Comment by pilif
1 day ago
Keep in mind that for many use cases (mobile access, GUI on macOS), this relies on the official Tailscale clients keeping the ability to set the control server.
The moment the inevitable enshitification will start at Tailscale, this feature will go away.
I’m saying this as a currently super happy Tailscale customer who was burned multiple times in the past by other companies being sold or running out of VC money
I may be misremembering, but I think they have said somewhere that Headscale is actually revenue positive for them.
That feels right to me. Headscale is mostly used by home labbers and small hobby users, it competes with self-hosted OpenVPN and WireGuard, not Pulsesecure, Cisco Anyconnect or GlobalProtect. It's a way to introduce Tailscale to people who love to try new shiny tech in their spare time, but don't want to give up control over their infrastructure.
Those people will then bring their Tailscale expertise and enthusiasm to work. Work really doesn't like managing IT infrastructure unless it's one of their core competencies.
Sure, some companies will actually choose Headscale over Tailscale proper, but I suspect that's a small minority (especially if you take company size and the money involved into account). That's just cost of revenue, not unlike Facebook advertising or billboards on the side of a road in Silicon Valley.
> I think they have said somewhere that Headscale is actually revenue positive for them.
I have the same memory. But they may not feel that way forever. Many a company started by attracting developers with a generous free tier or open-source offering, then started to clamp down once the going got tough.
Heck, it happened to one of Tailscale's competitors, ZeroTier, which used to release their client software under GPLv3 but eventually switched to BSL.
arent most of the the tailscale clients open source aside from the gui portion of the non open source os's?
Yes they are, unless you're using a mainstream OS and/or want to use a GUI, which is probably the most common use case.
While the GUI is somewhat helpful, at the end of the day it's not the key piece, and it could easily be rebuilt.
I think the whole Windows client is closed. On macOS though you can use it from the command line just fine (apart from a couple quirks due to a completely different VPN implementation [1]).
[1]: they have three: https://tailscale.com/kb/1065/macos-variants
From https://github.com/tailscale/tailscale
"This repository contains the majority of Tailscale's open source code. Notably, it includes the tailscaled daemon and the tailscale CLI tool. The tailscaled daemon runs on Linux, Windows, macOS, and to varying degrees on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's code, but this repo doesn't contain the mobile GUI code."
and
"The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers. The GUI wrappers on non-open source platforms are themselves not open source."
Moreover, there's https://github.com/tailscale/tailscale-chocolatey to aid the build process. I haven't built it or run it.
On the other hand, while I suppose the Windows app is probably reasonably straightforward to replicate, I guess it would be much harder to produce an iOS or Android app because of the vagaries of mobile programming.
4 replies →
Tailscale clients are the thing I am least happy about with Tailscale. Specifically mobile clients and battery usage.
The reason I can't use Tailscale at work is because it routes traffic through servers we can't control.
I would _love_ to use tailscale at work. It would solve so many problems. I am okay with being forced to open ports. But tunneling traffic through them is extremely worrysome.
> The reason I can't use Tailscale at work is because it routes traffic through servers we can't control.
You can run your own DERP servers and exclude the Tailscale ones even if you don’t run your own Headscale server: https://tailscale.com/kb/1118/custom-derp-servers
> Specifically mobile clients and battery usage.
yes. Battery usage is super bad, mainly because of their DNS features which forces every DNS resolution to go through their network extension. At least recent updates have stopped the background power usage when you disconnect from the network in the app.
>But tunneling traffic through them is extremely worrysome.
it only does that in case of super bad NATs that make the usual NAT traversal techniques impossible. And presumably, the traffic is end-to-end-encrypted, so it doesn't matter if they have to be in the loop.
If you don't trust them to properly end-to-end encrypt, then it really doesn't matter whether they are in the loop for forwarding a packet or not because if you don't trust them to encrypt properly, all bets are off to begin with.
If you trust them however, it doesn't matter where the traffic is flowing through because only the intended machine is able to decrypt it.
On the battery topic I’m curious if you have anything more than anecdotal evidence. A basic full tunnel wg network extension doesn’t affect battery in a noticeable or unacceptable way, in my experience. Is tailscale’s implementation doing more in a way you can isolate and attribute to poor battery?
4 replies →