What if we all just had a static IP address, and a DNS name?
…and the address migrated around the world with you?
…and you could connect to any of your devices no matter where they were?
Does this not promote the destruction of anonymity on the Internet?
I think you've got a fundamental misunderstanding of what Tailscale does. It's all about accessing your own devices. You don't need or want anonymity in that case. They are not a general purpose VPN service, and can't even be used as one.
> They are not a general purpose VPN service, and can't even be used as one.
I'm not sure what you mean by this, but this sounds like exactly what they are, with some functionality on top. It's what I use to VPN into my LAN from outside, and it's pretty general purpose from where I stand.
In fact, they are not even VPNs in the first place. They merely use the same technology to provide a private tunnel to the public Internet (and use the name in marketing material because by now people are familiar with it).
What they are not is general purpose private networks.
A VPN is a Virtual Private Network. Those services you mentioned merely provide a secure tunnel to the same public Internet you'd have access without them, avoiding eavesdropping by your ISP or other intermediaries, whilst handing over that capability to the "VPN" provider. There is no private network anywhere in this case.
An actual VPN provides you with a private network that just happens to workover of the public Internet, usually encrypted, but is inaccessible from it.
A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The benefits of a VPN include increases in functionality, security, and management of the private network. It provides access to resources that are inaccessible on the public network and is typically used for remote workers. Encryption is common, although not an inherent part of a VPN connection.
Saying that these services are "not VPNs" is unnecessary pedantry. Definitions evolve over time, and these services meet the common definition of a VPN.
If they start off as VPN but morph into something more (like Cloudflare, Google, etc...) then it really doesn't matter how you define them "today" if their goal as a company is to become something more/different.
No? The fact that some machines (notably: all your _own devices_) need to be able to reliably talk to each other does nothing to impact anonymity on the Internet. Sure, you can route everything out of your own IP using Tailscale also, and that might be desirable if you're on a crappy connection, but it's still completely orthogonal to privacy-preserving techniques like Tor (and may in fact make those easier to deploy).
Tailscale doesn't make privacy worse any more than the fact that to a first approximation, no residential Internet provider in the US has rotated an IP in recent memory.
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
It's not their "mission" but it is their system. If you have a static IP address where "...the address migrated around the world with you..." how do you think that will work for people that _NEED_ anonymity?
The title of the article from Tailscale is "...to fix the Internet"... if it was "only" about "your own devices" then you are assuming they are thinking small.
You're assuming that they're thinking something completely outside of anything they've ever said, and something that nobody actually wants. Your assumption is the one that's out of left field, not mine.
I don't have to prove you wrong, I'm not making an assertion. It's on you to prove that your assertion is correct, and you have nothing more than your opinion backing you up.
The idea of "you have something permanently static that identifies what is yours" on the internet that never goes away, and it runs through a corporation's server, that supposedly is marketed as "fixing the internet"... do you really think this sounds good?
"To paraphrase Larry Wall, Tailscale makes easy things easy" ..
Indeed, I run multiple devices via two regionally separated homes and two cheap VPS's .. RaspberryPi, Linux, MacOS and an iPhone all able to communicate effortlessly thanks to TS
Tailscale is my favorite (product) discovery of 2022. I initially set it up to use as a VPN to get around a misbehaving corporate firewall and accidentally realized it solved a whole bunch of other problems I didn't realize I had. Usually a new product doesn't even live up to the intended use case and so TS is really anomalous IMHO in how good it is.
- SSH'ing into a raspberry pi I have at home that does random IoT stuff.
- Accessing servers on my local dev machine from other devices for testing (i.e. a Windows box or phone)
- Giving access to production bastion devices without publicly exposing anything to the internet.
And best of all I don't have to fiddle with the usual networking stuff. It just works. Kudos on the raise!
Non-disclaimer: I have no relation to anyone on the team. Tailscale is just a delight to use.
I've been using it since last summer to SSH to my pi too. Huge relief in terms of securing it. Easy to install and it just works. I'm not particularly savvy either.
My only complaint is that if you use it on your phone (iphone 11) and forget to turn it off it drains the battery like crazy.
When I tried Tailscale it seemed to have high CPU problem in general under reasonable load. I don't remember the numbers, but it made me uncomfortable to use it in my low powered servers. I wonder if this is the consequence of being a userspace program unlike wireguard kernel module.
Same here - I've found a ton of uses, for one I can now access my Home Assistant instance without actually exposing it to the internet. Same for the linux VMs I run via ESXi on the same Intel NUC. I can also access my QNAP NAS without exposing that to the internet which is huge given how many vulnerabilities have been found with it.
It actually allows me to turn my iPad Pro into a proper development machine as long as I have access to the internet since I can write code locally via Textastic, push to my git repo and test via the VM connected to Tailscale. Of course this was possible with a box on DigitalOcean but I prefer not to pay monthly for a machine just for noodling around.
SSH'ing to a raspberry pi in my parent's basement where my beer is fermenting has been the killer use case for me. Their crappy IPS router does not allow port forwarding, but with Tailscale I can directly access the sensors.
Only today I learned that I can even use Tailscale as an exit node (to the internet or the local network) and therefore use it like a normal VPN.
But HOW can this work? It MUST have config level access to each machine, that's the only way I can see this working. I guess I just have to try it to see.
It's a really neat piece of software - you're right that it does have the ability to configure your system, routing tables in particular.
The Tailscale agent (thing that runs on your machine) changes the system routing table (at least on Linux) and uses policy-based routing (marks packets destined for the "Tailnet" specially) to build the overlay network. Since everything is done at L3 in the OSI model, iOS and Android clients (in the form of an app) are also available without needing root (jailbreaking).
There are some things it can't do owing to the whole thing operating at L3, but it's a really awesome implementation nevertheless. And just to add, they aren't the first to build a product like this, but they do it incredibly well and the time to value for most users is extremely short, made even better by the fact that the expectation is that the time to value will be long(ish) and painful.
I know it was supposed to be a funny throwaway line, but I am irked by the "with $100 million you could interrupt the Super Bowl for 7 full minutes." That's not how sports advertising runs works. You are bidding on a limited amount of space determined by the game. I think there is also a non-linear cost.
Of course the NFL would never allow a 7 minute commercial break, although I do believe that the cost is linear. A 60 second commercial's cost is simply 2x 30 second commercials. There's no reason to do anything differently, since in the end it doesn't matter if that 60 seconds are filled by one or two commercials (aside from making the ad sales team's job slightly easier by having one less spot to fill).
I think there are reasons why cost would be nonlinear. First, there's simply demand. The people who want to do 60s clearly have a reason that 30s won't work, so they may be willing to pay more (certainly
they won't pay less). It's a different segmented market. There is a reason companies with lots of commercials tend to also be official sponsors of the Super Bowl. Second, practically it costs more. Ads are reshuffled around in real-time and the number of times you can be sure you can broadcast a 60 second spot are less than you being able to broadcast a 30 second spot, since the action may resume at an indeterminate time. Third, the Super Bowl specifically sells itself on the quality of the ads. It could do long term damage to the Super Bowl of the ads one year were just one company and not the funny celebrity heavy spots people expect.
This is not true. The commercial breaks in all US pro sports have a pre-determined length, and the game action will not resume until the broadcast has rejoined (outside of a mistake somewhere along the line). In the NFL, they have a countdown timer on the stadium scoreboard indicating how much time is left in the commercial break, and even a dedicated guy who stands on the field next to a referee, talking to the TV truck to confirm when the broadcast has rejoined.
With such a huge investment comes the obligation to eventually pay it back. Is this another one of my favourite tools going the way of Dropbox, 1Password and all other companies that were formed around what should be a platform feature, which took on way too large investment sums and were eventually forced to become the everything, losing sight of their core values?
I sincerely hope not, but there's so much bad precedent.
I haven't really felt like 1Password's product materially strayed from the original mission. If anything, I'm even more delighted with the team functionality, shared vaults, quick keyboard access in 1Password 8, etc.
I wouldn't put them in the Dropbox bucket.
Also, I think the value Tailscale provides is fairly unique and far from obviously a platform feature like file storage and perhaps even password management.
Indeed, 1Password is practically a utility at this point, as far as I'm concerned. I really like the direction they're heading and they're solving some pretty tricky problems without compromising on security, predominantly in the enterprise domain. The experience is the same regardless of whether you're an enterprise user or a personal or family user. It's polished enough that my grandma can use it.
I heard some people complaining a bit for a moment when they made the transition, but that happens anytime anyone changes anything and doubly so when that change is Electron. But that faded quickly.
I...don't think it's faded. I could totally be wrong here, but I don't think they'd actually made a transition yet; the complaining you're talking about was over the 1Password 8 beta. That actually just went GA this week, and people were still upset.
I get why they're doing it (or, at least, think I do), and I'm not angry enough to go get angry on Twitter, but I am going to avoid the upgrade for as long as I can. That's kind of a bummer to get there with a product you've historically really liked.
Honestly I haven't noticed and I use 1Password on all of my devices every day. I heard some grumblings about 1Password changing to electron months ago and just assumed that they already made the transition. In whatever case, I haven't heard a peep until this thread. I don't like electron in theory and the industry should collectively come up with a solution that incentivizes app developers away from electron rather than hoping they swim against the current of incentive.
You might double check which version you’re on. Might still be on v7.
> the industry should collectively come up with a solution that incentivizes app developers away from electron rather than hoping they swim against the current of incentive.
They have the financial resources to build it in ~Rust but still chose electron. It’s a mind boggling decision.
Modern 1password using Electron is sad in some respects, but hardly surprising. Even people who use Electron hate Electron. The real differentiating factor is those who understand why.
Removing the ability to use it in a non-saas (local vaults, vaults shared by other syncing solutions) capacity is what drove the final nail into the 1password coffin for me. I can't trust that they don't hold master keys to all the vaults on their saas offerings.
The swap from native to electron on macos was hugely disappointing but something I could have probably lived with if they hadn't gone full saas no alternative.
> I can't trust that they don't hold master keys to all the vaults on their saas offerings.
So you think they could be lying about their fundamental selling point, and hiding it in all of their audits? Personally, I'd trust them more than Apple/Google/etc.
Yep, ramming online vaults down everyone's throat is also what killed it for me. Since then I've gone from a massive supporter to recommending everyone look elsewhere.
Their online security-related UX is also a freaking nightmare. The desktop and mobile apps are excellent and still clearly the best, but yikes, their password plus secret uuid plus device identity is awful. I know multiple people who permanently lost everything thanks to that (remember, no local backups any more! That's what cloud storage almost always guarantees!), and they now push others away too.
Maybe technical customers who knew it were Electron. I knew, and don't really care. My wife doesn't even know what Electron is- everything is just another app to her.
1password took away the ability to have offline vaults, so i don't know how you can say they didn't compromised on security, since they cut off the most secure way you can store your vault chasing the solving of the tricky problem of monetizing a key value store.
It's been [0] days since the last time 1Password randomly bombarded me with a "Upgrade to 1Password subscription today" dialog. Not talking about the banner in the corner of the app. this was a dialog that had to specifically be dismissed
1Password went from being buy once upgrade forever to SaaS. A lot of folks bought back when that was the package (and business model) so it's viewed relatively negatively here from some folks. I don't blame them, but also, I think 1Password is a success. I just don't think they'd have been viable under their original business model.
Why? 1PW is succeeding. They didn’t do some huge moral quandary either that would make stopping the one time buying product a moral failing. People like the first commenter and myself have used 1PW for many years too and are fine with what has gone down.
Vs a clear moral screw up like the big tech companies colluding to not hire one another’s employees.
If they said "buy once, get upgrades forever" and didn't provide that, then yeah, that's definitely a very plain example of immoral dealing. The future service is exactly what the purchasers were buying - not a nice-to-have add-on.
Seemed to work for a lot software before SaaS ate the world. But who wants viable when you can bleed you customers for 10-1000x the would have paid for the software once? /s
I think they changed from their mission to make password management easy and secure to extracting service fees forever.
I don’t necessarily blame them but think their decision was pushed along by the need for big money.
For example, I think they’d still be able to do the pay once model if they abstracted they storage to work with Dropbox/icloud/OneDrive/whatever.
There’s really no value add as a user for a monthly fee. Although lots of people don’t mind. I’d rather not pay for something as essential and simple as a synchronized, encrypted data blob. I literally replaced it with a Google doc and cutting and pasting more. A filter over Google docs does not require a monthly fee.
I have this problem with lots of SaaS products that could be software if they didn’t want or need lots of money.
> For example, I think they’d still be able to do the pay once model if they abstracted they storage to work with Dropbox/icloud/OneDrive/whatever.
I get why they don't but I often wish more SaaS companies had a bring your own computer & storage model. It doesn't make sense for 95% of customers and the 5% of us who might like it and have the tech chops to use it would just complain about having to pay more because we are outliers. But I wish it was offered!
It makes sense because they make less money that way. It seems like they have some cognitive dissonance where they try to explain their SaaS fee because of the “features” that require SaaS. If they supported bring your own storage then that cuts out the main reason for the SaaS fees.
Also sad because bring your own storage is more secure to me than trusting a company with all of my passwords. So they are reducing security and increasing price.
I found 1Passwords UI/UX and development tooling choices... not ideal, as of 1P v8. I miss the native apps, and the latest iOS app/integration had far too many bugs initially (I just use autofill alone now, on my iPhone. Not ideal, but good enough)
Perhaps you refer to loss of local vaults? If so, they were never really a viable option for me - I needed the app syncing across multiple devices, including mobile, and doing so with a third party sync solution wasn't suitable.
For me, it was their switch to an Electron app. "High security" and "built from dozens of third party libraries and running on a browser" don't belong together.
Moving from a native app to an Electron-based one has a definitive impact on usability. Calling it a tech stack choice is a bit dismissive.
They used to have a kick-ass Mac app. That appealed to a considerable amount of their users. Then they ditched the native app for Electron, and those same users were disappointed.
Which functionality was removed by switch stacks? What is the actual usability impact? I currently use 1Password7 and haven't updated to 8 so I'd like to know before updating.
I’m fully in the camp who believes critical, top-level security should not co-exist with npm pulling dozens of 3rd party libraries which each pull even more 4th party code.
Is there anyone here with a counter argument? Has a security review been performed on each dependency? Any reason to think my fear is unfounded?
And what should replace it? Rust? Cargo? Oops. (I believe 1Password uses Rust for security-sensitive parts too, btw.) I'd genuinely like to know what the correct tech stack for a password manager is today because using the right one is important to my current endeavor.
Regardless at Uno we're working on a password manager with a native app and rust core. It's geared more towards everyday consumers than power HN users, but you might find it interesting. The rust core including api server is open source right now because that's one point where we diverge from 1P. Whatever tech stack you choose, it needs to be openly auditable so that the community can collectively ensure it remains secure. https://github.com/withuno/identity
Electron actually offers some of the best dependency-isolation capabilities of any language/platform given that you can set a content-security policy and leverage Chrome's extremely robust sandboxing to prevent front-end dependencies from accessing the file system, making network calls to untrusted domains, making system calls, calling 'eval', etc.
A fully native app will offer you no such protection. If a dependency used for styling or animations or whatever is compromised, it will have total access to the system and be able to exfiltrate at will to any location. In Electron, the equivalent dependencies can instead run inside the CSP sandbox, preventing them from doing any serious harm.
Supply chain vulnerabilities also aren't unique to npm. Any project that uses dependencies (in any language) has the same issue.
> Any project that uses dependencies (in any language) has the same issue.
While that's absolutely true, the Node ecosystem (which I use, love, and make my money in) definitely takes the sheer dependencies of dependencies of dependencies problem to a rather fascinating extreme, compared to nearly any other language I use.
It would be interesting to see some data. Node definitely has that reputation, but every other language I’ve worked in—ruby, python, golang, clojure, hell even objective c—all have rich library ecosystems and most libraries include other libraries. They also all have plenty of small, single-purpose libraries. Perhaps node is a bit worse, but it’s not like it’s in a different category. Most popular languages/ecosystems are like this.
Node/JS definitely is a lot worse and in a different category by several orders of magnitude.
My theory is that this is because there is no standard library in Node.
My JS frontend has something like 20,000 packages that need to be installed to build the app. The next highest-dependency lang I use is python, where my average python app will have approx 100 packages all in. And then it only goes down from there with other systems.
I suppose a lot of that can be chalked up to the overall size of the ecosystem (and also the complexity of frontends).
There's an exponential effect at work based on the number of libraries that do any one thing. If in python you have (for sake of argument) an average of 5, and in node an average of 25, the downstream effect is that you have massively more dependencies in your tree (many, many, more than 5x), just like you're seeing.
I still don't think the O(n) properties of dependency trees are any different in other languages though. Node just has the largest scale. If python had as many total packages as node, and was also as popular for building frontends, I think you'd have exactly the same situation. That's what I meant by "not in a different category". Node's scale/popularity is in a different category than python's, but its approach to dependencies is basically the same.
> ... and doing so with a third party sync solution wasn't suitable.
why not?
More importantly why was it necessary to remove the local vaults feature (I don't need it to integrate with any particular 3rd party syncing solution, I can handle that myself without any features from them) entirely?
It’s a basic web UX over a built in Linux kernel feature
There are Docker containerized apps that manage Wireguard too
Maybe contribute to one and fret less about behavior of VC funded business and wondering if they’re actually respecting your privacy to accomplish finance goals
If the open source implementation is equally good, I'm sure people will use that instead of Tailscale. That Tailscale exists makes me suspect that the open source implementation - as is usually the case with these "just use curlftpfs!" comments – is not equally good.
The reality is that making software, like any other human endeavour, takes time and energy. Paying one another money is a rather well-established mechanism of rewarding and incentivising that time and energy (since not everyone wants to work free of charge to make and maintain software for you, out of the goodness of their hearts, no matter how much you insist that you're owed their unpaid labour).
There are small and local means of getting free food, or free woodworking, etc, but the general reality is that a high-quality high-dependency maintained product, over the long term, is more feasible when it's paid.
If agency to make a thing must be purchased the long term viability of the thing is suspect. The work becomes about payments not the thing.
If it’s a real human problem, humans will solve it. If it’s instigated due to someone with coins in their pocket to mesmerize lizard brains, it’s a synthetic solution that will vanish with the synthetic driver of the work; payments.
Just because paying for things is common throughout history does not mean it’s necessary or the best choice long term; see Netflix propping up payment flows churning out crap. It means meat based tape recorders simply LARP the past.
Ditto, but the fact that they still can’t handle more than ~300k files is a long-standing problem they have yet to solve. I have close to a million syncing files and startup time for the app takes about 20 minutes on a brand new MBP, and CPU and overall energy usage is ridiculously high. All while they keep pushing me to backup more files.
I pay over $700/ yr for their business plan and would like to have better performance for it.
Even if it does go away, youre not loosing anything. Its functionality can be replicated with a USD 5 VPS using Slack's nebula (not wireguard based) or any wireguard based tool like headscale, innernet, netmaker or plain old wireguard.
> For people who believe there’s a catch — and most still do — then I don’t know how to write a blog post or hire a marketing or sales team to change their minds.
I think the catch is that (at least at the free level) one must trust an identity providers. For many companies that's probably fair enough, but for high-security companies and private individuals one absolutely cannot trust anything running outside of one's physical control. Service providers can be suborned, either legally by corrupt regimes or illegally by employees. There is no way that I would permit Google, Microsoft or GitHub (their three supported options) to gate access to my private devices.
I think that one must also trust Tailscale themselves, although I could be wrong about that.
Yep we had it rejected w an enterprise we work with as the org needed to own the full control plane so we couldn't bring it in, and not on the schedule for the org's security team for them to bring it in. Making a smarter, easier, and less creepily managed VPN more palatable to enterprises would be awesome, so the marketing value of their fundraise is real.
Yes, it's usable with every tailscale client (except for iOS). You provide an argument to make headscale your controller, and then it works much the same as the hosted Tailscale service, with some only minor differences in configuration.
Yes it works with all of the Tailscale clients except for iOS. No it does not work with clients from the broader Wireguard ecosystem (e.g the Wireguard iOS app).
I've seen them mention that they're looking at having the coordination server being self-hostable (and is for some client already), so I expect that to be one of the things you can get at the higher price points in the near future.
Tailscale will let you use any SAML or OIDC provider you like in the Enterprise plan (presumably because of the cost of supporting the long tail of nonsense IdPs will produce).
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
(That tweet I think was a teaser saying it was coming. I subsequently looked for it a few times and never found it, but maybe plans changed, or maybe I just failed to find it).
That is true. Sometimes we are talking about the business aspects of product-market fit, and sometimes we are talking about our own personal use of the product or domain. In this case it's both.
> Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.
It seems to take care of key distribution, nat-traversal, authentication etc etc
Neat! No sure how that is 'fixing internet' exactly, but really cool anyway
This is kind of overstated. Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT.
Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.
> Yeah, no one is going to allow unsolicited inbound connections even without NAT so you still have to have something to hook up the two ends in a P2P setting.
Sure they are. All home routers that I'm aware of allow for port forwarding so folks can self-host a service: perhaps a game server (e.g., Minecraft), web, e-mail, etc.
It's just going forward you can set up a separate subnet to put your gear in (especially if you get multiple /64 subnets from your ISP). You can have a DMZ, and use either the router- and/or host-level firewall to dictate which connections are allowed.
... if your definition of "home routers" excludes ISP-provided ones, then I'll agree. Unfortunately, I'm pretty sure that either you are on an ISP that actually cared and found a good supplier or didn't check out what are the capabilities of ISP-provided routers.
Of the three ISPs in my area that I have used, all of them allowed inbound traffic and either had useful controls in their routers or didn't supply a router, just an ethernet handoff. RCN, Comcast, Verizon.
All of them filtered out the SMB/CIFS ports.
Two of them filtered outbound port 25; one of them was willing to open it with the additional cost of a static IP.
Yeah, it's inconsistent to be honest. I've found that Hitron to not have any sort of firewalls (except for IPv4 NAT if you consider it as a firewall), while Huawei routers (which is not used in the US for reasons hopefully known to you) do have an IPv6 firewall that is only an off or on switch, stupidly their enterprise stuff do have advanced controls, Alcatel/Nokia-branded ones are inconsistent to say the least and the same can be said for Zyxel. I'm actually interested in checking out other routers used by ISPs, but those are the ones I've actually seen.
With IPv4 I have to worry about UPnP/PCP working and TURN/STUN/etc non-sense when it comes to peer-to-peer protocols. With IPv6 I only have to worry about about UPnP/PCP working. In my books that's an improvement.
If I want to self-host something, then with IPv4 I have publish my IP and worry about the CPE supporting port forwarding. With IPv6 I have publish my IP and use UPnP/PCP to allow all connections. Is there any CPE gear that does not support UPnP/PCP?
Which can be done via UPnP and PCP, and without having to maintain TURN/STUN/etc infrastructure. The latter of which can only be done with IPv6, since with IPv4 you're NATing.
So IPv6 makes things easier—which was the point of my post: IPv6 makes things easier.
This fact must be bundled everywhere someone mentioned "IPv6 will allow direct connectivity again". While NAT isn't a fully-functional firewall, it did do things that a firewall in a router would do. What equipment have proper IPv6 firewalls? Routers, that's who.
> Even if everyone went IPv6 and gave every device a public IP address, pretty much every network would have a firewall that behaved just like NAT.
No, they do not behave just like NAT. With NAT you have two problems:
* figuring out your address
* firewall hole punching
With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.
This helps immensely for residential connections since people (generally) control their gateways, and with more and more higher speed (fibre) connections being done, it could help in more self-hosted and peer-to-peer services.
What one is allowed to do at the office would be dictated by the policy(s) of your employer: they could allow PCP/uPNP opening via authenticated requests for example.
No, no, no, no. You haven't really experienced the quality of IPv6 routers at home. The only thing that I can (probably) say with confidence is you will not need TURN, and even that assumption can be broken with even more restrictive firewalls that block nearly all UDP traffic or even not know your real public address because IPv6 NAT does exist (https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no..., https://datatracker.ietf.org/doc/html/rfc6296), but fortunately this is usually found in enterprise stuff. NAT-PMP or router UPnP is probably the wildest: majority don't (remember that I'm focusing on ISP routers since that most people don't bother to switch to actual routers...*), some only on IPv4 (which is even more frustrating), and only few supports it correctly. Worse, those same broken garbage-level routers have NAT-like firewalls: at least you know what address and port you will contact the other computer, but you will still need UDP (TCP handshake will be very problematic) and you will still need keepalives (or otherwise your firewall will just close the port).
* ... and most that do get another router (usually because they have seen that their Wi-Fi on the "modem" is bad) don't turn on** bridge mode which will be a definite headache on both IPv4 (double NAT) and IPv6 (address conflict, especially if you're using an ISP like Comcast that would only allocate a /64 and no more.
** ... because you need to call up the ISP or even outright refused to bridge it (either because they're stupid but you don't have another ISP to switch or the equipment manufacturer of their garbage special router didn't program one).
No, not necessarily, but if you're using an aftermarket router rather than an ISP-supplied router, then this rather long list is not applicable to you.
I'm guessing you're in the US? Haven't had any problems with IPv6 on ISP-supplied routers in UK, NL, DE, CN, HK, VN, TH, SG over the last 10y or so, seems like a solved problem for most of the world.
> With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.
What about phone networks? (in the US providers block all incoming traffic.) Or other ISPs that block incoming traffic?
NAT has been used to address a fundamental problem of what traffic can be trusted. That's what Tailscale fixes.
Our epic treatise on how NAT traversal works (in general, not specific to Tailscale) mentions this. IPv6 greatly reduces the amount of pain for p2p connections, but does not eliminate some of the fundamentals (stateful firewall traversal) if you want it to be zero-config: https://tailscale.com/blog/how-nat-traversal-works/
But until deployment hits 100%, and until ISPs start caring about IPv6 reliability the way they do about IPv4, "just use IPv6" can't be your answer. It's lovely when it works, but you need to do something other than "give up" when it doesn't. (also, as long as the internet is dual-stacked, doing IPv6 right also implies figuring out if NAT64 is in play, and wielding it correctly; so arguably IPv6 adds more complexity to the overall story, for now :) )
Avery Pennarun, its CTO, is somebody whose judgment I am used to trusting.
Then I learned that to use it, I would be dependent on authenticating using a login on one of the unaccountable internet behemoths who could take away my account for any random reason or no expressed reason at all.
If you use an identity provider like Okta or OneLogin, then you're not tied to any "contentful" services like GitHub or a Google account that "historically" seem to have more problems of this type.
As far as threat models go, I can't really say I understand this one too much.
As an example: shortly after Russia invaded Ukraine, Namecheap cancelled all accounts of all of its customers who were located in Russia. This was done regardless of what content if any was hosted by the account, whether or not the person in question supported the war, or whether the person in question was actively fleeing Russia and may have been relying on technical infrastructure they had previously set up to help them do so.
Just because a service you sign up for is not contentful, does not mean that they won't choose to boot you off for some reason completely unrelated to anything you control or anything you chose to do.
This is a strange example to pick given that (1) it's a war, and (2) a significant percentage (majority?) of Namecheap's employees and offices are in Ukraine.
If we (the US) decided to invade Canada tomorrow, you can be certain that the maple syrup would stop flowing.
Edit: According to their website[1], the overwhelming majority of their employees are in Ukraine. Two of the three cities they have offices in are on the current combat front.
I don't think parent is saying it's unexpected, but rather that having a third-party identity provider (especially a corporation) is an unwarrented and/or unwanted political dependency. I deeply empathize with this sentiment but also recognize why many companies choose to rely on them (identity is very difficult).
Okta and OneLogin are both private corporations that have each existed for 13 years. Does your threat model include an estimate for how long they will stay in business? What if one of them puts the other out of business? Does your threat model choose a winner in that fight?
As far as paid services the possibility also is there that someday _you_ run out of money and have to stop paying them. They tend to shut down your access when that happens. Another financial threat you have to model.
These things don't happen when you use public key authentication.
For enterprise, sure, using a separate IDM provider works, but last I checked, neither Okta nor OneLogin cater to individuals and their personal accounts. So as far as threat models go, I understand why people view this requirement from Tailscale as utter garbage for personal accounts.
Google does that, Microsoft doesn't. Microsoft will ban you from a particular service if you egregiously violate the terms of service for a particular application of theirs, but never the whole account.
Google will throw you on your ass in the blink of an eye.
This isn't a very nice comment (from my reading anyway).
> Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.
> Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
Oh, that is a shame. I can see why they do it like this for businesses, but for personal accounts I refuse to use SSO. Been bitten by that a few times too many.
I _could_ use my github account, but I don't trust them at all anymore. And I'm not going to setup an account with some other service just to use this. So that is a hard pass for personal use.
For a company it makes sense to have to use whatever sso provider you are already using i guess
They don't want to build basic auth. They probably could, but it gives them more headaches and customer service touch points compared to delegating that out. Like: what if the user forgets their password? Or what if they lose their 2FA device?
Apparently the third-party authentication service is needed just to get it going. If you get an "enterprise license" you can choose among more authentication services, but not yourself.
What precisely are the consequences of the third-party auth? Is it, they get an IP ping each time a device connects or does anything? Or, does that only happen once, but they can revoke access at any time? *Surely* they aren't granted access to the content? That would be mindboggling.
You should checkout the opensource project OpenZiti (https://openziti.github.io/). It has its own internal PKI system so you dont need to (but can) like to an external 3rd party. It also allows you to close all inbound ports and link listeners (as every endpoint has embedded identity so makes outbound only connections) and can be embedded directly into apps with SDKs as well as deploy on any popular OS or as a virtual appliance.
If you're that concerned with 3rd party auth, I'm surprised you're not more concerned about trusting your virtual network to a SaaS platform (who could definitely decrypt the traffic). For those more privacy minded, they'd probably wanna go with one of the self-hosted alternatives, of which there are now a few.
I'm about to go away but having local access will be very useful.
I've just setup tailscale in a few minutes, very smoothly. I'm impressed it scales down to this kind of simple use case nicely, and it seems it has nice features as my use cases might scale up.
So basically Wireguard with automated key setup/distribution/identity management?
(btw. I love Wireguard - currenly using it to route traffic between my servers + transfer media between my home and my mother's mediacenter with both PCs being behind their own router - she loves it too as so far there were no problems hehe)
But isn't that just part of Wireguard itself? In the end that's what's happening in my case when I exchange data through Wireguard between my flat and the one of my parents... .
A bit offtopic, but how did they create the visualizations? Do they have a designer on their team for that or is there any good tool that creates charts like these?
Maybe a apt place to ask the question, all of my devices are silos. I’m still wondering if this is for people besides me, or if I’m just missing the potential use cases for myself. I have never needed to connect my device to each other. In the house I have a few laptops, a couple phones, Xbox, Apple TV’s, fire sticks, and every device is just connected to the google mesh Wi-Fi. Every device communicates out for what it needs (and yeah probably more) but I never in years have needed to use a device as a server unless I was developing on it and using it as localhost. Do I still have a use for tailscale?
That's such a broad "mission statement" that I wonder if it's effective at all. I mean, what SaaS wouldn't say that they fix something with the internet? That's to whole reason for online businesses solving one or another problem.
How could that statement help them guide their implementations of various solutions?
I think the best way to get a feel for what that means is Remembering the LAN[0] and then just trying it out (really, it's easy) and deciding for yourself if they're living up to it. Or grep Twitter for "tailscale" -- all these nerds aren't astroturfing :)
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
The internet, at its essence, means connecting machines aross (intra)networks. Not everything those machines do. That's what Tailscale (+wireguard) is for.
My understanding/hope is that the author uses "internet" to mean the technology. Colloquially we use "internet" to also refer to every technology that runs on top of the internet (like the web), but 'connect devices together' is a meaningful statement and the internet is the technology that we currently use to do that.
I read almost all of TFA (started to jump paragraphs near the end) and still couldn't figure out what it was or did, even after being told, repeatedly, that they "make easy things easy".
The blog post is poor. It has TailScale's "house style" of folksy reminiscence and Avery's stream-of-consciousness writing stylewrapped around an announcement. It only says two things, one at the top, and one at the bottom: "We raised a $100m for our war chest; we don't have any plans for how to use it besides extending runway for our current operations". The middle is left trying to justify why that is a good thing, despite not having a reason beyond "we know a lot of rich people who know we are wicked smart and talented, so they want a piece of equity in us".
I thought the post was remarkably well written. I had a vague idea what Tailscale did going into it, but this post did a good job of describing the company's values and vision. I'm not sure what the intended audience of the announcement was, but for me it was interesting.
Unfortunately despite claiming that they would, they've never allowed their iOS application to allow configuration of the control server (every other client they have released does). Maybe some more funding will allow them to focus on the client quality.
also, their iOS client still has abysmal background battery usage even when not connected. It has been more than a year now, so, yes, seeing them improve in such areas would be cool.
But given the huge amount of money invested, pressure will go into other directions. I'm afraid my (aside of the iOS issues) beloved Tailscale is on a path to expensive enterprisey bloat, losing what made it so good (the JSON based ACLs, the external authentication provider reliance, etc - GitHub Auth is a killer-feature for me for example)
That's https://github.com/tailscale/tailscale/issues/1572 which we haven't given up on. It's just not done. We did it for macOS and we thought the same thing would've worked for iOS (they share ton of the same code) but it apparently didn't work.
The mobile apps have been a low priority thus far. We just recently hired some people to work on them, though.
The highest priority for them currently is fixing battery life (we do some dumb things when LTE + wifi are both available, and when using exit nodes, and some unnecessary heart beating that sucks on mobile) and then there's also a mobile app redesign (or just "design" coming).
We like Headscale and we're super glad that it exists. (they saved us some work by doing it first, as our control server wasn't in a releasable state) We keep Juan et al updated when there's protocol changes or things they can do. (e.g. recent https://github.com/juanfont/headscale/issues/552)
About the battery usage: what I can’t explain is that there’s a lot of background energy usage on iOS when Tailscale is running even when it’s not connected.
If this was about heart beating, I would expect that to only happen when the client is connected.
Also, in the battery stats, the background usage is there and tailscale is listed, but with - % of battery usage.
However, when I force quit tailscale, all of the background energy usage goes away.
Thanks for the response. I had misinterpreted the communication from Tailscale to be adversarial rather than just that it wasn't something that had engineering focus. It's good to hear that there will be some progress towards making the mobile app better.
Any chance to be able to get the dmg directly from Tailscale vs the App Store? It's been a pain on MacOS as not everyone wants to mix personal accounts with corporate laptops
We love Tailscale. Everyone employee has it, and we use it to provide access to dev, staging, and prod environments as well.
Fun little thing we did with it: nobody can access the prod network without requesting access via a Slack bot (powered by https://indent.com/). So somebody requests access, another authorized person approves it, and the Tailscale ACLs are updated for X minutes and then reset.
Access to secure environments is super low friction but more secure (with fantastic audit trails) than ever.
Well, we run our servers without ssh access... no amount escalation through ACLs / Security Groups let you in. Can't say it would work for everyone, but at least, no one can mutate prod unless the code itself exposes those interfaces.
As I’ve said in a past thread for another product (oxide), I LOVE Tailscale and am really happy for the team for their well earned growth and success.
However this is the path that could move them towards being pressured to add a bunch of bloat, followed by acquisition pressure and a big payout that will likely eventually cause the product to stagnate after the founding team leaves and the buyers don't care.
I really hope they’re all already rich enough that they aren’t tempted by that. :-)
Update: altered content to add more speculative version.
Am I the only one that has an issue with a VPN that I can't self host? Presumably if Tailscale get's PWN'd or subpoenaed then your network is breached no?
Depends on the kind of breach. Tailscale is extremely carefully designed to minimize that risk. Notably: Tailscale doesn't get your keys. (Granted: a compromised agent would still be a problem. It's a thing I have some plans for :-))
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
No, they don't have access to the Wireguard keys and everything is point-to-point. They'd have to push a backdoored software update to gain access (and this is a threat with any vendor product).
IIUC Tailscale controls key distribution, so you'd still have to trust them. However, it might still be possible to eliminate that need for trust by verifying peer connections out of band.
Tailscale's data plane is [1] mostly p2p except for some cases where it doesn't work and it goes through an encrypted relay.
So your data does not run through Tailscale servers.
There is an oss [2]coordination server that does let you totally self-host.
If the tailscale control-plane is pwnd, outside of compromised ACLs (access controls) and DNS routes, I don't think it affects anything critical on the data-plane like passwords (because SSO) or private-keys since tailscale machine keys and node keys never leave the device: https://tailscale.com/blog/tailscale-key-management/
The clients are. The control server, which is the bit that Tailscale host, is not.
There is an open source alternative called headscale [0]. The main downside is that you'll need to run it.
The closed source centralised control server has other potential issues though, and it ends up being up to the user to decide what's the right balance of security vs convenience.
I remember reading a previous HN post about Tailscale and a certain commenter said that Tailscale is ideologically driven, small-scale operation and they prefer an alternative like NetMaker which has more backing.
$100M seems more than a small-scale operation or is $100M in tech actually small scale?
As the founder of what some say is a competitor (ZeroTier) I'd like to congratulate the Tailscale team. We don't really see Tailscale as the competition. We see the competition as:
(1) The old school castle and moat IT model that dominates at 99% of companies. If we can disrupt this then TS, ZT, and four other upstarts could all become billion dollar companies. Right now 1-2% of this market has been disrupted at most.
(2) The put everything in the cloud and everyone gets a thin client model. If that wins then all of us lose because there is no market for endpoint connectivity. We also lose all privacy, all data ownership, and all ability to experiment or innovate without paying for it by the instance-hour with TOS-enforcement bots looking over our shoulder.
Avery and the team at Tailscale are building a fantastic product and totally deserve the round and recognition, huge congratulations - we're super happy for them.
In many ways they're also an ice-breaker for the zero trust overlay network architecture, which means they've got the most work to do. As the current top comment on this thread correctly notes, with huge investment comes the obligation to eventually pay it back.
The market hasn't even come close yet to crossing the chasm and seeped into mainstream conscience to become the accepted norm - yet.
That said, we believe fiercely that networks should be simple to reason about, easy to use and safe to operate. That private connectivity should “just work”, and just work in exactly the same way, everywhere too. Flexible to change, simple to automate and only available to the right things at the right times.
When you think about it, building private networks is actually pretty complex right now and can be pretty insecure too. It's some unholy combination of spell casting meets a yak shaving contest to wrangle firewalls, VPNs, MTUs, and manage IPs, subnets, ACLs, NSGs, VPCs, NAT, routing, VLANs, certificates & secret keys, then hoping a zero-day doesn't show up that drops someone straight into the network via the VPN server, who then starts poking around the squishy centre.
Once you've used products like Enclave, Tailscale or ZeroTier and seen how simple private networks really can be - at a certain point you almost stop and ask the question, why would you not do it like this.
There will always be nay-sayers and people for whom this approach just isn't a fit, and that's fine - but I personally find it hard to imagine that this genie can be put back in the bottle.
What will happen over time is that as we disrupt old-school IT and re-introduce the idea that you can own your own compute (disrupting the everything-cloud model) the various participants in this new area will find niches in which their specific strengths and features shine the most. This always happens. Look at databases. There are like 10 decent sized database vendors for a reason, not to mention several paradigms: SQL, NoSQL, NewSQL, GraphQL, etc.
But if we don't succeed in disrupting the actual competition everyone fails.
At least that's how I look at this market.
Of course I'm also a mostly-follower of the "ignore your market peers, focus on the customer" philosophy. Your greatest competition is always your own shortcomings.
There is another interesting company in this space- Netmaker[0]. It's been getting a lot of traction in the homelab space- namely because it takes advantage of kernel wireguard, which is more performant than the userspace wireguard that tailscale uses.
I have heard of but never really looked in to Tailscale until today. I'm not impressed.
"Fixing the Internet" is not done by layering more private network garbage on top of it.
Their claim[0] that after you install Tailscale on all your devices: "This final configuration is called 'zero trust networking',” is pretty interesting. It seems this would be more like having a trusted internal network (sure it is overlaid on an untrusted network). A true zero-trust network would mean all of your clients and servers are secure in a manner that they can operate on the public Internet...like O365, Salesforce, etc. To say that you run a zero-trust network because you implement a fancy VPN is C-suite dreaming at its finest.
"get around a misbehaving corporate firewall" like newhouseb sings praises for is exactly the sort of thing that should be happening less, and the opposite of "fixing the Internet". Follow the policies of the network you are being allowed to use, or lobby for them the be fixed. Don't like ISPs messing with DNS traffic? Get rules/laws implemented that prohibit that, instead of garbage like hiding your DNS in DNS over HTTPS. (DNS over TLS seems more acceptable to me.)
This is how people fix things caused by commercial entities being abusive. It's done quite a bit, most of the critical things people rely on are regulated.
Do you live in a place that doesn't regulate things?
You could spend time to learn about the process, deal with months or years of lobbying, deal with counter-lobbying, and eventually win your position or maybe not. Or you could use this technical workaround.
And maybe we're all worse-off for it, but now you're done dealing with that issue.
Yes, so I think it is reasonable that someone who stumbles upon $100,000,000 and wants to "fix the Internet" aim a little higher than making it as easy as possible to do the technical workarounds that leave us all worse-off.
To be fair, my "misbehaving corporate firewall" is actually my apartment that has building-managed internet wherein everyone is NAT'ed to the same fiber connection.
For whatever reason, SYN flooding detection triggers when you do more than a few TCP connections per second which makes most TCP-based things super frustrating and their IT is clueless as to how to fix it.
Every time I've looked at setting up distributed VPN I've wanted layer 2, I haven't used WireGuard yet but apparently it's layer 3. I would love to be able to connect remotely and have my newly connected machine act like just another machine on the LAN. That in turn makes all kinds of other network-related operations simpler and homogeneous, in that the remote property of the connected machine(s) is abstracted away.
467 comments
[ 3.6 ms ] story [ 302 ms ] threadWhat if we all just had a static IP address, and a DNS name? …and the address migrated around the world with you? …and you could connect to any of your devices no matter where they were?
Does this not promote the destruction of anonymity on the Internet?
They are claiming they are on the road to "fix the internet", their own words.
I'm not sure what you mean by this, but this sounds like exactly what they are, with some functionality on top. It's what I use to VPN into my LAN from outside, and it's pretty general purpose from where I stand.
Those are not general purpose VPNs though.
In fact, they are not even VPNs in the first place. They merely use the same technology to provide a private tunnel to the public Internet (and use the name in marketing material because by now people are familiar with it).
What they are not is general purpose private networks.
An actual VPN provides you with a private network that just happens to workover of the public Internet, usually encrypted, but is inaccessible from it.
* https://en.wikipedia.org/wiki/Virtual_private_networkSaying that these services are "not VPNs" is unnecessary pedantry. Definitions evolve over time, and these services meet the common definition of a VPN.
Tailscale doesn't make privacy worse any more than the fact that to a first approximation, no residential Internet provider in the US has rotated an IP in recent memory.
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
Will they be left out of this new internet?
- SSH'ing into a raspberry pi I have at home that does random IoT stuff.
- Accessing servers on my local dev machine from other devices for testing (i.e. a Windows box or phone)
- Giving access to production bastion devices without publicly exposing anything to the internet.
And best of all I don't have to fiddle with the usual networking stuff. It just works. Kudos on the raise!
Non-disclaimer: I have no relation to anyone on the team. Tailscale is just a delight to use.
My only complaint is that if you use it on your phone (iphone 11) and forget to turn it off it drains the battery like crazy.
It actually allows me to turn my iPad Pro into a proper development machine as long as I have access to the internet since I can write code locally via Textastic, push to my git repo and test via the VM connected to Tailscale. Of course this was possible with a box on DigitalOcean but I prefer not to pay monthly for a machine just for noodling around.
The Tailscale agent (thing that runs on your machine) changes the system routing table (at least on Linux) and uses policy-based routing (marks packets destined for the "Tailnet" specially) to build the overlay network. Since everything is done at L3 in the OSI model, iOS and Android clients (in the form of an app) are also available without needing root (jailbreaking).
There are some things it can't do owing to the whole thing operating at L3, but it's a really awesome implementation nevertheless. And just to add, they aren't the first to build a product like this, but they do it incredibly well and the time to value for most users is extremely short, made even better by the fact that the expectation is that the time to value will be long(ish) and painful.
This is not true. The commercial breaks in all US pro sports have a pre-determined length, and the game action will not resume until the broadcast has rejoined (outside of a mistake somewhere along the line). In the NFL, they have a countdown timer on the stadium scoreboard indicating how much time is left in the commercial break, and even a dedicated guy who stands on the field next to a referee, talking to the TV truck to confirm when the broadcast has rejoined.
I sincerely hope not, but there's so much bad precedent.
OK, but it's not. Now what? Do we just live without until the platform overlords provide it, or does someone build it on top of the platform?
What even is the "platform", when my Android phone is connecting to my iPad and my Windows laptop and Linux desktop and Amazon cloud server?
$100M = ~$0.20 / computer user in US and western Europe (wealthy countries in connected software markets)
I wouldn't put them in the Dropbox bucket.
Also, I think the value Tailscale provides is fairly unique and far from obviously a platform feature like file storage and perhaps even password management.
I thought customers were complainingly loudly against their new direction of making 1Password an Electron app. Is that not the case?
Note: I'm not a 1Password customer.
I get why they're doing it (or, at least, think I do), and I'm not angry enough to go get angry on Twitter, but I am going to avoid the upgrade for as long as I can. That's kind of a bummer to get there with a product you've historically really liked.
> the industry should collectively come up with a solution that incentivizes app developers away from electron rather than hoping they swim against the current of incentive.
They have the financial resources to build it in ~Rust but still chose electron. It’s a mind boggling decision.
Respectfully, I think you may misunderstand the company’s mission.
The swap from native to electron on macos was hugely disappointing but something I could have probably lived with if they hadn't gone full saas no alternative.
So you think they could be lying about their fundamental selling point, and hiding it in all of their audits? Personally, I'd trust them more than Apple/Google/etc.
https://support.1password.com/1password-security/
https://1passwordstatic.com/files/security/1password-white-p...
https://support.1password.com/security-assessments/
Their online security-related UX is also a freaking nightmare. The desktop and mobile apps are excellent and still clearly the best, but yikes, their password plus secret uuid plus device identity is awful. I know multiple people who permanently lost everything thanks to that (remember, no local backups any more! That's what cloud storage almost always guarantees!), and they now push others away too.
I'm now a (relatively) happy KeePass user.
No, you confuse "customers" with a vocal minority.
Vs a clear moral screw up like the big tech companies colluding to not hire one another’s employees.
I don’t necessarily blame them but think their decision was pushed along by the need for big money.
For example, I think they’d still be able to do the pay once model if they abstracted they storage to work with Dropbox/icloud/OneDrive/whatever.
There’s really no value add as a user for a monthly fee. Although lots of people don’t mind. I’d rather not pay for something as essential and simple as a synchronized, encrypted data blob. I literally replaced it with a Google doc and cutting and pasting more. A filter over Google docs does not require a monthly fee.
I have this problem with lots of SaaS products that could be software if they didn’t want or need lots of money.
I get why they don't but I often wish more SaaS companies had a bring your own computer & storage model. It doesn't make sense for 95% of customers and the 5% of us who might like it and have the tech chops to use it would just complain about having to pay more because we are outliers. But I wish it was offered!
Also sad because bring your own storage is more secure to me than trusting a company with all of my passwords. So they are reducing security and increasing price.
Perhaps you refer to loss of local vaults? If so, they were never really a viable option for me - I needed the app syncing across multiple devices, including mobile, and doing so with a third party sync solution wasn't suitable.
They used to have a kick-ass Mac app. That appealed to a considerable amount of their users. Then they ditched the native app for Electron, and those same users were disappointed.
Is there anyone here with a counter argument? Has a security review been performed on each dependency? Any reason to think my fear is unfounded?
Regardless at Uno we're working on a password manager with a native app and rust core. It's geared more towards everyday consumers than power HN users, but you might find it interesting. The rust core including api server is open source right now because that's one point where we diverge from 1P. Whatever tech stack you choose, it needs to be openly auditable so that the community can collectively ensure it remains secure. https://github.com/withuno/identity
A fully native app will offer you no such protection. If a dependency used for styling or animations or whatever is compromised, it will have total access to the system and be able to exfiltrate at will to any location. In Electron, the equivalent dependencies can instead run inside the CSP sandbox, preventing them from doing any serious harm.
Supply chain vulnerabilities also aren't unique to npm. Any project that uses dependencies (in any language) has the same issue.
While that's absolutely true, the Node ecosystem (which I use, love, and make my money in) definitely takes the sheer dependencies of dependencies of dependencies problem to a rather fascinating extreme, compared to nearly any other language I use.
My theory is that this is because there is no standard library in Node.
My JS frontend has something like 20,000 packages that need to be installed to build the app. The next highest-dependency lang I use is python, where my average python app will have approx 100 packages all in. And then it only goes down from there with other systems.
There's an exponential effect at work based on the number of libraries that do any one thing. If in python you have (for sake of argument) an average of 5, and in node an average of 25, the downstream effect is that you have massively more dependencies in your tree (many, many, more than 5x), just like you're seeing.
I still don't think the O(n) properties of dependency trees are any different in other languages though. Node just has the largest scale. If python had as many total packages as node, and was also as popular for building frontends, I think you'd have exactly the same situation. That's what I meant by "not in a different category". Node's scale/popularity is in a different category than python's, but its approach to dependencies is basically the same.
why not?
More importantly why was it necessary to remove the local vaults feature (I don't need it to integrate with any particular 3rd party syncing solution, I can handle that myself without any features from them) entirely?
There are Docker containerized apps that manage Wireguard too
Maybe contribute to one and fret less about behavior of VC funded business and wondering if they’re actually respecting your privacy to accomplish finance goals
With an open source implementation out there, anyone can do it merely pulling a Docker container, and without paying Tailscale.
Regardless I manage a dozen users with no issue using Embarks container; once they’re setup I touch nothing.
Paying people is not working with people; it’s working with a specific group. Open source is working with people.
The reality is that making software, like any other human endeavour, takes time and energy. Paying one another money is a rather well-established mechanism of rewarding and incentivising that time and energy (since not everyone wants to work free of charge to make and maintain software for you, out of the goodness of their hearts, no matter how much you insist that you're owed their unpaid labour).
There are small and local means of getting free food, or free woodworking, etc, but the general reality is that a high-quality high-dependency maintained product, over the long term, is more feasible when it's paid.
[0]: https://news.ycombinator.com/item?id=9224
A fully functional web app in a Docker image is what wg-ui is.
Web companies could probably just provide API keys for customers at this point and abandon UX teams.
If it’s a real human problem, humans will solve it. If it’s instigated due to someone with coins in their pocket to mesmerize lizard brains, it’s a synthetic solution that will vanish with the synthetic driver of the work; payments.
Just because paying for things is common throughout history does not mean it’s necessary or the best choice long term; see Netflix propping up payment flows churning out crap. It means meat based tape recorders simply LARP the past.
I pay over $700/ yr for their business plan and would like to have better performance for it.
I think the catch is that (at least at the free level) one must trust an identity providers. For many companies that's probably fair enough, but for high-security companies and private individuals one absolutely cannot trust anything running outside of one's physical control. Service providers can be suborned, either legally by corrupt regimes or illegally by employees. There is no way that I would permit Google, Microsoft or GitHub (their three supported options) to gate access to my private devices.
I think that one must also trust Tailscale themselves, although I could be wrong about that.
https://github.com/juanfont/headscale
Can this work the rest of the wireguard ecosystem (agents, UIs, ...) for a full VPN soln without involving the VC-tied company?
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
(That tweet I think was a teaser saying it was coming. I subsequently looked for it a few times and never found it, but maybe plans changed, or maybe I just failed to find it).
Also, it doesn't address the individual case, but that's fair enough: Tailscale isn't a charity.
> Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.
It seems to take care of key distribution, nat-traversal, authentication etc etc
Neat! No sure how that is 'fixing internet' exactly, but really cool anyway
If someone uses a rubber hose, you might be forced to communicate against your will, using the fixed Internet.
Sure they are. All home routers that I'm aware of allow for port forwarding so folks can self-host a service: perhaps a game server (e.g., Minecraft), web, e-mail, etc.
It's just going forward you can set up a separate subnet to put your gear in (especially if you get multiple /64 subnets from your ISP). You can have a DMZ, and use either the router- and/or host-level firewall to dictate which connections are allowed.
All of them filtered out the SMB/CIFS ports.
Two of them filtered outbound port 25; one of them was willing to open it with the additional cost of a static IP.
If I want to self-host something, then with IPv4 I have publish my IP and worry about the CPE supporting port forwarding. With IPv6 I have publish my IP and use UPnP/PCP to allow all connections. Is there any CPE gear that does not support UPnP/PCP?
So IPv6 makes things easier—which was the point of my post: IPv6 makes things easier.
No, they do not behave just like NAT. With NAT you have two problems:
* figuring out your address
* firewall hole punching
With IPv6 you already know your address and just give it to the peer you are communicating with. You then tell your firewall to allow connections from the address(:port) that the peer tells you. No STUN, no TURN, no ICE.
* https://en.wikipedia.org/wiki/Hole_punching_(networking)
* https://en.wikipedia.org/wiki/Port_Control_Protocol
* https://en.wikipedia.org/wiki/Universal_Plug_and_Play
* http://www.upnp.org/resources/documents/AnnexA-IPv6_000.pdf
This helps immensely for residential connections since people (generally) control their gateways, and with more and more higher speed (fibre) connections being done, it could help in more self-hosted and peer-to-peer services.
What one is allowed to do at the office would be dictated by the policy(s) of your employer: they could allow PCP/uPNP opening via authenticated requests for example.
* ... and most that do get another router (usually because they have seen that their Wi-Fi on the "modem" is bad) don't turn on** bridge mode which will be a definite headache on both IPv4 (double NAT) and IPv6 (address conflict, especially if you're using an ISP like Comcast that would only allocate a /64 and no more.
** ... because you need to call up the ISP or even outright refused to bridge it (either because they're stupid but you don't have another ISP to switch or the equipment manufacturer of their garbage special router didn't program one).
I've been running IPv6 at home >2 years. You're telling me that my own experience is invalid?
What about phone networks? (in the US providers block all incoming traffic.) Or other ISPs that block incoming traffic?
NAT has been used to address a fundamental problem of what traffic can be trusted. That's what Tailscale fixes.
But until deployment hits 100%, and until ISPs start caring about IPv6 reliability the way they do about IPv4, "just use IPv6" can't be your answer. It's lovely when it works, but you need to do something other than "give up" when it doesn't. (also, as long as the internet is dual-stacked, doing IPv6 right also implies figuring out if NAT64 is in play, and wielding it correctly; so arguably IPv6 adds more complexity to the overall story, for now :) )
Avery Pennarun, its CTO, is somebody whose judgment I am used to trusting.
Then I learned that to use it, I would be dependent on authenticating using a login on one of the unaccountable internet behemoths who could take away my account for any random reason or no expressed reason at all.
No, thank you.
As far as threat models go, I can't really say I understand this one too much.
Just because a service you sign up for is not contentful, does not mean that they won't choose to boot you off for some reason completely unrelated to anything you control or anything you chose to do.
If we (the US) decided to invade Canada tomorrow, you can be certain that the maple syrup would stop flowing.
Edit: According to their website[1], the overwhelming majority of their employees are in Ukraine. Two of the three cities they have offices in are on the current combat front.
[1]: https://www.namecheap.com/careers/ukraine
As far as paid services the possibility also is there that someday _you_ run out of money and have to stop paying them. They tend to shut down your access when that happens. Another financial threat you have to model.
These things don't happen when you use public key authentication.
Google will throw you on your ass in the blink of an eye.
What matters most is if they can. Then, if they ever have done. What I want is that they can't.
> Be kind. Don't be snarky. Have curious conversation; don't cross-examine. Please don't fulminate. Please don't sneer, including at the rest of the community.
> Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
I _could_ use my github account, but I don't trust them at all anymore. And I'm not going to setup an account with some other service just to use this. So that is a hard pass for personal use.
For a company it makes sense to have to use whatever sso provider you are already using i guess
Super annoying and borderline unacceptable.
Some people suggest trying Nebula instead.
David Crawshaw is CTO.
I've just setup tailscale in a few minutes, very smoothly. I'm impressed it scales down to this kind of simple use case nicely, and it seems it has nice features as my use cases might scale up.
(btw. I love Wireguard - currenly using it to route traffic between my servers + transfer media between my home and my mother's mediacenter with both PCs being behind their own router - she loves it too as so far there were no problems hehe)
The NAT traversal stuff is all magic that happens before the socket is given to wireguard.
I took a stab at recreating one of the diagrams here, using pikchr: https://zellyn.com/2022/02/tailscale-diagram-in-pikchr/
That's such a broad "mission statement" that I wonder if it's effective at all. I mean, what SaaS wouldn't say that they fix something with the internet? That's to whole reason for online businesses solving one or another problem.
How could that statement help them guide their implementations of various solutions?
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
[0]: https://tailscale.com/blog/remembering-the-lan/
Apparently, it's a VPN.
The home page is a pretty clear exposition of what TailScale is: https://tailscale.com/
But given the huge amount of money invested, pressure will go into other directions. I'm afraid my (aside of the iOS issues) beloved Tailscale is on a path to expensive enterprisey bloat, losing what made it so good (the JSON based ACLs, the external authentication provider reliance, etc - GitHub Auth is a killer-feature for me for example)
That's https://github.com/tailscale/tailscale/issues/1572 which we haven't given up on. It's just not done. We did it for macOS and we thought the same thing would've worked for iOS (they share ton of the same code) but it apparently didn't work.
The mobile apps have been a low priority thus far. We just recently hired some people to work on them, though.
The highest priority for them currently is fixing battery life (we do some dumb things when LTE + wifi are both available, and when using exit nodes, and some unnecessary heart beating that sucks on mobile) and then there's also a mobile app redesign (or just "design" coming).
We like Headscale and we're super glad that it exists. (they saved us some work by doing it first, as our control server wasn't in a releasable state) We keep Juan et al updated when there's protocol changes or things they can do. (e.g. recent https://github.com/juanfont/headscale/issues/552)
If this was about heart beating, I would expect that to only happen when the client is connected.
Also, in the battery stats, the background usage is there and tailscale is listed, but with - % of battery usage.
However, when I force quit tailscale, all of the background energy usage goes away.
Have you tried 1.24.2 that's just as of yesterday on the App Store? It fixes one of the worst of the offenders (but not all yet).
In any case, we understand a lot of the problems now and plan to work on it soon.
https://i.imgur.com/hQU6Orz.jpg
Tailscale app not force quit but also not connected
Fun little thing we did with it: nobody can access the prod network without requesting access via a Slack bot (powered by https://indent.com/). So somebody requests access, another authorized person approves it, and the Tailscale ACLs are updated for X minutes and then reset.
Access to secure environments is super low friction but more secure (with fantastic audit trails) than ever.
However this is the path that could move them towards being pressured to add a bunch of bloat, followed by acquisition pressure and a big payout that will likely eventually cause the product to stagnate after the founding team leaves and the buyers don't care.
I really hope they’re all already rich enough that they aren’t tempted by that. :-)
Update: altered content to add more speculative version.
(Disclosure: I'm a (small) investor via Latacora's sibling fund, Lagomorphic.)
[0] https://github.com/juanfont/headscale
There is an oss [2]coordination server that does let you totally self-host.
[1] https://tailscale.com/blog/how-nat-traversal-works/
[2] https://github.com/juanfont/headscale
Not that they do it, but the possibility is there, and one has to account for risks.
edit: Only the client is open source. See clarification below.
There is an open source alternative called headscale [0]. The main downside is that you'll need to run it.
The closed source centralised control server has other potential issues though, and it ends up being up to the user to decide what's the right balance of security vs convenience.
[0] https://github.com/juanfont/headscale
$100M seems more than a small-scale operation or is $100M in tech actually small scale?
(1) The old school castle and moat IT model that dominates at 99% of companies. If we can disrupt this then TS, ZT, and four other upstarts could all become billion dollar companies. Right now 1-2% of this market has been disrupted at most.
(2) The put everything in the cloud and everyone gets a thin client model. If that wins then all of us lose because there is no market for endpoint connectivity. We also lose all privacy, all data ownership, and all ability to experiment or innovate without paying for it by the instance-hour with TOS-enforcement bots looking over our shoulder.
Avery and the team at Tailscale are building a fantastic product and totally deserve the round and recognition, huge congratulations - we're super happy for them.
In many ways they're also an ice-breaker for the zero trust overlay network architecture, which means they've got the most work to do. As the current top comment on this thread correctly notes, with huge investment comes the obligation to eventually pay it back.
The market hasn't even come close yet to crossing the chasm and seeped into mainstream conscience to become the accepted norm - yet.
That said, we believe fiercely that networks should be simple to reason about, easy to use and safe to operate. That private connectivity should “just work”, and just work in exactly the same way, everywhere too. Flexible to change, simple to automate and only available to the right things at the right times.
When you think about it, building private networks is actually pretty complex right now and can be pretty insecure too. It's some unholy combination of spell casting meets a yak shaving contest to wrangle firewalls, VPNs, MTUs, and manage IPs, subnets, ACLs, NSGs, VPCs, NAT, routing, VLANs, certificates & secret keys, then hoping a zero-day doesn't show up that drops someone straight into the network via the VPN server, who then starts poking around the squishy centre.
Once you've used products like Enclave, Tailscale or ZeroTier and seen how simple private networks really can be - at a certain point you almost stop and ask the question, why would you not do it like this.
There will always be nay-sayers and people for whom this approach just isn't a fit, and that's fine - but I personally find it hard to imagine that this genie can be put back in the bottle.
- Founder @ https://enclave.io
But if we don't succeed in disrupting the actual competition everyone fails.
At least that's how I look at this market.
Of course I'm also a mostly-follower of the "ignore your market peers, focus on the customer" philosophy. Your greatest competition is always your own shortcomings.
[0] - https://www.netmaker.org/
"Fixing the Internet" is not done by layering more private network garbage on top of it.
Their claim[0] that after you install Tailscale on all your devices: "This final configuration is called 'zero trust networking',” is pretty interesting. It seems this would be more like having a trusted internal network (sure it is overlaid on an untrusted network). A true zero-trust network would mean all of your clients and servers are secure in a manner that they can operate on the public Internet...like O365, Salesforce, etc. To say that you run a zero-trust network because you implement a fancy VPN is C-suite dreaming at its finest.
"get around a misbehaving corporate firewall" like newhouseb sings praises for is exactly the sort of thing that should be happening less, and the opposite of "fixing the Internet". Follow the policies of the network you are being allowed to use, or lobby for them the be fixed. Don't like ISPs messing with DNS traffic? Get rules/laws implemented that prohibit that, instead of garbage like hiding your DNS in DNS over HTTPS. (DNS over TLS seems more acceptable to me.)
[0] https://tailscale.com/blog/how-tailscale-works/
Do you live in a place that doesn't regulate things?
And maybe we're all worse-off for it, but now you're done dealing with that issue.
You know this does not work in the real world right?
For whatever reason, SYN flooding detection triggers when you do more than a few TCP connections per second which makes most TCP-based things super frustrating and their IT is clueless as to how to fix it.