Skip to content
2 min read

Zero-trust network

Tailscale: private services only exist for authenticated devices on the tailnet.

SecureMaintainablePrivate

Context / need

A self-hosted platform quickly accumulates sensitive services: administration dashboards, password manager, internal tools. Exposing them on the Internet behind a simple login means offering your attack surface to the Internet’s constant scanning. Roaming access is needed (travel, mobile) without ever publishing these services.

Constraints

Options considered

Decision & why

Tailscale as the private access plane. Every device is authenticated and a member of an encrypted mesh network, the tailnet. Private services are only routable there.

Defense in depth: even if a private service answered by mistake on the public edge, the tailscale-only Traefik middleware only accepts connections coming from the tailnet. A service’s exposure is declared in its configuration, independently of where it runs.

A subnet router extends access to equipment that cannot run the Tailscale client. Remote access then goes through an authenticated tailnet node rather than through direct exposure.

Accepted tradeoff

The control plane (coordination, identity) depends on a third party, Tailscale, and identity is backed by an SSO provider. Accepted compromise: traffic stays encrypted peer to peer, the third party does not see the data, and the self-managed alternative would cost a disproportionate operational burden for a single maintainer. If the situation changes, an exit path exists (Headscale, bare WireGuard).

Outcome

Public / private split (what answers to what)

Without topology details, the split rule is simple:

  • Public: client sites, and the only endpoints designed to receive external traffic, such as the Hub event ingest, rate-limited and authenticated.
  • Tailnet only: everything else. Dashboards, administration, internal tools, password manager.
  • Hybrid: a single service can expose a public part and a private part. The boundary is declared route by route at the edge (Reverse proxy & TLS).