Tailscale Peer Relays is now generally available

2026-02-18 16:46 | 470251 | tailscale.com

Work around hard NATs and tricky networks with production-grade connectivity nodes you control

When Tailscale works best, it feels effortless, almost boring. Devices connect directly, packets take the shortest possible path, and performance ceases to be a pressing concern.

But real-world networks aren’t always that cooperative. Firewalls, NATs, and cloud networking constraints can block direct peer-to-peer connections. When that happens, Tailscale relies on relays (DERP) to keep traffic moving securely and reliably.

Today, we’re excited to announce that Tailscale Peer Relays is now generally available (GA). Peer relays bring customer-deployed, high-throughput relaying to production readiness, giving you a tailnet-native relaying option that you can run on any Tailscale node. Since their beta release, we’ve shaped Tailscale Peer Relays to deliver major improvements in performance, reliability, and visibility.

What started as a way to work around hard NATs has grown into a production-grade connectivity option, one that gives teams the performance, control, and flexibility they need to scale Tailscale in even the most challenging network environments.

Vertical scaling boost that improves throughput

We have made big throughput improvements to Tailscale Peer Relays that are especially noticeable when many clients forward through the same relay. Connecting clients now select a more suitable interface and address family when a single relay exposes more than one, which helps bootstrap the connection and improves overall connection quality. On the relay itself, throughput has increased: packets are handled more efficiently on every peer relay because of reduced lock contention, and traffic is now spread across multiple UDP sockets where available.

Together, these changes deliver meaningful gains in both performance and reliability across day-to-day tailnet traffic. Even when direct peer-to-peer connections aren’t possible, peer relays can now achieve performance much closer to a true mesh.

Static endpoints for restrictive cloud environments

In some environments, particularly in public cloud networks, automatic endpoint discovery isn’t always possible. Instances may sit behind strict firewall rules, rely on port forwarding or load balancers in peered public subnets, or operate in setups where opening arbitrary ports simply isn’t an option. In many cases, the infrastructure in front of those instances can’t run Tailscale directly, making standard discovery mechanisms ineffective.

Peer relays now integrate with static endpoints to address these constraints. Using the --relay-server-static-endpoints flag with tailscale set, a peer relay can advertise one or more fixed IP:port pairs to the tailnet. These endpoints can live behind infrastructure such as an AWS Network Load Balancer, enabling external clients to relay traffic through the peer relay even when automatic endpoint discovery fails.

This unlocks high-throughput connectivity in restrictive cloud environments where traditional NAT traversal and endpoint discovery don’t work. Customers can now deploy peer relays behind load balancers and still provide reliable, high-performance relay paths to clients outside those networks.

For many customers, this also means peer relays can replace subnet routers, unlocking full-mesh deployments with core Tailscale features like Tailscale SSH and MagicDNS.

Improved auditability and visibility

Now in general availability, Tailscale Peer Relays also integrate more deeply into Tailscale’s visibility and observability tooling, making relay behavior clear, measurable, and auditable.

Peer relays integrate directly with tailscale ping, allowing you to see whether a relay is being used, whether it’s reachable, and how it impacts latency and reliability when testing connectivity. This removes much of the guesswork from troubleshooting. When issues arise, it’s easy to determine whether traffic is being relayed, whether the relay is healthy, and whether it’s contributing to degraded performance.

For ongoing observability, Tailscale Peer Relays now expose client metrics such as tailscaled_peer_relay_forwarded_packets_total and tailscaled_peer_relay_forwarded_bytes_total. These metrics can be scraped and exported to monitoring systems like Prometheus and Grafana alongside existing Tailscale client metrics, enabling teams to track relay usage, understand traffic patterns, detect anomalies, and monitor tailnet health at scale.
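Both counters are monotonically increasing totals, so the useful signal is their rate between scrapes, and the one trap in computing that rate is a counter reset: the only way a total goes down is a `tailscaled` restart, and a naive delta would then go negative. The following code is an added example, not part of the post or of Tailscale's tooling: it parses the Prometheus text format that client metrics are exposed in, computes packets/s and bytes/s from two scrapes, and flags a reset. The three scrapes are constructed; only the two metric names come from the post.

```python
"""Peer-relay forwarding rate from two Prometheus-format scrapes.

Added example, not Tailscale code. The scrape texts are constructed; the
metric names are the two the post mentions.
"""
import re

METRIC_LINE = re.compile(
    r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(-?[0-9.eE+-]+|NaN)\s*$")

PACKETS = "tailscaled_peer_relay_forwarded_packets_total"
BYTES = "tailscaled_peer_relay_forwarded_bytes_total"

# Constructed scrapes of a relay node, taken 60 s apart.
SCRAPE_T0 = """\
# TYPE tailscaled_peer_relay_forwarded_packets_total counter
tailscaled_peer_relay_forwarded_packets_total 1200
# TYPE tailscaled_peer_relay_forwarded_bytes_total counter
tailscaled_peer_relay_forwarded_bytes_total 1500000
"""
SCRAPE_T1 = """\
tailscaled_peer_relay_forwarded_packets_total 7200
tailscaled_peer_relay_forwarded_bytes_total 9900000
"""
# Constructed scrape after a tailscaled restart: both totals went *down*.
SCRAPE_AFTER_RESTART = """\
tailscaled_peer_relay_forwarded_packets_total 300
tailscaled_peer_relay_forwarded_bytes_total 420000
"""


def parse_metrics(text: str) -> dict[str, float]:
    """Map 'name{labels}' -> value for every sample line; comments are skipped."""
    samples = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = METRIC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {raw!r}")
        name, labels, value = m.groups()
        samples[name + (labels or "")] = float(value)
    return samples


def counter_delta(prev: float, curr: float) -> tuple[float, bool]:
    """Return (delta, reset). After a reset the counter restarted from zero,
    so the traffic since the last scrape is at least the new value itself."""
    if curr < prev:
        return curr, True
    return curr - prev, False


def relay_throughput(prev_text: str, curr_text: str, interval_s: float) -> dict:
    """Packets/s and bytes/s forwarded by this relay between two scrapes."""
    prev, curr = parse_metrics(prev_text), parse_metrics(curr_text)
    pkts, reset_p = counter_delta(prev[PACKETS], curr[PACKETS])
    byts, reset_b = counter_delta(prev[BYTES], curr[BYTES])
    return {
        "packets_per_s": pkts / interval_s,
        "bytes_per_s": byts / interval_s,
        "counter_reset": reset_p or reset_b,
    }


if __name__ == "__main__":
    print(relay_throughput(SCRAPE_T0, SCRAPE_T1, 60))
    print(relay_throughput(SCRAPE_T1, SCRAPE_AFTER_RESTART, 60))
```

A rate that drops to zero on a relay that clients are configured to use, or a reset that is not matched by a planned upgrade, is the kind of signal worth alerting on; Prometheus's own `rate()` handles the reset the same way, so this is mainly useful where scrapes are collected by something simpler.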

What’s next

With general availability, Tailscale Peer Relays become a core building block for scaling Tailscale in real-world networks. They enable:

  • High-throughput, low-latency connections when direct paths are unavailable
  • Deployments in restricted cloud environments through static endpoints
  • Full mesh in private subnets, with controlled ingress/egress paths

At the same time, Tailscale Peer Relays deliver intelligent, resilient path selection across the tailnet, along with first-class observability, auditability, and debuggability. All of this comes without compromising on Tailscale’s foundational guarantees: end-to-end encryption, least-privilege access, and simple, predictable operation.

Getting started is straightforward. Tailscale Peer Relays can be enabled on any supported Tailscale node using the CLI, controlled through grants in your ACLs, and deployed incrementally alongside existing relay infrastructure; you can read more in our docs.

Peer Relays are available on all Tailscale plans, including our free Personal plan. If you need deployment support or have specific throughput goals, don't hesitate to reach out.


Read the original article

Comments

  • By tda 2026-02-18 17:27, 7 replies

    I just set this up the other day, and I got my ping to drop from 16 to 10 ms, and my bandwidth tripled, when connecting from a remote NATted site to a matter desktop at my house. Together with Moonlight/Sunshine I can now play Windows games on my Linux desktop from my MacBook, with 50 Mbps/10 ms streaming. So far so good!

    Not a single port forwarded, I just set my router up as a peer node.

    • By FrenchTouch42 2026-02-18 19:44, 2 replies

      May want to give Apollo a try: https://github.com/ClassicOldSong/Apollo (re Sunshine)

      • By langarus 2026-02-19 6:33

        Any idea how this solution compares to parsec?

      • By stavros 2026-02-18 22:21, 1 reply

        Why?

        • By tietjens 2026-02-18 22:42, 1 reply

          It handles virtual displays better in case you want your pc screen to be off while streaming. There might be other reasons.

          • By stavros 2026-02-18 22:51, 1 reply

            Oh nice, virtual displays is a feature I've been wanting, thanks!

            • By StumpChunkman 2026-02-19 0:21

              Agreed with OP. It's very handy. I made the switch after trying to tinker with running third party utilities to do this and running into issues. I found Apollo and it all just worked. Now I can stream in 4K HDR to my living room TV (which is not even what my physical PC display is). It's compatible with all the regular clients too which is nice.

    • By nickburns 2026-02-18 19:00, 1 reply

      Neat use case. But in fairness, you've simply 'offloaded' NAT traversal/port forwarding to automagic helper protocols over which you have no control even if you wanted it.

      • By RulerOf 2026-02-20 1:19

        I recently tried whitelisting IPv6 prefixes at the network border and running straight IPv6 traffic from end to end.

        It works really well so long as there's an encrypted transport, although I'm a little annoyed that the routes are very different and the ping times are different too. Although at the moment I can't remember if they're worse ¯\_(ツ)_/¯

    • By jak6jak 2026-02-18 20:56

      That seems really exciting! If you wanted to share game streaming to a general public would they have to install tailscale on their device/login? How does that work? Am I right in assuming that tailscale is built mostly for sharing resources with people you trust instead of the general public?

    • By flowstraume 2026-02-18 23:16

      I'm confused. I wanted to do this too with an OpenWRT router, but I was under the impression I still had to open a 40000 port so my NAT devices can see it. Wouldn't it still be on the exposed public Internet?

    • By arjie 2026-02-18 17:39, 1 reply

      What hardware do you use on the networking side?

      • By tda 2026-02-18 20:08, 1 reply

        Nothing special, an EdgeRouter that allows installing Tailscale.

        • By arjie 2026-02-18 23:20, 1 reply

          Ah, perfect. The Mikrotiks weren't as straightforward earlier but maybe it's easier now. Glad to know it works on EdgeOS. Did you just use this? https://github.com/jamesog/tailscale-edgeos

          • By OJFord 2026-02-19 7:54

            On RouterOS you just need hardware that supports containers, then you can just run the official Tailscale image.

            Otherwise there's native ZeroTier and WireGuard, but no Tailscale.

    • By aborsy 2026-02-18 17:45, 1 reply

      There are several ports open (you don't open them, Tailscale does), including for peer relay. Some are VPN ports, but the ports for relay servers are not for VPN, so my guess is that the software that listens on those ports is a lot less secure (compared to WireGuard or OpenVPN).

      • By tda 2026-02-18 20:13, 1 reply

        Yes my router has open ports, but it does not do any port forwarding. So I can 'directly' connect any device behind my router without my router needing to know any specifics of which device that is. And I don't need to do any port forwarding of anything on my network and thus expose them to the whole internet; I just expose them to the users of my tailscale network (only me)

        • By toomuchtodo 2026-02-18 20:15, 1 reply

          Does your router not support UPNP for dynamic port punching?

          • By bityard 2026-02-18 20:29, 2 replies

            UPnP allows literally any random piece of software inside your network to open and forward arbitrary ports on your firewall. Bad idea!

            • By toomuchtodo 2026-02-18 20:29

              Within my risk appetite on trusted network segments. I have bigger issues if malware is operational within the trust boundary, it can do what it needs using outbound connections just fine (recon, lateral movement, etc). Your risk appetite might differ.

            • By gzread 2026-02-18 23:15, 2 replies

              Why are you running software that randomly opens firewall ports?

              • By sleepybrett 2026-02-20 5:34

                Malware. Got any no-name IoT devices on your network? Got some Huawei-built hardware anywhere? Playing some new indie game from developers in Romania?

                I had to install OpenWrt on my router so that I could restrict access to UPnP by MAC address to just my gaming PC (IMO this should be standard on any router as an advanced setting; most are just UPnP yes/no) so that I can still play online games.

  • By behnamoh 2026-02-18 17:27, 23 replies

    How does Tailscale make money? I really like their service but I'm worried about a rug pull in the future. Has anyone tried alternative FOSS solutions?

    Also, sometimes it seems like I get rate limited on Tailscale. Has anyone had that experience? This usually happens with multiple SSH connections at the same time.

    • By dimatura 2026-02-18 18:13, 3 replies

      Our company pays for the premium business plan, $18/mo/user. You have to pay for at least the lower tier plan once your team grows beyond a handful of people. And there's several quite useful features (though maybe not essential) on the premium plan like serve/funnel and SSH.

      On the other hand, I do wonder about ZeroTier. Before Tailscale we used ZeroTier for a few years, and during the first 3-4 years we paid nothing because, as far as I can recall, there was nothing extra that we needed that paying would've gotten us. Eventually we did upgrade to add more users, and it cost something like $5/mo (total, not per user).

      • By tamimio 2026-02-18 18:28, 1 reply

        ZeroTier is not the same as Tailscale; although both can be used to do the same thing, under the hood they are fundamentally different. ZT is layer 2, like a switch, so it's like an Ethernet, while TS is built on top of WireGuard and is layer 3. ZT allows broadcast/multicast and has its own protocol; TS doesn't. I use both among others, and ZT since around 2019; I found it reliable in some cases in the IoT world, while TS had better throughput in usual applications.

        • By dimatura 2026-02-18 22:53, 2 replies

          Yeah, they're not direct replacements. I think both models have their pros and cons. In fact I tried both around when the covid shutdowns started (server being in the office, me at home), and liked ZeroTier better; it was faster, and had a more generous free tier. But now Tailscale has won out for a couple of reasons; the main one, it's simply less flaky for us on macOS, especially for devs working overseas. No idea why, and maybe there are simple fixes (that don't involve repeated connections/disconnections, hopefully). The other, Tailscale has a few extra things that are nicer and easy to use like identity-based ACLs, funnel/serve, MagicDNS, SSH management, etc.

          • By Tor3 2026-02-19 6:43

            Zerotier works fine for me, but with a huge exception which I just can't figure out. On my Linux laptop which also runs OpenVPN and with some specific routing set up, Zerotier will, after a minute or so, completely take over the routing and default everything through Zerotier, and nothing I do with the routing tables will change this. I have to stop ZT at this point and then it reverts to normal. Every other computer in my ZT network behaves fine.

            This is so problematic that I'm considering looking into Tailscale, I understand they work very differently but it looks like my use case could be covered by both.

          • By mycall 2026-02-19 2:47

            I had to do MTU tuning on macos on the ZeroTier interface (find your feth name via ifconfig)

            # Replace feth1234/feth2345 with your active interface

            sudo ifconfig feth1234 mtu 1400

            sudo ifconfig feth2345 mtu 1400

            ..and for working with Windows peers, manually "Orbit" the Windows Peer as well as adding a direct routing hint for the internal ZeroTier IP. ZT definitely takes some effort for tuning.

      • By gpm 2026-02-18 18:25, 1 reply

        I've used serve/funnel on the tailscale free tier... definitely agree that the team size limit seems like it would move companies to the paid plan though.

        • By dimatura 2026-02-18 22:57, 1 reply

          I think how it works usually is that they let you use the features from higher tier plans than the one you're on; once you use them enough they send you an email asking to upgrade. That's what happened to us and I've seen other users mention it. Not sure how I felt about it, OTOH maybe it was less friction than explicitly subscribing for some "2 weeks free trial" or whatever but OTOH it did feel weird and unexpected. Anyway, we felt the extra features were worth it so ended up paying.

          • By gpm 2026-02-18 23:06, 1 reply

            Hmm...

            Ok I checked the pricing page and funnel is available in the free tier (limited to 3 users) but not the $6/user/month tier - which you need for more than 6 users... strange pricing structure but I guess I see the logic.

            Any chance you were asked to upgrade from $6/user/month to $18/user/month and not free to $18/user/month?

            https://tailscale.com/pricing#application-networking

            • By dimatura 2026-02-19 0:59

              Yes, we were on the starter $6 plan. The feature we got messaged about was SSH management, iirc.

      • By lysace 2026-02-18 18:35, 1 reply

        How do you handle the do-before-thinking devs? Or the kinda low-to-mid performing devs? Most companies have one or a few of those, right? They help the company machine go around by doing the somewhat boring stuff over and over again.

        Tailscale in a company/developer env seems awesome when you know what you are doing and (potentially) terrifying otherwise.

        Does someone set up detailed ACLs for what's allowed? How well does that work?

        • By madeofpalk 2026-02-18 18:58, 1 reply

          > How do you handle the do-before-thinking devs?

          Isn't that exactly what tailscale is built to accommodate - zero trust?

          You set up ACLs and other permissions to not allow people to do more than the damage you can tolerate.

    • By vizzier 2026-02-18 17:44, 2 replies

      > Also, sometimes it seems like I get rate limited on Tailscale.

      As I understand it, if everything is working properly you should end up with a peer-to-peer WireGuard connection after the initial connection using Tailscale's infrastructure, i.e., there should be nothing to rate limit. There are exceptions depending on your network environment where you need one of the relays noted in this post.

      As for opensource alternatives:

      https://github.com/juanfont/headscale can replace Tailscale's initial coordination servers

      and https://netbird.io/ seemed to be a rapidly developing full stack alternative.

      • By arsome 2026-02-18 18:15

        Headscale also offers a relay server of its own.

      • By kkapelon 2026-02-19 7:10

        There is also Netmaker.

    • By evmar 2026-02-18 17:39, 1 reply

      They wrote a blog post addressing this concern: https://tailscale.com/blog/free-plan

      • By riknos314 2026-02-18 18:13, 4 replies

        The TL;DR here is that the cost to them of operating the free tier is lower than what they estimate their customer acquisition cost would be without a free tier, so the free tier generates better leads/conversions to their paid products at a lower cost than traditional sales and marketing.

        As long as these economics continue to hold they'd be stupid to discontinue the free tier.

        • By eleventyseven 2026-02-18 18:54, 3 replies

          But it isn't 'economics' as there is no actual data or science here, just a wild guess about what customer acquisition might currently cost. All it takes to rug pull is some exec speculating that 'the economics' have changed.

          • By erikpukinskis 2026-02-18 19:14

            Any mature SaaS company will have exact measurements of acquisition costs. This is advertising, sales staff, etc.

            This is one of the most fundamental components of SaaS accounting; it's absolutely not a "wild guess".

          • By dagi3d 2026-02-18 19:08

            Acquisition cost can definitely be calculated. I'm pretty sure they know how many customers convert into paying users from their free tier and how much it costs to get them through other channels.

          • By roughly 2026-02-18 20:15

            > But it isn't 'economics' as there is no actual data or science here, just a wild guess

            Welcome to economics.

        • By hashstring 2026-02-18 21:53, 1 reply

          Makes me wonder.

          Say 5% of the free tier users convert to paying customers within 5 years, and user growth is constant. Then over time, you will get a much larger free tier user base compared to your paying customers (in absolute numbers). At some point, it must become tempting to charge all free tier users a little bit to continue, because the group got so big, so there is a lot that can be earned there.

          Is this wrong, or should we expect this?

          • By tokioyoyo 2026-02-18 21:56, 1 reply

            Cloudflare still operates like this.

            • By SahAssar 2026-02-19 0:26, 1 reply

              And they have become quite infamous for having aggressive sales tactics for anyone going over their internal metrics for the free tier (still under the public metrics for free).

              • By tokioyoyo 2026-02-19 6:37

                If you’re going above those limits… come on lol.

        • By dawnerd 2026-02-19 0:36, 1 reply

          Makes sense. Get tech people to adopt it, then push for it at work. It's brilliant and it will work. It's working for Cloudflare too.

          • By Gigachad 2026-02-19 3:55

            Also the fact it means companies can run a demo themselves without having to contact sales, after they see it works on their system they pay to add all the users they will need.

            Products that have no free tier where everything is behind a scheduled sales demo present a huge barrier to entry.

        • By wat10000 2026-02-18 18:47

          All it takes is for the decision-maker who gets the credit for cutting costs by removing the free tier to be a different person from the one who gets the blame for higher customer acquisition costs. Not saying it'll happen, just that it being a bad move isn't a guarantee.

    • By Aurornis 2026-02-18 18:21, 1 reply

      Tailscale is a perfect example of using a free tier to become popular with developers, who then evangelize the product to their employers. The employers pay for business scale plans.

      • By zephen 2026-02-18 22:07, 1 reply

        I wonder about this.

        The hoops you have to jump through to be on two different tailnets might dissuade some home users from even bringing it up at work.

        • By baq 2026-02-18 22:23, 1 reply

          Home users being on multiple tailnets is serious power user territory.

          • By zephen 2026-02-19 0:16, 1 reply

            There are a lot of workarounds these days, such as tailnet switching, and, of course, if you're admin on both tailnets, you're practically golden with the "share" option.

            But even power users have to pick and choose their battles.

            If I had a nice tailnet home setup going I might be seriously miffed if I had to try to fit in some of my devices to a corporate tailnet I didn't control.

            • By db48x 2026-02-20 8:40, 1 reply

              True, but to be frank you shouldn’t be using personal devices for work purposes anyway.

              • By zephen 2026-02-24 18:23

                Security is a series of trade-offs, which in the worst case disallows anybody from doing anything.

                In the simplest case, if a person has two different sets of systems they desire to access from a cellphone, and an unwillingness to carry two different cellphones around with them, then it becomes a business decision of whether that person is valuable and trustworthy enough to allow access to work systems and "other" systems from that cellphone.

                Who pays for the cellphone, and whether this extends to laptops or not, are questions of degree.

    • By allthetime 2026-02-18 19:09

      Facilitating peer to peer connections is cheap.

      Just like cloudflare, a healthy free offering makes lots of happy/loyal developer users. Some of those users have business needs / use for the paid features and support and will convince their managers to buy in.

    • By prodigycorp 2026-02-18 17:35, 2 replies

      I love tailscale but you may be right, it's entering that acquisition zone that'll inevitably bum everyone out.

      Salesforce, stay away from it!

      • By tomxor 2026-02-18 18:38, 2 replies

        I have the same fears. Last year they publicly stated they are not interested in acquisition [0]

        > Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).

        > “Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”

        Nothing is set in stone; after all, it's VC backed. I have a strong aversion to becoming dependent upon proprietary services; however, I have chosen to integrate TS into my infrastructure, because the value and simplicity it provides is worth it. I considered the various copycat services and pure FOSS clones, but TS are the ones who started this space and are the ones continuously innovating in it. I'm on board with their ethos and mission and have made use of apenwarr's previous work. In other words, they are the experts, they appear to be pretty dedicated to this space, so I'm putting my trust in them... I hope I'm right!

        [0] https://betakit.com/corporate-vpn-startup-tailscale-secures-...

        • By nerdsniper 2026-02-18 18:59

          Would be curious if a partial decompilation and short static analysis would yield any reliable info about what they might be collecting.

        • By omnimus 2026-02-18 19:08, 2 replies

          Just note, I doubt Tailscale was the first popular VPN manager, as I remember many hobby users are ZeroTier converts, and there are also much older products like Hamachi.

          Tailscale has built a great product around WireGuard (which is quite young) and they have great marketing and docs. But they are hardly the first VPN service; they might not even be the most popular one.

          • By tomxor 2026-02-18 19:58

            Yes, I ambiguously said "started this space"... and to be honest even in the most generous interpretation that's probably incorrect, maybe ZeroTier started "this space", in that it had NAT busting mesh networking first.

            As far as I understand, Tailscale brought NAT-busting mesh networking to WireGuard plus identity-first access control, and reduced configuration complexity. I think they were the first to think about it from an end-to-end user perspective, and each feature they add definitely has this spin on it. It makes it feel effortless and transparent (in both the networking sense and the cryptography sense)... So I suppose that's what I mean by started: TS was when it first really clicked for a larger group of people; it felt right.

          • By tietjens 2026-02-18 22:46

            Might be time to learn me some Wireguard.

      • By politelemon 2026-02-18 17:57

        Dearest Salesforce, Apple, Oracle, and IBM. Please look elsewhere for acquisitions to ruin for everyone. Cheers.

    • By nsbk 2026-02-18 17:43, 1 reply

      At this point Tailscale is working so well and I'm so happy with it that I'm afraid it's time to start migrating to Headscale [0] for my home network. The rug pull may just be too painful otherwise!

      [0]: https://headscale.net/

      • By sureglymop 2026-02-18 17:55, 1 reply

        I've been smoothly running Headscale on a Hetzner VPS for many months now. Works without issues (note that it does lack some features still).

        • By ErneX 2026-02-18 19:02

          Same here.

    • By allthetime 2026-02-18 19:08

      Facilitating peer to peer connections is cheap.

      Just like cloudflare, a healthy free offering makes lots of happy/loyal users. Some of those users have business needs / use for the paid features and support.

    • By tiernano 2026-02-18 17:30, 1 reply

      It's free for up to 3 users. After that you need to start paying.

      • By criddell 2026-02-18 19:22

        I have a family of 4 so I pay and it's still crazy cheap. I wonder how sustainable it is.

    • By thecapybara 2026-02-18 18:02

      I self-host a few apps and use Tailscale to access them remotely. It's worked well, so I recommended it as a possible solution to allow employees at my company to remotely access some on-prem resources while remote, and that's being considered. If we go with that, then that'd be Tailscale making money from me using the free plan.

    • By mrsssnake 2026-02-18 18:36, 1 reply

      Free personal tier is basically a cheap advertisement for them. You try Tailscale personally and get used to it, then it is very likely you would want to deploy it at your work seeing the benefits scaling even more with more people. And then they make money.

      • By QuercusMax 2026-02-18 19:29

        1000%. Tailscale is the first VPN I've used that makes my life easier, and I'm using it for personal access to my selfhosted servers at home. I will definitely recommend it to companies I work for in the future.

    • By eurg 2026-02-18 17:48

      Companies pay for it. And except for their DERP servers, free users don't cost them much.

    • By dec0dedab0de 2026-02-18 18:54, 4 replies

      Wouldn't the FOSS alternative be to simply use wireguard?

      • By iso1631 2026-02-18 19:03

        Most posters on HN barely know what a subnet is, so it's not that simple.

        There are two key features:

        1) Tunnel management

        Tailscale will configure your p2p tunnels itself. If you have 10 devices, to do that yourself you'd have to manage 90 tunnels. Add another device and that goes up to 100. Remove a device and you have 9 other devices to update.

        2) Firewall punching

        They provide an orchestration system which allows two devices both behind a NAT or stateful firewall to communicate with each other without having to open holes in the firewall (because most firewalls will allow "established" connections, including treating UDP as established: "packet went from ipa:porta to ipb:portb 'outbound', thus until a timeout period any traffic from ipb:portb to ipa:porta will be let through (and NATted as appropriate)").

        The orchestration sends traffic from ipa to ipb and from ipb to ipa on known ports at the same time, so both firewalls think the traffic is established. For NATs which do source-port scrambling it uses the birthday paradox to get a matching stream.

        I believe you can run a similar headend using "headscale" yourself.
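The birthday-paradox step in the comment above is easy to quantify, and doing so shows why some NAT pairs still end up on a relay: if the far NAT has opened k random external ports out of n and this side sends m probes to distinct random ports, the chance of no match is C(n-k, m)/C(n, m). The code below is an added worked example, not code from the post or from Tailscale; the ephemeral range of 64512 ports and the 256/256 split are assumptions chosen for illustration, and the computation is the general sampling-without-replacement form rather than a description of what the client actually does.

```python
"""Birthday-paradox hit probability for NAT port guessing (added example).

Not Tailscale code. n_ports, k_mapped and m_probes below are assumptions
chosen to illustrate the math the comment describes.
"""
from math import exp, lgamma


def _log_choose(n: int, k: int) -> float:
    """log C(n, k) via lgamma, which stays accurate for n in the tens of thousands."""
    return lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)


def hit_probability(n_ports: int, k_mapped: int, m_probes: int) -> float:
    """Probability that at least one of m_probes distinct random ports lands
    on one of the k_mapped ports the far NAT actually opened, out of n_ports.
    The probes are distinct (sampling without replacement), so
    P(no hit) = C(n - k, m) / C(n, m)."""
    if k_mapped <= 0 or m_probes <= 0:
        return 0.0
    if k_mapped + m_probes > n_ports:
        return 1.0  # pigeonhole: some probe must hit a mapping
    log_miss = (_log_choose(n_ports - k_mapped, m_probes)
                - _log_choose(n_ports, m_probes))
    return 1.0 - exp(log_miss)


def probes_needed(n_ports: int, k_mapped: int, target: float) -> int:
    """Smallest number of probes that reaches the target hit probability."""
    m = 1
    while hit_probability(n_ports, k_mapped, m) < target:
        m += 1
    return m


if __name__ == "__main__":
    n = 65535 - 1024 + 1  # assumed ephemeral port range: 64512 candidates
    # One mapping, one guess: essentially hopeless (1/64512).
    print(f"k=1,   m=1:   {hit_probability(n, 1, 1):.6f}")
    # Both sides spend 256 ports: the classic birthday-style result, ~64%.
    print(f"k=256, m=256: {hit_probability(n, 256, 256):.3f}")
    print(f"probes for a 50% hit with k=256: {probes_needed(n, 256, 0.5)}")
```

The last two lines are the practical point: with a few hundred ports spent on each side the attempt succeeds most of the time but not always, and a pair of hard NATs that loses that coin toss is exactly the case where traffic ends up on DERP or, with this release, on a peer relay you control.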

      • By newsoftheday 2026-02-18 19:09

        I do, I use a VPS (at OCI free) to host Wireguard. My home systems (running my production web sites and email) are on my VPN and mine and my wife's phones. I hand configured it all but it wasn't difficult for me.

      • By NoiseBert69 2026-02-18 19:04

        Yes and no. It's a lot of manual work to get WG to behave like Tailscale.

      • By nagaiaida 2026-02-19 19:30

        A simpler setup with broad feature parity would probably look more similar to Nebula than to bare WireGuard.

    • By zaphar 2026-02-18 18:51

      There are a number of features and team sizes they provide where you have to pay money. Most company users are going to end up paying them money. But also their emphasis on P2P connections means their costs are quite low. It doesn't add much overhead to have the smallish number of personal users out there. They've talked about how having the free tier helps force them to keep those costs down in useful ways.

    • By cbility 2026-02-20 8:41

      https://netbird.io/ is open source, with a freemium hosted option. Works for us and I find it easier to configure than tailscale for routing rules.

    • By Lammy 2026-02-18 18:42, 3 replies

      > How does Tailscale make money?

      They spy on your network behavior by default, so free users are still paying with their behavioral data. See https://tailscale.com/docs/features/logging

      “Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

      They know what you're doing, when, from where, to where, on your supposedly “private” network. It's possible to opt out on Windows, on *nix systems, and when using the non-GUI client on macOS by enabling the FUD-named “TS_NO_LOGS_NO_SUPPORT” option: https://tailscale.com/docs/features/logging#opt-out-of-clien...

      It is not currently possible to opt out on iOS/Android clients: https://github.com/tailscale/tailscale/issues/13174

      For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326

      • By jzelinskie 2026-02-18 22:45

        I'd love to have someone else chime in on this because I did some spelunking and am not sure if this comment is true.

        I checked my DNS logs and saw zero attempts to resolve `log.tailscale.com` having run tailscale for many years (I added it to a blocklist anyway). From their admin panel, it appears "network logging" requires paying for Premium[0], so it's not being used for free users (or Personal Pro).

        Also, from looking at some source code (because the docs don't include this), I discovered you can disable logging for the macOS App Store client by doing:

             echo "TS_NO_LOGS_NO_SUPPORT=true" > ~/Library/Containers/io.tailscale.ipn.macos.network-extension/Data/tailscaled-env.txt
        
        [0]: https://login.tailscale.com/admin/logs/network
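A check of the kind jzelinskie describes (grepping resolver logs for `log.tailscale.com`, which is also where Lammy's per-week figure comes from) written out as an added example; this is not code from the thread or from Tailscale. It parses constructed dnsmasq/Pi-hole style log lines, counts queries per client, records whether the name was answered from a local block entry, and extrapolates a weekly rate from the span actually observed. The log lines and the year supplied at parse time are constructed, not captured.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed resolver log in dnsmasq's query/config line style (plain dnsmasq
# and Pi-hole both emit this shape). Not captured from a real network; the
# 0.0.0.0 / :: answers model a blocklist entry for log.tailscale.com. The
# control-plane reply address is from the TEST-NET-3 documentation range.
SAMPLE_DNS_LOG = """\
Feb 18 19:00:01 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.20
Feb 18 19:00:01 dnsmasq[812]: config log.tailscale.com is 0.0.0.0
Feb 18 19:00:01 dnsmasq[812]: query[AAAA] log.tailscale.com from 192.168.1.20
Feb 18 19:00:01 dnsmasq[812]: config log.tailscale.com is ::
Feb 18 19:00:31 dnsmasq[812]: query[A] controlplane.tailscale.com from 192.168.1.20
Feb 18 19:00:31 dnsmasq[812]: reply controlplane.tailscale.com is 203.0.113.10
Feb 18 19:05:01 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.20
Feb 18 19:05:01 dnsmasq[812]: config log.tailscale.com is 0.0.0.0
Feb 18 19:07:44 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.31
Feb 18 19:07:44 dnsmasq[812]: config log.tailscale.com is 0.0.0.0
Feb 18 20:00:01 dnsmasq[812]: query[A] log.tailscale.com from 192.168.1.20
Feb 18 20:00:01 dnsmasq[812]: config log.tailscale.com is 0.0.0.0
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)
# A "config NAME is 0.0.0.0" (or "::") line is dnsmasq answering from a local
# address=/NAME/ entry, i.e. the name was sinkholed rather than resolved.
SINKHOLE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d dnsmasq\[\d+\]: "
    r"config (?P<name>\S+) is (0\.0\.0\.0|::)$"
)


def parse_queries(text, year=2026):
    """Return (timestamp, qtype, name, client) for every query line.
    dnsmasq omits the year, so the caller supplies it (constructed here)."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["qtype"], m["name"], m["client"]))
    return out


def sinkholed_names(text):
    """Names the resolver answered from a local block entry."""
    return {m["name"] for m in map(SINKHOLE_RE.match, text.splitlines()) if m}


def queries_per_client(queries, name):
    """How many times each client asked for `name` (A and AAAA both count)."""
    return Counter(client for _, _, n, client in queries if n == name)


def projected_weekly(queries, name):
    """Extrapolate the observed query rate for `name` to a 7-day window.
    A single burst (zero span) is reported as its raw count, not a rate."""
    hits = [ts for ts, _, n, _ in queries if n == name]
    if not hits:
        return 0.0
    span = max(hits) - min(hits)
    if span == timedelta(0):
        return float(len(hits))
    return len(hits) * (timedelta(days=7) / span)


if __name__ == "__main__":
    q = parse_queries(SAMPLE_DNS_LOG)
    print("sinkholed:", sorted(sinkholed_names(SAMPLE_DNS_LOG)))
    print("per client:", dict(queries_per_client(q, "log.tailscale.com")))
    print("projected/week:", projected_weekly(q, "log.tailscale.com"))
```

The extrapolation is deliberately naive (one hour of log is a poor basis for a weekly figure); the point is that the per-client counter separates "this one box retries constantly because it is blocked" from "every node on the LAN talks to the log server", which is the distinction the thread is arguing about.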

      • By nickburns 2026-02-18 18:55 (2 replies)

        Pretty much this. DNS, SNI, and otherwise plaintext traffic sniffing. That together with user/device 'fingerprinting' (a much more amorphous concept), and that's why such-and-such thing you were just talking about with so-and-so pops up on your screen/feed/whatever, sometimes only minutes later.

        I highly doubt any of this can actually be opted-out of. How else would they stay in business?

        • By namtim 2026-02-18 19:23 (1 reply)

          The `TS_NO_LOGS_NO_SUPPORT` option opts out of all log collection, and says in the name why it is collected in the first place. Tailscale has support for all users, including free, and having access to logs has to be how they can provide free support. Having quick access to logs reduces the time it takes to handle tickets, so they can help more people quickly and don't need to limit support to only paying users.

          The core client code is open source, feel free to inspect it yourself.

          • By nickburns 2026-02-18 19:32

            The client may be open source. But the service is obviously not.

            Don't let that deter you from trusting whomever you choose, though.

        • By snailmailman 2026-02-19 02:50 (2 replies)

          They specifically avoid sending traffic through tailscale servers whenever possible. That’s how the free tier stays free. Most connections are direct, P2P.

          The traffic that does go through their servers is encrypted, and bandwidth limited on the free plan. Any snooping on client behavior would have to be done client side, and the clients are all open source. To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

          I think they do have some “service detection” which can basically port-scan your devices to make services visible in the web UI. But that is easy to disable. And premium/enterprise tiers can intentionally log traffic statistics.

          • By Lammy 2026-02-19 17:08 (1 reply)

            > To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

            Metadata is as good as data for deducing your behavior. Think what conclusions can be drawn about a person's behavior from a log of their network connections, from each connection's timestamp, source, destination, and port. Think about the way each additional thing-which-makes-network-requests increases the surveillance value of all the others.

            Straight away, many people's NTP client tells the network what OS they use: `time.windows.com`? Probably a Windows user. `time.apple.com`? Probably Mac or iOS. `time.google.com`? You get the idea. Yeah, anyone can configure an NTP client to use any of those hosts, but the vast vast majority of people are taking the default and probably don't even know what NTP is.

            Add a metadata point: somebody makes a connection to one of the well-known Wi-Fi captive portal detection hosts around 4PM on a weekday? Maybe somebody just got home from school. Captive portal detection at 6PM on a weekday? Maybe somebody just got home from work. Your machines are all doing this any time they reconnect to a saved Wi-Fi network: https://en.wikipedia.org/wiki/Captive_portal#Detection

            Add a metadata point: somebody makes a network connection to their OS's default weather-widget API right after the captive-portal test, and then another weather-API connection exactly ${DEFAULT_INTERVAL} minutes later? That person who got home is probably still home.

            Required reading: https://kieranhealy.org/blog/archives/2013/06/09/using-metad...
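The inference chain sketched above, written out as an added example (not code from the thread or from Tailscale). It runs over constructed connection-metadata records of exactly the four fields the comment names (timestamp, source, destination, port), using the well-known NTP and captive-portal hosts mentioned there; `weather.example.net` is a hypothetical stand-in for an OS weather-widget API and the 15-minute default poll interval is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, one per line: "timestamp source destination dport".
# Not from a real tailnet. The NTP and captive-portal hosts are the well-known
# OS defaults; weather.example.net is a hypothetical weather-widget API.
SAMPLE_LOG = """\
2026-02-18T09:10:00 10.0.0.50 www.msftconnecttest.com 80
2026-02-18T09:10:01 10.0.0.50 time.windows.com 123
2026-02-18T16:01:03 10.0.0.21 connectivitycheck.gstatic.com 80
2026-02-18T16:01:04 10.0.0.21 time.google.com 123
2026-02-18T16:01:09 10.0.0.21 weather.example.net 443
2026-02-18T16:16:09 10.0.0.21 weather.example.net 443
2026-02-18T18:02:11 10.0.0.34 captive.apple.com 80
2026-02-18T18:02:12 10.0.0.34 time.apple.com 123
2026-02-18T18:02:20 10.0.0.34 weather.example.net 443
2026-02-18T18:17:20 10.0.0.34 weather.example.net 443
2026-02-18T18:32:20 10.0.0.34 weather.example.net 443
"""

NTP_HOST_TO_OS = {
    "time.windows.com": "Windows",
    "time.apple.com": "macOS/iOS",
    "time.google.com": "Android/ChromeOS (weak guess)",
}
CAPTIVE_PORTAL_HOSTS = {
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "www.msftconnecttest.com",
}
WEATHER_HOST = "weather.example.net"           # hypothetical
DEFAULT_POLL_INTERVAL = timedelta(minutes=15)  # assumed widget default


def parse_records(text):
    """Parse one 'timestamp src dst dport' record per non-blank line."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def infer_os(records):
    """OS guess per source, from nothing but the NTP server it talks to."""
    return {src: NTP_HOST_TO_OS[dst]
            for _, src, dst, port in records
            if port == 123 and dst in NTP_HOST_TO_OS}


def infer_arrivals(records):
    """A captive-portal probe marks a (re)join of a saved Wi-Fi network.
    Label it by time of day the way the comment does."""
    arrivals = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst not in CAPTIVE_PORTAL_HOSTS:
            continue
        if 15 <= ts.hour < 17:
            label = "home-from-school?"
        elif 17 <= ts.hour < 20:
            label = "home-from-work?"
        else:
            label = "other"
        arrivals[src].append((ts, label))
    return dict(arrivals)


def infer_presence(records, interval=DEFAULT_POLL_INTERVAL,
                   slack=timedelta(seconds=30)):
    """Consecutive weather polls spaced at the default interval suggest the
    device stayed on the network. Returns src -> (first, last, still_there)."""
    polls = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst == WEATHER_HOST:
            polls[src].append(ts)
    spans = {}
    for src, times in polls.items():
        times.sort()
        first = last = times[0]
        for t in times[1:]:
            if abs((t - last) - interval) > slack:
                break  # gap or irregular poll: stop extending the span
            last = t
        spans[src] = (first, last, last - first >= interval)
    return spans


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(infer_os(recs))
    print(infer_arrivals(recs))
    print(infer_presence(recs))
```

None of this needs payload: it is what a connection log alone supports. Whether any particular relay or log service actually receives records of this shape is the question the replies below argue about; the example only shows what could be read out of them if it did.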

            • By db48x 2026-02-20 08:49

              True, but none of that metadata goes to Tailscale.

          • By nickburns 2026-02-19 12:53 (2 replies)

            This is pure misinformation. 'Most connections are direct, P2P' makes no sense to anyone versed in basic networking.

            • By snailmailman 2026-02-19 17:11

              I don’t mean P2P in the same sense that BitTorrent or something is P2P. (Splitting one connection into many distributed ones) But more like how a game that does P2P multiplayer has the clients connect directly instead of through a centralized service.

            • By allarm 2026-02-19 16:21

              What do you mean? P2P is commonplace, for example, in IP telephony, and obviously in many other cases.

      • By db48x 2026-02-20 08:49

        That’s misleading; you have to pay extra to get access to that feature.

    • By gz5 2026-02-18 17:40 (2 replies)

      OpenZiti (Apache 2.0):

      https://github.com/openziti/ziti

      • By bityard 2026-02-18 20:37 (1 reply)

        This is a secure mesh network, but it appears to be for embedding into applications, not a "private VPN" like Tailscale, or do I misunderstand?

        • By PLG88 2026-02-19 08:38

          Embedding is an option, but tunnelers - https://netfoundry.io/docs/openziti/reference/tunnelers/ - and edge routers (which can front legacy services without modifying them) also exist.

          The difference is architectural; Tailscale is a mesh VPN, whereas OpenZiti is an identity-first, zero trust overlay network. This makes OpenZiti service-centric and deny-by-default, not network-centric. Instead of “join a private network,” you get access only to explicitly authorised services, with no ambient reachability at all. It's also 100% open source. If you want a simple productised, SaaS experience, NetFoundry, the company behind OpenZiti, provides that.

    • By resiros 2026-02-19 11:16

      I use netbird and can only recommend it.

    • By UltraSane 2026-02-19 00:51

      Companies pay per user for TailScale as an alternative to conventional VPNs like Cisco AnyConnect.

    • By Suffocate5100 2026-02-18 19:08

      Nebula is what we use. It's definitely not as convenient, but it's 100% self-ownable.

    • By pkulak 2026-02-18 20:01

      I pay $5 a month, and my company has a license for every employee.

    • By jacquesm 2026-02-19 10:18

      Through paying users like me.

    • By fdefitte 2026-02-18 20:07 (1 reply)

      [dead]

      • By batrat 2026-02-18 20:54

        It happened to others but there are also some very good examples like Veeam community edition which, IMO, is the best backup software. They had lots of discussions and even pressure from management to terminate it, but the numbers made a lot of sense and they kept it. Tailscale is at a disadvantage here because they are in a very crowded market and it will be very easy to slip into one corner and make way for others like netbird, netmaker, nebula(?), wireguard (like you said), etc.

  • By timwis 2026-02-18 21:38 (2 replies)

    I'm having a hard time understanding how this is different from a bastion server, where you're tunneling through an intermediary server that you've deployed in the target network.

    I guess the difference is the fact that the intermediary server doesn't need a port open (as standard nat punching will work)? Or are there other big differences?

    • By bingo-bongo 2026-02-20 07:26 (1 reply)

      We've set up and used peer relays since they were first announced and they've been great, but they do solve a somewhat specific problem.

      Some of our users experienced fairly limited throughput from time to time. Under certain circumstances (eg. always ipv4 NAT/double-NAT, never for ipv6) their Tailscale client couldn't establish a direct connection to the Tailscale node in the datacenter, so data was relayed through Tailscale's public relay nodes, which at times were rate limited or a bottleneck - in all fairness, that is to be expected according to their docs.

      The first mitigation was to "ban" the specific public relay they were using in the policy. Which helped, but still not a great solution and we might just end up in a weird whack-a-mole-ish ban game with the public peer relays in the long run.

      So we set up a peer relay, which networking-wise is in a DMZ sort of network (more open), but location-wise still in the datacenter, and allowed it to easily reach the internal (more restricted networking) Tailscale nodes. That solved all throughput problems, since we no longer have users connecting through the public relays.

      Also, the peer relays feel a little bit magic: once you allow the use of them in the Tailscale policy, it just works(tm) - there is basically zero fiddling with them.

      EDIT: I'll happily provide more details if interested - we did a fair amount of testing and debugging along the way :)

      • By timwis 2026-02-20 08:54

        Thanks, that's a helpful example to put it into context!

    • By fireant 2026-02-20 04:53

      I think the biggest difference is that your client applications don't need to be explicitly configured to use the bastion server. For example ssh, web browsers, rdp, samba and so on can just pretend that you are inside the target network. Doubly useful if this is a "customer" network and you are working with multiple customers.

HackerNews