> When do I have to update all those policies to use the new syntax? ... You never have to update your existing rules to use the new grants syntax. We will support our original ACL syntax forever. ... When we say that Tailscale is a stable platform, we aren’t kidding around.
Nice business decision. Just like their reaction to Headscale, I'm reminded Tailscale 'gets it' when interacting with the dev community and why their popularity will continue to grow.
I reckon this (and that it can be used in conjunction with grants) implies they're translating the old config to the new format if it exists on the fly. Otherwise, if it involved running two things one in maintenance mode (and somehow ensuring they both take effect and don't conflict) it'd be ballsy to promise 'forever'.
Although not sure why that's preferable to converting it once-off, so it's still not something a user has to worry about, but then the old way is done with.
Stripe has been doing it for god knows how long now and it seems to be working for them. With a robust test suite, I can’t think of too much that can/would go wrong. Honestly, I wish more software would approach things this way instead of introducing a major api version every 5 years. Just continuously ship the latest thing and translate everything that came before. Hopefully if people are also using “official” client libraries, they will eventually upgrade their dependencies and their API version will also get bumped. If there is a particularly heavy usage client jumping forward 100 versions and using too many of your resources, hopefully your org can dedicate some resources to help them upgrade which theoretically benefits both of you.
Now that I think of it Adyen did this to us a few years back. We’ll probably stay in the v5 branch until they politely poke us to upgrade again in another 5 years…
> Although not sure why that's preferable to converting it once-off, so it's still not something a user has to worry about, but then the old way is done with.
This way also supports users who have scripts or workflows that produce the old form of ACLs. If you had a single cut-off date, those scripts would presumably need to be updated.
We are indeed converting the old syntax to grants behind the scenes. In fact, we have been quietly doing this for months :)
As tczMUFlmoNk mentioned further down, we wanted to allow both syntaxes in perpetuity to account for scripts, Terraform configs, version-controlled policy files, and other automation that may rely on the original syntax.
We will provide a button on the JSON editor in our admin console to do a one-click conversion for anyone who would like to make a hard switch.
They probably have a parser that parses to some other format. They only need to maintain the parser and they probably won't support new features on it.
I'm not sure what they meant, but Tailscale links to Headscale and says this:
> Headscale is an open source alternative to the Tailscale coordination server and can be self-hosted for a single tailnet. Headscale is a re-implemented version of the Tailscale coordination server, developed independently and completely separate from Tailscale.
Headscale is a project that complements Tailscale — with its own independent community of users and developers. Tailscale does not set Headscale’s product direction or manage the community, and neither prohibits nor requires employees from contributing to Headscale.
> Our opinion is that Headscale provides a valuable complement to Tailscale: It helps personal users better understand both how Tailscale works and how to run a coordination server at home. As such, Tailscale works with Headscale maintainers when making changes to Tailscale clients that might affect how the Headscale coordination server works, to ensure ongoing compatibility.
The distilled version of this is that they let Headscale, a FOSS, use their proprietary client to connect to the Headscale server rather than Tailscale’s. They don’t need to allow this, they could easily disable that feature and have every right to, but they don’t. This makes the development of Headscale a lot more straightforward since the entire client codebase is just removed from the equation.
An excellent way to position yourself towards an open source alternative. Everything they do seems to be grounded in an engineering mindset and with respect to users.
I think they've figured out a way to align their interests with what's truly good for their users. I'm sure a lot of their sales funnel is just nerds like us using Tailscale at home, and then bringing it to their employers.
We're really happy Tailscale users at home. No bullshit, just works.
> I think they've figured out a way to align their interests with what's truly good for their users. I'm sure a lot of their sales funnel is just nerds like us using Tailscale at home, and then bringing it to their employers.
I can't say for certain (I do not work for TailScale, nor have I ever) but I suspect you are right.
TailScale was _immediately_ surfaced in our team's "what could we replace open-vpn with?" conversation recently... precisely because most of us _are_ using it at home and have nothing but praise.
> I'm sure a lot of their sales funnel is just nerds like us using Tailscale at home, and then bringing it to their employers.
100% this. GitHub and WandB also seem to follow this strategy.
Honestly, I don't know why this stopped being the dominant strategy. Matlab, Adobe, Solidworks, and many other tools used to be free for students. It's not hard to see how people working with certain software while in school translates to using that same software outside. The same is true for at home! You get frustrated with whatever BS thing your work has and then ask your boss if you can use X instead.
I think it stopped because they got too big. Becoming the de facto tool they figured they could charge students and hobbiests too. I'm pretty sure this just lead to more piracy and open source solutions. I mean Coca-Cola still advertises... they sure aren't doing it for brand recognition... everyone knows who they are (same with McDonalds!). They do it to associate feelings. These companies should still do those student and hobbiest versions for the same reasons. It prevents others from displacing you. Companies aren't going to complain about the price and pirate your stuff instead, they have the money. Only hobbiests and students do that stuff...
There is one problem... I've seen employees at certain places use personal accounts for business work. Worse, I've seen them do this despite the business already having seats! I don't know why this is going on, but maybe we should do a bit of peer pressure if we want to ensure we keep those free hobbiest licenses. Plus, it puts your business in a legally dubious area. Not likely to get sued, but it sure isn't legal...
I think it's still a dominant strategy. Docker functions on the same ideology. VMWare switched to the same strategy with their Workstation Pro being free for non-commercial use, etc.
Agreed on the licensing concerns. I hate seeing members of commercial entities discuss using personal/non-commercial products like that. I moved to a new company and wanted to use Obsidian for some individual note-taking purposes, then realized I could only use it for 30 days before I needed a commercial license if I did anything work related with it. I know Obsidian proper wouldn't even know if I used it this way, but I avoided doing so until I got word that Obsidian was changing their commercial licensing policy.
I think that you would've lose those users anyway, so at least leave a good impression on them as they can become advocate when they're in another context where Tailscale is the better solution.
They let it be. The decision is many-fold correct:
1) hobbiests that are obsessed with self-hosting can use it -- tailscale will never see a penny from them anyways
2) some businesses will consider headscale as an escape hatch de-risking if tailscale were to be purchased out by an extortionist (like broadcom's acquisition of VMware)
3) It signals they are doing business in a position of strength: businesses don't buy software, they buy solutions to problems
4) Tailscale can benefit from innovations that Headscale finds.
Competition can be beneficial for all parties involved. If the Headscale devs make novel contributions and solve problems Tailscale didn't think of or figure out themselves, Tailscale can copy Headscale just as Headscale copies Tailscale. Competition has this benefit of distributing research expenditures.
I think it is easy to forget that even monopolies are bad for monopolies. They can benefit by being fat and lazy, but this is at the cost of larger future profits. It's "safer", but there's plenty of competitive markets where there is little risk of failure. At least compared to the risk that naturally exists.
5) Headscale users may convert to Tailscale users.
That can happen if Headscale was implemented by a enthusiastic employee who later leaves. Company learned to like the benefits but no longer has the support. This makes a natural conversion. The same thing happens if Headscale fizzles out.
I really just don't see how Tailscale really has much, if anything, to lose from Headscale. It definitely has things to gain! The only reason to go after Headscale would be if they are greedy and irrationally fearful. Which the action itself would scare a lot of its users. Tailscale really is in touch with its users and honestly, I'm not sure there's anything negative I have to say about them. They're not creating enemies, they're paying attention to users, and they're just focusing on making a great product. Seems like the ideal strategy that we'd want all businesses to follow.
As I understand it, headscale was implemented by an enthusiast user who became an enthusiast employee, who is allowed to spend work cycles on maintaining it.
My guess is they probably don't care because their pricing is really low. If you want to self-host, for any serious company, you need a very resilient setup (multiple servers) because you can't afford to have your "authz" down. If your headscale is down, so is everything in your organization. $6/month/user is then relatively cheap. The savings on self-hosting will be minimal.
Fun fact: Tailscale have an almost-assuredly-accurate count of Headscale users due to how few people disable the Tailscale client's telemetry which by default sends them real-time events about everything you do on a Headscale network. See KB1011: https://tailscale.com/kb/1011/log-mesh-traffic
“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.io). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”
This is why they had the data telling them they should hire the Headscale dev to nip that competition in the bud before it had any chance to usurp their business by overtaking them in mindshare using their own client. Definitely a sound business decision, but it really really irked me when I realized I was feeding Tailscale detailed usage data for everything I did on my supposedly “““private””” Headscale network despite having no business relationship with them.
For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326
The privacy-adversarial behavior made me switch from Headscale to NetBird for my personal network now that it's available in FreeBSD Ports: https://www.freshports.org/security/netbird/
> For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326
18000 data points per week seems IMHO pretty low (only 1.7 requests per minute for a whole network? Unlikely, even my Android phone does way more that 1.7 requests per minute just to ad networks, nevermind everything else on the network summed), it's probably way more.
18000 data points is also a lie, that's a different issue - the issue of UDP DNS sucking in general so your average application/OS keeps reissuing requests if they think the UDP packet got dropped.
> only 1.7 requests per minute for a whole network?
Connections != Requests
Telemetry consisting of an open/close event pair would be, like, one entire SSH session, or one RDP session. Even HTTP has supported Keep-Alive since 1997.
> Fun fact: Tailscale have an almost-assuredly-accurate count of Headscale users due to how few people disable the Tailscale client's telemetry which by default sends them real-time events about everything you do on a Headscale network. See KB1011: https://tailscale.com/kb/1011/log-mesh-traffic
That is not true. We actually instruct all the clients to send no logs - since at least three years:
> It's possible to opt out of this spying on Unix/Windows/Mac by starting Tailscale with `--no-logs-no-support` or `TS_NO_LOGS_NO_SUPPORT=true` environment variable
Am I misreading the docs?[0]
Network flow logs are available to help you understand which devices are connecting to one another over time, that is, the flow of traffic across your tailnet.
These logs strictly do not contain any information about client operations or contents of network traffic.
Network flow logs must be enabled[1].
This makes it look like they are disabled by default.
“When you use the Tailscale Solution, we collect limited metadata regarding your device used to access the Tailscale Solution, such as: the device name; relevant operating system type; host name; IP address; cryptographic public key; user agent (where applicable); language settings; date and time of access to the Tailscale Solution; logs describing connections and containing statistics about data sent to and from other devices (“Inter-Node Traffic Logs”); and version of the Tailscale Solution installed.” (emphasis mine)
Here's a Tailscale client startup with telemetry enabled, which is the silent default:
2025/04/13 17:02:07 logtail started
2025/04/13 17:02:07 Program starting: v1.82.0, Go 1.24.2: []string{"/usr/local/bin/tailscaled", "-port", "41641", "-tun", "tailscale0", "-statedir", "/var/db/tailscale"}
2025/04/13 17:02:07 LogID: b933623d2f5012930c72af6593b1a94f36749b5495076c937bde51dd620d21e5
2025/04/13 17:02:07 logpolicy: using system state directory "/var/db/tailscale"
2025/04/13 17:02:07 dns: using dns.openresolvManager
2025/04/13 17:02:07 ifconfig destroy: exit status 1
ifconfig: interface tailscale0 does not exist
2025/04/13 17:02:07 wgengine.NewUserspaceEngine(tun "tailscale0") ...
Versus the same client with the `--no-logs-no-support` opt-out argument added, where the very first line (not to mention the argument name itself) is some FUD trying to scare one into reverting to anti-privacy mode:
2025/04/13 16:29:20 You have disabled logging. Tailscale will not be able to provide support.
2025/04/13 16:29:20 logtail started
2025/04/13 16:29:20 Program starting: v1.82.0, Go 1.24.2: []string{"/usr/local/bin/tailscaled", "-port", "41641", "-tun", "tailscale0", "-statedir", "/var/db/tailscale", "--no-logs-no-support"}
2025/04/13 16:29:20 LogID: b933623d2f5012930c72af6593b1a94f36749b5495076c937bde51dd620d21e5
2025/04/13 16:29:20 logpolicy: using system state directory "/var/db/tailscale"
2025/04/13 16:29:20 dns: using dns.openresolvManager
2025/04/13 16:29:20 ifconfig destroy: exit status 1
ifconfig: interface tailscale0 does not exist
2025/04/13 16:29:20 wgengine.NewUserspaceEngine(tun "tailscale0") ...
For anyone wondering, Lammy provided the head of journalctl for tailscaled.service. I got similar results.
I think my confusion comes down to there being two different types of logging. It is the network flow logs that are on the enterprise.
Per the privacy policy statement, this does not set off any alarm bells for me. Reason being that the capacity to create logs would necessitate that language. But I definitely don't like that they are collecting that much information. Thanks, I'll change /etc/defaults/tailscaled
Nice business decision. Just like their reaction to Headscale, I'm reminded Tailscale 'gets it' when interacting with the dev community and why their popularity will continue to grow.