How Mercari improved accessibility, security, and made VPNs simple with Tailscale

Based in Japan, Mercari is an online marketplace for preloved items, connecting buyers and sellers across the U.S. and Japan. With more than 20 million active monthly users, their mobile app allows users to sell and purchase everything from clothing, jewelry, and electronics to office and pet supplies.

As a remote company with offices in the U.S. and Japan, Mercari leverages Google Cloud Platform (GCP) to host their app, virtual machines (VMs), and large amounts of data. As a result, employees at Mercari need to securely access company resources — such as financial services platforms and third-party APIs — from approved IP addresses.

Hirotaka Nakajima is a senior software engineer at Mercari who first tried Tailscale on his home network, and Yohei Kanemaru is a software engineer on his team. They tell us that bringing Tailscale to Mercari was a game changer for the company.

“From our perspective, Tailscale is easy to use, which is the biggest benefit to us,” says Yohei.

Other VPN solutions were slow, unreliable, and required a lot of support

Prior to implementing Tailscale, Mercari used a traditional VPN solution, but they found it to be inadequate for many of their critical needs because it required users to constantly re-login, performed sluggishly, lacked the identity provider (IdP) support they needed, and didn’t include a mobile client.

Since Mercari is a large enterprise company with a mobile app, their QA engineers regularly need to perform tests using mobile devices. These tests also require a VPN connection to run against their test endpoint. Mercari’s old VPN didn’t have a mobile client, and their workaround required engineers to re-authenticate every time they turned the VPN off and back on, which they had to do frequently to perform their tests. This led to a lot of headaches and ultimately caused Mercari to search for a more scalable solution. Hiro notes, “QA engineers put this project as a high priority because VPN problems caused productivity issues for their use cases.”

Perhaps most notably, Mercari engineers were spending too much time troubleshooting VPN-related problems on a daily basis. All of this was a major drag on productivity, which only intensified when COVID-19 hit and most of Mercari’s 2,000+ employees transitioned to remote work. When that happened, Mercari found it difficult to scale their existing VPN to meet the increasing number of demands by employees requesting remote access to company resources.

Hiro evaluated several VPN solutions. He knew that WireGuard was fast and reliable, but he also wanted a solution that would give Mercari an easy way to manage users. While searching for a more scalable solution, Hiro discovered Tailscale, which is built on WireGuard, and put it to the test in his personal development environment — including a homelab and servers in multiple data centers. He was impressed with Tailscale’s functionality, including user management, built-in support for subnet routers, and not needing to switch the network on and off when he traveled. He was also running CI/CD for development using GitHub Actions, and he was concerned about accessing data center machines from GitHub Actions, but he quickly realized how easy it was using Tailscale. This was key to embracing Tailscale for a trial run at Mercari.

Satisfied that Tailscale was the solution he was looking for, Hiro pitched adopting it at Mercari. Since many of his colleagues on the network and platform teams were already familiar with the product, the decision to switch was a simple one.

Tailscale at Mercari: A simple and secure VPN with no support overhead

Shortly after implementing Tailscale and rolling it out to a significant portion of Mercari’s workforce, Hiro and his team noticed that the number of user-related VPN issues dropped from 1-2 per day with their old VPN to almost zero in the months since they started using Tailscale. This freed up significant bandwidth for more important priorities. “We used to suffer from all kinds of inquiries from users, but now we don’t have to deal with that. We can focus on maintaining and improving our infrastructure,” says Yohei.

Mercari also leverages Tailscale so that traffic to secure third-party systems, financial services platforms, and bank APIs originates from allowlisted IP addresses. They do this by running multiple Tailscale exit nodes in custom Google Cloud VMs. Employees with access to these exit nodes can securely reach internal company resources, and Mercari gains an additional layer of control: which employees may use these nodes is managed with device tags and Tailscale ACLs.
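To show what the tag-and-ACL control described above looks like in practice, here is an illustrative Tailscale policy file (HuJSON, the format the admin console accepts). It is an added example, not Mercari’s actual policy: the group names, the user addresses, and the tag name `tag:exit-node` are assumed placeholders. It grants one group the right to route traffic through the tagged exit nodes and limits who may administer those VMs.

```hujson
// Illustrative Tailscale policy file (HuJSON). Added example, not Mercari's
// real policy. Group names, e-mail addresses and the tag name are placeholders.
{
  // tagOwners controls who may apply a tag when bringing a node up with
  // `tailscale up --advertise-tags=tag:exit-node`. Only the infra group
  // can turn a VM into a tagged exit node.
  "tagOwners": {
    "tag:exit-node": ["group:infra"],
  },

  "groups": {
    "group:infra":   ["alice@example.com"],
    "group:finance": ["bob@example.com", "carol@example.com"],
  },

  // Once any rule is present, everything not listed here is denied.
  "acls": [
    // autogroup:internet is the destination that permits a node to send
    // traffic through an exit node; restricting src limits exit-node use
    // (and therefore the allowlisted egress IP) to the finance group.
    {
      "action": "accept",
      "src":    ["group:finance"],
      "dst":    ["autogroup:internet:*"],
    },
    // Infra may administer the exit-node VMs themselves over SSH only.
    {
      "action": "accept",
      "src":    ["group:infra"],
      "dst":    ["tag:exit-node:22"],
    },
  ],
}
```

On each Google Cloud VM the node is brought up with `tailscale up --advertise-exit-node --advertise-tags=tag:exit-node`, and an administrator approves it as an exit node in the admin console before clients can select it. Because the rule for `autogroup:internet` is the only path to the allowlisted addresses, reviewing that single `src` list is enough to audit who can present the approved IP to the bank APIs.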

“With our old VPN, we didn’t need to worry about infrastructure, but we did spend a lot of time worrying about client-side issues for our users. With Tailscale, we do need to maintain some infrastructure, but from an engineering perspective, that’s easy compared to the chaotic client-side issues we used to deal with.”

Hirotaka Nakajima, Senior Software Engineer

Hiro and Yohei also benefit from Tailscale’s SAML-based authentication, enabling them to manage and authenticate users with their identity provider, Okta.

Mercari’s conclusion: Tailscale is reliable, transparent, and easy to deploy

Engineers really enjoy being able to try software at home in their own environments before bringing it to work, and that’s exactly what Hiro did before rolling out Tailscale at Mercari. And this is just the beginning for Mercari and Tailscale, as Hiro points out: “There are also some use cases not yet deployed that other teams want to use Tailscale for — such as CI/CD, branch-to-branch communication, and controlling traffic between devices on our tailnet.”

Mercari engineers also appreciate Tailscale’s straightforward pricing and open source development. “Pricing is transparent and easy to estimate… and development is very fast. Also, we like being able to create an issue on GitHub,” says Hiro. But above all, Hiro and Yohei love Tailscale’s reliability and how easy it is to run exit nodes, implement SSO, and manage their private network. “It’s like magic,” says Yohei.