What is Tailscale?
by Erin Risk

Tailscale is a secure, peer-to-peer VPN alternative. Founded in 2019 by former Google engineers, this Canadian company launched its access control product in early 2020 — just as work from home went into overdrive. Unlike the hub-and-spoke topology of traditional VPN solutions, Tailscale creates a virtual mesh network between a company’s network nodes. These nodes could be on-premises resources, cloud applications, managed devices, or user-owned devices.

Promising rapid deployments and simpler administration, Tailscale pitches itself as a way for companies to seamlessly migrate to modern, Zero Trust network architectures.

Tailscale

About Tailscale

Tailscale uses the open-source WireGuard protocol to create encrypted peer-to-peer connections between nodes on a network. Tailscale eliminates the performance bottlenecks created by VPN gateways and replaces them with a system based on two components:

  • Client app running on user devices, servers, cloud resources, and other network nodes.
  • Proprietary coordination server that provides authentication, distributes WireGuard public keys, and sets access control policies.

Tailscale’s approach separates the control plane from the data plane. As a result, a company’s data never passes through Tailscale’s server.

Applications

  • Personal applications for remote access to home networks.
  • Alternative approach for site-to-site VPN.
  • Remote access solution for businesses.
  • Access solution for DevOps and other teams.
  • Decentralized Zero Trust network architecture.

Benefits

  • No concentration of traffic through gateway appliances.
  • Higher throughput and lower latency.
  • P2P stabilizes networks by reducing single points of failure.
  • Software solution requires few changes to networks or resources.
  • All price tiers support popular single sign-on and multi-factor authentication providers.
  • WireGuard end-to-end encryption is more secure since private keys never leave the nodes.
  • Tailscale ACLs limit the nodes users may access.

Considerations

  • Tailscale is still in development, so business-critical features may not be available.
  • Okta and Active Directory integrations only support authentication, not user management.
  • SAML and OIDC support is only available at the custom price tier.
  • Tailscale ACLs do not synchronize with existing security systems.
  • Tailscale ACLs must be written using Tailscale’s JSON format.

Twingate

About Twingate

Twingate helps companies migrate to modern Zero Trust Network Access (ZTNA) architectures without disrupting their daily operations. ZTNA dramatically reduces a company’s attack surface while constraining the blast radius of successful security breaches.

Twingate’s approach hides on-premises and cloud-based resources behind software-defined perimeters. Scanning tools can no longer discover the public IP address of outward-facing resources. Hackers who breach a private network can no longer see the attached resources.

Beyond security, Twingate’s distributed technology improves performance and the user experience by eliminating the need for VPN gateways. Connections between user devices and resources follow the most direct, low-latency routes. Traffic between users and cloud resources no longer passes through private networks, improving overall network performance.

Applications

  • Controlling access for remote, on-premises, and third-party users.
  • Controlling access to on-premises and cloud resources.
  • Migrating to more secure, performant Zero Trust architectures.

Benefits

  • Eliminate redundant access control systems.
  • Improve security posture without changing networks, resources, or user devices.
  • Coexists with existing VPN systems and integrates with security stack.
  • Simple consoles unify user management and access management.
  • Deployments take as little as 15 minutes.

Considerations

  • Monthly cost is based on user count and network count.
  • Some advanced features are only available in the Enterprise tier.

Tailscale Security Capabilities Vs. Twingate and Zero Trust

Zero Trust is the modern approach to secure network access that companies need to handle today’s security challenges. Sophisticated cybercriminals, distributed workforces, and ever-more decentralized network architectures dramatically weaken companies’ security postures. VPN makes things worse. Easily discoverable on the public internet, VPN gateways are vulnerable to attack. And VPN’s permissive design gives compromised devices full access to protected networks.

Tailscale and Twingate address these issues by separating the control plane from the data plane. In Tailscale’s case, the open-source WireGuard protocol handles the data plane while the proprietary coordination server handles the control plane. Each node, however, is issued a unique IP address that companies typically publish to a DNS server.

Twingate’s approach hides all resources behind software-defined perimeters, eliminating the need for visible IP addresses entirely. Rather than centralizing policy enforcement, Twingate pushes the execution of access policies to both user devices and protected resources.

Tailscale Performance Vs. Twingate

VPN and other legacy remote access technologies funnel user traffic through gateways. Even when running as virtual instances, these gateways become chokepoints in the network. All user traffic passes through the gateway whether resources are on-premises or in the cloud. A sudden spike in users working from home destroys throughput and increases latency. Fixing these issues requires expensive, time-consuming upgrades.

Twingate and Tailscale directly connect user devices and resources to eliminate these issues entirely. The only remote traffic accessing a company’s private network is going to on-premises resources. Traffic meant for cloud-based resources gets routed across the public internet.

Tailscale Ease of Use Vs. Twingate

In addition to these impacts, VPN technologies are getting more difficult to manage. Network segmentation slows lateral movement during security breaches. Since each segment requires its own VPN gateway, however, networks become more complex and brittle. Since these VPN gateways only protect private networks, cloud-based resources require unique access control solutions that are often specific to each cloud service provider.

Besides the growing administrative overhead, multiple overlapping VPN systems undermine user productivity. Remote users must connect and disconnect their VPN clients as they switch between resources. And since VPN only applies to remote users, office users must use a different system to access resources from their desks.

Both Twingate and Tailscale eliminate this fragmentation by providing a single access control system for on-premises and cloud resources. The user experience improves. And access administration becomes much simpler.

Tailscale Scalability Vs. Twingate

The sudden shift to remote work policies exposed the risk of coupling access with architecture. Even with virtualization, VPN is an integral part of a company’s network architecture. Networks designed for large on-premises workforces could not change rapidly or cheaply to the new normal of large remote workforces.

As discussed earlier, modern software-based solutions such as those from Tailscale and Twingate decouple access and architecture. Adding users and changing policies does not impact the underlying network.

Tailscale, however, does not support features many businesses expect. Integration with Okta and Active Directory, for example, is limited to authentication only. Changes made to group or user policies in these third-party solutions do not propagate to the Tailscale server. This may not be an issue for Tailscale’s early adopters. But companies with more demanding networks may prefer Twingate’s more robust feature set.

Tailscale Support Vs. Twingate Support

Twingate and Tailscale provide knowledge bases, community forums, and email support resources. Priority support options are available to customers subscribing to customized service tiers. Unlike Twingate, Tailscale extends email support to customers at its free pricing tiers.

Enhancing security with Twingate

Twingate’s modern, Zero Trust-based solution offers benefits beyond access control with advanced features such as device posture enforcement, deep activity logging, and extending multi-factor authentication to vulnerable services.

Administrators can define access control policies based on the state of each user’s devices. Operating system version, antivirus status, and other device states can determine whether a user may access sensitive resources. As company-managed systems get replaced by user-owned devices, the ability to deny access based on device posture further reduces a company’s attack surface.

Twingate indexes its extensive logs of network activity by user and device. These logs help identify unusual behavior that may be a sign of a breach in progress. Reducing the time hackers have for lateral movement minimizes the attack’s impact.

One consequence of lateral movement is hackers’ ability to escalate their access to SSH and other network services. Twingate gives customers more control over privileged access by extending multi-factor authentication (MFA) to these services. Any attempt to use SSH gets challenged and logged, reducing the time it takes to identify inappropriate use.

Twingate’s secure Zero Trust solution is ready for business today

VPN and other legacy access control technologies impede productivity, performance, and security. With resources and users distributed far beyond the office, companies need a modern approach to secure access control.

Twingate’s solution replaces the weaknesses and risks of VPN while making Zero Trust Network Access architectures much simpler to adopt. Try it out yourself with Twingate’s free Starter tier for individuals and small teams. Or contact Twingate to learn how your organization can deploy Zero Trust security in minutes.

