Real-world Tailscale business use case

Question

I've been reading about the different zero-trust networking solutions (Tailscale, Zerotier, Nebula), and they seem great with peer to peer networking, strong encryption, UDP hole punching, fine grained role based access control, and so on. Tailscale especially goes so far as implying that other authentication and authorization solutions have been obviated by this techonology by writing in their blog about previous generation networking solutions the following:"As a result, you end up having to add more layers of authentication, at the transport or application layers. Why do you need ssh or HTTPS? Because the network layer is too insecure to be trusted."Ok, I'm willing to accept that an encrypted mesh network is so secure that you need neither the secure part in SSH nor PAM servers taking care of authentication. But then, how does this work in practice? To reify the confusion, here's a concrete example:An organization uses Tailscale. There's 'server102' that is connected to the Tailscale network that all users of the `devops` team have access to. A new employee, Alice, joins the company. Sysadmins set up her SSO account, as well as makes her part of `devops` on Tailscale.Alice gets her company computer, sets it up, connects to Tailscale, fires up her shell, types in `ssh alice.p.hacker@server102`, presses Enter.What happens next?

e1g · Accepted Answer

I rolled out Tailscale for our network and loving it. "What happens next" is very well outlined in this article on their blog [1], and it's worth reading.
In my specific case, we were mainly on AWS and used Security Groups to control network access. "Allow SSH from these IPs, allow server connections between these EC2". This setup was fine for a small team, but the complexity grew exponentially. Alice just joined the company and started working from home with a dynamic IP - this messes up our allow-list based on static IPs. Then we started using Google Cloud, and guarding traffic between two VMs across two clouds is quite complex. Then we wanted to do automated deployments, so something from the outside needed to connect securely to our prod env.
Using Tailscale eliminated an entire category of complexity around identifying & securing inbound network connections, even if we ignore the NAT traversal magic. It's now a standard part of our stack, and I'm feeling a lot more in control of our network comms with minimal overheads - which is critical as we can focus on shipping instead of orchestrating.
[1] https://tailscale.com/blog/2021-05-life-of-a-packet/
edit: P.S. I picked Tailscale over the rest (Zero Tier / Nebula) because of a) the incredible strength of the team and b) funding + focus on the business. They have world-class talent and significant resources dedicated to this problem, so I believe they will make better progress over the next three years than the "best-effort" alternatives.

samlewis · Answer

Shameless plug but I was also interested in the magic behind these mesh networking tools, so I wrote my own toy version that was very much inspired by the tools you mentioned. I blogged about it here: https://www.samlewis.me/2021/07/creating-mesh-vpn-tool-for-f...The short answer to your question though is that the packets are sent over a secure tunnel.