About the Tailscale.com outage on March 7, 2024
Infrastructure coupling & install script location
- Many argue install scripts should not live on a marketing site, which is often less secure and less robust.
- Several recommend a dedicated install domain or a proxy setup where the company fully controls TLS and routing, with the marketing host only serving static content behind that.
- Some highlight that users perceive “www down” as the entire company being down, even if the core product is fine.
TLS certificate management & monitoring
- Thread repeatedly notes expiring certs as a common modern outage cause.
- Suggestions include:
- Monitoring cert expirations for all public domains (IPv4 and IPv6 separately) and alerting well before expiry.
- Pushing expiry timestamps into a TSDB, using tools like Uptime Kuma or Jira workflows, or even shared calendars as stopgaps.
- Some express disbelief that any production infra could lack basic domain/cert expiry monitoring; others admit to overcomplicating what simple calendars can solve in the short term.
IPv6, Vercel, and proxy design
- Major criticism of choosing a provider without IPv6 when IPv6 is important, and then layering complex workarounds.
- Commentary on Vercel’s slow/opaque IPv6 roadmap and communication; some say this alone is a reason to avoid it.
- Technical debate:
- Current TLS-terminating proxy broke ACME renewals; many push for a non-TLS (TCP) proxy to avoid this.
- Others raise issues around QUIC/H3, user IP preservation (PROXY protocol), and ACME challenge handling.
- It’s noted that misconfigured IPv6/AAAA records triggered provider “misconfiguration” alerts for ~90 days before the cert actually expired.
Process & “calendar alerts” joke
- The “ancestors’ calendar alerts” line is seen as both funny and, in the very short term, a necessary baseline.
- Some recommend treating recurring tasks (certs, domain renewals) as first-class operational workflows, not ad-hoc cronjobs.
Pricing, value, and self-hosted alternatives
- Heated discussion around Tailscale pricing:
- Some find the premium tier (~$18/user/month) “unsellable” for larger user counts when only VPN + ACLs are needed.
- Others argue the price is fair considering extras (SSH integration, SSO/OAuth, ACME automation, Kubernetes integration), and that free/cheaper tiers are generous.
- A key complaint: fine-grained ACLs integrated with existing identity are gated behind higher tiers, forcing everyone onto the expensive plan even if only a few need advanced features.
- Alternatives mentioned: traditional VPNs bundled with networking gear, self-hosted “headscale” or similar; however, several note self-hosting complexity and desire for commercial support in corporate settings.
User sentiment toward Tailscale
- Many remain very positive about Tailscale’s usability and feature set, describing dramatically simpler remote access and deployment workflows.
- A minority say any security-adjacent failure makes them wary and that they “need a better story” on reliability and security controls.