behnamoh 6 hours ago

How does Tailscale make money? I really like their service but I'm worried about a rug pull in the future. Has anyone tried alternative FOSS solutions?

Also, sometimes it seems like I get rate limited on Tailscale. Has anyone had that experience? This usually happens with multiple SSH connections at the same time.

dimatura 6 hours ago | parent | next [-]

Our company pays for the premium business plan, $18/mo/user. You have to pay for at least the lower tier plan once your team grows beyond a handful of people. And there are several quite useful features (though maybe not essential) on the premium plan like serve/funnel and SSH.

On the other hand, I do wonder about zerotier. Before tailscale we used zerotier for a few years, and during the first 3-4 years we paid nothing because as far as I can recall there was nothing extra that we needed that paying would've gotten us. Eventually we did upgrade to add more users, and it cost something like $5/mo (total, not per user).

gpm 5 hours ago | parent | next [-]

I've used serve/funnel on the tailscale free tier... definitely agree that the team size limit seems like it would move companies to the paid plan though.

dimatura an hour ago | parent [-]

I think how it works usually is that they let you use the features from higher tier plans than the one you're on; once you use them enough they send you an email asking to upgrade. That's what happened to us and I've seen other users mention it. Not sure how I felt about it, OTOH maybe it was less friction than explicitly subscribing for some "2 weeks free trial" or whatever but OTOH it did feel weird and unexpected. Anyway, we felt the extra features were worth it so ended up paying.

gpm 43 minutes ago | parent [-]

Hmm...

Ok I checked the pricing page and funnel is available in the free tier (limited to 3 users) but not the $6/user/month tier - which you need for more than 6 users... strange pricing structure but I guess I see the logic.

Any chance you were asked to upgrade from $6/user/month to $18/user/month and not free to $18/user/month?

https://tailscale.com/pricing#application-networking

tamimio 5 hours ago | parent | prev | next [-]

Zerotier is not the same as tailscale. Although both can be used to do the same thing, under the hood they are fundamentally different: ZT is layer 2, like a switch, so it's like Ethernet, while TS is built on top of wireguard and is layer 3. ZT allows broadcast/multicast and has its own protocol; TS doesn't. I use both, among others, and ZT since around 2019. I found it reliable in some cases in the IoT world, while TS had better throughput in usual applications.

dimatura an hour ago | parent [-]

Yeah, they're not direct replacements. I think both models have their pros and cons. In fact I tried both around when covid shutdowns started (server being in the office, me at home), and liked zerotier better; it was faster, and a more generous free tier. But now tailscale has won out for a couple of reasons; the main one, it's simply less flaky for us on macOS, especially for devs working overseas. No idea why and maybe there's simple fixes (that don't involve repeated connections/disconnections, hopefully). The other, tailscale has a few extra things that are nicer and easy to use like identity-based ACLs, funnel/serve, magicDNS, ssh management, etc.

lysace 5 hours ago | parent | prev [-]

How do you handle the do-before-thinking devs? Or the kinda low-to-mid performing devs? Most companies have one or a few of those, right? They help the company machine go around by doing the somewhat boring stuff over and over again.

Tailscale in a company/developer env seems awesome when you know what you are doing and (potentially) terrifying otherwise.

Does someone set up detailed ACLs for what's allowed? How well does that work?

madeofpalk 5 hours ago | parent [-]

> How do you handle the do-before-thinking devs?

Isn't that exactly what tailscale is built to accommodate - zero trust?

You set up ACLs and other permissions to not allow people to do more than the damage you can tolerate.

nickburns 4 hours ago | parent [-]

Zeroconf ≠ zero trust. The difference could not be more material in this context.

tonyplee 3 hours ago | parent [-]

If both sides of your ssh tunnel (pub,private keys) are under your control, in theory, that's "zero trust".

Unless one considers the meta data such as src/dest IP are visible to Tailscale sw.

Right?

nickburns 3 hours ago | parent [-]

'Zero trust' has a technical definition that's not really relevant here. See: https://en.wikipedia.org/wiki/Zero_trust.

The concept is separate from 'zero config' (https://en.wikipedia.org/wiki/Zero-configuration_networking), which Tailscale's low technical barrier to entry evokes.

vizzier 6 hours ago | parent | prev | next [-]

> Also, sometimes it seems like I get rate limited on Tailscale.

As I understand it, if everything is working properly you should end up with a peer to peer wireguard connection after the initial connection using Tailscale's infrastructure, i.e., there should be nothing to rate limit. There are exceptions depending on your network environment where you need one of the relays noted in this post.

As for opensource alternatives:

https://github.com/juanfont/headscale can replace Tailscale's initial coordination servers

and https://netbird.io/ seemed to be a rapidly developing full stack alternative.

arsome 6 hours ago | parent [-]

Headscale also offers a relay server of its own.

evmar 6 hours ago | parent | prev | next [-]

They wrote a blog post addressing this concern: https://tailscale.com/blog/free-plan

riknos314 6 hours ago | parent [-]

The Tl;Dr here is that the cost to them of operating the free tier is lower than what they estimate their Customer Acquisition Cost would be without a free tier, so the free tier generates better leads/conversions to their paid products at a lower cost than traditional sales and marketing.

As long as these economics continue to hold they'd be stupid to discontinue the free tier.

hashstring 2 hours ago | parent | next [-]

Makes me wonder.

Say 5% of the free tier users convert to paying customers within 5 years. And user growth is constant. Then over time, you will get a much larger free tier user base, compared to your paying customers (in absolute numbers). At some point, it must become tempting to charge all free tier users a little bit to continue, because the group got so big, so there is a lot that can be earned there.

Is this wrong, or should we expect this?

tokioyoyo 2 hours ago | parent [-]

Cloudflare still operates like this.

eleventyseven 5 hours ago | parent | prev | next [-]

But it isn't 'economics' as there is no actual data or science here, just a wild guess about what customer acquisition might currently cost. All it takes to rug pull is some exec speculating that 'the economics' have changed.

erikpukinskis 5 hours ago | parent | next [-]

Any mature SaaS company will have exact measurements of acquisition costs. This is advertising, sales staff, etc.

This is one of the most fundamental components of SaaS accounting, it’s absolutely not a “wild guess”.

dagi3d 5 hours ago | parent | prev | next [-]

Acquisition cost can definitely be calculated. I'm pretty sure they know how many customers do convert into paying users from their free tier and how much it costs to get them through other channels.

roughly 4 hours ago | parent | prev [-]

> But it isn't 'economics' as there is no actual data or science here, just a wild guess

Welcome to economics.

wat10000 5 hours ago | parent | prev [-]

All it takes is for the decision-maker who gets the credit for cutting costs by removing the free tier to be a different person from the one who gets the blame for higher customer acquisition costs. Not saying it'll happen, just that it being a bad move isn't a guarantee.

Aurornis 5 hours ago | parent | prev | next [-]

Tailscale is a perfect example of using a free tier to become popular with developers, who then evangelize the product to their employers. The employers pay for business scale plans.

zephen 2 hours ago | parent [-]

I wonder about this.

The hoops you have to jump through to be on two different tailnets might dissuade some home users from even bringing it up at work.

baq an hour ago | parent [-]

Home users being on multiple tailnets is serious power user territory

allthetime 5 hours ago | parent | prev | next [-]

Facilitating peer to peer connections is cheap.

Just like cloudflare, a healthy free offering makes lots of happy/loyal developer users. Some of those users have business needs / use for the paid features and support and will convince their managers to buy in.

prodigycorp 6 hours ago | parent | prev | next [-]

I love tailscale but you may be right, it's entering that acquisition zone that'll inevitably bum everyone out.

Salesforce, stay away from it!

tomxor 5 hours ago | parent | next [-]

I have the same fears. Last year they publicly stated they are not interested in acquisition [0]

> Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).

> “Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”

Nothing is set in stone, after all it's VC backed. I have a strong aversion to becoming dependent upon proprietary services, however I have chosen to integrate TS into my infrastructure, because the value and simplicity it provides is worth it. I considered the various copycat services and pure FOSS clones, but TS are the ones who started this space and are the ones continuously innovating in it, I'm onboard with their ethos and mission and have made use of apenwarr's previous work - In other words, they are the experts, they appear to be pretty dedicated to this space, so I'm putting my trust in them... I hope I'm right!

[0] https://betakit.com/corporate-vpn-startup-tailscale-secures-...

nerdsniper 5 hours ago | parent | next [-]

Would be curious if a partial decompilation and short static analysis would yield any reliable info about what they might be collecting.

omnimus 5 hours ago | parent | prev [-]

Just note, I doubt Tailscale was the first popular VPN manager, as I remember many hobby users are Zerotier converts, and there are also much older products like Hamachi.

Tailscale have built a great product around wireguard (which is quite young) and they have great marketing and docs. But they are hardly the first VPN service - they might not even be the most popular one.

tomxor 4 hours ago | parent | next [-]

Yes, I ambiguously said "started this space"... and to be honest even in the most generous interpretation that's probably incorrect, maybe ZeroTier started "this space", in that it had NAT busting mesh networking first.

As far as I understand, Tailscale brought NAT busting mesh networking to wireguard + identity first access control, and reduced configuration complexity. I think they were the first to think about it from an end to end user perspective, and each feature they add definitely has this spin on it. It makes it feel effortless and transparent (in both the networking use sense and cryptography sense)... So I suppose that's what I mean by started, TS was when it first really clicked for a larger group of people, it felt right.

tietjens an hour ago | parent | prev [-]

Might be time to learn me some Wireguard.

politelemon 6 hours ago | parent | prev [-]

Dearest Salesforce, Apple, Oracle, and IBM. Please look elsewhere for acquisitions to ruin for everyone. Cheers.

nsbk 6 hours ago | parent | prev | next [-]

At this point Tailscale is working so well and I'm so happy with it that I'm afraid it's time to start migrating to Headscale [0] for my home network. The rug pull may just be too painful otherwise!

[0]: https://headscale.net/

sureglymop 6 hours ago | parent [-]

I've been smoothly running headscale on a hetzner vps for many months now. Works without issues (note that it does lack some features still).

ErneX 5 hours ago | parent [-]

Same here.

allthetime 5 hours ago | parent | prev | next [-]

Facilitating peer to peer connections is cheap.

Just like cloudflare, a healthy free offering makes lots of happy/loyal users. Some of those users have business needs / use for the paid features and support.

tiernano 6 hours ago | parent | prev | next [-]

It's free for up to 3 users. After that you need to start paying.

criddell 4 hours ago | parent [-]

I have a family of 4 so I pay and it's still crazy cheap. I've wondered how sustainable it is.

Lammy 5 hours ago | parent | prev | next [-]

> How does Tailscale make money?

They spy on your network behavior by default, so free users are still paying with their behavioral data. See https://tailscale.com/docs/features/logging

“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

They know what you're doing, when, from where, to where, on your supposedly “private” network. It's possible to opt out on Windows, on *nix systems, and when using the non-GUI client on macOS by enabling the FUD-named “TS_NO_LOGS_NO_SUPPORT” option: https://tailscale.com/docs/features/logging#opt-out-of-clien...

It is not currently possible to opt out on iOS/Android clients: https://github.com/tailscale/tailscale/issues/13174

For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326

jzelinskie an hour ago | parent | next [-]

I'd love to have someone else chime in on this because I did some spelunking and am not sure if this comment is true.

I checked my DNS logs and saw zero attempts to resolve `log.tailscale.com` having run tailscale for many years (I added it to a blocklist anyway). From their admin panel, it appears "networking logging" requires paying for Premium[0], so it's not being used for free users (or Personal Pro).

Also, from looking at some source code (because the docs don't include this), I discovered you can disable logging for the macOS App Store client by doing:

     echo "TS_NO_LOGS_NO_SUPPORT=true" > ~/Library/Containers/io.tailscale.ipn.macos.network-extension/Data/tailscaled-env.txt

[0]: https://login.tailscale.com/admin/logs/network

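
Added example, not part of the thread and not Tailscale's code: one way to run the check the comments above describe, counting lookups of `log.tailscale.com` per day and client in a resolver log. It assumes dnsmasq/Pi-hole-style `query[...]` lines; the sample lines, client addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in dnsmasq/Pi-hole query-log style; not real traffic.
SAMPLE_LOG = """\
Mar  3 10:15:01 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.23
Mar  3 10:15:01 dnsmasq[812]: query[AAAA] log.tailscale.com from 192.168.1.23
Mar  3 10:15:02 dnsmasq[812]: query[A] login.tailscale.com from 192.168.1.23
Mar  3 10:16:40 dnsmasq[812]: query[A] LOG.Tailscale.com. from 192.168.1.40
Mar  3 10:16:41 dnsmasq[812]: query[A] log.tailscale.com.example.net from 192.168.1.40
Mar  3 10:16:41 dnsmasq[812]: forwarded log.tailscale.com to 192.0.2.53
Mar  4 08:00:00 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.23
"""

# Only client query lines count; "forwarded"/"reply" lines would double-count.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def count_lookups(log_text, target="log.tailscale.com"):
    """Return Counter keyed by (day, client) of queries for exactly `target`."""
    want = target.lower().rstrip(".")
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue
        # DNS names are case-insensitive and may carry a trailing root dot.
        name = m.group("name").lower().rstrip(".")
        if name != want:  # exact match, so lookalike suffixes are ignored
            continue
        day = " ".join(line.split()[:2])  # syslog-style "Mar 3"
        counts[(day, m.group("client"))] += 1
    return counts


def total_for_client(counts, client):
    """Sum one client's lookups across all days in the log."""
    return sum(n for (_, c), n in counts.items() if c == client)


if __name__ == "__main__":
    for (day, client), n in sorted(count_lookups(SAMPLE_LOG).items()):
        print(f"{day}  {client}  {n}")
```

A count of zero only shows that no lookup for the name passed through this resolver.
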
nickburns 5 hours ago | parent | prev [-]

Pretty much this. DNS, SNI, and otherwise plaintext traffic sniffing. That together with user/device 'fingerprinting' (a much more amorphous concept), and that's why such-and-such thing you were just talking about with so-and-so pops up on your screen/feed/whatever, sometimes only minutes later.

I highly doubt any of this can actually be opted-out of. How else would they stay in business?

namtim 4 hours ago | parent [-]

The `TS_NO_LOGS_NO_SUPPORT` option opts out of all log collection, and says in the name why it is collected in the first place. Tailscale has support for all users, including free, and having access to logs has to be how they can provide free support. Having quick access to logs reduces the time it takes to handle tickets, so they can help more people quickly and don't need to limit support to only paying users.

The core client code is open source, feel free to inspect it yourself.

nickburns 4 hours ago | parent [-]

The client may be open source. But the service is obviously not.

Don't let that deter you from trusting whomever you choose, though.

fdefitte 4 hours ago | parent | prev | next [-]

If you're worried about a rug pull, you should be. Not because Tailscale is shady, but because that's just how VC-funded infrastructure works. The free tier exists to build lock-in, not out of generosity. Headscale exists but honestly it's a pain to run compared to just paying Tailscale $18/user. The real answer is: if it's critical infrastructure, you should be running Wireguard directly and owning the coordination layer yourself. Everything else is renting convenience.

batrat 3 hours ago | parent [-]

It happened to others but there are also some very good examples like Veeam community edition which, IMO, is the best backup software. They had lots of discussions and even pressure from management to terminate it, but the numbers made a lot of sense and they kept it. Tailscale is at a disadvantage here because they are in a very crowded market and it will be very easy to slip into one corner and make way for others like netbird, netmaker, nebula(?), wireguard (like u said), etc.

thecapybara 6 hours ago | parent | prev | next [-]

I self-host a few apps and use Tailscale to access them remotely. It's worked well, so I recommended it as a possible solution to allow employees at my company to remotely access some on-prem resources while remote, and that's being considered. If we go with that, then that'd be Tailscale making money from me using the free plan.

eurg 6 hours ago | parent | prev | next [-]

Companies pay for it. And except for their DERP servers, free users don't cost them much.

zaphar 5 hours ago | parent | prev | next [-]

There are a number of features and teamsizes that they provide where you have to pay money. Most company users are going to end up paying them money. But also their emphasis on P2P connections means their costs are quite low. It doesn't add much overhead to have the smallish number of personal users out there. They've talked about how having the free tier helps to force them keep those costs down in useful ways.

dec0dedab0de 5 hours ago | parent | prev | next [-]

Wouldn't the FOSS alternative be to simply use wireguard?

newsoftheday 5 hours ago | parent | next [-]

I do, I use a VPS (at OCI free) to host Wireguard. My home systems (running my production web sites and email) are on my VPN and mine and my wife's phones. I hand configured it all but it wasn't difficult for me.

iso1631 5 hours ago | parent | prev | next [-]

Most posters on HN barely know what a subnet is so it's not that simple

There's two key features

1) Tunnel management

Tailscale will configure your p2p tunnels itself - if you have 10 devices, to do that yourself you'd have to manage 90 tunnels. Add another device and that goes up to 100. Remove a device and you have 9 other devices to update.

2) Firewall punching

They provide an orchestration system which allows two devices both behind a nat or stateful firewall to communicate with each other without having to open holes in the firewall (because most firewalls will allow "established" connections - including measuring established UDP as "packet went from ipa:porta to ipb:portb 'outbound', thus until a timeout period any traffic from ipb:portb to ipa:porta will be let through (and natted as appropriate)").

The orchestration sends traffic from ipa to ipb and ipb to ipa on known ports at the same time so both firewalls think the traffic is established. For nats which do source-port scrambling it uses the birthday paradox to get a matching stream.

I believe you can run a similar headend using "headscale" yourself.
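
Added example, not part of the thread and not Tailscale's code: the birthday-paradox step mentioned in the comment above, worked through as a probability. It assumes one side holds `open_ports` NAT mappings chosen uniformly from ports 1..65535 while the other side probes distinct random ports; the 256-socket and probe-count figures are illustrative parameters, not values from the thread.

```python
import math
import random

PORTS = 65535  # assumption: the NAT picks mappings uniformly from ports 1..65535


def hit_probability(open_ports, probes, ports=PORTS):
    """Chance that `probes` distinct random ports include at least one of the
    `open_ports` mappings the far side currently holds open."""
    if probes <= 0 or open_ports <= 0:
        return 0.0
    if open_ports + probes > ports:
        return 1.0  # pigeonhole: a hit is certain
    # P(all probes miss) = C(ports-open, probes) / C(ports, probes)
    log_miss = sum(
        math.log((ports - open_ports - i) / (ports - i)) for i in range(probes)
    )
    return 1.0 - math.exp(log_miss)


def probes_needed(open_ports, target, ports=PORTS):
    """Smallest probe count whose hit probability reaches `target` (<= 1)."""
    lo, hi = 0, ports - open_ports + 1  # at `hi` a hit is certain
    while lo < hi:
        mid = (lo + hi) // 2
        if hit_probability(open_ports, mid, ports) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def simulate(open_ports, probes, trials=2000, seed=1, ports=PORTS):
    """Monte Carlo cross-check of hit_probability with a fixed seed."""
    rng = random.Random(seed)
    space = range(1, ports + 1)
    hits = 0
    for _ in range(trials):
        mapped = set(rng.sample(space, open_ports))
        if any(p in mapped for p in rng.sample(space, probes)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for k in (174, 1024):
        one = hit_probability(1, k)      # guessing a single scrambled port
        many = hit_probability(256, k)   # 256 mappings open at once
        print(f"{k:5d} probes: 1 port {one:.4%}, 256 ports {many:.2%}")
    print("probes for 50% with 256 ports:", probes_needed(256, 0.5))
```
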

NoiseBert69 5 hours ago | parent | prev [-]

Yes and no. It's much manual work to get WG to behave like Tailscale.

Suffocate5100 5 hours ago | parent | prev | next [-]

Nebula is what we use. It's definitely not as convenient, but it's 100% self-ownable.

gz5 6 hours ago | parent | prev | next [-]

OpenZiti (Apache 2.0):

https://github.com/openziti/ziti

bityard 3 hours ago | parent [-]

This is a secure mesh network, but it appears to be for embedding into applications, not a "private VPN" like Tailscale, or do I misunderstand?

pkulak 4 hours ago | parent | prev | next [-]

I pay $5 a month, and my company has a license for every employee.

mrsssnake 5 hours ago | parent | prev [-]

Free personal tier is basically a cheap advertisement for them. You try Tailscale personally and get used to it, then it is very likely you would want to deploy it at your work seeing the benefits scaling even more with more people. And then they make money.

QuercusMax 4 hours ago | parent [-]

1000%. Tailscale is the first VPN I've used that makes my life easier, and I'm using it for personal access to my selfhosted servers at home. I will definitely recommend it to companies I work for in the future.