top | item 33980235

nehalem | 3 years ago

Big fan of Tailscale, yet I wonder whether it wouldn’t be better to make internal services securely available over the internet (zero trust rather than castle-and-moat). On the other hand, the former might be just too expensive for smaller organisations.

Everlag|3 years ago

nebula[0] may be interesting; you can allow list connectivity for specific groups, all burned into the cert used to join the network. It uses some NAT hole punching orchestration to accomplish connectivity between hosts without opening ports.

The main painful thing I've found has been cert management. PKI, as usual, is not a solved problem.

I've managed to do some fun stuff using salt + nebula on the hobby side.

[0] https://github.com/slackhq/nebula
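As an added illustration of the group-based allow listing described in the comment above (an example written for this page, not code from the comment or from the nebula project), a minimal nebula host configuration whose inbound firewall only admits peers whose certificate carries the named groups. Host names, addresses and group names are constructed placeholders.

```yaml
# Groups are embedded in each host's certificate at signing time, e.g.
#   nebula-cert sign -name "web01" -ip "192.168.100.10/24" -groups "web,prod"
# The firewall below matches on those certificate groups, not on IP alone,
# so a peer cannot gain access by spoofing an address on the overlay.
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/web01.crt
  key: /etc/nebula/web01.key

static_host_map:
  # Overlay IP of the lighthouse -> its public (underlay) address.
  "192.168.100.1": ["lighthouse.example.invalid:4242"]

lighthouse:
  am_lighthouse: false
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true   # NAT hole punching, so no inbound ports need opening

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # ICMP from anyone on the overlay, for basic reachability checks.
    - port: any
      proto: icmp
      host: any
    # SSH only from hosts whose cert carries BOTH the "admins" and "prod" groups.
    - port: 22
      proto: tcp
      groups:
        - admins
        - prod
    # HTTPS from any host in the "prod" group; everything else is dropped.
    - port: 443
      proto: tcp
      group: prod
```

Because group membership lives in the signed certificate, changing who may reach port 22 means re-issuing certificates, which is the cert-management burden the comment mentions.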

willnorris|3 years ago

I forgot to add a link to our recent announcement blog post to the project README. I've added that now, and I think it may help explain why we specifically built a service like this on top of Tailscale to take advantage of Magic DNS, automatically authenticated connections, etc. https://tailscale.com/blog/golink/

adhdguy|3 years ago

Zero trust doesn't mean abandoning defense-in-depth.

xena|3 years ago

Stay tuned, I have plans :)

rkangel|3 years ago

Tailscale is an alternative architectural approach to doing exactly that. It's a single point-of-auth for a lot of internal services, that you can access from anywhere. It handles it at a completely different layer, but isn't fundamentally different.

kpolls|3 years ago

"On the other hand, the former might be just too expensive for smaller organisations."

GCP's Identity Aware Proxy (IAP) comes free with the load balancer

paxys|3 years ago

No reason you can’t do both.