Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
I’m unsure if it has been mentioned, but a similar tool which is open source (you can run the backend unlike tailscale), netbird
Headscale is the tailscale backend server
Well not “the” backend server but “a” different backend server. As far as I know Headscale is a separate implementation from what Tailscale run themselves.
We’ve implemented netbird at my company, we’re pretty happy with it overall.
The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don’t seem to have any plans for ever really solving that. As long as you can live with that, it’s a good solution.
Support is a mixed bag. Mostly just a slack server, kind of lacking in what I’d call enterprise level support. But development seems to be moving at a rapid pace, and they’re definitely in that “Small but eager” stage where everything happens quickly. I’ve reported bugs and had them fixed the same day.
Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.
Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.
Thank you for your insight, I’m assuming the only public part is the UI and coturn (the bit that enables two clients between firewalls to hole-punch)?
Yes, the underlying model is the same as Tailscale, Zerotier and Netmaker (also worth checking out, btw). Clients connect to a central host (which can be self-hosted) and use that to exchange information on addresses and open ports, then form direct connections to each other.
Is there an issue with Netbird’s servers at the moment? In my testing devices are connected and reach eachother, but the web admin is missing a lot of functionality compared to what’s in the docs. The peer devices section is there, but everything else, user settings, rules etc, isn’t showing/says I don’t have admin permission (of my own account… Lol?)
Honestly, no idea, worth checking their GitHub etc or their status pages if they have any
Join our Discord server for a chat and community support.
Sigh…
And even worse:
Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the control server.
everything is open source except half of all things.
Lol
To be fair, anything the GUI clients do can be done with the CLI which is still open source and on all desktop platforms and headscale is literally their open source control server.
Yea, but in iOS?
I mean is anything iOS really open source?
Yes? There are Lemmy clients that are open source, for instance. And the Wireguard client is.
The iOS app is the exception for now but with the CLI and the core libs being open source it’s at least not off the table to make an alternate iOS client I’d say.
Huh, I actually didn’t know this because I don’t use Windows/macOS/iOS. Somehow completely missed this.
Granted this is not Headscale’s fault, they’re just using Tailscale clients. Either way I’m glad I use a roll-your-own Wireguard.
I and my partner also don’t use those OSs, but it’s more the point of using FOSS when we can.
I think I’ll just keep using tailscale until they start enshittifying, and then set up a Headscale instance on a VPS - no need to take this step ahead of time, right?
I mean, all the people saying they can avoid any issues by doing the above - what’s to stop Tailscale dropping support for Headscale in future if they’re serious about enshitification? Their Linux & Android clients are open source, but not IOS or Windows so they could easily block access for them.
My point being - I’ll worry when there is something substantial to worry about, til then they can know I’m using like 3 devices and a github account to authenticate. MagicDNS and the reliability of the clients is just too good for me to switch over mild funding concerns.
Yeah, as I said, it’s a friendly reminder. I’m personally probably doing it this year. It’s entirely possible that enshittification could come even years from now. It all depends on how their enterprise adoption goes I think. The more money they make there, the longer the individual users are gonna be left unsqueezed.
Nerds stop recommending corporate crap: challenge: impossible
I just replaced my entire setup with base wireguard as a challenge, easier than I expected it to be, and not hard to mimic tailscale.
If you just have to talk from many devices to the one server sure, but Tailscale sure makes it easy for many to many. Also if a direct connection is impossible (e.g. firewall of china, CGNAT etc) tailscale puts a relay server in the middle for you.
My entire setup might not be your entire setup, I have the basic functionality of connecting multiple systems into one mesh network. That’s all I needed so it’s all I did.
Any helpful guids or links you feel like sharing for interested parties?
I did this was well awhile ago. Felt nice to completely control everything.
Can you elaborate how?
Pihole and pivpn get along like peas and carrots.
Make the “available ips” your pivpn subnet and ta-da, the mesh functionality of tailscale without the entire connection.
Want to exit node from the server? Just change the value back to 0.0.0.0/0.
become profitable when needed
By what, laying off all QA and support staff and half your developers the moment a single quarterly earnings report isn’t spotlessly gilded?
Crap, I really need to switch of Tailscale but currently it is an easy way for me to access my stuff outside of home as a temporary solution while I am on a 5G modem.
I can recommend to take a look at netbird.io
I can’t. I tried it first and installed it on my phone from f-droid. After opening it up, it connected to an already existing network with other people’s old machines from years ago on it. I was horrified.
So then I tried to delete my whole account and couldn’t due to an error. I sent them an email about it and they took like two weeks to respond.
Netbird isn’t on F-droid
Are we talking about the same thing?
It used to be
It has never been on F-droid. I’ve been following the service since it started. It didn’t even have a mobile app not that long ago.
It’s possible I misremembered and got the apk from their website or github. Doesn’t change anything though.
I just went back though my emails, I got a reply email from their CTO promising to look into it and they would get back to me, but they never did.
Much more user friendly
Json is awful for config
Crockford is a good and smart person but he really dropped the fucking ball on JSON.
Double-quotes-only and no comments kill the whole spec for me. Extremely opinionated and dumb. I fucking hate JSON.
My boss once sent me a machine generated config. He’s terminally addicted to double-quotes (like, a fatal condition). I searched and there were 27k sequences of
\".Edit: my point is - all that compute and network wasted, every single time the file is requested and parsed. Completely pointless waste
Do you pay for a domain? They likely provide dynamic DNS (DNS). If you’re lucky, they have an API for it, instead of an app, and you can configure a cronjob on your home server to run every 1-5 minutes (or more often, if your IP is super unstable!).
Yeah I can always do that, but putting stuff behind something like Tailscale is (or atleast feels) more secure than making my IP known to the public. I have a DMZ setup though so it should be fine.
Your “IP address” is already public. That’s why an IPv4 address is assigned to you as a “public IP address” and you NAT to a private space. When using IPv6, everything is public.
The key is to secure everything with access restrictions.
Well yes I know, but there is a difference between using a domain bound to me as a person and a random string of numbers that changes every 5 minutes
Chances are you’ve had the same public IP for a long time. Mine hasn’t changed in 2 years.
@chronicledmonocle @Vinstaal0 I used to work for a dial-up ISP. Every IP is registered to an account, if you’re going through your ISP (as opposed to, say, coffee shop or hotel wifi). Though the people who have the information are different (ICANN/registrar vs your internet provider), there’s no anonymity in your home IP address even with CGNAT.
As far as your domain, you should have privacy protection enabled so people can’t find your personal info via whois.
That was the case when I lived with my parents, but now it changes every 5 minutes sadly.
So I had to shut down my Minecraft server etc for now because I am on a 5G modem which makes it really annoying to open up ports and point a domain to your IP
If your IP changed every 5 minutes, you would not be able to have a voice call or anything similar. Your IP probably changes every 24 hours
Tailscale is great. The principle concern to me is that your super easy mesh network depends on Tailscale so if they want it they have control, and if they change their pricing or options you depend on them, and though they can’t see the data you send they can see the topology of your network and where all your computers/devices are.
I use Nebula, which is more work to set up and doesn’t have some of the features, not But if you slap the ‘lighthouse’ (administrating node) on a cheap VPS it works great. And it has some advantages. But Nebula also troubles me: though it’s fully open source and fully in your control, the documentation isn’t great. Instead, you can now get “managed nebula”, which puts you in the same problem as Tailscale: the company sees and controls your network topology. I fear the company (Defined Networking) is trying to push things that way. Even their android app you can’t fully configure unless you use their ‘managed’ service.
For now, Nebula is great, and my preferred mesh network (I looked into all the main ones). And for Tailscale you can run the administration server yourself with Headscale and be fully in your control.
Actually I wish Tailscale the best as a profitable business. They’ve created a fantastic service and system. But for me, I’d rather my network be in my own hands and for my own eyes. And, as is OP’s main point, once they have enough dependent users, the service might turn much worse.
Netbird seemed to go in a similar way, though still good. I want to try zrok next, looks interesting
Netbird you can still run unlike tailscale with headscale right?
At least hope the backend can be fully ran ?
Yes, and I think it’s the full fat option as well
What do you mean by going in a similar way? Towards an IPO?
Maybe not ipo, but it seemed like it had a strong monetisation push a while ago
Nice to hear your experience with Nebula. I considered it when I went with Tailscale years ago. Now you gotta migrate off of lemm.ee as it’s shutting down soon. :D
Yep. It’s on the TODO list…
Friendly reminder that Tailscale is VC-funded and driving towards IPO
You know what’s to come.
The answer to the question is immediately. Or switch to OpenZiti or Pangolin even.
I spent an afternoon doing precisely that. Bought a domain, a vps, and setup pangolin. Can’t believe how smooth it went.
@cooopsspace pangolin is not a replacement for tailscale/headscale. different usecase imho. @avidamoeba
Ziti isn’t though.
Point is, you know Tailscale will turn to shit the same way all VC stuff does.
Make no mistakes VC aren’t giving money out of the goodness of their heart, they expect a profit.
I’m not that worried as there are alternatives like Netbird. The underlying tech really isn’t hard to replicate since Wireguard is pretty standard.
I think it would be cool if Tailscale made it into the enterprise arena.
I think it would be cool if Tailscale made it into the enterprise arena.
I think they already have started. Telus is on their list of clients.
Am I totally off-base in thinking that MagicDNS and pluggable DNS nameserver overrides are a huge feature of tailscale?
I love that I can refer to my tailnet devices just via their machine name. I use it everywhere. And also that I can just slot in my NextDNS ID so that any device running tailscale now automatically uses that, and I don’t have to mess with my shared router settings or per device settings. Is all that actually really easy to set up outside of tailscale? Cuz if it is and I just somehow missed that when doing all my research, I’ll happily give plain wireguard or other mesh orchestrators like NetBird a go.
And I already know that mDNS is not the answer. That protocol is simply not reliable enough.
I use wireguard and have public DNS refer to private IPs.
For example if my server is accessible at 10.0.0.1 via wireguard then I point *.myserver.mydomain.com to that IP.
Sorry if I’ve misunderstood your question.
deleted by creator
Nah, DNS is separate and these features are indeed pretty great. I think Headscale can also do them. I think I tested MagicDNS if I recall correctly.
And here I am, still using OpenVPN in 2025 lol
Used to run OpenVPN. Tried Wireguard and the performance was much better, although lacking some of the features some might need/want fit credential-based logins etc
I can highly recommend Netbird selfhosted, it has SSO support, logins, complex network topologies, it uses wireguard under the hood and it’s open source.
That sounds kinda cool. I’ll have to check it out. It’s kinda hard sometimes to push FOSS stuff in a largercorporate environment but this looks like something I could recommend/build for small-mid private SOHO clients.
This is what I used in a small/mid sized company to replace a legacy VPN, generally we had only very few issues but probably the employee personal computer is to blame, right now is very stable.
Yeah, OpenVPN definitely doesn’t have light spec requirements 😅 thankfully hardware is unfathomably powerful these days.
Sure but wireguards connection is just faster.
I think a lot of companies view their free plan as recruiting/advertising — if you use TailScale personally and have a great experience then you’ll bring in business by advocating for it at work.
Of course it could go either way, and I don’t rely on TailScale (it’s my “backup” VPN to my home network)… we’ll see, I guess.
It also doesn’t cost them much of anything
Positive PR and little draw backs means that everyone is generally pretty happy
I never really understood the point of using Tailscale over plain ol’ WireGuard. I mean I guess if youve got a dozen+ nodes but I feel like most laymens topologies won’t be complex beyond a regular old wireguard config
Wireguard doesn’t do NAT/Firewall traversal nor does it have SSO
Tailscale manages the underlying Wireguard for you. I would be great if Wireguard had native NAT traversal but that isn’t the case.
NAT punching and proxying when a p2p connection between any 2 nodes cannot be achieved. It’s a world of difference with mobile devices when they always see each other, all the time. However, headscale does all that.
Simplicity?
I mean sure, but I don’t think it’s simpler than setting up a wireguard config IMO. For tailscale you gotta make an account, register devices, connect them. Feel like wireguard is about the same except you don’t have to make an account.
Same thing here, either tailscale selfhosted or Netbird selfhosted I’d the way to go for all the nice features, having the free tier or tailscale for personal data never sounded right to me.
Good thing I deleted it from my homeserver a month ago.
