deploying-tailscale-for-zero-trust-vpn

What this skill does

# Deploying Tailscale for Zero Trust VPN

## Overview

Tailscale is a zero trust mesh VPN built on WireGuard that creates encrypted peer-to-peer connections between devices without requiring traditional VPN servers or complex network configuration. Every connection in a Tailscale network (tailnet) is end-to-end encrypted using WireGuard's Noise protocol framework with Curve25519 key exchange. Tailscale implements zero trust networking by authenticating every connection request through identity providers, enforcing granular Access Control Lists (ACLs), and supporting features like exit nodes, subnet routers, MagicDNS, and Tailscale SSH. For organizations preferring self-hosted infrastructure, Headscale provides an open-source implementation of the Tailscale control server.


## When to Use

- When deploying or configuring deploying tailscale for zero trust vpn capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Identity provider (Okta, Azure AD, Google Workspace, GitHub, or OIDC-compatible)
- Devices running supported OS (Linux, Windows, macOS, iOS, Android, FreeBSD)
- Administrative access to configure DNS and firewall rules
- Understanding of WireGuard protocol fundamentals
- Network planning documentation for subnet routing requirements

## Architecture

```
                    Tailscale Coordination Server
                    (or self-hosted Headscale)
                           |
                    Key Distribution
                    & NAT Traversal
                           |
         +-----------------+-----------------+
         |                 |                 |
    +----+----+      +----+----+      +----+----+
    | Node A  |<---->| Node B  |<---->| Node C  |
    | (Linux) |      | (macOS) |      |(Windows)|
    +---------+      +---------+      +---------+
    WireGuard         WireGuard        WireGuard
    Encrypted         Encrypted        Encrypted
    P2P Tunnel        P2P Tunnel       P2P Tunnel

    Each node connects directly to every other node.
    DERP relay servers used only when direct P2P fails.
```

## Installation and Setup

### Linux Installation

```bash
# Add Tailscale repository and install
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale and authenticate
sudo tailscale up

# Check connection status
tailscale status

# View assigned IP address
tailscale ip -4
tailscale ip -6
```

### Windows / macOS Installation

```bash
# Windows: Download from https://tailscale.com/download/windows
# macOS: Install via Homebrew
brew install --cask tailscale

# Or download from https://tailscale.com/download/mac
```

### Docker Deployment

```yaml
# docker-compose.yml for Tailscale sidecar
version: '3.8'
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: my-service
    environment:
      - TS_AUTHKEY=tskey-auth-xxxxx  # Pre-auth key
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_EXTRA_ARGS=--advertise-tags=tag:container
    volumes:
      - tailscale-state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped

volumes:
  tailscale-state:
```

### Kubernetes Deployment

```yaml
# Tailscale operator for Kubernetes
apiVersion: v1
kind: Secret
metadata:
  name: tailscale-auth
  namespace: tailscale
type: Opaque
stringData:
  TS_AUTHKEY: "tskey-auth-xxxxx"
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tailscale
  namespace: tailscale
spec:
  selector:
    matchLabels:
      app: tailscale
  template:
    metadata:
      labels:
        app: tailscale
    spec:
      containers:
      - name: tailscale
        image: tailscale/tailscale:latest
        env:
        - name: TS_AUTHKEY
          valueFrom:
            secretKeyRef:
              name: tailscale-auth
              key: TS_AUTHKEY
        - name: TS_KUBE_SECRET
          value: tailscale-state
        - name: TS_USERSPACE
          value: "true"
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]
```

## Access Control Lists (ACLs)

Tailscale ACLs define who can access what within your tailnet using a declarative JSON format. The default policy is deny-all, making it zero trust by design.

```json
{
  "acls": [
    // Engineering team can access development servers
    {
      "action": "accept",
      "src": ["group:engineering"],
      "dst": ["tag:dev-server:*"]
    },
    // SRE team can access production infrastructure
    {
      "action": "accept",
      "src": ["group:sre"],
      "dst": ["tag:production:22,443,8080"]
    },
    // Database access restricted to backend services
    {
      "action": "accept",
      "src": ["tag:backend"],
      "dst": ["tag:database:5432,3306,27017"]
    },
    // All employees can access internal tools
    {
      "action": "accept",
      "src": ["group:employees"],
      "dst": ["tag:internal-tools:443"]
    }
  ],

  "groups": {
    "group:engineering": ["[email protected]", "[email protected]"],
    "group:sre": ["[email protected]", "[email protected]"],
    "group:employees": ["autogroup:members"]
  },

  "tagOwners": {
    "tag:dev-server": ["group:engineering"],
    "tag:production": ["group:sre"],
    "tag:backend": ["group:sre"],
    "tag:database": ["group:sre"],
    "tag:internal-tools": ["group:sre"],
    "tag:container": ["group:sre"]
  },

  "ssh": [
    {
      "action": "check",
      "src": ["group:sre"],
      "dst": ["tag:production"],
      "users": ["root", "admin"]
    },
    {
      "action": "accept",
      "src": ["group:engineering"],
      "dst": ["tag:dev-server"],
      "users": ["autogroup:nonroot"]
    }
  ],

  "nodeAttrs": [
    {
      "target": ["autogroup:members"],
      "attr": ["funnel:deny"]
    }
  ]
}
```

## Exit Nodes and Subnet Routing

### Configure Exit Node

```bash
# On the exit node machine
sudo tailscale up --advertise-exit-node

# On the client machine, use the exit node
sudo tailscale up --exit-node=<exit-node-ip>

# Verify exit node routing
curl ifconfig.me  # Should show exit node's public IP
```

### Subnet Router Configuration

```bash
# Advertise local subnets through Tailscale
sudo tailscale up --advertise-routes=10.0.0.0/24,192.168.1.0/24

# Enable IP forwarding on Linux
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Accept routes on client
sudo tailscale up --accept-routes
```

## Tailscale SSH (Zero Trust SSH)

Tailscale SSH replaces traditional SSH key management with identity-based access.

```bash
# Enable Tailscale SSH on a server
sudo tailscale up --ssh

# Connect using Tailscale SSH (no SSH keys needed)
ssh user@hostname  # Authenticates via Tailscale identity

# Session recording (audit logging)
# Configure in ACL policy:
# "ssh": [{"action": "check", "src": [...], "dst": [...], "users": [...]}]
# "check" action requires re-authentication and records sessions
```

## MagicDNS Configuration

```bash
# MagicDNS is enabled by default in new tailnets
# Access devices by hostname instead of IP
ping my-server  # Resolves via MagicDNS

# Custom DNS configuration via admin console
# Split DNS: route specific domains to internal DNS servers
# Global nameservers: override default DNS resolution
```

## Self-Hosted with Headscale

```bash
# Install Headscale (open-source Tailscale control server)
wget https://github.com/juanfont/headscale/releases/latest/download/headscale_linux_amd64
chmod +x headscale_linux_amd64
sudo mv headscale_linux_amd64 /usr/local/bin/headscale

# Create configuration
sudo mkdir -p /etc/headscale
sudo headscale generate config > /etc/headscale/config.yaml

# Edit config for your environment
# Key settings:
#   server_url: https://headscale.example.c