Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
Join our Discord server for a chat and community support.
Sigh…
And even worse:
Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the control server.
everything is open source except half of all things.
Lol
To be fair, anything the GUI clients do can be done with the CLI which is still open source and on all desktop platforms and headscale is literally their open source control server.
Yeah, but on iOS?
The iOS app is the exception for now but with the CLI and the core libs being open source it’s at least not off the table to make an alternate iOS client I’d say.
I mean is anything iOS really open source?
Yes? There are Lemmy clients that are open source, for instance. And the Wireguard client is.
Huh, I actually didn’t know this because I don’t use Windows/macOS/iOS. Somehow completely missed this.
Granted this is not Headscale’s fault, they’re just using Tailscale clients. Either way I’m glad I use a roll-your-own Wireguard.
I and my partner also don’t use those OSs, but it’s more the point of using FOSS when we can.
Ok and?
Good thing I deleted it from my homeserver a month ago.
Yeah, and Steam is a closed-source DRM platform. Great software sometimes is worth the trade-off.
Steam is a private company, not publicly traded and has no VC funding.
VC funding and potential IPO normally means enshittification is inevitable, as they will eventually need to make insane profits by turning the screws on its users, as their business model wasn’t self sustaining.
Enshittification is inevitable for all free services (services as in with a server component). Thankfully the functions of Tailscale are open source, so until enshittification actually happens I will be happy using a useful but VC-funded project. When I am not willing to make the trade-off anymore I will use Headscale or some other drop-in replacement.
Enshittification is inevitable for all free services (services as in with a server component).
No, it is not that bleak. It is only inevitable when there is an active push for a short-term maximization of user base monetization (which is very much in the nature of VC). It can usually be avoided with products that are wholly under the ownership of all users (such as a cooperative or a government-provided service) or - only if one is lucky - with products of financially independent private enterprises under vaguely benevolent and unhurried leadership (such as Steam, to some extent)
Realistically Tailscale seems to currently be running on a model of get all of the self hosters to love running it at home so then they advocate to run it at work where all of the pricey enterprises licenses make the real money.
I’ve actually seen some real-world use cases where, if I had more political push, I would’ve put Tailscale into the running as a potential solution.
Hopefully they have the right people in place to push back at the VC firms about maintaining their current strategy rather than scaring away all of their best advocates before they can truly get off the ground. Having worked at a company owned by a hedge fund, part of the trick is having the right people in place in the company who can block the worst decisions by the capital-hungry owners.
Tailscale is a business seeking profit? (clutches pearls gasp)
Plex actively removes features, though that hasn’t happened here, and as other comments say it’s easy to move away in this case.
…and what are current Plex users that don’t like the direction Plex has taken doing? Riding the next horse. When Tailscale gets unbearable with their business practices, there are a lot of other options. Tailscale is just easy and it flippin’ works.
So, I don’t run the arr stack, or any of its components. In fact, I’ve never even test run Plex. However, I hear that Emby is a better replacement, coupled with Symfonium to take the place of PlexAmp. That seems to be the ‘next horse’ everyone is switching to, even tho Emby does seem to have some unresolved issues.
I just find the constant grind against profitability and capitalism to be a bit worn. I guess you could say I am fully ensconced in capitalism as I run three tax-paying, for-profit businesses. The issue I take with capitalism is unbridled, uncontrolled greed…when we place profit over principle. By all means tho, make yo’ paper son.
These are my opinions. There are many like them, but these ones are mine.
If there’s no one who can replace you with someone else, if you don’t deliver profit growth that they expect, then there’s a chance for you to apply principle over profit because it’s up to you. Many if not most corporations however can and do replace corporate leadership that doesn’t deliver profit growth with one that does. In these circumstances, leadership can rarely put principle over profit without being replaced. Many if not most of us see the direct effects of this process on our lives, working to get ever more of our incomes and health. This process hasn’t stopped and hasn’t slowed down. The opposite. This is why you’re hearing us grinding against capitalism as we can see the system all around us grinding us down. This is why it’s likely you’ll keep hearing it and it’s likely gonna get louder. I might not have your product in my home. If I do, I might be very happy with it because you’re not trying to get as much money out of me as you can. However I am certain without checking that I have Unilever, Kraft, Nestle, PepsiCo, Google and so on, and I know they are. You probably do too and they’re probably skinning you just as much. This is what capitalism is for us and we will grind against it because our standard of living is falling and it’s not because of people like you. Small businesses have much more in common with us in this, than large corporations, or small corporations funded by large capital of different kinds. I’m an employee of a very large, well known American corporation that has strategically stopped making products that were objectively better for its customers but had lower margins, replacing them with much more expensive, higher margin ones. I’m not getting anything from the difference. Our major shareholders do.
I get all of that. I really do feel ya. However, I find it quite difficult to raise my ire over a free product (Tailscale) that I use in conjunction with my hobby, changing up their game and going IPO. I guess I do not take my network as seriously as others here do.
Not so much ire than awareness and planning so we don’t get caught pants down. I’ve been using them for 5 years, in part because their clients (for my OSes) are open source and there was a path out of their infrastructure. I paid for it and have a pretty elaborate setup which supports services for family and friends. I’ve been happy so far, but will be decoupling from their infrastructure. No ire for them, just for the system. The system makes people and firms do what they do. 😄
I think I’ll just keep using tailscale until they start enshittifying, and then set up a Headscale instance on a VPS - no need to take this step ahead of time, right?
I mean, all the people saying they can avoid any issues by doing the above: what’s to stop Tailscale dropping support for Headscale in future if they’re serious about enshittification? Their Linux & Android clients are open source, but not iOS or Windows, so they could easily block access for them.
My point being - I’ll worry when there is something substantial to worry about, til then they can know I’m using like 3 devices and a github account to authenticate. MagicDNS and the reliability of the clients is just too good for me to switch over mild funding concerns.
Yeah, as I said, it’s a friendly reminder. I’m personally probably doing it this year. It’s entirely possible that enshittification could come even years from now. It all depends on how their enterprise adoption goes I think. The more money they make there, the longer the individual users are gonna be left unsqueezed.
become profitable when needed
By what, laying off all QA and support staff and half your developers the moment a single quarterly earnings report isn’t spotlessly gilded?
I’m unsure if it has been mentioned, but a similar tool which is open source (you can run the backend, unlike Tailscale): NetBird.
Is there an issue with NetBird’s servers at the moment? In my testing devices are connected and reach each other, but the web admin is missing a lot of functionality compared to what’s in the docs. The peer devices section is there, but everything else (user settings, rules etc.) isn’t showing/says I don’t have admin permission (of my own account… Lol?)
Honestly, no idea, worth checking their GitHub etc or their status pages if they have any
We’ve implemented netbird at my company, we’re pretty happy with it overall.
The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don’t seem to have any plans for ever really solving that. As long as you can live with that, it’s a good solution.
Support is a mixed bag. Mostly just a slack server, kind of lacking in what I’d call enterprise level support. But development seems to be moving at a rapid pace, and they’re definitely in that “Small but eager” stage where everything happens quickly. I’ve reported bugs and had them fixed the same day.
Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.
Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.
Thank you for your insight, I’m assuming the only public part is the UI and coturn (the bit that enables two clients between firewalls to hole-punch)?
Yes, the underlying model is the same as Tailscale, Zerotier and Netmaker (also worth checking out, btw). Clients connect to a central host (which can be self-hosted) and use that to exchange information on addresses and open ports, then form direct connections to each other.
Headscale is the tailscale backend server
Well not “the” backend server but “a” different backend server. As far as I know Headscale is a separate implementation from what Tailscale run themselves.
I think a lot of companies view their free plan as recruiting/advertising — if you use TailScale personally and have a great experience then you’ll bring in business by advocating for it at work.
Of course it could go either way, and I don’t rely on TailScale (it’s my “backup” VPN to my home network)… we’ll see, I guess.
It also doesn’t cost them much of anything
Positive PR and little draw backs means that everyone is generally pretty happy
Are there better alternatives? I was planning on using tailscale until now. :P
I use the built in wireguard VPN in my router. If you just need local network access elsewhere it’s usually really easy to setup if your router provides it. I would look into it!
I’ve been eyeing up NetBird but haven’t got around to trying it yet. It’s fully open source at least, and they’re based in Germany if anyone cares about that.
I used NetBird heavily at my last job and I use it for a few things at home. It works pretty well.
Just looked at NetBird, it looks suspiciously similar to Tailscale in what it does except they also got an open-source control server. They have self-hosting doc right in their web site. Looks interesting. Can’t find much about the company other than it’s based in Berlin and it’s currently private - Wiretrustee UG.
What’s the difference with their open-source control server, from headscale? That it’s officially published by the company?
For me personally, the next step is using Headscale - a FOSS replacement of the Tailscale control server. The Tailscale clients are already open source and can be used with Headscale.
Someone else could give other suggestions.
I’ve been meaning to switch from Tailscale to Headscale but I have been too busy. Do you have any instructions, write-ups/walk-throughs you could recommend to set this up? I have three sites with 1GB internet I can use. One has a whole-house UPS but a dynamic IP, another has a static IP but no UPS, and the third is Google Fiber with no UPS, but I can use the app to get the current IP anytime. I also own a number of domain names I could use.
No write-ups. I tried following the Headscale doc for a test last year. Set it up on the smallest DigitalOcean VM. Worked fine. Didn’t use a UI, had to add new clients via CLI on the server. When I set it up for real, I’d likely set up a UI as well and put it in a cloud outside of the US. It would work at home too, but any other connection would die if my home internet dies or the power does. E.g. accessing one laptop from another, or accessing the off-site backup location.
I use Nebula. It’s lightweight, well-engineered and fully under your control. But you do need a computer with a fixed IP and accessible port. (E.g. a cheap VPS)
You can also use “managed nebula” if you want to enjoy the same risk of the control point of your network depending on a new business ;-)
Depends on your use case. If you’re just looking to expose services and are ok having them publicly accessible, there’s Cloudflare Tunnel, or you can run WireGuard on a cheap VPS
A bunch really, Headscale with Tailscale client, Nebula VPN, Netmaker, Zerotier.
Yeah, I also use that, but it’s not quite as easy as the others. Either you’re open to the whole network or you need some form of external key management to add/remove peers from your network.
Wireguard if you’re just using it yourself. Many various ways to manage it, and it’s built in to most routers already.
Otherwise Headscale with one of the webUIs would be the closest replacement.
PiVPN is really easy, and since PiVPN is just scripts, it always installs current WireGuard even if they are lax on updating PiVPN that often.
I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn’t actually access it if I wasn’t initially on my home network, oops.
I might play around with it again down the road with a cheap VPS, didn’t take long to get it going, but realistically my setup’s access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I’ve been seeing).
Why does it need to be on a VPS? It seems to work on a home network when I played around with it.
Well a VPS or an exposed service, but I feel like the latter ends up somewhat defeating the purpose anyway.
When running locally (not exposed), it worked great until I tried to make the initial connection from mobile data - can’t establish a connection to headscale if it can’t reach it in the first place. Unless I’m mistaken, the headscale service needs to be publicly accessible in some way.
Oh gotcha yes it does. Are you on CGNAT with your ISP so you can’t forward ports?
Nah, but personally I have no need to expose anything and would rather avoid the security headaches and such that come with it
Didn’t even work for me. I use Mullvad, so if I wanted to use Tailscale on my Android to connect to my desktop, it wants me to disable Mullvad, unlike on my desktop…
Hmmm. I run PIA and Tailscale simultaneously on my devices. I did have to tinker around with the settings in PIA such as the VPN & Advanced Kill Switch. So, now Tailscale is for administrating remote servers, and PIA for everything else. DNS leak checks, etc all check out.
Yeah this was a deal-breaker for me too.
I think that’s because both work on Android by being a VPN, and the system can’t handle doing two VPNs simultaneously.
Well not really but most people don’t like manually editing routing tables
You can do that? On ordinary, non-rooted Android?
Tailscale offers a paid Mullvad integration, where you can select most Mullvad servers as exit nodes. Works quite well.
I’ve realized how easy it is to just actually run a network rather than half ass it with tailscale. I recommend this, it’s fun.
Tell me more.
Just use normal wireguard, why do you need tails or heads at all?
Accessing your home network that is kept inside a NAT by your ISP, without you having to acquire an online server somewhere.
You really don’t though. I use wireguard myself under the same scenario without issue. You just need to use some form of dynamic DNS to mitigate the potentially changing IP. Even if you’re using Tailscale you’ll still need to have something running a service all the time anyways, so may as well skip the proxy.
If you only need to worry about the IP changing, then your ISP is not using NAT, or CGNAT as it is better known. I’m pretty sure that you can also use port forwarding, which is not commonly available under CGNAT.
Ah, I see where I got confused. Yeah, CGNAT isn’t very common around here. I don’t think I’ve ever run into an ISP that uses it. I can see how that complicates things.
It’s more common with mobile-based connections like satellite connections or mobile-LTE data based connections, I believe.
Your approach won’t work if you’re behind carrier grade NAT or you can’t open ports. My landlord provides my internet so I use tailscale (with headscale on my long distance vps) to connect everything and it works great. It uses LAN when I’m home, and NAT punches when I’m elsewhere.
Except you do need to acquire an online server somewhere; it’s just one that Tailscale owns and controls instead of you, and when Tailscale decides to enshittify and kill off their free tier you’ll be left wondering why you didn’t just rent a cheap VPS sooner.
Ask yourself, what is Tailscale getting out of those “free” users that makes it worth providing services to them that they’d otherwise need to rent a VPS for? What do you think their response would be if, for example, they got pressured about maybe too many users on their network running a certain video streaming app?
Tailscale offers way more than just WireGuard. ACLs, NAT traversal etc. etc.
While some use cases can be replaced with traditional wireguard, others not.
I’m curious what kind of a use case you can think of that “traditional wireguard” can’t replace tailscale for.
Tailscale has a maximum of 3 users on their free tier, so it seems like a super limited use case of people who DIY their own servers for Jellyfin or Home Assistant or whatever, but are just a tad too lazy to set up their own WireGuard service in addition to whatever it is they’d be using it for… I think the vast majority of free Tailscale users have simply never actually tried wg-easy, because if they had they wouldn’t need to use a third-party service.
Big difference between users and devices here. Tailscale might have a 3-user limit, but you can add up to 100 devices for free. So for me, for example, I have Tailscale running in each and every Docker container on my NAS. So each and every container can now act as a node on my tailnet. Users isn’t a big deal; any one node can activate Funnel with a simple command and poof, it’s available to the public. The convenience coupled with simplicity is what makes Tailscale so god damn good.
Can you segregate connections between different nodes on the tailnet, like say node G and H can only talk to each other and no other nodes?
Not sure, not tried that as that’s outside my use case. But I would assume its possible with ACLs!
@gravitywell you miss the whole goodie part like Funnels, ACLs, certs etc.
ACLs for me are really valuable as I’m using it for a small team (3 ppl) for server/app admin.
@ShortN0te I think ACL is a paid feature with TS, but maybe I’m wrong. Once you get to the paid tier, you are just paying someone else to manage your VPN, which is fair enough, but it’s not something you couldn’t also pay someone to do with WireGuard (or OpenVPN for that matter). I think it’s fair to say “I pay for this service because I don’t want to have to deal with configuring it myself”; it might be easier to set up for some use cases, but if someone is already self-hosting things and has a DIY attitude to it, I don’t think Tailscale can do anything WireGuard can’t also do (it is based on WG after all).
Maybe I’m not familiar enough with other kinds of setups to think of things though. My WireGuard setup is basically a meshnet between several people’s home servers; each person has their own subnet only they can use, but the wider 10.X.X.X is shared by everyone. It’s certainly not the most secure because it doesn’t need to be, but if I wanted to restrict one person’s access to something I certainly could do that.
ACLs are on the free tier too.
Or be like me stuck in the 2000s using OpenVPN still in 2025 lol
a long runway that allows us to become profitable when needed
Switch to self-hosting headscale when they enshittify in an attempt to become profitable, duh
I can’t unfortunately. The only feature I use is the fact I can access my IPv6-only server via an IPv4-only network.
I mainly use Tailscale (and ZeroTier) to access my CGNATed LAN; Headscale would require me to pay a subscription for a VPS, wouldn’t it?
I really envy the guys who say only use them because they’re lazy to open ports or want a more secure approach, I use them because I NEED them lol.
If (when?) Tailscale enshittifies I’ll stick with ZT a bit until it goes the same way lol. I started using it first; I don’t know if ZT came before Tailscale though.
A VPS can be really inexpensive, I pay $3 a month for mine.
Or get something like a Raspberry Pi (second hand or on sale). I have NetBird running on it and I can use it to access my home network and also use it to tunnel my traffic through it.
I don’t think that would solve the cgnat issue. I use a vps because I don’t want to pay 250 a month for a starlink routable ip
~$1.91 a month (paid 22.99 for a year) at RackNerd!
Same, my Hetzner proxy running NPM, with pivpn and pihole is doing all it needs to do for $3 and some change.
My only open ports on anything I own are 80, 443 and the wg port I changed on that system. Love it.
How does WG work on the local side of the network? Do you need to connect each VM/CT to the wireguard instance?
I am currently setting up my home network again, and my VPS will tunnel through my home network and NPM will be run locally on the local VLAN for services and redirect from there.
I wonder if there is any advantage to run NPM on the VPS instead of locally?
The VPS is the WG server and my home server is a client, and it uses Pi-hole as the DNS server. Once your clients hang around for a minute, their hostnames will populate on Pi-hole and become available just like TS.
You do have to set available ips to wg’s subnet so your clients don’t all exit node from the server, so you’ll be able to use 192.168.0.0 at home still for speed.
As for NPM, run it on the proxy, aim (for example) Jellyfin at 10.243.21.4 on the wg network and bam.
I am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.
Your Pi-hole acts as your DNS, so the VPS uses the Pi-hole through the tunnel to check for the translation IP, as set through the DNS directive in the wg file. For example, my Pi-hole is at 10.0.20.5, so the DNS will be that address.
On the local side, the Pi-hole is the DNS for all the services on that subnet and each service automatically populates its host name on Pi-hole. I can configure the DNS server in my router/firewall (OPNsense in my case).
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Does that make sense?
the VPS uses the pi-hole through the tunnel
The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.
server dns - itself
client dns - the server’s wg address
On the local side, the Pi-hole is the DNS for all the services on that subnet and each service automatically populates its host name on Pi-hole. I can configure the DNS server in my router/firewall (OPNsense in my case).
Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn’t aware I host anything at all.
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
Pihole (in my case) can’t see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Allowed ips = 10.x.x.0/24 - only connects the clients and server together
Allowed ips = 0.0.0.0/0 - sends everything through the VPN, and connects the clients and server together.
Do the top one, that’s how TS works.
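The hub-and-spoke layout described in the last few comments (VPS as the WireGuard server, home server behind CGNAT dialing out, Pi-hole on the hub’s wg address as client DNS, split-tunnel AllowedIPs) and the CGNAT question raised earlier in the thread, written out as wg-quick config files. This is an added example, not configuration posted by anyone in the thread; the 10.243.21.0/24 subnet, the peer addresses, vps.example.com, port 51820 and the `<...>` key placeholders are assumptions.

```ini
# --- VPS (hub): /etc/wireguard/wg0.conf ---
# The only box with a public IP, so the only peer anyone lists as Endpoint.
# Pi-hole on this host must also listen on wg0 (10.243.21.1), not just
# 127.0.0.1, or the clients' DNS = line below will get no answers.
[Interface]
Address = 10.243.21.1/24
ListenPort = 51820
# Generate with: wg genkey | tee vps.key | wg pubkey > vps.pub
PrivateKey = <vps-private-key>
# Forward only between spokes on wg0. No MASQUERADE and no wg0 -> eth0 rule,
# so the hub cannot be used as an exit node by accident.
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

# Home server. No Endpoint: it sits behind CGNAT and dials out to the hub.
# AllowedIPs is a /32 on purpose. WireGuard's cryptokey routing drops any
# packet from this peer whose source address is not listed here, so one
# spoke cannot spoof another spoke's address on the mesh.
[Peer]
PublicKey = <home-public-key>
AllowedIPs = 10.243.21.4/32

# Laptop used from outside.
[Peer]
PublicKey = <laptop-public-key>
AllowedIPs = 10.243.21.10/32

# --- Home server (behind CGNAT): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.243.21.4/24
PrivateKey = <home-private-key>
# Pi-hole on the hub's wg address (wg-quick needs resolvconf for this line).
DNS = 10.243.21.1

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.com:51820
# Split tunnel: only the wg subnet goes through the VPS. The 192.168.x.x LAN
# and ordinary internet traffic never touch the tunnel.
AllowedIPs = 10.243.21.0/24
# Keeps the NAT mapping open so the hub can reach us with no inbound port.
PersistentKeepalive = 25

# --- Laptop: /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.243.21.10/24
PrivateKey = <laptop-private-key>
DNS = 10.243.21.1

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.com:51820
AllowedIPs = 10.243.21.0/24
# Full-tunnel alternative (everything via the VPS): replace the line above
# with AllowedIPs = 0.0.0.0/0 and add on the hub
#   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#   iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
PersistentKeepalive = 25
```

With this in place the reverse proxy on the VPS can point at 10.243.21.4:<port> for Jellyfin, as the comment above suggests, and the home router never has to forward a port. The /32 entries on the hub are the check worth keeping: widening one of them to 10.243.21.0/24 would let that peer impersonate every other node on the mesh.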
Same. I mean, I was already looking to rent a VPS, but at least there’s some time so I can save money until things get weird.
Yeah, don’t get me wrong, I can see the value of getting a VPS, especially if you are gonna be using it for some other projects. I have had a DO instance in the past and I tinkered with WG back then BTW, but if it is only for remote accessing your home LAN, I don’t feel like paying for it tbh, especially when some users get it for free (public IPv4), and it feels even dumber for me since I have a fully working IPv6 setup!
BTW my ISP is funny, no firewall at all with it. I almost fainted when I noticed everyone could access my self-hosted services with the IPv6 address and I did nothing regarding ports or whatsoever… They were fully accessible once I fired up the projects! I think I read an article about this subject… But I can’t recall when or where… I had to manually set up a firewall, which tbh you always should do, and it is especially easy to do on a Synology NAS.
Anyway, back to the mesh VPN part: if they enshittify so be it, but in the meantime we still can benefit from it.
That’s just how IPv6 works. You get a delegated address from your ISP for your router and then any device within that gets its own unique address. Considering how large the pool is, all addresses are unique. No NAT means no port forwarding needed!
I guess so, my previous ISP also gave me an IPv6 address (I could navigate using it) but I could never access my NAS services with it from an IPv6-ready network. I thought it would be the same with the newer ISP, but nope.
Maybe some firewall is active at the ISP? I could not do much tinkering back then as I used the stock modem (router) and it was heavily locked.
Bookmarking “headscale”!
I only recently started using Tailscale because it makes connecting to my local network through a Windows VM running in Boxes on Linux a hell of a lot easier than figuring out how to set up a networked bridge.
This sounds like a great alternative, and it looks like it can even work on a Synology NAS.
Been meaning to do this. Tailscale was just there and easy to implement when I set my stuff up. Is it relatively simple to transition?
Tailscale needs Tailscale to work
That seems obvious