I’m currently evaluating the possibility of using Tailscale for a similar setup, but even with ACLs in place I’m concerned about the always-online state of Tailscale as a means of accessing the prod network.
Having production machines constantly reachable invites mistakes by authorized users, or all-too-easy access from compromised client machines (which is probably the most likely attack vector anyway).
I was considering using the Tailscale API to dynamically set ACLs for limited time periods, but at that point why not just use a session-based VPN - especially considering that Tailscale API keys have a limited time validity and can only be renewed manually.
What are everybody’s opinions about using an always-on VPN for prod network access?
If you have serious data that you need to keep safe, you need to use applications and access mechanisms that are always authenticated anyway. Just because you’re on the VPN it doesn’t mean you should be able to drop tables or whatever – it’s just another perimeter layer. You should still be using SSH with hardware tokens, some kind of 2FA, etc. Your application components (internal services, databases, etc.) should ideally use mutual TLS authentication to communicate. At that point, VPN access isn’t magically equivalent to superuser access, it’s just a convenient way to not have to give everything a public IP.
Yeah, I share similar concerns, and it seems like some kind of ephemeral access would be a big boon here, à la Teleport. If Tailscale could bake something like that (short or time-based duration access) into their system it’d be pretty cool.
I didn’t see how this new setup, as good as it is (and it does appear to be a good setup), solves the initially stated issue of revoking employees’ OpenVPN certificates when they leave? The same would still have to happen here, albeit just with a more friendly web interface. Does Tailscale support integration with things like YubiKeys (or other similar devices)?
There is no “revoking” certs. We just deprovision their GSuite account and we’re done.
The great thing about Tailscale is that they do all authentication via external services like Google or even GitHub.
While you can easily forget to revoke a client cert (plus: certificate revocation is still tricky), you probably won’t forget to revoke GitHub org access.