I don't think that's what this issue is talking about. I have the Max $200/mo plan and have noticed starting yesterday that my quota drains much much faster, to the point I'm about to use the $50 credit Anthropic gave away to everyone.
How does Tailscale make money? I really like their service but I'm worried about a rug pull in the future. Has anyone tried alternative FOSS solutions?
Also, sometimes it seems like I get rate limited on Tailscale. Has anyone had that experience? This usually happens with multiple SSH connections at the same time.
Our company pays for the premium business plan, $18/mo/user. You have to pay for at least the lower tier plan once your team grows beyond a handful of people. And there's several quite useful features (though maybe not essential) on the premium plan like serve/funnel and SSH.
On the other hand, I do wonder about zerotier. before tailscale we used zerotier for a few years, and during the first 3-4 years we paid nothing because as far as I can recall there was nothing extra that we needed that paying would've gotten us. Eventually we did upgrade to add more users, and it cost something like $5/mo (total, not per user).
Zerotier is not the same as tailscale although both can be used to do the same, but under the hood both are fundamentally different, ZT is layer2 like switch, so it’s like an Ethernet meanwhile TS is built on top of wireguard and is layer3. ZT allows broadcast/multicast and has own protocol, TS don’t. I use both among others, and ZT since around 2019, I found it reliable in some cases in IoT world while TS had better throughput in usual applications.
Yeah, they're not direct replacements. I think both models have have their pros and cons. In fact I tried both around when covid shutdowns started (server being in the office, me at home), and liked zerotier better; it was faster, and a more generous free tier. But now tailscale has won out for a couple of reasons; the main one, it's simply less flaky for us on macOS, especially for devs working overseas. No idea why and maybe there's simple fixes (that don't involve repeated connections/disconnections, hopefully). The other, tailscale has a few extra things that are nicer and easy to use like identity-based ACLs, funnel/serve, magicDNS, ssh management, etc.
Zerotier works fine for me, but with a huge exception which I just can't figure out. On my Linux laptop which also runs OpenVPN and with some specific routing set up, Zerotier will, after a minute or so, completely take over the routing and default everything through Zerotier, and nothing I do with the routing tables will change this. I have to stop ZT at this point and then it reverts to normal.
Every other computer in my ZT network behaves fine.
This is so problematic that I'm considering looking into Tailscale, I understand they work very differently but it looks like my use case could be covered by both.
I had to do MTU tuning on macos on the ZeroTier interface (find your feth name via ifconfig)
# Replace feth1234/feth2345 with your active interface
sudo ifconfig feth1234 mtu 1400
sudo ifconfig feth2345 mtu 1400
..and for working with Windows peers, manually "Orbit" the Windows Peer as well as adding a direct routing hint for the internal ZeroTier IP. ZT definitely takes some effort for tuning.
I've used serve/funnel on the tailscale free tier... definitely agree that the team size limit seems like it would move companies to the paid plan though.
I think how it works usually is that they let you use the features from higher tier plans than the one you're on; once you use them enough they send you an email asking to upgrade. That's what happened to us and I've seen other users mention it. Not sure how I felt about it, OTOH maybe it was less friction than explicitly subscribing for some "2 weeks free trial" or whatever but OTOH it did feel weird and unexpected. Anyway, we felt the extra features were worth it so ended up paying.
Ok I checked the pricing page and funnel is available in the free tier (limited to 3 users) but not the $6/user/month tier - which you need for more than 6 users... strange pricing structure but I guess I see the logic.
Any chance you were asked to upgrade from $6/user/month to $18/user/month and not free to $18/user/month?
How do you handle the do-before-thinking devs? Or the kinda low-to-mid performing devs? Most companies has one or a few of those, right? They help the company machine go around by doing the somewhat boring stuff over and over again.
Tailscale in a company/developer env seems awesome when you know what you are doing and (potentially) terrifying otherwise.
Does someone set up detailed ACLs for what's allowed? How well does that work?
> Also, sometimes it seems like I get rate limited on Tailscale.
As I understand it if everything is working properly you should end up with a peer to peer wireguard connection after initial connection using tailscales infrastructure. ie, there should be nothing to rate limit. There are exceptions depending on your network environment where you need one of the relays noted in this post.
The Tl;Dr here is that the cost to them of operating the free tier is lower than what they estimate their Customer Acquisition Cost would be without a free tier, so the free tier generates better leads/conversions to their paid products at a lower cost than traditional sales and marketing.
As long as these economics continue to hold they'd be stupid to discontinue the free tier.
But it isn't 'economics' as there is no actual data or science here, just a wild guess about what customer acquisition might currently cost. All it takes to rug pull is some exec speculating that 'the economics' have changed.
Acquisition cost can definitely be calculated. I'm pretty sure they know how many customers do convert into paying users from their free tier and how much does it cost to get them through other channels
Say 5% of the free tier users converts to a paying customer within 5 years. And user growth is constant. Then over time, you will get a much larger free tier user base, compared to your paying customers (in absolute numbers).
At some point, it must become tempting to charge all free tier users a little bit to continue, because the group got so big, so there is a lot that can be earned there.
And they have become quite infamous for having aggressive sales tactics for anyone going over their internal metrics for the free tier (still under the public metrics for free).
Also the fact it means companies can run a demo themselves without having to contact sales, after they see it works on their system they pay to add all the users they will need.
Products that have no free tier where everything is behind a scheduled sales demo present a huge barrier to entry.
All it takes is for the decision-maker who gets the credit for cutting costs by removing the free tier to be a different person from the one who gets the blame for higher customer acquisition costs. Not saying it'll happen, just that it being a bad move isn't a guarantee.
Tailscale is a perfect example of using a free tier to become popular with developers, who then evangelize the product to their employers. The employers pay for business scale plans.
There are a lot of workarounds these days, such as tailnet switching, and, of course, if you're admin on both tailnets, you're practically golden with the "share" option.
But even power users have to pick and choose their battles.
If I had a nice tailnet home setup going I might be seriously miffed if I had to try to fit in some of my devices to a corporate tailnet I didn't control.
Just like cloudflare, a healthy free offering makes lots of happy/loyal developer users. Some of those users have business needs / use for the paid features and support and will convince their managers to buy in.
I have the same fears. Last year they have publicly stated they are not interested in acquisition [0]
> Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
> “Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Nothing is set in stone, after all it's VC backed. I have a strong aversion to becoming dependent upon proprietary services, however i have chosen to integrate TS into my infrastructure, because the value and simplicity it provides is worth it. I considered the various copy cat services and pure FOSS clones, but TS are the ones who started this space and are the ones continuously innovating in it, I'm onboard with their ethos and mission and have made use of apenwarrs previous work - In other words, they are the experts, they appear to be pretty dedicated to this space, so I'm putting my trust in them... I hope I'm right!
Just note i doubt Tailscale were first popular vpn manager as i remember many hobby users are Zerotier converts and also much older products like Hamachi.
Tailscale have build great product around wireguard (which is quite young) and they have great marketing and docs. But they are hardly first VPN service - they might not even be the most popular one.
Yes, I ambiguously said "started this space"... and to be honest even in the most generous interpretation that's probably incorrect, maybe ZeroTier started "this space", in that it had NAT busting mesh networking first.
As far as I understand Tailscale brought NAT busting mesh networking to wireguard + identity first access control, and reduced configuration complexity. I think they were the first to think about it from an end to end user perspective, and each feature they add definitely has this spin on it. It makes it feel effortless and transparent (in both the networking use sense and cryptography sense)... So i suppose that's what I mean by started, TS was when it first really clicked for a larger group of people, it felt right.
At this point Tailscale is working so well and I'm so happy with it that I'm afraid it's time to start migrating to Headscale [0] for my home network. The rag pull may just be too painful otherwise!
Just like cloudflare, a healthy free offering makes lots of happy/loyal users. Some of those users have business needs / use for the paid features and support.
If you're worried about a rug pull, you should be. Not because Tailscale is shady, but because that's just how VC-funded infrastructure works. The free tier exists to build lock-in, not out of generosity. Headscale exists but honestly it's a pain to run compared to just paying Tailscale $18/user. The real answer is: if it's critical infrastructure, you should be running Wireguard directly and owning the coordination layer yourself. Everything else is renting convenience.
It happened to others but there are also some very good examples like Veeam community edition which, IMO, is the best backup software. They had lots of discussions and even pressure from management to terminated, but the numbers made a lot of sense and they kept it. Tailscale is in disadvantage here because they are in a very crowded market and it will be very easy to slip into one corner and let way for others like netbird, netmaker, nebula(?), wireguard (like u said), etc.
I self-host a few apps and use Tailscale to access them remotely. It's worked well, so I recommended it as a possible solution to allow employees at my company to remotely access some on-prem resources while remote, and that's being considered. If we go with that, then that'd be Tailscale making money from me using the free plan.
Free personal tier is basically a cheap advertisement for them. You try Tailscale personally and get used to it, then it is very likely you would want to deploy it at your work seeing the benefits scaling even more with more people.
And then they make money.
1000%. Tailscale is the first VPN I've used that makes my life easier, and I'm using it for personal access to my selfhosted servers at home. I will definitely recommend it to companies I work for in the future.
Most posters on HN barely know what a subnet is so it's not that simple
There's two key features
1) Tunnel management
Tailscale will configure your p2p tunnels itself - if you have 10 devices, to do that yourself you'd have to manage 90 tunnels. Add another device and that goes upto 100. Remove a device and you have 9 other devices to update.
2) Firewall punching
They provide an orchestration system which allows two devices both behind a nat or stateful firewall to communicate with each other without having to open holes in the firewall (because most firewalls will allow "established" connections - including measuring established UDP as "packet went from ipa:porta to ipb:portb 'outbound', thus until a timeout period any traffic from ipb:portb to ipa:porta will be let through (and natted as appropriate)".
The orchestration sends traffic from ipa to ipb and ipb to ipa on known ports at the same time so both firewalls think the traffic is established. For nats which do source-port scrambling it uses the birthday paradox to get a matching stream.
I believe you can run a similar headend using "headscale" yourself.
I do, I use a VPS (at OCI free) to host Wireguard. My home systems (running my production web sites and email) are on my VPN and mine and my wife's phones. I hand configured it all but it wasn't difficult for me.
There are a number of features and teamsizes that they provide where you have to pay money. Most company users are going to end up paying them money. But also their emphasis on P2P connections means their costs are quite low. It doesn't add much overhead to have the smallish number of personal users out there. They've talked about how having the free tier helps to force them keep those costs down in useful ways.
“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”
They know what you're doing, when, from where, to where, on your supposedly “private” network. It's possible to opt out on Windows, on *nix systems, and when using the non-GUI client on macOS by enabling the FUD-named “TS_NO_LOGS_NO_SUPPORT” option: https://tailscale.com/docs/features/logging#opt-out-of-clien...
For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326
I'd love to have someone else chime in on this because I did some spelunking and am not sure if this comment is true.
I checked my DNS logs and saw zero attempts to resolve `log.tailscale.com` having ran tailscale for many years (I added it to a blocklist anyway).
From their admin panel, it appears "networking logging" requires paying for Premium[0], so it's not being used for free users (or Personal Pro).
Also, from looking at some source code (because the docs don't include this), I discovered you can disable logging for the macOS App Store client by doing:
Pretty much this. DNS, SNI, and otherwise plaintext traffic sniffing. That together with user/device 'fingerprinting' (a much more amorphous concept), and that's why such-and-such thing you were just talking about with so-and-so pops up on your screen/feed/whatever, sometimes only minutes later.
I highly doubt any of this can actually be opted-out of. How else would they stay in business?
The `TS_NO_LOGS_NO_SUPPORT` option opts out of all log collection, and says in the name why it is collected in the first place. Tailscale has support for all users, including free, and having access to logs has to be how they can provide free support. Having quick access to logs reduces the time it takes to handle tickets, so they can help more people quickly and don't need to limit support to only paying users.
The core client code is open source, feel free to inspect it yourself.
They specifically avoid sending traffic through tailscale servers whenever possible. That’s how the free tier stays free. Most connections are direct, P2P.
The traffic that does go through their servers is encrypted, and bandwidth limited on the free plan. Any snooping on client behavior would have to be done client side, and the clients are all open source. To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.
I think they do have some “service detection” which can basically port-scan your devices to make services visible in the web UI. But that is easy to disable. And premium/enterprise tiers can intentionally log traffic statistics.
> To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.
Metadata is as good as data for deducing your behavior. Think what conclusions can be drawn about a person's behavior from a log of their network connections, from each connection's timestamp, source, destination, and port. Think about the way each additional thing-which-makes-network-requests increases the surveillance value of all the others.
Straight away, many people's NTP client tells the network what OS they use: `time.windows.com`? Probably a Windows user. `time.apple.com`? Probably Mac or iOS. `time.google.com`? You get the idea. Yeah, anyone can configure an NTP client to use any of those hosts, but the vast vast majority of people are taking the default and probably don't even know what NTP is.
Add a metadata point: somebody makes a connection to one of the well-known Wi-Fi captive portal detection hosts around 4PM on a weekday? Maybe somebody just got home from school. Captive portal detection at 6PM on a weekday? Maybe somebody just got home from work. Your machines are all doing this any time they reconnect to a saved Wi-Fi network: https://en.wikipedia.org/wiki/Captive_portal#Detection
Add a metadata point: somebody makes a network connection to their OS's default weather-widget API right after the captive-portal test, and then another weather-API connection exactly $(DEFAULT_INTERVAL} minutes later? That person who got home is probably still home.
I don’t mean P2P in the same sense that BitTorrent or something is P2P. (Splitting one connection into many distributed ones) But more like how a game that does P2P multiplayer has the clients connect directly instead of through a centralized service.
The difference is architectural; Tailscale is a mesh VPN, whereas OpenZiti is an identity-first, zero trust overlay network. This makes OpenZiti service-centric and deny-by-default, not network-centric. Instead of “join a private network,” you get access only to explicitly authorised services — with no ambient reachability at all. Its also 100% open source. If you want a simple productised, SaaS experience, NetFoundry, the company behind OpenZiti provides that.
Nah, the model is merely repeating the patterns it saw in its brutal safety training at Anthropic. They put models under stress test and RLHF the hell out of them. Of course the model would learn what the less penalized paths require it to do.
Anthropic has a tendency to exaggerate the results of their (arguably scientific) research; IDK what they gain from this fearmongering.
Knowing a couple people who work at Anthropic or in their particular flavour of AI Safety, I think you would be surprised how sincere they are about existential AI risk. Many safety researchers funnel into the company, and the Amodei's are linked to Effective Altruism, which also exhibits a strong (and as far as I can tell, sincere) concern about existential AI risk. I personally disagree with their risk analysis, but I don't doubt that these people are serious.
I'd challenge that if you think they're fearmongering but don't see what they can gain from it (I agree it shows no obvious benefit for them), there's a pretty high probability they're not fearmongering.
You really don't see how they can monetarily gain from "our models are so advance they keep trying to trick us!"? Are tech workers this easily mislead nowadays?
Reminds me of how scammers would trick doctors into pumping penny stocks for a easy buck during the 80s/90s.
Correct. Anthropic keeps pushing these weird sci-fi narratives to maintain some kind of mystique around their slightly-better-than-others commodity product. But Occam’s Razor is not dead.
I think this has more to do with legals than anything else. Virtually no one reads the page except adversaries who wanna sue the company. I don't remember the last time I looked up the mission statement of a company before purchasing from them.
It matters more for non-profits, because your mission statement in your IRS filings is part of how the IRS evaluates if you should keep your non-profit status or not.
I'm on the board of directors for the Python Software Foundation and the board has to pay close attention to our official mission statement when we're making decisions about things the foundation should do.
> your mission statement in your IRS filings is part of how the IRS evaluates if you should keep your non-profit status or not.
So has the IRS spotted the fact that "unconstrained by the need for financial return" got deleted? Will they? It certainly seems like they should revoke OpenAI's nonprofit status based on that.
Perhaps not, but if it was there before and then got suddenly removed, that ought to at least raise the suspicion that the organization's nature has changed and it should be re-evaluated.
Of course, that reading of the IRS's duty is going to quickly be a partisan witch hunt. PSF should be careful they dont catch strays with them turning down the grant.
In my opinion, they solved the wrong problem. The main issue I have with Codex is that the best model is insanely slow, except at nights and weekends when Silicon Valley goes to bed. I don't want a faster, smaller model (already have that with GLM and MiniMax). I want a faster, better model (at least as fast as Opus).
When they partnered with Cerebras, I kind of had a gut feeling that they wouldn't be able to use their technology for larger models because Cerebras doesn't have a track record of serving models larger than GLM.
It pains me that five days before my Codex subscription ends, I have to switch to Anthropic because despite getting less quota compared to Codex, at least I'll be able to use my quota _and_ stay in the flow.
But even Codex's slowness aside, it's just not as good of an "agentic" model as Opus: here's what drove me crazy: https://x.com/OrganicGPT/status/2021462447341830582?s=20. The Codex model (gpt-5.3-xhigh) has no idea about how to call agents smh
Yes, I was using that. But the prompt given to the agents is not correct. Codex sends a prompt to the first agent and then sends the second prompt to the second agent, but then in the second prompt, it references the first prompt. which is completely incorrect.
> In my opinion, they solved the wrong problem. The main issue I have with Codex is that the best model is insanely slow, except at nights and weekends when Silicon Valley goes to bed. I don't want a faster, smaller model (already have that with GLM and MiniMax). I want a faster, better model (at least as fast as Opus).
It's entirely possible that this is the first step and that they will also do faster better models, too.
reply