Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
Are there better alternatives? I was planning on using tailscale until now. :P
I use Nebula. It’s lightweight, well-engineered and fully under your control. But you do need a computer with a fixed IP and accessible port. (E.g. a cheap VPS)
You can also use “managed nebula” if you want to enjoy the same risk of the control point of your network depending on a new business ;-)
Wireguard if you’re just using it yourself. Many various ways to manage it, and it’s built in to most routers already.
Otherwise Headscale with one of the webUIs would be the closest replacement.
I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn’t actually access it if I wasn’t initially on my home network, oops.
I might play around with it again down the road with a cheap VPS, didn’t take long to get it going, but realistically my setup’s access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I’ve been seeing).
Why does it need to be on a VPS? It seems to work on a home network when I played around with it.
Well a VPS or an exposed service, but I feel like the latter ends up somewhat defeating the purpose anyway.
When running locally (not exposed), it worked great until I tried to make the initial connection from mobile data - can’t establish a connection to headscale if it can’t reach it in the first place. Unless I’m mistaken, the headscale service needs to be publicly accessible in some way.
Oh gotcha yes it does. Are you on CGNAT with your ISP so you can’t forward ports?
Pivpn is really easy, and since pivpn is just scripts, it always installs current wireguard even if they lax on updating pivpn that often.
For me personally, the next step is using Headscale - a FOSS replacement of the Tailscale control server. The Tailscale clients are already open source and can be used with Headscale.
Someone else could give other suggestions.
I’ve been meaning to switch from Tailscale to Headscale but I have been to busy. Do you have any instructions, write-ups/walk-thrus you could recommend to set this up? I have three sites with 1GB internet I can use. One has a whole house UPS but dynamic IP, another has a static IP but no UPS, and the third is Google fiber with no UPS, but I can use the app to get the current IP anytime. I also own a number of domain names I could use.
No writeups. I tried following the Headscale doc for a test last year. Set it up on the smallest DigitalOcean VM. Worked fine. Didn’t use a UI, had to add new clients via CLI on the server. When I set it up for real, I’d likely setup a UI as well and put it in a cloud outside of the US. It would work at home too but any other connection would die if my home internet dies or the power does. E.g. accessing one laptop from another, or accessing the off-site backup location.
Depends on your use case. If you’re just looking to expose services and are ok having them publicly accessible, there’s Cloudflare Tunnel, or you can run WireGuard on a cheap VPS
ive been eyeing up netbird but havnt got around to trying it yet. its fully open source at least, and theyre based in germany is anyone cares about that
Just looked at NetBird, it looks suspiciously similar to Tailscale in what it does except they also got an open-source control server. They have self-hosting doc right in their web site. Looks interesting. Can’t find much about the company other than it’s based in Berlin and it’s currently private - Wiretrustee UG.
What’s the difference with their open-source control server, from headscale? That it’s officially published by the company?
A bunch really, Headscale with Tailscale client, Nebula VPN, Netmaker, Zerotier.
I use the built in wireguard VPN in my router. If you just need local network access elsewhere it’s usually really easy to setup if your router provides it. I would look into it!
pre-emptive pikachu face strike
Question: if I setup Headscale on my network, I would have to open a port on my router to connect to it right? And also if I setup Headscale with some cloud provider, could they theoretically go and use the setup to get to my home network? I know its unlikely, I just mean if the technology is like e2e from clients to my home network, or if the cloud headscale ‘centre’ would be also an unguarded entry point (from the perspective of cloud admins). I hope I am clear 😀 Thanks (btw you probably guess why I currently use Tailscale 😀)
if I setup Headscale on my network, I would have to open a port on my router to connect to it right?
The way I understand it is:
I would have to open a port on my router to connect to it right?
Yes
if I setup Headscale with some cloud provider, could they theoretically go and use the setup to get to my home network?
If they are able to authorize their own node to your Headscale server, then their node gets on your network. If they take over the Headscale node, they might also be able to access your network, either by changing Headscale’s config to auth another node or perhaps if the Headscale node is part of the network, which it might be, I don’t recall. But I think that’s immaterial. If someone takes over the Headscale machine, they can get on your network either way.
So there has to be some trust between you and the cloud provider then. Thank you
is this some kind of furry porn CDN
become profitable when needed
By what, laying off all QA and support staff and half your developers the moment a single quarterly earnings report isn’t spotlessly gilded?
Ok and?
I never really understood the point of using Tailscale over plain ol’ WireGuard. I mean I guess if youve got a dozen+ nodes but I feel like most laymens topologies won’t be complex beyond a regular old wireguard config
NAT punching and proxying when a p2p connection between any 2 nodes cannot be achieved. It’s a world of difference with mobile devices when they always see each other, all the time. However, headscale does all that.
Same thing here, either tailscale selfhosted or Netbird selfhosted I’d the way to go for all the nice features, having the free tier or tailscale for personal data never sounded right to me.
Wireguard doesn’t do NAT/Firewall traversal nor does it have SSO
Tailscale manages the underlying Wireguard for you
Simplicity?
I mean sure, but I don’t think it’s simpler than setting up a wireguard config IMO. For tailscale you gotta make an account, register devices, connect them. Feel like wireguard is about the same except you don’t have to make an account.
Meh. I will keep using it
So glad my router supports WireGuard/OVPN server hosting, doing it this way also relieves resources off your homelab and for whatever reason your homelab shuts off or loses network access you can at least rely on your router to re-establish the VPN server without further intervention.
So I asked chatgpt for alternatives and I liked the look of ZeroTier, does this sound right to people with more knowledge than me, and would people recommend it in general?
Spoiler
Perfect! Here’s everything you need — broken down into three stages, from quick setup to full self-hosted control.
🧩 Part 1: Install and Connect ZeroTier
✅ Step 1: Create a ZeroTier account
Go to https://my.zerotier.com/
Sign up (only to create your private network — it’s free)
Click “Create a Network”
Give it a name
Note the Network ID
✅ Step 2: Install ZeroTier on your devices
🖥️ On your PC (Windows/Linux/Mac):
Download from: https://www.zerotier.com/download
Install and run
Join your network with:
zerotier-cli join <your-network-id>
(or click in the tray app if using the GUI)
📱 On your Android phone:
Install the ZeroTier One app from Google Play
Open the app, paste the network ID, tap Join
✅ Step 3: Authorise your devices
Go back to my.zerotier.com
Under your network, you’ll see your PC and phone listed
Tick “Auth” to allow them on the network
Note the IPs assigned (e.g. 10.147.17.34)
🎶 Part 2: Access Jellyfin + Symphonium Over ZeroTier
✅ Step 1: On your PC (Jellyfin server):
Open Jellyfin settings → Dashboard → Network
Ensure “Allow remote connections” is enabled (This just means other IPs — not the internet — can connect)
✅ Step 2: On your phone (Symphonium):
Open Symphonium
Add a new Jellyfin library
For the server address, enter:
http://<zerotier-ip-of-your-PC>:8096
e.g. http://10.147.17.34:8096/
It should connect exactly as it does on home Wi-Fi!
No public ports, no tailscale, no cost 🎉
🛠️ Part 3: Optional – Self-Host Your Own ZeroTier Controller
Only needed if you want to avoid using their cloud control plane. Not needed for basic private use.
✅ Requirements:
A Linux machine (can be your PC or a VPS if you change your mind)
Some CLI familiarity
Quick Guide:
-
Install Docker
-
Run:
docker run -d
–name zerotier-controller
-p 9993:9993/udp
-v zerotier-one:/var/lib/zerotier-one
zyclonite/zerotier-controller- You’ll now control your own ZeroTier networks, not theirs.
Docs: https://github.com/zyclonite/zerotier-controller
🔐 Even if you stick with their hosted controller, your traffic is still end-to-end encrypted. Self-hosting just removes the cloud coordination step.
✅ TL;DR:
Task Done
ZeroTier installed and devices connected ✅ Jellyfin accessible via ZeroTier IP ✅ Public internet avoided ✅ Self-hosting ZeroTier controller (optional) Available when ready
Let me know if you’d like help testing connection, optimising for battery/wake-on-LAN, or even integrating LAN fallback + ZeroTier for seamless home/away streaming.
Then asking if I can use a pi as a controller for the optional step 3:
Spoiler
Yes — an old Raspberry Pi running Raspberry Pi OS is perfectly capable of hosting a ZeroTier controller! It’s low-power, quiet, and ideal for self-hosted network services.
Here’s how to get it up and running.
🛠️ Self-Hosting a ZeroTier Controller on Raspberry Pi (PiOS)
✅ Requirements:
Raspberry Pi with PiOS Lite or Full (Debian-based)
Internet access (Ethernet or Wi-Fi)
Static IP on your LAN (recommended)
Port UDP 9993 open on your LAN (only needed if other clients are connecting over LAN)
🔧 Step-by-Step: Install Docker and the Controller
- Update and install Docker
Open a terminal on your Pi or SSH in:
sudo apt update && sudo apt upgrade -y curl -sSL https://get.docker.com/ | sh sudo usermod -aG docker $USER
Log out and back in (or reboot) to activate Docker group access.
- Run the ZeroTier controller in Docker
docker volume create zerotier-one
docker run -d
–name zerotier-controller
–restart unless-stopped
-p 9993:9993/udp
-v zerotier-one:/var/lib/zerotier-one
zyclonite/zerotier-controllerThis starts the controller and creates a persistent volume.
- Initialise the Controller
After a few seconds, you’ll have config files generated inside the container volume. To extract your identity.secret and create/manage networks, you can either:
Option A: Exec into the container
docker exec -it zerotier-controller bash
Then use the zerotier-cli inside the container:
zerotier-cli status zerotier-cli listnetworks zerotier-cli createnetwork
Option B: Install the CLI on your Pi (outside Docker)
This gives you easier long-term control, but it’s optional. Let me know if you want help setting this up.
- Connect clients to your Pi’s controller
On each device (PC, phone, etc.):
Install ZeroTier as normal
Instead of the default control plane, point the client to your Pi
This requires updating the local.conf to override the default controller (ask if you’d like help with that — it’s a little involved but totally doable).
🧪 Notes & Tips
Your Pi can stay on your LAN. It doesn’t need a public IP if your devices are already on the same network or are able to relay.
If you do want this to work outside your LAN, you’d need to:
Port forward UDP 9993 (if your router allows it), or
Run a small VPS relay or drop it entirely and let ZeroTier do relaying automatically (works 95% of the time)
✅ Summary
Task Possible on Pi? Notes
Host ZeroTier controller ✅ Lightweight and runs well Use with Jellyfin via ZeroTier ✅ No public exposure needed Use Docker ✅ Simplifies setup Avoid external services ✅ No Tailscale, no cloud
Let me know if you’d like:
Help setting up the network manually on the Pi
Step-by-step for configuring your clients to talk to your own controller
Instructions for adding DNS, wake-on-LAN, or file access over ZeroTier too
Your Pi just became your private VPN brain 🧠💻
AI SLOPPPPPPPPPPPPP delete this nephew
Fine I deleted it. But it worked so whatever don’t need opinions now anyway.
-
Friendly reminder that Tailscale is VC-funded and driving towards IPO
You know what’s to come.
The answer to the question is immediately. Or switch to OpenZiti or Pangolin even.
I spent an afternoon doing precisely that. Bought a domain, a vps, and setup pangolin. Can’t believe how smooth it went.
@cooopsspace pangolin is not a replacement for tailscale/headscale. different usecase imho. @avidamoeba
Ziti isn’t though.
Point is, you know Tailscale will turn to shit the same way all VC stuff does.
Make no mistakes VC aren’t giving money out of the goodness of their heart, they expect a profit.
What’s the benefit over just WG?
You dont need to manually handle the WG config files. This isn’t really an issue when it’s just and your two devices, but once you start supporting more people like non-technical family members, this gets really annoying really quickly.
Tailscale (and headscale) just require you to log in which even those family members can manage and do the rest for you. They also support SSO in which case you wouldn’t even have to create new accounts.
Your tech illiterate grandma can set it up. It’s that easy.
WG is worthless in a CGNAT environment… And as we are in 2025 and time doesn’t stop it will be irrelevant for everyone someday, unless they fully support IPv6 (which I don’t know if they do, if you can use WG in a CGNATED network with IPv6 I’d like to know though, I am very rusty setting it up, but it might worth checking it out).
CGNAT is for IPv4, the IPv6 network is separate. But if you have IPv6 connectivity on both ends setting up WG is the same as with IPv4.
Personally, my ISP (T-Mobile 5G) has CGNAT and blocks all incoming traffic. I can’t simply Wireguard into my network. Tailscale has been my intermediary to get remote access.
I guess it’s time to figure how how to host an alternative on a VPS (I see Headscale mentioned in these comments).
Tailscale uses WG though, so it’s fundamentally the same thing. Like you said - just do Headscale on a VPS.
Or Wireguard on a VPS
No need to port forward, almost 0 config.
Easier/zero configuration compared to manual WG setup. Takes care of ports and providing transparent relay when no direct connection works.
a long runway that allows us to become profitable when needed
Switch to self-hosting headscale when they enshittify in an attempt to become profitable, duh
I mainly use Tailscale (and Zerotier) to access my CGNATED LAN, headscale will require me to pay a subscription for a VPS wouldn’t it?
I really envy the guys who say only use them because they’re lazy to open ports or want a more secure approach, I use them because I NEED them lol.
If (when?) Tailscale enshitify I’ll stick with ZT a bit until it goes the same way lol, I started using it 1st, I don’t know if ZT came before Tailscale though.
Same. I mean, I was already looking to rent a VPS, but at least there’s some time so I can save money until things get weird.
Yeah, don’t get me wrong, I can see value of getting a VPS, especially if you are gonna be using it for some other projects, I have had a DO instance in the past and I thinkered with WG back then BTW, but if it is only for remote accessing your home LAN, I don’t feel like paying for it tbh, especially when some users get it for free (public IPv4) and it feels even dumber for me since I have a fully working IPv6 setup!
BTW my ISP is funny, no firewall at all with it, I almost fainted when I noticed everyone could access my self hosted services with the IPv6 address and I did nothing regarding ports or whatsoever… They were fully accessible once I fired up the projects! I think I read an article about this subject… But I can’t recall when or where… I had to manually set up a firewall, which tbh, you always should do and it is especially easy to do in a Synology NAS.
Anyway, back to the mesh VPN part, if they enshitify so be it, but in the meantime we still can benefit from it.
Thats just how IPv6 works. You get a delegate address from your ISP for your router and then any device within that gets it own unique address. Considering how large the pool is, all address are unique. No NAT means no port forwarding needed!
Vps can be really inexpensive, I pay $3 a month for mine
Same, my Hetzner proxy running NPM, with pivpn and pihole is doing all it needs to do for $3 and some change.
My only open ports on anything I own are 80, 443 and the wg port I changed on that system. Love it.
How does WG work on the local side of the network? Do you need to connect each VM/CT to the wireguard instance?
I am currently setting up my home network again, and my VPS will tunnel through my home network and NPM will be run locally on the local VLAN for services and redirect from there.
I wonder if there is any advantage to run NPM on the VPS instead of locally?
The vps is the wg server and my home server is a client and it uses pihole as the dns server. Once your clients hang around for a minute, their hostnames will populate on pihole and become available just like TS.
You do have to set available ips to wg’s subnet so your clients don’t all exit node from the server, so you’ll be able to use 192.168.0.0 at home still for speed.
As for NPM, run it on the proxy, aim (for example) Jellyfin at 10.243.21.4 on the wg network and bam.
I am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.
Your Pi-Hole act as your DNS, so the VPS use the pi-hole through the tunnel to check for the translation IP, as set through the DNS directive in the wg file. For example, my pi-hole is at 10.0.20.5, so the DNS will be that address.
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Does that make sense?
the VPS uses the pi-hole through the tunnel
The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.
server dns - itself
client dns - the server’s wg address
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn’t aware I host anything at all.
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
Pihole (in my case) can’t see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Allowed ips = 10.x.x.0/24 - only connects the clients and servers together
Allowed ips = 0.0.0.0/0 - sends everything through the VPN, and connects the clients together.
Do the top one, that’s how TS works.
Or get something like a rapsberry-pi (second hand or on a sale). I have netbird running on it and I can use it to access my home network and also use it as tunnel my traffic through it.
Bookmarking “headscale”!
I only recently started using Tailscale because it makes connecting to my local network through a Windows VM running in Boxes on Linux a hell of a lot easier than figuring out how to set up a networked bridge.
This sounds like a great alternative, and it looks like it can even work on a Synology NAS.
Been meaning to do this. Tailscale was just there and easy to implement when I set my stuff up. Is it relatively simple to transition?
I can’t unfortunately. They only feature I use is that fact I can access my ipv6 only server via an ipv4 only network.
Just came here to say that the guy looks like a creep!
Tailscale is a business seeking profit? (clutches pearls gasp)
It’s one of the key reasons why everyone here hates plex too so I don’t get why you’re acting like this isn’t a valid concern
…and what are current Plex users, that don’t like the direction Plex has taken, doing ? Riding the next horse. When Tailscale gets unbearable with their business practices, there are a lot of other options. Tailscale is just easy and it flippin’ works.
What next horse? There’s plex and there’s fully self hosting with Jellyfin or similar. The gulf is very wide between plex and that.
So, I don’t run the arr stack, or any of it’'s components. In fact, I’ve never even test run Plex. However, I hear that Emby is a better replacement coupled with Symfonium to take the place of PlexAmp. That seems to be the ‘next horse’ everyone is switching to, even tho Emby does seem to have some unresolved issues.
I just find the constant grind against profitability and capitalism to be a bit worn. I guess you could say I am fully ensconced in capitalism as I run three tax paying, for profit businesses. The issues I take with capitalism is unbridled, uncontrolled greed…when we place profit over principal. By all means tho, make yo’ paper son.
These are my opinions. There are many like them, but these ones are mine.
If there’s no one who can replace you with someone else, if you don’t deliver profit growth that they expect, then there’s a chance for you to apply principle over profit because it’s up to you. Many if not most corporations however can and do replace corporate leadership that doesn’t deliver profit growth with one that does. In these circumstances, leadership can rarely put principle over profit without being replaced. Many if not most of us see the direct effects of this process on our lives, working to get ever more of our incomes and health. This process hasn’t stopped and hasn’t slowed down. The opposite. This is why you’re hearing us grinding against capitalism as we can see the system all around us grinding us down. This is why it’s likely you’ll keep hearing it and it’s likely gonna get louder. I might not have your product in my home. If I do, I might be very happy with it because you’re not trying to get as much money out of me as you can. However I am certain without checking that I have Unilever, Kraft, Nestle, PepsiCo, Google and so on, and I know they are. You probably do too and they’re probably skinning you just as much. This is what capitalism is for us and we will grind against it because our standard of living is falling and it’s not because of people like you. Small businesses have much more in common with us in this, than large corporations, or small corporations funded by large capital of different kinds. I’m an employee of a very large, well known American corporation that has strategically stopped making products that were objectively better for its customers but had lower margins, replacing them with much more expensive, higher margin ones. I’m not getting anything from the difference. Our major shareholders do.
I get all of that. I really do feel ya. However, I find it quite difficult to raise my ire over a free product (Tailscale) that I use in conjunction with my hobby, changing up their game and going IPO. I guess I do not take my network as seriously as others here do.
Not so much ire than awareness and planning so we don’t get caught pants down. I’ve been using them for 5 years, paid for it and have a pretty elaborate setup which supports services for family and friends. I’ve been happy so far, but will be decoupling from their infrastructure. No ire for them, just for the system. The system makes people and firms do what they do. 😄
Plexamp is exclusively music so that’s pretty limited, and what you’re proposing with emby is a lot more complicated than setting up Plex
