42. Avery Pennarun, Co-Founder and CEO of Tailscale, the Anti-Google: Rebuilding a Secure Internet from the Bottom-Up

Hello everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm here today with an amazing guest, Avery Pennarun, the co-founder and CEO of the beloved Tailscale, the best VPN out there. Welcome to the show, Avery. Avery Pennarun: Hi there.
Hello everybody. Avery has a really unique background. He started his first company in college. He later sold it to IBM.
He took a break by working at Google for eight years and then decided to set out with other former Googlers to create the anti-Google, Fortune Cyber 60 startup, security startup, Tailscale, which is now close to being a billion-dollar company. That's a huge success. And I compressed so much just into that little blurb. Maybe you'd like to expand on any of it.
Yeah, that's just my entire career history. I compressed it in a pretty short time, but yeah, you got it. You got it pretty accurately. Just to clarify, the billion dollars in Tailscale is not revenue.
That's just the valuation that we ever had in our last one round or approximately. Oh no. Did I say revenue? But they said a billion dollar company and I'm like, oh, that could be taken the wrong way.
Not that maybe I shouldn't correct you. Oh yeah. He said it, not me. I don't know.
But yeah, we're still a little bit small. But we're growing quickly. All right. So share with our folks.
You think of yourself as a security person at heart. Do I? That's an interesting question. I really, I've always been a networking person.
A networking person. And that's the secret of Tailscale is that it is a security product. It's also a networking product. And the thing is people generally kind of resent security products.
So the job of security products is to stop doing stuff. And engineers generally don't like to be stopped from doing stuff. Whereas the job of networking tools is to help you do stuff. And so Tailscale does a little bit of each, right?
So people generally buy it because they wanted to solve some sort of connectivity networking problem. And then they're like a little surprised that it came along with these security features that didn't get in your way. And in fact, now you're more secure by default than you were before you adopted Tailscale, even though you're also solving your problem.
And that's kind of like the secret to how Tailscale became the first security infrastructure product, probably, I believe, that has ever been adopted bottom-up by individual engineers instead of sort of foisted on them by the security department. Yeah, that's awesome. So it was you took the business model right out of the book from you probably beat the Slack to that, didn't you? As well, I mean, Slack was definitely considerably before we were, but I wouldn't describe Slack as a security product really.
No, not at all. But it definitely had that bottom up sort of. And ever since then, all of the VCs always seem to be overly excited about bottom up go to market strategies. They're very excited.
I can see why it turns out it works really well. It's super low cost compared to like sort of sending a field team out to capture people with spam and unwanted phone calls. And hey, have you heard about this product you've never heard of? And then maybe sometimes they'll be willing to talk to you.
And maybe some of those times managed to make a sale. Like the opposite is Tailscale. Our sales team only talks to people who like someone at the company has already signed up for Tailscale, even voluntarily. And there's somebody at the company who's interested.
Usually they tell them in a mail form saying, Hey, I'm trying to buy this. Can you help me? And it's a completely different conversation then, right? Because there's somebody inside the company who's already excited about it.
And now you're just like, what can I do to get the friction out of the way? Yeah, exactly. That's perfect. It's beautiful.
So it's no cold calling. No interrupting someone's dinner. Nothing like that. Exactly.
So as co-founder and CEO, what exactly do you do at Tailscale? I ask myself that every day. I think there's, I don't think I'll get it right. But I read on the internet a few years ago, and it's something like, as a founder, you're already failing at your job.
Oh, sorry. You haven't since started. I'm going to get it wrong. As if someone phoned you up one day and said, Hey, congratulations.
You got a new job. I actually got it several months ago and you're already failing at it. And that is basically the life of a CEO of any startup and probably a founder of any startup, and maybe many of the jobs at a startup. And in the earliest days, I was one of the people who wrote the code for Tailscale.
I haven't been allowed to write any code for Tailscale for quite a while. So I've now currently filled most of my days with meetings. A large fraction of my meetings are recruiting people or doing coordination meetings or what I call unblocking meetings, where you've got people from multiple different departments or, Hey, I don't know whose job it is to make this decision. And if that's the case, it's my job.
And so I show up in some decision where I'm definitely the person in the room with the least information and try to help them like conclude something so that I can take the pressure off whoever it is who was most worried about putting the company at risk and say, don't worry. I guess I'll put the company at risk. Go do the thing you want to do.
And that takes a lot of my time. I mean, it sounds like you're very comfortable being uncomfortable. Yeah. You have to be a founder for sure.
I've been that way for quite a while. I sort of, I guess I secretly see myself as a person. It's not like I thrive in chaos exactly, but I eat chaos and then release organized things on the outside. And so it's like, without the chaos, there's nothing really for me to do, but I'm, I'm always looking for like how I can turn that into stability.
What's the thing that's missing that is making it not come together. I love that. I think you, you approach things that are new, that are a little bit less explored, that a little bit gray. Yeah, exactly.
I mean, things that are like already solved, I get bored pretty quickly. But I've met other people who are like almost the same and they're like, they got bored with things that are stable. And so they go create some chaos. That's not a great way to go.
Oh yeah. Yeah. Then maybe you're talking about red teams. Yeah, exactly.
I was just describing one of the people at our company as basically the red team accidentally. But there's always this tension between red teams and blue teams, where you actually need a little bit of both of them. And it's, it's, it is usually a healthy tension if you manage it properly. Agent Smith and Neo in The Matrix.
It's you, you don't have a blockbuster hit unless you have the dynamic between the two and they have to duke it out. That's true. It would have been a pretty boring movie actually. It would have been so dry.
It's so dry. We wouldn't have had the great spectacular feats of, of any of that. Do you remember back in the day when the internet was actually simple and you could plug in your local computers to a hub, didn't even need a switch, just use the hub and everything was just so easy to use. It wasn't any complexity.
And I look around today and there's just all these products and services and this complexity and we have cloud service providers and all these routing protocols. They just, what happened? I mean, you have to remember not, not all of it should be viewed through rose-colored glasses. Computers were pretty broken at the time, right?
It was like DOS and Windows and like, you had to go fiddling around with your autoexec.bat and stuff to get the memory manager installed. So you could make the video game work or maybe uninstall the memory manager. So the other video game would work. Those were just networking that was simple.
Part of that was because it was so new. Nobody had caught on to all the stuff that could happen with networking yet. But as the network got bigger and bigger, one of the, the greatest accomplishments and biggest mistakes we ever made was we like connected those networks to each other. And we created this thing that we call the internet, right?
The network of networks. And I have my, my view on the internet is that there's never going to be multiple internets, right? Because there's always going to be some jerk. If you have two internets, somebody's going to plug them together and find some tin can and string or whatever to connect these two networks together.
And next day we've got one big network. So now we've got one big network made of a protocol that was designed for something considerably smaller. And they were very sure it could never possibly grow as big as it has grown. And that's why the IPv6 project got started.
Like in the 1990s, IPv4 has only got 4 billion addresses and we were wasting most of them. So at most you're going to get like several million people on this thing. And now there are considerably more than 4 billion computers on the internet. And the only reason that works is that we're reusing addresses, set up firewalls and NATs and interconnections and ways of lying and proxies and all this other stuff.
And it's gotten really complicated for like multiple reasons. One of them is random addresses. Another one is the protocol that it's based on was just never meant for any of this. Nobody thought it would work for any of this.
The fact that it worked at all, it's sort of an amazing achievement of the entire network engineering profession. Is the protocol that you're referring to IP? Yeah, IPv4. IPv4.
Yeah. Yeah. V4. Yes.
The old, the original. The one that has run out. Yeah. The one that we're all using.
The one that has run out of all of the numbers. Exactly. And the price of the numbers now goes up a little bit every year. Haven't heard the latest numbers.
I've doing like $40 per address most recently that I saw. Yeah. So given the state of the world at Tailscale, what do you guys do better than anyone else in the world? And what's your vision for navigating that?
So with Tailscale, I guess, let's see. The secret of Tailscale, which I can share with you because I've shared it with many people and nobody ever copies it, is we just do things the easy way instead of the hard way. And this is actually much more difficult than it sounds, right? Because first of all, convincing you to just do things the easy way is usually an uphill battle.
But that wouldn't be as cool as, what if I created like a Kubernetes cluster of 10,000 machines doing things the easy way? I'm like, oh, it wouldn't be easy anymore if you did it that way. And so we're always looking for what's the way to sort of cheat your way out of the problem. So the problem with the internet, which now has billions of people on it and even more, probably 10 times as many devices, is you have to not have everything directly connected to everything.
It's like the exact opposite to what you think the internet is supposed to be. Back in the 90s, I was like, oh, the whole world, world peace through communications is what was in my head. If we could just all talk to each other and we had automatic translators and stuff, it's probably coming in the future. We'll all be able to explain what our disagreement is and just talk it out and we'll be over with, right?
There won't need, it won't need any more. And all the more and people will be so happy. Yeah. And it just turned out that's not the case.
And it's actually the reason it's not the case is really sad. The reason is that something like 99.999% of people are good and want to produce good outcomes.
And like 0.000, some number of 0s, 1% are bad people and are willing to destroy everything. And if you connect billions of people to one big network and then give them an ultra scalable way, or give these like tiny fraction of people an ultra scalable way to attack everybody simultaneously, then we're all going to get attacked with this teeny tiny fraction of people, right? So tiny little corrupting influence ruins it for everybody because we made the network as good as it is.
Right? And so the secret of Tailscale is just to realize that instead of trying to defend ourselves against 100% of people, we say like, why don't we make the networks small enough? So the probability of one of the really terrible people being in your networks is really low, right? And then we'll find a way to interconnect those networks again, right?
So we're again resetting all the way back to individual network and then let's glue them together. We'll interconnect them. It'll be an internet, but an internet where we're thoughtful about how we connect, thoughtful about what traffic we forward from one to the other. And it's not going to be because we ran IP addresses.
It'll be based on some other process. And the process we've been set on is identity. So I think the thing we do at Tailscale that's different from everybody else is go all the way back to like first principles, right? We're not putting a firewall on the internet.
We're not putting a proxy server in here because IPv4 is too hard. So I'm going to put something in layer seven. Like no, we inserted in the mid layer way back down, IPv4, right? Actually like another IPv4 on top of IPv4, because it's a layer three tunnel.
We solved the problem at this super low level that allows us to actually solve the problem. And when you actually solve the problem, you're subtracting layers of junk from the whole system, and when you subtract layers of junk, you end up doing less work, right? So we're like doing less work to solve the problem better than you might expect. So wait, you're doing less work.
We're making things simpler to use and improving everyone's lives in the process. Oh, and not to mention, make the thing secure because now things are properly segmented based on identity. Exactly. So you've fixed the networking connectivity part and you've fixed the segmentation security part, and you've tied everything to identity and we added encryption while you're there.
I love it. It reminds me of that saying that you have in fashion. When you were talking about makeup, less is more. I tend to think of security and architecture, like design in general.
It's really difficult actually to boil down a problem into its simplest, purest solution. And when you get to something and you can't remove anything from it without destroying your solution, that is actually very difficult. It's easy to build these monstrosities, just complexity and everything is wobbly. And there's been a huge shift in computer science and in engineering in general.
It's just like machines have gotten so cheap. CPUs have gotten so cheap. Memory has gotten so cheap that it's maybe cheaper to move quickly and take advantage of all that stuff and just put stuff in there, put stuff in there, build things. Oh, look, it kind of works.
One of my friend's quotes, I forget who it was who originally said this. He said there, we can solve any problem with another layer of abstraction, except the problem with too many layers of abstraction. Who said this quote? Who is it?
I don't know. We're going to ask a lot of that one out because I can never remember who said it, but it's absolutely true. Right. And there's another quote who I also can't remember, but it might've been the Little Prince guy.
Antoine de Saint-Exupéry. The perfection is achieved not when there's nothing more to add, but when there's nothing more to take away. Right. I love that.
Yes. And that's, that is, both of those are rules that people sort of just sort of discovered when they're doing engineering. It is so much easier to add a layer and it almost always can solve today's problem that people just add the layers over and over again. And so it does take a different way of thinking and be like, wait, why don't we just move a little slower, take a bunch of the junk out and we're going to start from a place where look, some of the stuff isn't going to work right now, but we'll get there eventually.
In the meantime, other stuff is going to work so much better than it's going to make up for it. And that's actually the name Tailscale. It comes from that concept. The opposite of internet scale.
A lot of people are out there trying to build stuff that's going to be able to like, this will support my production infrastructure for serving a billion users. And it's great. I mean, something needs to support your infrastructure for supporting a billion users, although chances are you won't actually have a billion users for quite some time, but you know, it's still necessary eventually until kill a look that exists. There are people doing that.
Here's another saying for you that I really like software should order. Good engineering should make the hard problem or sort of easy things, easy and hard things possible. And right now, almost everybody out there, it's focused on making hard things possible because it was impossible yesterday to make it possible today. It feels like pushing, pushing the boundaries and like it does, moving technology forward.
But nobody is working on making easy things easy. And that's what most of us actually need. Most of us wake up in the morning and have some work to do and it should be easy and it's not. Yes, please.
And why is this not easy? Well, because 25 tools I have to use to do this easy thing. Right? Tailscale just bypasses for a particular subset of easy problems.
Like no, look, Tailscale doesn't work if you have to connect a billion devices to your network. Sorry, it's not made for that. You can use the internet for that. Right?
Something's already there for that problem. Tailscale is great if you need to connect 100,000 devices. Still a lot, but it's not a billion. Right?
And 100, 000 is a completely different class of problem than a billion devices. You know, as a security contractor, I go into startups all of the time. I help them raise their security maturity level. We do SOC2, we do ISO, we do all of the, all of those different acronyms.
And every time someone is like, oh, do we need VPN? I'm like, yes. Tailscale. Here we go.
It's just the easy solution. Please don't mess with anything else. Drop it in. It works.
It's intuitive. It's, yes. So all the appreciation in the world for adopting those core principles. They're just going after the simple low hanging fruit that just makes everyone's life better and makes the internet safer.
Like I said, it's nobody ever copies us. It's kind of weird. I could be here that and they're just like, I think that makes sense. Every once in a while, I'll get someone that asks me like, hey, why did you go into computer science?
I have an engineering background and they're like, oh, why did you do that? What about computers? And I was like, and I joke with them, you know, and I say, I say, I just think that computers should do all of the dirty work. I don't want to have to do any of that.
Let's make life easier. Let's make things better. And computers seem to be a nice tool to help with that. Yeah.
So all the appreciation in the world, it takes, it takes a sense of humility to step back and look at the bigger picture and see how technology can fit into it. And that really, like less is something very special to be treasured. It is hard to get to. It's hard to isolate.
It takes a strong sense of focus. Yeah. One of the things that becomes possible when you make things simpler is suddenly all these people who are afraid to touch it are no longer afraid to touch it anymore. So there's an interesting element of, look, there's, should computers do all the dirty work?
Sure. Probably we should. Right. But like, how do you teach a computer to do the dirty work?
It got me, if you remember back in the 1990s, I don't know if you do or not, I was growing up at that time and I remember very early Microsoft Access. And Microsoft Access was something, and I'm not exaggerating. Like I've visited, I worked at a computer store for a while and did some like, you know, when I was in high school and we did some consulting for like different places around town. And there were multiple places I went to where the receptionist had built a Microsoft Access database for tracking inventory or something in their store more than 10 years ago.
And this thing just like lasts and the receptionist was long gone. And people, this thing was like in production in the sense that the place would have collapsed without it. And the thing was, it was really easy to build a database app on a Microsoft Access system that would work fine for everybody in the store. Like again, non-scalable.
It only, only two people at a time ever had to use it and maybe 10 people total because they had a repeating set of employees or whatever. But it was absolutely critical to the business. And it was perfectly tuned for that instance, because anytime they wanted to change it, they would hire another high school student like me. I would come in, poke at the database a little bit in this nice visual editor and save the changes to the file.
And now it's an updated database, right? And we just can't do that anymore. It's actually really weird how hard it is to do something that simple nowadays. And we tell ourselves it's because of the things you can buy and the SaaS product is just always so much cheaper.
Or are they amortizing the cost against so many users? Or maybe the world is just more complicated now. Or maybe the SaaS products are so much better than I ever could have done in Microsoft Access. But no, it's actually, it's not really any of those things.
It's that we've added so many layers of gunk on top. And now only a professional can understand all the layers of gunk. Right? If you remove all the layers of gunk, suddenly things are possible that were not possible anymore.
Like Tailscale, one of the things you get when you try it, like you can put it on your phone and on your laptop. Here's another saying for you, from one of our customers. Tailscale is how you thought the internet worked before you learned how the internet works. Right?
Any normal person has a phone and a laptop and they're like, I want to transfer a file between my phone and my laptop, even though I left my laptop at home plugged in and I'm not at home right now. I should be able to just send a file to my laptop, just like I could if they were sitting side by side. Right? And I had some kind of simple file sharing app.
Because it just doesn't work that way. Right? The two devices can't actually find each other because they don't have a DNS name. They're both behind two different firewalls, two different NATs.
They probably don't even have the application installed on them. It allows you to transfer a file between them because who doesn't anymore? It always goes through, you know, send it through an instant messenger out to the cloud and back. Right?
Yeah. It makes a little bouncy thing off the cloud. Yeah. And of course they're scraping your data and everything.
So. Yep. And so I was a grade nine person in high school and I'm like, I see this world and I want to make a file transfer app. It's really complicated.
You've made two of the steps of making a file transfer app and like you've given up halfway through. It was actually really hard. There's authentication, there's encryption. Where am I going to store it?
I guess I'm going to put it in the cloud somewhere. How much is it going to cost? Because I got to pay Amazon for the storage and the data transfer and the app to run blah, blah, blah, blah. Ingress and egress.
Ingress and egress. Right? And what if I'm, what if my app gets popular? I'm going to go bankrupt.
You can figure it out for all the data transfer. Right? With Tailscale, you put the copy on your laptop, you put a copy on your phone. Right?
And if you want it, you can build an app that just like sits and listens on a socket. Right? And another app that goes and calls the socket and outputs the file to it. Right?
And it costs you nothing if it's not going through the cloud. Right? And it can scale to any number of users who want to use this app. And it works when your laptop and your phone are not side by side because Tailscale does make the network work the way it was supposed to work in the first place.
So all of a sudden, all the stuff that used to be easy, that got incredibly hard, can be easy again, but secure because it's encrypted by itself. It's attached to your identity. You can set up an ACL. You can make sure that only the people who are supposed to be able to access your app can access your app.
Right? And if you give your app to somebody else, they can make sure that only people are supposed to access their copy of that app should access. Right? And then the same thing expands to, of course, if you're running another company, about like a hundred apps like that, development team is built.
Right? Or dashboards or whatever. One of our use cases that we started with were dashboards. But we just said, look, what's the thing that every developer eventually, you know, sooner or later has to do that turns out to be like more than 50% grunt work.
It's like starting a dashboard. So we made a list of a hundred things that are grunt work about making a dashboard. And the top two were like connectivity and security. Getting your coworkers able to connect to the dashboard, it's connectivity.
And getting people who are not your coworkers not able to connect to the dashboard, that's security. Right? And it's easy to do one or the other, but it's really hard to do both of those things. And that's what we built Tailscale for.
It's basically the tool, I like the easiest tool for making an internal dashboard. And then we never got to the other 98 things that are on the list of tedious stuff to do. I got me to DNS data. It was another one of the problems.
Oh, nice. What do you guys do with DNS? Oh, we have this thing called MagicDNS. I don't know if it was magical.
No, I haven't heard of this. So you install Tailscale and it also fixes your DNS problems. So I guess your audience is security people. So you'll probably appreciate this much more than with the regular humans.
So MagicDNS actually runs a DNS server inside the Tailscale instance on each of your devices. That DNS server gets pushed the names of all of the services and machines on your Tailscale network so that it knows all of them locally. So instead of being a relaying DNS server, it is a primary DNS server. And then it registers itself as the DNS resolver for your domain or domains on the local device.
So that when that device, if you say ping hostname, normally DNS is not encrypted. So you can't count on it not to lie to you about what the IP address is. And that's why we put TLS in because at the very least, it basically removes the incentive to lie to you about what the DNS name is. Because even if you do, you connect to the wrong server, the cert gets rejected.
But the MagicDNS can't be intercepted because it's only a local OSPAC. And the answer is right inside the Tailscale client at the time. So when I say ping server name, I get the right IP address, which is a Tailscale IP address. And the server can then go out over that IP address, which auto-encrypts it over WireGuard and it was with the Tailscale networks to get to that server.
You don't need to use TLS at all. But you get this highly, you have completely secure DNS servers. So you don't, you also don't have to worry about DDoS or overloading because the number of DNS servers increases with the number of clients. Right?
Client is only ever bothering its own DNS server. So you don't actually need, you have a hundred thousand employees at your company. You don't need a DNS server that can handle a hundred thousand people's worth of requests. Right?
Because the client can handle the request and they get push notification, but update. They also DNS has like expiry time of thing. Have everyone's heard about that. That's kind of a hassle.
Don't need to worry about that here because we don't use caching in that regular sense of an IP address change. You just achieve it instantly because we push the notifications instead of waiting for an expiration. It actually resolves all problems with DNS like a bit. And then you can do that for load balancing, high availability, all that stuff.
Amazing. And it sounds like you could reference like the local host names too, just almost like Kubernetes style. Almost like that. Yeah.
I mean, you can, if you start up a few different Linux boxes or whatever, like instantaneously, those host names show up and you just go ping hostname or you can SSH hostname. We have Tailscale SSH, by the way, it manages your SSH key for it or rather bypasses the need for SSH keys. Authenticates using your Tailscale identity. So you run Tailscale, say run tailscale up --ssh on a Linux box and that's it.
Now all of a sudden you can SSH to your box without having to ever manage any SSH keys. Really? Okay. It's almost, it reminds me of that other service.
Is it called telegraph? Teleport. Teleports. I'm so sorry.
So sorry for all of the people out there, but yeah. Yeah. Pretty similar. Teleport is really, really high end.
So they do a whole bunch of stuff that we don't do on the ultra enterprise compliance. Sure. Sure. But they're based on an open source project.
I mean, one thing to be fair. Yeah. There's an open source version of Teleport. Tailscale is like the, we do have session logging and the Tailscale SSH integrates with Tailscale.
And we also will get you through firewall automatically. So you put Tailscale SSH on some server in your back room behind three levels of firewall. You'll still be able to SSH into it with your identity on your corporate tailnet without having to open any ports or anything like that. So you have this extra protection of people not being able to come from the outside and guess passwords and stuff.
Oh, perfect. You also don't have to worry about someone lifting an SSH key you haven't remembered to rotate for the last 10 years. Yeah. I was going to ask like, where does the SSH keys, the private SSH keys are associated to your identity, but those reside on your endpoints where you install Tailscale as a client?
Yes. Yeah. But the nice thing about that is the identity can expire periodically. So you have to re-authenticate with your identity provider.
And if some, for example, your account gets deleted because maybe an employee is offboarded, all of the devices are instantly deactivated and the keys on those devices don't work anymore. Oh, perfect. Perfect. You just solved all of the problems with SSH.
Exactly. I love it. This is simple. It's like gluing all the core of this simple thing.
What if every session on the whole network didn't matter where you physically were. Didn't care about firewalls. Didn't care about NAT and had your identity connected? And you can do a whole bunch of things.
And you could integrate, for example, two factor authentication on top of the authentication for Tailscale. So now you've got 2FA on top of your SSH. Yep. I was actually one of our, one of our first customers needed something like that for a Windows client server app that was built in the 1990s.
And there was no chance this app was ever going to get two factor authentication added. Right. But look, they had the choice of either add two factor authentication to this app somehow, or tear out the app and replace it, on the order of like millions of dollars of software purchase. No, like I don't want to spend millions of dollars.
What can I do? And so I came in and I helped answer my question. I said, what if we just moved your server to a private network and you had to like VPN in my network with two factor authentication before you could even try to access your app? And they're like, that sounds great.
What do I do? And I'm like, I'm sure I can track down some VPN that's going to be easy to configure and want to leave it on all the time. And it's not going to slow down all the rest of your traffic and it'll do your two-factor authentication and it'll integrate with your identity provider. I'm sure someone must have done this by then.
Turn out the end. And so I'm just like, fine. There's this WireGuard thing. Let me throw you my key generator.
Basically it was the, I think the first time Tailscale got announced on Hacker News, some commenter said the absolutely cliche thing. Like I could build this in a weekend. I'm like, I have one up on you. I already built it in a weekend.
That is my company product. That's the inception story. Yeah, exactly. Of course it's improved a lot since we built it in a weekend, in particular for all the like rapid key regeneration and rotation and like all the other ACLs and stuff like that.
But it ultimately solved the problem, right? This tool that never had the concept of two-factor authentication that wasn't even web based. So you couldn't put a web proxy in front or something like that. When we intercepted at layer three, just the fact that it used TCP/IP to talk between the client and the server, it solved the problem.
Amazing. I love it. So how big is Tailscale today? Let's see.
We're over a hundred employees now, which on some measures is huge. Other measures is tiny. We doubled revenue last year. Looks like we're set to double it again next year.
We just had a blog post about 5,000 paying customers. It doesn't include people in our personal growth plan. Congratulations. Thank you.
Thank you. The company of the customer sizes range from like one or two employees all the way up to 10,000 feet. Wow. Going after the whole market space.
Yeah. It's very horizontal. And what I tell people is that we're going to fix the internet. You can't fix the internet if you don't support teeny tiny customers as well as huge customers, right?
Otherwise, it's not really the internet. It's just some enterprise tool. But we wanted to be able to prove that it does also work for enterprise. And so it was important for us to get a couple of enterprise customers early on, as well as sort of not the $0.
I think there's a lot of the market. So we really do cover the whole span. And now it's just a matter of, okay, where's the most lucrative thing to work on right now. Right.
Where's that next step for the business? The, that's an incredible engineering feat and business feat to be able to service both ends of that huge spectrum flawlessly. And again, the, the trick that I'll tell you, no one ever manages to copy it. She's picked up the trick.
This is the third time you're sharing that. Go ahead, go ahead, go ahead. Please, please. We just solved the problem, the easy parts and we avoided all the hard parts.
If you're an enterprise, you have a bunch of like super, scalable, complicated problems. You can solve those problems with a bunch of tools that already exist, but your developers still have trouble launching dashboards. You still have trouble connecting like your PostBase backend to your app backend in a different AWS region. All these like little things that are needed to keep the system running, but are not ever going to be a billion users worth of staff, right?
That you need to get these problems out of the way. We solved just those. And we solved those, just those because everybody at every time of the company has some problems. The whole internet has these problems.
So share with us, is it, are there, is the main drive to try out Tailscale? Is it, do you notice that it mostly comes from the security side of the house or connectivity networking side of the house or what's that initial pain point that most of your customers feel that most people use Tailscale? You've it for free at home. We call them the home labbers.
The most vigorous users in Tailscale are ones with, I don't know, most serious ones have rack racks in the garage and they bought all kind of random junk and they want to connect to that stuff. Other people just really do have the laptop and the phone they want to connect to each other, but it's individuals using Tailscale. And we're now like hundreds of thousands of weekly active users of like individuals using Tailscale for free. Some of those people, because they're almost always some kind of engineer who's interested in Tailscale.
I think eventually we're going to expand to like the less technical people, but not yet. And that's okay because all of these people are almost all of them have jobs somewhere. And then they have this beautiful network at home and then they go to work and what is this big thing that we're looking to use? Or maybe I'm using like SSH jump box and managing a whole bunch of SSH by hand.
Oh my goodness. Or maybe I'm funneling all my traffic. We actually ran into this, a big company that had a VPN concentrator in one of their data centers. And there was a snowstorm and the data center in that city went out and then it turned out to get access any of their other data centers.
They had to go to this concentrator in the first data center and then they had point to point links between all the data centers. Suddenly they couldn't access anything. They said, we solved the problem by sending somebody driving to another one of our data centers and they put one Tailscale node inside the other data center. And then we all installed Tailscale and we were able to get to the rest of our network.
It's always some like random point like that, but someone who used Tailscale at home was like, oh, I can fix this if I just bring Tailscale to work. And it's usually just some engineer who's like throwing something together with themselves and like a few other people on their team. And then it expands and expands. Eventually the key gets involved and eventually like, hey, maybe we need to talk to a sales team to get them.
It has an enterprise version that has SSO integrations or whatever the needs are. Like audit trails, I imagine. Yeah. Lots of audit trails, more kinds of control, especially ACLs are really neat.
So you can like some places and use groups with your SSO and say everybody in the engineering team is allowed to SSH to every device that's tagged like test cluster or something like that. And of course, that'll automatically manage your Tailscale SSH. So no dealing with SSH keys. It just opens up, so now you get into the devices in this group.
Anything that almost always is key lifecycle management is a win in my books. Yeah. And we do a really good job of that. It's pretty beautiful.
But yeah, it almost always starts with individual engineers trying to solve connection problems. And then the security team usually get pulled in somewhere along the way. And as to the IT team, just to say like, okay, is this thing going to get us in trouble or not? And the security team looks at us, wait a minute.
Is this a zero trust product? Because I have a budget for zero trust stuff and I didn't know how to do it. And the answer is yes, Tailscale is zero trust. But if you go to our homepage, you probably, I mean, depending on which A/B test you're in, but you probably will not see anything about zero trust.
Right? Why? It's because the security team is almost never in the first people. The first bite.
It's never the first bite. You just get really excited what somebody else brings within. And that's very unusual, right? Usually security and connectivity are kind of at odds with each other.
In Tailscale's case, we just kind of give some, we have something forever. Amazing. So if you fast forward into the future, and I will let you decide how far into the future we would like to travel here. But if we fast forward... 100 years.
100 years? Oh, oh boy. Okay. If we go into that future, if we go into the future, what does the internet really look like from your point of view?
And how do you see Tailscale like providing the steps to get there? If you go all the way back, 1994, I remember this year, I was not cool. Yeah. The year before Windows 95 came out.
Yep. Right. Back then, IPv4 was not a thing included by default in Windows. If you can believe it, you had to get an add-on and like shareware in order to run this to get your Windows device, just to connect to the internet.
Because Bill Gates didn't think the internet was going to be a big thing. Remember, he's starting to like MSN, the Microsoft network, which is now a TV channel. I don't know why that is, but whatever. It's so funny.
Yes. And he had a whole book like The Road Ahead and he like, he famously missed the internet as the famous thing that was going to happen. Right. But anyway, so eventually their customers pressured them into, hey, we better put TCP/IP into Windows.
So that was 1995. It's now almost to 2025. So almost 30 years later. And the internet is now on everything, right?
I got an Apple Watch for my birthday. And nowadays, if someone buys you a watch and it doesn't have TCP/IP on it, it's like, what's wrong with this watch? It doesn't do anything. It's broken.
It doesn't know what time it is. You have to set the times. Well, what is wrong with this thing? I know.
I know. Even the GPS watch wants to have connectivity to the internet. Yeah, exactly. GPS is wanting to connect to the internet.
Exactly. So interestingly, not too many years later, like 1997 or eight or something like that, the IPv6 project kicked off and IPv6 amazingly still not rolled out. Right. Yeah, it exists.
There are people who have it, but the problem with it is you can't just have some people with it because first of all, it's this connection involved. So the client and the server both have to have it, but also all the routers in between have to have it. Right. And so IPv6 is this horrible fate of being incredibly complicated to roll out.
And you don't get any benefit until everybody's got it. Right. 20, 25 plus years of trying to roll out IPv6, it hasn't happened. And so the internet hasn't evolved since before that.
Right. It's the same IPv4 that Bill Gates put into Windows 95 back in 1995. Right. And if you imagine, let's say instead of a hundred years, let's say 25 years in the future, I don't know if Tailscale is going to be the thing that's on everybody's teeny tiny little gadget, but something like Tailscale is going to be on it.
Chances are it might still be on IPv4 to everyone's great sadness, but Tailscale finds a way through the limited number of IP addresses, the firewalls, the NATs. You can, by then you would have probably five layers of NATs and all kinds of incredibly complicated firewalls, but the same techniques work no matter how many layers you have. Something like Tailscale up for a single device, because you need to be able to connect every device to every other device, because it's incredibly silly for all of your traffic in the world to have to bounce up to some cloud provider and pay them rent and then come back. Right.
It's just not going to persist. Something is going to change. Right. And hopefully Tailscale makes much money along the way, but one way or the other, some architecture that's sort of like Tailscale is going to have to win out because we have to progress the internet.
The internet has been stuck for now 30 years, right? Something's got to change. Everybody knows. Not everybody.
Nobody really realizes anymore how much it sucks, but going back to the core. People have kind of gotten used to the pain a little bit, but there's still huge pain points there. And there's huge amounts of money to be saved by not paying AWS and GCP and Microsoft. Oh, there we go.
And there's cloud providers for every single team, you know, kind of thing you do. Yes, please. Let's, let's spend our hard-earned money like more efficiently. Exactly.
Exactly. And cooler gadgets. I mean, the phone in my pocket is as powerful as the supercomputer in 1995. I was just thinking about that.
Yeah. The phones these days are incredible machines and they rival compute just a couple of years ago. Like, yeah, but it's a brick without the cloud. I can't even transfer a file between my supercomputer and my other supercomputer.
They're going to your cloud provider and paying somebody rents an event. What's been your best day at Tailscale so far? Best day at Tailscale. I mean, we have a lot of good days at Tailscale.
I think the best thing for me. It's hard to pick just one. Yeah. Yeah.
The best days for me are the ones where I like learn something new that I never would have guessed before. Where when somebody, an example of a really good day at Tailscale a few months ago, maybe six months ago, I can't remember, maybe a year already. One of our engineers should have showed up and said, Hey, I've been working on this project for six months. I know you think I wasn't doing anything, but I made WireGuard and Tailscale go more than twice as fast as WireGuard in the kernel.
And I'm like, wait, what? And so you remember, everyone was like, Tailscale is a userspace WireGuard written in Go. And therefore it's going to be slower than the kernel WireGuard. And we get all this flak from customers, but like, how come you're slower than the kernel WireGuard?
Because nothing can ever be the fastest kernel WireGuard, but so at least it's advantages. So I made it twice as fast as kernel WireGuard. How? I can't make it really rid of long quotes so you can find it.
But they really made it twice as fast. And literally nobody thought they would be able to do that. And the person just sat there. Tailscale's a remote company.
So they sat at home and just poked at it, poked at it, poked at it, poked at it, poked at it, and solved it. And that's the kind of like neat thing that happens around here where we have an engineering team, I don't know, weirdly super nerdy about networking that they can solve like a series of problems like this. The day we actually got the NAT traversal working reliably, it's a pretty amazing day, or the day that like Dave Anderson finally got MagicDNS working for the first time. Like all of that stuff is just, I don't know, most companies would have written off each of these things as impossible, never mind hard.
Right? And we do like impossible things sometimes. And those things are like really fun. That's been some actually pushing network forward.
And I love that you appreciate those wins too. I think about engineering feats in like the architectural sense that people will travel just to see them. You can look at a building, you can look at the Eiffel tower or whatever it is that you're looking at. You can, you put your eyes on it and people can appreciate it that way.
But with technology, there's no physical form. So you have to understand. I mean, it's interesting, right? Because the iPhone is obviously like cool looking.
It does. It's very cool. Yeah. Apple, they make stuff look cool.
You can do that. And networking has a strange problem where it's jobs to be in. You see, if you can see your network app, it's kind of doing its job wrong. And so when we started Tailscale, I was like, well, that's the trade-off.
I guess we're never going to get like viral word of mouth throws in something that the better it works, the more you forget you had it. But it turns out not the case, at least among the users who really love Tailscale. There's a certain group of people that just like you install it and people are like, okay, I did something wrong. Because all I did was install the app from the app store and then I logged in a Google account and it didn't have to do anything else.
And we probably should work on the onboarding and lore. But that's the thing it's working at that point. And then some people would be like, okay, let me go find a tutorial. I can't find one because it's only got one step, but just install the big login.
But then they're like, okay, I'll ping the name of my, like, iPhone. And it like, it answers the ping. And some people are like, start to get the inkling of, hey, wait a minute. It's been done with a word computer.
It's like, how can I just, how come I can just SSH to this computer name? And there is a feeling that if you've done networking before, it's like, it's a really, you've never had the feeling of networking working right. You just didn't realize that you've gone to your whole life with the networking not working right. And then with Tailscale, it's, hey, wait, this is how it's supposed to feel.
I've never felt it before, but I don't know. It's hard to explain if you ever use like a VR headset and it's just like the latency is super low. Right. And then you go back and you play like a Nintendo switch or something and the latency is like pretty low.
It's not that low. And they're like VR, this is what it's supposed to feel like. Right. This is what low latency is.
Right. And Tailscale, this is what the network is supposed to be. Right. And a lot of people, they get it and they start to kind of lose their minds a little and they have to tell all the friends.
And that's why we have so much word of mouth and growth. But it's really all about that. We don't really have virality features. It's just like people get so ridiculously excited, but they won't leave their friends alone.
There's something about that that can't even tell you what it is, but like you try it and you get it. And then their friends don't get it because not everybody gets it. It's okay. Yeah.
It's the magic, I guess. When people are like so used to not having magic, especially in networking, infrastructure and security where everything is just pain all the time. Right. And like, what if it just wasn't pain one day?
Is someone waking up? That would be my seven week old. Seven week old. Oh, okay.
Okay. It sounds like someone's on dad duty. And this has been an absolutely incredible show. Thank you so much, Avery, for joining and sharing your stories, your insights, your vision for the future.
I'm sure that the entrepreneurs, the engineers, the security experts, and the investors that listen to this are all most intrigued and appreciative as well. I hope so. We've had a good time. Thanks for hosting me.
I appreciate the invitation. Would you like to leave our listeners with any final words of wisdom? Wow. The words of wisdom.
Let's see. I don't know. I guess, I guess the word of wisdom has to be like, go ahead and try Tailscale. It is free for up to a hundred devices.
And it will only take you five minutes to last, I guarantee it to get two devices connected to each other. That's quite the claim. But speaking from experience, it's more than doable. More than doable.
Avery, thank you so much. And I'm John McLaughlin, your host of the security podcast of Silicon Valley. That's a Y security production. And thank you to all of our listeners for tuning in for another episode.