
Tailscale has reached general availability - kenrose
https://tailscale.com/blog/tailscale-launch/
======
sho
I've said this before - I really love the concept but I can't get past the
pricing. I don't think I'm cheap, but I work in a startup and have to justify
what I spend, and USD$10/user/month is very steep for the hard-to-explain
benefit of doing away with jump servers. I already use Wireguard, I have a
script to add users, update configs and bounce the servers. It's not as cool
and automatic and "zero trust" but it also doesn't cost hundreds of dollars
per month to access my own servers I'm already paying for!

GSuite is easy to justify for me. Github is. JIRA is. Tailscale is more
expensive than all of them and it's hard for me to make the case, even to
myself, that it's worth it.

I'd like to ask Tailscale to think about alternative pricing models of maybe
$20/month per admin account, which comes with 10 bundled "member" accounts or
similar. That would get me to $40 or $60 a month, which I can stomach. But I
won't pay $300+/month to save myself a little bit of inconvenience every few
weeks so my devs can securely log into our servers.

~~~
dfcarney
(Tailscale co-founder here). I certainly appreciate the feedback and
suggestions. We've had pricing inquiries from individuals all the way to
enterprise. Finding the right set of features at the right price is something
we're going to spend a lot of time exploring (for instance, some larger
companies don't care too much about ACLs, but some smaller ones really, really
do). Right now, all I can say for certain is that our pricing page will change
and that we're open to discussion.

I'd love to hear more of your thoughts on where you think we can add value and
what it might be worth to you. If you're up for it, please email me at
dfcarney@tailscale.com. Regardless, thanks again for the input.

~~~
cpr
Yes, at $10/mo as the GP says, it's more than Slack or G-Suite or Microsoft
365(?).

It sounds like a great product, but it would definitely have less value to us
than the above products.

That seems to set a price ceiling, but of course, you're free to find the
price elasticity curve by exploration...

------
jedieaston
I don't know if it's really ready without what they're calling "magic DNS":
[https://tailscale.com/kb/1054/dns](https://tailscale.com/kb/1054/dns)

Something that bugs me about ZeroTier is also present here, which is that
there's no name management whatsoever, so I have to either keep a hosts file
around with all the names of the network or find a script on GitHub that does
it for me (or put a DNS server on the Tailscale network, and make sure all the
hosts have records on there manually since there isn't a way to automatically
integrate it with the hostnames that Tailscale already logs). Or, of course,
use public records and pray you don't have more than a couple services because
who wants to log in to the domain host every time you bring up a new
container?

Half the magic of BeyondCorp (which I'm a big believer in) is that it's
invisible from an end user perspective. I open a browser, go to
git.corp.planeteaston.com, and it works, not "let's go to gitlab... it didn't
resolve. what was the IP address again? 192.168.10-oh, wait, I'm offsite, the
address is different, let's go see what it is in the Tailscale console", and a
tech person could figure that out, maybe, never mind a computer-illiterate
person in another department that was just told "go home, coronavirus, take
your laptop".

This isn't a knock, since the main competitor, ZeroTier, doesn't have a great
solution for DNS either besides run a DNS server, but whoever cracks it will
probably win this race. And it's almost worse for ZeroTier, which by default
(at least when I started using it 2-ish years ago), wanted you to use IPv6
addresses by default that there was no chance of you memorizing. I'll be a
customer when this works!

~~~
apenwarr
(Tailscale co-founder) Everyone at tailscale agrees 100% with all your
comments here. We're eager to someday have a chance to stop optimizing NAT
traversal so that we can make magic DNS work. But we also know we have to get
the core routing near-perfect before we start adding more features. I'm
guessing ZeroTier feels the same.

~~~
ignoramous
> _But we also know we have to get the core routing near-perfect_

As someone who's been following tailscale's development, I'm curious as to what
you mean by _core routing_? Isn't routing P2P? Or, do you mean routing via
DERP tunnels or TURN relays when P2P is a no-go? If so, what really are some
key challenges here?

------
steeve
Been using it for the last few months and it's great. I use it for SSH, NAS
etc...

Also, being able to ping my iOS phone that's on 4G from my computer feels like
magic.

~~~
ASalazarMX
> Also, being able to ping my iOS phone that's on 4G from my computer feels
> like magic.

So, like every other VPN?

~~~
steeve
TailScale is to other VPNs what Docker was to LXC. Well, except Hamachi.

~~~
3xblah
"Well, except Hamachi."

As well as the one from the author of ntop.

A few characteristics most projects consistently fail to meet are (a) keeping
the source code available, small, relatively simple and easy to compile, (b)
allowing peers the _option_ to connect directly after discovery without
routing traffic through a third party and (c) recognising that not all peers
want to form massive infinitely scalable networks, most will prefer small
ones.

Most P2P projects choose a design that forces the majority of users to compromise
in order to accommodate a few unpredictable/hypothetical edge cases. "Perfect"
gets in the way of progress. History shows there is no "perfect" when it comes
to P2P.

------
kaffee
Seems like it requires a Google or Microsoft account (or corporate SAML). No
thanks!

~~~
apenwarr
(I'm a Tailscale co-founder) The idea is to avoid building yet another
commercial service that holds onto your username and password. People have
enough identities already. More details here: [https://tailscale.com/blog/how-tailscale-works/](https://tailscale.com/blog/how-tailscale-works/)

We know we keep getting feedback that people want a different way to authorize
their accounts (especially for personal use), so we're looking at other
options. We just really want to stay out of the username+password business;
it's simply bad security practice.

~~~
mholt
I'd actually rather you have my username and password, since I use a password
manager and every password is long and unique. I don't want to tie my
Google/Apple/<X-Mega-Corp> account to my Tailscale account. This way I can
also more easily keep track of which accounts I have since my password manager
stores them all. So I will wait for email signup (which currently just
subscribes me to a mailing list...)!

~~~
apenwarr
It's easy to make a basic password login system, and very technical people use
password managers, long passwords, etc. But there's a long "tail" (ha ha) of
people who don't use long passwords, who will reuse their password on multiple
web sites, who will forget their password and need to recover it using their
mother's maiden name, etc. This opens up unlimited opportunity for phishing
attacks.

And you don't get any key rotation unless you force people to change their
passwords occasionally, which is itself now deprecated as a bad practice
because people then start writing their passwords down on paper or storing
them in a spreadsheet, which is even worse than no rotation. (Tailscale
rotates your VPN keys automatically, but it's all for naught if the root key
is just a password.)

We know that something better is needed for personal accounts, but please, not
username+password. Your private network security is important. The world needs
something much closer to foolproof.

~~~
blueside
> few very technical people use password managers, long passwords, etc

I'd be very surprised if this was true. Most all technical (competent) people
I know use a pw manager of some sort.

~~~
apenwarr
It originally said "a few", not "few", which was intended to have a slightly
different meaning, but I've edited it to remove that because you're right and
it's not important :)

Unfortunately non-technical people mostly don't use a password manager and we
can't assume they do. Tailscale is about making the Internet secure by
default, and passwords will never be secure by default.

------
sbaha88
Sorry for off-topic, but does anyone know which CSS library Tailscale used for
their blog?

Looks very nice and clean.

~~~
rosszurowski
(Designer behind the Tailscale blog here)

Glad you like it! The text styles are custom, and the layout is built using an
in-house CSS framework not unlike Tailwind [1].

But if you'd like to build something similar, you could get pretty close by
using something like Tailwind and building with Rasmus Andersson's lovely (and
open-source!) Inter type family [2], which we use throughout the site.

[1] [https://tailwindcss.com/](https://tailwindcss.com/)

[2] [https://rsms.me/inter/](https://rsms.me/inter/)

~~~
sbaha88
Hi,

thanks for your reply and great work :). The site looks just amazing and very
clean (especially the typography). I noticed it uses utility classes like
tailwindcss, so I thought maybe there is a similar library.

------
yingw787
Very nice! Congratulations on launching, and looking forward to seeing your
success in the coming years!

------
bawana
If a site within a Tailscale net is compromised, does that make all of the
other sites instantly compromised on that net?

------
royjacobs
Looks really interesting! For my use case I'd really want that Android app,
but other than that this looks solid.

------
lwhsiao
Can someone comment on the tradeoffs between Tailscale and ZeroTier?

------
sbr464
Nice service, was just testing it out. I had one question/issue. Will the
pings heal automatically if a device changes internet connections or wifi
providers? I noticed I had to disable and re-enable the active toggle on an
iPad after changing wifi networks (local wifi to phone/LTE). I didn't have to
if simply disconnecting/reconnecting to the same wifi network.

------
zhaoweny
According to the blog[1], Tailscale currently has a relay network for
relaying traffic when NAT traversal does not work.

I wish one day Tailscale allows private relay servers, for privacy and speed /
latency reasons.

[1]: [https://tailscale.com/blog/how-tailscale-works/](https://tailscale.com/blog/how-tailscale-works/)

~~~
dave_universetf
It's planned. Although note that DERP only relays the encrypted wireguard
packets. All we see is "please send this ciphertext blob to pubkey X", i.e.
exactly what any router on the internet sees.

Still, for latency and compliance reasons, it makes sense to allow companies
to operate their own DERP relays, if they want to.

------
reinhardt1053
Why should my team pay Tailscale 10 dollars/user/month? We can get the same
features with Wireguard/OpenVPN.

~~~
jasonvorhe
If you can, do so. This reminds me of claiming to be able to build Dropbox in
a weekend with existing tools. You can, but it most likely won't work as well,
won't be as integrated and well, you'll have to build it yourself which won't
be as easy as you think it is, then add monitoring and paging and, depending
on your requirements, high availability.

I'd certainly be interested in a blog post about this, if it's as easy. But
considering that Tailscale took this long to launch, I have doubts that this
is as easy to build.

~~~
dfcarney
(Co-founder of Tailscale here) To that end, we started publishing a
"blueprint" for people who want to DIY. There's more to explain (and questions
encouraged). Please check it out: [https://tailscale.com/blog/how-tailscale-works/](https://tailscale.com/blog/how-tailscale-works/)

~~~
zackmorris
Thanks for this. From the link:

 _My teammate Dave Anderson is writing a post about all the insanity that is
NAT traversal. That alone will probably be as long as this entire article.
Stay tuned!_

I've watched countless p2p projects fail due to NAT difficulties, and spent
months/years banging my head against it only to fail too. I've heard that NAT
is tragically still a thing with IPv6 as well.

Please, if you all make it big, start a cross-platform open source, drop-in
library that completely solves the NAT problem. The unit test for it would be
that an app using it can accept inbound connections with zero configuration.
That might require a central server though. I think the crux of the problem is
how to share IP addresses with each other through that central server securely
for STUN/ICE so that nobody can eavesdrop. Would you consider making your DERP
servers free and open for that purpose? Apologies if I'm glossing over this or
missed something, this is just something that has vexed me for almost 20
years. Thanks!

~~~
apenwarr
(Tailscale co-founder) I'm with you on this! The NAT problem drives me nuts.
That's one of the core concepts behind tailscale. Unfortunately I don't think
the "open source NAT traversal as a library" idea will work; it's been tried
before, but NAT is just _so fiddly_ that the library invariably "doesn't quite
work" in some weird condition and the app developer is left trying to debug
NATs, which they don't know how to do.

With Tailscale we want to take full responsibility for connectivity, so that
app developers can work on apps that just assume the connectivity+security is
there, and users can complain to us instead of them when their computers won't
connect. At least, that's the dream. How best to package that up, I'm not
quite sure.

Regarding DERP, the server code is open source:
[https://github.com/tailscale/tailscale/tree/master/cmd/derper](https://github.com/tailscale/tailscale/tree/master/cmd/derper)
and if you look closely, you can see that DERP servers are fully anonymous
(pseudonymous?) and will route traffic between any two DERP connections based
on their public keys. We rate limit traffic to keep costs under control, and
we'll let paying customers boost their speeds, but we intend to always let our
DERP network be usable at "reasonable throughput" for free. And since the code
is open source, you can write your own tools that do it.

Lots of things to work on. Hope this helps!
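
The relay model described in the two Tailscale replies above (dave_universetf: DERP only sees "send this ciphertext blob to pubkey X"; apenwarr: the server routes between any two connections by public key), written out as an added Go illustration. This is not Tailscale's DERP code or wire format, and it leaves out the rate limiting apenwarr mentions. The endpoints use raw X25519 + AES-GCM instead of WireGuard's Noise handshake, purely so that the bytes the relay queues are genuine ciphertext; every name below (`Relay`, `Forward`, `Exchange`, the toy key derivation) is this example's, not the project's:

```go
// Toy DERP-style relay, added as an illustration (not Tailscale's DERP code or
// wire format): it forwards opaque blobs between public keys and holds no secrets.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PubKey is a 32-byte X25519 public key, the key type WireGuard peers use.
type PubKey [32]byte

// Relay knows clients only by public key; what it queues is ciphertext it cannot open.
type Relay struct{ inbox map[PubKey][][]byte }

func NewRelay() *Relay { return &Relay{inbox: map[PubKey][][]byte{}} }
func (r *Relay) Connect(k PubKey) { r.inbox[k] = [][]byte{} } // k is now a live connection

// Forward queues payload for dst untouched; the relay inspects only the two keys.
func (r *Relay) Forward(src, dst PubKey, payload []byte) error {
	_, okSrc := r.inbox[src]
	_, okDst := r.inbox[dst]
	if !okSrc || !okDst {
		return errors.New("relay: both ends must be connected")
	}
	r.inbox[dst] = append(r.inbox[dst], append([]byte(nil), payload...))
	return nil
}

// Recv pops the oldest payload queued for k, or nil if none.
func (r *Relay) Recv(k PubKey) (p []byte) {
	if q := r.inbox[k]; len(q) > 0 {
		p, r.inbox[k] = q[0], q[1:]
	}
	return p
}

// The endpoints stand in for WireGuard nodes. WireGuard's real handshake is Noise;
// raw X25519 + AES-GCM is used here only so the relayed bytes are real ciphertext.
func NewKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}
func Pub(k *ecdh.PrivateKey) (p PubKey) {
	copy(p[:], k.PublicKey().Bytes())
	return p
}

// aead derives an AES-GCM key from the X25519 shared secret between me and peer.
func aead(me *ecdh.PrivateKey, peer PubKey) cipher.AEAD {
	pk, _ := ecdh.X25519().NewPublicKey(peer[:]) // always 32 bytes: cannot fail
	shared, err := me.ECDH(pk)
	if err != nil {
		panic(err) // low-order peer point
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts msg for peer with a fresh random nonce prepended.
func Seal(me *ecdh.PrivateKey, peer PubKey, msg []byte) []byte {
	g := aead(me, peer)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error in current Go
	return g.Seal(nonce, nonce, msg, nil)
}

// Open decrypts a blob Sealed by peer; a tampered blob or the wrong peer fails.
func Open(me *ecdh.PrivateKey, peer PubKey, ct []byte) ([]byte, error) {
	g := aead(me, peer)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Exchange relays one message a -> b through r and returns what b decrypts.
func Exchange(r *Relay, a, b *ecdh.PrivateKey, msg string) (string, error) {
	if err := r.Forward(Pub(a), Pub(b), Seal(a, Pub(b), []byte(msg))); err != nil {
		return "", err
	}
	pt, err := Open(b, Pub(a), r.Recv(Pub(b)))
	return string(pt), err
}

func main() {
	r, alice, bob := NewRelay(), NewKey(), NewKey()
	r.Connect(Pub(alice))
	r.Connect(Pub(bob))
	fmt.Println(Exchange(r, alice, bob, "hello via relay"))
}
```

`Forward` is the whole relay: it touches the two keys and the byte count and nothing else, which is why a third connection on the same relay (or the relay operator) gets only an opaque blob it cannot `Open`. That is also why the thread's request for self-hosted relays is argued on latency and compliance grounds rather than confidentiality.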

~~~
ptman
Does tailscale work in China? Does DERP penetrate the great firewall? How does
tailscale protect / work against nation state actors? Are you incorporated in
the US? How does Tailscale help against wide-reaching legislation like EARN
IT?

------
e12e
Congratulations on launch! The solo tier looks very nice and useful (except
for missing Android client for now). Love the sign-up flow, very easy.

This looks very similar to ZeroTier - apart from building on wireguard - how
do the solutions differ? Is tailscale also a true mesh (ie packets go direct
between two tailscale nodes on a lan)?

------
j88439h84
In "The asymmetry of internet identity" you're describing a problem and
currently Tailscale doesn't solve it -- it relies on google/ms/etc for
identity.

I'm curious if it'd be possible to avoid using brands by just authorizing
device ids like Syncthing does, without any login at all.

------
RabbitmqGuy
How about we add another pricing plan. It's for people who like me are happy
with the free plan, but still want to somehow give you money without upgrading
to the $10/user plan.

Bonus points if you call the plan, the wireguard plan; and 90% of the payments
go to Jason Donenfeld.

------
brunoqc
Can you use tailscale with friends or does it only work with the same email
address?

~~~
dave_universetf
(Tailscale employee here) For personal use, we're planning a "sharing"
feature, so that you can share machines (or individual services) with friends,
and they just show up on their network (after mutual approval, of course).
It's a feature I very much want for my personal use of tailscale, so it's
going to happen :)

~~~
brunoqc
That sounds awesome. Thanks!

------
nodesocket
In the dashboard, there is no link to support. There should also be a way to
create a support ticket or even better live chat.

I am getting intermittent errors in the dashboard as well.

~~~
crawshaw
I've filed an issue for me to add a support email link. Will do another
dashboard release in a couple days, thanks.

As for alternatives, we tried chat but no-one used it, and it added a ton of
heavy awful javascript to our website. You can file issues on
[https://github.com/tailscale/tailscale](https://github.com/tailscale/tailscale),
though for the dashboard I'll move them elsewhere. Also we have been looking
at various pieces of "forum" software too but haven't settled on anything we
really like.

Could you elaborate on the errors you saw? If you want to send support@ an
email with your account email address and rough time, I can look in the server
error logs and try to hunt it down. Thanks.

(I work on Tailscale.)

~~~
nodesocket
Thanks so much for the reply. I am sending an e-mail to @support now.

------
nojvek
From the website

> We’re announcing our public launch today, with a $3M seed round →

Seed rounds are now 3M, wow!

I wonder how they seamlessly authenticate with Okta, Google, Active Directory
etc.?

------
mleonhard
Do you plan to release a Terraform provider for configuring Tailscale?

~~~
dave_universetf
(Tailscale employee here) Automatic provisioning is definitely on the list.
It's an enabler for immutable infra deployment, getting connectivity into
containers, and building things like automatic enrollment based on external
sources of trust (e.g. "automatically enroll any VM that can prove via its
vTPM that it's in this GCP account").

------
sbr464
Is there a pfSense integration?

------
nubela
Is Tailscale really that popular? Who is upvoting these articles?

~~~
microtherion
I can only speak for myself:

I was interested in WireGuard for a while, but setting it up properly seemed
rather a daunting task to me. With Tailscale, this was literally a matter of
minutes. I'm not sure I would pay $10/month for this, but the free solo plan
is sufficient for my purposes and works great.

------
armaxt
I will get banned for this in a matter of minutes but I will say the truth to
whoever thinks HN is fair. For the past 3 months, every, again EVERY post that
was linked to Tailscale (not just the company domain but also the blog posts
of the founders' websites), has gotten to the frontpage within minutes, with a
full 100% hit rate. This cannot happen for any company, any project or
anything else to be honest since there is a thread that gets posted every
minute on average, and almost every thread, no matter how great it is, goes
forgotten forever without a single upvote. This doesn't happen to even
trillion dollar companies that are known by almost everybody so certainly this
can't happen for a company of 5 people that was started only last year and
hardly known by anybody. Nothing can get to HN's frontpage at a hit rate of
100% especially when you know this has been happening on almost a weekly basis
since last December not to mention the daily promotion in comments on
literally everything that has anything to do with WireGuard or even VPNs.

HN simply favors some founders who have a good network over the rest of us. I
know that organized upvoting and astroturfing isn't uncommon here, but there
has never been anything anywhere near what's being done by this company and
its founders here. This is simply advertising worth hundreds of thousands of
dollars, given for free simply because the founders "know people".

EDIT: Thank you HN for proving me right! This comment has 42 points as of now
and it's buried in the bottom below almost every other comment. Still not a
response from the founders who very coincidentally happen to exist literally
during every time a post about their company gets submitted!

~~~
dang
> Thank you HN for proving me right

You've been proven nothing of the sort. I buried your post _and_ the
submission itself while investigating this claim, even though you've been
trolling HN threads with these rants for weeks now, using multiple accounts to
do it, ignoring our requests to stop breaking the site guidelines, and
barraging us with ranty emails to boot.

I've looked closely at the data and found no evidence for any of this. Every
sentence in your comment is either demonstrably false or completely
unsupported.

I know that sometimes a bee gets into one's bonnet, but as I've explained to
you a dozen times or so, all we can do is look at the data, and if reality
conflicts with what you're saying, we have to go with reality. Actually, I
appreciate your underlying concern for the integrity of this site. (Not so
much the smears and accusations of corruption.)

Your real sin, though, is wasting our time. That sucks precious resources away
from doing what we ought to be doing to make HN better. I haven't had a chance
to attend to the front page for the last several hours because I've been busy
looking into this, writing about it, and dealing with your posts and emails.
Meanwhile other emails pointing out quality concerns in other threads have
been piling up in the inbox.

Even though it's tedious, I've assembled a sample of what you've been posting
so that readers can evaluate your claims for themselves, and also see how much
damage a single disgruntled user can do to this place. In the future, we can
refer concerns back here and hopefully not lose so much time.

[https://news.ycombinator.com/item?id=22465402](https://news.ycombinator.com/item?id=22465402)

[https://news.ycombinator.com/item?id=22645796](https://news.ycombinator.com/item?id=22645796)

[https://news.ycombinator.com/item?id=22587268](https://news.ycombinator.com/item?id=22587268)

[https://news.ycombinator.com/item?id=22646808](https://news.ycombinator.com/item?id=22646808)

[https://news.ycombinator.com/item?id=22223423](https://news.ycombinator.com/item?id=22223423)

This was a pleasant one:
[https://news.ycombinator.com/item?id=22652042](https://news.ycombinator.com/item?id=22652042)

In the past, you've had similar campaigns against other sites and topics,
including Go, Kubernetes, IndieHackers, Keybase, DuckDuckGo, Mailchimp, and
(yes) the Qataris:

[https://news.ycombinator.com/item?id=22361860](https://news.ycombinator.com/item?id=22361860)

[https://news.ycombinator.com/item?id=22329624](https://news.ycombinator.com/item?id=22329624)

[https://news.ycombinator.com/item?id=22190633](https://news.ycombinator.com/item?id=22190633)

[https://news.ycombinator.com/item?id=22211243](https://news.ycombinator.com/item?id=22211243)

[https://news.ycombinator.com/item?id=22109987](https://news.ycombinator.com/item?id=22109987)

[https://news.ycombinator.com/item?id=22048852](https://news.ycombinator.com/item?id=22048852)

[https://news.ycombinator.com/item?id=22112625](https://news.ycombinator.com/item?id=22112625)

~~~
dang
I want to add something for fair-minded users who may still be wondering,
after all that, whether the interest in the OP really is organic or whether
there might be shenanigans. It's natural to worry about this, especially
because other users tend to make loud and grand claims about abuse, whether
they have knowledge or not.

You can check a lot of this for yourself using publicly available information.

Look at a sample of users who've been expressing interest about Tailscale, in
threads about that topic and/or Wireguard or other topics. Check out the
histories of these users—you can do that by clicking on a username to go to
their profile, and then clicking on 'comments' or 'submissions'. You'll see
that most are longstanding, serious community members. If your random samples
look anything like the ones I've examined, you'll find many excellent HN
contributors among them, with a lot of technical expertise. This is evidence
that the interest in this topic is both organic and serious. I'd supply links,
but it wouldn't feel right to haul in specific usernames that way. It's easy
enough to check.

To that public information, I can add some non-public facts. First, the
profiles of users upvoting these threads look much the same as the commenters.
Of course in many cases they _are_ the same, since it's natural to both upvote
and comment on something that you find interesting. In addition, the voting
patterns on these threads look like what we see on popular topics of organic
interest, and nothing like what we tend to see with voting rings and organized
promotion.

Conclusion: although we can never say for sure, because we aren't inside
users' heads while they upvote, the evidence points to organic interest. I'll
go further: I'm the person who has spent by far the most time on this problem
in the history of HN and I find it hard to imagine the evidence being any
clearer. Also, no one at HN (and no one at YC that I know of) has any
connection with any of the people involved in this project. I've spent so much
time writing about this because (a) I don't like to see people smeared, (b) we
take concerns about abuse of HN extremely seriously, and (c) I want a record
to link back to in the future so I don't have to spend any more sad hours on
this.

