WingNews logo WingNews
top | item 47063593

(no title)

behnamoh | 11 days ago

How does Tailscale make money? I really like their service but I'm worried about a rug pull in the future. Has anyone tried alternative FOSS solutions?

Also, sometimes it seems like I get rate limited on Tailscale. Has anyone had that experience? This usually happens with multiple SSH connections at the same time.

discuss

order

dimatura|11 days ago

Our company pays for the premium business plan, $18/mo/user. You have to pay for at least the lower tier plan once your team grows beyond a handful of people. And there's several quite useful features (though maybe not essential) on the premium plan like serve/funnel and SSH.

On the other hand, I do wonder about zerotier. before tailscale we used zerotier for a few years, and during the first 3-4 years we paid nothing because as far as I can recall there was nothing extra that we needed that paying would've gotten us. Eventually we did upgrade to add more users, and it cost something like $5/mo (total, not per user).

tamimio|11 days ago

Zerotier is not the same as tailscale although both can be used to do the same, but under the hood both are fundamentally different, ZT is layer2 like switch, so it’s like an Ethernet meanwhile TS is built on top of wireguard and is layer3. ZT allows broadcast/multicast and has own protocol, TS don’t. I use both among others, and ZT since around 2019, I found it reliable in some cases in IoT world while TS had better throughput in usual applications.

gpm|11 days ago

I've used serve/funnel on the tailscale free tier... definitely agree that the team size limit seems like it would move companies to the paid plan though.

lysace|11 days ago

How do you handle the do-before-thinking devs? Or the kinda low-to-mid performing devs? Most companies has one or a few of those, right? They help the company machine go around by doing the somewhat boring stuff over and over again.

Tailscale in a company/developer env seems awesome when you know what you are doing and (potentially) terrifying otherwise.

Does someone set up detailed ACLs for what's allowed? How well does that work?

vizzier|11 days ago

> Also, sometimes it seems like I get rate limited on Tailscale.

As I understand it if everything is working properly you should end up with a peer to peer wireguard connection after initial connection using tailscales infrastructure. ie, there should be nothing to rate limit. There are exceptions depending on your network environment where you need one of the relays noted in this post.

As for opensource alternatives:

https://github.com/juanfont/headscale can replace tailscales initial coordination servers

and https://netbird.io/ seemed to be a rapidly developing full stack alternative.

arsome|11 days ago

Headscale also offers a relay server of its own.

kkapelon|11 days ago

There is also netmaker

evmar|11 days ago

They wrote a blog post addressing this concern: https://tailscale.com/blog/free-plan

riknos314|11 days ago

The Tl;Dr here is that the cost to them of operating the free tier is lower than what they estimate their Customer Acquisition Cost would be without a free tier, so the free tier generates better leads/conversions to their paid products at a lower cost than traditional sales and marketing.

As long as these economics continue to hold they'd be stupid to discontinue the free tier.

Aurornis|11 days ago

Tailscale is a perfect example of using a free tier to become popular with developers, who then evangelize the product to their employers. The employers pay for business scale plans.

zephen|11 days ago

I wonder about this.

The hoops you have to jump through to be on two different tailnets might dissuade some home users from even bringing it up at work.

allthetime|11 days ago

Facilitating peer to peer connections is cheap.

Just like cloudflare, a healthy free offering makes lots of happy/loyal developer users. Some of those users have business needs / use for the paid features and support and will convince their managers to buy in.

prodigycorp|11 days ago

I love tailscale but you may be right, it's entering that acquisition zone that'll inevitably bum everyone out.

Salesforce, stay away from it!

tomxor|11 days ago

I have the same fears. Last year they have publicly stated they are not interested in acquisition [0]

> Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).

> “Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”

Nothing is set in stone, after all it's VC backed. I have a strong aversion to becoming dependent upon proprietary services, however i have chosen to integrate TS into my infrastructure, because the value and simplicity it provides is worth it. I considered the various copy cat services and pure FOSS clones, but TS are the ones who started this space and are the ones continuously innovating in it, I'm onboard with their ethos and mission and have made use of apenwarrs previous work - In other words, they are the experts, they appear to be pretty dedicated to this space, so I'm putting my trust in them... I hope I'm right!

[0] https://betakit.com/corporate-vpn-startup-tailscale-secures-...

politelemon|11 days ago

Dearest Salesforce, Apple, Oracle, and IBM. Please look elsewhere for acquisitions to ruin for everyone. Cheers.

nsbk|11 days ago

At this point Tailscale is working so well and I'm so happy with it that I'm afraid it's time to start migrating to Headscale [0] for my home network. The rag pull may just be too painful otherwise!

[0]: https://headscale.net/

sureglymop|11 days ago

I've been smoothly running headscale on a hetzner vps for many months now. Works without issues (note that it does lack some features still).

allthetime|11 days ago

Facilitating peer to peer connections is cheap.

Just like cloudflare, a healthy free offering makes lots of happy/loyal users. Some of those users have business needs / use for the paid features and support.

tiernano|11 days ago

It's free for up to 3 users. After that you need to start paying.

criddell|11 days ago

I have a family of 4 so I pay and it's still crazy cheap. I've wonder how sustainable it is.

thecapybara|11 days ago

I self-host a few apps and use Tailscale to access them remotely. It's worked well, so I recommended it as a possible solution to allow employees at my company to remotely access some on-prem resources while remote, and that's being considered. If we go with that, then that'd be Tailscale making money from me using the free plan.

mrsssnake|11 days ago

Free personal tier is basically a cheap advertisement for them. You try Tailscale personally and get used to it, then it is very likely you would want to deploy it at your work seeing the benefits scaling even more with more people. And then they make money.

QuercusMax|11 days ago

1000%. Tailscale is the first VPN I've used that makes my life easier, and I'm using it for personal access to my selfhosted servers at home. I will definitely recommend it to companies I work for in the future.

eurg|11 days ago

Companies pay for it. And except for their DERP servers, free users don't cost them much.

dec0dedab0de|11 days ago

Wouldn't the FOSS alternative be to simply use wireguard?

iso1631|11 days ago

Most posters on HN barely know what a subnet is so it's not that simple

There's two key features

1) Tunnel management

Tailscale will configure your p2p tunnels itself - if you have 10 devices, to do that yourself you'd have to manage 90 tunnels. Add another device and that goes upto 100. Remove a device and you have 9 other devices to update.

2) Firewall punching

They provide an orchestration system which allows two devices both behind a nat or stateful firewall to communicate with each other without having to open holes in the firewall (because most firewalls will allow "established" connections - including measuring established UDP as "packet went from ipa:porta to ipb:portb 'outbound', thus until a timeout period any traffic from ipb:portb to ipa:porta will be let through (and natted as appropriate)".

The orchestration sends traffic from ipa to ipb and ipb to ipa on known ports at the same time so both firewalls think the traffic is established. For nats which do source-port scrambling it uses the birthday paradox to get a matching stream.

I believe you can run a similar headend using "headscale" yourself.

newsoftheday|11 days ago

I do, I use a VPS (at OCI free) to host Wireguard. My home systems (running my production web sites and email) are on my VPN and mine and my wife's phones. I hand configured it all but it wasn't difficult for me.

NoiseBert69|11 days ago

Yes and no. It's much manual work to get WG to behave like Tailscale.

nagaiaida|10 days ago

a simpler setup with broad feature parity would probably look more similar to nebula than bare wireguard

zaphar|11 days ago

There are a number of features and teamsizes that they provide where you have to pay money. Most company users are going to end up paying them money. But also their emphasis on P2P connections means their costs are quite low. It doesn't add much overhead to have the smallish number of personal users out there. They've talked about how having the free tier helps to force them keep those costs down in useful ways.

cbility|10 days ago

https://netbird.io/ is open source, with a freemium hosted option. Works for us and I find it easier to configure than tailscale for routing rules.

Lammy|11 days ago

> How does Tailscale make money?

They spy on your network behavior by default, so free users are still paying with their behavioral data. See https://tailscale.com/docs/features/logging

“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

They know what you're doing, when, from where, to where, on your supposedly “private” network. It's possible to opt out on Windows, on *nix systems, and when using the non-GUI client on macOS by enabling the FUD-named “TS_NO_LOGS_NO_SUPPORT” option: https://tailscale.com/docs/features/logging#opt-out-of-clien...

It is not currently possible to opt out on iOS/Android clients: https://github.com/tailscale/tailscale/issues/13174

For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326

jzelinskie|11 days ago

I'd love to have someone else chime in on this because I did some spelunking and am not sure if this comment is true.

I checked my DNS logs and saw zero attempts to resolve `log.tailscale.com` having ran tailscale for many years (I added it to a blocklist anyway). From their admin panel, it appears "networking logging" requires paying for Premium[0], so it's not being used for free users (or Personal Pro).

Also, from looking at some source code (because the docs don't include this), I discovered you can disable logging for the macOS App Store client by doing:

     echo "TS_NO_LOGS_NO_SUPPORT=true" > ~/Library/Containers/io.tailscale.ipn.macos.network-extension/Data/tailscaled-env.txt
[0]: https://login.tailscale.com/admin/logs/network

nickburns|11 days ago

Pretty much this. DNS, SNI, and otherwise plaintext traffic sniffing. That together with user/device 'fingerprinting' (a much more amorphous concept), and that's why such-and-such thing you were just talking about with so-and-so pops up on your screen/feed/whatever, sometimes only minutes later.

I highly doubt any of this can actually be opted-out of. How else would they stay in business?

db48x|10 days ago

That’s misleading; you have to pay extra to get access to that feature.

gz5|11 days ago

OpenZiti (Apache 2.0):

https://github.com/openziti/ziti

bityard|11 days ago

This is a secure mesh network, but it appears to be for embedding into applications, not a "private VPN" like Tailscale, or do I misunderstand?

resiros|11 days ago

I use netbird and can only recommend it

UltraSane|11 days ago

Companies pay per user for TailScale as an alternative to conventional VPNs like Cisco AnyConnect.

Suffocate5100|11 days ago

Nebula is what we use. It's definitely not as convenient, but it's 100% self-ownable.

pkulak|11 days ago

I pay $5 a month, and my company has a license for every employee.

jacquesm|11 days ago

Through paying users like me.

fdefitte|11 days ago

[deleted]

batrat|11 days ago

It happened to others but there are also some very good examples like Veeam community edition which, IMO, is the best backup software. They had lots of discussions and even pressure from management to terminated, but the numbers made a lot of sense and they kept it. Tailscale is in disadvantage here because they are in a very crowded market and it will be very easy to slip into one corner and let way for others like netbird, netmaker, nebula(?), wireguard (like u said), etc.