I work for a company which at the moment is using OpenVPN self-hosted Access Server as a VPN concentrator. ACL rules are managed on the firewall.
As the company is growing fast and working a lot with external companies that have access to internal systems, including some very critical assets, the configuration both on the VPN concentrator and on the firewall gets more and more complicated.
I’m looking for a replacement which should leverage our security measures and also simplify the configuration and management of remote access and smart working.
I came across Tailscale and see lots of posts here from people who seem to use Tailscale in a home environment. I’m wondering if there are any companies out there which use it and how satisfied they are with Tailscale.
We are a company with about 1200 people working in around 20 locations around the globe, with the main site being located in Europe. We have a few hundred VMs in a datacenter in Europe but are migrating stuff to Azure and AWS.
Hello, we have a number of customers who are broadly dispersed at your scale. A few who have given permission to share are listed here:
A good first step would be to contact [email protected] - We can talk about technical fit with one of our solutions engineers (like me), and coordinate a PoC.
Multi-cloud, and a hybrid on-prem/cloud environment is one of the things that I see Tailscale bringing the most value to.
hey /u/Glad-Age-1402! - Tailscale can definitely fit this need/use case. We have over 9K (and counting!) customers today and many very large enterprises as well.
What you are looking to do is a standard Tailscale use case. I’m one of the SEs over here, so I talk to a lot of customers with the same questions you have.
Feel free to start a trial with Tailscale and give it a whirl. You can always reach out to our sales team for more info (or shoot me a DM here on Reddit).
I’m an enterprise customer of Tailscale.
I use it personally, but my company also has a fairly large contract.
I can say with confidence that Tailscale has fundamentally changed the way our network functions for the better. Over the past 6-8 months I’ve evaluated every major VPN/private access solution. Tailscale ended up being the right solution for us and so far everyone has loved it.
An item to consider: Tailscale is NOT an internet protection solution. If you require filtering internet traffic through a firewall of some kind, you will need a way to do this. Happy to discuss in a DM.
Overall, I’ve been extremely happy with Tailscale in an enterprise setting.
I think of Tailscale as mostly home use, but the Tailscale sales team should be able to walk you through whether the use case fits.
For a simple OpenVPN replacement, the most common evaluation set I’m seeing with clients is Tailscale, Cloudflare, and Twingate. Each has its own merits, but I usually find those 3 to be the most commonly evaluated together (and you’ll probably want to look at a few options as a larger company to see what works best for you).
Cloudflare and Twingate also give you web filtering, whereas Tailscale is more of a straight VPN. Sometimes you’ll see folks also look at Zscaler and Palo Alto Networks, but I personally find those overkill, especially if you don’t want all the packet inspection stuff (or have an army of people to babysit it).
I have used Tailscale to improve our security posture at two companies now. Both companies operate in regulated sectors where due diligence in vendor selection is required, as are regular internal and external audits.
While neither company is quite at the scale of users you have, my previous company has a similar VM fleet size. Additionally, for that company we specifically wanted to remove OpenVPN for the following reasons:
- too slow
- not flexible enough
- management was becoming too much of a burden
- it’s moat-and-castle; it didn’t match the way we actually worked and the connectivity we needed
Tailscale has allowed us to have a better posture, move faster, and secure networking in ways and areas that are simply not possible with OpenVPN and similar legacy technologies.
We use a lot of Tailscale features because they are well designed and simple to use:
- App connectors for vendors that require IP whitelisting
- Magic DNS with TLS
- Kubernetes operator
- Exit nodes for travelers
- Subnet routing
- Peer reviewed ACL through GitHub
- Audit logs
In the last few years there’s been only a single occasion where I wasn’t able to leverage Tailscale due to the nature of the sandboxed execution runtime I was testing in (GCP Cloud Run). Magic DNS resolution currently fails in that environment using Tailscale as a SOCKS5 proxy.
You will need to engage with your external partners; sharing connectivity with them will have some impact.
We faced a little bit of pushback in this regard because OpenVPN doesn’t require dedicated accounts in a service outside of the access server, but we found that once we explained the benefits of Tailscale vs OpenVPN they were keen to engage, and at least a couple of them went on to use Tailscale for their own needs.
Lastly, Tailscale engineers are some of the best in the business. We knew their previous work and reputation from e.g. Google, Go language and so on. And we’ve found Tailscale support to be first class.
Yes, the various branches are connected either via MPLS links or site-to-site VPN. My concerns are primarily mobile users which connect via VPN to use resources in the datacenter or need to reach resources in our AWS environment.
Thanks for the feedback. That seems to be our exact use case / the scenario I’m facing at the moment. Thanks for offering to contact you via DM! I might do so soon!
Tailscale is perfect for your own mobile users, where you control laptop/OS/etc. Not perfect for “external company” mobile users, where the company might have its own VPN. Normally, the external company has to treat that traffic as its own, VPN back, and then use the mentioned site-to-site VPN to reach your system. Or RDP into an on-prem server and connect to your resources.
I think Tailscale is the wrong tool for the job TBH. But I’d love to see a large-scale, high-load deployment of Tailscale, if such exists.
Interesting. I didn’t gather that from my first read, but if that’s the case, you want a solution that provides the external company with policy management, i.e., distributed control, so that they can define what access is or is not allowed.
It’s a political (aka security) concern: you’re requiring the partner company to install software on lots of computers. Generally a bad idea, and no big company will do that. A small company might agree. Running a managed node in the partner company’s DMZ might be a possible solution, but at this point it’s easier to run IPsec.
You’d want some solution that is an industry standard, and Tailscale (WireGuard) at this point isn’t. We can argue about WireGuard and kernel-level support, but it’s not supported by enterprise network vendors.
You don’t want to run two VPN solutions, and normally the external company won’t allow you to install (and manage) software on their devices.
Now that comes with some assumptions (that the external company has its own VPN in place, for example), but still. Rules can be bent if one company is too big/small.
Probably don’t care if it’s supported by enterprise network vendors, as it’s connectivity for mobile/laptop/OS/etc. Definitely agree it should be standard and open source; IMHO WireGuard, while great, does not include all the control plane stuff (which is why everything like Tailscale exists) which is needed. I also think such a solution needs a stronger implementation of ‘zero trust’, particularly with service- rather than host-based access. The no-install problem can be solved using a ‘clientless’ endpoint which gets loaded into the user’s browser once they authenticate to an IdP. That’s great for a contractor or 3rd-party scenario.