Remote Access for Remote Teams: Securely Connecting Distributed Workforces with SSH and VPN
This article explores how you can use SSH and VPN to securely connect distributed workforces—and how Tailscale can get you there quicker.
Implementing effective remote workflows can be challenging: how can you open remote access to systems without introducing security issues or creating friction for developers?
SSH has been the standard protocol for securely connecting to remote systems for decades, but configuring safe and compliant team access to multiple machines and resources is hard. SSH lacks integrated central management capabilities, preventing you from easily setting and changing access controls, authentication requirements, and audit mechanisms.
In this article, we’ll explore how you can securely connect distributed workforces using VPNs while still retaining the benefits of SSH. You’ll learn how Tailscale lets you easily connect to any of your devices with zero configuration.
Why Use a Remote Access Solution?
Remote work doesn’t work without good tools for remote access, collaboration, and sharing. Even if your team members are distributed around the world, they need to collaborate on projects, files, and infrastructure that reside in centralized systems.
For your workers to be productive, access must be as straightforward as possible. Simultaneously, robust security protections are paramount. Remote working without proper controls inevitably increases the risk that a security incident will occur; for example, employees could use compromised devices or connect from insecure networks.
You can try to assemble your own remote access solution using technologies such as SSH, which enables shell sessions and file transfers. But these aren’t designed for today’s remote working practices. Exposing an SSH server on each machine is labor-intensive and creates an attractive target for attackers. Managing access to each resource requires the clunky distribution of SSH keys.
Dedicated VPN-based remote access solutions like Tailscale address these concerns.
Creating a private, encrypted overlay network for your devices facilitates secure access from anywhere, even if the physical network you’re using has been compromised. Devices within your overlay network can auto-discover each other, while the network management plane provides powerful features such as integration with existing identity providers and MFA solutions.
It’s a simple experience for end users—who can simply join the network and then access shared resources such as servers and databases—while offering administrators full oversight.
Using Tailscale to Securely Connect Engineering Teams
Tailscale is an enterprise-grade private networking solution. It joins your devices into a software-defined overlay network that uses the WireGuard VPN tunneling protocol.
Tailscale provides a cohesive remote working experience for your team. Remote workers can install Tailscale on their devices to then access the other machines within your network. Those machines will appear as network devices with auto-assigned IP addresses and host names.
Easy to Deploy
Tailscale is quick and easy to deploy. While many other VPN solutions force you to make complex changes to your operating system settings, Tailscale only requires that you download the client application and log in on each device. The network that Tailscale creates is referred to as your tailnet.
Once it’s running, Tailscale assigns your device a stable IP address that you can reach from any of the other devices in your tailnet, regardless of the physical network that each endpoint is connected to.
The ease of deployment makes Tailscale an ideal solution for distributed workforces. The zero-config experience means it’s even suitable for nontechnical team members who might struggle to manually configure other VPN solutions.
Supports Multiple Operating Systems
Alternative VPN tools often have limited cross-platform functionality that proves restrictive as your team scales. If you can’t join all your devices to your network, some connections will depend on direct routes that could be insecure on public networks.
Tailscale works on all major operating systems, though: Windows, macOS, Linux, Android, and iOS. Additional integrations allow you to join your cloud assets to your tailnet too, including workloads in AWS, GCP, Azure, DigitalOcean, and Kubernetes.
This universality ensures Tailscale can support all your team members, irrespective of their personal device preferences. It also accommodates hybrid cloud workflows where you use a combination of on-premise and public cloud infrastructure. With Tailscale, users in your tailnet can access your cloud inventory as easily as your other physical devices.
Secure End-to-End Tunneling
Tailscale’s VPN functionality is implemented using the WireGuard protocol. WireGuard is fast, secure, and purpose-built to support modern VPN systems. It uses cutting-edge cryptography—including ChaCha20 symmetric encryption—to keep your data private as it moves across the internet.
Because Tailscale is built on top of WireGuard, it inherits the same strong security protections and point-to-point encryption. Devices communicate in your tailnet by tunneling directly to each other, preventing snooping and interception.
DIY remote access approaches using SSH or legacy VPNs can be cumbersome to configure for security. You may have to modify your network routers, firewalls, and switches to open your communication tunnels.
Tailscale handles this complexity for you, automatically figuring out the best way to route between your devices without requiring any manual configuration. If your devices have internet access, they should be able to reach each other from wherever they are.
This has clear benefits for connecting distributed workforces. You might not know which physical networks your workers will use, which makes it challenging to keep router and firewall settings updated. Tailscale ensures users can always connect to the other resources in your tailnet.
Control User Access with ACLs
Maintaining correct authorization and access controls is a critical part of modern systems security, especially when remote work is involved. Improperly secured remote access increases the opportunities for credentials to be lost or stolen—if a privileged account is affected, attackers could gain far-reaching capabilities.
Traditional VPNs are often lacking in this regard. Meshing all your devices into a single network is inadequate if you can’t control which devices can actually talk to each other. A developer may reasonably require access to your staging server, for example, but won’t necessarily need to interact with production.
Tailscale includes built-in access control list (ACL) functionality that solves this challenge. ACLs are created as simple rules in a JSON file that control which users and devices can connect to each other. Tailscale prevents unauthorized connections from occurring, ensuring that users can’t access off-limits resources.
Tailscale ACLs are automatically distributed to your devices by your network’s control plane layer. Rules are enforced by each device with no dependency on the Tailscale servers. When you change your ACLs, they’ll be redistributed across your tailnet. By default, Tailscale allows all your devices to freely communicate with each other, so defining your ACLs should be the first step you take after installation.
Tailscale uses your existing identity provider to handle user authentication. Users can log in with their existing account from services such as Google and Microsoft, ensuring your organization’s existing authentication constraints, including multi-factor authentication, have been met.
Built-In SSH Support
Remote engineering teams will inevitably require SSH access to interact with servers and diagnose problems. Tailscale includes built-in SSH support that allows you to connect to any of the devices in your tailnet.
Tailscale runs its own SSH server separately from the standard SSH server you may deploy to individual devices. Users can access SSH without requiring keys to be manually distributed between devices. This cuts the overheads associated with SSH management, particularly for large workforces where many users need to share a resource. Copying users’ public keys onto servers is clunky; it also creates the risk of users retaining access after they leave your organization unless administrators remember to manually remove the key from the server.
Because Tailscale SSH is fully integrated with the rest of your tailnet, you can use ACLs to control which users have SSH access into each of your devices. You can mandate reauthentication before an SSH session begins and use session recording to inspect which commands are being run by users. This produces a convenient remote access solution that facilitates safe remote work without the risk of security oversights that regular SSH incurs.
Simple Central Management
All of Tailscale’s features—including ACLs and SSH—can be centrally managed by administrators using the admin console, CLI, or API. Changes are automatically distributed across your tailnet.
Administrators can easily reconfigure the network with new devices, DNS rules, ACLs, and other capabilities without having to manually modify each device’s settings. This reduces the burden on admins, makes it quicker and easier to provision new devices and users, and promotes auditability by allowing you to track changes to your network’s configuration.
Tailscale also supports infrastructure-as-code (IaC) management via Terraform. You could define your Tailscale settings as code in a source repository, then automatically roll out changes using a CI/CD pipeline-based approach.
Besides making it easier for others to contribute to revisions, IaC-powered management also facilitates quick rollbacks to earlier configurations and creates more opportunities to detect errors as you write and review your Terraform files.
Conclusion: Use a Remote Access Solution to Connect Your Workforce
Remote working is popular, but without dedicated tools and processes, you will struggle to connect distributed workforces efficiently and securely.
Tailscale is a secure, easy-to-use, zero-configuration remote access solution that’s designed to support modern engineering workflows. With Tailscale, you can join all your devices to a private network, authenticate with your existing identity provider, centrally manage access controls, and use SSH to access your infrastructure components.
This means you and your workers can access private and shared resources on any device, from anywhere, with constant end-to-end encryption. Ready to try it out? Download Tailscale on your devices to get started for free.
