Friendly reminder that Tailscale is VC-funded and driving towards IPO
-
Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
Nerds stop recommending corporate crap: challenge: impossible
-
Vps can be really inexpensive, I pay $3 a month for mine
Or get something like a rapsberry-pi (second hand or on a sale). I have netbird running on it and I can use it to access my home network and also use it as tunnel my traffic through it.
-
Wireguard if you're just using it yourself. Many various ways to manage it, and it's built in to most routers already.
Otherwise Headscale with one of the webUIs would be the closest replacement.
I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn't actually access it if I wasn't initially on my home network, oops.
I might play around with it again down the road with a cheap VPS, didn't take long to get it going, but realistically my setup's access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I've been seeing).
-
If you just have to talk from many devices to the one server sure, but Tailscale sure makes it easy for many to many. Also if a direct connection is impossible (e.g. firewall of china, CGNAT etc) tailscale puts a relay server in the middle for you.
My entire setup might not be your entire setup, I have the basic functionality of connecting multiple systems into one mesh network. That's all I needed so it's all I did.
-
I am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.
Your Pi-Hole act as your DNS, so the VPS use the pi-hole through the tunnel to check for the translation IP, as set through the DNS directive in the wg file. For example, my pi-hole is at 10.0.20.5, so the DNS will be that address.
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Does that make sense?
wrote last edited by [email protected]the VPS uses the pi-hole through the tunnel
The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.
server dns - itself
client dns - the server's wg address
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn't aware I host anything at all.
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
Pihole (in my case) can't see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Allowed ips = 10.x.x.0/24 - only connects the clients and server together
Allowed ips = 0.0.0.0/0 - sends everything through the VPN, and connects the clients and server together.
Do the top one, that's how TS works.
-
the VPS uses the pi-hole through the tunnel
The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.
server dns - itself
client dns - the server's wg address
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn't aware I host anything at all.
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
Pihole (in my case) can't see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Allowed ips = 10.x.x.0/24 - only connects the clients and server together
Allowed ips = 0.0.0.0/0 - sends everything through the VPN, and connects the clients and server together.
Do the top one, that's how TS works.
Thanks for the info, I appreciate it.
-
Ok I can understand awareness. This whole time I've been thinking, Plex started in 2008 and 'Plex Hate' followed about two years into it's existence and has perpetuated itself for these 15 +/- years now. So I'm wondering, if during this time, anyone's personal narrator went off in their head with something like:
Hey bro....you know we're gonna have to dismount.
Awww maaan!
Yeah, I know it's your little honey hole but we're going to have to marry it if this keeps up.
Perhaps I misread the tone of the article.
wrote last edited by [email protected]What you want to look at is the size of the hate and the material reasons for it. And that's fairly difficult to measure if you're not paying close attention. Plex hate has been growing dramatically over the last few years because they materially changed their service. They began collecting data some time ago and now they are selling it unless you go and opt out. So the hate is much larger and louder for that reason. For me those last changes were the straw that made it clear we're just one small push for profit away from my sailing habits getting sold to the American copyright lobby. So I'm currently trialling Jellyfin.
In addition as some have highlighted Jellyfin is markedly different from Plex or Emby in that it's open source and if something happens to it, forking is the way out, which already happened since Jellyfin is a fork of Emby. Migrating from one open source project to its fork is usually trivial compared to migrating from a proprietary service to another one. And there's no reasonable chance of my data ending up in the RIAA/MPAA's hands. So the Plex -> Jellyfin switch everyone is doing is not merely switching to another horse. It's more like switching to completely different vehicle that you can maintain indefinitely.
E: This process we currently call "enshittification" (not a new process) has now been experienced by wide swaths of people where previously only a small minority understood it. I think that drives faster and wider reaction to these patterns as they're now very familiar. I think that's a good thing. I used to give corporations more benefit of the doubt and think in balance but then I did not understand why they do what they do. Now I do and the benefit of the doubt is gone unless there's something material to support it. Like having open source clients.
-
Ah, I see where I got confused. Yeah, CGNAT isn't very common around here. I don't think I've ever run into an ISP that uses it. I can see how that complicates things.
It's more common with mobile-based connections like satellite connections or mobile-LTE data based connections, I believe.
-
Just use normal wireguard, why do you need tails or heads at all?
Or be like me stuck in the 2000s using OpenVPN still in 2025 lol
-
What you want to look at is the size of the hate and the material reasons for it. And that's fairly difficult to measure if you're not paying close attention. Plex hate has been growing dramatically over the last few years because they materially changed their service. They began collecting data some time ago and now they are selling it unless you go and opt out. So the hate is much larger and louder for that reason. For me those last changes were the straw that made it clear we're just one small push for profit away from my sailing habits getting sold to the American copyright lobby. So I'm currently trialling Jellyfin.
In addition as some have highlighted Jellyfin is markedly different from Plex or Emby in that it's open source and if something happens to it, forking is the way out, which already happened since Jellyfin is a fork of Emby. Migrating from one open source project to its fork is usually trivial compared to migrating from a proprietary service to another one. And there's no reasonable chance of my data ending up in the RIAA/MPAA's hands. So the Plex -> Jellyfin switch everyone is doing is not merely switching to another horse. It's more like switching to completely different vehicle that you can maintain indefinitely.
E: This process we currently call "enshittification" (not a new process) has now been experienced by wide swaths of people where previously only a small minority understood it. I think that drives faster and wider reaction to these patterns as they're now very familiar. I think that's a good thing. I used to give corporations more benefit of the doubt and think in balance but then I did not understand why they do what they do. Now I do and the benefit of the doubt is gone unless there's something material to support it. Like having open source clients.
there’s no reasonable chance of my data ending up in the RIAA/MPAA’s hands
Well, I have had dealings with the RIAA back in the pre-Napster era when audio on the internet had not really come into it's own and most people associated audio on the internet with GeoCities midis....pretty crappy stuff. I ran a fairly successful, fully liscensed, internet radio station with a company called the IM Radio Networks. They along with Phillips created one of the world's first bookshelf stereos that could 'tune in' internet radio as well as AM/FM. Even went to Washington with others to plead our case before a hearing that included Senator Leahy. Yeah, the RIAA are a bunch of reactive assholes and have never been proactive since AM radio first crackled into people's homes.
I used to give corporations more benefit of the doubt and think in balance
I've always figured that if it was offered for free on the internet, there were always going to be strings and at some point I'd have to do something different to achieve the same results I was looking for.
-
Well yes I know, but there is a difference between using a domain bound to me as a person and a random string of numbers that changes every 5 minutes
Chances are you've had the same public IP for a long time. Mine hasn't changed in 2 years.
-
Yea, but in iOS?
I mean is anything iOS really open source?
-
Chances are you've had the same public IP for a long time. Mine hasn't changed in 2 years.
@chronicledmonocle @Vinstaal0 I used to work for a dial-up ISP. Every IP is registered to an account, if you're going through your ISP (as opposed to, say, coffee shop or hotel wifi). Though the people who have the information are different (ICANN/registrar vs your internet provider), there's no anonymity in your home IP address even with CGNAT.
As far as your domain, you should have privacy protection enabled so people can't find your personal info via whois.
-
I'm unsure if it has been mentioned, but a similar tool which is open source (you can run the backend unlike tailscale), netbird
We've implemented netbird at my company, we're pretty happy with it overall.
The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don't seem to have any plans for ever really solving that. As long as you can live with that, it's a good solution.
Support is a mixed bag. Mostly just a slack server, kind of lacking in what I'd call enterprise level support. But development seems to be moving at a rapid pace, and they're definitely in that "Small but eager" stage where everything happens quickly. I've reported bugs and had them fixed the same day.
Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.
Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.
-
Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
I didn't really get the allure of it TBH. For most home-based nerds a simple Wireguard host (or OpnSense, OpenWRT etc running such) should be fine, and there are better options for commercial from better-known vendors in the network security space
-
And here I am, still using OpenVPN in 2025 lol
Used to run OpenVPN. Tried Wireguard and the performance was much better, although lacking some of the features some might need/want fit credential-based logins etc
-
Used to run OpenVPN. Tried Wireguard and the performance was much better, although lacking some of the features some might need/want fit credential-based logins etc
Yeah, OpenVPN definitely doesn't have light spec requirements
thankfully hardware is unfathomably powerful these days. -
We've implemented netbird at my company, we're pretty happy with it overall.
The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don't seem to have any plans for ever really solving that. As long as you can live with that, it's a good solution.
Support is a mixed bag. Mostly just a slack server, kind of lacking in what I'd call enterprise level support. But development seems to be moving at a rapid pace, and they're definitely in that "Small but eager" stage where everything happens quickly. I've reported bugs and had them fixed the same day.
Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.
Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.
Thank you for your insight, I'm assuming the only public part is the UI and coturn (the bit that enables two clients between firewalls to hole-punch)?
-
I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn't actually access it if I wasn't initially on my home network, oops.
I might play around with it again down the road with a cheap VPS, didn't take long to get it going, but realistically my setup's access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I've been seeing).
Why does it need to be on a VPS? It seems to work on a home network when I played around with it.
-
Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
I never really understood the point of using Tailscale over plain ol' WireGuard. I mean I guess if youve got a dozen+ nodes but I feel like most laymens topologies won't be complex beyond a regular old wireguard config
