguably the most important for a huge number of people: a simple way to do the configuration management bits such as device enrollment, revocations, key rotations, that sort of thing.
|
| If you are a home user, with a small network, the overhead of doing things manually is low, but you need to be patient and technical enough to read the docs and do it right initially. If you're a big enough organization I guess you can write your own tooling. But for any small shop or any non-technical home user this is not going to fly and you will bounce off it.
|
| I don't know if the plan is to create a commercial offering for this side of the house (it would make sense...) but as far as I'm concerned, this is the only reason that Tailscale is so successful and Nebula is lesser known (despite Nebula's advantages in other ways that may be more relevant to technical users).
| rhuber wrote:
| The Nebula CA we built at Slack was very specific to Slack's internal devops, and just wasn't generalizable. It is highly automated there, and is custom tooling, just as you describe. The open source version is somewhat bare bones (a command line tool for CA vs something like vault).
|
| I will say that the OSS tooling of Nebula is everything someone needs to stand up an entire working network on every common platform (linux/mac/windows/ios/android), but there is a definite gap in simplification that we need to address to make it easier for smaller scale use cases.
|
| We actually have a managed enterprise Nebula offering at my current gig, but that's rather a different market than Tailscale, so I'm avoiding talking as that company as opposed to a Nebula OSS project lead. The commercial offering is targeted at large enterprises, because that's the market where Nebula has unique advantages.
| It also means we don't currently have a freemium or smb type offering, and are not prioritizing creating one at all. I don't want to give people false hope that we will, and would prefer to see the OSS project improve to address the small-medium use cases.
| vgel wrote:
| > People sometimes ask me to describe the differences between Nebula and Tailscale. One of the most important relates to performance and scale. Nebula can handle the amount of internal network traffic and scalability of nodes (100k+ nodes, constant churn) required on a large network like Slack's, but Tailscale cannot. Tailscale's performance is fine for many situations, but not suitable for infrastructure. It is just a fundamentally different set of goals.
|
| Making broad claims like this without a source or links to benchmarks feels like FUD to me. For example Tailscale's comparison page on performance (https://tailscale.com/kb/1148/tailscale-vs-nebula/#performan...) doesn't mention a meaningful performance difference, so if you're claiming they're not telling the truth (by omission), I'd hope to see more to that than just a straight assertion, even just "We tried Tailscale in Slack's network and it wasn't able to keep up with our usage patterns".
| rhuber wrote:
| Another fair criticism. We will publish the benchmarks and make them repeatable (which most existing ones I've found don't bother to do). We hadn't done so because Tailscale isn't really seen as a direct competitor to what the Nebula project is doing, but if people want numbers, that's a thing we are happy to provide.
| SahAssar wrote:
| So "People sometimes ask me to describe the differences between Nebula and Tailscale" and the answer is "performance and scale", but you don't have clear comparisons for those numbers?
| rhuber wrote: | We have an automated set of ansible scripts that spin up | large groups of hosts for Nebula performance regression | testing, and a while back I added zerotier, tailscale, | wireguard-userspace, wireguard, tinc, ipsec, and openvpn | to that automation so I could get a sense of where things | stand. I spent a lot of time optimizing each of the above | options to make fair comparisons, but it was mostly for | mine and the team's curiosity, and we weren't interested | in playing benchmark-fight with similar software of the | world. | | Publishing repeatable benchmarks is hard, and when doing | open source work, it just hasn't been a priority. As I | replied above, if I'm going to say it I should prove it, | and I promised to do just that. | | And a counterpoint: tailscale does mention in the | "Tailscale vs Nebula" article on their website that | performance is just about the same but similarly provides | no proof. This is motivation enough for me to show proof | of the opposite, I guess. | stavros wrote: | Does Nebula have anything like Tailscale's rules engine? I | am absolutely in love with being able to configure all my | connections by just specifying a JSON file somewhere. No | need to have firewalls, the configuration specifies which | service or user can talk to which. | | That having been said, I also am wary of using Tailscale | for the same reasons as above, I have to trust Tailscale | _and_ Github? I can maybe justify trusting Tailscale, but | trusting GH/Microsoft/other SSO provider is a bridge too | far. | rhuber wrote: | It does! In fact replacing AWS security groups and making | them cross region and cross platform was probably the | first goal of the project. My coauthor, Nate, wrote | Nebula's internal firewall code before we wrote a single | line of the actual protocol, because he wanted to ensure | it was performant enough for massive scale. | stavros wrote: | Well that is great, thank you! I will play with it today.
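The "rules engine" stavros describes above is a default-deny policy: nothing talks to anything unless an accept rule says so. The following is an added example, not Tailscale's code and not from any commenter; it is a toy evaluator for a policy file in the documented core shape (groups, accept rules with `src` identities and `dst` entries written as `<tag>:<ports>`). The policy itself is constructed, and hosts, tagOwners, autogroups and CIDR destinations are deliberately left out.

```python
"""Toy evaluator for a Tailscale-style ACL policy (added example).

This is not Tailscale's code. It models only the documented core of the
policy file: "groups" are expanded to their members, each "acls" entry is
an accept rule with "src" identities and "dst" entries of the form
"<target>:<ports>", and everything not explicitly accepted is denied.
Hosts, tagOwners, autogroups and CIDR destinations are left out.
"""
import json

# Constructed sample policy; the identities and tags are made up.
POLICY_JSON = r'''
{
  "groups": {
    "group:eng": ["alice@example.com", "bob@example.com"],
    "group:ops": ["carol@example.com"]
  },
  "acls": [
    {"action": "accept", "src": ["group:eng"], "dst": ["tag:ci:22,443"]},
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:ci:*", "tag:prod:*"]},
    {"action": "accept", "src": ["*"],         "dst": ["tag:dns:53"]}
  ]
}
'''


def _expand_src(entries, groups):
    """Replace group:* references with their members; '*' stays a wildcard."""
    out = set()
    for entry in entries:
        if entry.startswith("group:"):
            out.update(groups.get(entry, []))
        else:
            out.add(entry)
    return out


def _parse_dst(entry):
    """Split '<target>:<ports>' into (target, port set); None means any port."""
    target, _, ports = entry.rpartition(":")
    if ports == "*":
        return target, None
    return target, {int(p) for p in ports.split(",")}


def load_policy(text):
    """Parse the policy into [(set_of_sources, [(target, ports), ...]), ...]."""
    policy = json.loads(text)
    groups = policy.get("groups", {})
    rules = []
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            raise ValueError("only accept rules are modelled; there is no deny rule")
        rules.append((_expand_src(rule["src"], groups),
                      [_parse_dst(d) for d in rule["dst"]]))
    return rules


def is_allowed(rules, src_user, dst_tag, port):
    """Default deny: allowed only if some accept rule matches src, dst and port."""
    for sources, destinations in rules:
        if src_user not in sources and "*" not in sources:
            continue
        for target, ports in destinations:
            if target in ("*", dst_tag) and (ports is None or port in ports):
                return True
    return False


if __name__ == "__main__":
    rules = load_policy(POLICY_JSON)
    for who, where, port in [("alice@example.com", "tag:ci", 22),
                             ("alice@example.com", "tag:prod", 22),
                             ("carol@example.com", "tag:prod", 5432),
                             ("mallory@example.com", "tag:ci", 22)]:
        verdict = "accept" if is_allowed(rules, who, where, port) else "deny"
        print(f"{who} -> {where}:{port} {verdict}")
```

The point worth noticing is that there is no deny rule and no ordering to reason about: a connection is either matched by some accept rule or it is dropped, which is why the policy file can replace per-host firewall rules. The model is deliberately stricter than the real thing (real policy files are HuJSON and support many more selector kinds), so treat it as a way to reason about the semantics, not as a linter for production policies.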
| stavros wrote: | Ah, it looks like the firewall rules need to be copied to | each host separately. That's not a dealbreaker, but not | as easy to deploy as having them managed centrally (by | the lighthouse, I guess?). | crawshaw wrote: | Tailscalar here. Tailscale can handle 100k+ nodes with lots | of churn just fine. | rhuber wrote: | Fair enough. I am sure the key distribution is fast and | all that, but not needing peer key distribution at all | was a goal and the overhead associated is less scalable | than just not doing it at all. Regardless, very cool that | you can handle that many nodes, which is a hard problem. | I assume you do just-in-time key distribution or | something, because (n-1) distribution of peer keys would | be ... less than ideal. | | Anywho, the more important bit is my point about | performance. Nebula is significantly faster than | userspace Wireguard, and plain userspace Wireguard is | (last I checked) a bit faster than Tailscale, due to the | additional code needed for things like your ACLs. At | gigabit type scale it is probably fine and not | noticeable, but at Slack, we needed to scale to 10G+ on | links, while ensuring we didn't take a significant hit on | CPU resources. | | Again, I think Tailscale is very good for its target use | case as a VPN replacement, and congrats on raising these | funds! | lupire wrote: | > the overhead associated is less scalable than just not | doing it at all | | That's only true if you can actually articulate a reason | why it won't scale to some magnitude that some user might | actually need today or at some point in the future. | | For example, Go may be "not as scalable as C" (or vice | versa! Or both!), but what matters is the scale to which | it is actually desired to be deployed. | rhuber wrote: | I mean... the title of the Tailscale blog post is | "Tailscale raises $100M... to fix the Internet", and | that's pretty massive scale.
/s | | I don't have 100k hosts on a large network to test | deploying Tailscale, but if I did, I'd be benchmarking | the cpu/network/storage overhead of telling 99,999 hosts | about a new one that comes online, every time that | happens, or every time its pubkey changes. You can | optimize this away _if_ your "fan out" is not as large, | but there are plenty of cases where every host on your | network needs to talk to a particular host, so all of | them need to know about its keys as soon as possible. | | Again these aren't unsolvable problems, to a point, but | we didn't want to solve a problem when we could avoid it | entirely, so that's the path we chose. It removes | complexity and is a good part of the reason the system we | built has been resilient. | | A complaint some people express about tailscale is the | battery life on mobile (or at least iOS). This exists | because there is coordination overhead on even idle | tailscale nodes. Back when we ported Nebula to iOS, we | sweated details like "how often it wakes the radios" and | did a lot of profiling. I never turn Nebula "off" on my | iPhone, and it just sits there in the background not | using any resources most of the time. | | We worked hard to optimize this out of our architecture, | so that Nebula avoids generating traffic that is | unrelated to the actual communication between hosts or | lookups to lighthouses. An idle nebula tunnel can truly | be idle indefinitely, and that also matters as the set of | hosts becomes larger. | | I do not think the Nebula project and Tailscale are | direct replacements for each other in any fashion, and | afaik neither is trying to be. I'm just pointing out that | different design goals led to unique advantages and | disadvantages to each architecture. | FL410 wrote: | Nebula rocks! | ncmncm wrote: | See, I have seen promotions of Tailscale and Zerotier | before, but this is the first I have heard of Nebula.
If | with Nebula I am not beholden to some internet behemoth who | may cancel my authentication without notice, I am motivated | to try it. | depingus wrote: | Absolutely love nebula and really wanted it to win when I did | my overlay network shootout (for personal use). But device | on-boarding and management was overly complex for a lay | person (I have a couple users that would require access). | | I settled on ZeroTier for now. Unfortunately, I don't think | ZeroTier is my long term solution. Their self-hosted option | comes with a plethora of caveats that make it basically | unusable. And I'm always scared companies that offer free | versions of their paid product will eventually neuter the | free tier. | | I'll be keeping an eye on headscale. Hopefully they get their | mobile client situation in order. | FL410 wrote: | I am curious what you found complex - was it the PKI? I was | able to get Nebula up and running WAY faster than any of | the others. It's two (well really only one) binaries and a | config file - the simplicity is awesome. | JeremyNT wrote: | It's easy to get started, but the issues come mostly from | managing that "just a config file" over time. | | Have a bunch of new nodes? Replacing a lighthouse? | Revoking and replacing certs? | | Here's a mistake that I made personally. Did you read the | docs fully and realize that the default expiration for a | CA is one year? The same is true for certificates. You | need some kind of tooling to rotate certs every year, by | default, or one day you'll find your entire overlay | network disappears. | | What about the ACL lists? Well, they're just stored in | that same config file. What if you add a new service you | didn't count on initially? Or you have a new class of | clients? | | What if your lighthouse needs to change its IP address? | Or you need to retire and replace it outright? 
| | And if you have hosts coming and going a lot, suddenly | managing all those configuration files looks like quite a | pain indeed... | | None of this is unsolvable - assuming you have root on | all the nodes you care about. You could even create | tooling to automate these things with some kind of | configuration management system (which indeed, if you are | deploying to more than a handful of systems, you | basically _must_ do). But these pain points will | eventually add up if you are just trying to connect to | friends. | depingus wrote: | Just FYI, when you create a CA cert or sign certs with | nebula-cert you can specify a -duration. Which I know | doesn't help you after the fact, but it might help | someone going forward. | JeremyNT wrote: | Very good to know! I did learn this and used 10 year | certs/ca when my originals expired... as will presumably | most of the other people who didn't fully grok the | implications of the defaults :) | rhuber wrote: | We need to do a better job of this and I'm really sorry | you had a not-great experience with expiration. Totally | agree with your take. | depingus wrote: | I found it too complex _for a lay person_. On a regular | computer or server it's not too bad. I can send someone a | config file with the certs and keys already built in. | That's easy enough. But on mobile it requires a back and | forth exchange of keys over a different medium. | | Compare that to ZeroTier where I can just tell someone, | "install this app and punch in this Network ID". Also, ZT | lets me control the entire network firewall from a | centralized place. Where Nebula is doing it on a per- | client basis and requires new certs if device groups | change. | | I don't want to talk up ZT too much though. Their self- | hosted option is a joke. There is no webui. You have to | do everything via the API...including the firewall rules; | And you have to write those rules in the non-human | readable format that their webui abstracts away.
Worse | still, their mobile apps won't work with the self-hosted | option. I used them to get something up and running | quickly, but I'll probably end up on Nebula anyways. | api wrote: | > Their self-hosted option is a joke. There is no webui. | | There's a community developed one: | | https://github.com/key-networks/ztncui | jupp0r wrote: | What's your concern, specifically? To me it sounds like | understanding in detail how oauth works would make you feel | much better about this. | aborsy wrote: | I don't understand why these mesh VPN companies don't take | themselves out of the trust loop? For example, by supporting | Wireguard preshared keys (if that makes sense). | | In light of the recent incident at Okta, the risk of the VPN | company or the identity provider getting compromised, or | provided with a gag order by the government, should be | accounted for. | Pr0ject217 wrote: | Interesting. That's a non-starter for me as well. | web007 wrote: | Your personal dislike of cloud SSO is not the same as "their | attitude towards privacy". Before you do anything "permanently" | you should read their reasoning behind that decision: | | https://tailscale.com/kb/1013/sso-providers/ | | > Tailscale works on top of the SSO/IDP/IAM identity provider | you or your company already use. | | > We don't support sign-up with email addresses. By design, | Tailscale is not an identity provider: there are no Tailscale | passwords. | | > Using an identity provider is not only more secure than email | and password, but it allows us to automatically rotate | connection encryption keys, follow security policies set by | your team (e.g., 2FA), and more. | | You can BYO SAML provider if you like, you'll just have to pay | for it: https://tailscale.com/kb/1119/sso-saml-oidc | SahAssar wrote: | Requiring you to disclose info to google, microsoft, okta or | onelogin can very clearly be an "attitude towards privacy", | right?
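Back to the Nebula certificate-expiry pitfall JeremyNT and depingus discuss a few comments up (one-year default lifetimes for both the CA and the host certs, and an overlay that silently disappears when they run out). The script below is an added example, not part of Nebula and not posted by anyone in the thread. It audits an inventory of certificate details and flags what needs rotating; the inventory is constructed here, and in practice you would fill it from `nebula-cert print -json`, whose exact field layout is assumed rather than quoted.

```python
"""Expiry audit for a Nebula CA and the host certs it signed (added example).

nebula-cert gives both the CA and signed host certs a one-year lifetime
unless -duration is passed, and once the CA has expired Nebula rejects
every cert it signed, so the whole overlay disappears at once. This script
is not part of Nebula; it takes an inventory of certificate details
(constructed below; in practice you would fill it from
`nebula-cert print -json`, whose exact field layout is assumed here) and
reports what needs rotating.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: one CA and three host certs, RFC 3339 timestamps.
INVENTORY = [
    {"name": "org-ca",      "isCa": True,  "issuer": None,     "notAfter": "2022-11-01T00:00:00Z"},
    {"name": "lighthouse1", "isCa": False, "issuer": "org-ca", "notAfter": "2022-10-15T00:00:00Z"},
    {"name": "laptop",      "isCa": False, "issuer": "org-ca", "notAfter": "2022-05-10T00:00:00Z"},
    # Signed for ten years, but the CA behind it still runs out in 2022.
    {"name": "pi",          "isCa": False, "issuer": "org-ca", "notAfter": "2032-05-01T00:00:00Z"},
]


def _parse(ts):
    """RFC 3339 'Z' timestamp -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def effective_expiry(cert, cas):
    """A host cert is only usable while its CA is valid, so its effective
    expiry is the earlier of its own notAfter and the CA's notAfter."""
    own = _parse(cert["notAfter"])
    if cert["isCa"]:
        return own
    ca_expiry = cas.get(cert["issuer"])
    if ca_expiry is None:
        return None  # issuer not in the inventory
    return min(own, ca_expiry)


def check_expiry(inventory, now, warn_days=30):
    """Return {cert name: 'ok' | 'expires in N days' | 'expired' | 'unknown issuer'}."""
    cas = {c["name"]: _parse(c["notAfter"]) for c in inventory if c["isCa"]}
    findings = {}
    for cert in inventory:
        expiry = effective_expiry(cert, cas)
        if expiry is None:
            findings[cert["name"]] = "unknown issuer"
            continue
        left = expiry - now
        if left <= timedelta(0):
            findings[cert["name"]] = "expired"
        elif left <= timedelta(days=warn_days):
            findings[cert["name"]] = f"expires in {left.days} days"
        else:
            findings[cert["name"]] = "ok"
    return findings


def audit_at(iso_now, inventory=INVENTORY, warn_days=30):
    """Convenience wrapper: run the audit as of a given RFC 3339 instant."""
    return check_expiry(inventory, _parse(iso_now), warn_days)


if __name__ == "__main__":
    # Re-issue with an explicit lifetime rather than the default, e.g.
    #   nebula-cert ca -name "org-ca" -duration 87600h
    #   nebula-cert sign -name pi -ip 10.1.0.3/24 -duration 8760h
    for name, status in check_expiry(INVENTORY, datetime.now(timezone.utc)).items():
        print(f"{name:12} {status}")
```

The "pi" entry is the case that bites people: a ten-year host cert buys nothing if the CA it chains to was created with the default lifetime, so the audit reports the CA's date for it. Run this from cron with a warning window longer than the time it takes you to push new certs to every host (and to rebuild mobile clients, where the key exchange is manual).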
| lupire wrote: | I can't afford Enterprise "contact us" pricing for personal | use or small team. | | They don't even give the option to try to debug my own | identity provider. | | aka the BYO SAML feature does not exist for personal or small | team/business users. | | But maybe that's the point? TailScale's product is actually | an identity integration layer for Wireguard? If you don't | need an identity provider, Tailscale doesn't add value over | Wireguard? | colordrops wrote: | Agreed, if you have no need to bust a NAT, just set up | wireguard directly yourself, and avoid closed source products | from corporations managing your most secure and private data. | Saris wrote: | Yeah that's the biggest hangup I have, it just seems strange to | rely on a third party login to be able to access something as | important as a VPN. If my google account or whatever gets shut | off for any reason I'd be pretty hosed. | ignoramous wrote: | Avery, co-founder at Tailscale, has some strong opinions | about why SSO is sufficient for their product. | | They wrote a bit about their thought process: _Factors in | authentication_ (2019), https://apenwarr.ca/log/20190114 | | > _It seems to me that the above successful enrollment | patterns all use one or more of the following techniques:_ | | > _A human authenticates you and issues you a token (usually | in person)._ | | > _A short-distance, physical link (proximity-based | authentication) like a biometric sensor, or USB or bluetooth | connection._ | | > _Delegation to an existing authenticator [SSO]..._ | | > _What people tend to miss... is that enrollment is | necessary whether or not you send a push notification to the | phone during login. The push notification is only secure if | this specific browser instance is enrolled; but if this | browser is enrolled, then the push notification adds no extra | security... The enrollment was the security._ | | Fully expect them to ship u2f authenticators or sell them at | tsCare shops! 
| nsm wrote: | I'm curious. Why not create a new google account that is not | used for anything but Tailscale and use that? | tmikaeld wrote: | I guess their biggest competitor will be Cloudflare Tunnels with | Access, which does the same thing and more, for free. | [deleted] | benjaminwootton wrote: | Every time I refresh my feed I read about another company raising | tens of $millions. | | A lot of that is Crypto related, but money seems to be absolutely | flooding into tech at the moment despite all of the doom and | gloom around | kall wrote: | Congratulations to Tailscale. Imagine how many times you can | migrate to a new novel database architecture with that kind of | money. | tomhallett wrote: | I'm trying to connect Tailscale's product with their goal "The | internal dashboard and CI system that will never need to be | public-facing. The HR database that will always have far less | than a thousand queries per second. The dozens or hundreds of | devs that ssh or RDP into servers, not the millions of users | being served." | | Does this mean - instead of deploying a dashboard/ci to aws, I | should host it "locally" on a single computer (macbook, raspberry | pi) and then internal employees can access that site via | Tailscale's network layer? | atonse wrote: | As I've said in a past thread for another product (oxide), I LOVE | Tailscale and am really happy for the team for their well earned | growth and success. | | However this is the path that could move them towards being | pressured to add a bunch of bloat, followed by acquisition | pressure and a big payout that will likely eventually cause the | product to stagnate after the founding team leaves and the buyers | don't care. | | I really hope they're all already rich enough that they aren't | tempted by that. :-) | | Update: altered content to add more speculative version. 
| jbverschoor wrote: | Congrats! Solid product, good interface, great positioning | towards the enterprise | sk8terboi wrote: | So it's a way around any firewall and security? Interesting. | cpuguy83 wrote: | A phenomenal read on how it works: | https://tailscale.com/blog/how-nat-traversal-works/ | rvz wrote: | I bet they will get acquired by Cloudflare. If they reject their | offer then Cloudflare will kill them. | | Sorry. | mywaifuismeta wrote: | Nice charts without axes. I use those all the time. Especially in | pitch decks. | nix23 wrote: | I use them in benchmarks too! | throwaway92394 wrote: | Am I the only one that has an issue with a VPN that I can't self | host? Presumably if Tailscale gets PWN'd or subpoenaed then your | network is breached no? | moloch wrote: | No, they don't have access to the Wireguard keys and everything | is point-to-point. They'd have to push a backdoored software | update to gain access (and this is a threat with any vendor | product). | soraminazuki wrote: | IIUC Tailscale controls key distribution, so you'd still have | to trust them. However, it might still be possible to | eliminate that need for trust by verifying peer connections | out of band. | bfm wrote: | A self hosted alternative we've been using for our | infrastructure is innernet, which was discussed on | https://news.ycombinator.com/item?id=26628285 last year | cassianoleal wrote: | You're certainly not the only one. There is headscale [0] if | you're worried about that though. | | [0] https://github.com/juanfont/headscale | aborsy wrote: | Yes, Tailscale distributes public keys, and can add arbitrary | nodes to anyone's network. | | Not that they do it, but the possibility is there, and one has | to account for risks. | cpuguy83 wrote: | Tailscale's data plane is [1] mostly p2p except for some cases | where it doesn't work and it goes through an encrypted relay. | So your data does not run through Tailscale servers.
| | There is an oss [2] coordination server that does let you | totally self-host. | | [1] https://tailscale.com/blog/how-nat-traversal-works/ | | [2] https://github.com/juanfont/headscale | atsmyles wrote: | Just install wireguard yourself. With Bullseye on the RPi, it | is easier than ever. There is a learning curve, but it is worth | it. | lvh wrote: | Depends on the kind of breach. Tailscale is extremely carefully | designed to minimize that risk. Notably: Tailscale doesn't get | your keys. (Granted: a compromised agent would still be a | problem. It's a thing I have some plans for :-)) | | (Disclosure: I'm a (small) investor via Latacora's sibling | fund, Lagomorphic.) | abetlen wrote: | If you run a Kubernetes cluster for self-hosting software or | development I highly recommend setting up a Tailscale subnet | router [1]. This will allow you to access any IP (pods or | services) in your cluster from any of your Tailscale-connected | computers. You can even configure Tailscale DNS to point to the | DNS server in your cluster to connect using the service names | directly, i.e. http://my-service.namespace.svc.cluster.local | | [1] https://tailscale.com/kb/1185/kubernetes/#subnet-router | nitsky wrote: | I'm a huge fan of Tailscale and the team I work with uses it | daily, for free, to connect to our servers and each other's | computers. Thanks! | adtac wrote: | >To put the market in perspective, there are VPNs that only work | if [...] UDP isn't blocked | | isn't that true with WireGuard/Tailscale too? | xena wrote: | Tailscale employee here. Tailscale has a fallback that does | connections to a relay server called DERP. DERP works over | HTTPS, so if you can't access the outside world via HTTPS then | you have much bigger problems than Tailscale not working. | anderspitman wrote: | Is DERP raw HTTP or based on WebSockets? | stephenanand wrote: | Ansil849 wrote: | I couldn't readily find any mention of any third-party security | audits.
| | Compare that to the numerous audits a VPN like Mullvad has had - | https://mullvad.net/en/blog/tag/audits/. | knur wrote: | I love tailscale. | | Lately I have been migrating all my self-hosted stuff into a | raspberry pi (instead of running a public instance in the cloud). | It gives me a bit of peace of mind knowing that it adds an extra | layer of security (to hit any of my endpoints/apps you would need | to infiltrate my VPN). And it will save me a lot of money on | hosting. | | I don't need to expose my computers publicly or enable upnp or | anything. It just works. | hu3 wrote: | They are open source too: https://github.com/tailscale/tailscale | | edit: Only the client is open source. See clarification below. | bfm wrote: | The control server is not open source. Thankfully headscale | https://github.com/juanfont/headscale is filling that gap | cassianoleal wrote: | The clients are. The control server, which is the bit that | Tailscale hosts, is not. | | There is an open source alternative called headscale [0]. The | main downside is that you'll need to run it. | | The closed source centralised control server has other | potential issues though, and it ends up being up to the user to | decide what's the right balance of security vs convenience. | | [0] https://github.com/juanfont/headscale | hu3 wrote: | Thanks for clarifying. I did not know that. | gowld wrote: | To be clear, headscale is an alternative to the control | server, compatible with Tailscale clients. | cassianoleal wrote: | Yes, sorry if my phrasing was confusing. Thanks for | clarifying. | l30n4da5 wrote: | I've been using Tailscale for my local machines for a month or so | now. Don't really have any complaints about them. | chimen wrote: | Funding scares me. It brings sharks onboard who do not share the | same vision. They will demand revenue and ROI above all else. I | like Tailscale but I hate this business model down to the core | (Netlify as an example).
Tailscale was doing fine as it was, | capable people there already. It quickly became an "exit type of | business", too quickly. | | These companies usually bring something really easy to use, let | people onboard and modify their network/DNS/etc to hell until | they get vendor stuck and then they squeeze every possible dollar | out of their pockets. Once you're in, after days or weeks of fine | tuning, after you managed to pollute your codebase with their | configs and IP addresses, it's hard to get out. | | I suspect those "free slots" will change soon, but we won't see | those types of graphs anywhere soon and be prepared to get | charged for bandwidth and everything else possible. | jnsaff2 wrote: | > They will demand revenue and ROI above all else. | | I don't think this is true. They mostly demand growth over all | else. | AceJohnny2 wrote: | Growth as a precursor for revenue. | | Massive growth just means you can dominate the market then | have more flexibility on the price you'll charge. | mrkurt wrote: | Tailscale raised a Series A two years ago. They've been doing | fine as it was - running a venture funded, high growth startup. | | I am wary of investors wrecking incentives for founders but | that ship sails when you raise an A round. They've done an | incredibly good job for me in that time, I think they'll keep | on doing that. | | Why would their free service change? They're going to make | money off big companies. They're not going to make money off me | with a bait-n-switch to capture my $10/mo personal budget. | josephruscio wrote: | Tailscale investor here. I can assure you we share the same | vision with the founders. | anderspitman wrote: | The problem is that vision has a pretty poor track record | when going head-to-head with incentives. | ayewo wrote: | > Tailscale investor here. I can assure you we share the same | vision.
| | Outside of say, Garry Tan and Leo Polovets, who could be | considered regulars, it's rare that an investor shows up in | the HN comments. Hi! | | Your comment is reassuring, but the reality is that other | investors will look at their portfolio companies, review the | competitive landscape, then decide that they no longer share | the vision, in the not too distant future. | ncmncm wrote: | You cannot do that. You might personally share a vision with | somebody identifiable. But the vision you say you share is | anyway not implemented. | | Make the service usable without depending on some internet | behemoth who might yank my authentication credentials anytime | without notice, and we can talk. | josephruscio wrote: | vision: (noun) the ability to think about or plan the | future with imagination or wisdom. (verb) imagine | ncmncm wrote: | Vision is one thing, shared vision entirely another. | lupire wrote: | I have no reason to mistrust your vision or current intent, | but I also have no reason to believe that you are stronger | than the weight of $100M dollars. | archon810 wrote: | For those curious: https://www.linkedin.com/in/josephruscio. | | Seed investor in Tailscale since 2019. | brightball wrote: | How does it work for something like a security DVR where you | can't access the system itself? Is there an equivalent way to | just access the network like a VPN? | smackeyacky wrote: | Yes, you can set up one node as a gateway to the network, then | access everything on that local network. | | I use it this way to access devices that can't run the | tailscale software. | bruckie wrote: | Yes. Tailscale subnet router. | https://tailscale.com/kb/1019/subnets/ | falcolas wrote: | First - congratulations! I like the idea behind your product. | Easily configured VPN tunnels are something I enjoy having. 
| | But, and I'm probably just shouting into the void at this point, | relying upon your network being secured as a method of securing | your office/product will only result in heartache. | | If you're a company CSO or similar trying to protect your company | from threats, your first assumption _must_ be "the network is | compromised" no matter whether it's on the internet, or VPN | tunnels, or firewalled local network. | AndyNemmity wrote: | Tailscale is one of the products I most love. It does what I want | it to do. I don't have to think about it after that. | | If all tools were this reasonable, I'd be very happy. | RobertRoberts wrote: | This sounds just creepy that they are suggesting no more | anonymity on the internet... as a "fix". | jaywalk wrote: | What a strange and utterly incorrect way to interpret | Tailscale's mission. | orangepurple wrote: | From the website: | | What if we all just had a static IP address, and a DNS name? | ...and the address migrated around the world with you? ...and | you could connect to any of your devices no matter where they | were? | | Does this not promote the destruction of anonymity on the | Internet? | jaywalk wrote: | I think you've got a fundamental misunderstanding of what | Tailscale does. It's all about accessing _your own_ | devices. You don't need or want anonymity in that case. | They are not a general purpose VPN service, and can't even | be used as one. | RobertRoberts wrote: | No, I think you misunderstand that companies like this | have huge visions, not tiny ones like "just your own | devices". | | They are claiming they are on the road to "fix the | internet", their own words. | cassianoleal wrote: | > They are not a general purpose VPN service, and can't | even be used as one. | | I'm not sure what you mean by this, but this sounds like | exactly what they are, with some functionality on top. | It's what I use to VPN into my LAN from outside, and it's | pretty general purpose from where I stand.
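Picking up the key-distribution thread from earlier (soraminazuki's suggestion to verify peers out of band, and aborsy's point that the coordination server is what hands out peer public keys and could add a node to your network): the script below is an added example, not part of Tailscale and not posted by any commenter. It compares the peers a node currently sees against node keys you recorded out of band, for instance by reading each device's own key over a channel you already trust. The status document is a constructed sample in the shape of `tailscale status --json` (a `Peer` map of objects carrying `HostName` and `PublicKey`); that layout is assumed here, so check it against what your client actually prints.

```python
"""Out-of-band pinning of Tailscale peers' node keys (added example).

Tailscale's coordination server hands every node the WireGuard public keys
of its peers, so whoever controls it could add a node or swap a key. This
check, which is not part of Tailscale, compares the peers a node currently
sees against a list you recorded out of band. The status document is a
constructed sample in the shape of `tailscale status --json` (a "Peer" map
of objects carrying "HostName" and "PublicKey"); that layout is assumed.
"""
import json

# Keys recorded out of band; constructed, 32 bytes of hex each.
PINNED = {
    "pi":     "nodekey:" + "11" * 32,
    "laptop": "nodekey:" + "22" * 32,
    "vps":    "nodekey:" + "33" * 32,
}

# Constructed status: "pi" matches, "laptop" shows a different key,
# "backup" was never pinned, and "vps" is not currently visible at all.
STATUS_JSON = json.dumps({
    "Self": {"HostName": "workstation", "PublicKey": "nodekey:" + "00" * 32},
    "Peer": {
        "nodekey:" + "11" * 32: {"HostName": "pi", "PublicKey": "nodekey:" + "11" * 32,
                                 "TailscaleIPs": ["100.64.0.2"]},
        "nodekey:" + "99" * 32: {"HostName": "laptop", "PublicKey": "nodekey:" + "99" * 32,
                                 "TailscaleIPs": ["100.64.0.3"]},
        "nodekey:" + "ab" * 32: {"HostName": "backup", "PublicKey": "nodekey:" + "ab" * 32,
                                 "TailscaleIPs": ["100.64.0.9"]},
    },
})


def audit_peers(status_text, pinned):
    """Return {hostname: 'ok' | 'key changed' | 'unknown peer' | 'absent'}.

    Anything other than 'ok' deserves a look: 'unknown peer' is a node you
    did not enrol, 'key changed' is either a legitimate re-authentication
    or a substituted key, and 'absent' is a pinned device that is offline
    or has been removed from the tailnet.
    """
    status = json.loads(status_text)
    seen = {p["HostName"]: p["PublicKey"] for p in status.get("Peer", {}).values()}
    findings = {}
    for host, key in seen.items():
        if host not in pinned:
            findings[host] = "unknown peer"
        elif pinned[host] != key:
            findings[host] = "key changed"
        else:
            findings[host] = "ok"
    for host in pinned:
        if host not in seen:
            findings[host] = "absent"
    return findings


def has_findings(status_text, pinned):
    """True if any peer needs attention; usable as a cron job's exit status."""
    return any(v != "ok" for v in audit_peers(status_text, pinned).values())


if __name__ == "__main__":
    # Live use would pipe real output in: tailscale status --json | python3 pin_check.py
    for host, verdict in sorted(audit_peers(STATUS_JSON, PINNED).items()):
        print(f"{host:10} {verdict}")
```

Two caveats a practitioner would add. Hostnames are chosen by the device and relayed by the control plane, so a stricter version keys the pinned list by node key (or key plus Tailscale IP) rather than by name. And node keys are expected to change when a device re-authenticates, so "key changed" is a prompt to reconcile out of band, not proof of tampering; the finding that should never be routine is "unknown peer".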
| jaywalk wrote: | I'm talking about services like NordVPN, Mullvad, etc. | They do not funnel your Internet connection through their | servers. | cassianoleal wrote: | Ah, fair enough. | | Those are not general purpose VPNs though. | | In fact, they are not even VPNs in the first place. They | merely use the same technology to provide a private | tunnel to the public Internet (and use the name in | marketing material because by now people are familiar | with it). | | What they are not is general purpose private networks. | jaywalk wrote: | They are absolutely VPNs. If you don't like my term | "general purpose" that's fine, but they 100% fit the | definition of VPN. | cassianoleal wrote: | A VPN is a Virtual Private Network. Those services you | mentioned merely provide a secure tunnel to the same | public Internet you'd have access to without them, avoiding | eavesdropping by your ISP or other intermediaries, whilst | handing over that capability to the "VPN" provider. There | is no private network anywhere in this case. | | An actual VPN provides you with a _private_ network that | just happens to work over the public Internet, usually | encrypted, but is inaccessible from it. | | > A virtual private network (VPN) extends a private network | across a public network and enables users to send and | receive data across shared or public networks as if their | computing devices were directly connected to the private | network. The benefits of a VPN include increases in | functionality, security, and management of the private | network. It provides access to resources that are | inaccessible on the public network and is typically used | for remote workers. Encryption is common, although not an | inherent part of a VPN connection. | | * https://en.wikipedia.org/wiki/Virtual_private_network | jaywalk wrote: | Sticking with Wikipedia: | https://en.wikipedia.org/wiki/VPN_service | | Saying that these services are "not VPNs" is unnecessary | pedantry.
Definitions evolve over time, and these | services meet the common definition of a VPN. | RobertRoberts wrote: | If they start off as VPN but morph into something more | (like Cloudflare, Google, etc...) then it really doesn't | matter how you define them "today" if their goal as a | company is to become something more/different. | lvh wrote: | No? The fact that some machines (notably: all your _own | devices_) need to be able to reliably talk to each other | does nothing to impact anonymity on the Internet. Sure, you | can route everything out of your own IP using Tailscale | also, and that might be desirable if you're on a crappy | connection, but it's still completely orthogonal to | privacy-preserving techniques like Tor (and may in fact | make those easier to deploy). | | Tailscale doesn't make privacy worse any more than the fact | that to a first approximation, no residential Internet | provider in the US has rotated an IP in recent memory. | | (Disclosure: I'm a (small) investor via Latacora's sibling | fund, Lagomorphic.) | RobertRoberts wrote: | It's not their "mission" but it is their system. If you have | a static IP address where "...the address migrated around the | world with you..." how do you think that will work for people | that _NEED_ anonymity? | | Will they be left out of this new internet? | jaywalk wrote: | Tailscale is for accessing _your own_ devices, it's not a | general purpose VPN service. Anonymity is not a factor. | RobertRoberts wrote: | The title of the article from Tailscale is "...to fix the | Internet"... if it was "only" about "your own devices" | then you are assuming they are thinking small. | jaywalk wrote: | You're assuming that they're thinking something | completely outside of anything they've ever said, and | something that nobody actually wants. Your assumption is | the one that's out of left field, not mine. | RobertRoberts wrote: | You haven't proved me wrong, you just said I am wrong.
| jaywalk wrote: | I don't have to prove you wrong, I'm not making an | assertion. It's on you to prove that your assertion is | correct, and you have nothing more than your opinion | backing you up. | RobertRoberts wrote: | The idea of "you have something permanently static that | identifies what is yours" on the internet that never goes | away, and it runs through a corporation's server, that | supposedly is marketed as "fixing the internet"... do you | really think this sounds good? ___________________________________________________________________ (page generated 2022-05-04 23:00 UTC)