Locara

Tailscale

What it is: Mesh VPN-as-a-service built on WireGuard, plus a control plane for identity/auth/policies. Founded 2019 by ex-Google networking engineers (Avery Pennarun, Crawford Beveridge, David Crawshaw, David Carney). Recently raised significant capital at high valuations.

Status: Mature, fast-growing, profitable. ~$160M raised across rounds. Heavy OSS contributions.

Most relevant to Locara: A masterclass in careful build-in-public — substantive long-form blog posts, deep technical communication, founder transparency without performative cringe. The opposite end of the build-in-public spectrum from Pieter Levels — bigger team, real funding, but same commitment to honest communication.

Background

Tailscale’s founders saw that WireGuard (Jason Donenfeld’s modern VPN protocol) solved the cryptographic and performance problems of older VPNs but left the “how do I onboard 50 employees onto my private network” problem unaddressed. Tailscale built the auth + policy + NAT-traversal layer on top, made the client OSS (or near-OSS), and monetized the control plane.

Their content has shaped engineering culture far beyond their product. Posts like “How NAT Traversal Works,” “The Sad State of Personal Data and Backups,” and Avery Pennarun’s “Systems Design Explains the World” have outsized influence in the developer community.

Key principles / decisions

  • Open clients, proprietary control plane. Most clients (CLI, daemons) are open source on GitHub. The control plane is closed.
  • Long-form technical writing as marketing. ~10–20 min essays with deep technical substance, not blog spam.
  • Founder voice. Avery Pennarun (CEO) writes regularly, in his own voice, on the company blog. Often opinionated, sometimes contrarian.
  • Engineering decisions documented. When they choose Go over Rust, they explain. When they wrap WireGuard, they explain. When they choose to charge or not, they explain.
  • Free tier with real value. Up to 100 devices, 3 users, generous. The free tier is the conversion engine.
  • Acquihired into Avery’s old company structure. The original team was mostly an existing team that pivoted, not a “from zero” start.
  • Slow, thoughtful product cadence. Big features launch in beta, public preview, then GA, with real time between stages.
  • Status page transparency. Real incidents documented in detail, postmortems publicly available.
  • No NPS-spam, no “hi I noticed you signed up” cold emails. Marketing is opt-in (newsletter, blog).

What worked

  • Trust through writing. Tailscale built deep trust with developer-buyers because the writing demonstrated competence. Hard to fake.
  • Free tier converts. Devs use it personally → introduce at work → company buys.
  • OSS clients reduce vendor-lock-in fear. Even though the control plane is closed, the data path uses your own keys + WireGuard. Forks like Headscale exist (community-built compatible control planes), and Tailscale tolerates them.
  • Founder is the writer. Avery’s voice is recognizable; the brand is consistent because one human is shaping it.
  • Deep technical depth in marketing. “How NAT Traversal Works” is a multi-thousand-word post that’s genuinely educational. Acts as recruiting + marketing + technical leadership simultaneously.
  • Acquisition signals are honest. When they raised, when they hired, what’s working, what’s not — discussed candidly.

What failed / criticisms

  • Pricing has shifted. Various tier changes have hit users; the “Being the adult in the room” post is partly a response to community concerns about pricing alignment.
  • Closed control plane is a real constraint. Some users genuinely need fully OSS, can’t use Tailscale, go to alternatives (Headscale).
  • Slow on some user-requested features because of careful cadence.
  • Audience overlap with hyperscaler products — Cloudflare Zero Trust, etc. competing on similar ground with deeper pockets.
  • VC pressure is real. Recent rounds at high valuations create exit pressure that may eventually corrupt the careful product cadence.

Specific learnings for Locara

  1. Long-form writing as primary marketing channel. Locara’s blog should publish substantive engineering posts (e.g., “How we sandbox tool execution,” “Why content-addressed model storage,” “Capability inference for review pipelines”). Audience trusts what they can verify.
  2. Founder voice + recognizable identity. Even as a one-person project, the writing should feel like someone, not generic startup-blog. Pieter Levels does this brashly; Avery does it earnestly. Pick a register and own it.
  3. Document engineering decisions publicly. ADRs (Architecture Decision Records) committed to the repo, summarized as blog posts. “Why Tauri over Electron.” “Why sqlite-vec as default.” “Why we chose to depend on Hugging Face for weights.”
  4. OSS where possible, closed where strategic. Tailscale’s split is instructive: data plane open (you can verify nothing weird happens with your packets), control plane closed (the moat). For Locara: framework/SDK/runtime open; potentially the registry/review-pipeline operations remain Locara-managed (the moat is operational quality, not source-code secrecy).
  5. Free tier with real value. Locara’s “free” is “everything,” because it’s local-first OSS. But: the free registry needs to feel premium, not like a barebones dump.
  6. Slow careful product cadence. Resist shipping half-baked. Tailscale’s beta → preview → GA discipline is exemplary. Ship Locara phases the same way.
  7. Public postmortems. When Locara has incidents (a malicious app slips through, a registry outage, a manifest schema migration breaks things), publish details. Trust earned through transparency in failure.
  8. Tolerate ecosystem alternatives. Tailscale tolerates Headscale rather than fighting it. Locara should similarly tolerate community-run registries, alternative runtimes, etc. — fighting them costs trust.
  9. Audience growth compounds. Tailscale’s blog grew slowly for years before it started compounding. Plan for the long arc.
  10. Resist VC unless it serves the project. Tailscale shows you can take VC and stay good for years; Pieter Levels shows you can also avoid it. Either path works, but mixing them poorly (taking VC then trying to operate like an indie) doesn’t.

References