Ask HN: Real-world Tailscale business use case
"As a result, you end up having to add more layers of authentication, at the transport or application layers. Why do you need ssh or HTTPS? Because the network layer is too insecure to be trusted."
Ok, I'm willing to accept that an encrypted mesh network is so secure that you need neither the secure part in SSH nor PAM servers taking care of authentication. But then, how does this work in practice? To reify the confusion, here's a concrete example:
An organization uses Tailscale. There's 'server102' that is connected to the Tailscale network that all users of the `devops` team have access to. A new employee, Alice, joins the company. Sysadmins set up her SSO account, as well as makes her part of `devops` on Tailscale.
Alice gets her company computer, sets it up, connects to Tailscale, fires up her shell, types in `ssh alice.p.hacker@server102`, presses Enter.
What happens next?
6 comments
[ 3.3 ms ] story [ 24.3 ms ] threadIn my specific case, we were mainly on AWS and used Security Groups to control network access. "Allow SSH from these IPs, allow server connections between these EC2". This setup was fine for a small team, but the complexity grew exponentially. Alice just joined the company and started working from home with a dynamic IP - this messes up our allow-list based on static IPs. Then we started using Google Cloud, and guarding traffic between two VMs across two clouds is quite complex. Then we wanted to do automated deployments, so something from the outside needed to connect securely to our prod env.
Using Tailscale eliminated an entire category of complexity around identifying & securing inbound network connections, even if we ignore the NAT traversal magic. It's now a standard part of our stack, and I'm feeling a lot more in control of our network comms with minimal overheads - which is critical as we can focus on shipping instead of orchestrating.
[1] https://tailscale.com/blog/2021-05-life-of-a-packet/
edit: P.S. I picked Tailscale over the rest (Zero Tier / Nebula) because of a) the incredible strength of the team and b) funding + focus on the business. They have world-class talent and significant resources dedicated to this problem, so I believe they will make better progress over the next three years than the "best-effort" alternatives.
In the above example, when Alice types `ssh alice.p.hacker@server102` and presses enter, is she now logged in? E.g., does tailscale takes care of having a user on the machine and assigning the known public key through some SAML/LDAP/PAM/sssd-ish magic?
Or does Alice gets 'access denied', then calls the sysadmins who still need to make a user for her on `server102`?
The second option would be understandable, but a bit of a bummer, as in that case the fancy RBAC rules have to be essentially recreated somewhere else for the application layer.
Tailscale allows Alice to merely connect to the IP/port, but whatever service is listening on that port still behaves as usual. So if you have an HTTP service that requires Basic auth, that's still required. If it's a MySQL server, still need an account there to login. If it's SSH, you still need a key/password - or whatever your SSH authentication mode is.
Think of Tailscale like a "jet bridge" securely connecting a bunch of buildings - you can use it to walk up to the front door safely (and Tailscale ACL controls traffic inside the tunnels), but to get inside you still need a key for that door (or whatever your auth method is).
Thanks!
The short answer to your question though is that the packets are sent over a secure tunnel.