Corporate VPN startup Tailscale secures $230 million CAD Series C on back of “surprising” growth
Pennarun confirmed the company had been approached by potential acquirers, but told BetaKit that the company intends to grow as a private company and work towards an initial public offering (IPO).
“Tailscale intends to remain independent and we are on a likely IPO track, although any IPO is several years out,” Pennarun said. “Meanwhile, we have an extremely efficient business model, rapid revenue acceleration, and a long runway that allows us to become profitable when needed, which means we can weather all kinds of economic storms.”
Keep that in mind as you ponder whether and when to switch to self-hosting Headscale.
I’m not that worried as there are alternatives like Netbird. The underlying tech really isn’t hard to replicate since Wireguard is pretty standard.
I think it would be cool if Tailscale made it into the enterprise arena.
I think it would be cool if Tailscale made it into the enterprise arena.
I think they already have started. Telus is on their list of clients.
So I asked chatgpt for alternatives and I liked the look of ZeroTier, does this sound right to people with more knowledge than me, and would people recommend it in general?
Perfect! Here’s everything you need — broken down into three stages, from quick setup to full self-hosted control.
🧩 Part 1: Install and Connect ZeroTier
✅ Step 1: Create a ZeroTier account
Go to https://my.zerotier.com/
Sign up (only to create your private network — it’s free)
Click “Create a Network”
Give it a name
Note the Network ID
✅ Step 2: Install ZeroTier on your devices
🖥️ On your PC (Windows/Linux/Mac):
Download from: https://www.zerotier.com/download
Install and run
Join your network with:
zerotier-cli join <your-network-id>
(or click in the tray app if using the GUI)
📱 On your Android phone:
Install the ZeroTier One app from Google Play
Open the app, paste the network ID, tap Join
✅ Step 3: Authorise your devices
Go back to my.zerotier.com
Under your network, you’ll see your PC and phone listed
Tick “Auth” to allow them on the network
Note the IPs assigned (e.g. 10.147.17.34)
🎶 Part 2: Access Jellyfin + Symphonium Over ZeroTier
✅ Step 1: On your PC (Jellyfin server):
Open Jellyfin settings → Dashboard → Network
Ensure “Allow remote connections” is enabled (This just means other IPs — not the internet — can connect)
✅ Step 2: On your phone (Symphonium):
Open Symphonium
Add a new Jellyfin library
For the server address, enter:
http://<zerotier-ip-of-your-PC>:8096
e.g. http://10.147.17.34:8096/
It should connect exactly as it does on home Wi-Fi!
No public ports, no tailscale, no cost 🎉
🛠️ Part 3: Optional – Self-Host Your Own ZeroTier Controller
Only needed if you want to avoid using their cloud control plane. Not needed for basic private use.
✅ Requirements:
A Linux machine (can be your PC or a VPS if you change your mind)
Some CLI familiarity
Quick Guide:
-
Install Docker
-
Run:
docker run -d
–name zerotier-controller
-p 9993:9993/udp
-v zerotier-one:/var/lib/zerotier-one
zyclonite/zerotier-controller- You’ll now control your own ZeroTier networks, not theirs.
Docs: https://github.com/zyclonite/zerotier-controller
🔐 Even if you stick with their hosted controller, your traffic is still end-to-end encrypted. Self-hosting just removes the cloud coordination step.
✅ TL;DR:
Task Done
ZeroTier installed and devices connected ✅ Jellyfin accessible via ZeroTier IP ✅ Public internet avoided ✅ Self-hosting ZeroTier controller (optional) Available when ready
Let me know if you’d like help testing connection, optimising for battery/wake-on-LAN, or even integrating LAN fallback + ZeroTier for seamless home/away streaming.
Part 2, asking if I can use a pi as a controller for the optional step 3:
Yes — an old Raspberry Pi running Raspberry Pi OS is perfectly capable of hosting a ZeroTier controller! It’s low-power, quiet, and ideal for self-hosted network services.
Here’s how to get it up and running.
🛠️ Self-Hosting a ZeroTier Controller on Raspberry Pi (PiOS)
✅ Requirements:
Raspberry Pi with PiOS Lite or Full (Debian-based)
Internet access (Ethernet or Wi-Fi)
Static IP on your LAN (recommended)
Port UDP 9993 open on your LAN (only needed if other clients are connecting over LAN)
🔧 Step-by-Step: Install Docker and the Controller
- Update and install Docker
Open a terminal on your Pi or SSH in:
sudo apt update && sudo apt upgrade -y curl -sSL https://get.docker.com/ | sh sudo usermod -aG docker $USER
Log out and back in (or reboot) to activate Docker group access.
- Run the ZeroTier controller in Docker
docker volume create zerotier-one
docker run -d
–name zerotier-controller
–restart unless-stopped
-p 9993:9993/udp
-v zerotier-one:/var/lib/zerotier-one
zyclonite/zerotier-controllerThis starts the controller and creates a persistent volume.
- Initialise the Controller
After a few seconds, you’ll have config files generated inside the container volume. To extract your identity.secret and create/manage networks, you can either:
Option A: Exec into the container
docker exec -it zerotier-controller bash
Then use the zerotier-cli inside the container:
zerotier-cli status zerotier-cli listnetworks zerotier-cli createnetwork
Option B: Install the CLI on your Pi (outside Docker)
This gives you easier long-term control, but it’s optional. Let me know if you want help setting this up.
- Connect clients to your Pi’s controller
On each device (PC, phone, etc.):
Install ZeroTier as normal
Instead of the default control plane, point the client to your Pi
This requires updating the local.conf to override the default controller (ask if you’d like help with that — it’s a little involved but totally doable).
🧪 Notes & Tips
Your Pi can stay on your LAN. It doesn’t need a public IP if your devices are already on the same network or are able to relay.
If you do want this to work outside your LAN, you’d need to:
Port forward UDP 9993 (if your router allows it), or
Run a small VPS relay or drop it entirely and let ZeroTier do relaying automatically (works 95% of the time)
✅ Summary
Task Possible on Pi? Notes
Host ZeroTier controller ✅ Lightweight and runs well Use with Jellyfin via ZeroTier ✅ No public exposure needed Use Docker ✅ Simplifies setup Avoid external services ✅ No Tailscale, no cloud
Let me know if you’d like:
Help setting up the network manually on the Pi
Step-by-step for configuring your clients to talk to your own controller
Instructions for adding DNS, wake-on-LAN, or file access over ZeroTier too
Your Pi just became your private VPN brain 🧠💻
-
Am I totally off-base in thinking that MagicDNS and pluggable DNS nameserver overrides are a huge feature of tailscale?
I love that I can refer to my tailnet devices just via their machine name. I use it everywhere. And also that I can just slot in my NextDNS ID so that any device running tailscale now automatically uses that, and I don’t have to mess with my shared router settings or per device settings. Is all that actually really easy to set up outside of tailscale? Cuz if it is and I just somehow missed that when doing all my research, I’ll happily give plain wireguard or other mesh orchestrators like NetBird a go.
And I already know that mDNS is not the answer. That protocol is simply not reliable enough.
Nah, DNS is separate and these features are indeed pretty great. I think Headscale can also do them. I think I tested MagicDNS if I recall correctly.
I use wireguard and have public DNS refer to private IPs.
For example if my server is accessible at 10.0.0.1 via wireguard then I point *.myserver.mydomain.com to that IP.
Sorry if I’ve misunderstood your question.
If I host headscale on a VPS, is that as seamless of an experience as Tailscale? And would I miss out on features, like the Tailscale dashboard? How does the experience change for me (an admin type) and my users (non-technical types)?
There are some community webUIs for Headscale, headplane in particular looks pretty good: https://headscale.net/stable/ref/integration/web-ui/
I’m not sure otherwise how different the experience would be.
deleted by creator
Because it offers much more than just VPN even though that’s what most users use it for. Read their documentation and you’ll see
If you are capable of setting up your own personal VPN, you don’t need Tailscale. You still may want to use it though, depending on how much of a novelty Network Fun is for you in your spare time.
For me, the main advantage to Tailscale et al is that it is on a per device basis. So I can access my SMB shares or Frigate setup remotely while still keeping the rest of my internal network isolated( to the degree I trust the software and network setup). You CAN accomplish that with some fancy firewall rules and vlanning but… yeah.
Because I can have 3 phones, 2 tablets, 3 computers and 4 server on the same Tailnet in 15 minutes when starting from scratch
deleted by creator
Tailscale/headscale/wire guard is different from a normal vpn setup.
VPN: you tunnel into a remote network and all your connections flow through as if you’re on that remote network.
Tailscale: your devices each run the daemon and basically create a separate, encrypted, dedicated overlay network between them no matter where they are or what network they are on. You can make an exit node where network traffic can exit the overlay network to the local network for a specific cidr, but without that, you’re only devices on the network are the devices connected to the overlay. I can setup a set of severs to be on the Tailscale overlay and only on that network, and it will only serve data with the devices also on the overlay network, and they can be distributed anywhere without any crazy router configuration or port forwarding or NAT or whatever.
And on Unraid you can add individual docker containers to the tailnet too.
So you can just go ssh <container> on any device in the Tailnet and it’ll connect
Are there better alternatives? I was planning on using tailscale until now. :P
I use Nebula. It’s lightweight, well-engineered and fully under your control. But you do need a computer with a fixed IP and accessible port. (E.g. a cheap VPS)
You can also use “managed nebula” if you want to enjoy the same risk of the control point of your network depending on a new business ;-)
A bunch really, Headscale with Tailscale client, Nebula VPN, Netmaker, Zerotier.
For me personally, the next step is using Headscale - a FOSS replacement of the Tailscale control server. The Tailscale clients are already open source and can be used with Headscale.
Someone else could give other suggestions.
I’ve been meaning to switch from Tailscale to Headscale but I have been to busy. Do you have any instructions, write-ups/walk-thrus you could recommend to set this up? I have three sites with 1GB internet I can use. One has a whole house UPS but dynamic IP, another has a static IP but no UPS, and the third is Google fiber with no UPS, but I can use the app to get the current IP anytime. I also own a number of domain names I could use.
No writeups. I tried following the Headscale doc for a test last year. Set it up on the smallest DigitalOcean VM. Worked fine. Didn’t use a UI, had to add new clients via CLI on the server. When I set it up for real, I’d likely setup a UI as well and put it in a cloud outside of the US. It would work at home too but any other connection would die if my home internet dies or the power does. E.g. accessing one laptop from another, or accessing the off-site backup location.
Wireguard if you’re just using it yourself. Many various ways to manage it, and it’s built in to most routers already.
Otherwise Headscale with one of the webUIs would be the closest replacement.
Pivpn is really easy, and since pivpn is just scripts, it always installs current wireguard even if they lax on updating pivpn that often.
I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn’t actually access it if I wasn’t initially on my home network, oops.
I might play around with it again down the road with a cheap VPS, didn’t take long to get it going, but realistically my setup’s access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I’ve been seeing).
Why does it need to be on a VPS? It seems to work on a home network when I played around with it.
Well a VPS or an exposed service, but I feel like the latter ends up somewhat defeating the purpose anyway.
When running locally (not exposed), it worked great until I tried to make the initial connection from mobile data - can’t establish a connection to headscale if it can’t reach it in the first place. Unless I’m mistaken, the headscale service needs to be publicly accessible in some way.
Oh gotcha yes it does. Are you on CGNAT with your ISP so you can’t forward ports?
I use the built in wireguard VPN in my router. If you just need local network access elsewhere it’s usually really easy to setup if your router provides it. I would look into it!
Depends on your use case. If you’re just looking to expose services and are ok having them publicly accessible, there’s Cloudflare Tunnel, or you can run WireGuard on a cheap VPS
ive been eyeing up netbird but havnt got around to trying it yet. its fully open source at least, and theyre based in germany is anyone cares about that
Just looked at NetBird, it looks suspiciously similar to Tailscale in what it does except they also got an open-source control server. They have self-hosting doc right in their web site. Looks interesting. Can’t find much about the company other than it’s based in Berlin and it’s currently private - Wiretrustee UG.
What’s the difference with their open-source control server, from headscale? That it’s officially published by the company?
Headscale is great if you like networking fun, but that aside I’m not understanding why VC funding is such a black mark to the poster. Tailscale doesn’t generate meaningful revenue streams as its early-stage, so it has to secure funding to continue operations until they achieve high enough revenue to go public. That’s pretty standard in a business life-cycle, though. It seems like the main complaint is that Tailscale is a business.
Yup, I don’t know if that is OP’s intention, but I would agree myself with the complaint that “Tailscale is a business”
The way I see it, if it’s a business it must generate revenue (either now or down the road), and that is enough to have me worried. I do have a Tailscale registration, and the way they approach email communication is already a yellow flag to me (too many ad emails)
That’s not really a justifiable reason, though. The Linux Foundation provides grants and scholarships to the open source community, but they do that through private equity business. So transitively, many open source projects are funded by businesses looking to capitalize on that innovation. Do you consider that when pulling from a git repository? No, that’s overbearing. Additionally Headscale is in part maintained by a Tailscale employee. That would surely create a conflict of interest given Tailscale is solely interested in generating revenue.
I get your point, though Tailscale specifically crosses a line for me in this sense:
- Using code created/maintained by businesses: ok
- Relying in infrastructure maintained by businesses: not ok
I am not that big of an enthusiast, but the way I see it, if a company goes rogue and you’re using their open source code, it’s just a matter of forking it (I’m thinking about Emby/Jellyfin as an example) If you rely on their infrastructure (such as Tailscale servers) then you are at the mercy of the companies
To that end: I’d say that OP is prettt on point by suggesting Headscale, you’re still “using Tailscale” in a sense, but without chaining yourself to the business
I am not that big of an enthusiast, but the way I see it, if a company goes rogue and you’re using their open source code, it’s just a matter of forking it (I’m thinking about Emby/Jellyfin as an example) If you rely on their infrastructure (such as Tailscale servers) then you are at the mercy of the companies
🏅
That’s not really a justifiable reason, though.
To you it isn’t, but to some of us it is. For me the standard business cycle is not acceptable because I almost inevitably end up under the bus.
The Linux Foundation isn’t a comparable example for me since it’s a non-profit. As a result it isn’t subject to the same market pressures for-profit businesses do, let alone VC-funded ones.
At this point, with everything I know and have experienced about the economy, politics and the world, I am trying to avoid depending on for-profit businesses as much as I can. I know how businesses operate, I know why they operate the way they do, I know what dynamics push them in the directions they go and I’m tired of being run over by the bus. If I ever form a business myself it would either be a non-profit, or a worker co-op, or both, as this will signal everyone who knows what I know what the direction of this business would be about.
Firstly, I’m not trying to start a flame war with commenters, I genuinely just disagree on something and some people are getting a little hot under the collar by it. The Linux Foundation comment I made because ultimately VC touches more than people think. Even its something that isn’t directly tied to VC, that money filters through groups like LF which is a non-profit and most would argue a quite legitimate organization. The point is there really is no separation or clear line of demarcation on what is “good” funding and what is “bad” funding.
The point is there really is no separation or clear line of demarcation on what is “good” funding and what is “bad” funding.
I understand and I disagree. A demarcation emerges from the goal of the funding and its effects. For me, one example of bad funding is funding that drives user acquisition at unsustainable prices by a firm that is also significantly controlled by the funding source. This is predominantly what VC-funding goes to. VC-funding that goes to a non-profit that the VC has no control over, where the VC can’t and does not demand financial return from, is not bad funding in my books. Corporate funding doing the same thing is also not bad funding. Government funding often has the least strings attached as it does not demand direct return, and this also is not bad funding. To top that off citizens can exercise control over government funding via the democratic process, unlike corporate or VC funding, where the vast majority have zero control, and the businesses funded have no accountability to.
Historically, Accel has never pushed acquisition. On the contrary, they do the opposite. Its why they VC fund over 300 companies, but you’ve never heard of them. That’s not to say they couldn’t, but they haven’t ever acted in that manner previously so logically it would be safe to assume that trend continues with Tailscale. I think that’s important here: its not about ability its about intent. If as a organization you give funding to another organization (even non-profits) you exercise at least some control over them as they are dependent on that money to function. This is actually a point other commenters have made in regards to Headscale. Headscale is maintained by a Tailscale employee. As they fund him personally, they can exercise some control over him as he depends on that money/employment. Again, even their comments circle back to ability vs intent. Tailscale could influence their employee, but would they? That’s where a lot of the VC argument goes. Its just speculation as what a group could do, not what they would do.
“The trend” is making money no matter what. That means they’re gonna screw you over eventually, the countdown has already begun, and it’s just a matter of time
yellow flag to me (too many ad emails)
Weird. I’m not saying you’re lying, but besides the registration email, and onboarding welcome email, I can’t think of any others I’ve received from Tailscale. In fact, I just did a search of my email client, and those were the only ones I’ve received.
I do believe my experience in this regard is not representative of everyone, I probably failed to untick some checkbox (regarding communications) and the “too many ad emails” are a handful (in 3 months), which to me is a handful too much (having to untick a box should not be necessary)
That’s cool. I don’t like spam either. You are correct in that you should have to opt in instead of opt out.
It seems like the main complaint is that Tailscale is a business. And what about the Linux Foundation?
The Linux Foundation is not a business.
The businesses that fund the Linux Foundation through private equity are though, aren’t they?
Sure. Do you have a point?
Yeah, I think you missed that. Go back through and reread comments please. Thank you.
Could you summarise for us please? It’s not clear.
Not that it is a business but is a specific kind of business. VC funded startups eyeing an IPO more often than not start doing things users are not happy with. Maybe tailscale won’t, but might as well be aware what kind of company they are acknowledge there is a decent chance of rugpulls
The problem, though, is that VC-funded projects bite off way more than they can chew from the start and have to enshittify to keep shareholders happy at that level.
Growth for the sake of growth is a fundamentally broken concept. Tailscale provides a free service that many use. They already offer a paid support tier for companies, like other certain FOSS projects do, so why not call it good there? Grow based on actual customer needs, instead of shareholder bullshit “needs” (line must go up 🙄).
Meh. I will keep using it
deleted by creator
And here I am, still using OpenVPN in 2025 lol
Used to run OpenVPN. Tried Wireguard and the performance was much better, although lacking some of the features some might need/want fit credential-based logins etc
Yeah, OpenVPN definitely doesn’t have light spec requirements 😅 thankfully hardware is unfathomably powerful these days.
Sure but wireguards connection is just faster.
I can highly recommend Netbird selfhosted, it has SSO support, logins, complex network topologies, it uses wireguard under the hood and it’s open source.
That sounds kinda cool. I’ll have to check it out. It’s kinda hard sometimes to push FOSS stuff in a largercorporate environment but this looks like something I could recommend/build for small-mid private SOHO clients.
They also had a major ass security issue that a security company should not be able to get away with the other day: assuming everyone with access to an email domain trusts each other unless it’s a known-to-them freemail address. And it was by design “to reduce friction”.
I don’t think a security company where an intentional decision like that can pass through design, development and review can make security products that are fit for purpose. This extends to their published client tooling as used by Headscale, and to some extent the Headscale maintainer hours contributed by Tailscale (which are significant and probably also the first thing to go if the company falls down the usual IPO enshittification).
Isn’t that the entire design philosophy of tailscale?: reduce friction, at the cost of some security.
If security is your main priority, you should be using more secure options, even if they are less convenient or tougher to maintain.
Headscale maintainer hours contributed by Tailscale
Could you expand on this?
There’s a disclaimer in the readme: https://github.com/juanfont/headscale/?tab=readme-ov-file#disclaimer
The maintainer Tailscale contributes happens to be the lead developer by commit count at the moment.
Nerds stop recommending corporate crap: challenge: impossible
I didn’t really get the allure of it TBH. For most home-based nerds a simple Wireguard host (or OpnSense, OpenWRT etc running such) should be fine, and there are better options for commercial from better-known vendors in the network security space
The “well known vendors” tend to be crap especially on a security level
Ok and?
Just use normal wireguard, why do you need tails or heads at all?
Tailscale offers way more then just wireguard. ACLs, NAT traversal etc. etc.
While some use cases can be replaced with traditional wireguard, others not.
I’m curious what kind of a use case you can think of that “traditional wireguard” can’t replace tailscale for.
Tailscale has a maximum of 3 users on their free tier, so it seems like a super limited use case of people who DIY their own servers for Jellyfin or HomAssistant or whatever, but just a tad too lazy to setup their own Wireguard service in addition to whatever it is they’d be using it for… I think the vast majority of free tailscale users have simply never actually tried wg-easy , because if they did they wouldnt need to use a third party service.
@gravitywell you miss the whole goodie-part like funnels, acls, certs etc.
ACLs for me are really valuable as i’m using for a small team (3ppl) for server/app admin. @ShortN0teI think ACL is a paid feature with TS, but maybe im wrong. Once you get to the paid tier, you are just paying someone else to manage your VPN, which is fair enough but its not something you could’t also pay someone to do with wireguard (or openVPN for that matter). I think its fair to say “I pay for this service because i don’t want to have to deal with configuring it myself”, it might be easier to setup for some use cases, but if someone is already self-hosting things and has a DIY attitude to it, I don’t think tailscale can do anything wireguard can’t also do (it is based on WG afterall)
Maybe I’m not familiar enough with other kinds of setups to think of things though. My wireguard setup is basically a meshnet between several people’s home servers, each person has their own subnet only they can use, but the wider 10.X.X.X is shared by everyone, its certainly not the most secure because it doesnt need to be, but if i wanted to restrict one persons access to something i certainly could do that.
ACLs are on the free tier too.
Big difference in users and devices here. Tailscale might have a 3 user limit, but you can add up to 100 devices for free. So for me for example I have tailscale running in each and every docker container in my NAS. So each and every container can now act as a node on my tailnet. Users isn’t a big deal, any one node can activate funnel with a simple command and poof its available to the public. The convenience coupled with simplicity is what makes Tailscale so god damn good.
Can you segregate connections between different nodes on the tailnet, like say node G and H can only talk to each other and no other nodes?
Not sure, not tried that as that’s outside my use case. But I would assume its possible with ACLs!
Accessing your home network that is kept inside a NAT by your ISP, without you having to acquire an online server somewhere.
Except you do need to acquire an online server somewhere, its just one that tailscale owns and controls instead of you, and when tailscale decides to enshittify and kill of their free tier you’ll be left wondering why you didn’t just rent a cheap VPS sooner.
Ask yourself, what is tailscale getting out of those “free” users that makes it worth providing services to them that they’d otherwsie need to rent a VPS for? What do you think their response would be if for example they got pressured about maybe too many users on their network are running a certain video streaming app?
You really don’t though. I use wireguard myself under the same scenario without issue. You just need to use some form of dynamic DNS to mitigate the potentially changing IP. Even if you’re using Tailscale you’ll still need to have something running a service all the time anyways, so may as well skip the proxy.
If you only need to worry about the IP changing, then your ISP is not using NAT, or CGNAT as it is better known. I’m pretty sure that you can also use port forwarding, which is not commonly available under CGNAT.
Ah, I see where I got confused. Yeah, CGNAT isn’t very common around here. I don’t think I’ve ever run into an ISP that uses it. I can see how that complicates things.
Your approach won’t work if you’re behind carrier grade NAT or you can’t open ports. My landlord provides my internet so I use tailscale (with headscale on my long distance vps) to connect everything and it works great. It uses LAN when I’m home, and NAT punches when I’m elsewhere.
