Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
a long runway that allows us to become profitable when needed
Switch to self-hosting headscale when they enshittify in an attempt to become profitable, duh
Been meaning to do this. Tailscale was just there and easy to implement when I set my stuff up. Is it relatively simple to transition?
I mainly use Tailscale (and Zerotier) to access my CGNATED LAN, headscale will require me to pay a subscription for a VPS wouldn’t it?
I really envy the guys who say only use them because they’re lazy to open ports or want a more secure approach, I use them because I NEED them lol.
If (when?) Tailscale enshitify I’ll stick with ZT a bit until it goes the same way lol, I started using it 1st, I don’t know if ZT came before Tailscale though.
Same. I mean, I was already looking to rent a VPS, but at least there’s some time so I can save money until things get weird.
Yeah, don’t get me wrong, I can see value of getting a VPS, especially if you are gonna be using it for some other projects, I have had a DO instance in the past and I thinkered with WG back then BTW, but if it is only for remote accessing your home LAN, I don’t feel like paying for it tbh, especially when some users get it for free (public IPv4) and it feels even dumber for me since I have a fully working IPv6 setup!
BTW my ISP is funny, no firewall at all with it, I almost fainted when I noticed everyone could access my self hosted services with the IPv6 address and I did nothing regarding ports or whatsoever… They were fully accessible once I fired up the projects! I think I read an article about this subject… But I can’t recall when or where… I had to manually set up a firewall, which tbh, you always should do and it is especially easy to do in a Synology NAS.
Anyway, back to the mesh VPN part, if they enshitify so be it, but in the meantime we still can benefit from it.
Thats just how IPv6 works. You get a delegate address from your ISP for your router and then any device within that gets it own unique address. Considering how large the pool is, all address are unique. No NAT means no port forwarding needed!
Vps can be really inexpensive, I pay $3 a month for mine
Same, my Hetzner proxy running NPM, with pivpn and pihole is doing all it needs to do for $3 and some change.
My only open ports on anything I own are 80, 443 and the wg port I changed on that system. Love it.
How does WG work on the local side of the network? Do you need to connect each VM/CT to the wireguard instance?
I am currently setting up my home network again, and my VPS will tunnel through my home network and NPM will be run locally on the local VLAN for services and redirect from there.
I wonder if there is any advantage to run NPM on the VPS instead of locally?
Bookmarking “headscale”!
I only recently started using Tailscale because it makes connecting to my local network through a Windows VM running in Boxes on Linux a hell of a lot easier than figuring out how to set up a networked bridge.
This sounds like a great alternative, and it looks like it can even work on a Synology NAS.
I can’t unfortunately. They only feature I use is that fact I can access my ipv6 only server via an ipv4 only network.
Tailscale never sat right with me. The convenience was nice, but - like other VC-funded projects - it followed that ever-familiar pattern of an “easy” service popping up out of nowhere and gaining massive popularity seemingly overnight. 🚩🚩🚩
I can’t say I’m surprised by any of this.
Would you rather a difficult and hard to use program?
Easy to use means people will want to adopt it, and that’s what VC companies want. Nobody wants to pay millions of dollars to make a program that nobody wants to use.
My problem isn’t directly with the programs - my problem lies with VC funding in general. Because they will come back for their money, and the project will inevitably enshittify and shove out enthusiasts in the never-ending search for infinite money.
The solution is getting rid of VC bullshit entirely. But we all know that will never happen.
I’m just a rat who got pied pipered AGAIN
would you rather …
If it means no VC, yes, without a doubt. That’s kind of the point.
Maybe this is a pet peeve but it’s a vpn tool that forces you to log in with an “identity provider”. Yeah, no thanks.
That’s a basic requirement for almost any company. If you’re into hard coding credentials just use wireguard directly.
There are tons and tons of websites where you can create an account with just your email. I wouldn’t expect a third party account to be mandatory. Specially from a product like this one.
I think there’s room in the world for a selfhosted, foss version of their software, even if a little simplified.
I’m unsure if it has been mentioned, but a similar tool which is open source (you can run the backend unlike tailscale), netbird
Headscale is the tailscale backend server
Well not “the” backend server but “a” different backend server. As far as I know Headscale is a separate implementation from what Tailscale run themselves.
Is there an issue with Netbird’s servers at the moment? In my testing devices are connected and reach eachother, but the web admin is missing a lot of functionality compared to what’s in the docs. The peer devices section is there, but everything else, user settings, rules etc, isn’t showing/says I don’t have admin permission (of my own account… Lol?)
Honestly, no idea, worth checking their GitHub etc or their status pages if they have any
We’ve implemented netbird at my company, we’re pretty happy with it overall.
The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don’t seem to have any plans for ever really solving that. As long as you can live with that, it’s a good solution.
Support is a mixed bag. Mostly just a slack server, kind of lacking in what I’d call enterprise level support. But development seems to be moving at a rapid pace, and they’re definitely in that “Small but eager” stage where everything happens quickly. I’ve reported bugs and had them fixed the same day.
Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.
Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.
Thank you for your insight, I’m assuming the only public part is the UI and coturn (the bit that enables two clients between firewalls to hole-punch)?
Yes, the underlying model is the same as Tailscale, Zerotier and Netmaker (also worth checking out, btw). Clients connect to a central host (which can be self-hosted) and use that to exchange information on addresses and open ports, then form direct connections to each other.
Are there better alternatives? I was planning on using tailscale until now. :P
For me personally, the next step is using Headscale - a FOSS replacement of the Tailscale control server. The Tailscale clients are already open source and can be used with Headscale.
Someone else could give other suggestions.
I’ve been meaning to switch from Tailscale to Headscale but I have been to busy. Do you have any instructions, write-ups/walk-thrus you could recommend to set this up? I have three sites with 1GB internet I can use. One has a whole house UPS but dynamic IP, another has a static IP but no UPS, and the third is Google fiber with no UPS, but I can use the app to get the current IP anytime. I also own a number of domain names I could use.
No writeups. I tried following the Headscale doc for a test last year. Set it up on the smallest DigitalOcean VM. Worked fine. Didn’t use a UI, had to add new clients via CLI on the server. When I set it up for real, I’d likely setup a UI as well and put it in a cloud outside of the US. It would work at home too but any other connection would die if my home internet dies or the power does. E.g. accessing one laptop from another, or accessing the off-site backup location.
Wireguard if you’re just using it yourself. Many various ways to manage it, and it’s built in to most routers already.
Otherwise Headscale with one of the webUIs would be the closest replacement.
Pivpn is really easy, and since pivpn is just scripts, it always installs current wireguard even if they lax on updating pivpn that often.
I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn’t actually access it if I wasn’t initially on my home network, oops.
I might play around with it again down the road with a cheap VPS, didn’t take long to get it going, but realistically my setup’s access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I’ve been seeing).
Why does it need to be on a VPS? It seems to work on a home network when I played around with it.
Well a VPS or an exposed service, but I feel like the latter ends up somewhat defeating the purpose anyway.
When running locally (not exposed), it worked great until I tried to make the initial connection from mobile data - can’t establish a connection to headscale if it can’t reach it in the first place. Unless I’m mistaken, the headscale service needs to be publicly accessible in some way.
Oh gotcha yes it does. Are you on CGNAT with your ISP so you can’t forward ports?
Nah, but personally I have no need to expose anything and would rather avoid the security headaches and such that come with it
A bunch really, Headscale with Tailscale client, Nebula VPN, Netmaker, Zerotier.
Yeah, I also use that, but it’s not quite as easy as the others. Either you’re open to the whole network or you need some form of external key management to add/remove peers from your network.
I use the built in wireguard VPN in my router. If you just need local network access elsewhere it’s usually really easy to setup if your router provides it. I would look into it!
ive been eyeing up netbird but havnt got around to trying it yet. its fully open source at least, and theyre based in germany is anyone cares about that
Just looked at NetBird, it looks suspiciously similar to Tailscale in what it does except they also got an open-source control server. They have self-hosting doc right in their web site. Looks interesting. Can’t find much about the company other than it’s based in Berlin and it’s currently private - Wiretrustee UG.
What’s the difference with their open-source control server, from headscale? That it’s officially published by the company?
deleted by creator
I use Nebula. It’s lightweight, well-engineered and fully under your control. But you do need a computer with a fixed IP and accessible port. (E.g. a cheap VPS)
You can also use “managed nebula” if you want to enjoy the same risk of the control point of your network depending on a new business ;-)
Depends on your use case. If you’re just looking to expose services and are ok having them publicly accessible, there’s Cloudflare Tunnel, or you can run WireGuard on a cheap VPS
Join our Discord server for a chat and community support.
Sigh…
And even worse:
Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the control server.
everything is open source except half of all things.
Lol
To be fair, anything the GUI clients do can be done with the CLI which is still open source and on all desktop platforms and headscale is literally their open source control server.
Yea, but in iOS?
I mean is anything iOS really open source?
Huh, I actually didn’t know this because I don’t use Windows/macOS/iOS. Somehow completely missed this.
Tailscale is great. The principle concern to me is that your super easy mesh network depends on Tailscale so if they want it they have control, and if they change their pricing or options you depend on them, and though they can’t see the data you send they can see the topology of your network and where all your computers/devices are.
I use Nebula, which is more work to set up and doesn’t have some of the features, not But if you slap the ‘lighthouse’ (administrating node) on a cheap VPS it works great. And it has some advantages. But Nebula also troubles me: though it’s fully open source and fully in your control, the documentation isn’t great. Instead, you can now get “managed nebula”, which puts you in the same problem as Tailscale: the company sees and controls your network topology. I fear the company (Defined Networking) is trying to push things that way. Even their android app you can’t fully configure unless you use their ‘managed’ service.
For now, Nebula is great, and my preferred mesh network (I looked into all the main ones). And for Tailscale you can run the administration server yourself with Headscale and be fully in your control.
Actually I wish Tailscale the best as a profitable business. They’ve created a fantastic service and system. But for me, I’d rather my network be in my own hands and for my own eyes. And, as is OP’s main point, once they have enough dependent users, the service might turn much worse.
Netbird seemed to go in a similar way, though still good. I want to try zrok next, looks interesting
Netbird you can still run unlike tailscale with headscale right?
At least hope the backend can be fully ran ?
Yes, and I think it’s the full fat option as well
What do you mean by going in a similar way? Towards an IPO?
Nice to hear your experience with Nebula. I considered it when I went with Tailscale years ago. Now you gotta migrate off of lemm.ee as it’s shutting down soon. :D
Yep. It’s on the TODO list…
What’s the benefit over just WG?
You dont need to manually handle the WG config files. This isn’t really an issue when it’s just you and your two devices, but once you start supporting more people, like non-technical family members, this gets really annoying really quickly.
Tailscale (and headscale) just require you to log in, which even those family members can manage and then does the rest for you. They also support SSO in which case you wouldn’t even have to create new accounts.
Easier/zero configuration compared to manual WG setup. Takes care of ports and providing transparent relay when no direct connection works.
No need to port forward, almost 0 config.
Your tech illiterate grandma can set it up. It’s that easy.
Personally, my ISP (T-Mobile 5G) has CGNAT and blocks all incoming traffic. I can’t simply Wireguard into my network. Tailscale has been my intermediary to get remote access.
I guess it’s time to figure how how to host an alternative on a VPS (I see Headscale mentioned in these comments).
Tailscale uses WG though, so it’s fundamentally the same thing. Like you said - just do Headscale on a VPS.
Or Wireguard on a VPS
WG is worthless in a CGNAT environment… And as we are in 2025 and time doesn’t stop it will be irrelevant for everyone someday, unless they fully support IPv6 (which I don’t know if they do, if you can use WG in a CGNATED network with IPv6 I’d like to know though, I am very rusty setting it up, but it might worth checking it out).
CGNAT is for IPv4, the IPv6 network is separate. But if you have IPv6 connectivity on both ends setting up WG is the same as with IPv4.
deleted by creator
There are some community webUIs for Headscale, headplane in particular looks pretty good: https://headscale.net/stable/ref/integration/web-ui/
I’m not sure otherwise how different the experience would be.
I actually did this instead of tailscale first; installing tailscale on a pfsense router was a challenge, iirc i had to find and install the freebsd tailscale pkg from the command line because the plugin doesn’t give the option to connect to a non-tailscale control plane.
After I did that and connected to my headscale server (on my vps) I could ping pfsense’s local ip over the tailnet, but couldn’t get any traffic out from pfsense. Turns out I had forgotten the pfsense tailscale plugin automatically sets up outbound rules for you.
That was a rabbit hole I didn’t feeling like falling down, so I turned off headscale and just used tailscale account and the normal pfsense tailscale plugin. But it’s there and it does work fine if I ever wanted to go figure out the outbound traffic rules.
Friendly reminder that Tailscale is VC-funded and driving towards IPO
You know what’s to come.
The answer to the question is immediately. Or switch to OpenZiti or Pangolin even.
I spent an afternoon doing precisely that. Bought a domain, a vps, and setup pangolin. Can’t believe how smooth it went.
I just replaced my entire setup with base wireguard as a challenge, easier than I expected it to be, and not hard to mimic tailscale.
Any helpful guids or links you feel like sharing for interested parties?
If you just have to talk from many devices to the one server sure, but Tailscale sure makes it easy for many to many. Also if a direct connection is impossible (e.g. firewall of china, CGNAT etc) tailscale puts a relay server in the middle for you.
I did this was well awhile ago. Felt nice to completely control everything.
Am I totally off-base in thinking that MagicDNS and pluggable DNS nameserver overrides are a huge feature of tailscale?
I love that I can refer to my tailnet devices just via their machine name. I use it everywhere. And also that I can just slot in my NextDNS ID so that any device running tailscale now automatically uses that, and I don’t have to mess with my shared router settings or per device settings. Is all that actually really easy to set up outside of tailscale? Cuz if it is and I just somehow missed that when doing all my research, I’ll happily give plain wireguard or other mesh orchestrators like NetBird a go.
And I already know that mDNS is not the answer. That protocol is simply not reliable enough.
I use wireguard and have public DNS refer to private IPs.
For example if my server is accessible at 10.0.0.1 via wireguard then I point *.myserver.mydomain.com to that IP.
Sorry if I’ve misunderstood your question.
deleted by creator
Nah, DNS is separate and these features are indeed pretty great. I think Headscale can also do them. I think I tested MagicDNS if I recall correctly.
pre-emptive pikachu face strike
I think a lot of companies view their free plan as recruiting/advertising — if you use TailScale personally and have a great experience then you’ll bring in business by advocating for it at work.
Of course it could go either way, and I don’t rely on TailScale (it’s my “backup” VPN to my home network)… we’ll see, I guess.
become profitable when needed
By what, laying off all QA and support staff and half your developers the moment a single quarterly earnings report isn’t spotlessly gilded?
They also had a major ass security issue that a security company should not be able to get away with the other day: assuming everyone with access to an email domain trusts each other unless it’s a known-to-them freemail address. And it was by design “to reduce friction”.
I don’t think a security company where an intentional decision like that can pass through design, development and review can make security products that are fit for purpose. This extends to their published client tooling as used by Headscale, and to some extent the Headscale maintainer hours contributed by Tailscale (which are significant and probably also the first thing to go if the company falls down the usual IPO enshittification).
Isn’t that the entire design philosophy of tailscale?: reduce friction, at the cost of some security.
If security is your main priority, you should be using more secure options, even if they are less convenient or tougher to maintain.
Headscale maintainer hours contributed by Tailscale
Could you expand on this?
There’s a disclaimer in the readme: https://github.com/juanfont/headscale/?tab=readme-ov-file#disclaimer
The maintainer Tailscale contributes happens to be the lead developer by commit count at the moment.
Thank you!
