Securing Finter’s IoT network over 4G

Using Tailscale to manage remote cameras in a hub-and-spoke network.

Finter develops technical solutions for mobility, toll roads, and parking. Finter is a rapidly expanding startup currently employing 20 people; its toll collection system shares traffic information, and the company plans to expand into parking systems in 2022.

When Christian Waatland, Head of Network Operations, joined Finter, there were just 80 processing nodes in their IoT product. The original solution used TeamViewer to manually deploy firmware upgrades. The number of Finter’s processing nodes rapidly doubled and then tripled, and the time Christian spent on firmware update deployments increased. It was time to find a method that would make the process simpler. Tailscale was a perfect fit for Finter’s IoT devices on a 4G network, with frequent updates.

I save a lot of time working over Tailscale. It’s so much simpler that I can now actually do other work. It’s more reliable than the other VPNs that we tried. It never crashes, and it’s always available.

Christian Waatland, Head of Network Operations

Finter’s IoT Solution for Toll Collection

Finter’s product is an IoT camera device using artificial intelligence software to classify vehicles and license plates. The camera hangs above a toll road and classifies objects in both directions. Using NVIDIA’s CUDA to do object analysis in conjunction with Finter’s own custom artificial intelligence software running on top of NVIDIA’s Xavier AGX, the device reads license plates and checks billing subscriptions for passing cars.

A map of Norway with various dots. Zooming into a single dot, you can see a camera, an image processing layer, and a networking layer.

Finter’s cameras are located across Norway.

The management network is set up in a hub-and-spoke pattern, with each site’s processing nodes reporting back to a central operations control point. A virtual machine running Ansible acts as the hub, and is used to send commands out to the devices on site. The Finter app is written to auto-discover other nodes on the local area network (LAN), and expects to use a hub-and-spoke architecture.

A network diagram for how Finter connects to assets.

Finter’s team manages the devices through a hub-and-spoke network setup, with the hub using Ansible to control devices.

At each site, in addition to cameras, Finter has a cabinet mounted to each camera pole, running networking equipment and processing nodes. Tailscale runs on these processing nodes.

Saving time with Tailscale: It Just Works

Christian first tried ZeroTier to manage the increasing number of devices, but even though the team liked ZeroTier’s management interface, there was too much latency on uploads and downloads over 4G. Next, Christian tried directly using WireGuard®, a popular, lightweight, open source VPN. While WireGuard was fast, it didn’t include the necessary management tools for deploying and updating so many devices. Rolling out WireGuard configurations to hundreds of nodes proved unwieldy.

Tailscale creates a secure mesh network built on top of WireGuard, and manages keys (including rotating keys) automatically. Tailscale turned out to be a perfect fit for Finter’s IoT devices on a 4G network, with frequent updates. Once they had Tailscale installed, the next step for Finter was setting up ACLs to manage access to devices on their network. Tailscale’s support engineers helped Finter’s technology team understand ACLs and get set up quickly, so that their ACLs allow each site to reach the central server, but individual sites are prevented from reaching each other. Now Christian can simply monitor all the nodes from his admin console. To update security keys and device software using Tailscale, Christian writes a few lines of code in Ansible and executes them over Tailscale, which is dramatically simpler than manually connecting to each node in TeamViewer.
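
The hub-and-spoke restriction described above can be written as a Tailscale policy file like the following. This is an added example, not Finter’s actual policy: the tag names tag:hub and tag:site, the hub-to-site SSH rule on port 22 (for Ansible) and the ports used in the tests are assumptions.

```json
// Constructed example policy file (HuJSON: comments and trailing commas are allowed).
// Weak starting point, for comparison: an allow-all rule such as
//   {"action": "accept", "src": ["*"], "dst": ["*:*"]}
// lets every site reach every other site, so one compromised cabinet
// can probe the rest of the fleet.
{
  // Assumed tag names. Only tailnet admins may apply them to devices.
  "tagOwners": {
    "tag:hub":  ["autogroup:admin"],
    "tag:site": ["autogroup:admin"],
  },

  // ACLs are default-deny: a connection not matched by a rule is dropped.
  "acls": [
    // Spokes may open connections to the hub (narrow "*" to the real ports).
    {"action": "accept", "src": ["tag:site"], "dst": ["tag:hub:*"]},

    // The hub may open SSH to spokes. Ansible uses SSH by default;
    // port 22 is an assumption about this deployment.
    {"action": "accept", "src": ["tag:hub"], "dst": ["tag:site:22"]},

    // No rule lists tag:site as both src and dst, so site-to-site
    // traffic is denied.
  ],

  // Policy tests run whenever the file is saved. A later edit that
  // accidentally opens site-to-site access is rejected.
  "tests": [
    {
      "src": "tag:site",
      "accept": ["tag:hub:443"],
      "deny": ["tag:site:22", "tag:site:443"],
    },
    {
      "src": "tag:hub",
      "accept": ["tag:site:22"],
      "deny": ["tag:site:443"],
    },
  ],
}
```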