The New Internet

ingve | 517 points

The eternal problem with companies like Tailscale (and Cloudflare, Google, etc. etc.) is that, by solving a problem with the modern internet which the internet should have been designed to solve by itself, like simple end-to-end secure connectivity, Tailscale becomes incentivized to keep the problem. What the internet would need is something like IPv6 with automatic encryption via IPsec, with PKI provided by DNSSEC. But Tailscale has every incentive to prevent such things from being widely and compatibly implemented, because it would destroy their business. Their whole business depends on the problem persisting.

(Repost of <https://news.ycombinator.com/item?id=38570370>)

teddyh | a month ago

An incredibly long ramp up to complaining about centralised control by rent seekers (a very reasonable complaint!) which gets bogged down in some ostensibly unrelated shade about whether client-server computing makes sense (it does) or is itself somehow responsible for the rent seeking (it isn't; you can seek rent on proprietary peer to peer systems as well!) to then arrive at:

> There’s going to be a new world of haves and have-nots. Where in 1970 you had or didn’t have a mainframe, and in 1995 you had or didn’t have the Internet, and today you have or don’t have a TLS cert, tomorrow you’ll have or not have Tailscale. And if you don’t, you won’t be able to run apps that only work in a post-Tailscale world.

The king is dead, long live the king!

jclulow | a month ago

I'm one of the people who actually use Tailscale for production systems where there are servers physically close to me, or at some other controlled locations, and then there are hundreds of users hundreds of kilometers away, all working via Tailscale.

I should say two things. Tailscale is amazing and I love it. The system could not exist without it, or I'd have to have at least ten more people in my team to manage all this 24/7. It's working, and it's good enough.

That being said, you do need to lower your expectations: it's not as good as "the internet". The latency spikes periodically, the connection drops sometimes, the MagicDNS just magically stops working or interferes with the system. Since we have many users, we've encountered every possible problem one can encounter, and then there's still something new you'll see tomorrow.

In any case, we believe in Tailscale and its vision; it's a categorically new approach that simultaneously gives you control over the hardware, reduces the cost, and improves the security. Our first big production server was a 4-core Linux laptop!

We love Tailscale and we wish the product prosperous life and development. Thank you TEAM TAILSCALE!

k_bx | a month ago

I love Tailscale, but this post gives me the creeps. The internet succeeded because it was built on standards and was completely free. With Tailscale, I get that WireGuard is open source and we have things like Headscale. But the whole "everyone gets an IP" thing, doesn't it depend on Tailscale owning a massive IP address space? We can all wait until full IPv6 rollout, or we can depend on centralized IPv4, and servers and proprietary stuff. Maybe a bit hypocritical?

figassis | a month ago

I like Tailscale, but this reads as too self-aggrandizing.

You have a mesh VPN product with some value-added services on top of it. That's great, but this idea isn't novel or unique. Why should your solution be the "new internet" instead of any of the alternatives?

I wouldn't want to rely on a single company for all my internet infrastructure, anyway. So I'll stick with the traditional internet with all its complexity. Its major problems aren't technical but social, and no new technology will solve those.

imiric | a month ago

Isn't yggdrasil[1] supposed to be the New Internet?

If not, why Tailscale specifically, and not Netbird, Nebula, Netmaker or some other competitor?

The article is indeed very well written, but gives the wrong vibes, like something's coming: acquisition, pivot, split, shutting down, etc. Also, "we're just getting started", the famous last words.

Just to balance my healthy mistrust, I'd like to add that I'm a satisfied Tailscale user, mostly impressed with how little it requires of me to just work.

[1] https://yggdrasil-network.github.io

ZoomZoomZoom | a month ago

I really enjoy and appreciate the tailscale service, but this article didn't click for me. I love an inspiring CEO rally speech as much as the next early adopter, and agree that there is a ridiculous amount of developer friction and complexity in computing, but tailscale still has its own friction and isn't on track to solve the big picture issues _at all_.

As a concrete example, a few weeks ago, I invited my dad to my tailnet with the intent of using remote desktop into his machine to help him fix something. He accepted the invite, and then I couldn't ping his machine despite it appearing in my TS domain web interface.

Now he hates Tailscale, and I lost credibility because prior to that I had told him how awesome it is. In his view, it wasted his time and doesn't "work right", and metadat is a fool.

metadat | a month ago

I think the author misdiagnoses the problem, and the proposed solution simply hides the centralization instead of removing it.

The reason AWS is expensive is not because of IPv4, or the datacenters. It's mostly in their software/managed offerings, and the ability to quickly add more servers. If you are a "serious company" and you don't want to pay AWS or a similar company, renting a rack and colocating your own servers (either within your premises or in a datacenter) is doable and done by lots of companies.

I disagree that certificates have caused centralization; they're not something separating the haves and have-nots, and they are in no way comparable to having or not having a mainframe. HTTPS becoming pseudo-mandatory didn't push people into having their own (sub)domains, which is nowadays the only requirement to obtain a certificate. It had already happened out of convenience.

The other point of centralization mentioned is DNS, which tailscale doesn't avoid at all. MagicDNS still relies on the ICANN root, as does the tailscale control plane. And if all you wanted was a free subdomain, there are plenty of people offering that.

If you are behind CGNAT, tailnets aren't particularly less centralized, as traffic has to flow through the DERP servers. I doubt Tailscale can keep providing these free of charge when the volume is in the Tbps instead of the Gbps.

I agree that tailscale (and similar solutions) help in the last remaining case, which is accessing your computer that is behind a NAT. I even think they could reach the dozens of millions of users. This is, in my opinion, not enough to claim the title of "the new internet".

iovoid | a month ago

Of course these ideas are not that new. IPv6 was supposed to give end-to-end connectivity to all, and originally IPsec was supposed to be a mandatory part of IPv6, giving each internet host a cryptographic identity. And so on.

zokier | a month ago

I really liked the premise of the post until I got to the last paragraph and had to do a quick double take.

Sure Tailscale makes the internet easier again, but I still have to rely on a landlord. Something I didn’t/don’t have to for the internet. As much as a lot of stuff has been centralized, even today I can connect to any server in the world with just the link.

Aeolun | a month ago

I'm distracted by all the references to being "old" because the author remembers the 1990s.

locusofself | a month ago

> You know what, nobody ever got fired for buying AWS.

> That’s an IBM analogy.

Wow, this dialogue comes in the first episode of Halt and Catch Fire. I didn't know this was a real thing.

Here's the clip at 1:51, if anyone's interested: https://www.youtube.com/watch?v=XOR8mk0tLpc

udev4096 | a month ago

> In fact, we didn’t found Tailscale to be a networking company. Networking didn’t come into it much at all at first.

I always just assumed they were building some kind of logging software ("tail"scale), used WireGuard to connect hosts, and just kind of stopped there. Don't get me wrong, Tailscale is a nice way to connect machines. It's nice because WireGuard is nice.

OneOffAsk | a month ago

IPv6 + transport mode IPsec + opportunistic encryption with TOFU or other topologies of trust (including WoT, DNSSEC and PKI). All that is standard, most of it is available and only requires configuration (and, ideally, being turned on by default).

There is very little use for companies like Tailscale in this setup; it's scalable and it works.

ivlad | a month ago

> Every device gets an IP address and a DNS name and end-to-end encryption and an identity, and safely bypasses firewalls.

Tailscale can certainly be blocked on NGFW firewalls like Palo Alto. I am not a BOFH, but I also can't have random employees circumventing security policies by setting up Tailscale and leaving permanent backdoors in my corporate network.

I remember the good old days when everyone had a public IP on the Internet and how easy it was to set things up. It was cool and fun while it lasted. But now things are different, and security is a nightmare when we have to deal with things like ransomware.

Bluecobra | a month ago

So the answer to the bad old internet is to install Tailscale on everything?

indigodaddy | a month ago

Even though I don't agree with the whole "New Internet" thing, this article is very well written.

sweca | a month ago

> Sure, Apple’s there selling popular laptops, but you could buy a different laptop or a different phone.

> But the liberation didn’t last long. If you deploy software, you probably pay rent to AWS.

There's no Azure? GCP? Hetzner? Digital Ocean?

> You pay exorbitant rents to cloud providers for their computing power because your own computer isn’t in the right place to be a decent server.

You do that because you don't know what port-forwarding is (vast majority of software people do not), or you don't have the place or infra in your dwelling to stash a laptop server running 24/7 without interruption.

thr0w | a month ago

The new internet, an overlay network on top of the existing internet. Cool?

0x0000000 | a month ago

Did anyone else immediately do the calculation of 8.1 billion (world population 2024) * 1/20000 = 405k user base? Which makes me wonder what percentage are paying users.

jpeeler | a month ago

Ehm, sorry, no. OSes matter as much as before, because even if today's giants want to call desktops and co. "just endpoints", a politically correct variant of the old dumb terminals of "their mainframes", we actually know very well that "the intelligence" must be in the "endpoints", and no "mainframe-alike" modern solution can scale or serve well in that regard. Of course we need networking, a network of individual hosts, not of dumb endpoints.

Devs have lost such knowledge because big tech has trained them to lose it, and now we see more and more limits of their model. The new internet must be the very old one, a network of hosts communicating with each other, without NAT and the like in the middle, explicitly done in most cases to lock users' hosts behind some giant iron curtain.

The modern web today matters because we lack UIs: commercial desktops have decided on widget-based UIs and have strongly hit their limits, finding in the modern web a crappy modern version of the old classic DocUIs, and we know as well that we need DocUIs. Slowly we start coming back to end-user programming, admitting that visual crap and all attempts to make programming hard on purpose led to unsustainable crapware ecosystems. Maybe in a decade spreadsheets and "calculators" will finally be dropped and Jupyter/R-alike tools will have finally substituted them, eventually with some LLM plugged in to help the dumb mean users. In another decade we will probably be back at LispMs, because trying other paths to profit from users is not sustainable anymore.

The shorter this period is, the less damage we will suffer.

kkfx | a month ago

As I've been deliberately moving toward self-hosted computing, under my control, on my home network, I've had a feeling more and more that we're on the cusp of something transformative... For those who want it and those who care. There's an ecosystem of mostly FOSS software now designed to run on a home network and replace big, centralized, cloud providers. That software is right on the edge of being easy enough for everyone to use and for sufficient numbers of people to deploy and administer. News like Immich (to replace Google Photos) getting a major investment thanks to Louis Rossman and FUTO [1] is encouraging. The ecosystem of software you can now run on a commodity built NAS or homelab is, for me, the most exciting thing in computing since I first used the Internet in the late 90s.

The rollout and transformation, if it happens, won't look like all this stuff becoming so easy that every individual can run a server. But it is possible that every extended family will have at least one member who can run a server or administer a private network for the whole clan. And that's where tech like tailscale's offering will come in. That's where I see the author's vision being a believable moonshot:

Each extended family, and some small communities, with their own little interconnected, distributed network-citadels, behind the firewalls of which they do their computing, their sharing, and their work. Most family members won't need to understand it any more than they understand the centralized clouds they use now. And most networks won't be as well secured as a massive company can make its cloud offering, but a patchwork heterogeneity of network-citadels creates its own sort of security, and significantly lowers the value of any one "citadel" to even motivated adversaries.

[1]: https://www.youtube.com/watch?v=uyTPqxgqgjU

sfRattan | a month ago
signal_space | a month ago

"Layers" have been a major motif of the write-up.

> We’re removing layers, and layers, and layers of complexity, and making it easier to work on what you wanted to work on in the first place.

As an avid user, I'd say they are in fact adding more layers to the problem. It is well-designed and relatively accessible, sure, but it represents a stop-gap solution while everyone eventually pushes toward the eventual solution.

It has always been the double-edged nature of abstraction. We give trust and responsibility to another party while for us networking works out "magically". But the moment your remote client has some auth issues, you snap back to reality. Besides bandwidth costs, it seems that their otherwise generous pricing model is economically viable in the post-AI landscape.

I'd personally like to act like a "landowner" of the internet, but currently being a renter seems like a good idea while we all wait for social housing to finally get accepted.

rldjbpin | a month ago

I used to use WireGuard. It connects a peer to a peer, but stops there. I have since replaced it with Tailscale. It goes much beyond WireGuard, and connects everything to everything. A lot of my networking problems went away. After using Taildrop for several months, I feel the post is right about it. It's a frictionless one-click peer-to-peer file transfer tool that is very useful. It should have been built into the internet.

The idea of an entirely decentralized internet is wishful thinking. You always need servers. Even with IPv6, you have to run a STUN or DDNS server, since IP addresses change. Do you want to run them at home? I don't.

I do think Tailscale is on path to different networking.

aborsy | a month ago

One thing I don't understand. The article claims that we need to pay rent to big corps like AWS, which is true only if you're offering something on the internet (e.g., you have a SaaS). As a consumer I don't pay AWS, I only pay my ISP. Now, the article wants everyone (the ones who have something to offer, and the consumers) to switch to this new internet… so both producers and consumers (peers now) need to pay rent to Tailscale (unless you self-host, but self-hosting is like the first story told in the article about asking your ISP for a static IP address, opening ports and the like; self-hosting is too much work).

Smells like more centralisation, not less.

dakiol | a month ago

Tailscale complaining about centralized actors controlling the internet, yet not allowing you to sign up for Tailscale with your email but strictly requiring you to use a Microsoft/Meta/Google account. Can't make this up.

littlecranky67 | a month ago

I love this.

Except to use Tailscale you do need to bring in a whole OIDC authentication provider.

It's all small and aimed at avoiding scale until the very first step, when suddenly only the big complex thing is acceptable.

I still just want to use my email and a top. The only one of the auth providers Tailscale supports that I have is GitHub, but I don't use GitHub beyond work, as I self-host my git.

When the onboarding is "maintain and run a full OIDC provider", all we've done is trade one aspect of complexity for another.

buro9 | a month ago

Speaking of Tailscale, does anyone know on Windows how to prevent it significantly slowing down file transfers between peer computers on my home LAN?

I don't really understand it: I can use the direct IP address of the other machine and I can still see tailscaled.exe using a lot of CPU and my file transfer being only 65MB/s. If I right-click the system tray icon and exit Tailscale, the transfer speed instantly jumps to 109MB/s (which is the maximum of my Gb/s LAN).

jonathanlydall | a month ago

I'll preface this by saying: I DO appreciate Tailscale and what they've done for frictionless VPNs; I use it daily. But this post has a really unfortunate tone; it comes across as really arrogant. Not ambitious, but arrogant. The notion that the population as a whole is buying Tailscale because it might offer some as-yet unpublished capabilities at some indeterminate point in the future... is delusional. And Tailscale's moat is very shallow: yes, there's some nifty networking stuff going on, but it's well understood and the functionality will be replicated by competitors as Tailscale gains mainstream traction, however big their war chest is.

pomatic | a month ago

That looks like Hamachi of 20 years ago.

EVa5I7bHFq9mnYK | a month ago

This is a 'gimme some of that Wix money', IPO/acq ramp-up post right?

OJFord | a month ago

When is the government going to start requiring IPv6 more aggressively?

It's that simple.

Ericson2314 | a month ago

My ISP deployed IPv6 by serving ULAs to clients behind the ISP box, and doing NAT to a single dynamic public IP.

Another one just blocks all incoming connections on IPv6 entirely.

lockywolf | a month ago

I’m confused by this New Internet talk. Tailscale is nice and all, but it gives you virtual private networks. To talk to anything you need to first be invited to that private network. It’s more like the New LAN, great for intranet and shit. But how am I supposed to build Internet apps intended for everyone if they need to be invited to my network first?

Not to mention most Internet services do need a central backend to function even if there are no barriers among clients at all (because the clients are completely unreliable), including even the textbook p2p example of file transfer: while direct p2p is nice in many cases, with a central service the recipient can receive at any time, instead of having to coordinate with the sender to both stay online simultaneously and for the duration of the transfer, which is quite difficult nowadays with most of the computing happening on phones.

oefrha | a month ago

How is having a TLS cert considered to currently be a “have”? Seems like a deployment issue for your colo and edge presence (for those eschewing AWS).

howis | a month ago

> centralization is bad except when we do it

TL;DR

iczero | a month ago

I love this blog post. It resonates so much. But I honestly don't know how to deploy applications efficiently without containerization. And where there are containers there's Kubernetes. So on and so forth.

sidcool | a month ago

I've been an active Tailscale user for years now, preaching the Gospel of Wireguard Control Planes to all who will listen (and many who won't) in both my personal and professional life.

It's been really disheartening to watch the steady enshittification of Tailscale, Inc. I knew it was coming with 100% certainty once they raised 100mil in 2022. It's still heartbreaking because the product itself is quite good.

The worst part is that because Tailscale, Inc. got there "first" (I know Nebula existed before Tailscale did. Shut up, okay?), the other competitors like NetMaker and NetBird are now all following almost the exact same business model ("open core+": open source client and some kind of claim to an open source control plane, with infinite caveats to funnel enterprise dollarydoos back to the vulture capitalists).

throw782349872 | a month ago

IPv6 is for poor people; until the poors figure out something really cool you can do with it, the rich will never switch.

idunnoman1222 | a month ago

> I read a post recently where someone bragged about using Kubernetes to scale all the way up to 500,000 page views per month. But that’s 0.2 requests per second. I could serve that from my phone, on battery power, and it would spend most of its time asleep.

lmao

rubi1945 | a month ago

The new internet? I'm still on BBS. Don't wanna use computers without ANSI art.

nomoreusernames | a month ago
