Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
Tailscale never sat right with me. The convenience was nice, but - like other VC-funded projects - it followed that ever-familiar pattern of an “easy” service popping up out of nowhere and gaining massive popularity seemingly overnight. 🚩🚩🚩
I can’t say I’m surprised by any of this.
Would you rather a difficult and hard to use program?
Easy to use means people will want to adopt it, and that’s what VC companies want. Nobody wants to pay millions of dollars to make a program that nobody wants to use.
My problem isn’t directly with the programs - my problem lies with VC funding in general. Because they will come back for their money, and the project will inevitably enshittify and shove out enthusiasts in the never-ending search for infinite money.
The solution is getting rid of VC bullshit entirely. But we all know that will never happen.
would you rather …
If it means no VC, yes, without a doubt. That’s kind of the point.
I think there’s room in the world for a selfhosted, foss version of their software, even if a little simplified.
I’m unsure if it has been mentioned, but a similar tool which is open source (you can run the backend unlike tailscale), netbird
Headscale is the tailscale backend server
Well not “the” backend server but “a” different backend server. As far as I know Headscale is a separate implementation from what Tailscale run themselves.
We’ve implemented netbird at my company, we’re pretty happy with it overall.
The main drawback is that it has no way of handling multiple different accounts on the same machine, and they don’t seem to have any plans for ever really solving that. As long as you can live with that, it’s a good solution.
Support is a mixed bag. Mostly just a slack server, kind of lacking in what I’d call enterprise level support. But development seems to be moving at a rapid pace, and they’re definitely in that “Small but eager” stage where everything happens quickly. I’ve reported bugs and had them fixed the same day.
Everything is open source. Backend, clients, the whole bag. So if they ever try to enshittify, you can just take your ball and leave.
Also, the security tools are really cool. Instead of writing out firewall rules by hand like Tailscale, they have a really nice, really simple GUI for setting up all your ACLs. I found it very intuitive.
Thank you for your insight, I’m assuming the only public part is the UI and coturn (the bit that enables two clients between firewalls to hole-punch)?
Yes, the underlying model is the same as Tailscale, Zerotier and Netmaker (also worth checking out, btw). Clients connect to a central host (which can be self-hosted) and use that to exchange information on addresses and open ports, then form direct connections to each other.
I think I’ll just keep using tailscale until they start enshittifying, and then set up a Headscale instance on a VPS - no need to take this step ahead of time, right?
I mean, all the people saying they can avoid any issues by doing the above - what’s to stop Tailscale dropping support for Headscale in future if they’re serious about enshitification? Their Linux & Android clients are open source, but not IOS or Windows so they could easily block access for them.
My point being - I’ll worry when there is something substantial to worry about, til then they can know I’m using like 3 devices and a github account to authenticate. MagicDNS and the reliability of the clients is just too good for me to switch over mild funding concerns.
Yeah, as I said, it’s a friendly reminder. I’m personally probably doing it this year. It’s entirely possible that enshittification could come even years from now. It all depends on how their enterprise adoption goes I think. The more money they make there, the longer the individual users are gonna be left unsqueezed.
Tailscale is great. The principle concern to me is that your super easy mesh network depends on Tailscale so if they want it they have control, and if they change their pricing or options you depend on them, and though they can’t see the data you send they can see the topology of your network and where all your computers/devices are.
I use Nebula, which is more work to set up and doesn’t have some of the features, not But if you slap the ‘lighthouse’ (administrating node) on a cheap VPS it works great. And it has some advantages. But Nebula also troubles me: though it’s fully open source and fully in your control, the documentation isn’t great. Instead, you can now get “managed nebula”, which puts you in the same problem as Tailscale: the company sees and controls your network topology. I fear the company (Defined Networking) is trying to push things that way. Even their android app you can’t fully configure unless you use their ‘managed’ service.
For now, Nebula is great, and my preferred mesh network (I looked into all the main ones). And for Tailscale you can run the administration server yourself with Headscale and be fully in your control.
Actually I wish Tailscale the best as a profitable business. They’ve created a fantastic service and system. But for me, I’d rather my network be in my own hands and for my own eyes. And, as is OP’s main point, once they have enough dependent users, the service might turn much worse.
Nice to hear your experience with Nebula. I considered it when I went with Tailscale years ago. Now you gotta migrate off of lemm.ee as it’s shutting down soon. :D
Yep. It’s on the TODO list…
I just replaced my entire setup with base wireguard as a challenge, easier than I expected it to be, and not hard to mimic tailscale.
I did this was well awhile ago. Felt nice to completely control everything.
Any helpful guids or links you feel like sharing for interested parties?
Can you elaborate how?
Pihole and pivpn get along like peas and carrots.
Make the “available ips” your pivpn subnet and ta-da, the mesh functionality of tailscale without the entire connection.
Want to exit node from the server? Just change the value back to 0.0.0.0/0.
Friendly reminder that Tailscale is VC-funded and driving towards IPO
You know what’s to come.
The answer to the question is immediately. Or switch to OpenZiti or Pangolin even.
If I host headscale on a VPS, is that as seamless of an experience as Tailscale? And would I miss out on features, like the Tailscale dashboard? How does the experience change for me (an admin type) and my users (non-technical types)?
become profitable when needed
By what, laying off all QA and support staff and half your developers the moment a single quarterly earnings report isn’t spotlessly gilded?
I think a lot of companies view their free plan as recruiting/advertising — if you use TailScale personally and have a great experience then you’ll bring in business by advocating for it at work.
Of course it could go either way, and I don’t rely on TailScale (it’s my “backup” VPN to my home network)… we’ll see, I guess.
And here I am, still using OpenVPN in 2025 lol
Used to run OpenVPN. Tried Wireguard and the performance was much better, although lacking some of the features some might need/want fit credential-based logins etc
Yeah, OpenVPN definitely doesn’t have light spec requirements 😅 thankfully hardware is unfathomably powerful these days.
Sure but wireguards connection is just faster.
Just use normal wireguard, why do you need tails or heads at all?
Tailscale offers way more then just wireguard. ACLs, NAT traversal etc. etc.
While some use cases can be replaced with traditional wireguard, others not.
I’m curious what kind of a use case you can think of that “traditional wireguard” can’t replace tailscale for.
Tailscale has a maximum of 3 users on their free tier, so it seems like a super limited use case of people who DIY their own servers for Jellyfin or HomAssistant or whatever, but just a tad too lazy to setup their own Wireguard service in addition to whatever it is they’d be using it for… I think the vast majority of free tailscale users have simply never actually tried wg-easy , because if they did they wouldnt need to use a third party service.
Big difference in users and devices here. Tailscale might have a 3 user limit, but you can add up to 100 devices for free. So for me for example I have tailscale running in each and every docker container in my NAS. So each and every container can now act as a node on my tailnet. Users isn’t a big deal, any one node can activate funnel with a simple command and poof its available to the public. The convenience coupled with simplicity is what makes Tailscale so god damn good.
Can you segregate connections between different nodes on the tailnet, like say node G and H can only talk to each other and no other nodes?
Not sure, not tried that as that’s outside my use case. But I would assume its possible with ACLs!
Accessing your home network that is kept inside a NAT by your ISP, without you having to acquire an online server somewhere.
Except you do need to acquire an online server somewhere, its just one that tailscale owns and controls instead of you, and when tailscale decides to enshittify and kill of their free tier you’ll be left wondering why you didn’t just rent a cheap VPS sooner.
Ask yourself, what is tailscale getting out of those “free” users that makes it worth providing services to them that they’d otherwsie need to rent a VPS for? What do you think their response would be if for example they got pressured about maybe too many users on their network are running a certain video streaming app?
You really don’t though. I use wireguard myself under the same scenario without issue. You just need to use some form of dynamic DNS to mitigate the potentially changing IP. Even if you’re using Tailscale you’ll still need to have something running a service all the time anyways, so may as well skip the proxy.
Your approach won’t work if you’re behind carrier grade NAT or you can’t open ports. My landlord provides my internet so I use tailscale (with headscale on my long distance vps) to connect everything and it works great. It uses LAN when I’m home, and NAT punches when I’m elsewhere.
If you only need to worry about the IP changing, then your ISP is not using NAT, or CGNAT as it is better known. I’m pretty sure that you can also use port forwarding, which is not commonly available under CGNAT.
Ah, I see where I got confused. Yeah, CGNAT isn’t very common around here. I don’t think I’ve ever run into an ISP that uses it. I can see how that complicates things.
It’s more common with mobile-based connections like satellite connections or mobile-LTE data based connections, I believe.
Or be like me stuck in the 2000s using OpenVPN still in 2025 lol
Didnt even work for me, i use mullvad so if i wanted to use tailscale on my android to connect to my desktop, it wants me to disable mullvad unlike on my desktop…
I think that’s because both work on Android by being a VPN, and the system can’t handle doing two vpns simultaneously
Well not really but most people don’t like manually editing routing tables
You can do that? On ordinary, non-rooted Android?
Tailscale offers a paid Mullvad integration, where you can select most Mullvad servers as exit nodes. Works quite well.
Hmmm. I run PIA and Tailscale simultaneously on my devices. I did have to tinker around with the settings in PIA such as the VPN & Advanced Kill Switch. So, now Tailscale is for administrating remote servers, and PIA for everything else. DNS leak checks, etc all check out.
Yeah this was a deal-breaker for me too.
So glad my router supports WireGuard/OVPN server hosting, doing it this way also relieves resources off your homelab and for whatever reason your homelab shuts off or loses network access you can at least rely on your router to re-establish the VPN server without further intervention.
is this some kind of furry porn CDN
I never really understood the point of using Tailscale over plain ol’ WireGuard. I mean I guess if youve got a dozen+ nodes but I feel like most laymens topologies won’t be complex beyond a regular old wireguard config
NAT punching and proxying when a p2p connection between any 2 nodes cannot be achieved. It’s a world of difference with mobile devices when they always see each other, all the time. However, headscale does all that.
Simplicity?
I mean sure, but I don’t think it’s simpler than setting up a wireguard config IMO. For tailscale you gotta make an account, register devices, connect them. Feel like wireguard is about the same except you don’t have to make an account.
