
Tailscale: A Virtual Private Network for Zero Trust Security

3 Jan 2022 4:00am, by

Well before launching their company, the founders of Tailscale knew what they wanted to accomplish: give developers small, trusted, human-scale networks to work in, with devices and applications of everyone on that network accessible to each other, and only to each other.

Which is, of course, what virtual private networks (VPNs) are supposed to do. But problems with VPN security had already emerged before the pandemic. Since then, the big jump in remote work sparked by lockdowns has only revealed just how vulnerable they can be.

Even enterprise-grade VPNs are riddled with security problems. In fact, a Zscaler survey of cybersecurity pros found that 93% of organizations still use VPNs even though they know these services have become a target for cybercriminals.

Consequently, two-thirds of businesses are looking at alternatives to traditional VPNs for remote access. And because of growing VPN-related security risks, 72% are focusing on adopting zero trust security practices.

So along with co-founders Chief Technology Officer David Crawshaw and Chief Operating Officer David Carney, CEO Avery Pennarun wanted to give developers a secure, scalable alternative to traditional VPNs.

“Our big vision is to help developers be reasonable about scale,” said Pennarun, a former Google engineer. Although the big tech companies’ influence has prompted many enterprises to build everything for maximum scale, “the long tail of software development is mostly small projects used by small groups,” he said. “The way you design for a billion users is very different from how you design for fewer users, even for a million users.”

That meant creating small-scale networks that don’t require developers to get tangled up in security concerns or fixing overhead problems so they can spend their time on developing. The company’s guiding principles include “Small is beautiful” and “It has to ‘just work.’”

Human-Scale Private Networks

Once upon a time, the interconnected networks comprising the Internet included the kind of small, trusted, human-scale networks Tailscale provides. Many of these connected users with private, distributed peer-to-peer communications, in an early vision of what the Internet could become.

Eventually, these small networks and larger ones were interconnected in the public Internet that now includes potentially everyone around the globe. But security concerns about malware beginning in the 1990s that led to setting up firewalls everywhere have meant that peer-to-peer connections across the public Internet simply aren’t possible anymore.

Firewalls everywhere also came with the need to spend lots more employee time on security. To create small, trusted, distributed networks like developer teams need, “You either run stuff on a LAN and people can’t reach it remotely, or you run it on the public Internet and spend all this time locking it down,” said Pennarun.

The traditional security model of a VPN protected by firewalls has been called the “castle” approach. It’s problematic because, once attackers breach the perimeter, everything inside it — network, devices and applications — may become compromised.

This model is often contrasted with the zero trust security model now gaining ground throughout industry and the federal government. Instead of the old assumption that anyone on the network has the right to be there — “trust but don’t verify” — zero trust requires the opposite assumption of “never trust, always verify.”

Technically, Tailscale’s VPN service is a zero-trust network. But Pennarun doesn’t like that term because it’s phrased negatively. “What people want is to be able to trust,” he said. “In a small network of humans or computers, if you can establish trust between them then most security problems will go away. Your small group of humans is a lot less dangerous than billions of potential attackers on the open internet.”

Developers Need to Build Small

Today, only cloud providers have public IP addresses that aren’t behind firewalls. “Even if you’re running your service for only 10 people, you still have to host it on the public Internet, and then you have to figure out how to secure it,” said Pennarun. “The point of Tailscale is to skip all that.”

When the founders looked at how developers work, they discovered that most of their time is spent not on solving customer problems, but on obstacles in the development environment, such as infrastructure problems and unnecessary complexity. “For example, Kubernetes scales infinitely, but if I don’t need to run on 1,000 machines, I don’t need to scale,” said Pennarun. “And developing on Kubernetes is incredibly complex.”

Their answer was to create a developer infrastructure company so developers can build small projects, in large and small teams, that serve “customer groups that are smaller than everyone on the internet,” said Pennarun. “Let’s make it easy to build and run simple things so you can then move on to the harder parts when you really need to.”

The idea is to scale the systems, not the overhead involved in securing them or in coping with hassles in the development environment.

According to the Tailscale website, “Developers can use Tailscale for publishing experimental services to their team without the hassle of configuring firewall rules and network configurations.”

Of course, enterprises and businesses can also use the service for remote access by employees working from home, or to reduce the complexity of internal networks.

Direct, Distributed Connections

Unlike traditional, hub-and-spoke VPN network architectures that send network traffic through a central gateway, Tailscale creates a peer-to-peer mesh network. This mesh topology connects each device to every other device directly.

A hub-and-spoke architecture is simpler than a mesh, but it has some downsides: higher latency for remote users, no direct connections between individual nodes, harder scaling, and a central gateway that is a single point of failure capable of taking down the entire network.

In contrast, a peer-to-peer mesh network results in lower latency and higher throughput and eliminates the need to manually configure port forwarding. It also allows for connection migration: existing connections are maintained even when switching to a different network, such as from WiFi to wired.

The idea of mesh VPNs has been around for a while, mostly for niche uses. But the advent of cloud-based infrastructure coupled with the rise in remote workers has made organizations take a closer look at them, wrote senior writer Lucian Constantin in CSO Online.

To enable encrypted, point-to-point, mesh connections, Tailscale’s service is built on top of the open source WireGuard Layer 3 Secure VPN protocol.

WireGuard is known for its use of state-of-the-art cryptography; VPN connections are made using simple public keys. It’s easier by far to configure than other solutions, only requiring a few lines of code. The entire codebase constitutes only around 4,000 lines compared to more than 100,000 for OpenVPN.
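The two points above, that a mesh has no single point of failure and that WireGuard identifies peers by nothing more than a public key, can be made concrete. The following is an added example, not code from Tailscale, WireGuard or the article: a pure-Python X25519 (Curve25519, RFC 7748) key exchange of the kind WireGuard peers use, a generator that hands every node a `[Peer]` entry for every other node (the key-distribution job a coordination server does for a full mesh), and a reachability check that compares a hub-and-spoke star with a mesh when one node goes down. The node names, tailnet addresses and `build_mesh_configs`/`reachable_pairs` helpers are constructed for the example; the real WireGuard handshake is the Noise IK pattern with ephemeral keys on top of these static ones, which is not shown here.

```python
# Added example (not Tailscale's or WireGuard's own code): X25519 key agreement
# per RFC 7748, full-mesh peer-list generation, and a star-vs-mesh resilience check.
import base64
import os
from itertools import combinations

P = 2**255 - 19           # Curve25519 field prime
A24 = 121665              # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 scalar clamping applied to every private key before use."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5. Demonstration only:
    Python big integers are not constant-time, so never use this in production."""
    k = _clamp(scalar)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair() -> tuple[str, str]:
    """Return (private, public) as the base64 strings WireGuard configs carry."""
    priv = os.urandom(32)
    pub = x25519(priv, BASEPOINT)
    return base64.b64encode(priv).decode(), base64.b64encode(pub).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> str:
    """Static-static DH between two peers; both sides must derive the same value."""
    out = x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))
    return base64.b64encode(out).decode()


def build_mesh_configs(nodes: dict[str, tuple[str, str]]) -> dict[str, str]:
    """nodes maps name -> (tailnet_ip, public_key). Each node receives a [Peer]
    block for every other node: n-1 entries, the minimal full-mesh configuration."""
    configs = {}
    for name, (ip, _) in nodes.items():
        lines = ["[Interface]", f"Address = {ip}/32"]
        for peer, (peer_ip, peer_pub) in nodes.items():
            if peer != name:
                lines += ["", "[Peer]", f"PublicKey = {peer_pub}", f"AllowedIPs = {peer_ip}/32"]
        configs[name] = "\n".join(lines)
    return configs


def star_edges(hub: str, spokes: list[str]) -> set[frozenset]:
    return {frozenset((hub, s)) for s in spokes}


def mesh_edges(nodes: list[str]) -> set[frozenset]:
    return {frozenset(p) for p in combinations(nodes, 2)}


def reachable_pairs(nodes: list[str], edges: set[frozenset], failed: str) -> int:
    """Count surviving node pairs that can still reach each other after `failed` dies."""
    alive = [n for n in nodes if n != failed]
    live = {e for e in edges if failed not in e}
    count = 0
    for a, b in combinations(alive, 2):
        seen, stack = {a}, [a]
        while stack:
            cur = stack.pop()
            for e in live:
                if cur in e:
                    nxt = next(iter(e - {cur}))
                    if nxt not in seen:
                        seen.add(nxt)
                        stack.append(nxt)
        count += b in seen
    return count


if __name__ == "__main__":
    # Constructed three-node tailnet; 100.64.0.0/10 is the CGNAT range Tailscale uses.
    keys = {n: generate_keypair() for n in ("laptop", "build-box", "pi")}
    ips = {"laptop": "100.64.0.1", "build-box": "100.64.0.2", "pi": "100.64.0.3"}
    for cfg in build_mesh_configs({n: (ips[n], keys[n][1]) for n in keys}).values():
        print(cfg, "\n")
    names = ["hub", "laptop", "build-box", "pi"]
    print("star, hub down:", reachable_pairs(names, star_edges("hub", names[1:]), "hub"))
    print("mesh, hub down:", reachable_pairs(names, mesh_edges(names), "hub"))
```

Running it prints three configs of four lines per peer and then `star, hub down: 0` against `mesh, hub down: 3`: once the gateway of a star is gone no spoke can reach another, while the mesh keeps every remaining pair connected. Each peer block is only a public key plus the addresses it is allowed to source, which is the "few lines" the article refers to.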

The simplest way to install Tailscale is to download it and install it on two devices, which are then connected, said Pennarun. As the home page on Tailscale’s website describes it, the service is “A secure network that just works. Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere.”

“Yes, users have to trust that Tailscale itself will do the right thing, that in providing this service and software we’ll take on the overhead of making sure our whole system and supply chain is secure,” said Pennarun. “But if you trust us, then we create a secure network where it doesn’t matter so much whether or not the rest of your software is secure because we’ve kept bad people out in the first place.”

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Tailscale.