[basch]

Tailscale isnt a deny first, allow based on role/condition type product. Tailscale creates the equivalent of a wide open lan (it has other isolation options but that kind of control based on the identity of the person on the network, isnt its intended goal) where everyone connected can see everyone else.

[philsnow]

From what little I know of both, Tailscale provides L2 access into a network that you might not otherwise have access and once you're in you can get anywhere from there, but Boundary hands out individual, already-connected TCP sockets directly to services running on endpoints.

If you're looking for something like a VPN and you're just going to SSH over it, either would probably work for you, but while Boundary can allow users to only connect to port 22 on certain hosts, I think if you wanted to do similar with Tailscale you'd be in iptables/ufw and "tagging / authz-ing traffic with unix uids" territory.

[lifty]

Tailscale is based on wireguard, so only does L3.