Vancord CyberSound Podcast, Episode 124

Understanding Secure Business Networking with Tailscale’s VPN Solutions

Traditional VPNs can be complex, but Tailscale is changing the game. In this episode, Alex Kretzschmar, Head of Developer Relations at Tailscale, joins Jason Pufahl, Michael Grande, and Dylan Marquis to explore how Tailscale’s modern VPN solution simplifies secure remote access, enhances Zero Trust networking, and improves business security.

Tune in to learn how businesses can adopt a more secure and efficient networking approach without the hassle of traditional VPNs.


Episode Transcript

Narrator  00:02

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.


Jason Pufahl  00:12

Welcome to CyberSound. I’m your host, Jason Pufahl, joined again, fully virtually, by Michael Grande, and we have Dylan Marquis. Thanks, Dylan, for joining. Yeah, yeah. I mean, we’ve really adopted this platform a little bit, I think. Yeah, we’ll be back in the studio, no doubt, for some upcoming ones, but this has worked better than we anticipated. So, Alex, thanks for joining. Alex Kretzschmar, Head of Developer Relations for Tailscale, a product that we’ve fairly recently started to use, really, with only the last, maybe, you know, four or so months, I think. But we have been pretty keen on it for a variety of reasons. So before I talk about the why, maybe, Alex, if you want to spend a couple of minutes on your background, and, you know, really, what Tailscale is, and frankly, how you are different in a space that maybe traditionally hasn’t felt that different.

Alex Kretzschmar  01:07

Yeah. Well, hi, yes. My name is Alex. These days I live in Raleigh, North Carolina. I’m originally, of course, not from here. Perhaps you could tell: from London, originally, or just outside, anyway. I’ve been with Tailscale for a couple of years now. And the entire reason I got a job there was because I’m massively into self-hosting. So I like hosting things like a Plex Media Server at home, a Home Assistant. You know, anything that has a cloud subscription is fair game for me to try and host in my basement. And as such, being a purveyor of self-hosted technologies, connectivity is the bane of my existence. Like, how do I open as few ports in my firewall and allow people access to those services behind the firewall, ideally without transiting through some kind of a VPS or some other kind of bastion host or something like that? I want as few hops as possible with as much security as possible. So that’s why I ended up working at Tailscale a couple of years ago, because I do a podcast called the Self Hosted Podcast, and the people at Tailscale at the time were listeners, and they actually sponsored the show, funnily enough, and they said, come make YouTube videos for us about the stuff that you’re talking about on the show and, like, home labbing and all that kind of stuff. So that’s kind of how I got my start. But what really drew me to Tailscale as a user, this is sort of speaking before I had my, you know, Developer Relations hat on, was just how darn simple it was to get started. So within a couple of minutes, I can download an app on my phone and on, you know, it could be a Linux server, it could be a Windows computer, it could be a Mac, an Apple TV. Like, Tailscale runs on everything, and I could have these two devices talking to each other as if they were on the same LAN almost anywhere in the world, because Tailscale punches through network address translation, punches through NAT.
So typically, you know, you would get an IPv4 address on the public Internet, and you’d have to open ports in the firewall to allow connectivity to things behind that. But with Tailscale, it’s literally, I set aside a whole weekend to switch a couple of years ago, and I was done in about 15 minutes. And I was like, what do I do with the rest?

Jason Pufahl  03:18

Now, what do I do with myself? Okay, so I think we started talking about it. Dylan, you can let me know if this was the genesis. But, you know, we’ve been trying to figure out a little bit how to do some basic vulnerability scanning within clients in a way that didn’t require that we put, maybe, software in place and things like that. And I think that was maybe one of the first times or first places that we started to look for creative solutions around this. Is that fair?

Dylan Marquis  03:45

Yeah, we started to build something kind of along similar lines. Matter of fact, I looked up some white papers from Tailscale, and that was how I found out. I was trying to build out something custom. And really, we just kind of decided to make the jump, because things get more and more complicated as you kind of add components in. And we started looking at Tailscale. We had a conversation, and it was very productive, and we started integrating. And it just opened up a whole world for us: the software-defined networking, and the kind of options that you have to actually create and define rules and networking within the tailnet and within the inner network on the VPN, is just absolutely astounding, and we found more and more uses as we’ve gone along. So it’s really been a great experience.

Jason Pufahl  04:27

So do me a favor, hit on one or two. So I know obviously the vulnerability scanning one is the most familiar to me. I think we met with a client and we talked a little bit about the potential use to move sort of network traffic logs across a variety of different routed bodies that they had in a simpler way. But, you know, what are some creative ways people use this?

Dylan Marquis  04:50

I think, kind of touching on the vulnerability scanning and sort of where our initial use case was, was, you know, we spin up boxes for internal network penetration tests, kind of on the offensive side. And it was always, we have to kind of clear SSH through on the, you know, border firewall. And it sort of increases attack surface. We saw a lot of clients kind of misconfigure it and open it up more so than they should have. So there’s, you know, it was always a conversation making sure it wasn’t actually open, and kind of issues there. Sometimes clients can have external IT, and it takes time to kind of get them to open up firewall rules. So it’s always kind of what Alex said, you know, in terms of its ability to punch through NAT, the ability to just, you know, set something up, run a script on the box we need to connect to, and all of a sudden it’s like it’s adjacent to us. It’s really fantastic. Also the ability to set up fine-grained rules. So, you know, it’s identity-based. So we can say, you know, staff with machines with this tag can connect to machines with this tag. So it’s very nice and flexible, and it allows us to really get fine-grained and do micro-segmentation with our different types of machines that are connected to it.

Alex Kretzschmar  05:57

There are a bunch of other features I could drop in at this point too, along those lines. We have a feature called grants, which, by default, Tailscale is a deny-all environment. So when you’re creating those rules that Dylan was talking about, you can specify in the grants stanza, like a JSON file, you can configure all this stuff in, right down to the protocol level. So you can say all hosts that are tagged with a specific tag can only reach out to this specific subnet router across UDP, for example, so you’re just instantly blocking all TCP traffic just by virtue of it not being defined. And that model of being deny-all by default, it’s not zero trust, but it’s kind of in that same ballpark of you have to explicitly trust stuff on the tailnet in order to allow it. Because one of the things that people, I think, misunderstand potentially, is that because Tailscale is creating a mesh network between all of your devices, so each device connects directly to each other, no matter where it is in the world, you don’t need that hub and spoke, so you haven’t got that bottleneck that everything’s transiting. And what that means is that some people seem to think that that is like a huge security hole. Well, not if you’re creating a bunch of grants and a bunch of ACL rules to say, no, Alex can’t talk to production unless he changes to a specific user account or something like that. And there’s a bunch more stuff I could get into, but that’ll do for now, I think.

Dylan Marquis  07:43

And actually, to kind of add, Alex, you’re talking about stealth hosting, and that’s another use case that we’ve had. We’ve had services that don’t really need to be exposed to the internet, but we need engineers from, you know, anywhere, you know, from multiple different states, connecting to, you know, a scanner or to a specific service we’re hosting, so it allows us to take it offline and really reduce our attack surface overall. And so it’s been really fabulous for that.


Alex Kretzschmar  08:08

Something else that occurs to me as well is that because you’re doing direct device-to-device connections, you’re not terminating TLS at the load balancer and then re-encrypting it with your own local CA or anything like that. It’s literally encrypted end to end, over the direct WireGuard tunnel that gets created device to device. So that’s a huge security benefit too.

Michael Grande  08:30

Alex, you touched on some of the unique features, but are there any other primary differentiators between what Tailscale’s doing in this venue versus the competition?

Alex Kretzschmar  08:42

Well, we have a very generous free tier. I don’t know if that counts, but you can get started with 100 devices and three users for free. Obviously, if you are a company, your size, number of seats and your requirements, we have a sales team, tailscale.com/sales, I think, is the URL. But essentially, anybody can get started for free. There’s no credit card required or anything like that. So if the three of you wanted to spin it up at home, you could do so for free. That’s really nice. The thing is, I spend a lot of time at events, talking to people about answering the question, what is Tailscale? And the trouble is, it’s a different thing to each of you. So to the three of you, I’d have to give completely different answers, because you all need different things out of connectivity. Some people need the ability to audit those connections. Some people just need the connections to actually work, and then other people are looking to expose things from inside their network outside, using something called Tailscale Funnel as a way to do that too. Like, it really is just different strokes for different folks, and trying to answer that question is the bane of my existence, to be honest, because it’s such a broad spectrum of networking products.

Michael Grande  09:53

And it seems like the customer base has really expanded recently. Is there a primary driver of that?


Alex Kretzschmar  10:02

Well, I think it’s, you know, the hockey stick effect, as you start to gain traction with, you know, first it was 100 companies, and everybody was super happy about that, and then it was 1000, and then it was five thousand, and I think we just crossed 10,000 active paying.

Michael Grande  10:16

Congratulations.


Alex Kretzschmar  10:17

Yeah, thank you. With Tailscale. And that’s all down to the hard work of the leadership team, you know, making the right hires in engineering and, you know, all that kind of corporate stuff. You know, there’s a lot of people doing a lot of stuff and fixing a lot of bugs and just continually, I think Tailscale had the first mover advantage too. Like, we pretty much created this networking category that we are now leading. But also, I think it’s just being willing to listen to all sorts of inputs. A lot of companies, like, I used to work for an enterprise Linux company with hats of a certain shade of red, and God love them, they did amazing stuff for the open source community through Fedora and CentOS and things like that, but most of the stuff I ended up working on was pretty much exclusively customer related, paying customer related stuff. And this isn’t to say that Tailscale doesn’t do that, because they do, but they also somehow manage to balance those priorities of paying customers against what the free users need and want from the product. And a great example of that is the Apple TV app. So let’s say you want to, for some reason, take your Apple TV on holiday with you, and you’re in your hotel room, and you think, I wish I could just access my local TV station from where I am, just get the news or whatever, and they geo-block you for whatever reason.

Jason Pufahl  11:45

Or they nag you and tell you you’ve moved, right?

Alex Kretzschmar  11:48

I mean, you’re in Jamaica, sorry, you can’t watch the subscription you’re paying for in North Carolina. Fine. Well, with Tailscale’s Apple TV app, we had people asking for that functionality, so we built it, and now you can use an exit node in your house from your Apple TV in Jamaica to pretend you’re in North Carolina. You know, it’s just little things like that that we’ve seen. We’ve seen all the rough edges, because a lot of us at Tailscale are those types of nerds too. So we self-serve a lot of the stuff in the beginning, you know, to round those rough edges off, and as time goes by, eventually it just becomes a really, you know, nice product to use.

Jason Pufahl  12:27

You’ve already sold me, just the fact that I can actually, you know, go skiing and watch a recorded basketball game without it telling me, like, it looks like you’ve moved. Like, I’ve moved, it’s the same person.

Alex Kretzschmar  12:38

We try not to lean too much into that kind of geo-restriction, you know, circumvention stuff. But the reality is, if you know what you’re doing, you know you can make networks do a lot of fun stuff, but, you know, it can be useful for other more legitimate purposes too, like online banking. They can be really funny about where you log in from. So if I want all that traffic when I’m at the coffee shop to appear as if I’m at my house, I can do that in a couple of clicks.

Jason Pufahl  13:06

So one thing, well, I guess a couple of questions. You said you’ve just crossed the 10,000, I think, paying subscriber threshold. How long has Tailscale been around?

Alex Kretzschmar  13:20

Ooh, I believe it was founded just before the event in 2019, so…

Jason Pufahl  13:25

Okay.


Alex Kretzschmar  13:26

Fully remote company. We don’t have, I think, ostensibly, it’s registered in Toronto, but I don’t believe there’s even more than a PO box there. Everybody, including the CEO, is fully remote. From my perspective, it’s a fully remote company, and there are many people at Tailscale I’ve never even met in the real world, and everything just works. Because I think if you end up building a company that is hybrid from the beginning, everybody kind of gets it, but if you try and shoehorn it in later, the culture isn’t there, and a lot of the core systems aren’t there, whereas, you know, we’re fully remote and always have been. And, you know, for a networking company, that’s kind of a nice little notch on the bedpost, you know, so…

Jason Pufahl  14:09

You should. Yeah, hopefully you have no networking challenges, at least.

Alex Kretzschmar  14:12

Oh, well, I mean, I’d be lying if I said there was zero, but, you know.


Jason Pufahl  14:18

So, one thing that jumped out to me, though, is to move into what a business, what business customers care about. We deal a lot with regulatory compliance, CMMC being one of those. And as you spoke, it just felt like this is probably a really nice solution to some of those more challenging NIST 800-171 objective statements around whitelisting versus blacklisting and protecting connectivity in between confidential data hosts, things like that. What can you offer, or what can you sort of shed some light on, relative to implementations or use cases like that?

Alex Kretzschmar  15:01

Well, we don’t really care where your infrastructure is. So if you have a bunch of on-prem stuff, a bunch of stuff in AWS, a bunch of stuff in Azure, like, to us, it’s kind of irrelevant. There might be some stuff you’ve got to do with hard NAT, you know, to punch through some of the more secure environments that exist in those realms. But from our perspective, we are all about being the easiest way to connect those devices and services together. And as I’ve mentioned, those devices end up with a direct connection. So you end up with a lot more performance than a lot of standard VPN situations. And because it’s an identity-aware, like, sort of mesh fabric between all of these devices, we can do some really interesting stuff, like inspecting packet headers to determine the origin of those packets. And then it can say, oh, hey, that must have come from Alex’s device, I’m going to log you in. And we’ve got built-in SSO, you know, if you integrate it with OIDC. You can just integrate Tailscale directly with an OpenID Connect server, and you don’t need to have an external auth provider even. So there’s all the cool stuff there. Also network logs. We talked a little bit about logging earlier. You can actually use Tailscale to stream network logs around the place. So we don’t inspect the contents of the packets; as I mentioned, it’s end-to-end encrypted. But what we can do is tell you what’s flowing, where and how much, and, you know, so we’re looking at the data flows rather than the data contents, right?

Jason Pufahl  16:35

How do you feel, how technical? So we’re Tailscale partners. So if the answer is, hey, super technical, that’s okay with us. But, you know, what do you typically see as the level of technical expertise for somebody to utilize Tailscale? Do you really want to lean on somebody like us who has sort of that networking background? Do you see a lot of customers who have, you know, an IT person taking advantage of it?

Alex Kretzschmar  16:57

It takes all sorts, really. And you remember when I was talking about how Tailscale is different things to different people? I think this question really speaks to that. So let’s just take a really simple example. Let’s say I have a basic web service here that’s an audiobook server or something, just streaming basic files, right? And I want to give my mother access to that, and she lives in England, right? My mother is, God love her, she’s not a technical person, right? She is great at what she does, being a mum, but technical stuff, yeah. So I think to myself, well, what’s the easiest way to do this? And the easiest way is for her to download the Tailscale app from the App Store, sign up for an account, which takes a minute, and it’s completely free. I then share a node from my tailnet into her tailnet, and she types in the address I give her, and she’s done. I don’t have to open any ports. She doesn’t even have to really understand what’s going on. All she does is toggle the Tailscale button on her phone and then open the audiobook app, and she’s off to the races. That’s it. So I don’t think it really gets much easier than that when you’re talking about connectivity of stuff that is still running securely behind a firewall, like it’s not on the public internet at all, and, you know, giving it to the layperson. But if you want to get deep and technical and stuff like that, you can take a look at our documentation and some of the stuff we’ve got. Like, you can deny connections based on device posture. So let’s say you’ve got a fleet of iOS devices that you control through mobile device management, which version of iOS they’re running. You say, right, I only want to allow iOS 18.2 to connect to my tailnet. You can write a rule that’s as granular as that. You can say, don’t allow, or only allow, devices that are not iOS. So you could block all iPhones from TCP connectivity, you know.
So it can be really powerful if you need it to be, but it can also be incredibly simple if that’s what you need too.

Dylan Marquis  18:29

Yeah. Just to add a little bit, kind of, you know, this is someone that came into the Tailscale, you know, ecosystem, and sort of looking at it, you know, and has been learning it for the past few months. Definitely, without a doubt, there are some technical aspects to it, but, you know, for what you’re getting, which is micro-segmentation and, you know, zero trust networking, it’s very straightforward, and what you can do is very clear-cut and very well thought out. But the documentation is fantastic. You know, as Alex was talking about, the documentation is fantastic. It’s one of the things that really drew us to Tailscale initially, and as a company, they’ve been wonderfully receptive, very collaborative, you know, very interested in feedback. And, you know, it’s been a very good experience, kind of integrating it into things, and finding out the new possibilities for how we can kind of leverage it. But, you know, for the end goal of what you’re looking for, for, you know, really locking down services very specifically to, you know, identities or roles, you know, at a network level, only exposing exactly what’s needed for things to run, it’s really been fantastic. And again, for the benefit that you’re getting, you know, very straightforward and very clear-cut.

Jason Pufahl  18:59

Alex, anything that you were hoping to cover that we didn’t touch on today? Because I think we bounced around a bit.

Alex Kretzschmar  19:16

Well, yeah. I mean, I would just say, go take a look at tailscale.com/kb and have a look at all the cool stuff you can do there. A little plug for myself on YouTube: tailscale.com/- no, youtube.com/tailscale, whatever. You’ll find this beautiful face for radio over there. And we cover all sorts of stuff on the YouTube channel, from home lab all the way up to more exciting business cases and stuff like that. So we’ve got some fun stuff. Like, there’s a guy who’s building a drone boat, sailing it around the world using Tailscale for connectivity, with a setup using Starlink. And he’s getting direct connections to his drone boat through that traversal that we can do through Starlink. It’s just some pretty creative stuff. Yeah, it’s just a really fun place to work. You know, we get to see all sorts of wacky stuff. Let’s put it that way.

Jason Pufahl  21:11

I mean, certainly, you know, Dylan and Matt in particular have been really positive about all the interactions they’ve had. You know, I was looking forward to having you guys on because I know it is, honestly, right? The whole networking space, combined with how do I make things secure while keeping things open, comes up all the time for us, and so I figured it’d be valuable. Certainly, you know, I’d recommend anybody to look at the knowledge base, and that’ll give them a sense of places to start. But, you know, if there’s questions coming out of the podcast, you know, shoot something to, you know, to me, or to Dylan or Michael, or we can get, I’m sure we can get Alex back on. He’s got, like he said, he’s got the face for radio, so he’s ready to go, I have a feeling. And, you know, we’re always happy to answer questions that are ongoing. So if anybody has one, you know, let us know, and we’ll figure out how to deal with it. But, Alex, thanks for joining. I appreciate it, and you providing us an overview of what you do.

Alex Kretzschmar  22:06

Thank you for having me. It was a lot of fun.

Jason Pufahl  22:08

All right. All right, everybody, thank you.


Narrator  22:10

We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.
