[nehalem]

Big fan of Tailscale, yet I wonder whether it wouldn’t be better to make internal services securely available over the internet (zero trust rather than castle-and-moat). On the other hand, the former might be just to expensive for smaller organisations.

[Everlag]

nebula[0] may be interesting; you can allow list connectivity for specific groups, all burned into the cert used to join the network. It uses some NAT hole punching orchestration to accomplish connectivity between hosts without opening ports.

The main painful thing I've found has been cert management. PKI, as usual, is not a solved problem.

I've managed to do some fun stuff using salt + nebula on the hobby side.

[0] https://github.com/slackhq/nebula

[willnorris]

I forgot to add a link to our recent announcement blog post to the project README. I've added that now, and I think it may help explain why we specifically built a service like this on top of Tailscale to take advantage of Magic DNS, automatically authenticated connections, etc. https://tailscale.com/blog/golink/

[adhdguy]

Zero trust doesn't mean abandoning defense-in-depth.

[xena]

Stay tuned, I have plans :)

[rkangel]

Tailscale is an alternative architectural approach to doing exactly that. It's a single point-of-auth for a lot of internal services, that you can access from anywhere. It handles it at a completely different layer, but isn't fundamentally different.

[kpolls]

"On the other hand, the former might be just to expensive for smaller organisations."

GCP's Identity Aware Proxy (IAP) comes free with the load balancer

[paxys]

No reason you can’t do both.

[whalesalad]

cloudflared