I just got an email about this and here’s what they say:
> Your plan is unaffected and you can continue to use the Personal Pro plan as you normally do. However, Tailscale's new Free plan includes nearly everything that Tailscale has to offer for up to 3 users on a custom domain and 100 devices. This plan may be more aligned with how you use Tailscale. Go to the Billing page in the admin console to review your options.
So I’ve been paying them for a while now but now they’re telling me I could just get the same functionality with the free plan. I really like what this company is doing! Thank you Tailscale, I’ll just keep paying to show my appreciation!
Amazing. Was just discussing this with a friend yesterday as a way to build loyalty. I have so many subscriptions I pay for but rarely if ever use (often forgotten). How refreshing it would be to receive an email to the effect "hey we notice your paying but not using product X. Here's some ideas of how you could use it, otherwise consider downgrading to free plan". May be at odds with short term revenue, but I'd then be a brand advocate.
This is what github did a while ago, no? I was paying for some enterprise-y features that they added to the free plan and then stopped billing me. I know there's lots of MS hate here, but this was pretty unique IME
Love tailscale, but here's a company on the up, bouyed by the renewed impetus all around for zero trust, with its do no evil, free lunch for all, growth mindset. Comparing it with companies that have switched to rent-seeking is ironic, because if history is any indicator, most Day 1 companies of today will Day 2 out, eventually (not to say that being a Day 1 company is in anyway easy).
I think the point of free plans is that no money changes hands so there's no support or SLA, while base paid plan gets now more expensive.
So if you didn't need those, you save money now, but if you do, you have to pay up to get the same features (going from $50/year up to $200+/year if you are just using it alone). So it's not all pure altruism.
But I'm not a Tailscale user, this is just from what I see looking from outside.
I just got the opposite treatment from another service a couple of days ago. The API endpoints failed silently without an error, and when I logged in on the dashboard it said that my current plan was replaced. They didn't even sent an email.
They said he should reconsider if the free plan covers his usage, not that he'd get the same features. Which could be true if e.g you were only paying so you could get more than one user.
> we’ll bill you retrospectively each month for the number of users who actively used Tailscale [...] More importantly, it aligns our incentives. [..] With this change, we don’t get paid for a user in your tailnet until that user is getting value from Tailscale. That means it’s not just our job to sell seats, but to help you succeed.
Trust is one of the most valuable things in a brand seeking long-term relationships. But so many brands optimize for short-term metrics in ways that damage trust. E.g., places that make it much harder to close an account than open one. (NYT, GFY.) One I really dislike is subscription-based businesses that care more about getting signups than delivering value. It has made me deeply suspicious of joining anything with a subscription model. [1]
So I'm very glad to see Tailscale, whose product is great, taking such a thoughtful approach here. I think it's especially important for them, as trust is deeply necessary for them to succeed. I hope some other people learn lessons! E.g., I'd sign up for more streaming subscriptions if I were sure they'd not bill me a month where I didn't watch anything.
This is a really intelligent move on tailscales part. Yes, there are a few hobbyists who paid for the personal pro plan, I'm sure. But at $50 a year it's not exactly going to change the companies economics a lot. Then the next step was jumping into "Team" level which would actually be a major step down for a small hobbyist who wanted a lot of devices (Personal was 20 devices, Personal Pro was 100 devices, Team was 5x the use count. So 2 users... 10 devices). Realistically hobbyists are not going to be the bread-and-butter of Tailscale's business, so why not let them go crazy.
Looking at https://tailscale.com/pricing/ one of the other major changes that has been made, is the free plan now provides access to almost every feature. Going up to the $6/mo/use "Starter" plan actually loses you some features. So if you've had a taste of the good life, and want to keep it, but have more than three users… You are going to need to go to the premium or enterprise plans. Probably makes their sales process, super easy, since they don't need to give out trials to companies anymore, "free plan for a few users and try it out".
I see a lot of love for Tailscale, but I'm curious what people use Tailscale for? Is it mostly to access services running on an internal network? Do you use it for work or for fun?
The use case I can see is streaming from my personal Plex server from anywhere outside my home, but maybe I'm not thinking big enough.
- I have a bootmod3 WiFi adapter plugged into my street/track car with a combo 5G/Linux unit in the car connected to my Tailscale that streams continuous telemetry about the car whenever its turned on. I could in theory re-flash the ECU via this.
- Using https://tailscale.com/kb/ondemand-access/ alongside node/subnet grouping to create a very neat first step towards auditing access to sensitive production services/environments.
- I use server-based dev environments to keep my portable laptop as clean as possible with no source code on it. VS Code remote + Coder server are fantastic over Tailscale.
+ others. Tailscale I think solves the problem of node-to-node-to-subnet connectivity at a convenient and flexible layer.
"- I have a bootmod3 WiFi adapter plugged into my street/track car with a combo 5G/Linux unit in the car connected to my Tailscale that streams continuous telemetry about the car whenever its turned on. I could in theory re-flash the ECU via this."
Do you have a writeup or more details you can share around this? This sounds interesting.
That sort of stuff is pretty common. Car guys have lots of disposable income. I'm certain there are devices out there that provide levels of telemetry that was only accessible to top-end racing teams just a decade or two ago.
> Entire site-to-site tunneling/routing. I didn't have to do anything for my parents I just dropped a subnet router at their place.
Can you elaborate? What do your parents need tailscale for? I mean my parents have internet purely by the telco dropping a router at their place and it just works, what is my family missing?
Best guess is OP is hosting files or services that are shared with less tech-savvy parents. Similar to our setup. My son is away at college but still wants access to his music and movie collection on our NAS at home along with some other services. He setup a Tailscale connection and everyone is happy. I don't have to manage any of it and he doesn't have to work around the school's firewall and network architecture.
Mostly standard VPN use cases. They can access my Plex server, Mealie instance and in turn I can remote access their devices without something like TeamViewer when they need IT Support or their home automation stuff is acting up.
Would their lives fall apart without it? No. But it makes my life as the family SRE much easier.
This is no longer a problem for me since I switched my parents from windows to mac, but remote desktop login to troubleshoot their problems would be a huge bonus.
Other cool things I could do if I dropped a raspberry-pi w/ tailscale onto their network:
- Need another public IP to test something? Route my laptop through their network for awhile.
- share files with them or backup some of their devices to a fileserver I control.
- send print jobs to their printer, I don't keep a printer but they do because.. and I shit you not, they hate doing crosswords on their ipads, they print the damn things out every morning and work them on paper.
- Put it on their phones and have them route their requests through one of my exit nodes.
In my case that's actually multiple functions: remote login without using TeamViewer and also for general remote support, and I have a small backup server at the place for my off-site backups.
It provides a consistent IP address (in the CGNAT range) that the end-device is always reachable at. On top of that you can use MagicDNS or regular DNS records to refer to it.
That IP is usable regardless of how that device and your device actually reach the internet. Further, no one device acts as a “server” and needs a stable public IP thanks to NAT traversal and the DERP fallback path. Keys are handled automatically with an option to not trust Tailscale infra in doing that (Tailscale lock) and I just need to auth devices with my Google Workspace/Gsuite SSO.
Plain vanilla wireguard involves a bunch more faffing about with wg, wg0 and keys. With Tailscale, you (can just) install the software on each computer and then log in. There are also more advanced things you can do with Tailscale, but I chose Tailscale because of wanting to not have to deal with the setup like Wireguard (or OpenVPN) have.
Tailscalar here. One of the main things I use Tailscale for is accessing my development box from anywhere in the world. I can't really develop on Windows so I'm used to ssh-ing into a NixOS machine that runs all my compilers. Tailscale makes accessing it so easy that I can just leave hundreds of emacs buffers open in various tmux panes and reconnect back when I want to do development again.
I also run some internal services over Tailscale, a lot of my personal projects have tsnet embedded into them so that my Prometheus machine can scrape and monitor them. My husband also uses one of those services daily to monitor some information that I publish there.
I also run the development instance of my blog over Tailscale and use Funnel to share it with people to review my writing before it goes live.
At work we use it a lot to let people poke around with changes to development instances of websites (like https://tailscale.dev) without having to push them to the cloud and wait for preview deploys. It is _stupidly convenient_.
Turns out you can do a lot of things with networks when you don't have firewalls making everything complicated.
Now that I think about it, there's also some other things I use it for. I embedded the Tailscale API into my VM manager waifud (https://github.com/Xe/waifud) so that I can pass a `--join-tailnet` flag to `waifuctl create` and plunk new virtual machines onto my tailnet with Tailscale SSH enabled. It makes testing things on arbitrary versions of Ubuntu so easy that it feels like I'm cheating.
My hypervisors are also subnet routers so my VMs can connect to eachother like they're on the same network. All the fun of static routing without any of the "fun" of static routing!
Speaking of Funnel, a holy grail use case is to be able to host one-off game sessions to an untrusted stranger who do would not trust this "Tell-scale thing" you require him to install or register an account for. Most frequently these kinds of spontaneous interaction happens over Discord, where perhaps you want to quickly show someone what you're building in Minecraft and have him make some suggestions in-game or something. Is there any possibility that Tailscale can improve on reducing friction for some of these more "social" use cases where the target demographic is not tech-savvy and distrustful?
As a consumer, I use it for two things and it does it well and very simply across all platforms:
1) When traveling, you can use one of your home computers as an "exit node" so you can watch Netflix, etc. abroad very easily. Much more reliable than using VPNs which can be blocked.
2) Accessing your internal network from wherever you are for Plex, Homebridge, IP cameras, or whatever.
I don’t have space for servers at home, so I use Tailscale to expand my home lab with a couple of VPS; the nice thing is that I can just block all ingress traffic in my provider’s control panel (Hetzner in my case) and just use these machines as they were part of my LAN, and I don’t have to worry about things like Docker exposing stuff to the public internet
Personally:
- I have a few raspberry Pis and PCs around the house. This lets me SSH into them for maintenance/etc. It’s also good for projects and stuff to use their DNS. Eg I can use “http://nas/photos” to get to my photo library instead of an IP address. No TLD is kinda cool (it’s just a net search group afaik so reproducible without them) but very memorable for the family. I’ve also gone as far as to embed their library in a go project I made - it means the same IP address and host name regardless of where the binary is running which is cool. This also means the binary knows who is who when accessing the website it hosts. The ease of doing this makes me feel like projects like OpenZiti bay be the future of zero trust and networking - embed the security into the code via a library and get all the global routing you need for free.
Work:
I work at a tiny company (5 of us). We do IOT stuff, and we have a lab with a bunch of equipment, mostly controlled by Raspberry Pis or similar. We’re small so we work in a private room in a coworking space. We use tailscale to manage the RPIs and keep consistent IP addresses when we don’t have control over the overall network. We also run some internal stuff in AWS over tailscale (eg our staging servers etc). It’s hands down the easiest option to onboard people too. It lets us access equipment from home if needed, and it’s super lightweight compared to other VPNs I’ve used.
I have my first year Pi running Diet Pi with Adguard Home and was just happy that I found a use for such an old machine that I was considering throwing.
The speed test in Diet Pi said that the latest Pis can complete them in a few seconds versus the minutes it took mine to setup, so figured it would be useless but had been working flawlessly as a dns at home and blocking all ads on all devices.
Adding Tailscale took it to the next level and now all my devices have ad blocking on LTE, public wifi, friends houses, everywhere.
I subnet advertise my entire home network, which I consume from my phone and laptop on the go. Primarily to access home assistant, plex and SSH without advertising any of those to the internet - people can and do get hacked both via plex and SSH :)
When travelling internationally, I use the exit node functionality to optionally switch on and off sending all my traffic back home to either work around geo-blocks for my home streaming services or as a pseudo-vpn replacement for particularly dodgy networks.
Accessing servers without the need to open their ssh port to the public internet. This is the main point for me. Such functionality could be achieved with other means of course but tailscale makes it so easy and reliable that I don't think any other solution can compete with it.
After I install the tailscale client on the server and do some very simple configuration on the tailscale web app to identify the new node I know I'll be able to access it no matter of any firewalls the node may be behind!
Standard VPN stuff really. Set it and forget it. Accessing my NAS and home machine without opening them up to the world mostly.
The most specific use aside from "it's my network, wherever" I've got is setting it up with NextDNS for adblocking no matter where I am in the world and regardless of what network I'm on https://tailscale.com/kb/1218/nextdns/
I am doing a lot of what people here said they are doing with tailscale but I just use plain wireguard. As I understand it tailscale makes various configurations automatic, management easy and provides features like authentication that wireguard does not have. But for a small number of hosts, it's fine to run wireguard itself and manage manually.
I have a NAS in my home, and my parents have a NAS in theirs. Everything is on Tailscale and I can SSH into either machine whenever I need. I've needed to do this a few times when I am on the road, but more commonly when I use Tailscale when I do a little remote tech support for my parents.
I don't expose anything to the internet and use it to access my Synology or my Unraid NAS, to stream Plex music to Plexamp, to check my home network when I am away, and in some cases I have used it to circumvent filtering Proxies by tunneling HTTP/HTTPS.
I found Tailscale for a specific reason, having a network where my various services can talk to each other without going thru HTTP for everything, i.e. ssh, scp, direct schemas for DBs.
And I use it for screen sharing my mac computers over the internet while traveling.
We use it at work. All our services run on private IPs on our own vnets, and we access them with Tailscale. We don't need to run a VPN tunnel, or manage public IPs and firewall rules.
Technically maintaining your Tailscale ACLs is the same as maintaining “firewall rules”. If you’re allowing any-any on your tailnet you are in a world of hurt if any endpoint gets compromised by e.g. ransomware.
We use Tailscale at $dayjob and the fact that we can ensure that marketing machines can’t access any engineering resources is the big win. And it “just works” through NAT.
Plex provides remote access without needing any additional services. Just enable it in the settings and you can access your library anywhere when you log in to plex.tv.
I'm a big Tailscale proponent, implementing it at work in early 2020. But for us I'm not sure this is great news. We have a small Tailnet of 5 users, paying $30 for the Team plan. If we went for Starter we'd save $18, but loose a lot of cool things Tailscale has come out with recently that we have been looking at, like user/group level ACLs, ACL Gitops,Tailscale SSH and Tailscale Funnel.
Alternatively we'd pay $36 for (3 free, 2 * $18) for Premium, which doesn't sound too bad. But the cost for each new user would be three times higher than it currently is (and Tailscale our most expensive SAAS product per person).
Or we stick to legacy pricing for now, and live with things like the Subnet Router limit which makes e.g. connecting home VoIP phones to the Tailnet price prohibitive.
So they used to have a $6/month/user plan that included Funnel and SSH, but now they moved those to the $18/month/user plan? That doesn't sound great, and it's disappointing that that's not even mentioned in the article
Yeah. I had a feeling of dread when I saw the "Changes to your Tailscale plan" email subject, but then was positively surprised by many of the changes. For smaller companies, getting the first three users for free will also be nice.
Previously almost all features were available [0] on all plans, though with certain restrictions that made sense (and some that didn't). I was hitting those limits and wanted to get approval for us to purchase the Team plan.
But now I see that features have been stripped out of the "new" Team plan — and was also frustrated that I couldn't find any information on this. I guess overall the pricing structure makes sense for them, but it's frustrating to not have this clearer in their article.
I suppose I can live without things like Funnel and SSH, and don't need Okta etc., but paying the new ACL tax for Starter to Premium (a $12 jump per user) is more painful.
Overall a positive, but with rough edges which unfortunately hurt me. But perhaps there'll be some tweaks in future, and perhaps again the opportunity to pay for individual feature upgrades.
Yeah, I'm in the same boat. I'm kinda confused about things like SSH and Funnel being moved to the Premium tier.
It feels a little odd that the Free tier lets you use Premium features indefinitely, but as soon as you get more colleagues onboard, you lose those features.
Unless you're looking carefully at the pricing page, you'd miss that Starter has many fewer features compared to Free.
Yeah, I thought the webpage was broken when I saw it! :D
I can understand that things like SSH and Funnel cost more, since they actually interact with their server infrastructure… but the removal of features and ACLs from Starter wasn't well communicated.
This is weird, currently I'm using the Free plan but I always wanted to upgrade to financially help Tailscale, but now that the Starter plan doesn't have SSH and Funnel, it would make more sense to stay on the Free plan instead.
It doesn't even make any sense, if it is available on the Free plan, why not give it to the Starter plan too?
Also, I may be misunderstanding the billing page, but it looks like Tailscale removed soft limits? On my billing page, it shows "Your tailnet has 3 more users than you are paying for. That’s fine, we have soft limits. Play around and upgrade your plan before April 30th 2024."
I use the free plan to access a little raspberry, opened the link with a bit of fear... Read the first phrase "The free plan....." :CRY: "....is expanding from one to three" NIIICE don't need any more user but I am happy that it's staying
I would love to see expanded personal options. The new free tier with 3 users is great, but trying to Tailscale for personal use for a family of more than three users while still using advanced features like Funnel is $18/user/mo, which is too high for personal/family use.
If anyone from Tailscale is around, would you consider a family or advanced personal tier for primarily non-commercial use, perhaps a moderate user limit, but more advanced features and lower pricing than Starter?
I am not sure why Tailscale is always on Hackernews.
For example, Twingate allows 5 free users and supports more complex use case without requiring a subnet router. They generally have stronger enterprise features as well.
Tailscale is really a winner for simple use cases. For example, these are the steps to access my home server from anywhere in the world with my phone:
1. docker run tailscale/tailscale
2. Use the link provided to login and link my server
3. Download the Tailscale app
4. Login
And if you're using a server OS like Unraid, you don't even need to do the first step; just install it through the GUI. It's widely available and accessible.
TailScale is the HN darling - open source and great for stitching together computers across networks.
Most organisations though are looking at the NetSkope/ZScaler/Perimeter81s of the world and that's where Twingate seems to be picking up the business. It goes beyond the connectivity and has things like non-intrusive device controls which are essential for a lot of places that are in fin tech or have to do SOC2, etc.
Twingate definitely supports complex enterprise use cases for sure but I'll say that somehow it manages to remain super simple to deploy, configure and maintain. I've even got my family on it (let's just say they aren't exactly the most technical folks ever..) so they can access our family photos and other stuff I host at my house (they all live abroad).
> For historical architectural reasons you cannot currently have more than one user on a “personal” tailnet (such as a gmail.com account). You need either your own domain or a GitHub Organization. Sorry. We will fix this, but not today. Meanwhile, don’t forget that you can use Node Sharing to share devices (including Exit Nodes) across individual tailnets.
Darn. Looks like I may have to create another tailscale account!
I do wonder whether this restriction will severely limit the number of 3-person free accounts that are created though - I have my own domain, but that probably puts me in a small minority of people, even the kind of nerds who are willing to try out tailscale in their own time? Which in turn might put something of a crimp on the hoped for flow of viral “my friend put me on their tailnet & I discovered how easy it was” signups.
I have been recommending tailscale to absolutely everyone though, so I guess free services work as a marketing tool!?
Since everyone has done a nice job of analyzing the pricing changes, I just thought I would mention that from quick visual inspection, it's not obvious that the two growth curves are drawn from meaningfully different distributions.
TailScale is still small. They probably identified that their pricing plan was preventing them from user acquisition and/or they are having pressure from competition and thus are trying to flood the market to become the de facto solution.
It’s a pretty common play for a smaller startup. They just broke the 1B valuation last year. Could be the board pushing the executive team to grow the number of users because happy free tier customers tend to convert to paygo at some non 0% just as paygo customers convert to ENT contracts at some non 0% as personal projects grow into businesses and smaller businesses grow into large ones.
I'm going to get my son to use the three user plan when he runs a minecraft server and has a friend log in, it's a better answer than screwing around with the NAT, DMZ and all that.
Even without this change, if you can get the other folks to use Tailscale you can share out devices. So he doesn't need to manage other users, they can create their own accounts and access his server.
I've been looking into using Tailscale/Headscale but I've been struggling[0] to find in-depth information about what security risk the coordination server poses (should it get hacked). Yes, the node list can be locked but the ACL cannot(?) So if I, say, run the Headscale coordination server on one of the devices that are part of my Tailnet, wouldn't an attacker that controls the coordination server automatically get access to my entire Tailnet, including SSH access to every device? So is the conclusion
- Always lock your node list, whether you use Tailscale or Headscale.
- If you use Headscale, run the coordination server entirely separately from your Tailnet.
Thanks, I did read that blog post but adding yet another dependency to my stack just for authentication of a single user (me)? I don't know… Then I might as well just install Headscale.
> Instead, we hope that by being transparent about our security practices and helping ensure that Headscale remains compatible with Tailscale, you will either use Tailscale, or host Headscale for your own personal needs.
You love Headscale for personal use? What would you say to someone looking at Headscale for their business over Tailscale?
That's a really odd response, to be honest. I was expecting something around features you only get with Tailscale, scaling issues with Headscale, something to sell me on paying $6 a user.
- You don't have to maintain the infra yourself. It is maintained by system experts, vs the necessity to learn such knowledge yourself
- You are going to get features earlier, as Tailscale is the leading implementation, and Headscale is trying to maintain compatibility
- You have a promise of a certain level of support depending on your plan, rather than relying on an open source community with no responsibility to provide support
It feels like Tailscale isn't trying to gatekeep the technology, they are trying to sell all the things that simplify/provide value for people who would like to use the technology.
What hardware would be recommended for a Tailscale subnet router between two sites with a GBit link? Saturating a full-duplex GBit link would require two LAN ports, ruling out the option of a raspberry pi, wouldn’t it?
I don't know if it was intentional, but when I saw the headline I assume they were axing the free tier or at least making it significantly less useful.
So far, the same way it's always worked: you need to BYODomain and sign in with your domain's configured SSO provider. You can't do, say, 3 gmail users.
However, if you did have 3 Gmail users, it’s possible to share Tailscale access across multiple accounts. So in a small setup you could create an account for each user and then effectively connect their Tailscale networks together (I’m not sure if you can route between Tailscale accounts directly but you can at least share hosts on your account with users on another account, which is how I do it).
I do this with a personal and work account to share some limited access between them.
> 4 For historical architectural reasons you cannot currently have more than one user on a “personal” tailnet (such as a gmail.com account). You need either your own domain or a GitHub Organization. Sorry. We will fix this, but not today. Meanwhile, don’t forget that you can use Node Sharing to share devices (including Exit Nodes) across individual tailnets.
TLDR from Tailscale announcement email regarding Personal plan:
`changes are that the Personal plan is now called Free, and it includes nearly everything that Tailscale has to offer for up to 3 users and 100 devices.`
As of about a month ago, you can also sign up to Tailscale with any OIDC-compatible identity provider, so if you don't want to use Gmail or Microsoft you can self-host your own!
Seriously, if you use one of their recommended identity providers and their "AI" bans you, can you change your access controls on tailscale to another provider? Ideally without physical access to the other machines.
The list of identity providers is just ginormous companies that are likely to automatically ban accounts.
> Your plan is unaffected and you can continue to use the Personal Pro plan as you normally do. However, Tailscale's new Free plan includes nearly everything that Tailscale has to offer for up to 3 users on a custom domain and 100 devices. This plan may be more aligned with how you use Tailscale. Go to the Billing page in the admin console to review your options.
So I’ve been paying them for a while now but now they’re telling me I could just get the same functionality with the free plan. I really like what this company is doing! Thank you Tailscale, I’ll just keep paying to show my appreciation!