Once upon a time, besides the star-endpoint network model, many small networks used a peer-to-peer (P2P) model. You may recall it from such network operating systems as LANtastic and Windows for Workgroups. Now, new company Tailscale is taking that old idea and adding the new open-source WireGuard Virtual Private Network (VPN) to create a new kind of secure P2P mesh network for the computers and containers of the 21st century.
David Crawshaw, co-founder of Tailscale, has fond memories of working with this old-school network architecture in the 90s. He used NetWare when he was a kid growing up in Northern Australia. So, he decided to see if its virtues couldn't be recreated in today's very different network world.
Why? Because Crawshaw argues we can use lightweight WireGuard-powered VPNs to recreate that easy-to-use, easy-to-program network world. Specifically, with it, we can:
- Use the global internet identity system of your choice for authentication, and do cryptographic authorization at the IP level.
- Rely on keys that are generated and rotated for you automatically.
- Map people directly to unspoofable IP addresses.
- Run custom servers on your network, with access limited to the people on that network.
- Protect your data with the simple yet powerful social dynamics of small groups.
WireGuard works well with the switch-endpoint or hub-and-spoke network model. But Tailscale's developers realized that, since WireGuard can create extremely lightweight secure tunnels, it could also be used in a mesh architecture to create a new kind of virtual network. This kind of mesh is not the same thing as the popular Wi-Fi mesh networks.
With WireGuard's extremely lightweight tunnels, Tailscale can build networks in which every node connects securely to every other node. True, a full mesh across a 10-node local area network (LAN) means each node maintains nine WireGuard peer entries, 90 in all (45 distinct node pairs). But WireGuard is light enough on system and network resources that you can run that many connections without giving up speed.
To secure such a network, Tailscale uses its open-source node program. This talks to what Tailscale calls a "coordination server," such as login.tailscale.com. This is essentially a shared Dropbox for public keys, and logging into it is protected by two-factor authentication (2FA).
Tailscale doesn't handle 2FA itself. Instead, it outsources authentication to an OAuth2, OIDC (OpenID Connect), or SAML provider. So, for example, you could use Okta, Active Directory, G Suite, or Office 365 authentication to log into a Tailscale mesh network.
Within this network, each node generates a random public/private keypair for itself and associates the public key with its identity. The node contacts the coordination server and leaves its public key, a note about where that node can currently be found, and what domain it's in.
At the same time, it downloads the list of public keys and addresses in its domain that other nodes have left on the coordination server. The node then configures its WireGuard instance with that set of public keys as peers.
The private key never leaves its node. This matters because the private key is the only thing that could be used to impersonate that node when negotiating a WireGuard session. As a result, only that node can encrypt packets addressed from itself, or decrypt packets addressed to itself; the coordination server handles public keys and addresses, never the traffic. That is what Tailscale means when it says node connections are end-to-end encrypted, a property it files under "zero-trust networking." One caveat worth keeping in mind: the coordination server still decides which public keys each node receives, so the identity-provider login and 2FA described above are what keep an outsider's key out of your mesh.
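To make the key-exchange flow above concrete, here is an added example written for this article; it is not Tailscale's code, and the coordination server, node names, domains, and RFC 5737 documentation addresses are all constructed for the demonstration. Each node generates a Curve25519 keypair with Go's standard library (the same curve WireGuard uses), uploads only the public half plus its endpoint and domain, downloads the other public keys in its domain, renders them as WireGuard peer entries, and derives a shared secret that only the two holders of the matching private keys can compute. A node in a different domain never sees the others' keys.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sort"
)

// Registration is everything a node leaves on the coordination server:
// public key, current endpoint and domain. The private key is never part of it.
type Registration struct {
	Name, Domain, Endpoint string
	PubKey                 []byte // 32-byte X25519 public key
}

// CoordServer is a hypothetical, in-memory stand-in for login.tailscale.com:
// a shared drop box of public keys, indexed by domain.
type CoordServer struct {
	nodes map[string]map[string]Registration // domain -> node name -> registration
}

func NewCoordServer() *CoordServer {
	return &CoordServer{nodes: map[string]map[string]Registration{}}
}

// Register stores or refreshes a node's public key and endpoint.
func (c *CoordServer) Register(r Registration) {
	if c.nodes[r.Domain] == nil {
		c.nodes[r.Domain] = map[string]Registration{}
	}
	c.nodes[r.Domain][r.Name] = r
}

// Peers returns every other node registered in the same domain, sorted by name.
func (c *CoordServer) Peers(domain, self string) []Registration {
	var out []Registration
	for name, r := range c.nodes[domain] {
		if name != self {
			out = append(out, r)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// Node owns the one secret that never leaves the machine: its private key.
type Node struct {
	Name, Domain, Endpoint string
	priv                   *ecdh.PrivateKey
}

// NewNode generates a fresh Curve25519 keypair.
func NewNode(name, domain, endpoint string) (*Node, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{Name: name, Domain: domain, Endpoint: endpoint, priv: priv}, nil
}

// Announce uploads only the public half of the keypair plus the node's endpoint.
func (n *Node) Announce(c *CoordServer) {
	c.Register(Registration{n.Name, n.Domain, n.Endpoint, n.priv.PublicKey().Bytes()})
}

// PeerConfig renders the [Peer] sections the node would hand to WireGuard.
func (n *Node) PeerConfig(c *CoordServer) string {
	var cfg string
	for _, p := range c.Peers(n.Domain, n.Name) {
		cfg += fmt.Sprintf("[Peer] # %s\nPublicKey = %s\nEndpoint = %s\n\n",
			p.Name, base64.StdEncoding.EncodeToString(p.PubKey), p.Endpoint)
	}
	return cfg
}

// SharedSecret runs X25519 with a peer's public key, the operation the
// WireGuard handshake builds on. Only the holder of n.priv can compute it.
func (n *Node) SharedSecret(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return n.priv.ECDH(pub)
}

func main() {
	srv := NewCoordServer()
	// Constructed nodes; addresses are RFC 5737 documentation ranges, ports arbitrary.
	alice, _ := NewNode("alice", "example.com", "198.51.100.10:41641")
	bob, _ := NewNode("bob", "example.com", "198.51.100.20:41641")
	zed, _ := NewNode("zed", "other.org", "203.0.113.7:41641")
	for _, n := range []*Node{alice, bob, zed} {
		n.Announce(srv)
	}
	fmt.Print(alice.PeerConfig(srv)) // lists bob only; zed is in another domain
}
```

The design point to notice is what the server never holds: `Registration` has no private-key field, so compromising the drop box yields public keys and endpoints, not the ability to impersonate a node. What the server can do is choose which registrations to return, which is why the login in front of it matters.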
To get the network to work whether a node is in a home office, company HQ, or a coffee shop, Tailscale uses the Session Traversal Utilities for NAT (STUN) and Interactive Connectivity Establishment (ICE) standards to discover each node's public address and punch through network address translation. This also lets a Tailscale virtual network sidestep firewall reconfiguration and public-facing open ports.
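What STUN actually hands a node is its own public ip:port as seen from outside the NAT, which is the "where that node can currently be found" note it then leaves on the coordination server. The following is an added example for this article, not code from Tailscale: it builds an RFC 5389 Binding Request as a node would send it, then parses the XOR-MAPPED-ADDRESS attribute out of a Binding Response. Because there is no STUN server to talk to offline, the response is constructed locally with a helper; the address 203.0.113.5:51820 is a documentation address chosen for the example. The parser also checks the transaction ID, which is the one thing that stops a stale or spoofed reply from being accepted.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	stunMagicCookie   = 0x2112A442
	bindingRequest    = 0x0001
	bindingSuccess    = 0x0101
	attrXORMappedAddr = 0x0020
)

// BuildBindingRequest builds the 20-byte STUN Binding Request (no attributes)
// with a fresh 96-bit transaction ID that the reply must echo.
func BuildBindingRequest() ([]byte, [12]byte, error) {
	var txID [12]byte
	if _, err := rand.Read(txID[:]); err != nil {
		return nil, txID, err
	}
	msg := make([]byte, 20)
	binary.BigEndian.PutUint16(msg[0:2], bindingRequest)
	binary.BigEndian.PutUint16(msg[2:4], 0) // attribute length
	binary.BigEndian.PutUint32(msg[4:8], stunMagicCookie)
	copy(msg[8:], txID[:])
	return msg, txID, nil
}

// BuildBindingResponse fakes the server side so the example runs offline:
// the observed IPv4 source address is XORed with the magic cookie (RFC 5389 15.2).
func BuildBindingResponse(txID [12]byte, ip net.IP, port uint16) []byte {
	ip4, cookie := ip.To4(), []byte{0x21, 0x12, 0xA4, 0x42}
	attr := make([]byte, 12)
	binary.BigEndian.PutUint16(attr[0:2], attrXORMappedAddr)
	binary.BigEndian.PutUint16(attr[2:4], 8) // reserved(1)+family(1)+port(2)+ipv4(4)
	attr[5] = 0x01                            // family: IPv4
	binary.BigEndian.PutUint16(attr[6:8], port^uint16(stunMagicCookie>>16))
	for i := range cookie {
		attr[8+i] = ip4[i] ^ cookie[i]
	}
	msg := make([]byte, 20)
	binary.BigEndian.PutUint16(msg[0:2], bindingSuccess)
	binary.BigEndian.PutUint16(msg[2:4], uint16(len(attr)))
	binary.BigEndian.PutUint32(msg[4:8], stunMagicCookie)
	copy(msg[8:], txID[:])
	return append(msg, attr...)
}

// ParseMappedAddress validates the reply against our transaction ID and
// decodes XOR-MAPPED-ADDRESS into the public ip:port the NAT assigned us.
func ParseMappedAddress(resp []byte, txID [12]byte) (net.IP, uint16, error) {
	if len(resp) < 20 {
		return nil, 0, errors.New("stun: short message")
	}
	if binary.BigEndian.Uint16(resp[0:2]) != bindingSuccess {
		return nil, 0, errors.New("stun: not a binding success response")
	}
	if binary.BigEndian.Uint32(resp[4:8]) != stunMagicCookie {
		return nil, 0, errors.New("stun: bad magic cookie")
	}
	if !bytes.Equal(resp[8:20], txID[:]) {
		return nil, 0, errors.New("stun: transaction ID mismatch (stale or spoofed reply)")
	}
	bodyLen := int(binary.BigEndian.Uint16(resp[2:4]))
	if len(resp) < 20+bodyLen {
		return nil, 0, errors.New("stun: truncated attributes")
	}
	body := resp[20 : 20+bodyLen]
	for len(body) >= 4 {
		typ := binary.BigEndian.Uint16(body[0:2])
		l := int(binary.BigEndian.Uint16(body[2:4]))
		if len(body) < 4+l {
			return nil, 0, errors.New("stun: truncated attribute")
		}
		val := body[4 : 4+l]
		if typ == attrXORMappedAddr && l >= 8 && val[1] == 0x01 {
			port := binary.BigEndian.Uint16(val[2:4]) ^ uint16(stunMagicCookie>>16)
			ip := make(net.IP, 4)
			for i := range ip {
				ip[i] = val[4+i] ^ resp[4+i] // undo XOR with the magic cookie bytes
			}
			return ip, port, nil
		}
		next := 4 + ((l + 3) &^ 3) // attributes are padded to 4-byte boundaries
		if next > len(body) {
			next = len(body)
		}
		body = body[next:]
	}
	return nil, 0, errors.New("stun: no XOR-MAPPED-ADDRESS attribute")
}

func main() {
	req, txID, _ := BuildBindingRequest()
	resp := BuildBindingResponse(txID, net.ParseIP("203.0.113.5"), 51820) // offline stand-in
	ip, port, err := ParseMappedAddress(resp, txID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sent %d-byte request; NAT maps us to %s:%d\n", len(req), ip, port)
}
```

In real use the request goes out over the same UDP socket WireGuard will use, so the mapping the server reports is the one peers must send to; ICE is the layer that tries each candidate address pair until one works.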
Of course, Tailscale can be used for more than revisiting and restoring an old networking model. It can also be used to secure, for example, Docker container networks.
David Carney, Tailscale co-founder, announced the program's general availability:
"We handle key management and NAT [Network address translation] traversal, making it easy to deploy WireGuard, which is responsible for the transport and security. Everything scales nicely because it's a mesh; there aren't any VPN gateways or bottlenecks to worry about. In short, it just works and is exactly what you want from something so fundamental to your infrastructure."
So, how well does that work in practice? And what will you be able to do with it? Let's find out. You can sign up for a free, personal Tailscale account, which can handle up to 100 nodes. It's currently available for Linux, iOS, macOS, Windows, Raspberry Pi, and other ARM-powered devices. It will be available on Android shortly.
I think this is a fascinating network approach and I think it deserves a long, hard look by anyone wanting to explore new-old ways of using an easy-to-secure virtual network.