Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
I always knew it was too nice to stay non-shitty forever.
Guess it’s time for me to pester my ISP to let me open some portsJust use normal wireguard, why do you need tails or heads at all?
Accessing your home network that is kept inside a NAT by your ISP, without you having to acquire an online server somewhere.
You really don’t though. I use wireguard myself under the same scenario without issue. You just need to use some form of dynamic DNS to mitigate the potentially changing IP. Even if you’re using Tailscale you’ll still need to have something running a service all the time anyways, so may as well skip the proxy.
Your approach won’t work if you’re behind carrier grade NAT or you can’t open ports. My landlord provides my internet so I use tailscale (with headscale on my long distance vps) to connect everything and it works great. It uses LAN when I’m home, and NAT punches when I’m elsewhere.
Except you do need to acquire an online server somewhere, its just one that tailscale owns and controls instead of you, and when tailscale decides to enshittify and kill of their free tier you’ll be left wondering why you didn’t just rent a cheap VPS sooner.
Ask yourself, what is tailscale getting out of those “free” users that makes it worth providing services to them that they’d otherwsie need to rent a VPS for? What do you think their response would be if for example they got pressured about maybe too many users on their network are running a certain video streaming app?
Tailscale offers way more then just wireguard. ACLs, NAT traversal etc. etc.
While some use cases can be replaced with traditional wireguard, others not.
I’m curious what kind of a use case you can think of that “traditional wireguard” can’t replace tailscale for.
Tailscale has a maximum of 3 users on their free tier, so it seems like a super limited use case of people who DIY their own servers for Jellyfin or HomAssistant or whatever, but just a tad too lazy to setup their own Wireguard service in addition to whatever it is they’d be using it for… I think the vast majority of free tailscale users have simply never actually tried wg-easy , because if they did they wouldnt need to use a third party service.
@gravitywell you miss the whole goodie-part like funnels, acls, certs etc.
ACLs for me are really valuable as i’m using for a small team (3ppl) for server/app admin. @ShortN0teI think ACL is a paid feature with TS, but maybe im wrong. Once you get to the paid tier, you are just paying someone else to manage your VPN, which is fair enough but its not something you could’t also pay someone to do with wireguard (or openVPN for that matter). I think its fair to say “I pay for this service because i don’t want to have to deal with configuring it myself”, it might be easier to setup for some use cases, but if someone is already self-hosting things and has a DIY attitude to it, I don’t think tailscale can do anything wireguard can’t also do (it is based on WG afterall)
Maybe I’m not familiar enough with other kinds of setups to think of things though. My wireguard setup is basically a meshnet between several people’s home servers, each person has their own subnet only they can use, but the wider 10.X.X.X is shared by everyone, its certainly not the most secure because it doesnt need to be, but if i wanted to restrict one persons access to something i certainly could do that.
ACLs are on the free tier too.
Big difference in users and devices here. Tailscale might have a 3 user limit, but you can add up to 100 devices for free. So for me for example I have tailscale running in each and every docker container in my NAS. So each and every container can now act as a node on my tailnet. Users isn’t a big deal, any one node can activate funnel with a simple command and poof its available to the public. The convenience coupled with simplicity is what makes Tailscale so god damn good.
I’ve realized how easy it is to just actually run a network rather than half ass it with tailscale. I recommend this, it’s fun.
I just replaced my entire setup with base wireguard as a challenge, easier than I expected it to be, and not hard to mimic tailscale.
They also had a major ass security issue that a security company should not be able to get away with the other day: assuming everyone with access to an email domain trusts each other unless it’s a known-to-them freemail address. And it was by design “to reduce friction”.
I don’t think a security company where an intentional decision like that can pass through design, development and review can make security products that are fit for purpose. This extends to their published client tooling as used by Headscale, and to some extent the Headscale maintainer hours contributed by Tailscale (which are significant and probably also the first thing to go if the company falls down the usual IPO enshittification).
Isn’t that the entire design philosophy of tailscale?: reduce friction, at the cost of some security.
If security is your main priority, you should be using more secure options, even if they are less convenient or tougher to maintain.
Headscale maintainer hours contributed by Tailscale
Could you expand on this?
There’s a disclaimer in the readme: https://github.com/juanfont/headscale/?tab=readme-ov-file#disclaimer
The maintainer Tailscale contributes happens to be the lead developer by commit count at the moment.
What’s the benefit over just WG?
Personally, my ISP (T-Mobile 5G) has CGNAT and blocks all incoming traffic. I can’t simply Wireguard into my network. Tailscale has been my intermediary to get remote access.
I guess it’s time to figure how how to host an alternative on a VPS (I see Headscale mentioned in these comments).
Tailscale uses WG though, so it’s fundamentally the same thing. Like you said - just do Headscale on a VPS.
Or Wireguard on a VPS
You dont need to manually handle the WG config files. This isn’t really an issue when it’s just and your two devices, but once you start supporting more people like non-technical family members, this gets really annoying really quickly.
Tailscale (and headscale) just require you to log in which even those family members can manage and do the rest for you. They also support SSO in which case you wouldn’t even have to create new accounts.
Your tech illiterate grandma can set it up. It’s that easy.
WG is worthless in a CGNAT environment… And as we are in 2025 and time doesn’t stop it will be irrelevant for everyone someday, unless they fully support IPv6 (which I don’t know if they do, if you can use WG in a CGNATED network with IPv6 I’d like to know though, I am very rusty setting it up, but it might worth checking it out).
CGNAT is for IPv4, the IPv6 network is separate. But if you have IPv6 connectivity on both ends setting up WG is the same as with IPv4.
No need to port forward, almost 0 config.
Easier/zero configuration compared to manual WG setup. Takes care of ports and providing transparent relay when no direct connection works.
I’m not that worried as there are alternatives like Netbird. The underlying tech really isn’t hard to replicate since Wireguard is pretty standard.
I think it would be cool if Tailscale made it into the enterprise arena.
Didnt even work for me, i use mullvad so if i wanted to use tailscale on my android to connect to my desktop, it wants me to disable mullvad unlike on my desktop…
Tailscale offers a paid Mullvad integration, where you can select most Mullvad servers as exit nodes. Works quite well.
Yeah this was a deal-breaker for me too.
I think that’s because both work on Android by being a VPN, and the system can’t handle doing two vpns simultaneously
Well not really but most people don’t like manually editing routing tables
You can do that? On ordinary, non-rooted Android?
a long runway that allows us to become profitable when needed
Switch to self-hosting headscale when they enshittify in an attempt to become profitable, duh
Bookmarking “headscale”!
I only recently started using Tailscale because it makes connecting to my local network through a Windows VM running in Boxes on Linux a hell of a lot easier than figuring out how to set up a networked bridge.
This sounds like a great alternative, and it looks like it can even work on a Synology NAS.
I mainly use Tailscale (and Zerotier) to access my CGNATED LAN, headscale will require me to pay a subscription for a VPS wouldn’t it?
I really envy the guys who say only use them because they’re lazy to open ports or want a more secure approach, I use them because I NEED them lol.
If (when?) Tailscale enshitify I’ll stick with ZT a bit until it goes the same way lol, I started using it 1st, I don’t know if ZT came before Tailscale though.
Same. I mean, I was already looking to rent a VPS, but at least there’s some time so I can save money until things get weird.
Yeah, don’t get me wrong, I can see value of getting a VPS, especially if you are gonna be using it for some other projects, I have had a DO instance in the past and I thinkered with WG back then BTW, but if it is only for remote accessing your home LAN, I don’t feel like paying for it tbh, especially when some users get it for free (public IPv4) and it feels even dumber for me since I have a fully working IPv6 setup!
BTW my ISP is funny, no firewall at all with it, I almost fainted when I noticed everyone could access my self hosted services with the IPv6 address and I did nothing regarding ports or whatsoever… They were fully accessible once I fired up the projects! I think I read an article about this subject… But I can’t recall when or where… I had to manually set up a firewall, which tbh, you always should do and it is especially easy to do in a Synology NAS.
Anyway, back to the mesh VPN part, if they enshitify so be it, but in the meantime we still can benefit from it.
Vps can be really inexpensive, I pay $3 a month for mine
Same, my Hetzner proxy running NPM, with pivpn and pihole is doing all it needs to do for $3 and some change.
My only open ports on anything I own are 80, 443 and the wg port I changed on that system. Love it.
I can’t unfortunately. They only feature I use is that fact I can access my ipv6 only server via an ipv4 only network.
Been meaning to do this. Tailscale was just there and easy to implement when I set my stuff up. Is it relatively simple to transition?
What is even the point of tailscale? What can it do that other VPN solutions don’t? I feel like this is a problem that was solved like 20 years ago and still we’re coming up with novel solutions for some reason. At my company they want to start using tailscale and I don’t see why we don’t just set up wireguard on a node in our k8s cluster instead
If you are capable of setting up your own personal VPN, you don’t need Tailscale. You still may want to use it though, depending on how much of a novelty Network Fun is for you in your spare time.
For me, the main advantage to Tailscale et al is that it is on a per device basis. So I can access my SMB shares or Frigate setup remotely while still keeping the rest of my internal network isolated( to the degree I trust the software and network setup). You CAN accomplish that with some fancy firewall rules and vlanning but… yeah.
Because it offers much more than just VPN even though that’s what most users use it for. Read their documentation and you’ll see
Because I can have 3 phones, 2 tablets, 3 computers and 4 server on the same Tailnet in 15 minutes when starting from scratch
I guess that’s neat but I don’t think I’ve ever needed more than one connection to a corpo VPN at a time
Tailscale/headscale/wire guard is different from a normal vpn setup.
VPN: you tunnel into a remote network and all your connections flow through as if you’re on that remote network.
Tailscale: your devices each run the daemon and basically create a separate, encrypted, dedicated overlay network between them no matter where they are or what network they are on. You can make an exit node where network traffic can exit the overlay network to the local network for a specific cidr, but without that, you’re only devices on the network are the devices connected to the overlay. I can setup a set of severs to be on the Tailscale overlay and only on that network, and it will only serve data with the devices also on the overlay network, and they can be distributed anywhere without any crazy router configuration or port forwarding or NAT or whatever.
pre-emptive pikachu face strike
Tailscale never sat right with me. The convenience was nice, but - like other VC-funded projects - it followed that ever-familiar pattern of an “easy” service popping up out of nowhere and gaining massive popularity seemingly overnight. 🚩🚩🚩
I can’t say I’m surprised by any of this.
I think there’s room in the world for a selfhosted, foss version of their software, even if a little simplified.
Would you rather a difficult and hard to use program?
Easy to use means people will want to adopt it, and that’s what VC companies want. Nobody wants to pay millions of dollars to make a program that nobody wants to use.
My problem isn’t directly with the program - my problem lies with VC funding in general. Because they will come back for their money, and the project will inevitably enshittify and shove out enthusiasts in the never-ending search for infinite money.
The solution is getting rid of VC bullshit entirely. But we all know that will never happen.
I’m just a rat who got pied pipered AGAIN
Maybe this is a pet peeve but it’s a vpn tool that forces you to log in with an “identity provider”. Yeah, no thanks.
That’s a basic requirement for almost any company. If you’re into hard coding credentials just use wireguard directly.
If I host headscale on a VPS, is that as seamless of an experience as Tailscale? And would I miss out on features, like the Tailscale dashboard? How does the experience change for me (an admin type) and my users (non-technical types)?
There are some community webUIs for Headscale, headplane in particular looks pretty good: https://headscale.net/stable/ref/integration/web-ui/
I’m not sure otherwise how different the experience would be.
Tailscale is a business seeking profit? (clutches pearls gasp)
It’s one of the key reasons why everyone here hates plex too so I don’t get why you’re acting like this isn’t a valid concern
…and what are current Plex users, that don’t like the direction Plex has taken, doing ? Riding the next horse. When Tailscale gets unbearable with their business practices, there are a lot of other options. Tailscale is just easy and it flippin’ works.
What next horse? There’s plex and there’s fully self hosting with Jellyfin or similar. The gulf is very wide between plex and that.
So, I don’t run the arr stack, or any of it’'s components. In fact, I’ve never even test run Plex. However, I hear that Emby is a better replacement coupled with Symfonium to take the place of PlexAmp. That seems to be the ‘next horse’ everyone is switching to, even tho Emby does seem to have some unresolved issues.
I just find the constant grind against profitability and capitalism to be a bit worn. I guess you could say I am fully ensconced in capitalism as I run three tax paying, for profit businesses. The issues I take with capitalism is unbridled, uncontrolled greed…when we place profit over principal. By all means tho, make yo’ paper son.
These are my opinions. There are many like them, but these ones are mine.
If there’s no one who can replace you with someone else, if you don’t deliver profit growth that they expect, then there’s a chance for you to apply principle over profit because it’s up to you. Many if not most corporations however can and do replace corporate leadership that doesn’t deliver profit growth with one that does. In these circumstances, leadership can rarely put principle over profit without being replaced. Many if not most of us see the direct effects of this process on our lives, working to get ever more of our incomes and health. This process hasn’t stopped and hasn’t slowed down. The opposite. This is why you’re hearing us grinding against capitalism as we can see the system all around us grinding us down. This is why it’s likely you’ll keep hearing it and it’s likely gonna get louder. I might not have your product in my home. If I do, I might be very happy with it because you’re not trying to get as much money out of me as you can. However I am certain without checking that I have Unilever, Kraft, Nestle, PepsiCo, Google and so on, and I know they are. You probably do too and they’re probably skinning you just as much. This is what capitalism is for us and we will grind against it because our standard of living is falling and it’s not because of people like you. Small businesses have much more in common with us in this, than large corporations, or small corporations funded by large capital of different kinds. I’m an employee of a very large, well known American corporation that has strategically stopped making products that were objectively better for its customers but had lower margins, replacing them with much more expensive, higher margin ones. I’m not getting anything from the difference. Our major shareholders do.
So I asked chatgpt for alternatives and I liked the look of ZeroTier, does this sound right to people with more knowledge than me, and would people recommend it in general?
Spoiler
Perfect! Here’s everything you need — broken down into three stages, from quick setup to full self-hosted control.
🧩 Part 1: Install and Connect ZeroTier
✅ Step 1: Create a ZeroTier account
Go to https://my.zerotier.com/
Sign up (only to create your private network — it’s free)
Click “Create a Network”
Give it a name
Note the Network ID
✅ Step 2: Install ZeroTier on your devices
🖥️ On your PC (Windows/Linux/Mac):
Download from: https://www.zerotier.com/download
Install and run
Join your network with:
zerotier-cli join <your-network-id>
(or click in the tray app if using the GUI)
📱 On your Android phone:
Install the ZeroTier One app from Google Play
Open the app, paste the network ID, tap Join
✅ Step 3: Authorise your devices
Go back to my.zerotier.com
Under your network, you’ll see your PC and phone listed
Tick “Auth” to allow them on the network
Note the IPs assigned (e.g. 10.147.17.34)
🎶 Part 2: Access Jellyfin + Symphonium Over ZeroTier
✅ Step 1: On your PC (Jellyfin server):
Open Jellyfin settings → Dashboard → Network
Ensure “Allow remote connections” is enabled (This just means other IPs — not the internet — can connect)
✅ Step 2: On your phone (Symphonium):
Open Symphonium
Add a new Jellyfin library
For the server address, enter:
http://<zerotier-ip-of-your-PC>:8096
e.g. http://10.147.17.34:8096/
It should connect exactly as it does on home Wi-Fi!
No public ports, no tailscale, no cost 🎉
🛠️ Part 3: Optional – Self-Host Your Own ZeroTier Controller
Only needed if you want to avoid using their cloud control plane. Not needed for basic private use.
✅ Requirements:
A Linux machine (can be your PC or a VPS if you change your mind)
Some CLI familiarity
Quick Guide:
-
Install Docker
-
Run:
docker run -d
–name zerotier-controller
-p 9993:9993/udp
-v zerotier-one:/var/lib/zerotier-one
zyclonite/zerotier-controller- You’ll now control your own ZeroTier networks, not theirs.
Docs: https://github.com/zyclonite/zerotier-controller
🔐 Even if you stick with their hosted controller, your traffic is still end-to-end encrypted. Self-hosting just removes the cloud coordination step.
✅ TL;DR:
Task Done
ZeroTier installed and devices connected ✅ Jellyfin accessible via ZeroTier IP ✅ Public internet avoided ✅ Self-hosting ZeroTier controller (optional) Available when ready
Let me know if you’d like help testing connection, optimising for battery/wake-on-LAN, or even integrating LAN fallback + ZeroTier for seamless home/away streaming.
Then asking if I can use a pi as a controller for the optional step 3:
Spoiler
Yes — an old Raspberry Pi running Raspberry Pi OS is perfectly capable of hosting a ZeroTier controller! It’s low-power, quiet, and ideal for self-hosted network services.
Here’s how to get it up and running.
🛠️ Self-Hosting a ZeroTier Controller on Raspberry Pi (PiOS)
✅ Requirements:
Raspberry Pi with PiOS Lite or Full (Debian-based)
Internet access (Ethernet or Wi-Fi)
Static IP on your LAN (recommended)
Port UDP 9993 open on your LAN (only needed if other clients are connecting over LAN)
🔧 Step-by-Step: Install Docker and the Controller
- Update and install Docker
Open a terminal on your Pi or SSH in:
sudo apt update && sudo apt upgrade -y curl -sSL https://get.docker.com/ | sh sudo usermod -aG docker $USER
Log out and back in (or reboot) to activate Docker group access.
- Run the ZeroTier controller in Docker
docker volume create zerotier-one
docker run -d
–name zerotier-controller
–restart unless-stopped
-p 9993:9993/udp
-v zerotier-one:/var/lib/zerotier-one
zyclonite/zerotier-controllerThis starts the controller and creates a persistent volume.
- Initialise the Controller
After a few seconds, you’ll have config files generated inside the container volume. To extract your identity.secret and create/manage networks, you can either:
Option A: Exec into the container
docker exec -it zerotier-controller bash
Then use the zerotier-cli inside the container:
zerotier-cli status zerotier-cli listnetworks zerotier-cli createnetwork
Option B: Install the CLI on your Pi (outside Docker)
This gives you easier long-term control, but it’s optional. Let me know if you want help setting this up.
- Connect clients to your Pi’s controller
On each device (PC, phone, etc.):
Install ZeroTier as normal
Instead of the default control plane, point the client to your Pi
This requires updating the local.conf to override the default controller (ask if you’d like help with that — it’s a little involved but totally doable).
🧪 Notes & Tips
Your Pi can stay on your LAN. It doesn’t need a public IP if your devices are already on the same network or are able to relay.
If you do want this to work outside your LAN, you’d need to:
Port forward UDP 9993 (if your router allows it), or
Run a small VPS relay or drop it entirely and let ZeroTier do relaying automatically (works 95% of the time)
✅ Summary
Task Possible on Pi? Notes
Host ZeroTier controller ✅ Lightweight and runs well Use with Jellyfin via ZeroTier ✅ No public exposure needed Use Docker ✅ Simplifies setup Avoid external services ✅ No Tailscale, no cloud
Let me know if you’d like:
Help setting up the network manually on the Pi
Step-by-step for configuring your clients to talk to your own controller
Instructions for adding DNS, wake-on-LAN, or file access over ZeroTier too
Your Pi just became your private VPN brain 🧠💻
AI SLOPPPPPPPPPPPPP delete this nephew
Fine I deleted it. But it worked so whatever don’t need opinions now anyway.
-
