Secure remote access for work from home or remote employees
Remote and work-from-home employees need access to on-premises and in-office resources without being physically on-site. Tailscale connects them using subnet routers to expose corporate networks, exit nodes to tunnel all traffic through a corporate gateway, and access control policies to define who can reach what.
Route all traffic through a corporate gateway
Employees working from untrusted networks, or subject to compliance policies that require all traffic to route through the corporate network, need more than just access to specific resources. Exit nodes route all of a device's internet traffic through a designated node on your network, acting as a complete VPN replacement. Unlike subnet routers, which expose specific network ranges, an exit node captures all outbound traffic.
- Configure a device on your corporate network to advertise itself as an exit node.
- Allow the exit node from the admin console.
- Configure remote employee devices to use the exit node through their Tailscale client.
- (Optional) Use system policies to require Tailscale to always run on employee devices and to prevent employees from disabling it.
Once configured, all internet traffic from those devices routes through the exit node, securing their connection regardless of what network they're on.
Connect to your corporate network
Some resources like file servers, internal apps, and databases can't have Tailscale installed directly. A subnet router runs Tailscale on a device within your corporate network and advertises routes to the surrounding subnet, giving remote employees access to those resources without requiring Tailscale on each one.
- Install Tailscale on a device within your corporate network that will act as the gateway.
- Advertise the subnet routes from that device.
- Enable the advertised routes from the admin console.
- Add access rules for the subnet.
- (Optional) Set up high availability so that your subnet router is not a single point of failure for connectivity.
Remote employees can then reach any resource on that subnet through the tailnet without any additional configuration on those devices.
Limit access by group and role
Access control policies ensure remote employees can only reach the resources relevant to their role, preventing lateral movement across your network. Use groups, tags, and grants to define these boundaries, such as allowing access to different environments by group or routing traffic through exit nodes based on location.
- Open the Access controls page of the admin console to manage your tailnet policy file.
- Define a group and associate it with users.

  ```json
  { "groups": { "group:remote": ["alice@example.com"] } }
  ```

  In this example, a "Remote" (`remote`) group is created.
- Define a tag and associate it with devices.

  ```json
  { "tagOwners": { "tag:internal-tools": ["autogroup:admin"] } }
  ```

  In this example, an "Internal Tools" (`internal-tools`) tag is created.
- Define a grant and associate groups with tags.

  ```json
  { "grants": [ { "src": ["group:remote"], "dst": ["tag:internal-tools"], "ip": ["*"] } ] }
  ```
autogroup:shared can be a useful selector for contractors joining your tailnet.
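The following is an added example (not taken from this guide or from Tailscale's own documentation) that combines the three steps above into one tailnet policy file and adds grants for the subnet router and exit node sections. The user addresses, the `10.20.0.0/24` office range, the `tag:subnet-router` and `tag:exit-node` names, and the port choices are constructed assumptions; the policy file format is HuJSON, so comments are allowed.

```json
{
  // Groups: who counts as a remote employee and who administers the network
  // (constructed example users).
  "groups": {
    "group:remote": ["alice@example.com", "bob@example.com"],
    "group:it-admins": ["carol@example.com"]
  },
  // Tags: which devices are internal tools, subnet routers, and exit nodes.
  // Restricting tagOwners to admins stops an ordinary user from tagging their
  // own laptop into a privileged role.
  "tagOwners": {
    "tag:internal-tools": ["autogroup:admin"],
    "tag:subnet-router": ["autogroup:admin"],
    "tag:exit-node": ["autogroup:admin"]
  },
  "grants": [
    // Remote employees reach internal tools, but only over HTTPS rather than "*".
    {
      "src": ["group:remote"],
      "dst": ["tag:internal-tools"],
      "ip": ["tcp:443"]
    },
    // Remote employees reach the office subnet advertised by the subnet router
    // (constructed range), limited to the file share and an internal app port.
    {
      "src": ["group:remote"],
      "dst": ["10.20.0.0/24"],
      "ip": ["tcp:445", "tcp:8443"]
    },
    // Remote employees may send all internet traffic through an exit node;
    // autogroup:internet is the destination that permits exit node use.
    {
      "src": ["group:remote"],
      "dst": ["autogroup:internet"],
      "ip": ["*"]
    },
    // IT admins get full access to every tagged device for maintenance.
    {
      "src": ["group:it-admins"],
      "dst": ["tag:internal-tools", "tag:subnet-router", "tag:exit-node"],
      "ip": ["*"]
    }
  ]
}
```

Because grants are default-deny, a remote employee in this policy cannot reach the subnet router or exit node devices themselves, only the routes and internet access they provide.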