Comment by ogaj
3 years ago
I love tailscale's technology and their contributions to the security ecosystem, but I can't help but take a contrarian angle to many of the comments here...
This feels like a bad idea, and perhaps it signals defeat in the enterprise space (where the tech would provide the most value, imo). Tailscale raised $100M last year, surely based on a theory of growth upmarket. While this partnership surely provides value to personal consumers, it feels, at best, a distraction from the larger opportunity and, at worst, counterproductive to achieving it.
I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
> I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
Okay. But it does? Our stats continue to show that making nerds happy (we're also nerds) leads to more corporate sales. (https://tailscale.com/blog/free-plan/ etc)
So if we can make something that we want ourselves and our friends and fellow nerds also like, and that also then leads to more corporate sales... why not?
Anecdata: It directly led us (Instacart) to try and then adopt Tailscale. Many of us had used it at home and were happy nerds. This gave it a huge initial leg up vs other "enterprisey" VPNs when we were in the evaluation stage.
Tailscale sold itself after that. The docs were excellent and it really is simple to use and run. I was able to do a full PoC in a day and prove that I could join all of our environments and clouds into one VPN and have DNS resolving correctly everywhere.
Same here.
Tried Tailscale at home, took it to work and implemented it for our own needs.
Seems to me making nerds happy had a great conversion rate to paying customers.
I appreciate the response - great blog post. I don't doubt this works for certain companies and components of the ecosystem; it worked for Dropbox (at least for a long time).
Tailscale is clearly a superior product to its competitors and I have regularly recommended colleagues and clients to evaluate whether it fits their needs. However, unfortunately, that is frequently not enough to "win" in the crowded and bureaucratic enterprise software space.
I would love to be proved wrong here and wish you the greatest success!
The big problem with Tailscale in enterprise is it can't touch anything that interacts with lots of compliance domains, which typically require FIPS.
There are creative ways to get around that, but it makes implementation a complex story and heavy lift.
A lot of B2C VPNs position themselves as kinda sketchy and anti-corporate.
If the cops or the MPAA come calling, we'll tell them to go to hell. Netflix blocks our servers? We'll set up new ones. Accused of torrenting? We didn't see anything, and we don't know who you are either. We're incorporated in a jurisdiction that makes us almost impossible to sue. We've got 4 employees, and not a single clothes iron between us.
B2B VPN products often have the opposite market positioning - straight-laced, trustworthy stuff. Absolutely not claiming to be difficult to sue. We've got 50+ employees, all of them wear shirts and some even wear ties. And suppliers like Cloudflare are more than happy to help you MITM all your employees' https traffic, in the name of "security".
These just seem like positions in the market that are very hard to reconcile.
Cloudflare is in a somewhat interesting position. They are known for being negative about banning copyright violations or controversial content (compared to competitors), but also provide enterprise solutions.
This is simply a false dichotomy and that you don't realize such is damning
This is a pretty tried and true process historically as well, just… “ask your developer.”
A lot of the people making purchasing decisions to acquire products like Tailscale are in security departments and have a very low opinion of Mullvad (VPN of choice for all kinds of abusive/fraud/hacking traffic).
> and have a very low opinion of Mullvad
We do?
I have a high opinion of them, one of the few VPN services I would trust not to give in even to governmental pressure. I firmly believe they would shut down their service before they compromised user privacy. That is very commendable.
Why would this affect the security of someone adopting Tailscale? It's not like partnering with Mullvad makes it easier for hackers/fraudsters/etc to attack a Tailscale user. Maybe I'm an idiot, but I would assume that 'hackers/fraudsters trust it' probably means that they do a decent job of respecting privacy?
What is the VPN service you think people (people on HN, say, not YouTube) have a high opinion of?
Mozilla is rebadged Mullvad. Proton might be ok. Everything else (Nord, Avast, Express, ...) is YouTube sponsor trash, Mullvad's the gold standard afaik.
> (VPN of choice for all kinds of abusive/fraud/hacking traffic).
This is a pretty bad take. With your logic anything pro-privacy like Signal/Matrix etc would also be "x of choice for abuse/fraud/hacking etc" and thus shouldn't be used.
A VPN that can block activity X by definition is monitoring you to decide whether you're doing activity X.
tailscale has many employees, adding a small patch to wireguard client programming and strapping in mullvad account provisioning seems like a very small amount of effort for a pretty cool feature that also earns some recurring money from the hitherto freeloading nerd customers.
Point well taken. My comment was primarily based on two other factors:
a) the strategic signal it sends re developer resource allocation and b) the market signal it sends, selling a security solution while partnering with a company (not a knock - I've been a mullvad customer!) that provides solutions which are frequently used to bypass compliance/regulatory controls.
True, but if it is any positive signal, FiloSottile (golang crypto lead) vouched for Mullvad integration: https://github.com/tailscale/tailscale/issues/2880#issuecomm...
I think Tailscale going after 3 wildly different market segments (hobbyists, smb/teams, enterprises) [0] is why we're likely to see more such features, not less.
[0] https://tailscale.com/blog/pricing-v3/
It doesn't sound like that's a big distraction for Mullvad as it seems most of the actual changes are done on the Tailscale side, enabling users to use Mullvad proxied through their setup.
Partnering with similarly aligned organizations like Tailscale and Tor seems like a good way of increasing the userbase without engaging in sketchy business models like the rest of the VPN competition.
> I'm skeptical of the obvious counterpoint that this assists a flywheel of greater b2c satisfaction leading to b2b success...
This past summer I quit my job as Engr #3 of a startup. While there, I desperately tried to convince 1+2 that we should use Tailscale instead of rolling our own VPN with WireGuard and EC2. Couldn’t do it. The product was too magical and everyone was suspicious. I use it at home and tried very hard to make the case.
This feels more like a long term investment in breaking the “mesh” basis for their product. IMO it’s part of the magic and partially a problem. I couldn’t explain the security model for the mesh (as an outsider), and according to some comments it seems like it causes battery issues on mobile devices.
They've been, over the past year, putting a significant amount of work into fixing the battery life issues. It is largely resolved for me and, it seems according to a recent article, for the vast majority of their users.
https://tailscale.dev/blog/battery-life
* 2% still affected according to https://tailscale.com/blog/reimagining-tailscale-for-ios/
This also has to be a nightmare for speed. Making two separate tunnels, then browsing the internet through them? Streaming or using virtually anything other than static HTML pages would be a pain.
Mullvad servers are fast enough. On some occasions, I can only connect to Mullvad through 3 hops. Me -> Chinese VPS -> DigitalOcean VPS -> Mullvad. I can still stream YouTube just fine (1MiB/s)
Context: during government meetings in a particular region, their network policies would become more restrictive so that it’s only possible to connect to Chinese IPs. Chinese VPSs are exempt but cannot connect to Mullvad directly due to a Fortinet rule. Connections are done with a mix of Trojan-gfw, xray, and WireGuard