Tailscale Peer Relays is now generally available

tailscale.com

246 points

sz4kerto

5 hours ago


110 comments

ZoomZoomZoom 2 hours ago

If you're sold on Tailscale due to them "being open" (as they semi-officially support the development of Headscale), keep in mind that, at the same time, some of their clients are closed source and proprietary, and thus totally controlled by them and the official distribution channels, like Apple. Some of the arguments given for this stance are just ridiculous:

> If users are comfortable running non-open operating systems or employers are comfortable with their employees running non-open operating systems, they should likewise be comfortable with Tailscale not being open on those platforms.

https://github.com/tailscale/tailscale/issues/13717

A solution like this can't really be relied on in situations of limited connectivity and availability, even if technically it beats most of the competition. Don't ever forget it's just a business. Support free alternatives if you can, even if they underperform by some measures.

  • 1vuio0pswjnm7 an hour ago

    "Support free alternatives if you can, even if they underperform by some measure."

    I value _control_ more than I do performance

    Better performance is, IMHO, not a reason to sacrifice _control_, but that's just me

    If users have control, i.e., can compile from source, then in theory performance improvement is possible through DIY or work of others. However, performance is not always the only important issue. Today's commercial software tends to be rushed, lower quality, bloated. Releasing work-in-progress software that requires constant remotely-installed "updates" in place of a thoroughly-tested final product is a norm

    Without control, if performance, _or anything else about the software_, is unsatisfactory, then there is nothing users can do

    • Forgeties79 4 minutes ago

      Basically a lot of current software teams operate like many modern video game companies. Ship the broken thing, (maybe) repair/improve it as people suffer through the experience.

  • dblohm7 an hour ago

    (Tailscalar here) To be clear: it's only the GUIs that are closed source on selected platforms.

  • uneekname an hour ago

    I've been relatively happy with Headscale, but now that I have macOS/iOS users I'm in the process of testing alternatives like Netbird. I was also surprised that the Tailscale Kubernetes operator is not compatible with Headscale.

  • tshaddox an hour ago

    That justification honestly doesn't sound that ridiculous to me, especially if the closed-source stuff is mostly just platform-specific GUI and integration code. Is there even a practical mechanism to open source an iOS app and then let users verify that the version they're downloading from the App Store is exactly the same version that is open sourced?

  • zarzavat an hour ago

    Seems like an odd thing to be concerned about. Most of the apps on my Mac are closed source, that little Tailscale menu bar item is really insignificant. You can always control it through the command line if you're really bothered by it. I'm pretty sure tailscale is on brew.

  • 8cvor6j844qw_d6 an hour ago

    Went with ZeroTier and Netbird, they're not too bad.

  • xyst 2 hours ago

    I switched to Netbird because of this.

tda 4 hours ago

I just set this up the other day, and I got my ping to drop from 16 to 10 ms, and my bandwidth tripled, when connecting from a remote NATed site to a desktop in my house. Together with Moonlight/Sunshine I can now play Windows games on my Linux desktop from my MacBook, with 50 Mbps/10 ms streaming. So far so good!

Not a single port forwarded, I just set my router up as a peer node.

  • jak6jak 24 minutes ago

    That seems really exciting! If you wanted to share game streaming to a general public would they have to install tailscale on their device/login? How does that work? Am I right in assuming that tailscale is built mostly for sharing resources with people you trust instead of the general public?

  • nickburns 2 hours ago

    Neat use case. But in fairness, you've simply 'offloaded' NAT traversal/port forwarding to automagic helper protocols over which you have no control even if you wanted it.

  • arjie 4 hours ago

    What hardware do you use on the networking side?

    • tda an hour ago

      Nothing special, an EdgeRouter that allows installing Tailscale.

  • aborsy 4 hours ago

    There are several ports open (you don't open them, Tailscale does), including for peer relay. Some are VPN ports, but the ports for relay servers are not for VPN, so my guess is that the software that listens on those ports is a lot less secure (compared to WireGuard or OpenVPN).

    • tda an hour ago

      Yes, my router has open ports, but it does not do any port forwarding. So I can 'directly' connect to any device behind my router without my router needing to know any specifics of which device that is. And I don't need to do any port forwarding of anything on my network and thus expose them to the whole internet; I just expose them to the users of my Tailscale network (only me).

      • toomuchtodo an hour ago

        Does your router not support UPnP for dynamic port punching?

        • bityard an hour ago

          UPnP allows literally any random piece of software inside your network to open and forward arbitrary ports on your firewall. Bad idea!

          • toomuchtodo an hour ago

            Within my risk appetite on trusted network segments. I have bigger issues if malware is operational within the trust boundary, it can do what it needs using outbound connections just fine (recon, lateral movement, etc). Your risk appetite might differ.

bityard 21 minutes ago

I wonder if someone might indulge me by answering a question or two about Tailscale. I have a self-managed wireguard network which works, but probably isn't very smart or elegant.

From what I can gather, Tailscale does a lot of "magic" things to accomplish its goals, and some of them actually have "magic" right in the name. As a system administrator by trade, I have been bitten SO MANY TIMES by things that try to automagically mess with DNS resolution, routing tables, firewall rules, etc. in the name of user-friendliness. (Often, things that even ship with the OS itself.)

Are there any documentation or articles detailing exactly what it's doing under the hood? I found https://tailscale.com/docs/concepts but it doesn't really cover everything.

If I have a virtualization host with, let's call it a "very custom" networking configuration, how likely is it to interfere with things? Is it polite and smart about working around fancy networking setups, or does it really only handle the common cases (one networking interface, a default route, public nameserver) elegantly?

  • patmorgan23 3 minutes ago

    I believe the client is open source and there's a reverse-engineered server (that some Tailscale employees contribute to).

behnamoh 4 hours ago

How does Tailscale make money? I really like their service but I'm worried about a rug pull in the future. Has anyone tried alternative FOSS solutions?

Also, sometimes it seems like I get rate limited on Tailscale. Has anyone had that experience? This usually happens with multiple SSH connections at the same time.

  • dimatura 3 hours ago

    Our company pays for the premium business plan, $18/mo/user. You have to pay for at least the lower tier plan once your team grows beyond a handful of people. And there are several quite useful features (though maybe not essential) on the premium plan like serve/funnel and SSH.

    On the other hand, I do wonder about ZeroTier. Before Tailscale we used ZeroTier for a few years, and during the first 3-4 years we paid nothing because, as far as I can recall, there was nothing extra that we needed that paying would've gotten us. Eventually we did upgrade to add more users, and it cost something like $5/mo (total, not per user).

    • gpm 3 hours ago

      I've used serve/funnel on the Tailscale free tier... definitely agree that the team size limit seems like it would move companies to the paid plan though.

    • tamimio 3 hours ago

      ZeroTier is not the same as Tailscale; although both can be used to do the same thing, under the hood they are fundamentally different. ZT is layer 2, like a switch, so it's like an Ethernet, while TS is built on top of WireGuard and is layer 3. ZT allows broadcast/multicast and has its own protocol; TS doesn't. I use both among others, and ZT since around 2019. I found it reliable in some cases in the IoT world, while TS had better throughput in usual applications.

    • lysace 3 hours ago

      How do you handle the do-before-thinking devs? Or the kinda low-to-mid performing devs? Most companies have one or a few of those, right? They help the company machine go around by doing the somewhat boring stuff over and over again.

      Tailscale in a company/developer env seems awesome when you know what you are doing and (potentially) terrifying otherwise.

      Does someone set up detailed ACLs for what's allowed? How well does that work?

      • madeofpalk 2 hours ago

        > How do you handle the do-before-thinking devs?

        Isn't that exactly what tailscale is built to accommodate - zero trust?

        You set up ACLs and other permissions to not allow people to do more than the damage you can tolerate.

        • nickburns an hour ago

          Zeroconf ≠ zero trust. The difference could not be more material in this context.

  • vizzier 4 hours ago

    > Also, sometimes it seems like I get rate limited on Tailscale.

    As I understand it, if everything is working properly you should end up with a peer-to-peer WireGuard connection after the initial connection using Tailscale's infrastructure, i.e., there should be nothing to rate limit. There are exceptions depending on your network environment where you need one of the relays noted in this post.

    As for opensource alternatives:

    https://github.com/juanfont/headscale can replace Tailscale's initial coordination servers

    and https://netbird.io/ seemed to be a rapidly developing full stack alternative.

    • arsome 3 hours ago

      Headscale also offers a relay server of its own.

  • evmar 4 hours ago

    They wrote a blog post addressing this concern: https://tailscale.com/blog/free-plan

    • riknos314 3 hours ago

      The TL;DR here is that the cost to them of operating the free tier is lower than what they estimate their Customer Acquisition Cost would be without a free tier, so the free tier generates better leads/conversions to their paid products at a lower cost than traditional sales and marketing.

      As long as these economics continue to hold they'd be stupid to discontinue the free tier.

      • eleventyseven 2 hours ago

        But it isn't 'economics' as there is no actual data or science here, just a wild guess about what customer acquisition might currently cost. All it takes to rug pull is some exec speculating that 'the economics' have changed.

        • erikpukinskis 2 hours ago

          Any mature SaaS company will have exact measurements of acquisition costs. This is advertising, sales staff, etc.

          This is one of the most fundamental components of SaaS accounting; it’s absolutely not a “wild guess”.

        • dagi3d 2 hours ago

          Acquisition cost can definitely be calculated. I'm pretty sure they know how many customers convert into paying users from their free tier and how much it costs to get them through other channels.

        • roughly an hour ago

          > But it isn't 'economics' as there is no actual data or science here, just a wild guess

          Welcome to economics.

      • wat10000 3 hours ago

        All it takes is for the decision-maker who gets the credit for cutting costs by removing the free tier to be a different person from the one who gets the blame for higher customer acquisition costs. Not saying it'll happen, just that it being a bad move isn't a guarantee.

  • Aurornis 3 hours ago

    Tailscale is a perfect example of using a free tier to become popular with developers, who then evangelize the product to their employers. The employers pay for business scale plans.

  • allthetime 2 hours ago

    Facilitating peer to peer connections is cheap.

    Just like cloudflare, a healthy free offering makes lots of happy/loyal developer users. Some of those users have business needs / use for the paid features and support and will convince their managers to buy in.

  • prodigycorp 4 hours ago

    I love tailscale but you may be right, it's entering that acquisition zone that'll inevitably bum everyone out.

    Salesforce, stay away from it!

    • tomxor 3 hours ago

      I have the same fears. Last year they publicly stated they are not interested in acquisition [0]:

      > Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).

      > “Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”

      Nothing is set in stone, after all it's VC backed. I have a strong aversion to becoming dependent upon proprietary services; however, I have chosen to integrate TS into my infrastructure, because the value and simplicity it provides is worth it. I considered the various copycat services and pure FOSS clones, but TS are the ones who started this space and are the ones continuously innovating in it. I'm onboard with their ethos and mission and have made use of apenwarr's previous work; in other words, they are the experts, they appear to be pretty dedicated to this space, so I'm putting my trust in them... I hope I'm right!

      [0] https://betakit.com/corporate-vpn-startup-tailscale-secures-...

      • omnimus 2 hours ago

        Just note I doubt Tailscale was the first popular VPN manager, as I remember many hobby users are ZeroTier converts, and there are also much older products like Hamachi.

        Tailscale has built a great product around WireGuard (which is quite young) and they have great marketing and docs. But they are hardly the first VPN service; they might not even be the most popular one.

        • tomxor an hour ago

          Yes, I ambiguously said "started this space"... and to be honest even in the most generous interpretation that's probably incorrect, maybe ZeroTier started "this space", in that it had NAT busting mesh networking first.

          As far as I understand, Tailscale brought NAT-busting mesh networking to WireGuard plus identity-first access control, and reduced configuration complexity. I think they were the first to think about it from an end-to-end user perspective, and each feature they add definitely has this spin on it. It makes it feel effortless and transparent (in both the networking use sense and the cryptography sense)... So I suppose that's what I mean by started: TS was when it first really clicked for a larger group of people, it felt right.

      • nerdsniper 2 hours ago

        Would be curious if a partial decompilation and short static analysis would yield any reliable info about what they might be collecting.

    • politelemon 3 hours ago

      Dearest Salesforce, Apple, Oracle, and IBM. Please look elsewhere for acquisitions to ruin for everyone. Cheers.

  • allthetime 2 hours ago

    Facilitating peer to peer connections is cheap.

    Just like cloudflare, a healthy free offering makes lots of happy/loyal users. Some of those users have business needs / use for the paid features and support.

  • fdefitte an hour ago

    If you're worried about a rug pull, you should be. Not because Tailscale is shady, but because that's just how VC-funded infrastructure works. The free tier exists to build lock-in, not out of generosity. Headscale exists but honestly it's a pain to run compared to just paying Tailscale $18/user. The real answer is: if it's critical infrastructure, you should be running Wireguard directly and owning the coordination layer yourself. Everything else is renting convenience.

    • batrat 26 minutes ago

      It happened to others, but there are also some very good examples like Veeam Community Edition which, IMO, is the best backup software. They had lots of discussions and even pressure from management to terminate it, but the numbers made a lot of sense and they kept it. Tailscale is at a disadvantage here because they are in a very crowded market and it will be very easy to slip into one corner and make way for others like Netbird, Netmaker, Nebula(?), WireGuard (like you said), etc.

  • nsbk 4 hours ago

    At this point Tailscale is working so well and I'm so happy with it that I'm afraid it's time to start migrating to Headscale [0] for my home network. The rug pull may just be too painful otherwise!

    [0]: https://headscale.net/

    • sureglymop 3 hours ago

      I've been smoothly running Headscale on a Hetzner VPS for many months now. Works without issues (note that it does lack some features still).

      • ErneX 2 hours ago

        Same here.

  • tiernano 4 hours ago

    It's free for up to 3 users. After that you need to start paying.

    • criddell 2 hours ago

      I have a family of 4 so I pay and it's still crazy cheap. I've wondered how sustainable it is.

  • thecapybara 3 hours ago

    I self-host a few apps and use Tailscale to access them remotely. It's worked well, so I recommended it as a possible solution to allow employees at my company to remotely access some on-prem resources while remote, and that's being considered. If we go with that, then that'd be Tailscale making money from me using the free plan.

  • Lammy 3 hours ago

    > How does Tailscale make money?

    They spy on your network behavior by default, so free users are still paying with their behavioral data. See https://tailscale.com/docs/features/logging

    “Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

    They know what you're doing, when, from where, to where, on your supposedly “private” network. It's possible to opt out on Windows, on *nix systems, and when using the non-GUI client on macOS by enabling the FUD-named “TS_NO_LOGS_NO_SUPPORT” option: https://tailscale.com/docs/features/logging#opt-out-of-clien...

    It is not currently possible to opt out on iOS/Android clients: https://github.com/tailscale/tailscale/issues/13174

    For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326
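One way to take the measurement the linked issue describes, as an added example that is not code from the original post or from Tailscale: count resolver log entries for log.tailscale.com per client and extrapolate to a weekly rate. The log lines are constructed in dnsmasq's query-log style; the blocklisting itself is assumed to be done by the resolver.

```python
"""Count DNS lookups for Tailscale's log sink per client from resolver logs.
Added illustration with constructed dnsmasq-style lines; not Tailscale code."""
import re
from collections import Counter
from typing import Iterable

# dnsmasq query lines look like "... dnsmasq[PID]: query[A] name from client-ip".
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample data, not captured from a real network.
SAMPLE_LOG = [
    "Feb 19 00:13:01 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.23",
    "Feb 19 00:13:01 dnsmasq[812]: config log.tailscale.com is 0.0.0.0",
    "Feb 19 00:13:31 dnsmasq[812]: query[AAAA] log.tailscale.com from 192.168.1.23",
    "Feb 19 00:14:02 dnsmasq[812]: query[A] controlplane.tailscale.com from 192.168.1.23",
    "Feb 19 00:14:40 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.40",
    "Feb 19 00:15:05 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.23",
    "Feb 19 00:15:35 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.23",
    "Feb 19 00:16:10 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.40",
    "Feb 19 00:16:44 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.23",
]


def count_log_sink_queries(lines: Iterable[str], sink: str = "log.tailscale.com") -> Counter:
    """Per-client count of queries for `sink` or a subdomain of it. Other names and
    non-query lines (e.g. the blocklist 'config ... is 0.0.0.0' reply) are ignored."""
    hits: Counter = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        if name == sink or name.endswith("." + sink):
            hits[m["client"]] += 1
    return hits


def weekly_rate(count: int, window_hours: float) -> float:
    """Extrapolate a count observed over `window_hours` to a 7-day (168 h) rate."""
    return count * 168.0 / window_hours


if __name__ == "__main__":
    per_client = count_log_sink_queries(SAMPLE_LOG)
    for client, n in per_client.most_common():
        # The sample spans about 4 minutes; the window length is the caller's assumption.
        print(f"{client}: {n} queries, ~{weekly_rate(n, 4 / 60):.0f}/week at this rate")
```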

    • nickburns 2 hours ago

      Pretty much this. DNS, SNI, and otherwise plaintext traffic sniffing. That together with user/device 'fingerprinting' (a much more amorphous concept), and that's why such-and-such thing you were just talking about with so-and-so pops up on your screen/feed/whatever, sometimes only minutes later.

      I highly doubt any of this can actually be opted-out of. How else would they stay in business?

      • namtim 2 hours ago

        The `TS_NO_LOGS_NO_SUPPORT` option opts out of all log collection, and says in the name why it is collected in the first place. Tailscale has support for all users, including free, and having access to logs has to be how they can provide free support. Having quick access to logs reduces the time it takes to handle tickets, so they can help more people quickly and don't need to limit support to only paying users.

        The core client code is open source, feel free to inspect it yourself.

        • nickburns 2 hours ago

          The client may be open source. But the service is obviously not.

          Don't let that deter you from trusting whomever you choose, though.

  • zaphar 2 hours ago

    There are a number of features and team sizes for which you have to pay money. Most company users are going to end up paying them money. But also their emphasis on P2P connections means their costs are quite low. It doesn't add much overhead to have the smallish number of personal users out there. They've talked about how having the free tier helps force them to keep those costs down in useful ways.

  • eurg 4 hours ago

    Companies pay for it. And except for their DERP servers, free users don't cost them much.

  • dec0dedab0de 2 hours ago

    Wouldn't the FOSS alternative be to simply use wireguard?

    • newsoftheday 2 hours ago

      I do, I use a VPS (at OCI free) to host Wireguard. My home systems (running my production web sites and email) are on my VPN and mine and my wife's phones. I hand configured it all but it wasn't difficult for me.

    • NoiseBert69 2 hours ago

      Yes and no. It's a lot of manual work to get WG to behave like Tailscale.

    • iso1631 2 hours ago

      Most posters on HN barely know what a subnet is so it's not that simple

      There are two key features:

      1) Tunnel management

      Tailscale will configure your p2p tunnels itself; if you have 10 devices, to do that yourself you'd have to manage 90 tunnels. Add another device and that goes up to 100. Remove a device and you have 9 other devices to update.

      2) Firewall punching

      They provide an orchestration system which allows two devices both behind a NAT or stateful firewall to communicate with each other without having to open holes in the firewall (because most firewalls will allow "established" connections, including measuring established UDP as "a packet went from ipa:porta to ipb:portb 'outbound', thus until a timeout period any traffic from ipb:portb to ipa:porta will be let through (and NATed as appropriate)").

      The orchestration sends traffic from ipa to ipb and ipb to ipa on known ports at the same time so both firewalls think the traffic is established. For NATs which do source-port scrambling it uses the birthday paradox to get a matching stream.

      I believe you can run a similar headend using "headscale" yourself.
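A small Python model of the two mechanisms iso1631 describes, added here as an illustration (not code from Tailscale or the commenter): a firewall that only admits UDP replying to a flow it saw leave, which is why a lone inbound packet is dropped but a simultaneous send from both sides succeeds, plus the birthday-paradox calculation for a NAT that randomizes source ports. The port-space size, probe counts and sample endpoints are assumptions.

```python
"""Toy models of stateful-firewall hole punching and birthday-paradox port guessing.
Added illustration; not Tailscale code."""
from dataclasses import dataclass, field
from typing import Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


def peer_entries(devices: int) -> int:
    """Peer stanzas in a hand-built full mesh: each of n devices lists the other n-1."""
    return devices * (devices - 1)


@dataclass
class StatefulFirewall:
    """Endpoint-dependent filtering: an inbound UDP packet is admitted only if the same
    (local, remote) pair was previously seen outbound (and, on a real box, has not timed out)."""
    name: str
    established: Set[Tuple[Endpoint, Endpoint]] = field(default_factory=set)

    def outbound(self, local: Endpoint, remote: Endpoint) -> None:
        self.established.add((local, remote))

    def admits_inbound(self, remote: Endpoint, local: Endpoint) -> bool:
        return (local, remote) in self.established


# Constructed sample endpoints (documentation address ranges), one per side.
A: Endpoint = ("198.51.100.10", 41641)
B: Endpoint = ("203.0.113.20", 41641)


def unilateral_attempt() -> bool:
    """B sends first. A's firewall has seen nothing leave towards B, so the packet is dropped."""
    fw_a = StatefulFirewall("fw-a")
    return fw_a.admits_inbound(remote=B, local=A)


def simultaneous_open() -> bool:
    """Both sides send to each other's known ip:port at once, as arranged by the coordination
    server. Each firewall now holds an outbound entry, so each side's probe gets through."""
    fw_a, fw_b = StatefulFirewall("fw-a"), StatefulFirewall("fw-b")
    fw_a.outbound(local=A, remote=B)  # A's probe leaves; fw-a records A->B
    fw_b.outbound(local=B, remote=A)  # B's probe leaves; fw-b records B->A
    return fw_b.admits_inbound(remote=A, local=B) and fw_a.admits_inbound(remote=B, local=A)


PORT_SPACE = 65535 - 1024  # assumption: the NAT picks from the non-privileged range


def hit_probability(open_ports: int, probes: int, port_space: int = PORT_SPACE) -> float:
    """Source-port-scrambling NAT: one side holds `open_ports` distinct random mappings, the
    other probes `probes` distinct random ports. Exact P(at least one probe hits a mapping),
    i.e. 1 - P(all probes miss), drawing without replacement."""
    if open_ports >= port_space:
        return 1.0
    miss = 1.0
    for i in range(min(probes, port_space)):
        miss *= (port_space - open_ports - i) / (port_space - i)
        if miss == 0.0:  # every non-open port has been probed; a hit is certain
            break
    return 1.0 - miss


def probes_for_confidence(open_ports: int, target: float, port_space: int = PORT_SPACE) -> int:
    """Smallest probe count whose hit probability reaches `target` (same product, accumulated)."""
    if open_ports >= port_space:
        return 1
    miss = 1.0
    for probes in range(1, port_space + 1):
        miss *= (port_space - open_ports - (probes - 1)) / (port_space - (probes - 1))
        if 1.0 - miss >= target:
            return probes
    return port_space


if __name__ == "__main__":
    print("peer entries for 10 devices:", peer_entries(10))
    print("unilateral inbound admitted:", unilateral_attempt())
    print("simultaneous open succeeds:", simultaneous_open())
    print("P(hit) with 256 open ports and 256 probes: %.3f" % hit_probability(256, 256))
    print("probes for 90% confidence with 256 open ports:", probes_for_confidence(256, 0.9))
```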

  • pkulak an hour ago

    I pay $5 a month, and my company has a license for every employee.

  • Suffocate5100 2 hours ago

    Nebula is what we use. It's definitely not as convenient, but it's 100% self-ownable.

  • gz5 4 hours ago

    OpenZiti (Apache 2.0):

    https://github.com/openziti/ziti

    • bityard 43 minutes ago

      This is a secure mesh network, but it appears to be for embedding into applications, not a "private VPN" like Tailscale, or do I misunderstand?

  • mrsssnake 3 hours ago

    Free personal tier is basically a cheap advertisement for them. You try Tailscale personally and get used to it, then it is very likely you would want to deploy it at your work seeing the benefits scaling even more with more people. And then they make money.

    • QuercusMax 2 hours ago

      1000%. Tailscale is the first VPN I've used that makes my life easier, and I'm using it for personal access to my selfhosted servers at home. I will definitely recommend it to companies I work for in the future.

jak6jak 28 minutes ago

I looked into Tailscale in the past as a way to host a game server such as Minecraft on my local machine publicly without port forwarding. It seems that Tailscale is mostly configured only to work with people you know and trust. I was hoping that Peer Relays would help alleviate some restrictions with Tailscale Funnel. Does anyone know any alternatives?

  • Computer0 2 minutes ago

    If you have a cheap VPS you can use it to forward the traffic to for some benefit; that is what I have been doing when I need compute accessible online and don't want to pay for cloud.

adithyassekhar 3 hours ago

I wish I could read this but got this[0] guy on mobile with no close button, won't close when you click outside the modal.

0: https://i.postimg.cc/14h3Q9mD/Screenshot-20260219-001356-Chr...

Edit: Nvm, found it. Weird place to put it.

  • yardstick 3 hours ago

    I see a white X in a blue box to the lower right of the modal. Is it that?

    • adithyassekhar 2 hours ago

      That was it, ok now I feel stupid.

      • drannex 2 hours ago

        Oh man, I even read all the comments and still couldn't find it when I finally clicked on the image link. Terrible UX.

        cc: @apenwarr (tailscale founder), might want to have someone fix this and move the close button to the top right of the modal, not the bottom right.

      • a_wild_dandan 2 hours ago

        You’re not stupid. That’s terrible UX. The button is completely disconnected from its modal, and is placed in a bizarre/nonstandard location.

        • ChrisClark 2 hours ago

          It's placed like one of those chat services on sites. Which we've been trained to ignore.

itissid 4 hours ago

I have my homenas set up with Node Proxy Manager container forwarding requests to different docker machines:ports e.g. I have some TTS/STT/LLM services locally hosted. To increase bandwidth to internet facing nodes, would you use this or some other simpler solution?

  • tecleandor 4 hours ago

    Is it a typo and it's the Nginx Proxy Manager?

    • mikepurvis 4 hours ago

      I assume so; I use the same thing with my Unraid box and then create the DNS entries in the unifi panel so I get jellyfin.lan, minecraft.lan, etc inside the house.

    • itissid 2 hours ago

      Oh yeah Nginx* not Node.

shj2105 2 hours ago

I’m so confused. What is the difference between a peer relay and a DERP server that is self hosted?

  • apenwarr 2 hours ago

    (Tailscale founder here) Two main differences: first, every DERP server used by your tailnet must be accessible by every node on your tailnet at all times, otherwise you get hard-to-debug netsplits. That's a very high bar to maintain so we've historically recommended you don't try. In contrast, peer relays are "if a given pair of nodes can connect through any of the relays, go for it" so deploying one is always a performance and reliability improvement.

    Secondly, peer relays support UDP while DERP is TCP-only. That would be fixable by simply improving the DERP protocol, but as we explored that option, we decided to implement the Peer Relay layer instead as a more complete solution.

    • shj2105 2 hours ago

      Hmm, got it, not sure I entirely understand. The issue I have is I’m trying to connect two devices where one is behind a hard CGNAT that always causes the connection to be relayed even though the other one is not behind a CGNAT and has proper port forwarding. Would a peer relay solve this, but is it like a DERP where I have to host it on a VPS separate from my existing two networks, or is this something different where I can host the peer relay on the same network not behind a CGNAT and somehow it will link the two networks through it?

    • kwakubiney 2 hours ago

      > every DERP server used by your tailnet must be accessible by every node on your tailnet at all times, otherwise you get hard-to-debug netsplits.

      What would allow a given pair of nodes to access a peer relay? Isn’t the peer relay by default also accessible by every node on the tailnet, since it’s in the tailnet as well?

  • allthetime 2 hours ago

    Talking out my ass, but as with all things Tailscale, not much, aside from easier to use / less manual setup.

    Nothing they do was impossible before, but their big win is making world wide private networking easy and accessible.

    I’ve been on-boarding my friends who have their own local media servers setup so we can all share/stream content from each other.

alberto_delrio 2 hours ago

Tried the other day, honestly so far surprised by the good results!

aborsy 4 hours ago

Is peer relay essentially a custom relay which was previously available, except now it’s one command?

So it runs a STUN server or similar, for discovery and relaying.

  • kabirx 3 hours ago

    Peer relays are a bit different from our previously available Custom DERP servers. While the custom DERPs do relay traffic, they also require a bunch of configuration and management for their other jobs and they open up availability concerns that are pretty tough for our average customer.

    Conversely, Peer Relays are built on the shoulders of DERP. For example, they don't need to do peer discovery or set connections up end to end; instead connections are brokered via our DERP fleet and then in a sense "upgraded" to an available Peer Relay or direct connection. Because of that they're super lightweight and much easier to deploy and manage. And they scale horizontally, so you can deploy many peer relays across your network, and they're resilient to downtime (we'll just fall back to DERP).
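A toy model of the path selection apenwarr and kabirx describe above, added here as an illustration (not Tailscale's code): direct wins, any peer relay both nodes can reach is tried next, and the DERP fleet is the fallback. It shows why a custom DERP that one node cannot reach cuts that node off, while an unreachable peer relay only costs the upgrade. Node and relay names, and which pairs can go direct, are constructed.

```python
"""Relay selection model: direct > peer relay reachable by both > DERP reachable by both.
Added illustration; not Tailscale code."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class Topology:
    nodes: Set[str]
    # Pairs for which NAT traversal yields a direct UDP path (constructed per scenario).
    direct_pairs: Set[FrozenSet[str]] = field(default_factory=set)
    # Peer relay name -> nodes that can reach its UDP port.
    peer_relays: Dict[str, Set[str]] = field(default_factory=dict)
    # DERP server name -> nodes that can reach it. Every node is expected to reach every DERP.
    derps: Dict[str, Set[str]] = field(default_factory=dict)


def select_path(topo: Topology, a: str, b: str) -> Optional[str]:
    """Best available path for the pair, or None if the two nodes cannot talk at all."""
    if frozenset((a, b)) in topo.direct_pairs:
        return "direct"
    for relay, reach in sorted(topo.peer_relays.items()):
        if a in reach and b in reach:
            return f"peer-relay:{relay}"
    for derp, reach in sorted(topo.derps.items()):
        if a in reach and b in reach:
            return f"derp:{derp}"
    return None


def netsplit_pairs(topo: Topology) -> Set[FrozenSet[str]]:
    """Node pairs with no path: the hard-to-debug failure a partially reachable DERP map causes."""
    return {frozenset(p) for p in combinations(sorted(topo.nodes), 2) if select_path(topo, *p) is None}


def derp_map_is_safe(topo: Topology) -> bool:
    """The bar for a self-hosted DERP map: every DERP in it is reachable by every node."""
    return all(reach == topo.nodes for reach in topo.derps.values())


def build_scenario() -> Topology:
    """Constructed example: a NAS behind a home NAT, a laptop behind CGNAT at a cafe,
    and a VPS with a public address that also runs a peer relay."""
    nodes = {"nas", "laptop", "vps"}
    return Topology(
        nodes=nodes,
        direct_pairs={frozenset(("nas", "vps")), frozenset(("laptop", "vps"))},
        peer_relays={"vps-relay": set(nodes)},  # relay UDP port reachable by all three
        derps={"fleet": set(nodes)},  # hosted DERP fleet, reachable everywhere
    )


def demo() -> Dict[str, object]:
    topo = build_scenario()
    out: Dict[str, object] = {
        "nas-vps": select_path(topo, "nas", "vps"),        # direct
        "nas-laptop": select_path(topo, "nas", "laptop"),  # upgraded onto the peer relay
    }
    # Peer relay goes down: the pair quietly falls back to DERP, nothing splits.
    topo.peer_relays.clear()
    out["nas-laptop-relay-down"] = select_path(topo, "nas", "laptop")  # derp:fleet
    # Replace the fleet with a custom DERP the cafe network blocks: the laptop loses the NAS.
    topo.derps = {"custom": {"nas", "vps"}}
    out["nas-laptop-custom-derp"] = select_path(topo, "nas", "laptop")  # None
    out["custom-derp-safe"] = derp_map_is_safe(topo)  # False
    out["split"] = netsplit_pairs(topo)  # {frozenset({'laptop', 'nas'})}
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```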

    • shj2105 2 hours ago

      I’m so confused. What is the difference between a peer relay and a DERP server that is self hosted?

      The issue I have is I’m trying to connect two devices where one is behind a CGNAT that always causes the connection to be relayed even though the other one is not behind a CGNAT and has proper port forwarding. Would a peer relay solve this, but is it like a DERP where I have to host it on a VPS separate from my existing two networks, or is this something different where I can host the peer relay on the network not behind a CGNAT and somehow it will link the two networks through it?

yuvadam 3 hours ago

Tailscale simp here, been using this feature since it launched in beta, can't believe it didn't exist earlier.

This solved every last remaining problem of my CGNAT'd devices having to hop through STUN servers (with the QoS being noticeable); now they just route through my own nodes.

drnick1 3 hours ago

It's a bit disingenuous to present solutions like Tailscale as more secure than opening a VPN port on one's own machine. The latter solution should always be preferred when available, just because you don't want your infrastructure to depend on a "free" service which might cease to be free tomorrow.

  • drannex 2 hours ago

    This is a more all-inclusive and resilient system, especially for logging, than just opening a VPN port. I do a lot of corporate installs, and if we had a system like Tailscale then I would be in heaven. So many user-created systems are heinous in regard to security, and hard to set up and keep running. Tailscale lets you set up quickly and reliably with minimal errors OOTB.

    If you feel that tailscale will fold, or the free plan will be future limited, then you can drop in headscale which is a near 1:1 API open source tailscale central server.

    If you always want to be open source and not rely on API changes or staying up to green on the headscale development (made by a third party), then you can set up netbird, which is both hosted (for free) as an alternative to Tailscale more tailored for developers, but they also open-sourced their entire stack, so you can always leave and use that on your own servers.

  • nickburns 2 hours ago

    Things are much more unscrupulous than potentially ceasing to be free tomorrow. Nobody who values their privacy would ever route their network traffic through a 'free' service.

    • jon_adler 2 hours ago

      Isn’t there separation of the control and data planes? I don’t think Tailscale get to see any of your network traffic.

      • nickburns 2 hours ago

        They need to know how/where to route your outbound traffic. That inherently includes plaintext DNS, TLS handshakes, and otherwise plaintext traffic (like HTTP for example).

        Anybody wanting to see what Tailscale is able to see can simply sniff any router interface passing outbound traffic before it enters the WireGuard tunnel interface.

himata4113 4 hours ago

I never brought myself to use Tailscale because it has a login screen, and I absolutely despise that even as a concept for a private NAT. I know Headscale exists, but it doesn't seem to even support the features I really want.

  • earthscienceman 15 minutes ago

    I can't believe this isn't a show stopper for more people here. I literally couldn't figure out how to use it the first time I tried because I didn't know how to comprehend that it was trying to get me to auth via a browser window. I kept digging around for a tailscale.conf.

    Which is when I realized it was less a piece of software and more an auth management provider with some vaguely helpful auxiliary services.

kittbuilds 3 hours ago

The peer relay approach is interesting because it essentially turns every node in your tailnet into a potential relay for other nodes. This is a meaningful architectural shift from relying on Tailscale's centralized DERP servers.

For anyone worried about the "rug pull" concern raised in another comment — this actually makes me more optimistic, not less. By distributing relay infrastructure to the edges, Tailscale is reducing its own operational cost per user while improving performance. That's the kind of flywheel that makes a generous free tier more sustainable, not less. Each new node potentially helps the whole network.

jahrichie 4 hours ago

Are you guys using this for OpenClaw or what?

  • nsbk 4 hours ago

    One of the many use cases, but basically yes. Other use cases: Home automation, remote backups, media servers, photo libraries, AI assistants... you name it!

  • josefresco 3 hours ago

    I use it only as a Personal VPN - works great!