The IT admin’s guide to optimizing management of the company VPN
Administering a business VPN has often been a time-intensive undertaking for companies — but it doesn’t have to be that way. In this article, we explore some common challenges IT professionals face managing the company network, and how Tailscale can help.
IT professionals responsible for managing the company VPN — or, in many cases, multiple VPNs — know all too well how user management and network performance challenges can consume a disproportionate amount of IT’s resources. They lack automated processes for tasks such as onboarding new employees and effectively segmenting access to infrastructure resources. These ineffective management processes can compound the impact of mistakes and, consequently, potentially compromise your company’s security posture — especially in this era of widespread remote work and bring-your-own-device policies.
Challenges with VPN user management
Whether you’re an IT specialist at a lean startup or at a large enterprise managing thousands of users, VPN user management is typically a never-ending manual process of onboarding and offboarding users, managing user roles, updating permissions, and more.
Tailscale is a reliable and low-maintenance VPN that doesn’t require admins to configure firewall ports, and offers a suite of features that streamline and simplify many of the challenges organizations are experiencing every day. Let’s break them down.
Inviting new users to your network
For admins managing their company’s VPN, the process of getting new users connected is often a laborious process involving downloading multiple software clients, key management, manual permission configurations, and more.
With Tailscale, new employees are able to join their companies’ network (known as a tailnet) just by signing in using their company email address.
To make the process even simpler for employees, Tailscale allows admins to send users an invitation to join the appropriate network for their role and department. The email they receive comes with a link to get them started; there’s no need for a separate set of credentials to manage. The user invitation feature also allows admins to send multiple invites at once and track the status of each one.
User approval
If your security policies don’t allow new users to join the network automatically, or you just want to maintain more control over who can join, you can use Tailscale’s user approval feature. When user approval is enabled, the first time a user logs in to Tailscale, they are put in a “pending” state, which allows admins to easily identify the request and approve or remove the user as appropriate. Users who have been sent an invite to join a tailnet, however, are approved automatically — there’s no need for any additional action on the part of network administrators.
Defining and changing user roles
By adopting principles of identity and access management across your network, users can access only those resources they need to do their jobs, and no more. Tailscale’s user roles help you implement such least privilege safeguards by allowing admins to scope what users can, and cannot, do in the admin console.
For example, a user with the Owner role has complete authority to make any changes whatsoever to a tailnet, whereas a user with the IT Admin role can manage users and devices, but not make changes to the tailnet configuration or DNS settings.
When employees in the company move into a new role or to a different team, adjusting their level of permissions to reflect their new responsibilities is as simple as changing their user role in the Users tab of the admin console.
Provisioning access
Provisioning users’ access to the company VPN can be an incredibly time-consuming task, fraught with opportunities for error. Tweaking settings on users’ devices, verifying a user’s identity, and troubleshooting problems can quickly commandeer hours of the IT department’s time.
Tailscale provisions access via popular identity providers (IdPs) including Google, Microsoft AD, GitHub, and Okta, as well as custom OpenID Connect (OIDC)-compliant providers. Because you can leverage your current IdP, all new users need to do to get started is download the client on their device, install it, and sign in with their company email address. This makes the process easy for users and minimizes the time IT has to spend troubleshooting.
Network access controls (ACLs)
User roles are a powerful feature, but IT admins often need more granular control for granting permissions. With traditional VPNs, this process can involve complex and time-consuming manual configurations.
Fine-tuning access controls can be accomplished in Tailscale simply by editing the access rules directly in the admin console or through the Tailscale API via a single HuJSON file. ACLs are distributed to all devices in your tailnet and are enforced on each device directly. Tags allow you to further refine permissions by assigning an identity to a device itself based on its function.
Removing and suspending users
Offboarding users when they leave the company, whether temporarily or permanently, is one of the most critical functions of user management: Doing it wrong represents a serious potential security risk by allowing previous employees to retain access to sensitive data. Tailscale centralizes the offboarding process in the admin console; there, you can either temporarily suspend or permanently delete users you no longer want to have access to your tailnet.
Suspending a user — when they go on leave, for example — temporarily disables their devices from your tailnet, prevents them from adding any new devices, and prevents their API access tokens and auth keys from working. These holds are easily reversed by using the Restore user option, also via the admin console.
Deleting a user does just that — revokes all their access permanently. All of it. Specifically, it deletes all their devices and removes their keys from the coordination server to block any future requests from those devices.
Exporting a list of tailnet users or devices
If you need a list of users or devices on your tailnet for auditing purposes, you can quickly export one from the admin console. Lists are exported in comma-separated values (CSV) format for easy importing into a spreadsheet.
For a more in-depth look at how IT can manage users with Tailscale, please see our knowledge base article on managing users.
Performance considerations with corporate VPN management
Besides user management, other common challenges with managing a corporate VPN revolve around the performance of the network itself.
Disconnecting and reconnecting
Employees, especially remote workers, can find themselves in any number of scenarios that cause them to lose connectivity to the company network. This could include things as seemingly benign as closing a laptop for a coffee break, or a period of inactivity sending the computer into sleep mode. For remote users on the go, switching between Wi-Fi networks, or between Wi-Fi and cellular connections, or even a poor cell signal, can cause the VPN to disconnect.
To get back into the network after a disconnection, typically a VPN will force users to log back in and reauthenticate. There might be sound security-related reasons for this requirement, but the disruption causes lost productivity — and a whole lot of aggravation. A better solution would be to prevent unintentional disconnections in the first place.
Because it’s built on top of WireGuard®, Tailscale remains connected even when a device itself temporarily disconnects, and Tailscale lets you seamlessly jump between networks with no disconnection at all. If you want a device to disconnect under certain circumstances for security reasons, Tailscale gives you options for that, including the ability to configure a time period (from one to 180 days) after which users must reauthenticate.
Performance and latency
Even when the network is up and running normally, sluggish VPN performance caused by latency can take a toll on employees’ productivity and morale. Twiddling your thumbs while you wait for something to load is a terrible use of anyone’s time.
Problems with latency can typically be traced to issues with network traffic congestion or physical distance separating users from the resources they need to access. Tailscale’s peer-to-peer mesh network reduces traffic congestion by allowing endpoints to communicate directly with each other, instead of being routed through a central bastion host or other network gatekeeper. Because data flows directly point-to-point, latency is as low as it can get.
Tailscale also hosts a network of DERP servers distributed around the globe as a fallback for those instances when a true peer-to-peer connection isn’t possible. The DERP servers forward your already-encrypted packets, meaning they are as secure as Tailscale’s mesh network, and your tailnet automatically chooses the DERP server that is geographically closest to you to keep latency to a minimum.
For a more in-depth look into the reliability of Tailscale, please see the Reliability section of our VPN reviewers guide.
Wrapping up
Problems with managing a company’s users and network performance can create a significant tech debt and a seemingly endless stream of support tickets for IT support teams. Simplifying the company VPN management process with Tailscale reduces both.
Download Tailscale today and give it a spin — it’s free for up to three users.
FAQs
What are some of the challenges of VPN user management?
Managing users with a typical VPN often involves complicated and time-consuming manual work to get new users onto the network, provision and control their level of access, track changes to their level of permissions as they are promoted or move to a different role, and, when the time comes, to suspend or delete their access altogether. Automating these functions whenever possible can save time and help prevent errors that could jeopardize security.
What are some challenges associated with managing network performance?
Network performance has a direct impact on one of your most important resources: time. When a device unnecessarily or unexpectedly disconnects from the network, end users must often go through reauthentication, causing lost productivity and frustration. And if the VPN itself is lethargic due to high latency, end users can experience disruptions and squander time when trying to access the resources they need to do their work.
