The Linux Foundation adopts low-maintenance, worry-free networking
The Linux Foundation is a non-profit organization that hosts open-source projects while providing governance, support, and community for over 13,000 developers. Founded in 2000 with just a handful of employees, it currently has hundreds of employees and serves as a trusted resource in the open-source ecosystem.
Konstantin Ryabitsev, Director of Core Projects at the Linux Foundation, describes how becoming an early adopter of Tailscale helped the organization improve its network layout and end its OpenVPN struggles.
Fostering fair open source
Starting as a combination of the Open Source Development Labs (OSDL) and the Free Standards Group (FSG), the Linux Foundation grew slowly at first. However, its popularity increased as its value as a neutral governance body for open-source projects became widely recognized.
As Konstantin explains, “If companies that are competitors are building on Linux and open-source technologies, they can come to the Linux Foundation to have their project hosted in a neutral environment, so nobody can point and say ‘This other company is getting an unfair advantage by hosting this important project.’” When the Linux Foundation hosts an open-source project, any company can contribute without feeling like their competitors are getting an upper hand.
The struggle of OpenVPN
Before Tailscale, the Linux Foundation used OpenVPN and a custom, in-house VPN on WireGuard. However, issues arose with these approaches, and their team was inspired to seek out alternatives.
One of their pain points revolved around the burden of managing certificates in OpenVPN. As Konstantin explains, “You deploy certificates. Then you have to manage them, and when they expire, you have to re-enroll.” OpenVPN requires multiple layers of certificates, each of which needs maintenance: if any parent certificate (such as the CA) expires, all subordinate certificates become invalid as well.
“I understand why a corporate environment might want to use a system of CA, intermediary CA, and then the actual certificate, but it was just overkill for us. Everybody hated dealing with that,” Konstantin explains.
Besides these issues, the Linux Foundation also had to manage the routing for its custom VPN on WireGuard. “We were using WireGuard with private keys, but using direct WireGuard doesn't solve the problem. You still have to set up your edge routing. You still have to set up your ingress nodes,” he explains. “Multiply this by 10 different cloud providers, and suddenly you have 10 different routing setups that you have to worry about. Switching to Tailscale helped us completely get rid of that.”
Selecting and implementing Tailscale
The Linux Foundation was an early adopter of Tailscale after their team grew frustrated with the maintenance required by their previous solutions. Not only was the selection process direct, but Tailscale’s rollout was also straightforward. Regarding their rollout, Konstantin says, “You make it work on the old VPN and Tailscale because it was a gradual rollout.” He adds, “This was just a minor networking thing.”
Overall, Konstantin feels that getting Tailscale up and running went smoothly, stating, “I don’t believe there were any stumbling blocks.”
Living in the cloud
The Linux Foundation began with a hybrid infrastructure that still included some on-premises deployments around the time they adopted Tailscale. However, they were already in the process of moving directly to a cloud-based system.
“We started with hybrid and eventually migrated to all cloud,” explains Konstantin. “Everything is in the cloud right now for us, though some of it is still running on dedicated metal. When we first realized that, we had a way to run things directly on metal, so we were like, ‘Why would we have our own data center if we can just use a metal deployment?’”
Now, they have several arrangements that provide them with metal-hosted setups so they “have no reason to run anything on-premises.”
Tailscale connects without complications
One crucial use case for Tailscale at the Linux Foundation was granting admins access to their clouds, specifically for backend access to virtual machines (VMs) that are restricted from external access.
“It completely replaced OpenVPN, which we were happy to get rid of because of the key management and access management. ACLs with Tailscale made that dramatically simpler for us to manage,” shares Konstantin.
The Linux Foundation also benefits from Tailscale-to-Tailscale access on the backend. “We can have an Ansible host that has complete access to any of the systems via ACL-protected rulesets,” shares Konstantin. “We don't have to worry about setting up firewalls, poking holes in firewalls, or setting up routing for external access to those systems. We can go directly from that internal host to any other host that is on our Tailscale tailnet and restrict that with ACLs.”
Essentially, Tailscale is used to facilitate “human-to-machine” access, where admins access resources in the cloud, and “machine-to-machine” access, where nodes communicate with each other.
“Machine-to-machine does a lot of replication directly on Tailscale. On providers where we have direct access and don't have to rely on a DERP server, we're better able to benefit from machine-to-machine Tailscale access.”
Time saved and shrinking support tickets
According to Konstantin, Tailscale’s features have had a significant impact on the Linux Foundation. He cites Single Sign-On (SSO) as particularly convenient, and he expresses appreciation for the access control facilitated by Tailscale’s ACLs.
“We can say this group of people can access everything, and this group of people can only access HTTPS on the following systems,” he explains. “Especially when managing machine-to-machine connections, we can say this system can access these ports, but nothing else can connect to it except for a group of admins.”
In terms of hours and costs saved, Konstantin notes a significant reduction in support tickets since the Linux Foundation adopted Tailscale. Their IT team also avoids wasting time and labor on “weird networking routing issues.”
“That's the primary benefit,” he shares. “We used to have ‘Don't touch networking on the following system’ alerts. But now, with end-to-end connections, I know that I can access this VM regardless of what's in front of it, as long as we've made sure that it's able to go out to Tailscale.”
Looking toward the future
As for the future, Konstantin and his team are happy with Tailscale and their current systems. “We're comfortable where we are,” he shares. “I keep an eye on everything that’s released. I read the monthly updates.”
As it stands, Konstantin is very content with how the Linux Foundation shares and accesses its resources.
“We're happy users of Tailscale. We're glad we adopted it, and it saved us a dramatic amount of time.”
Great organizations deserve great networking
The Linux Foundation didn’t settle for networking that was just getting them by. Tailscale is a convenient and easy-to-manage solution that allows smart teams to do great work with less hassle.