If my enterprise network managers could buy a Tailscale Box, they'd readily consider it. As-is, this is a bit far-fetched relative to their current modus operandi -- `Advanced corporate VPNs like Tailscale can abolish concentrators completely: every server can run Tailscale directly, and individual clients can form point-to-point connections to each server it needs to talk to.`
Anyone figured out how to bridge the gap from legacy here?
Yes - you run one or more Tailscale subnet routers instead of your existing concentrators, then slowly migrate to running Tailscale directly from new deployments at your convenience.
Running a subnet router is a matter of installing the Tailscale package on a server and authorizing it to route traffic to certain subnets over Tailscale.
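What that subnet-router step looks like on a Linux host, as an added example that is not from this thread or from Tailscale's own tooling. It assumes the tailscale package is installed, the host is run as root for the apply step, and the advertised routes are approved separately in the admin console (or by an autoApprovers ACL rule), so the router cannot enable new routes on its own.

```shell
#!/bin/sh
# Added example: bring up a Linux host as a Tailscale subnet router for the
# legacy subnets behind it. Assumes the `tailscale` CLI is on PATH.
set -e

# Accept only plain IPv4 CIDRs (a.b.c.d/n). A typo must not quietly advertise
# the wrong range, and 0.0.0.0/0 is refused: that would make the host an exit
# node rather than a subnet router.
validate_cidr() {
    case "$1" in
        0.0.0.0/0) return 1 ;;
        */*/*|*[!0-9./]*|*/|/*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; plen=${1#*/}
    [ "$plen" -ge 0 ] && [ "$plen" -le 32 ] || return 1
    # Split the address on '.' and check for exactly four octets <= 255.
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Join the validated subnets into the single argument `tailscale up` expects.
build_advertise_arg() {
    routes=""
    for c in "$@"; do
        validate_cidr "$c" || { echo "rejected CIDR: $c" >&2; return 1; }
        routes="${routes:+$routes,}$c"
    done
    echo "--advertise-routes=$routes"
}

# The kernel must forward packets between the tailnet interface and the LAN.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv6.conf.all.forwarding=1
}

# Usage: ./subnet-router.sh apply 10.10.0.0/24 10.20.0.0/24
# Routes stay inactive until an admin approves them for this node.
if [ "${1:-}" = "apply" ]; then
    shift
    arg=$(build_advertise_arg "$@")
    enable_forwarding
    tailscale up "$arg"
fi
```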
It's an entirely different set of teams who run anything "on a server". Besides the gap in teams or legacy demarcations of responsibility, their next disqualifier is having to think about maintaining a server. At best, the network team has just barely automated their switches & routers with Ansible. The VPN concentrators are treated as a black box. And NetEng seem to prefer to stay within that box!
Maybe we're just not normal? (UK/EMEA, public company)
(I wrote the article.) You're not that unusual, we just haven’t had time to address that use case directly yet. I expect an ecosystem of MSPs may arise to offer physical boxes, or some such thing, since the tailscale client is open source. (Or you could buy a Synology with tailscale on it I suppose!)
Many companies just run tailscale in a VM to replace their physical VPN concentrator boxes.
If someone pointedly asked me this in a meeting, my off-the-cuff response would be "bastion hosts, probably".
If the named service completely integrates with whatever access control a company uses (RADIUS, SAP, whatever) then there shouldn't be any reason to not use this in lieu of concentrators. At least you lose that bottleneck and point of failure. For larger and more geographically disparate companies, I could see this being an even better proposition, but only because this is merely the second time I've seen Tailscale at all.
All I know is I've used WireGuard recently, and it took me a few tries to get it to do what I wanted. A decade ago I was trying to get some corporate VPN software working on Gentoo, and I managed to cobble enough correct settings to get it working, too. I don't wish that on any user.
I loathe setting up a dialer to connect to a VPN, and even worse is the third-party app "SSL VPN" junk - most of the ones we've tried just lose settings on my computers, to the point where dark fiber seems like a better investment of my time.