Tailscale Peer Relays is now generally available

"Support free alternatives if you can, even if they underperform by some measure."

I value _control_ more than I do performance

Better performance is, IMHO, not a reason to sacrifice _control_, but that's just me

If users have control, i.e., can compile from source, then in theory performance improvement is possible through DIY or work of others. However performance is not always the only important issue. Today's commercial software tends to be rushed, lower quality, bloated. Releasing work-in-progress software that requires constant remotely-installed "updates" in place of a thoroughly-tested final product is a norm

Without control, if performance, _or anything else about the software_, is unsatisfactory, then there is nothing users can do

(Tailscalar here) To be clear: it's only the GUIs that are closed source on selected platforms.

I've been relatively happy with Headscale, but now that I have MacOS/iOS users I'm in the process of testing alternatives like Netbird. I was also surprised that the Tailscale Kubernetes operator is not compatible with Headscale.

That justification honestly doesn't sound that ridiculous to me, especially if the closed-source stuff is mostly just platform-specific GUI and integration code. Is there even a practical mechanism to open source an iOS app and then letting users verify that the version they're downloading from the App Store is exactly the same version that is open sourced?

Seems like an odd thing to be concerned about. Most of the apps on my Mac are closed source, that little Tailscale menu bar item is really insignificant. You can always control it through the command line if you're really bothered by it. I'm pretty sure tailscale is on brew.

Went with ZeroTier and Netbird, they're not too bad.

I switched to Netbird because of this.

That seems really exciting! If you wanted to share game streaming to a general public would they have to install tailscale on their device/login? How does that work? Am I right in assuming that tailscale is built mostly for sharing resources with people you trust instead of the general public?

Neat use case. But in fairness, you've simply 'offloaded' NAT traversal/port forwarding to automagic helper protocols over which you have no control even if you wanted it.

May want to give Apollo a try: https://github.com/ClassicOldSong/Apollo (re Sunshine)

What hardware do you use on the networking side?

There are several ports open (you dont open them, Tailscale does), including for peer relay. Some are vpn ports, but the ports for relay servers are not for VPN so my guess is that the software that listens to those ports is a lot less secure (compared to Wireguard or OpenVPN).

I believe the client is open source and there's a reverse engineered server (that some tail scale employees contribute to)

Headscale is an open source alternative, I haven't read the code but it might be a good place to start: https://github.com/juanfont/headscale

Our company pays for the premium business plan, $18/mo/user. You have to pay for at least the lower tier plan once your team grows beyond a handful of people. And there's several quite useful features (though maybe not essential) on the premium plan like serve/funnel and SSH.

On the other hand, I do wonder about zerotier. before tailscale we used zerotier for a few years, and during the first 3-4 years we paid nothing because as far as I can recall there was nothing extra that we needed that paying would've gotten us. Eventually we did upgrade to add more users, and it cost something like $5/mo (total, not per user).

> Also, sometimes it seems like I get rate limited on Tailscale.

As I understand it if everything is working properly you should end up with a peer to peer wireguard connection after initial connection using tailscales infrastructure. ie, there should be nothing to rate limit. There are exceptions depending on your network environment where you need one of the relays noted in this post.

As for opensource alternatives:

https://github.com/juanfont/headscale can replace tailscales initial coordination servers

and https://netbird.io/ seemed to be a rapidly developing full stack alternative.

They wrote a blog post addressing this concern: https://tailscale.com/blog/free-plan

Tailscale is a perfect example of using a free tier to become popular with developers, who then evangelize the product to their employers. The employers pay for business scale plans.

Facilitating peer to peer connections is cheap.

Just like cloudflare, a healthy free offering makes lots of happy/loyal developer users. Some of those users have business needs / use for the paid features and support and will convince their managers to buy in.

I love tailscale but you may be right, it's entering that acquisition zone that'll inevitably bum everyone out.

Salesforce, stay away from it!

Facilitating peer to peer connections is cheap.

Just like cloudflare, a healthy free offering makes lots of happy/loyal users. Some of those users have business needs / use for the paid features and support.

If you're worried about a rug pull, you should be. Not because Tailscale is shady, but because that's just how VC-funded infrastructure works. The free tier exists to build lock-in, not out of generosity. Headscale exists but honestly it's a pain to run compared to just paying Tailscale $18/user. The real answer is: if it's critical infrastructure, you should be running Wireguard directly and owning the coordination layer yourself. Everything else is renting convenience.

At this point Tailscale is working so well and I'm so happy with it that I'm afraid it's time to start migrating to Headscale [0] for my home network. The rag pull may just be too painful otherwise!

[0]: https://headscale.net/

It's free for up to 3 users. After that you need to start paying.

I self-host a few apps and use Tailscale to access them remotely. It's worked well, so I recommended it as a possible solution to allow employees at my company to remotely access some on-prem resources while remote, and that's being considered. If we go with that, then that'd be Tailscale making money from me using the free plan.

> How does Tailscale make money?

They spy on your network behavior by default, so free users are still paying with their behavioral data. See https://tailscale.com/docs/features/logging

“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

They know what you're doing, when, from where, to where, on your supposedly “private” network. It's possible to opt out on Windows, on *nix systems, and when using the non-GUI client on macOS by enabling the FUD-named “TS_NO_LOGS_NO_SUPPORT” option: https://tailscale.com/docs/features/logging#opt-out-of-clien...

It is not currently possible to opt out on iOS/Android clients: https://github.com/tailscale/tailscale/issues/13174

For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326

There are a number of features and teamsizes that they provide where you have to pay money. Most company users are going to end up paying them money. But also their emphasis on P2P connections means their costs are quite low. It doesn't add much overhead to have the smallish number of personal users out there. They've talked about how having the free tier helps to force them keep those costs down in useful ways.

Companies pay for it. And except for their DERP servers, free users don't cost them much.

Wouldn't the FOSS alternative be to simply use wireguard?

I pay $5 a month, and my company has a license for every employee.

Nebula is what we use. It's definitely not as convenient, but it's 100% self-ownable.

OpenZiti (Apache 2.0):

https://github.com/openziti/ziti

Free personal tier is basically a cheap advertisement for them. You try Tailscale personally and get used to it, then it is very likely you would want to deploy it at your work seeing the benefits scaling even more with more people. And then they make money.

if you have a cheap vps you can use it to forward the traffic to for some benefit, that is what i have been doing when i need compute accessible online and don't want to pay for cloud.

I see a white X in a blue box to the lower right of the modal. Is it that?

Is it a typo and it's the Nginx Proxy Manager?

(Tailscale founder here) Two main differences: first, every DERP server used by your tailnet must be accessible by every node on your tailnet at all times, otherwise you get hard-to-debug netsplits. That's a very high bar to maintain so we've historically recommended you don't try. In contrast, peer relays are "if a given pair of nodes can connect through any of the relays, go for it" so deploying one is always a performance and reliability improvement.

Secondly, peer relays support UDP while DERP is TCP-only. That would be fixable by simply improving the DERP protocol, but as we explored that option, we decided to implement the Peer Relay layer instead as a more complete solution.

Talking out my ass, but as with all things Tailscale, not much, aside from easier to use / less manual setup.

Nothing they do was impossible before, but their big win is making world wide private networking easy and accessible.

I’ve been on-boarding my friends who have their own local media servers setup so we can all share/stream content from each other.

Peer relays are a bit different from our previously available Custom DERP servers. While the custom DERPs do relay traffic, they also require a bunch of configuration and management for their other jobs and they open up availability concerns that are pretty tough for our average customer.

Conversely Peer Relays are built on top of the shoulders of DERP. For example, they don't need to do peer discovery set connections up end to end - instead connections are brokered via our DERP fleet and then in a sense "upgraded" to an available Peer Relay or Direct connection. Because of that they're super lightweight and much easier to deploy + manage. And, they scale horizontally so you can deploy many peer relays across your network, and they're resilient to downtime (we'll just fall back to DERP).

This is a more all-included and resilient system, especially for logging, than just opening a VPN port. I do a lot of corporate installs, and if we had a system like Tailscale then I would be in heaven. The amount of user-created systems are heinous in regards to security, and hard to setup and keep running. Tailscale lets you setup quickly, and reliably with minimal errors OOTB.

If you feel that tailscale will fold, or the free plan will be future limited, then you can drop in headscale which is a near 1:1 API open source tailscale central server.

If you always want to be open source and not rely on API changes or staying up to green on the headscale development (made by a third party), then you can set up netbird, which is both hosted (for free) as an alternative to Tailscale more tailored for developers, but they also open-sourced their entire stack, so you can always leave and use that on your own servers.

Things are much more unscrupulous than potentially ceasing to be free tomorrow. Nobody who values their privacy would ever route their network traffic through a 'free' service.

I can't believe this isn't a show stopper for more people here. I literally couldn't figure out how use it the first time tried because I didn't know how to comprehend that it was trying to get me to auth via browser window. I kept digging around for a tailscale.conf.

Which is then when I realized it was less a piece of software and more so an auth management provider with some vaguely helpful auxillary services.

One of the many use cases, but basically yes. Other use cases: Home automation, remote backups, media servers, photo libraries, AI assistants... you name it!

I use it only as a Personal VPN - works great!