Rolling Out Tailscale for Your Team

Rolling out a virtual private network (VPN) for your business shouldn’t be a daunting and cumbersome task. Tailscale is an easy-to-use VPN replacement, built on WireGuard that creates a peer-to-peer, mesh network requiring zero configuration. With the right planning, you can execute a cost-effective and seamless adoption of Tailscale rollout to improve your organization’s security.

In this article, you will learn more about Tailscale and how it secures your network connections, tips for rolling Tailscale rout across your organization, and must follow security best practices.

How does Tailscale work?

Tailscale is built on top of WireGuard®, which is one of the fastest and most secure VPN protocols available today. When Tailscale is installed on a device, it is automatically added to the private network with no configuration needed.

With traditional VPNs, users first connect to a VPN gateway server that then forwards the connection to the destination server. If many users are on the VPN at once, latency issues worsen due to this architecture. Setting up and maintaining a traditional VPN can also be complex as it requires extensive knowledge of network configuration, firewall setup, user management, and authentication.

Unlike traditional VPNs, Tailscale creates a peer-to-peer mesh network that consists of nodes, including servers and clients, all interconnected directly with each other. This means that Tailscale devices can communicate directly without the need for a gateway server, which improves performance and speed compared to traditional VPNs. Tailscale also eliminates the need for setting up complex networking configurations, setting firewall rules, or installing specialized software.

Tailscale secures access to your network by employing a series of zero-trust security controls such as all devices and users having to get authenticated and authorized before they are allowed to access the network. All traffic within the tailnet is encrypted, and every event is logged for improved compliance and security.

On the user privacy level, when you set up two-factor authentication (2FA) or multi-factor authentication (MFA) with your identity provider, Tailscale automatically uses it to authenticate users. This means Tailscale never stores your username and password information.

How to plan and execute your Tailscale rollout

With most of the technical complexity taken care of, you still need to plan and implement your Tailscale rollout. Here are some best practices to consider.

Assess your organization’s needs

The first thing to consider when planning a rollout is your organization’s needs. Identifying the most critical requirements for your team enables you to make an informed decision about how many licenses you will need and determine which plan is right for you. 

Consider the following in your assessment:

• The number of users who need to remotely access your network
• Which users need to access which systems, applications, and resources
• The systems, applications, and resources that need to be available on the network
• The type of devices and operating systems that need to connect to your network

Rollout Tailscale incrementally

Before attempting a wider rollout to your entire organization, consider running a test with a smaller group. It will familiarize your network admins with how Tailcale works, provide time to prepare your team for the new update, and help identify potential issues to resolve before implementing the wider rollout.

Start by identifying the key stakeholders for each team and invite them to participate in the trial run.

Next, identify which services and applications to test, whether those are remote workstations, testing servers, database servers, or internal systems installed on the company’s servers.

Lastly, decide on a time frame for this trial run based on the size of your team and the number of resources needed for remote access. It can range from a few weeks to a few months.

Once you start the testing phase, remember to collect feedback from the participants, address any concerns, and take note of what you’ll do differently during your wider rollout. The results of the testing phase will give you an indication of what a full rollout will be like so that you can be prepared.

Implement a wider rollout

Once you’re ready for your wider rollout, implement best practices right from the start to ensure the security of your network and make it easier to manage it.

Define ACLs

Access control lists (ACLs) are a set of rules that define the type of access allowed in your network. Tailscale’s ACL rules can define which users, groups, hosts, and devices can connect to each other.

ACLs allow you to easily control access to the devices in your network based on user identities instead of IP addresses. For example, you can set your ACL rules so that a software developer can access only the development environment and database servers while a DevOps engineer can access production servers.

All new networks are created with an allow “all access” policy by default, so it’s important to define your ACLs up front.

Use Groups and Tags in Your ACLs

Groups and tags are features that make the access management of your network much easier.

Groups let you assign ACL rules for sets of users. Instead of setting rules for each user individually, you can manage access based on the type of job people do. It makes managing onboarding, offboarding, and role changes much simpler.

While groups let you manage ACLs for users, tags help you to manage ACLs for the devices in your network. Instead of having to reconfigure devices when their users change, you can assign a tag to a device and use the tag to give a user or a group access to this device.

Enable MFA in your identity provider

Enabling 2FA or MFA is recommended since it adds an extra layer of security to prevent unwanted access to your network.

Tailscale doesn’t support signing up using an email and a password. Instead, it works on top of your existing identity provider (IdP) or single sign-on (SSO) provider. Tailscale supports a wide range of identity providers, including Google, GitHub, Microsoft, Okta, OneLogin, and many other custom OIDC providers.

Enable 2FA or MFA through your identity provider to have it automatically apply to Tailscale.

Monitor your events using webhooks

When a new device is added to your network or an update is made to your Tailscale policy file, you’ll want to know about it. A webhook is a way to get notifications when events like these happen in your network.

You can create webhook endpoints from your admin console and choose the notification events you want to subscribe to. The webhook endpoint could be something like a Slack channel or any app that offers webhook integration.

Conclusion

Rolling out Tailscale isn’t technically complex, but it’s important to keep best practices in mind. Start by assessing your organization’s needs, then run a test with a smaller group. When you’re ready to roll out to your wider team, start on the right foot by using ACLs, groups, and tags, enabling MFA, and monitoring network events with webhooks.

Tailscale is a peer-to-peer business VPN solution that can be seamlessly set up with zero configuration. By employing a zero-trust security policy, it ensures that all the connections are end-to-end encrypted and all devices and users are authenticated with each connection to the network.