π‘οΈWhat is Tailscale?
π Secure Remote Access with Tailscale Mesh VPN
Tailscale is a modern mesh VPN that replaces traditional VPN appliances and port-forwarding schemes with identity-aware networking. In the managed services environment, Tailscale enables secure, encrypted communication between authorized support workstations and client servers, while significantly reducing attack surface and complexity.
π« No Open Firewall Ports Required
Unlike legacy VPNs, Tailscale requires no inbound ports to be opened on firewalls. Devices initiate outbound connections over HTTPS to Tailscale's coordination service and establish encrypted tunnels using WireGuard.
This allows:
Full NAT traversal
No changes to client network firewalls
Reduced security risk by eliminating exposed services
π Mesh Connectivity with Granular Access Control
Tailscale forms a peer-to-peer mesh network, with access restricted using an Access Control List (ACL) based on device tags and identity.
Hereβs how access is managed:
β Allowed Communication Paths:
Support workstations can communicate with:
Other support workstations on all ports
Client servers on TCP ports 443, 9090, and 22
Client servers via Tailscale SSH (distinct from traditional SSH over port 22)
Client servers using ICMP (ping) for basic network diagnostics (via
:1pseudo-port)
π« Blocked Communication:
Client servers cannot communicate with one another β this east-west traffic is intentionally blocked to contain potential threats and enforce segmentation.
No external users or devices can access Tailscale-connected systems unless explicitly allowed via ACL.
π Port-Level and Protocol-Level Restrictions
Protocol/Port | Purpose | Who Can Access |
|---|---|---|
TCP 443 | Web interfaces / APIs (HTTPS) | Support workstations only |
TCP 9090 | Cockpit or other admin dashboards | Support workstations only |
TCP 22 | Traditional SSH, SCP, Rsync | Support workstations only |
Tailscale SSH | Encrypted SSH over Tailscale | Support workstations only |
ICMP (Ping) | Network diagnostics | Support workstations only |
Tailscale SSH does not use TCP port 22. Itβs a built-in feature that allows authorized users to initiate SSH sessions based on identity, not IP or port.
π‘οΈ Identity-Based Security and Tagging
Each device in the Tailscale network is tagged with a functional role. These tags are assigned by administrators and used in ACL policies to tightly control access.
Benefits:
Access is role-based, not IP-based
Dynamic IPs or network changes have no impact on access
All access is logged and auditable
β Summary of Benefits
Feature | Traditional VPN | Tailscale Mesh VPN |
|---|---|---|
Requires inbound firewall rules | β Yes | β No |
Centralized VPN gateway needed | β Yes | β No (peer-to-peer) |
Peer-to-peer connectivity | β No | β Yes |
Port-based access restrictions | β οΈ Complex ACLs | β Simple, enforced via config |
Device identity-based security | β IP-based | β User and device-based |
Granular access by role/tag | β οΈ Limited | β Fully customizable |
Server-to-server communication | β Possible by default | β Explicitly blocked |
SSH control with auditability | β External dependency | β Built-in via Tailscale SSH |
Diagnostic access (ICMP) | β οΈ Rarely permitted | β Controlled via dummy port |
π§ Additional Notes
No VPN client configuration is required on client networksβonly the Tailscale client installed on managed devices.
No static IP management is needed; device names and identities stay consistent across network changes.
Logging and auditability: Tailscale SSH and ACL enforcement actions are logged and traceable for security reviews.