Tailscale
Recently I have been extremely interested in the concept of SASE networking (I really don’t like the name and the way it’s pronounced - “sassy”, but I digress), which stands for Secure Access Service Edge - Wikipedia. Almost every vendor defines this differently, but in my mind the main point is that the traditional network model of having a “corporate network”, with a firewall and forcing everything you can to go through that corporate network in order to remain “secure” is dead, and that there should be (and is) a better way to secure things with modern technology.
To me it’s clear that the future of networking is more of a mesh or a fabric of interconnected networks, services, and devices, connected with the principles of Zero Trust (another buzzword that has tons of different meanings, but the concept is really solid. I wrote a little bit about this here - Zero Trust). This allows people to be a lot more flexible with how they are connecting to the services that they need, while remaining more secure than ever by adding Access Control, Device Posture, Strong Authentication, and more, regardless of where or how you are connecting. I believe this trend was inevitable even pre-pandemic, but the sudden rush to work from home dramatically accelerated the need to redefine the traditional network.
I will write a series of blogs on different SASE technologies that I am experimenting with, and what I like and don’t like about them, as well as expanding more on what I see as the future of the technology, but I don’t want to go too far down that rabbit hole in this post.
Mesh Point to Point VPN
One of the worst parts of the “traditional network” is using VPN’s. If you’ve ever used one, you know what I mean. If you’ve ever had to configure and maintain one, your blood pressure might go up just with the mention of the term VPN. VPN stands for Virtual Private Network, and in short, it’s a way to securely connect to a traditional network remotely. While the technology itself is definitely secure, and it still has it’s place (for now), it’s extremely difficult to make it a good experience, and it’s often extremely onerous and often really flaky.
This makes VPN technology ripe for disruption by SASE network methodology. Since SASE is largely a marketing term that doesn’t actually mean anything specifically, I’ll mention it as a concept, but I mostly mean a more modern and flexible way to accomplish the same tasks as a VPN. In other words, take the traditional “castle and moat” network model, and build more flexible and more direct tunnels to the actual services that you need while not exposing everything on the network. It also should be possible to make it easy to connect to AND more secure.
One of the solutions I’ve been experimenting with and testing to solve the VPN issue is called Tailscale. Put simply, Tailscale creates a point to point VPN (I hesitate to even call it a VPN, honestly, but it’s currently probably the best term for it). This makes it easy to connect to only the things that you need, and nothing else. It’s also point to point, unlike many other solutions, so it does not run through servers hosted elsewhere.
How do you use it?
To get started with Tailcale, all you really need to do is install it on any of your endpoints that you want to be part of your network, and then authenticate them to your account. By the way, it’s free for personal use, for one user up to 20 devices.
Once authenticated, each endpoint is given a Tailscale IP, which you can see by opening the Tailscale app on your own computer or phone. Simply hit that Tailscale IP when you are trying to connect to that service, and you can connect to it from anywhere.
For authentication, you can use all sorts of SSO providers, such as Google, Microsoft, etc. so you don’t need to keep track of another password. Using one of these methods, it will also comply with your 2FA requirements from that service, which is an added benefit of using SSO.
If you just want a few connections and want it to act like you’re on the same network wherever you are, then you’re pretty much done. You can SSH in to any computer that is connected, or use Remote Desktop, SMB file sharing, etc. You can also set it up to be an Exit Node on your Tailscale network, if you want to run all network traffic through one of the endpoints (although this is getting back to being a traditional VPN, sometimes that may still be necessary).
Currently in beta, there is a feature called Magic DNS which allows you to actually use the hostnames of the devices connected to the network rather than needing to use the DNS names for everything.
Conclusion
Of all of the solutions I will blog about, Tailscale is arguably not really part of what “SASE” is strictly speaking, because has a fairly limited scope of coverage, however in my personal definition of what the future of networking will look like, a better VPN solution is high priority.
Regardless, Tailscale seems to be a really great solution for the use cases that it fulfills. I have been using it to access my home iMac for some time now and it does a great job. Also, one of my favorite parts is that they have a Synology app that you can install right on your Synology and access it from anywhere as well. The other solutions I will talk about later typically require that you relay their service through a local computer, since they don’t offer native Synology apps or services.
They have recently been adding (in beta) other features that sit on top of the service, such as Taildrop, which lets you use the built in macOS share sheet to take a file and just send it to another device on your Tailscale network. I have experimented with this a bit and it seems to work really well. I’m excited to see what other features they layer on top of the Tailscale service as this continues to grow.