About the Tailscale.com outage on March 7, 2024

Infrastructure coupling & install script location

  • Many argue install scripts should not live on a marketing site, which is often less secure and less robust.
  • Several recommend a dedicated install domain or a proxy setup where the company fully controls TLS and routing, with the marketing host only serving static content behind that.
  • Some highlight that users perceive “www down” as the entire company being down, even if the core product is fine.

TLS certificate management & monitoring

  • Thread repeatedly notes expiring certs as a common modern outage cause.
  • Suggestions include:
    • Monitoring cert expirations for all public domains (IPv4 and IPv6 separately) and alerting well before expiry.
    • Pushing expiry timestamps into a TSDB, using tools like Uptime Kuma or Jira workflows, or even shared calendars as stopgaps.
  • Some express disbelief that any production infra could lack basic domain/cert expiry monitoring; others admit to overcomplicating what simple calendars can solve in the short term.

IPv6, Vercel, and proxy design

  • Major criticism of choosing a provider without IPv6 when IPv6 is important, and then layering complex workarounds.
  • Commentary on Vercel’s slow/opaque IPv6 roadmap and communication; some say this alone is a reason to avoid it.
  • Technical debate:
    • Current TLS-terminating proxy broke ACME renewals; many push for a non-TLS (TCP) proxy to avoid this.
    • Others raise issues around QUIC/H3, user IP preservation (PROXY protocol), and ACME challenge handling.
  • It’s noted that misconfigured IPv6/AAAA records triggered provider “misconfiguration” alerts for ~90 days before the cert actually expired.

Process & “calendar alerts” joke

  • The “ancestors’ calendar alerts” line is seen as both funny and, in the very short term, a necessary baseline.
  • Some recommend treating recurring tasks (certs, domain renewals) as first-class operational workflows, not ad-hoc cronjobs.

Pricing, value, and self-hosted alternatives

  • Heated discussion around Tailscale pricing:
    • Some find the premium tier (~$18/user/month) “unsellable” for larger user counts when only VPN + ACLs are needed.
    • Others argue the price is fair considering extras (SSH integration, SSO/OAuth, ACME automation, Kubernetes integration), and that free/cheaper tiers are generous.
    • A key complaint: fine-grained ACLs integrated with existing identity are gated behind higher tiers, forcing everyone onto the expensive plan even if only a few need advanced features.
  • Alternatives mentioned: traditional VPNs bundled with networking gear, self-hosted “headscale” or similar; however, several note self-hosting complexity and desire for commercial support in corporate settings.

User sentiment toward Tailscale

  • Many remain very positive about Tailscale’s usability and feature set, describing dramatically simpler remote access and deployment workflows.
  • A minority say any security-adjacent failure makes them wary and that they “need a better story” on reliability and security controls.