Friendly reminder that Tailscale is VC-funded and driving towards IPO
(betakit.com)
from avidamoeba@lemmy.ca to selfhosted@lemmy.world on 09 Jun 08:54
https://lemmy.ca/post/45767627
from avidamoeba@lemmy.ca to selfhosted@lemmy.world on 09 Jun 08:54
https://lemmy.ca/post/45767627
Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
threaded - newest
Switch to self-hosting headscale when they enshittify in an attempt to become profitable, duh
Been meaning to do this. Tailscale was just there and easy to implement when I set my stuff up. Is it relatively simple to transition?
I mainly use Tailscale (and Zerotier) to access my CGNATED LAN, headscale will require me to pay a subscription for a VPS wouldn’t it?
I really envy the guys who say only use them because they’re lazy to open ports or want a more secure approach, I use them because I NEED them lol.
If (when?) Tailscale enshitify I’ll stick with ZT a bit until it goes the same way lol, I started using it 1st, I don’t know if ZT came before Tailscale though.
Same. I mean, I was already looking to rent a VPS, but at least there’s some time so I can save money until things get weird.
Yeah, don’t get me wrong, I can see value of getting a VPS, especially if you are gonna be using it for some other projects, I have had a DO instance in the past and I thinkered with WG back then BTW, but if it is only for remote accessing your home LAN, I don’t feel like paying for it tbh, especially when some users get it for free (public IPv4) and it feels even dumber for me since I have a fully working IPv6 setup!
BTW my ISP is funny, no firewall at all with it, I almost fainted when I noticed everyone could access my self hosted services with the IPv6 address and I did nothing regarding ports or whatsoever… They were fully accessible once I fired up the projects! I think I read an article about this subject… But I can’t recall when or where… I had to manually set up a firewall, which tbh, you always should do and it is especially easy to do in a Synology NAS.
Anyway, back to the mesh VPN part, if they enshitify so be it, but in the meantime we still can benefit from it.
Thats just how IPv6 works. You get a delegate address from your ISP for your router and then any device within that gets it own unique address. Considering how large the pool is, all address are unique. No NAT means no port forwarding needed!
I guess so, my previous ISP also gave me IPv6 address (I could navigate using it) but I could never access my NAS services with it from an IPv6 ready network, I thought it would be the same with the newer ISP, but nope.
Maybe some firewall is active by the ISP? I could not do much thinker back then as I used the stock modem (router) and it was heavily locked.
Vps can be really inexpensive, I pay $3 a month for mine
Same, my Hetzner proxy running NPM, with pivpn and pihole is doing all it needs to do for $3 and some change.
My only open ports on anything I own are 80, 443 and the wg port I changed on that system. Love it.
How does WG work on the local side of the network? Do you need to connect each VM/CT to the wireguard instance?
I am currently setting up my home network again, and my VPS will tunnel through my home network and NPM will be run locally on the local VLAN for services and redirect from there.
I wonder if there is any advantage to run NPM on the VPS instead of locally?
The vps is the wg server and my home server is a client and it uses pihole as the dns server. Once your clients hang around for a minute, their hostnames will populate on pihole and become available just like TS.
You do have to set available ips to wg’s subnet so your clients don’t all exit node from the server, so you’ll be able to use 192.168.0.0 at home still for speed.
As for NPM, run it on the proxy, aim (for example) Jellyfin at 10.243.21.4 on the wg network and bam.
I am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.
Your Pi-Hole act as your DNS, so the VPS use the pi-hole through the tunnel to check for the translation IP, as set through the DNS directive in the wg file. For example, my pi-hole is at 10.0.20.5, so the DNS will be that address.
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Does that make sense?
The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.
server dns - itself
client dns - the server’s wg address
Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn’t aware I host anything at all.
Pihole (in my case) can’t see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.
Allowed ips = 10.x.x.0/24 - only connects the clients and server together
Allowed ips = 0.0.0.0/0 - sends everything through the VPN, and connects the clients and server together.
Do the top one, that’s how TS works.
Thanks for the info, I appreciate it.
~$1.91 a month (paid 22.99 for a year) at racknerd!
Or get something like a rapsberry-pi (second hand or on a sale). I have netbird running on it and I can use it to access my home network and also use it as tunnel my traffic through it.
I don’t think that would solve the cgnat issue. I use a vps because I don’t want to pay 250 a month for a starlink routable ip
Bookmarking “headscale”!
I only recently started using Tailscale because it makes connecting to my local network through a Windows VM running in Boxes on Linux a hell of a lot easier than figuring out how to set up a networked bridge.
This sounds like a great alternative, and it looks like it can even work on a Synology NAS.
I can’t unfortunately. They only feature I use is that fact I can access my ipv6 only server via an ipv4 only network.
pre-emptive pikachu face strike
<img alt="" src="https://sopuli.xyz/pictrs/image/4adf16d7-66e9-4be9-a141-008fab0e8f54.webp">
What’s the benefit over just WG?
Easier/zero configuration compared to manual WG setup. Takes care of ports and providing transparent relay when no direct connection works.
You dont need to manually handle the WG config files. This isn’t really an issue when it’s just you and your two devices, but once you start supporting more people, like non-technical family members, this gets really annoying really quickly.
Tailscale (and headscale) just require you to log in, which even those family members can manage and then does the rest for you. They also support SSO in which case you wouldn’t even have to create new accounts.
No need to port forward, almost 0 config.
tailscale.com/blog/how-tailscale-works
Your tech illiterate grandma can set it up. It’s that easy.
Personally, my ISP (T-Mobile 5G) has CGNAT and blocks all incoming traffic. I can’t simply Wireguard into my network. Tailscale has been my intermediary to get remote access.
I guess it’s time to figure how how to host an alternative on a VPS (I see Headscale mentioned in these comments).
Tailscale uses WG though, so it’s fundamentally the same thing. Like you said - just do Headscale on a VPS.
Or Wireguard on a VPS
WG is worthless in a CGNAT environment… And as we are in 2025 and time doesn’t stop it will be irrelevant for everyone someday, unless they fully support IPv6 (which I don’t know if they do, if you can use WG in a CGNATED network with IPv6 I’d like to know though, I am very rusty setting it up, but it might worth checking it out).
CGNAT is for IPv4, the IPv6 network is separate. But if you have IPv6 connectivity on both ends setting up WG is the same as with IPv4.
I usually have IPv6 access in my home, on the outside it varies from the ISPs :/
Are there better alternatives? I was planning on using tailscale until now. :P
For me personally, the next step is using Headscale - a FOSS replacement of the Tailscale control server. The Tailscale clients are already open source and can be used with Headscale.
Someone else could give other suggestions.
I’ve been meaning to switch from Tailscale to Headscale but I have been to busy. Do you have any instructions, write-ups/walk-thrus you could recommend to set this up? I have three sites with 1GB internet I can use. One has a whole house UPS but dynamic IP, another has a static IP but no UPS, and the third is Google fiber with no UPS, but I can use the app to get the current IP anytime. I also own a number of domain names I could use.
No writeups. I tried following the Headscale doc for a test last year. Set it up on the smallest DigitalOcean VM. Worked fine. Didn’t use a UI, had to add new clients via CLI on the server. When I set it up for real, I’d likely setup a UI as well and put it in a cloud outside of the US. It would work at home too but any other connection would die if my home internet dies or the power does. E.g. accessing one laptop from another, or accessing the off-site backup location.
I use the built in wireguard VPN in my router. If you just need local network access elsewhere it’s usually really easy to setup if your router provides it. I would look into it!
Wireguard if you're just using it yourself. Many various ways to manage it, and it's built in to most routers already.
Otherwise Headscale with one of the webUIs would be the closest replacement.
Pivpn is really easy, and since pivpn is just scripts, it always installs current wireguard even if they lax on updating pivpn that often.
I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn’t actually access it if I wasn’t initially on my home network, oops.
I might play around with it again down the road with a cheap VPS, didn’t take long to get it going, but realistically my setup’s access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I’ve been seeing).
Why does it need to be on a VPS? It seems to work on a home network when I played around with it.
Well a VPS or an exposed service, but I feel like the latter ends up somewhat defeating the purpose anyway.
When running locally (not exposed), it worked great until I tried to make the initial connection from mobile data - can’t establish a connection to headscale if it can’t reach it in the first place. Unless I’m mistaken, the headscale service needs to be publicly accessible in some way.
Oh gotcha yes it does. Are you on CGNAT with your ISP so you can't forward ports?
Nah, but personally I have no need to expose anything and would rather avoid the security headaches and such that come with it
ive been eyeing up netbird but havnt got around to trying it yet. its fully open source at least, and theyre based in germany is anyone cares about that
Just looked at NetBird, it looks suspiciously similar to Tailscale in what it does except they also got an open-source control server. They have self-hosting doc right in their web site. Looks interesting. Can’t find much about the company other than it’s based in Berlin and it’s currently private - Wiretrustee UG.
What’s the difference with their open-source control server, from headscale? That it’s officially published by the company?
i used netbird heavily at my last job and i use it for a few things at home. it works pretty well.
A bunch really, Headscale with Tailscale client, Nebula VPN, Netmaker, Zerotier.
@exu @Wahots Yggdrasil, too.
Yeah, I also use that, but it’s not quite as easy as the others. Either you’re open to the whole network or you need some form of external key management to add/remove peers from your network.
I use Nebula. It’s lightweight, well-engineered and fully under your control. But you do need a computer with a fixed IP and accessible port. (E.g. a cheap VPS)
You can also use “managed nebula” if you want to enjoy the same risk of the control point of your network depending on a new business ;-)
Depends on your use case. If you’re just looking to expose services and are ok having them publicly accessible, there’s Cloudflare Tunnel, or you can run WireGuard on a cheap VPS
If I host headscale on a VPS, is that as seamless of an experience as Tailscale? And would I miss out on features, like the Tailscale dashboard? How does the experience change for me (an admin type) and my users (non-technical types)?
There are some community webUIs for Headscale, headplane in particular looks pretty good: https://headscale.net/stable/ref/integration/web-ui/
I'm not sure otherwise how different the experience would be.
I actually did this instead of tailscale first; installing tailscale on a pfsense router was a challenge, iirc i had to find and install the freebsd tailscale pkg from the command line because the plugin doesn’t give the option to connect to a non-tailscale control plane.
After I did that and connected to my headscale server (on my vps) I could ping pfsense’s local ip over the tailnet, but couldn’t get any traffic out from pfsense. Turns out I had forgotten the pfsense tailscale plugin automatically sets up outbound rules for you.
That was a rabbit hole I didn’t feeling like falling down, so I turned off headscale and just used tailscale account and the normal pfsense tailscale plugin. But it’s there and it does work fine if I ever wanted to go figure out the outbound traffic rules.
They also had a major ass security issue that a security company should not be able to get away with the other day: assuming everyone with access to an email domain trusts each other unless it's a known-to-them freemail address. And it was by design "to reduce friction".
I don't think a security company where an intentional decision like that can pass through design, development and review can make security products that are fit for purpose. This extends to their published client tooling as used by Headscale, and to some extent the Headscale maintainer hours contributed by Tailscale (which are significant and probably also the first thing to go if the company falls down the usual IPO enshittification).
Could you expand on this?
There's a disclaimer in the readme: https://github.com/juanfont/headscale/?tab=readme-ov-file#disclaimer
The maintainer Tailscale contributes happens to be the lead developer by commit count at the moment.
Thank you!
Isn’t that the entire design philosophy of tailscale?: reduce friction, at the cost of some security.
If security is your main priority, you should be using more secure options, even if they are less convenient or tougher to maintain.
What is even the point of tailscale? What can it do that other VPN solutions don’t? I feel like this is a problem that was solved like 20 years ago and still we’re coming up with novel solutions for some reason. At my company they want to start using tailscale and I don’t see why we don’t just set up wireguard on a node in our k8s cluster instead
Because it offers much more than just VPN even though that’s what most users use it for. Read their documentation and you’ll see
If you are capable of setting up your own personal VPN, you don’t need Tailscale. You still may want to use it though, depending on how much of a novelty Network Fun is for you in your spare time.
For me, the main advantage to Tailscale et al is that it is on a per device basis. So I can access my SMB shares or Frigate setup remotely while still keeping the rest of my internal network isolated( to the degree I trust the software and network setup). You CAN accomplish that with some fancy firewall rules and vlanning but… yeah.
Because I can have 3 phones, 2 tablets, 3 computers and 4 server on the same Tailnet in 15 minutes when starting from scratch
I guess that’s neat but I don’t think I’ve ever needed more than one connection to a corpo VPN at a time
Tailscale/headscale/wire guard is different from a normal vpn setup.
VPN: you tunnel into a remote network and all your connections flow through as if you’re on that remote network.
Tailscale: your devices each run the daemon and basically create a separate, encrypted, dedicated overlay network between them no matter where they are or what network they are on. You can make an exit node where network traffic can exit the overlay network to the local network for a specific cidr, but without that, you’re only devices on the network are the devices connected to the overlay. I can setup a set of severs to be on the Tailscale overlay and only on that network, and it will only serve data with the devices also on the overlay network, and they can be distributed anywhere without any crazy router configuration or port forwarding or NAT or whatever.
And on Unraid you can add individual docker containers to the tailnet too.
So you can just go ssh <container> on any device in the Tailnet and it’ll connect
Was listening to some computer podcast a while ago and the co-host and ex- hacker was saying that more and more VPNs are getting targeted and it’s just a matter of time we see quite a bit of them owned. (I think he was talking about implementation of VPNs for remote workers, rather than actual VPN providers. Sorry, it was some time ago)
Anyway, the host asked „What about wireguard?“
And the co-host: „Oh yeah, wireguard is solid! But all the services building up on wireguard? … They’ll get popped.“
Doesn’t have to be true, but something to keep in mind.
I’ve realized how easy it is to just actually run a network rather than half ass it with tailscale. I recommend this, it’s fun.
Tell me more.
Didnt even work for me, i use mullvad so if i wanted to use tailscale on my android to connect to my desktop, it wants me to disable mullvad unlike on my desktop…
Yeah this was a deal-breaker for me too.
I think that’s because both work on Android by being a VPN, and the system can’t handle doing two vpns simultaneously
Well not really but most people don’t like manually editing routing tables
You can do that? On ordinary, non-rooted Android?
Hmmm. I run PIA and Tailscale simultaneously on my devices. I did have to tinker around with the settings in PIA such as the VPN & Advanced Kill Switch. So, now Tailscale is for administrating remote servers, and PIA for everything else. DNS leak checks, etc all check out.
Tailscale offers a paid Mullvad integration, where you can select most Mullvad servers as exit nodes. Works quite well.
Yes, I’m using it as well. It works very well on android and Linux.
Headscale is great if you like networking fun, but that aside I'm not understanding why VC funding is such a black mark to the poster. Tailscale doesn't generate meaningful revenue streams as its early-stage, so it has to secure funding to continue operations until they achieve high enough revenue to go public. That's pretty standard in a business life-cycle, though. It seems like the main complaint is that Tailscale is a business. And what about the Linux Foundation? They are funded through private equity. Should you consider switching away because of that?
Yup, I don’t know if that is OP’s intention, but I would agree myself with the complaint that “Tailscale is a business”
The way I see it, if it’s a business it must generate revenue (either now or down the road), and that is enough to have me worried. I do have a Tailscale registration, and the way they approach email communication is already a yellow flag to me (too many ad emails)
That's not really a justifiable reason, though. The Linux Foundation provides grants and scholarships to the open source community, but they do that through private equity business. So transitively, many open source projects are funded by businesses looking to capitalize on that innovation. Do you consider that when pulling from a git repository? No, that's overbearing. Additionally Headscale is in part maintained by a Tailscale employee. That would surely create a conflict of interest given Tailscale is solely interested in generating revenue.
To you it isn’t, but to some of us it is. For me the standard business cycle is not acceptable because I almost inevitably end up under the bus.
The Linux Foundation isn’t a comparable example for me since it’s a non-profit. As a result it isn’t subject to the same market pressures for-profit businesses do, let alone VC-funded ones.
At this point, with everything I know and have experienced about the economy, politics and the world, I am trying to avoid depending on for-profit businesses as much as I can. I know how businesses operate, I know why they operate the way they do, I know what dynamics push them in the directions they go and I’m tired of being run over by the bus. If I ever form a business myself it would either be a non-profit, or a worker co-op, or both, as this will signal everyone who knows what I know what the direction of this business would be about.
Firstly, I'm not trying to start a flame war with commenters, I genuinely just disagree on something and some people are getting a little hot under the collar by it. The Linux Foundation comment I made because ultimately VC touches more than people think. Even its something that isn't directly tied to VC, that money filters through groups like LF which is a non-profit and most would argue a quite legitimate organization. The point is there really is no separation or clear line of demarcation on what is "good" funding and what is "bad" funding.
I understand and I disagree. A demarcation emerges from the goal of the funding and its effects. For me, one example of bad funding is funding that drives user acquisition at unsustainable prices by a firm that is also significantly controlled by the funding source. This is predominantly what VC-funding goes to. VC-funding that goes to a non-profit that the VC has no control over, where the VC can’t and does not demand financial return from, is not bad funding in my books. Corporate funding doing the same thing is also not bad funding. Government funding often has the least strings attached as it does not demand direct return, and this also is not bad funding. To top that off citizens can exercise control over government funding via the democratic process, unlike corporate or VC funding, where the vast majority have zero control, and are owed no accountability by the businesses.
Historically, Accel has never pushed acquisition. On the contrary, they do the opposite. Its why they VC fund over 300 companies, but you've never heard of them. That's not to say they couldn't, but they haven't ever acted in that manner previously so logically it would be safe to assume that trend continues with Tailscale. I think that's important here: its not about ability its about intent. If as a organization you give funding to another organization (even non-profits) you exercise at least some control over them as they are dependent on that money to function. This is actually a point other commenters have made in regards to Headscale. Headscale is maintained by a Tailscale employee. As they fund him personally, they can exercise some control over him as he depends on that money/employment. Again, even their comments circle back to ability vs intent. Tailscale could influence their employee, but would they? That's where a lot of the VC argument goes. Its just speculation as what a group could do, not what they would do.
“The trend” is making money no matter what. That means they’re gonna screw you over eventually, the countdown has already begun, and it’s just a matter of time
Is there an actual example you can provide of Accel doing that or is this more an emotionally driven statement you have?
The specific company does not, in fact, matter because VCs have the same set of incentives in the end
.
So, even if Accel doesn't do that, which they haven't done that, they are still guilty of doing that. Ok, yeah. That's some solid irrefutable logic you got going there. I think I'll go back to arguing this with commenters who are a little less emotional and more grounded in real world points about the topic.
Not what I said. I in fact said the specific company doesn’t matter because all VC money seeks to make more money and the easiest way to do that is parasitically jacking up costs to customers every quarter no matter what until the company collapses. Then rinse and repeat, making money each time. Does this screw people over? Absolutely. Are there legal consequences? Nope, so they can do it as many times as they want, forever
So... if all VC money does, then you can provide an example of Accel doing this... right? So, go ahead and do that now.
What you’re apparently not getting is that even if it’s not happening right now, it will in the end. What they happen to be doing or not doing right now doesn’t matter. Look at the rules of the system
So.. even if Accel doesn't do that, which they haven't done that, they are still guilty of doing that. You have no argument, just strong feelings.
You haven’t accurately summarized my argument in a single comment and are using strawmen
Ok, this is your summarized argument: Accel is going to gut the company and run it into the ground because that's what they do, but they haven't ever done that, but they could, so they will, so that's the same as doing it, although they haven't, but it will happen in the end because that's what they do, but they don't.
Its not a strawman if what you say is in fact a weakly constructed idea. Its just a weakly constructed idea then. Its nothing but vague generalizations and "what ifs" you posted. Let me just put it this way: evidence or stfu.
I get your point, though Tailscale specifically crosses a line for me in this sense:
I am not that big of an enthusiast, but the way I see it, if a company goes rogue and you’re using their open source code, it’s just a matter of forking it (I’m thinking about Emby/Jellyfin as an example) If you rely on their infrastructure (such as Tailscale servers) then you are at the mercy of the companies
To that end: I’d say that OP is prettt on point by suggesting Headscale, you’re still “using Tailscale” in a sense, but without chaining yourself to the business
🏅
Weird. I’m not saying you’re lying, but besides the registration email, and onboarding welcome email, I can’t think of any others I’ve received from Tailscale. In fact, I just did a search of my email client, and those were the only ones I’ve received.
I do believe my experience in this regard is not representative of everyone, I probably failed to untick some checkbox (regarding communications) and the “too many ad emails” are a handful (in 3 months), which to me is a handful too much (having to untick a box should not be necessary)
That’s cool. I don’t like spam either. You are correct in that you should have to opt in instead of opt out.
I don’t know where people ever got the idea that normal = acceptable. I hear this used to justify all sorts of awful crap. It was only ever normalized because users were apathetic.
Does The Linux Foundation have complete control over Linux?
So, companies should not be allowed to invest in other companies? Who is allowed to invest in companies then? Only private individuals? But those individuals are apathetic, so they have to be made to? Or if they don't want to, then since other companies aren't allowed, wealthy private individuals would need to? Its not normal because its acceptable, its normal because the alternative is fantastical and unrealistic.
To the other point, does Tailscale have complete control over Wireguard? They don't control the technology behind that. They do for their control server tech and to some extent Headscale, but that's not what its built on anymore then what's built on Linux.
That’s not what I’m saying. I’m just saying you need to be wary of companies that do because the inevitable end of that train is enshittification. Every. Single. Time.
Who’s talking about WireGuard? We were talking about Tailscale.
Tailscale builds on top of the Wireguard protocol, LF builds on top of (through grants/scholarships) the Linux OS. You can't argue that it doesn't matter that LF doesn't have control over the underlying technology, but then argue that it does matter in Tailscale's cause.
It doesn’t matter in either case. Neither of them have control over the underlying technology.
You're the one who said it, though.
Yes I did say that. I don’t understand what you’re trying to communicate. TLF does not control Linux, just as Tailscale does not control WireGuard. Tailscale does control Tailscale. There’s nothing wrong with using Linux and there’s nothing wrong with using WireGuard. There may be something wrong with using Tailscale. I don’t know how to be more clear about this.
Linus is fairly vocal over what is and is not allowed into the Linux Kernel. Pretty sure he has the final say on every commit.
The problem, though, is that VC-funded projects bite off way more than they can chew from the start and have to enshittify to keep shareholders happy at that level.
Growth for the sake of growth is a fundamentally broken concept. Tailscale provides a free service that many use. They already offer a paid support tier for companies, like other certain FOSS projects do, so why not call it good there? Grow based on actual customer needs, instead of shareholder bullshit “needs” (line must go up 🙄).
The Linux Foundation is not a business.
The businesses that fund the Linux Foundation through private equity are though, aren't they?
Sure. Do you have a point?
Yeah, I think you missed that. Go back through and reread comments please. Thank you.
Could you summarise for us please? It’s not clear.
Not that it is a business but is a specific kind of business. VC funded startups eyeing an IPO more often than not start doing things users are not happy with. Maybe tailscale won’t, but might as well be aware what kind of company they are acknowledge there is a decent chance of rugpulls
Meh. I will keep using it
Tailscale never sat right with me. The convenience was nice, but - like other VC-funded projects - it followed that ever-familiar pattern of an “easy” service popping up out of nowhere and gaining massive popularity seemingly overnight. 🚩🚩🚩
I can’t say I’m surprised by any of this.
Would you rather a difficult and hard to use program?
Easy to use means people will want to adopt it, and that’s what VC companies want. Nobody wants to pay millions of dollars to make a program that nobody wants to use.
My problem isn’t directly with the programs - my problem lies with VC funding in general. Because they will come back for their money, and the project will inevitably enshittify and shove out enthusiasts in the never-ending search for infinite money.
The solution is getting rid of VC bullshit entirely. But we all know that will never happen.
I’m just a rat who got pied pipered AGAIN
If it means no VC, yes, without a doubt. That’s kind of the point.
Maybe this is a pet peeve but it’s a vpn tool that forces you to log in with an “identity provider”. Yeah, no thanks.
That’s a basic requirement for almost any company. If you’re into hard coding credentials just use wireguard directly.
There are tons and tons of websites where you can create an account with just your email. I wouldn’t expect a third party account to be mandatory. Specially from a product like this one.
I think there’s room in the world for a selfhosted, foss version of their software, even if a little simplified.
Just use normal wireguard, why do you need tails or heads at all?
Accessing your home network that is kept inside a NAT by your ISP, without you having to acquire an online server somewhere.
You really don’t though. I use wireguard myself under the same scenario without issue. You just need to use some form of dynamic DNS to mitigate the potentially changing IP. Even if you’re using Tailscale you’ll still need to have something running a service all the time anyways, so may as well skip the proxy.
Your approach won’t work if you’re behind carrier grade NAT or you can’t open ports. My landlord provides my internet so I use tailscale (with headscale on my long distance vps) to connect everything and it works great. It uses LAN when I’m home, and NAT punches when I’m elsewhere.
If you only need to worry about the IP changing, then your ISP is not using NAT, or CGNAT as it is better known. I’m pretty sure that you can also use port forwarding, which is not commonly available under CGNAT.
Ah, I see where I got confused. Yeah, CGNAT isn’t very common around here. I don’t think I’ve ever run into an ISP that uses it. I can see how that complicates things.
It’s more common with mobile-based connections like satellite connections or mobile-LTE data based connections, I believe.
Except you do need to acquire an online server somewhere, its just one that tailscale owns and controls instead of you, and when tailscale decides to enshittify and kill of their free tier you’ll be left wondering why you didn’t just rent a cheap VPS sooner.
Ask yourself, what is tailscale getting out of those “free” users that makes it worth providing services to them that they’d otherwsie need to rent a VPS for? What do you think their response would be if for example they got pressured about maybe too many users on their network are running a certain video streaming app?
Tailscale offers way more then just wireguard. ACLs, NAT traversal etc. etc.
While some use cases can be replaced with traditional wireguard, others not.
I’m curious what kind of a use case you can think of that “traditional wireguard” can’t replace tailscale for.
Tailscale has a maximum of 3 users on their free tier, so it seems like a super limited use case of people who DIY their own servers for Jellyfin or HomAssistant or whatever, but just a tad too lazy to setup their own Wireguard service in addition to whatever it is they’d be using it for… I think the vast majority of free tailscale users have simply never actually tried wg-easy , because if they did they wouldnt need to use a third party service.
@gravitywell you miss the whole goodie-part like funnels, acls, certs etc.
ACLs for me are really valuable as i'm using for a small team (3ppl) for server/app admin. @ShortN0te
I think ACL is a paid feature with TS, but maybe im wrong. Once you get to the paid tier, you are just paying someone else to manage your VPN, which is fair enough but its not something you could’t also pay someone to do with wireguard (or openVPN for that matter). I think its fair to say “I pay for this service because i don’t want to have to deal with configuring it myself”, it might be easier to setup for some use cases, but if someone is already self-hosting things and has a DIY attitude to it, I don’t think tailscale can do anything wireguard can’t also do (it is based on WG afterall)
Maybe I’m not familiar enough with other kinds of setups to think of things though. My wireguard setup is basically a meshnet between several people’s home servers, each person has their own subnet only they can use, but the wider 10.X.X.X is shared by everyone, its certainly not the most secure because it doesnt need to be, but if i wanted to restrict one persons access to something i certainly could do that.
ACLs are on the free tier too.
Big difference in users and devices here. Tailscale might have a 3 user limit, but you can add up to 100 devices for free. So for me for example I have tailscale running in each and every docker container in my NAS. So each and every container can now act as a node on my tailnet. Users isn’t a big deal, any one node can activate funnel with a simple command and poof its available to the public. The convenience coupled with simplicity is what makes Tailscale so god damn good.
Can you segregate connections between different nodes on the tailnet, like say node G and H can only talk to each other and no other nodes?
Not sure, not tried that as that’s outside my use case. But I would assume its possible with ACLs!
Or be like me stuck in the 2000s using OpenVPN still in 2025 lol
Question: if I setup Headscale on my network, I would have to open a port on my router to connect to it right? And also if I setup Headscale with some cloud provider, could they theoretically go and use the setup to get to my home network? I know its unlikely, I just mean if the technology is like e2e from clients to my home network, or if the cloud headscale ‘centre’ would be also an unguarded entry point (from the perspective of cloud admins). I hope I am clear 😀 Thanks (btw you probably guess why I currently use Tailscale 😀)
The way I understand it is:
Yes
If they are able to authorize their own node to your Headscale server, then their node gets on your network. If they take over the Headscale node, they might also be able to access your network, either by changing Headscale’s config to auth another node or perhaps if the Headscale node is part of the network, which it might be, I don’t recall. But I think that’s immaterial. If someone takes over the Headscale machine, they can get on your network either way.
So there has to be some trust between you and the cloud provider then. Thank you
I always knew it was too nice to stay non-shitty forever.
Guess it’s time for me to pester my ISP to let me open some ports
Tailscale is great. The principle concern to me is that your super easy mesh network depends on Tailscale so if they want it they have control, and if they change their pricing or options you depend on them, and though they can’t see the data you send they can see the topology of your network and where all your computers/devices are.
I use Nebula, which is more work to set up and doesn’t have some of the features, not But if you slap the ‘lighthouse’ (administrating node) on a cheap VPS it works great. And it has some advantages. But Nebula also troubles me: though it’s fully open source and fully in your control, the documentation isn’t great. Instead, you can now get “managed nebula”, which puts you in the same problem as Tailscale: the company sees and controls your network topology. I fear the company (Defined Networking) is trying to push things that way. Even their android app you can’t fully configure unless you use their ‘managed’ service.
For now, Nebula is great, and my preferred mesh network (I looked into all the main ones). And for Tailscale you can run the administration server yourself with Headscale and be fully in your control.
Actually I wish Tailscale the best as a profitable business. They’ve created a fantastic service and system. But for me, I’d rather my network be in my own hands and for my own eyes. And, as is OP’s main point, once they have enough dependent users, the service might turn much worse.
Nice to hear your experience with Nebula. I considered it when I went with Tailscale years ago. Now you gotta migrate off of lemm.ee as it’s shutting down soon. :D
Yep. It’s on the TODO list…
Netbird seemed to go in a similar way, though still good. I want to try zrok next, looks interesting
Netbird you can still run unlike tailscale with headscale right?
At least hope the backend can be fully ran ?
Yes, and I think it’s the full fat option as well
What do you mean by going in a similar way? Towards an IPO?
Maybe not ipo, but it seemed like it had a strong monetisation push a while ago
Tailscale is a business seeking profit? (clutches pearls gasp)
.
…and what are current Plex users, that don’t like the direction Plex has taken, doing ? Riding the next horse. When Tailscale gets unbearable with their business practices, there are a lot of other options. Tailscale is just easy and it flippin’ works.
.
So, I don’t run the arr stack, or any of it’‘s components. In fact, I’ve never even test run Plex. However, I hear that Emby is a better replacement coupled with Symfonium to take the place of PlexAmp. That seems to be the ‘next horse’ everyone is switching to, even tho Emby does seem to have some unresolved issues.
I just find the constant grind against profitability and capitalism to be a bit worn. I guess you could say I am fully ensconced in capitalism as I run three tax paying, for profit businesses. The issues I take with capitalism is unbridled, uncontrolled greed…when we place profit over principal. By all means tho, make yo’ paper son.
These are my opinions. There are many like them, but these ones are mine.
If there’s no one who can replace you with someone else, if you don’t deliver profit growth that they expect, then there’s a chance for you to apply principle over profit because it’s up to you. Many if not most corporations however can and do replace corporate leadership that doesn’t deliver profit growth with one that does. In these circumstances, leadership can rarely put principle over profit without being replaced. Many if not most of us see the direct effects of this process on our lives, working to get ever more of our incomes and health. This process hasn’t stopped and hasn’t slowed down. The opposite. This is why you’re hearing us grinding against capitalism as we can see the system all around us grinding us down. This is why it’s likely you’ll keep hearing it and it’s likely gonna get louder. I might not have your product in my home. If I do, I might be very happy with it because you’re not trying to get as much money out of me as you can. However I am certain without checking that I have Unilever, Kraft, Nestle, PepsiCo, Google and so on, and I know they are. You probably do too and they’re probably skinning you just as much. This is what capitalism is for us and we will grind against it because our standard of living is falling and it’s not because of people like you. Small businesses have much more in common with us in this, than large corporations, or small corporations funded by large capital of different kinds. I’m an employee of a very large, well known American corporation that has strategically stopped making products that were objectively better for its customers but had lower margins, replacing them with much more expensive, higher margin ones. I’m not getting anything from the difference. Our major shareholders do.
I get all of that. I really do feel ya. However, I find it quite difficult to raise my ire over a free product (Tailscale) that I use in conjunction with my hobby, changing up their game and going IPO. I guess I do not take my network as seriously as others here do.
Not so much ire than awareness and planning so we don’t get caught pants down. I’ve been using them for 5 years, in part because their clients (for my OSes) are open source and there was a path out of their infrastructure. I paid for it and have a pretty elaborate setup which supports services for family and friends. I’ve been happy so far, but will be decoupling from their infrastructure. No ire for them, just for the system. The system makes people and firms do what they do. 😄
Ok I can understand awareness. This whole time I’ve been thinking, Plex started in 2008 and ‘Plex Hate’ followed about two years into it’s existence and has perpetuated itself for these 15 +/- years now. So I’m wondering, if during this time, anyone’s personal narrator went off in their head with something like:
Perhaps I misread the tone of the article.
What you want to look at is the size of the hate and the material reasons for it. And that’s fairly difficult to measure if you’re not paying close attention. Plex hate has been growing dramatically over the last few years because they materially changed their service. They began collecting data some time ago and now they are selling it unless you go and opt out. So the hate is much larger and louder for that reason. For me those last changes were the straw that made it clear we’re just one small push for profit away from my sailing habits getting sold to the American copyright lobby. So I’m currently trialling Jellyfin.
In addition as some have highlighted Jellyfin is markedly different from Plex or Emby in that it’s open source and if something happens to it, forking is the way out, which already happened since Jellyfin is a fork of Emby. Migrating from one open source project to its fork is usually trivial compared to migrating from a proprietary service to another one. And there’s no reasonable chance of my data ending up in the RIAA/MPAA’s hands. So the Plex -> Jellyfin switch everyone is doing is not merely switching to another horse. It’s more like switching to completely different vehicle that you can maintain indefinitely.
E: This process we currently call “enshittification” (not a new process) has now been experienced by wide swaths of people where previously only a small minority understood it. I think that drives faster and wider reaction to these patterns as they’re now very familiar. I think that’s a good thing. I used to give corporations more benefit of the doubt and think in balance but then I did not understand why they do what they do. Now I do and the benefit of the doubt is gone unless there’s something material to support it. Like having open source clients.
Well, I have had dealings with the RIAA back in the pre-Napster era when audio on the internet had not really come into it’s own and most people associated audio on the internet with GeoCities midis…pretty crappy stuff. I ran a fairly successful, fully liscensed, internet radio station with a company called the IM Radio Networks. They along with Phillips created one of the world’s first bookshelf stereos that could ‘tune in’ internet radio as well as AM/FM. Even went to Washington with others to plead our case before a hearing that included Senator Leahy. Yeah, the RIAA are a bunch of reactive assholes and have never been proactive since AM radio first crackled into people’s homes.
I’ve always figured that if it was offered for free on the internet, there were always going to be strings and at some point I’d have to do something different to achieve the same results I was looking for.
.
Plex actively removes features though that hasn’t happened and like other comments says it’s easy to move away in this case
I’m unsure if it has been mentioned, but a similar tool which is open source (you can run the backend unlike tailscale), netbird
netbird.io
Headscale is the tailscale backend server
Well not “the” backend server but “a” different backend server. As far as I know Headscale is a separate implementation from what Tailscale run themselves.
We’ve implemented netbird at my company, we’re pretty happy with it overall.
The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don’t seem to have any plans for ever really solving that. As long as you can live with that, it’s a good solution.
Support is a mixed bag. Mostly just a slack server, kind of lacking in what I’d call enterprise level support. But development seems to be moving at a rapid pace, and they’re definitely in that “Small but eager” stage where everything happens quickly. I’ve reported bugs and had them fixed the same day.
Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.
Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.
Thank you for your insight, I’m assuming the only public part is the UI and coturn (the bit that enables two clients between firewalls to hole-punch)?
Yes, the underlying model is the same as Tailscale, Zerotier and Netmaker (also worth checking out, btw). Clients connect to a central host (which can be self-hosted) and use that to exchange information on addresses and open ports, then form direct connections to each other.
Is there an issue with Netbird’s servers at the moment? In my testing devices are connected and reach eachother, but the web admin is missing a lot of functionality compared to what’s in the docs. The peer devices section is there, but everything else, user settings, rules etc, isn’t showing/says I don’t have admin permission (of my own account… Lol?)
Honestly, no idea, worth checking their GitHub etc or their status pages if they have any
Am I totally off-base in thinking that MagicDNS and pluggable DNS nameserver overrides are a huge feature of tailscale?
I love that I can refer to my tailnet devices just via their machine name. I use it everywhere. And also that I can just slot in my NextDNS ID so that any device running tailscale now automatically uses that, and I don’t have to mess with my shared router settings or per device settings. Is all that actually really easy to set up outside of tailscale? Cuz if it is and I just somehow missed that when doing all my research, I’ll happily give plain wireguard or other mesh orchestrators like NetBird a go.
And I already know that mDNS is not the answer. That protocol is simply not reliable enough.
Nah, DNS is separate and these features are indeed pretty great. I think Headscale can also do them. I think I tested MagicDNS if I recall correctly.
I use wireguard and have public DNS refer to private IPs.
For example if my server is accessible at 10.0.0.1 via wireguard then I point *.myserver.mydomain.com to that IP.
Sorry if I’ve misunderstood your question.
.
So glad my router supports WireGuard/OVPN server hosting, doing it this way also relieves resources off your homelab and for whatever reason your homelab shuts off or loses network access you can at least rely on your router to re-establish the VPN server without further intervention.
You know what’s to come.
The answer to the question is immediately. Or switch to OpenZiti or Pangolin even.
I spent an afternoon doing precisely that. Bought a domain, a vps, and setup pangolin. Can’t believe now smooth it went.
@cooopsspace pangolin is not a replacement for tailscale/headscale. different usecase imho. @avidamoeba
Ziti isn’t though.
Point is, you know Tailscale will turn to shit the same way all VC stuff does.
Make no mistakes VC aren’t giving money out of the goodness of their heart, they expect a profit.
.
.
AI SLOPPPPPPPPPPPPP delete this nephew
Fine I deleted it. But it worked so whatever don’t need opinions now anyway. I was just asking for advice, it’s not like I was trying to pass it off as my own comment or something.
.
I think a lot of companies view their free plan as recruiting/advertising — if you use TailScale personally and have a great experience then you’ll bring in business by advocating for it at work.
Of course it could go either way, and I don’t rely on TailScale (it’s my “backup” VPN to my home network)… we’ll see, I guess.
It also doesn’t cost them much of anything
Positive PR and little draw backs means that everyone is generally pretty happy
Sigh…
And even worse:
Lol
Huh, I actually didn’t know this because I don’t use Windows/macOS/iOS. Somehow completely missed this.
Granted this is not Headscale’s fault, they’re just using Tailscale clients. Either way I’m glad I use a roll-your-own Wireguard.
I and my partner also don’t use those OSs, but it’s more the point of using FOSS when we can.
To be fair, anything the GUI clients do can be done with the CLI which is still open source and on all desktop platforms and headscale is literally their open source control server.
Yea, but in iOS?
The iOS app is the exception for now but with the CLI and the core libs being open source it’s at least not off the table to make an alternate iOS client I’d say.
I mean is anything iOS really open source?
Yes? There are Lemmy clients that are open source, for instance. And the Wireguard client is.
I just replaced my entire setup with base wireguard as a challenge, easier than I expected it to be, and not hard to mimic tailscale.
I did this was well awhile ago. Felt nice to completely control everything.
Any helpful guids or links you feel like sharing for interested parties?
Can you elaborate how?
Pihole and pivpn get along like peas and carrots.
Make the “available ips” your pivpn subnet and ta-da, the mesh functionality of tailscale without the entire connection.
Want to exit node from the server? Just change the value back to 0.0.0.0/0.
If you just have to talk from many devices to the one server sure, but Tailscale sure makes it easy for many to many. Also if a direct connection is impossible (e.g. firewall of china, CGNAT etc) tailscale puts a relay server in the middle for you.
My entire setup might not be your entire setup, I have the basic functionality of connecting multiple systems into one mesh network. That’s all I needed so it’s all I did.
I’m not that worried as there are alternatives like Netbird. The underlying tech really isn’t hard to replicate since Wireguard is pretty standard.
I think it would be cool if Tailscale made it into the enterprise arena.
I think they already have started. Telus is on their list of clients.
I think I’ll just keep using tailscale until they start enshittifying, and then set up a Headscale instance on a VPS - no need to take this step ahead of time, right?
I mean, all the people saying they can avoid any issues by doing the above - what’s to stop Tailscale dropping support for Headscale in future if they’re serious about enshitification? Their Linux & Android clients are open source, but not IOS or Windows so they could easily block access for them.
My point being - I’ll worry when there is something substantial to worry about, til then they can know I’m using like 3 devices and a github account to authenticate. MagicDNS and the reliability of the clients is just too good for me to switch over mild funding concerns.
Yeah, as I said, it’s a friendly reminder. I’m personally probably doing it this year. It’s entirely possible that enshittification could come even years from now. It all depends on how their enterprise adoption goes I think. The more money they make there, the longer the individual users are gonna be left unsqueezed.
Headscale requires tailscale client so it’s a no-go for me. I’m still trying to block cloudflare from my network.
Tailscale needs Tailscale to work
That seems obvious
Yeah and steam is closed source DRM platform. Great software sometimes is worth the trade off.
Steam is a private company, not publicly traded and has no VC funding.
VC funding and potential IPO normally means enshittification is inevitable, as they will eventually need to make insane profits by turning the screws on its users, as their business model wasn’t self sustaining.
Enshittification is inevitable for all free services (services as in with a server component). Thankfully the functions of tailscale are open source so until enshittification actually happens I will be happy with using a a useful but VC funded project. When I am not willing to make the trade off anymore I will use headscale or some other drop in replacement.
No, it is not that bleak. It is only inevitable when there is an active push for a short-term maximization of user base monetization (which is very much in the nature of VC). It can usually be avoided with products that are wholly under the ownership of all users (such as a cooperative or a government-provided service) or - only if one is lucky - with products of financially independent private enterprises under vaguely benevolent and unhurried leadership (such as Steam, to some extent)
Realistically Tailscale seems to currently be running on a model of get all of the self hosters to love running it at home so then they advocate to run it at work where all of the pricey enterprises licenses make the real money.
I’ve actually seen some real world usecases where if I had more political push, I would’ve put Tailscale onto the running as a potential solution
Hopefully they have the right people in place to push back at the VC firms about maintaining their current strategy rather than scaring away all of their best advocates before they can truly get off the ground. Having worked at a company owned by a hedgefund, part of the trick is having the right people in place in the company who can block the worst decisions by the capital-hungry owners
Crap, I really need to switch of Tailscale but currently it is an easy way for me to access my stuff outside of home as a temporary solution while I am on a 5G modem.
I can recommend to take a look at netbird.io
I can’t. I tried it first and installed it on my phone from f-droid. After opening it up, it connected to an already existing network with other people’s old machines from years ago on it. I was horrified.
So then I tried to delete my whole account and couldn’t due to an error. I sent them an email about it and they took like two weeks to respond.
Netbird isn’t on F-droid
Are we talking about the same thing?
It used to be
It has never been on F-droid. I’ve been following the service since it started. It didn’t even have a mobile app not that long ago.
It’s possible I misremembered and got the apk from their website or github. Doesn’t change anything though.
I just went back though my emails, I got a reply email from their CTO promising to look into it and they would get back to me, but they never did.
Much more user friendly
Json is awful for config
Crockford is a good and smart person but he really dropped the fucking ball on JSON.
Double-quotes-only and no comments kill the whole spec for me. Extremely opinionated and dumb. I fucking hate JSON.
My boss once sent me a machine generated config. He’s terminally addicted to double-quotes (like, a fatal condition). I searched and there were 27k sequences of
\".Edit: my point is - all that compute and network wasted, every single time the file is requested and parsed. Completely pointless waste
Do you pay for a domain? They likely provide dynamic DNS (DNS). If you’re lucky, they have an API for it, instead of an app, and you can configure a cronjob on your home server to run every 1-5 minutes (or more often, if your IP is super unstable!).
Yeah I can always do that, but putting stuff behind something like Tailscale is (or atleast feels) more secure than making my IP known to the public. I have a DMZ setup though so it should be fine.
Your “IP address” is already public. That’s why an IPv4 address is assigned to you as a “public IP address” and you NAT to a private space. When using IPv6, everything is public.
The key is to secure everything with access restrictions.
Well yes I know, but there is a difference between using a domain bound to me as a person and a random string of numbers that changes every 5 minutes
Chances are you’ve had the same public IP for a long time. Mine hasn’t changed in 2 years.
@chronicledmonocle @Vinstaal0 I used to work for a dial-up ISP. Every IP is registered to an account, if you're going through your ISP (as opposed to, say, coffee shop or hotel wifi). Though the people who have the information are different (ICANN/registrar vs your internet provider), there's no anonymity in your home IP address even with CGNAT.
As far as your domain, you should have privacy protection enabled so people can't find your personal info via whois.
That was the case when I lived with my parents, but now it changes every 5 minutes sadly.
So I had to shut down my Minecraft server etc for now because I am on a 5G modem which makes it really annoying to open up ports and point a domain to your IP
If your IP changed every 5 minutes, you would not be able to have a voice call or anything similar. Your IP probably changes every 24 hours
I just checked, yes it is every 24 hours, but I have to restart that thing regularly so that it is why it feels quicker I gues
And here I am, still using OpenVPN in 2025 lol
Used to run OpenVPN. Tried Wireguard and the performance was much better, although lacking some of the features some might need/want fit credential-based logins etc
Yeah, OpenVPN definitely doesn’t have light spec requirements 😅 thankfully hardware is unfathomably powerful these days.
Sure but wireguards connection is just faster.
I can highly recommend Netbird selfhosted, it has SSO support, logins, complex network topologies, it uses wireguard under the hood and it’s open source.
That sounds kinda cool. I’ll have to check it out. It’s kinda hard sometimes to push FOSS stuff in a largercorporate environment but this looks like something I could recommend/build for small-mid private SOHO clients.
This is what I used in a small/mid sized company to replace a legacy VPN, generally we had only very few issues but probably the employee personal computer is to blame, right now is very stable.
Nerds stop recommending corporate crap: challenge: impossible
Ok and?
I didn’t really get the allure of it TBH. For most home-based nerds a simple Wireguard host (or OpnSense, OpenWRT etc running such) should be fine, and there are better options for commercial from better-known vendors in the network security space
The “well known vendors” tend to be crap especially on a security level
I never really understood the point of using Tailscale over plain ol’ WireGuard. I mean I guess if youve got a dozen+ nodes but I feel like most laymens topologies won’t be complex beyond a regular old wireguard config
Simplicity?
I mean sure, but I don’t think it’s simpler than setting up a wireguard config IMO. For tailscale you gotta make an account, register devices, connect them. Feel like wireguard is about the same except you don’t have to make an account.
Wireguard doesn’t do NAT/Firewall traversal nor does it have SSO
Tailscale manages the underlying Wireguard for you. I would be great if Wireguard had native NAT traversal but that isn’t the case.
NAT punching and proxying when a p2p connection between any 2 nodes cannot be achieved. It’s a world of difference with mobile devices when they always see each other, all the time. However, headscale does all that.
Same thing here, either tailscale selfhosted or Netbird selfhosted I’d the way to go for all the nice features, having the free tier or tailscale for personal data never sounded right to me.
is this some kind of furry porn CDN
By what, laying off all QA and support staff and half your developers the moment a single quarterly earnings report isn’t spotlessly gilded?
Just came here to say that the guy looks like a creep!
Good thing I deleted it from my homeserver a month ago.