Mastering Tailscale VPN: A Comprehensive Guide to Secure Network Connections
How to Setup Tailscale VPN
In today’s highly connected world, remote work has become more common than ever before. This has led to an increased need for secure, reliable, and efficient ways for teams to collaborate and access company resources from anywhere in the world. Tailscale is a virtual private network (VPN) solution that can help meet these needs by creating an overlay mesh network that connects all devices together in a mesh topology.
Unlike traditional VPN solutions that use a hub-and-spoke topology, Tailscale’s mesh network allows devices to connect directly to each other, creating a more resilient and efficient network. This means that if one device goes down, the rest of the network can continue to function without interruption. Additionally, Tailscale’s mesh network eliminates the need for a central hub, which can reduce the risk of bottlenecks and single points of failure.
Tailscale also offers powerful access control features that can help organizations better manage network access. With Tailscale’s ACLs, organizations can create fine-grained access controls that limit which devices are allowed to access which resources. This can help prevent unauthorized access to sensitive data and reduce the risk of data breaches.
In this blog post, we will explore how Tailscale can be implemented in a small corporate environment, and the benefits it can offer over traditional VPN solutions. We’ll cover everything from setting up a Tailscale network to configuring access controls, and provide tips and best practices for using Tailscale in a corporate environment.
In our company, we have two critical applications: a WordPress website and an ERP system powered by ERPNext. These applications rely on a MariaDB database hosted on a separate server.
To ensure secure connectivity, we have isolated the database and ERP servers from the public internet using Firewall-1. The web-server, which hosts our company website, is accessible to the public through Firewall-2, which allows traffic on ports 80 and 443.
Our company has three users: the administrator, developer, and Database Administrator (DBA). Through Tailscale’s Access Control Lists (ACLs), we can control who has access to what resources in our network. For example, the DBA can access the database and ERP servers via SSH (port 22), while the developer can access the ERP application and the WordPress server through ports 80 and 443. The administrator has full access to all servers. Tailscale is configured to deny access between users by default, but we can explicitly define access in our ACLs as needed. By implementing Tailscale in our network architecture, we have created a more secure and efficient environment for our critical applications and restricted access to only those who require it. Below is the Tailscale admin console where all the devices are live and connected.
Access Control List (ACL)
To ensure secure connectivity in our network, we’ve implemented Tailscale’s Access Control Lists (ACLs) to control which workstations can access which servers. As shown in the diagram, our network includes three workstations: laptop-client-dba, laptop-client-admin, and mobile-client-dev. Each workstation has its own set of access controls defined in our ACLs to limit access to specific resources.
For example, the laptop-client-dba has access to the db-server and erp-server via SSH on port 22, while the laptop-client-admin has full access to all servers. The mobile-client-dev has access to the erp-server and web-server via ports 80 and 443 for development purposes.
By defining these access controls, we can restrict access to only those who require it, reducing the risk of unauthorized access and potential security breaches. Furthermore, Tailscale is configured to deny access between users by default, ensuring an added layer of security for our network.
{
"acls": [
{
// Admin has access to all servers
"action": "accept",
"src": ["rtcs-org@github"],
"dst": ["db-server:*", "erp-server:*", "web-server:*"],
},
{
// dba can access erp and db server via ssh
"action": "accept",
"src": ["dave-red-threat@github"],
"dst": ["db-server:22", "erp-server:22"],
},
{
// dev can access erp (80,443) and web (22) servers
"action": "accept",
"src": ["drmel-red-threat@github"],
"dst": ["erp-server:80,443"],
},
{
// Web server can access db server for database communication
"action": "accept",
"src": ["web-server"],
"dst": ["db-server:3306"],
},
],
"groups": {
"group:employees": [
"drmel-red-threat@github",
"dave-red-threat@github",
"rtcs-org@github",
],
},
"hosts": {
"db-server": "100.118.137.111",
"erp-server": "100.93.133.104",
"web-server": "100.77.148.85",
},
Now lets see our VPN in action. First lets verify if the admin has ssh access to all the servers
As we’ve established, our network is protected by firewalls that restrict access from the public internet to our servers. This means that even if the administrator attempts to access the servers using their public IP addresses, they would be denied access. Instead, access to the servers is only permitted through Tailscale’s secure overlay network, which ensures that all traffic is encrypted and authenticated.
On the other hand, our developer (drmel) is using a mobile phone to access the network, and their access is limited by the ACLs we’ve put in place. Specifically, they have been granted access to the ERP website and the WordPress admin console via ports 80 and 443, but they cannot access any other servers or resources on the network. This granular level of access control ensures that the developer can perform their tasks without exposing the network to unnecessary risk.
Let’s put our access control configuration to the test by checking whether our developer (drmel) can indeed access the ERP and WordPress admin panels using their mobile phone (mobile-client-dev).
ERP AccessWordPress Admin panel access
Excellent! Now that we’ve confirmed that the developer can access the necessary servers, let’s move on to testing the access of our database administrator, Dave. We’ll check whether Dave can access the database on the db-server, as well as whether he can connect to the erp-server to configure the database connections needed for his work.
The screenshots below shows that dave (DBA) can access the db-server and erp-server from his workstation:
In today’s digital age, protecting a business’s digital assets is more important than ever. Small businesses, in particular, may feel overwhelmed when it comes to securing their IT infrastructure, especially if they lack specialized IT staff or expensive hardware. However, with Tailscale, small businesses can create a secure overlay mesh network that connects all their devices in a simple and intuitive manner, regardless of their physical location.
By implementing Tailscale, businesses can protect their critical servers and applications from unauthorized access by utilizing granular access control through ACL. Tailscale’s security measures ensure that only authorized personnel can access critical business applications, such as the ERP and customer databases, which is essential in today’s data-driven business environment. Additionally, Tailscale’s built-in encryption ensures that all data transferred between devices is secure and protected from interception by malicious actors.
Moreover, Tailscale’s ease of use and flexibility make it an excellent choice for small businesses that require robust security measures without the need for specialized IT staff or expensive hardware. The ability to manage access control and network connectivity through a single interface makes Tailscale an intuitive and straightforward solution for small businesses. Tailscale’s seamless integration with existing network infrastructure and cloud services further enhances its appeal, making it an ideal choice for small businesses looking to streamline their cybersecurity posture.
In conclusion, Tailscale provides small businesses with a powerful yet straightforward solution to protect their digital assets. Its robust security measures and ease of use make it an ideal choice for businesses that require secure connectivity and granular access control. With Tailscale, small businesses can focus on growing their business, secure in the knowledge that their digital assets are protected from unauthorized access and interception by malicious actors.
