VPNs and firewalls are part of an traditional security strategy that went like this: create a perimeter around your private network, and users who can connect to the private network will have access to the resources inside.
This is what is known as the “castle and moat” model. VPNs are the bridges, and firewalls are the locked doors that you need a secret password to open. As organizations migrate to cloud-based infrastructure and remote work, they’re shifting away from this kind of perimeter-based security.
When resources are distributed and remote workers use various devices, it no longer makes sense to assume the walls around a physical location are enough to protect all your assets. That’s why companies are moving toward a “zero trust,” identity-based approach to security, and leaning heavily on strong authentication and authorization for every service and endpoint.
You may be wondering how Hashicorp’s line of products relates to Tailscale’s WireGuard-based VPN. Hashicorp and Tailscale have both designed zero trust solutions with cloud-based infrastructure in mind. Some organizations use both solutions at the same time. Let’s do a side-by-side comparison.
Hashicorp is a leader in cloud infrastructure automation. They offer a range of products, including Terraform, Nomad, and Sentinel. Amongst their offerings, Boundary and Vault have the most in common with Tailscale.
While Hashicorp and Tailscale are part of the same generation of identity-based security companies, our products take quite different approaches. Hashicorp products provision, run, and secure cloud computing infrastructure, while Tailscale’s core offering is a modern remote-access VPN.
Nevertheless, both product lines can be used to serve similar purposes. Hashicorp Vault was first released in 2015, and it offers “secrets” (or private credentials) management, identity-based access to services, and auditable control of secrets amongst applications and users. Hashicorp Boundary was first released in 2020, and provides secure remote access to private systems based on trusted identity.
|Hashicorp Boundary and Vault
|Yes, a WireGuard-based remote-access VPN
|No, not a VPN
|Single Sign-On and Integration with Identity Providers?
|Yes (supports Google GSuite, Office 365/Azure Active Directory, Okta, and OneLogin
|Yes (Vault supports Microsoft Azure Active Directory, Okta, AWS IAM, Kubernetes, GitHub, Google Cloud, and Centrify)
|Role-based access control?
|Yes: Tailscale users can configure a policy that defines which users can access which servers, and these policies are automatically enforced by each node.
Tailscale also makes it easy for users to build complex RBAC/ABAC rule sets, based on identities retrieved from identity providers. When a change is made to a user’s group membership (i.e., roles and attributes) or the tailnet policy file, the changes are immediately reflected out to and enforced by all Tailscale nodes.
|Yes: Hashicorp Boundary facilitates TCP sessions, connecting authenticated and authorized users with applications using role-based access controls.
|Yes: Tailscale uses per-device keys that rotate periodically, making it easy to detect credential theft.
Hashicorp Boundary uses ephemeral session credentials. These work for a
limited amount of time, and then new credentials are generated. One user on
two different devices can have two different session credentials.
|No: encryption is removed at the Boundary worker node, before forwarding to the final endpoint.
|Do I need to open firewall ports for it to work?
Users don’t need to open any network firewall ports for Tailscale to work;
NAT traversal techniques safely connect Tailscale nodes without manual
|No: Users never actually enter any given private network, just communicate with Boundary worker nodes.
|Yes: the coordination server manages key distribution, key exchanges, and key rotations (centralized security that doesn’t create a bottleneck when nodes are trying to connect)
|Yes: Hashicorp Vault is an industry-standard secrets management system.
|Auditing and Logging?
|Yes: Tailscale nodes can be configured to relay packet headers to a central set of servers for auditing and tracking. Since every Tailscale connection passes through two nodes (client and server), the two streams can both be logged and checked for inconsistencies, which prevents tampering with the logs.
|Yes: Boundary supports monitoring and logging of session metadata. Since
each user session has unique ephemeral credentials, it’s possible for Boundary
to identify exactly where an issue has occurred.
Hashicorp key features
No need to onboard users at scale
Onboarding users to a corporate network can be cumbersome, especially when more and more of those users are connecting remotely. Usually, this process involves attaining SSH keys, VPN credentials, application credentials, and IP addresses. If organizations are relying on a traditional VPN, many users have to get past a VPN concentrator, which can create a bottleneck.
Using Hashicorp Boundary, there is no onboarding process. Users are simply authenticated and authorized, and then Boundary runs a connection to whichever resources the user is authorized to access.
Decreased attack surface via limited access
Hashicorp Boundary users don’t ever have full access to a private network; instead, a user will establish a TCP session through Boundary, and a Boundary “worker” node (a server) will proxy the connection. That way, the worker node stands in for the user, and the user doesn’t have access to anything within the private network, including the target application’s credentials.
No need to manage and track credentials
Since Boundary uses “dynamic credentials” for each session, users can authenticate through their existing identity provider, and then per-session credentials are generated on the backend (instead of reusing the user’s static credentials). Using dynamic credentials helps to solve the problem of secret sprawl: if applications never have access to users' credentials (and vice versa), then old applications and user accounts cannot leak keys and passwords.
Tailscale key features
Lightweight connectivity: a low latency, easy to use VPN
Tailscale operates at a lower level than Hashicorp Boundary. Instead of proxying TCP connections, Tailscale forward IPv4 or IPv6 packets directly between any two devices using a peer-to-peer network with NAT traversal.
Tailscale’s WireGuard-based VPN ensures low-latency, reliable connections regardless of the network path, and without needing to deploy additional components like concentrators or proxies.
End-to-end encryption: no middleboxes or interference
Users’ connections through Tailscale are peer-to-peer and end-to-end encrypted. No one, including anyone at Tailscale, can ever read or decrypt communications, because the private keys never leave a user’s device.
Tailscale leverages identity-based security like Hashicorp Boundary, when establishing a session. But Tailscale allows a user’s traffic to be delivered directly, without passing through any Tailscale relays and without the possibility of decryption before it reaches its destination.
Tailscale leverages identity-based security
Tailscale’s security philosophy is similar to Hashicorp’s, but our architecture is different: instead of using “worker” nodes to proxy connections between the user and whichever resource they’re trying to access, Tailscale’s nodes talk directly. This isn’t a security disadvantage: in Tailscale, administrators can define access control lists (ACLs) that determine which users and nodes can access which IP addresses and specific services.
Based on these rules, a customized packet filter is generated for each Tailscale node and distributed by the coordination server. Thus, each node in the Tailscale mesh network acts as its own firewall. This gives all the security of a Zero Trust network without adding centralized firewalls that can become a bottleneck.
Like Hashicorp, Tailscale uses role-based access control (RBAC), where authorizations are made according to each user’s defined role. Tailscale also uses attribute-based access control (ABAC), where users or servers can be tagged with a set of “attributes” (e.g., “employee+engineer+Toronto”) so that they can get access to services relevant to them. Immediately after roles or attributes change, packet filters are recompiled across the entire Tailscale network to grant or revoke access. The update generally completes in less than a second.
Tailscale has advanced logging
Each Tailscale node logs its connections to a central logging service, meaning that every connection is logged twice (since both partners in a connection log their connection). This makes log tampering easy to detect: if one machine were trying to reach another, this would be logged, but the destination machine wouldn’t have anything to log, creating a noticeable inconsistency.
Because of this double-entry logging design, a central bottleneck for monitoring traffic is not necessary.
The bottom line
Tailscale and Hashicorp’s products are part of the same wave in the movement toward de-perimeterized, identity-based security, but they offer different products with distinct architectures.
Tailscale is a remote-access VPN that has a large focus on improving users’ connectivity. In its peer-to-peer mesh network, connections require little to no configuration, they’re low-latency (thanks to WireGuard’s lightweight tunnels), and they’re highly-reliable. Hashicorp Boundary, in contrast, offers a centrally managed proxy service that facilitates authorized and authenticated communications.
If you’re working in a multi-cloud environment and you want to allow users access to specific services, but restrict their access to the network itself, use Hashicorp Boundary. If you want an easy-to-use, remote-access VPN that leverages rules-based access controls and provides true end-to-end encryption, use Tailscale.