Would https://github.com/juanfont/headscale work for your use case?
I’m not the author but I actually do use headscale personally, but it’s not something I would want to deploy for the entire polycule
Especially when without any custom frontend work the process for adding new devices is “get the admin to SSH in and add the node”
Tailscale’s free tier is not very feature rich. You can’t do user ACLs with it, for example. And yes, you’re locked into a Google/Microsoft identity. If you don’t like that, pay for more. If you can’t, go use another service or roll it on your own.
Articles like this are why I’ll probably never make a service with a free tier. Yikes.
Because someone might write a polite and even-handed criticism? I have certainly read and indeed written substantially less charitable things about companies that are not giving their stuff away for free.
Tailscale employee here. +1, my reading of iliana’s post is absolutely not “wow, those ingrate free users”. It’s a very well constructed critique of one of our product choices, and my reaction is a web of different things (mostly “I agree, and have complex thoughts on why we haven’t done the thing yet”), but I’m very grateful for this feedback.
Another Tailscale employee here. +1, iliana means very well by this. Xie means very well by this and xer feedback is already in the awareness of the product side of things at Tailscale. I was thinking out ideas on how to work around this with xer and presented them alongside that article. Overall I’m fairly sure that this will end up with positive change.
Talking about ICE and union busting in this context doesn’t feel even-handed to me. 🤷🏽♀️
I’m confused, isn’t that exactly the point? If Tailscale only offered Google/MS login on their paid corporate plan this article would make much more sense?
A footnote explaining why the OP doesn’t want to work with Microsoft and Google seems entirely relevant, no? Google and Microsoft do work with immigration authorities, and they do engage in union-busting; these are facts, not imputation or speculation.
But the OP isn’t forced to work with them. They can use the free service Google/MS provide or pay Tailscale to bring a different identity provider.
That makes Google/MS business with immigration extremely irrelevant to an article about Tailscale.
I’m really not sure what you mean. The complaint here is that the free tier of Tailscale requires people to use Google or Microsoft’s services. Explaining why Google and Microsoft are parties the OP doesn’t want to work with is at least somewhat relevant.
Uh. If you don’t like their product, use another? Cloudflare Tunnels? WireGuard?
People are allowed to criticize things and still use them.
Yes. You’re right. And it’s totally legitimate criticism. It’s quite a dependency for what’s essentially your new network plane.
One neat aspect of the Microsoft authentication system is that it works for both Microsoft’s consumer account system (Microsoft Account) and Microsoft’s business authentication system (Office 365). This means that if you, like me, don’t want to authenticate to Tailscale using an account that you don’t pay for, you can easily get a $3/month email subscription to Office 365 and use that. I’m far more confident that Microsoft isn’t going to yeet me out of my paid Office 365 subscription than I am that Google won’t shut down my Google Account.
No, you just have to worry about SolarWinds.
Being able to pay for the account you’re using for SSO isn’t really a differentiator here. Google also has both free consumer and paid business account types, that you could use for authentication.
Fair point, but there’s an easily obtainable customer support phone number for Office 365. As far as I can tell, without access to your account there’s no way to reach Google Workspace support. I think that’s a better way to explain what I failed to articulate.
This is an utterly hilarious motivating use case. I get the need, it’s funny and makes sense, but for some reason I just find it really entertaining.
For our own purposes Tinc was kinda neat, but it doesn’t have a good way of booting folks. A bit of custom tooling around Nebula goes a long way.
It might be worth it just to bodge something together with WireGuard and self-hosting directly… at some point if you’re doing nonstandard stuff you should just build your own stack.
I guess we need a web3 version of Tailscale /s
A business customer would use their own IdP, as the article mentions, or have contracts and policies in place to reduce risk around accounts being banned or hacked. I think the risk is probably more acute for smaller companies or individuals using the service.
For individuals, I wonder if there’s some room for using multiple accounts to limit blast radius. Accounts can be banned for various reasons, but it seems like a common one is posting controversial topics to public areas. If you have separate Google or Microsoft accounts that you specifically don’t use to post anything in public, it might protect you a bit. Regardless, the safest is probably to self host and not use Tailscale. Personally I really like using Tailscale for convenience, but I don’t have anything critical on it so I’m not super worried.
TL;DR: Tailscale is awesome, but the author does not like the fact that they depend on Google and Microsoft. There are some reasons stated, regarding control that is given to the provider in terms of being able to terminate accounts. The author would prefer if Tailscale did authentication themselves.
I don’t think Tailscale needs to handle auth data themselves to resolve this, we could have some kinda federated OIDC but then they have to think about abuse and mass-account farming and rate limiting and stuff rather than handing that work off to Microsoft or Google.