Good morning,
This Stratechery interview is another installment of the Stratechery Founder series; as a reminder, one of the challenges in covering startups is the lack of available data. My solution is to go in the opposite direction and interview founders directly, letting them give their subjective overview of their companies, while pressing them on their business model, background, and long-term potential.
Today’s Stratechery Interview is with Tailscale Co-Founder and CEO Avery Pennarun. Tailscale is a peer-to-peer VPN with built-in encryption, authentication, and network traversal management; that sounds complicated, but in fact using Tailscale is incredibly easy. I personally am a long-time user and fan, and was very excited to conduct this Interview for not just professional reasons but personal ones as well. I’m also not the only happy user: Tailscale recently surpassed 10,000 business customers and has over 500,000 weekly active users, with a total active userbase in the millions.
What was so interesting about this interview is how nearly every feature that I love about Tailscale has a connection to Pennarun’s background. In this interview we discuss creating a home network as a child, building a Linux driver as a teenager, and starting a company to help small businesses share a dial-up connection as a college student. We then dive into Pennarun’s professional experience with a Canadian bank and Google (and back again), and how that led to both the Tailscale concept and its name. We also get into Tailscale the company, how its model is disruptive, and why Pennarun sees great potential in keeping it that way.
As a reminder, all Stratechery content, including interviews, is available as a podcast; click the link at the top of this email to add Stratechery to your podcast player.
On to the Interview:
An Interview with Tailscale Co-Founder and CEO Avery Pennarun
This interview is lightly edited for clarity.
Topics:
The Networking Thread | The Tailscale Origin Story | Building Tailscale | Peer-to-peer Disruption | Scaling Tailscale | A New Internet
The Networking Thread
Avery Pennarun, welcome to Stratechery.
AP: Hi. Great to be here.
I’m looking forward to learning more about Tailscale. I am a big user, albeit in an unconventional way, although I think there’s a whole host of us that use it in perhaps unexpected setups. I always like to open these interviews by learning more about the person I’m talking to, so tell me your story. Where’d you grow up? How’d you get started in tech? Take me back to the beginning.
AP: Well, let’s see. I was born and raised in Thunder Bay, Ontario, which is in the Northwest, a very cold region of Canada.
Yeah. I have driven through there.
AP: A lot of people say that. That’s the exact words they use and that’s because there’s basically one highway that goes all the way across Canada. So if you’re going to drive across Canada, you’re going to drive through Thunder Bay.
There you go.
AP: Some people stop on the way, it is the biggest stop for probably four hours in any direction. So usually you need a bathroom break or a gas stop or something like that.
I will say that I stopped there, because I probably did.
AP: Yeah, you probably stopped briefly, at least. It’s a nice place, I actually quite like it. My dad brought home our first computer when I was three years old, and I was very excited to mash the keys and stuff. I memorized my first program in Basic when I was five, so I could type it in whenever I wanted. It would ask my name, and it would print it out 10 times or something like that, and I was basically hooked for life.
And so that’s been the whole thing ever since. But if you look through your career, you’ve been in networking for a long time. What was it about that, specifically? How’d you go from basic “type my name” to being obsessed with networking?
AP: So the original motivation for networking was the fact that my sister also became obsessed with computers, and she wanted to be online all the time and we only had one modem, and we had one university account, when neither of us were in university, that we shared, that we would dial into the university and use the modem, and we both really wanted to use it at the same time.
So I was playing with this thing called Linux, which had just come out at the time, and I found out that there was networking stuff inside Linux, and if you played with a lot of settings, you could basically connect two computers through the one modem to make it work. And so I fiddled and fiddled and fiddled, and I started — we didn’t have any special networking hardware. We had, at this time, a 386 and a 486, which is our new computer.
Did you get the new one or the old one, or did your sister claim the fast one?
AP: Well, we traded off. My sister was big into IRCs, she was just IRCing constantly. So she was fine with the 386 as long as it was in text mode and IRC, so I used that one as the router with the modem, and then I used a serial port link between the two and I was able to Telnet, at the time, from my 486 into the 386. Then we used a program called Term, which was this sort of efficient multiplexer, if you remember it.
I do.
AP: And we were both able to use network connections to the university. And that was neat, but then I wanted to transfer files between them without using floppy disks and the serial port connection was just no good. So we’re like, “Oh, I heard about this thing called PLIP”, Parallel Line IP, so we got a special parallel cable. My dad was really good at wiring things so we wired up a parallel cable that was wired appropriately for PLIP, and I used a parallel line connection between them, which I think got me about 100 or 200 kbps, something like that, which was faster.
Amazing, yeah.
AP: But it was like, “Now I want more”. And so I told my dad, “Hey, can we get network cards?”, and he is like, “What do you mean?”, and I’m like, “Well, I heard about these things that you can use, and then they’re like high-speed connections between computers”. We didn’t have a lot of money so I said, I don’t care about the fastest networking card or the best networking card or whatever, just get us two that are the same, and the right cable that goes with them and he’s like, “Ah, I know the place, I’m going to go to the electronic junk store”, so he went off to the electronic junk store where they have all kinds of components, and he came back that day and he’s like, “Avery, you’ll be so proud of me, I got two network cards, $10 each, plus $5 worth of cable, and I picked the biggest cards, because I figured they would be the best ones”.
(laughing) Oh no!
AP: And that is apparently not how computers work. So these cards were from 1980, they actually literally said “Copyright 1980” on them, and they were ARCNET, which was a networking technology that came out before Ethernet, and it was 2.5 megabits.
But on the upside, these cards were so simple that they were a good platform to learn on, and there was no Linux driver for them, which kind of defeated part of my purpose. So then, I’m like, “Okay, well let’s figure out how to write a network driver, how hard can it be?”, and here I am in grade 10, or something like that, trying to learn how to write network drivers for Linux. But it actually was pretty simple at the time and these cards were really, really simple. You just poke a couple programmable I/O ports into it, like move a packet from one machine to another, I’m like, “Okay, I can do this”.
So I wrote a network driver for Linux, that’s how I got into kernel development, and I actually got this thing working, and now I could transfer files between my computers at high speed.
Did your driver actually make it into Linux, as a whole? Is it still out there?
AP: Oh, yeah, did it ever, and because I was a high school student with nothing better to do, my tech support turnaround time was amazing. So when people were emailing me, it’s like, “Hey, I needed to use ARCNET on Linux for some reason”, because it turned out it was used by ISPs, it was used, I think, still used in car factories and stuff. It’s a really reliable old protocol. And so there are people all over the world using this ARCNET driver. So fast-forward another 10 years or so, and actually while I was in university, a company in Chicago that was still making-
This was at Waterloo, right?
AP: Yeah, this was University of Waterloo. A company in Chicago that was still making network cards, they were ARCNET cards. They had upgraded them to, I think, 10 megabits, which was amazing for ARCNET at the time, and they had PCI and PCMCIA versions, and they’re like, “Avery, there’s people using these things in factories, the old ISA ones don’t work anymore, because you can’t buy computers with ISA buses, but they’ve got all these million dollar robots that are attached to them. So we built these new devices, but they want to run Linux and your driver doesn’t work with the PCI ARCNET cards, can you do it?”. I’m like, “Well, I guess. If you send me the spec sheets and stuff, I could probably do it”, and they’re like, “Well, how much will it cost?”, and I was a university student, I didn’t know how much anything costs, so I said, “What if we say a hundred dollars an hour? I can probably do it in roughly 60 hours, so that’s like $6,000”.
So I faxed him a quote, because that was the thing you did at the time, and he called me out a day later and he said, “Avery was that quote per day or what?”, and that’s when I knew I had been a little bit too low. But you know what? I was still like, “Look, I can do it in 60 hours at a hundred dollars an hour, that’s way more than I expect to get paid as a university student”. So we did the deal, they flew me down to Chicago, we talked about it a lot, the driver worked for them, and that got me into the technology business, and I just sort of continued from there.
That’s amazing, that is an all time great origin story, I’m glad we got into it. You started, I believe, a company in university, Net Integration Technologies. Is that right?
AP: That is correct.
So what did that do?
AP: That’s actually a great continuation of the same story.
So having now connected our two computers at home, so we could both share the Internet, I ended up working at the first Internet provider in Thunder Bay that wasn’t the university, which also did a bunch of dial up and stuff, and it was run by this guy who owned a computer store, who actually didn’t know how to run an Internet provider. So they tracked me down, through a series of connections, to set up their ISP for them.
He also worked at this computer store and he did consulting for various companies in the city. I didn’t have my driver’s license at the time, so he would shuttle me around from place to place, and we would fix their problems, and one of the observations I had over and over was that there were these rooms full of people, and they all wanted to use this guy’s Internet service, which was brand new to Thunder Bay. And so there was one computer in the corner with a modem, and they would line up to check their email, and I’m like, “Well, this is silly, me and my sister, at home, have a better setup than this”.
I didn’t do much about it at the time, because it’s like, “Okay, if we set this up for every single person, it’s just going to be a support nightmare and so on”, but a couple of years later, I had been doing this all the way through high school, and I went off to the University of Waterloo, and me and my roommate were thinking, “Wouldn’t it be good to find out what it’s like to start a company, just as an experiment, so that we can make all the mistakes now and then when we graduate, we can decide if that’s really what we want to do? So let’s do this for a few months and see what happens”.
We were brainstorming ideas for projects, and the project that came to mind is all these companies that have a modem sitting in the corner, “Wouldn’t it be great if they could just share that over the ethernet network they already have? So why don’t we make a box that — famous 19-year-old imagination — we can just make it zero tech support and just plug-and-play, it works perfectly every time, so you don’t need to continue coming back and fixing it”.
It always works perfectly, doesn’t it?
AP: Yeah, exactly. Why don’t we make just a super easy-to-use appliance that’ll let you share your network connection like this? Which, it turned out, was a really unusual idea at the time, nothing like that really existed.
So we built it, we assembled it from a PC. We bought a thousand dollars worth of parts, and then sold it for $2,000, and these companies loved it, and we sold five or ten of them or something like that, which was enough to pay for the — instead of taking a university co-op work term, we paid our own salaries by selling these boxes, which was pretty good.
But then the problem was they loved it so much that they kept telling their friends who would then phone us and say, “Hey, that company that my friend works at has this box that lets you share your Internet connection, can I have one?”. And it’s like, “Well, it’s an instant thousand dollars if I assemble one device, and then ship it to them, so I’m not going to say no to this, that’s a lot of beer and food money”, so we kept selling those things.
Eventually it sort of escalated to the point — I remember, at one point, I had to run out of an exam to answer a phone call, because somebody was having an urgent technical problem. I’m like, “Maybe we need somebody else to be involved in this company”, so it sort of spiraled out of control from there. But Net Integration Technologies started from this “I just need to share my Internet” idea, which spiraled from there.
Well, it spiraled, it ended up being acquired.
AP: Yeah. We grew to, I think, over a hundred employees, eventually got acquired by IBM. And the reason IBM acquired us was it became the easiest way to install IBM DB2 and Lotus Domino, which were sort of famously difficult to install and configure. And IBM, at the time, was really still feeling jealous of Microsoft about having taken over the PC business, basically, and they were like, “Microsoft Exchange and Outlook are terrible, Lotus Notes is so much better, let’s try to get Lotus Notes to small businesses”, and the only way to get these things to small businesses is super low setup time, which our device could provide, but there’s all sorts of elements of strategy that they were missing there. And so, just the super low setup time was not enough, in fact, to get Lotus Notes into small businesses, but it was our exit.
Did you actually go and work at IBM then?
AP: I didn’t. I bailed very early on, no way I can handle this.
So did you go straight from Waterloo to Google then?
AP: No, I did a brief stopover at a company now called VersaBank, which is actually a bank in Canada. But they had developed their own internal banking software, and they were trying to spin this off and sell it to other banks, especially in Canada, because it was pretty good software and I’m like, “Okay, well, I don’t have anything better to do”, the guy who runs the bank was a friend of the family, he’d known me for a long time, and so the day that my company announced being acquired by IBM, he was on the phone with me. He’s like, “So Avery, I found out that your company had been acquired, are you doing anything important right now?”, and I’m like, “Well, no, I hadn’t decided what to do next”, he’s like, “That’s perfect, come talk to me about this thing”.
So we did that for a little while. Unfortunately, that happened in 2008, which was a not great time to be in the banking world. So no banks, at that time, were like, “Hey, let’s replace all our banking software”, so that direction didn’t really work out, although I did lots of interesting things there. We launched a credit card. I learned a lot about how check processing works, because we implemented a check creation and processing system, and integrated that with the check network.
Well, I have to ask, we had this beautiful thread building up from you and your sister to Tailscale. I have to ask, did check cashing software, does that fit in this story at all? Or is this really just a total aberration?
AP: Well, if you want to connect the threads, first of all, this bank was one of the early customers of my first company, because they had a couple branches and they wanted to interconnect the branches and the first feature we added after the Internet sharing, which they also needed, was VPNing between the branches. So I actually implemented my first VPN in second year university. I called it Tunnel Vision, which I thought was very clever. It was the tunnel, because you see—
I get it.
AP: And this money transfer thing is actually what ended up being my first job at Google, because I interviewed there, and the reason I interviewed there, it’s kind of funny. My friend was trying to convince me to come visit him in New York, and I said, “Well, I don’t know, I don’t have a job right now, I don’t know if I really want to spend the money to fly there”, and he’s like, “Oh, you could just interview at Google”, and I’m like, “What do you mean?”, he’s like, “Well, they’ll fly you here for free”, and I’m like, “Well, that sounds a little unethical just to do a job interview to get a free trip to New York”. He’s like, “No, no, no, as long as you’re willing to honestly consider the job, it’s not unethical, even if you don’t take it”, I’m like, “Hmm, there’s something wrong with this logic, but I can’t figure out what it is”.
So I decided to interview there, and then they convinced me. So the rule I had for Google is like, “Look, I don’t want to work at a big company, I’ve seen IBM close-up already, I’d worked at a semiconductor company for four months while I was at university, and big companies are not for me. So if Google totally impresses me with 100% of the interview panel, then maybe I’ll think about it, but that’s impossible”. And then little did I know that, behind the scenes, my friend kind of figured I would do that, and so he made sure that the interview panel was made up of people who would be super fun for me to talk to, and I did.
And then, after you joined Google at that time, they had a completely separate hiring process versus placement process. They hired engineers, and then once you were hired, you got on a list, and then anybody who was trying to find people for their team would look at the list, and so on my list of experiences was money transfer systems, and therefore the Google Wallet people were like, “Oh my God, I need somebody to do money transfer system”, and they scooped me up right away, and that was my first job at Google. So I did that for about a year.
Well, you lasted for quite a while at Google, maybe against your expectations?
AP: Very much against my expectations. Actually, they gave me a signing bonus, and I refused to spend the signing bonus, I left it in my bank account, because you had to pay it back pro rata if you left before the first 12 months. And I’m like, “I’m not lasting 12 months at this place, I don’t know how many months I’m going to last, but it’s not going to be 12”, and then it ended up being seven-and-a-half years.
The Tailscale Origin Story
So why was it so good for you?
AP: The next step in that journey was one of my co-op students, from my first startup, was already working at Google, and he found out I was at Google, and he is like, “Avery, there’s this project that I couldn’t tell you about when you were outside Google, because it’s super secret, but I think it’s right up your alley. We’re doing this Internet service, Google Fiber, and they need somebody to build the devices that are going to go in people’s homes that need to be zero maintenance and super easy to use, and do all the networking, multiplexing, and stuff like that. And it’s going to have Wi-Fi and all the other stuff you’re interested in”, and I’m like, “Well, tell me more”.
So I ended up doing sort of a side project, working for that team, while I was doing the money transfer project. Eventually, that side project turned into me working full-time on that team and it was the only way onto that team, it turned out, because it was a team based in California, and they were insistent on not taking people from outside California. But my side project saved them, I think, a million dollars in the first three months or something like that, and they were like, “Okay, well, maybe we’ll make an exception for this one guy working at Google New York”, and that’s how I got back into networking.
So was getting back into networking just working on Google Fiber, or was there — I mean Google was, very early on, doing zero trust networking, and the way they thought about it was just rethinking the entire architecture. Is that something that left a big impression on you, or did that impact what came next?
AP: So I had a really good time at Google, because it’s a super open culture, it’s very unlike most big companies in that way. I don’t know what it’s like today, this was quite a while ago. But at the time when I joined, which was 2011/2012 timeframe, you could learn about anything that anybody was working on just by joining the right mailing list and using the internal — they had Google Buzz, if you remember that, and then eventually Google Plus if you remember that, and then eventually other things.
So I wasn’t directly involved in most of those internal production networking systems, but I was adjacent to a whole bunch of people, and everybody who cared about networking at Google of course talked to all the other people who cared about networking at Google. And so I was very close to the people working on BeyondCorp, which was the predecessor to zero trust networking. Somebody outside Google basically took the same concept as BeyondCorp, because BeyondCorp was the first paper, and somebody outside named it zero trust, which was the name that caught on, because with BeyondCorp, nobody knew what it meant; Corp was the name of the corporate Google network.
Zero trust is a much better name, I’m going to agree with that one.
AP: Exactly. At Google, they had two networks, the Corp network, which is where people were, and the Prod network, which was where computers were, and BeyondCorp was for the Corp network, but the idea was, in the early days, just being physically plugged into the Corp network at your desk using an ethernet cable was enough to get you all kinds of privileges on the network, it made you more of a person, and they realized that physical connectivity was not the most secure thing, we need some kind of cryptography to make this work better. So BeyondCorp was like, “Hey, let’s make it so you can get on the Corp network without actually being plugged into the Corp network”.
There you go, that’s like Stratechery. If I say it’s strategy and technology, people get it. Turns out that’s not good for people who you can’t explain it to, it’s basically the same category as BeyondCorp. I get the name now, it makes sense.
AP: Funny, I think I first ran into Stratechery like more than 10 years ago, and it immediately clicked for me. It’s like, “Oh, yeah, it must be strategy plus technology plus sorcery”.
I like it, you’re one of my people. I appreciate it, thank you.
AP: Does it have sorcery? I assumed sorcery was the third word, because otherwise, why would it end in -ry?
I don’t know, strategy. Look, there’s a lot of problems with it, we don’t need to discuss it right now, I’m interviewing you not the other way around! So you’re at Google for seven, seven-and-a-half years. Was the Tailscale idea, did that pull you out of Google or what was the core sort of moment where you’re like, “This is what I want to build next?”.
AP: Well, there’s even more to the story. So I worked on Google Fiber, and we had a pretty good time in Google Fiber, although one of the interesting problems with the devices we made was that if you wanted to change any settings, it took a couple of minutes for those settings to get reflected from the cloud centralized control system down into the devices, and the reason for that was this really bad control protocol that we were using, combined with a very distributed system in the cloud, that just made everything slow for what I always thought was no particularly good reason, but it was the Google way to do it.
But then, eventually, after about five or six years working in Google Fiber, they decided to just spin down the whole thing and it’s still operational, obviously, but they greatly cut the staff of Google Fiber to turn it into a more cost-efficient operation. And so from there, Google is quite an odd place, so everybody who had been working on Google Fiber, they didn’t lay us off in the most technical sense, but they did eliminate our roles, and then said, “Well, you have an unlimited amount of time to find a new role”. I’m like, “Well, that’s very generous”, but I’m not a person who can sit around doing nothing for very long and so, skipping over some details, I ended up working with some people in Google X and Alphabet and some other experimental projects, and one of the things that I noticed, as a repeating pattern in those projects, was in order to use the Google infrastructure to build your prototype, it was really, really expensive.
The Google infrastructure is amazing if you need to, for example, search the entire Internet millions of times per second and return the results in 0.1 seconds, but it’s really annoying to use for a small project that doesn’t need to scale, and that’s the pattern I noticed is that sometimes you have a 20-person team working on some new thing, half the team would be working on DevOps basically, or what we now call DevOps, which is way too much of your team for something that’s experimental, and I observed that. I didn’t do anything about it when I was at Google, but when I eventually left, which I was sort of planning to do ever since they canceled my five-and-a-half year project, I’m like, “I really hate wasting my time, and if you cancel my project, it really wastes a lot of my time”.
I came out into the outside world and I found, to my dismay, that after seven-and-a-half years working at Google, everybody was copying the Google scalable infrastructure design techniques and everybody now had this problem where DevOps is a huge proportion of the development process, because they’re trying to make everything scale before it needs to scale. And so “Tailscale”, the name came before anything else, the name is the opposite of Internet scale. I want to solve problems, I want to solve the long tail of problems, that everybody has, that are not your scaling problems.
There’s so many pieces of Tailscale that go into this that are really compelling. I think a lot of moments in time that came together to make it possible. But before we get to that, for people who aren’t familiar, what is the high level pitch? What is Tailscale? How does it work? And then we can get into the specifics.
AP: Super high level pitch is Tailscale lets you connect any device to any other device anywhere in the world with encryption and identity and firewalling automatically handled for you. That sounds pretty simple on the surface, but to make it happen requires a ton of complexity in the backend, because the devices might be behind firewalls, might be behind multiple levels of firewalls, might be behind NAT or CGNAT or both or multiple NATs, they can be anywhere and Tailscale just makes it so like, look, I have a phone in my hand, I left my laptop at home. I’m sitting in a cafe, and I can still get a file from my laptop to my phone or vice versa, directly, without forwarding through any Tailscale infrastructure. We find a path, despite all of these obstacles, we make a direct connection, so it’s as fast and as low latency as it is possible to be, and we allow you to do whatever you could do if these two devices were plugged directly into each other.
So this is, obviously, a problem for small teams and my use case is that I use this Channels service to be able to watch TV, I’m in Taiwan, to be able to watch TV from anywhere, and I have a Tailscale connection to my Mac Mini located at my place in the US. But also I’ve convinced lots of people here to set up a similar thing, but I manage all of it for them. I have computers all over the US that are on my Tailscale network, and I connect to them directly, and it’s amazing. It’s incredible, it works perfectly every time. Particularly with people’s random home Internet setups, to your point, this stuff’s double-NATed, you don’t know what’s going on. To just be able to consistently break through, it works really, really well.
Still, this is just one of many problems to fix this DevOps issue, to have the long tail of folks be able to do things. Why this one, specifically? Was it your background in networking? Was it just timing? I think you’re using WireGuard. That came out, I think, 2016. What was it that set you to focus on VPNs, VPN-type issues?
AP: Well, since we’re telling my whole life story, I’m going to tie it once again back to my good friend at VersaBank who was still monitoring me when he found out that I left my job at Google. He’s like, “Hey, Avery, I heard you left Google, I have a problem, do you want to come help me solve it?”, I’m like, “Here we go again, I don’t want a job this time”.
It’s worked out well to follow him, so I can see why you keep getting pulled in.
AP: (laughing) It absolutely has. “I don’t want a job this time, but I’ll help you solve your problem, whatever it is. But I’m thinking of starting a company”. He’s like, “Well, maybe the solution to our problem can help you figure out what you want to do in your company”, I’m like, “All right, sounds okay”.
So the problem he described was the banking software, that we originally had been commercializing several years earlier, that I helped build these different features for. Now, their auditor had showed up and said, “Hey, we did a phishing test and half the company is willing to type their username and password into a random website, as half of, basically, every company is. It might be less than half, it might be 20%, doesn’t really matter, if anybody at your company is willing to type their username and password into a random website when they make a mistake, now you have a problem”. So they did the phishing test. Banking employees, of course, some of them failed a phishing test, and this allowed them to get into the core banking software and transfer money and stuff. So it was like, “This is really serious, we’re going to need to do something, phishing is this big new problem that everyone is really concerned about, we need two-factor authentication”.
The thing is, how do you get two-factor authentication into a client-server Windows application that uses some third-party authentication thing that nobody’s maintaining anymore? And so, we brainstormed for a while, and I said, “Look, I don’t have great ideas, nobody wants to replace the core banking software, because it’s pretty good core banking software, but it’s missing this two-factor authentication. What if we put the bank server on a different network, and the only way to get into that network was to do two-factor authentication?”. We just basically VPN from everybody’s desks into this remote network, even if it’s in the same office or in the same data center, but you have the two-factor authentication steps.
So we talked to the auditors, we talked to the security people, and they’re like, “Yeah, that sounds like that will cross off the checkbox”, and I’m like, “Okay, all I have to do then is find a VPN that works with your SSO, which was Microsoft Azure-based, that you want to leave on all the time, that won’t impact performance or mess up anything else”, and it turned out this didn’t exist. I went out looking, it’s like there’s no feature or no product, at the time, that met that combination of requirements.
And so, we were like, “Okay, well there’s this new thing called WireGuard, I guess if we just took WireGuard, and we made a key generator, and we put WireGuard in the right places, and I’ll do the integration with Azure, we should be able to give you what you need, and we’ll see what happens from there”. So we built it, and it worked, and it solved his problem. And then, not long after that, COVID hit and he was very excited that, “Hey, we just sent all of our employees home with their computers and it kept working, because it turned out the computers were VPNing into the production network instead of physically plugged into it”, so it was just a weird bonus.
But, anyway, I was like, “Okay, this is really cool, but I’ve done my time in the enterprise world, I don’t want to make it an enterprise software company, in the sense it’s a company that only does enterprise stuff”.
Building Tailscale
Hey, you don’t want to work at a big company either, so I’m picking up on a theme here.
AP: (laughing) Exactly. So what if we took the same interesting thing and just repackaged it a little to make it so that end users could play with it? Because I need this thing at home, it’s just too enterprisey at the moment, so let’s make it less enterprisey.
And so, me and my two co-founders who were both named David [Carney and Crawshaw], we worked and worked and worked, and we turned it into something that was simpler, and we wrote a little blog post about it and that blog post somehow hit the front page of Hacker News, and we started getting a bunch of people signing up for our waiting list, or the so-called waiting list, which was actually just a thing that sends Avery an email when you fill out a web form and every time somebody sent me an email, I would activate their accounts and reply back to them. I think I stayed up for more than 24 hours just replying to these messages, and asking people for feedback, and activating accounts.
We got hundreds of users in the first night and that’s how I knew I was onto something, then we had this really interesting product that apparently worked for individuals who just want to play with it, and also banks. And then, it’s like, “Well, how do you connect those dots?”, and so I started talking to a lot of other people and eventually we found this concept of the, I guess, “product-led growth” is the word we use now, which had only barely started to come into terminology use in 2019 when we were starting.
Well, the beautiful thing about networking, it’s sort of inherently viral, because it’s more useful the more people are connected to it. I think that’s where the whole thing originated.
AP: They call it the network effect.
That’s right.
AP: And we’ve stopped realizing that the network effect was originally about networks and not about humans, even though it’s the same exact system effect in both cases.
Well, the other thing you mentioned is SSO. Just as far as timing goes, it wasn’t just that you had WireGuard come along, but also everyone was rolling out SSO at this point, and this bit where you get the authentication basically for free. I use my Google account for all my Tailscale implementations, and you don’t have to do anything, the authentication is just built right into the product.
AP: Yeah, absolutely. If there’s one bit of advice I could give to anybody who’s starting a software company that’s selling to businesses, it’s like, stop implementing your own usernames and passwords. It’s the most ridiculous thing at this point. Everybody has an SSO provider, just plug into that, just get out of the business of maintaining usernames and passwords.
When I was working at Google, I was friends with some of the people on the identity team, and they had literally more than a thousand employees over there just dealing with all the problems of authentication at a company the size of Google, because there’s spammers, there’s scammers, there’s abusers, there’s account takeovers, there’s account recovery. You can just get out of all of those things. You can just never think about them by putting a login with Google button, now it’s Google’s problem. Oh, I lost my account. Well, go find it, here’s the people you can ask.
It is amazing how much work that saves, how much more secure it makes everything. Speaking of two-factor authentication, in the end, we never had to implement the two-factor authentication, the two-factor authentication was built into Microsoft’s login system.
You’re also then theoretically plugged into the oldest business model in the book, which is you have to upgrade to use SSO. That was actually inherent to your product.
AP: So we have a blog post called Eliminating the SSO Tax, because we did originally charge extra if you wanted to use certain authentication providers that were highly correlated with people who had more money, but we just wanted to send a message that anybody who’s charging you extra for SSO is actually making security worse for the world.
Yeah, I remember that blog post.
AP: It’s like when Let’s Encrypt came along, it’s like, look, all these people charging money for SSL certificates are stopping SSL certificates from rolling out, SSL certificates are easy to generate, they take a quarter of a second of CPU time, and then we can send you the certificate, it’s absolutely ridiculous, and we’re just going to automate it and we’re going to turn it into a nonprofit organization, so that everybody in the world can get SSL certificates from now on. And within, I think, a year they had more than half of the world on encrypted HTTP instead of unencrypted, just because they need the service. And so it is exactly the same thing, we have to stop charging extra for SSO, it’s nonsense.
So this is a question I’ve always wondered about. How do you get an IP block? So all the Tailscale addresses are 100 dot…which is a great number. I’m curious, how do you get that number?
AP: So that’s actually not our block. That’s a block called the CGNAT block, which is a whole other story.
So most people are familiar with the RFC, I forget which RFC it is [RFC 1918], but 192.168 or 10 dot something, or the much lesser known class B ones, I think 172 dot something or other.
But there’s another RFC that came out quite a bit later where they had tracked down another block of IP addresses that they dedicated for specifically the problem of ISPs that no longer have enough public facing IPs, so they have to have an intermediate transition layer, and they’ve already used up the private IP blocks from the first RFC for their customers, and now they need to take those private blocks, transition to this transition series addresses, and then transition it to the public address. So the double NATing that almost all ISPs have to do now, because not enough blocks.
So Tailscale, we did the architecture diagram and we’re like, “Well actually, we’re the ISP in this virtual network scenario”, and it gets a little complicated, but if you actually look at it, in the virtual network, the only network is the Tailscale network, and therefore there’s no way anybody’s going to be doing CGNAT at the virtual network layer and everybody shouldn’t be seeing CGNAT addresses, because they’re all sitting either on their private networks or on the public network, neither of which are CGNAT.
So we picked up that block of addresses, because it would have as few conflicts as possible, but it’s available for use, you just have to be careful about using it if you’re on an ISP that uses CGNAT.
Interesting, that makes total sense.
Peer-to-peer Disruption
There are so many things about this that lend themselves to almost like a disruptive sort of thing. So part of what makes Tailscale so compelling compared to a regular VPN is instead of going to a centralized VPN server, Tailscale is all peer-to-peer, you just orchestrate it on top to connect it together through the key exchanges, all those bits and pieces, but because of that, it makes sense why I can have a ton of devices connected to this, because it’s not actually costing you anything to service these connections. You just facilitated me connecting to my computer back in Wisconsin, and there’s no extra burden on Tailscale.
AP: Right. So that reminds me. There is another through line from my work in Google Fiber to Tailscale, and that is when I was working in Google Fiber, my team was specifically working on the Wi-Fi routers that we put in people’s homes as an ISP, and we really wanted to have multiple Wi-Fi routers throughout the home, because Google Fiber was famously the first gigabit Internet service in North America, and the problem with that is it wasn’t very hard to get the gigabit into your house, it was very hard to get the gigabit throughout your house. The bottleneck was always Wi-Fi.
People would say, “Why’s my Internet so slow?”, it was actually bad Wi-Fi.
AP: Exactly. So I used to say our team had the dubious distinction of being the reason you weren’t getting a gigabit out of Google Fiber, and therefore the source of all your complaints. So our job was to get it as close to a gigabit as possible so we were trying everything, and this was the early days of mesh Wi-Fi. Some of the work we did turned into what became Google Wifi, if you remember the Google Wifi routers, I don’t even know if they’re still selling them.
AP: They were one of the first ones that came out with a reliable mesh. Anyway, so it was really hard to build a Wi-Fi mesh and it never really quite worked during the time that I was there. We got to a degree of it working, but it has a lot of unreliability.
And so, when we were doing Tailscale, eventually my co-founder, David Crawshaw, the first version we made for the bank was actually hub-and-spoke, because that was good enough for their purposes, they just needed to get into their central network. But my co-founder is like, “Avery, wouldn’t it be neat if we built a mesh network out of Tailscale nodes?”, and I’m like, “Oh, I just spent six years building mesh networks, it’s so hard, you have no idea how hard it is to build mesh networks”, and he’s like, “Sure, Avery, but remember you were trying to build mesh Wi-Fi networks, and the thing about Wi-Fi, that you don’t know until you start working on it, is about 95% of your problems are just making the stupid chipset do what it’s told, and the remaining 5% is everything else”.
The firmware in these Wi-Fi chipsets is astonishingly terrible across the board, and it’s just buggy like crazy, and everything that it’s supposed to do, you have to fight with it to make it do it. You spend all your time just integrating new chipsets and then next year, there’s a new chipset with new bugs, it’s just the whole thing over again. So he says like, “Well, what if you tried to make a mesh network, but you didn’t have to do that other 95% of the stuff? Maybe you could succeed at building a mesh network”. And I’m like, “I think you’re right, I think maybe we can do it”, so we decided to build a mesh network using Tailscale partly just to get over the trauma of having tried to do it with Wi-Fi routers.
But that’s what unlocks the business model, because you don’t have to maintain hardly any of the infrastructure, because you’re not a part of the traffic going back and forth.
AP: Exactly, so it was pretty easy when you talk it through. It’s like, “Oh, wow, imagine a world where we could make a mesh network of computers on the Internet, any computer you want can talk to any other computer you want”, it would bring back the early days of the Internet where, when I was sitting in high school building these dial-up networks and nobody had, or most people had barely heard of the idea of a firewall, let alone a NAT, any computer could talk to any computer. That was one of the defining features of the original Internet.
There’s this user comment that you’ve cited before, the goal is to make the Internet work like you thought it worked until you learned how it actually worked. That sounds like that’s exactly what you’re talking about.
AP: Exactly. An actual customer told me this, and I’m like, “Oh, my God, that is exactly it. That’s what I’ve been trying to get to all this time is make the Internet work the way it was supposed to work”, everybody knew it was supposed to work that way, and it’s just a series of not even bad decisions, just unfortunate outcomes, over the last 40 years, that resulted in it working the way it does.
So why doesn’t everybody use this solution?
AP: Well, great question. I have another blog post that I wrote quite a while ago, before starting Tailscale, about this idea of wants and needs. So people will use a product if they have, at least one reason that they want it, and you get rid of all of the reasons that they can’t use it, which are needs. Right? Tailscale is always looking for — I think we have a lot of reasons that a lot of people want to use Tailscale, although most of them are pretty technical people, or they’re people who work at companies that employ technical people who know why they want it and then there’s all the needs they have. It’s like, “If I’m going to roll out network technology, it needs to be able to do this and this and this and this and this and this and so on”, and so the process of building Tailscale has been mostly a process of eliminating the blockers to those needs.
So you had the various firewalls, the double NAT, that’s sort of the basic stuff. Then you have SOC compliance and all the weird enterprise stuff, and you’re just knocking them down one by one.
AP: Yeah, exactly. About a year ago, we added device posture checking, so we integrate with all of these endpoint data security tools, like CrowdStrike, that will tell you how good your corporate laptop is, and then we can say, “If your corporate laptop is up to a certain level, like it was issued by the company, it’s running the virus scanner, it has all this stuff, then you can access the super-privileged stuff on your network. If you’re using your bring-your-own Android device that hasn’t been upgraded in five years, then you can look at the dashboard”. Even though it’s the same human identity, the device posture is different.
That was one of the things that people were really asking for, they were mostly asking for “yes” or “no”. If the device posture check works, then you can get into the network, if it doesn’t work, you can’t get into the network. But that didn’t seem quite right to me, because how are you going to fix your device posture if you fall behind on updates, or something like that, and the update server is on your network? If we kick you off the network, you can have a chicken-and-egg problem, which almost every product will produce.
But Tailscale, you can define it so that, “Oh, you fell behind on your posture and you have this kind of device, you can still access the internal update server to be able to get pushed to the updates for your device”, things like that. Those sorts of features are, again, the long tail of things that corporations, especially big enterprises, need to have in order to roll out hundreds of thousands of devices.
So how do you get the feedback that this is a feature that you need? You start out with a post on Hacker News, you have product-led growth, you have hackers thinking, “Wow, this is great, it works really well for me”, what has been the step up the ladder to where, “Okay, we have these crazy enterprise needs, we have to work with CrowdStrike”, how did that progress over time?
AP: It’s pretty easy to get feature requests as any software developer knows. It’s like if you have users, you have feature requests.
One of the weird things about software is that the more users you have, the more bugs are in your bug tracking system. So it’s definitely, you should not look at a product and say like, “Oh, they have thousands of open bugs, this product really sucks”, it’s like, “No, they have thousands of open bugs, that means people were bothering to file thousands of open bugs”. And so the feature requests are not that hard to get.
The actual hardest part of Tailscale is maintaining this dichotomy of, “I still want it to be super easy to use and super, super good for the super low end”, because that’s how everybody discovers Tailscale. Even if they’re buying Tailscale in the enterprise, we’ve been on calls and the CTO of a bank will be like, “Oh, my friend runs an Airbnb, and when he sets up his network of Airbnbs, he uses Tailscale, and he thought maybe it would be a good idea for my bank, so we thought we’d call you”.
That’s why you’re on Stratechery right now! Tailscale has blown my mind for this odd use case. And I can’t remember how we got connected, but I’m like, “I love this product, I want to talk to Avery”, so I can attest to that.
AP: There’s so many weird use cases. There’s a whole club of people with RVs, recreational vehicles, where they put Tailscale and monitoring equipment on this thing, and usually they have Starlink, and they want to connect that back to their lab at home, so they can access all their random hacking stuff when they’re touring the country. There’s like this is the whole thing that people do now. It’s so amazing, all these different use cases and you just get connected to everybody this way and then we also have to make sure we support. I said earlier on, “I don’t want to be an enterprise software company”, but it’s not like I don’t want to sell to enterprise.
But that’s where you’re making money, right?
AP: I don’t want to only make something for enterprise. And Tailscale is, fundamentally, it’s trying to make the Internet work correctly. It’s trying to redefine, like, let’s bring back, this is the Internet, we call it the New Internet sometimes. I have a blog post that called it that and to do that, it has to be for everybody. If you only sell the enterprises where all the money is, you can make a lot of money, but you’re not going to actually fix the Internet. I’m not going to get that itch of my own fixed where I want to get back to my stuff that I have at home without the hassle.
Well, it’s just really interesting, because you think, usually with the freemium model, it’s like, “What’s the cost of supporting all these free users?”, but as we talked about, you don’t really have costs, because of the peer-to-peer nature. But you do have a cost, which is this drive and desire to keep it approachable and easy to use, and it’s a cost you’re happy to bear, but that is if you just did enterprise customers, there’s probably a lot of stuff that would be “easier” for you to implement, because you wouldn’t have to be super accessible.
AP: Oh, much easier. There’s some stuff that enterprises have wanted that we’ve been slower to deliver, like this device posture thing, for example. We knew about it in the first year of developing Tailscale, but if we put work into device posture at that time, we would have had to not put work into some other stuff that would have increased our growth rate at the bottom end of PLG [Product-Led Growth], which was a significant trade-off, strategically. But I’m a big fan of this book called The Innovator’s Dilemma, I’m sure you’ve read it.
Yup.
AP: The one line summary is like, “It’s easy to move up market later, it’s very hard to move down market later”. Tailscale from the very beginning, other than our first customer, which was this bank, we were like, “Look, we have to hold on to the bottom and make sure that we have as little incentive as possible across the company to give up this market at the very bottom, the rest will come naturally, we’ll prioritize it as it happens, we’ll move upwards gently, but we’re going to stick, like crazy, to the bottom”.
By doing that, it’s really — well, first of all, I think our investors, at least, have described us as the first company they’ve ever seen, that does product-led growth in the network infrastructure, security space. Like almost never, especially security products, people do not adopt security products bottom-up, security products just make your job harder to do. So why am I going to bring that to work of my own free will, and try to make my job harder? Well, Tailscale makes your job easier, because it does all these things that are nice, and has these security benefits as a bonus. But that benefit has been really great and it’s something that if you look around at other VPN providers and other net infrastructure providers, they don’t do it this way. They make a corporate product that you have to be a certain size to even bother with or else it’s going to be too complicated.
Was there any pushback on your investors though? Did you have to convince them over time, where they’re like, “Look, the money is up here, you need to go and get that, why are you wasting time serving the random blogger in Taipei that wants to watch TV?”
AP: Especially when we went to get our seed round investment, there was a huge array of disagreement about how we should run our company, and the question I asked each investor upfront was just like, “Okay, I have this interesting situation, I have all these free users who love this product, because it’s easy to use, and I have this bank. Which direction should I go to have the most successful company?”, as happens when you ask everybody for advice, I got all the different answers. But the best answer I got was from Heavybit, who ended up leading our seed round, and their advice is like, “Hey, this is our investment thesis, this is the new upcoming thing, you need to do both, and you need to do this hybrid bottom-up, top-down model and we know companies that do it this way, it’s amazingly successful”. So ultimately, we chose our investors, or our investors chose us, mutually, I guess, based on the fact that we both saw things from this angle. But it certainly was not, especially at the time, an obvious direction to go in.
Scaling Tailscale
So when you’re doing bottoms-up, product-led growth, obviously, you have an easy web interface, you could subscribe, add users. Like you said, it’s a networking product, because you want to add more people to it. I think the limit is three users on the free plans, you add that fourth, you’re going to start paying. At what point did you feel the need to add any sort of sales, even if it’s inward inbound, gathering that up, and do you think you did that too late, in retrospect, or do it just in time?
AP: We initially hired a few individual salespeople, maybe two or three years into the life of the company, just because it was getting to the point where people would use Tailscale for free, they would send us support, we had a small support team at the time. Eventually, they’d be like, “Hey, I want to buy this thing, I want to spend tens of thousands of dollars a year, can someone please just talk to me on the phone?”, and my co-founder, David Carney, was generally the answer to that question. And he was like, “Okay, I just can’t do any more phone calls, we should start hiring somebody to help with this stuff”.
We also didn’t have any kind of enforcement, so you talked about a maximum of three users, all these different limits and stuff, we didn’t enforce anything. So you could have a hundred people in your company on Tailscale and not be paying us. Then, eventually somebody would look through the database and send you a polite email saying like, “Hey, would you mind paying us”, because we’re Canadian, and it worked pretty well, but we needed somebody to do some of that work. So we hired two or three sales people to do that kind of low pressure sales, you might call it, or exploratory sales, and that was pretty good.
Eventually, it was only less than two years ago, so 2023, four years into the life of the company, that we hired our first head of sales, Kevin Kotecki, he started to actually formalize our sales process. But our sales process, still to this day, does not do cold outbound. We basically talk to people who are already using Tailscale, who are already in the funnel, who probably just need to talk to somebody. Maybe we don’t quite wait until they’re begging us for a phone call, now we’re a little more assertive about sending emails and like, “Hey, why don’t you try this?”, or, “Maybe you’d like some help using Tailscale more in your organization”, and that kind of thing. But yeah, it took us a long time.
It’s hard to say if we started that too late or not. I guess, from the revenue growth, you could say we did extremely well with the timing that we had. I would say the thing that we got, after getting a more formal sales process, is we got higher quality feedback about those blockers that were stopping bigger companies from using Tailscale, because there are certain things that people would just look at the website and like, “Oh, Tailscale doesn’t do this, therefore I can’t even think about it”, they would just go away. When you have someone actually, at least, saying, “Hey, as you’re trying Tailscale, have you thought about bringing it to work?”, or questions like that and just getting the answer is like, “Oh, we’re like 90% of the way of being able to buy it, but if only we have this feature and this feature,” which are tiny little things. “If only we had those things, I could buy it, but without those things, I simply cannot, because I’m not going to be able to get it approved by our security team or whatever”. So if we had known those things a little sooner, we could have prioritized those things a little sooner, and possibly found it easier to sell it to bigger companies.
But we only had a certain amount of energy in our engineering team, because we had a certain amount of money, certain amount of ability to spend money, if we had prioritized that stuff instead, we would have had to prioritize less of the stuff at the bottom end, which would have also had disadvantages. So a little hard to say, hypothetically, could we have done better? I think we could have done better, maybe with 6 to 12 months earlier on sales, but not much more than that.
Do you have any nervousness about having a seat-based business model in this brave new world of AI and agents and things like that? Does that change the way you think about the long-term business model?
AP: Well, I like to say all these AI agents are going to need connectivity to the Internet.
They’re going to need networking, that’s right.
AP: So there’s got to be some way this can work.
It turns out, in fact, that lots and lots and lots, almost every AI company, is using Tailscale. It’s a very tight-knit network of people, and the top AI companies employ people that then leave those companies, start their own, and they want to use the same infrastructure, and so they basically all use Tailscale. I kind of joke that it’s the selling shovels in the gold rush model. Tailscale sort of predates the AI gold rush, we’re going to be around after the AI gold rush, and we’re doing really well during the AI gold rush.
But seat-based model, I like the seat-based model. There’s kind of a hole in our pricing right now for what we’re calling machine-to-machine communication, where people are starting to use Tailscale for service meshes, for Kubernetes, for all kinds of big IoT situations where you’ve got tens of thousands of devices or more, and maybe ten people maintaining them all. And it’s like, “Well, we can’t sell you ten seats for your company, that doesn’t add up”, so we need to come up with some kind of pricing model that’s going to make sense for machine-to-machine.
The reason we used a seat-based model is we want to make it easy for an engineer sitting on the eng team to roll out more Tailscale nodes without worrying about it. It’s like, “Look, you’re already paid for, deploy a lot of Tailscale”, and that has worked really well for us, within reason, for a normal sort of use case that involves what we call human-to-machine but as soon as you get into machine-to-machine, we kind of need to repackage I think.
That makes sense. You’ve talked about this “The New Internet”, how does this extend beyond what you’ve built so far? All these features you’re talking about, it’s going into the core Tailscale product, you’re a one product company. Is that a product? Is that a feature? Is it something that needs to — you have all this in on these companies, do you expand beyond that? Or am I conflating two things, this sort of ideological or idealistic, I should say, view of this New Internet versus the business realities of Tailscale in the long run?
AP: People inside Tailscale ask me that a lot. It’s like, “Avery, when are we launching our second product? I think we’re at the stage now, we’re big enough, we’ve got lots of people, we’ve got lots of money, let’s launch a second product”. I’m like, “Well, I don’t think we’ve maximized the opportunity of our first product yet”, because when you think about it, the first product is really, it sounds big to call it the New Internet, but it is. It fixes the Internet, it makes the Internet work the way it was supposed to work with a bunch of stuff added on that we never would’ve thought we needed in the 1970s and 1980s. And it just works, but it’s not in the hands of nearly as many people as should have it.
I’m pretty sure the way Tailscale is going to grow, and should grow, is just to stick to this core thing, and get it into people’s hands, as many people’s hands as possible. The simple metaphor is like TCP/IP. You don’t need to keep adding features to TCP/IP in order for it to continue to be extremely popular, to spread all over the world. You need a really, really tight core of extremely, extremely high quality, reliable stuff that everybody can use, and build on top of, and feel confident that it’s not going to break. So we have to provide that same promise. It is very contrary to the cloud world of like, “Look, you need to be on the upgrade treadmill, you have to have the latest version of everything all the time, because security problems and upgrade problems and compatibility problems and version skew problems, you’re going to be in trouble”. Tailscale, we have never deprecated a version of the client software that anybody is using.
I’m paranoid about this, about updating some of these computers, because people are not there. I’m like, I’m not even going to risk it. Next time someone is there, I will update it, I’m not going to touch it until then, and it always works.
AP: Exactly. But I have software for the paying parking meters in Montreal where I live and this software, if I don’t upgrade it, stops working every couple months. It’s like, parking meter payments, who knows? “That protocol, we can’t keep that backward-compatible, we upgraded the server, it doesn’t work with your client, upgrade your client please.” It’s like there’s no reason for that. Tailscale has a protocol that we’re upgrading all the time. I think we’re up to version 137, or something like that, that somebody told me the other day, but we support all the previous versions on our control server.
If it goes by your version numbering, I think you’re on like 180 or something now, but maybe it’s something different.
AP: Sometimes we upgrade the protocol version multiple times per version. Because every time we add some new feature, we upgrade the protocol version, so we know exactly what is supported by each client, and we don’t try to use a protocol feature when sending messages to that client if it doesn’t support them and it is a fair bit of work to make that work. But it’s worth it, because people have this guarantee, when they install Tailscale, it will keep working, that version will keep working. I made a device in my factory five years ago, and that device hasn’t been plugged in for five years, but when they plug it in, it’s going to work and when you have that kind of promise, then you can build things on top of it, then you’ve got what people call a platform.
A New Internet
On that platform point — again, I have my own sort of network — I’ve connected to, I think, one other person or someone was helping me debug something, so he hooked in from his Tailscale into my Tailscale, but it was a little tricky to do, and I think it wasn’t that tricky, he sent me a link or something, but is there almost like a social network possibility here? You talk about the New Internet, it’s a New Internet if it’s all your devices with your Tailscale account on them. Is there a future of making it easy to tie all these together?
AP: Man, it is like you read my mind. I guess you really do strategy and technology. Tailscale is what I call small human-scale networks, interconnected, and so we’re doing really well at the small human-scale networks right now. In fact, because we’ve been pulled this direction by companies, we also do, now, large, less human-scale networks that have tens or hundreds of thousands of computers on a single Tailnet.
And you just passed 10,000 companies, so something’s working well.
AP: Yeah. So it was going pretty well and it’s no longer just small networks. But the interconnected part, like interconnecting one network to another, we’re still a little weak on.
So we have a feature called node sharing, which is unfortunately little known, but you can find it in the admin panel, and you can share a node from your network with somebody on another Tailnet, or as many other Tailnets as you want. The UI is a little janky, because you have to do it node by node, person by person, which is not the best way to build a social network. But it does work, and it shows that the technology is possible.
I want to get it to a point where you should be able to write something in your policy file, like, “Share everything in my network that’s tagged like this with everybody in a particular group in the SSO provider at such and such company”, is the example.
Because you want to get to the state where you just assume everyone has Tailscale installed, that goes back to your bit about you just need to get more distribution, you need to focus on the low end. Because if everyone has the client on their computer, then it’s a one-click connection that really opens up a lot of doors.
AP: Yeah, exactly. And this lack of interconnection actually gets in the way for people who are using it for fun at home, but then they want to use it at work. It’s like, “Well, now I have to switch back and forth between Tailnets”, and, “Well, that sucks, when I didn’t use it at work, at least, I could be on my home network all the time”.
(laughing) I punish myself.
AP: And so we need to make it because you’re just one person, you’re the same person both times, and so you as that person should have access to your stuff at home, but also your stuff at work, but nobody else at work should have access to your stuff at home, unless you want to share it with them. We wanted to find a model that’s a little bit beyond Tailnets and more about identity, gives you access to things and those things that you get access to are shared with you by other people with other identities. We’re very close to that now, but that’s the sort of thing that’s coming down the pipe and when that happens, that’s going to give you a real New Internet of all sorts of things connected to all sorts of other things. But now with identity, cryptography, security built in, out, and with this basic platform of, “It’s not going to break”, because we’re never going to break it.
Is there more you could do if you were even more deeply integrated into operating systems in particular? So it’s on my phone, I have it on all the time, but it’s in userspace, obviously. Is this something that you are knocking on Apple’s door, or on Google’s door saying, “Can you give us a little bit deeper hooks here?”
AP: I think the deeper hooks would be mainly like, “Don’t pop up with the VPN warning on your taskbar just because you’re running Tailscale”, and I understand why that warning is there.
I posted a screen share from my phone in my Article today and I almost redid it, because as I was doing it, the VPN thing came up. I’m like, “That’s kind of a distraction”, but I left it there, that’s exactly what happened.
AP: Exactly. And people are like, “Ah, VPN”, like, “Ah, is it bad?”, because the reason Apple, for example, pops up that warning is just so you know, because if you install the wrong app, it could be routing all your traffic through some other place, and you don’t know what’s happening in your traffic. Tailscale doesn’t route all your traffic unless you ask it to, it’ll route some of your traffic that’s intended for these private nodes and there’s no danger in doing that. But Apple has no way of telling whether it was dangerous or not so it’d be great if there was a little bit more control there.
I do have a feature request while we’re here. I do have the Tailscale widget on my phone, and it has a power button to turn it on and off, but that’s only to turn Tailscale on or off. What I need is exit node on or off, instead of having to go into the app. So as long as you’re mentioning it, that did occur to me. I just leave it on all the time, so there you go.
AP: Make sure this ends up in the podcast and I guarantee you someone on our team will hear it and listen to you!
But, I think, if it was less scary, if everybody was running Tailscale all the time, I think you’d have this world — I saw a post on Bluesky a few weeks ago, and somebody was like, “I want to self-host my own website. How do I do it, and without using any corporate-type products?”, and there was, basically, no way; one way or another you have to tunnel something from somewhere, because they’re behind a CGNAT on their ISP. It’s just game over.
But wouldn’t it be nice if we were in a world where if it was Tailscale or the Tailscale protocol, and we could just make it so that anybody in the world can access the server that you want to share with them, peer-to-peer, because the connection gets facilitated, but not relayed by us.
I think it would be, “Get back to a world where I can just host a web server on any device, anywhere, anytime, for anybody, and not have to pay hosting fees or bandwidth fees or egress fees or storage fees to anybody, because it’s on my device”. It should be actually possible, your phone in your pocket is a supercomputer, it should be able to run a website, there’s no actual reason that it can’t.
You have the magic name. Is that what it is? Where you could do it instead of the IP number.
AP: MagicDNS.
MagicDNS, thank you. Is this where the social network aspect comes in? You’re going to be maintaining your own namespace, pretty soon?
AP: It’s MagicDNS that actually uses ts.net domains, which we paid for fair and square. It was surprisingly affordable, nobody wanted it, for some reason. So everything in MagicDNS is located under ts.net, which is regular DNS. For people who are not running Tailscale, you can use Tailscale Funnel and share your stuff through Funnel. That shows up on the ts.net domain in the public Internet, and then people can come in through there. To do that, we have to relay the traffic ourselves.
Got it. That’s where it goes through the centralized server.
AP: Just because if they’re not running Tailscale, there’s no way for us to do the efficient point-to-point connection. But, in theory, at least, if they did run Tailscale, then they could access anything that would be shared over Tailscale Funnel, but efficiently. So you get this sort of benefit of like, “Oh, well, you can access it at all, normally. Oh, you’re sad that it’s slow. Install Tailscale on your computer and magically you’re going to have fast access to anything in the ts.net domain”.
It is really interesting. So build the New Internet that feels like the Old Internet, that’s sort of the one-sentence summary.
AP: Yeah, it feels like the Old Internet, but also for everybody, because the Old Internet was actually for not very many people. It was too technical, too hard to use. It was really neat if you’re a super nerdy computer person. But if you’re a random, non-super-nerdy computer person, the Internet is usable today, but with all these limitations. So I want to get it back to, like, what if you could do all the stuff you could do on the Old Internet, but also now for everybody, safely and securely.
That’s the thread. Make it easy to use, you don’t need a support call, you don’t need maintenance. No, it’s great. Like I said, I was super pumped to do this, I love the product and the fact that I find the story of your various startups and companies, the thread is so compelling going through it, I can’t imagine anyone else building this company, it was really cool to hear.
AP: Nobody else did, I guess.
Like you said, you looked around, it didn’t exist.
AP: I never know quite what it is that got us here, but it is pretty unique and people love it, because they try it, and they feel it right away and that’s the neat thing about Tailscale is you could feel it when you install it. And, I guess, I should say, I always forget to say, but you can install this thing in five minutes. You download it from the App Store, you log in with your Google account, you do that again on one of your other devices, and that’s it. Right now, those two devices are connected to each other.
Five minutes is pessimistic, it works faster than that. Congrats on a great product, I think it’s really compelling and I look forward to seeing what happens next.
AP: Me too. Thanks, this has been great.
This Daily Update Interview is also available as a podcast. To receive it in your podcast player, visit Stratechery.