Apple @ Work: Tailscale is a first-principles approach to VPN technology with full macOS and iOS support

By: Anry Sergeev | 23.04.2022, 15:10


There’s a concept of building from first principles that can create some pretty incredible products. VPN is one example of a technology I have long believed was too complicated. Remote work has brought VPNs to the forefront, with employees wanting access to company resources wherever they may be. I recently came across a product that works great on macOS that takes that first-principles approach to how VPN connections work, and it’s called Tailscale.


About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, and train users, along with stories from the trenches of IT management and ways Apple could improve its products for IT departments.


VPN setup is clunky at best. Different firewalls require different setups, and it can sometimes be challenging to get the proper devices to the correct servers depending on the subnet, IP scheme, etc. By implementing Tailscale, it’s easy to connect to another network by using a stable IP address for each device (server, laptop, etc.). No matter the location of nodes in the physical world, these addresses remain the same. Each device gets an IP in the 100.X range, and it’s assigned based on the device and the Tailscale login.

Using Tailscale with macOS

I’ve got a fairly simple use case with Tailscale for personal use. I want to access my Umbrel server (learn how to build one in my past guide) remotely as well as my Plex server. Umbrel has a Tailscale app in its App Store, so the setup was painless. It is now accessible from any location. Because it’s on my Umbrel and Plex servers, when I need to access them directly I enable Tailscale on Mac. Then I can easily connect to these devices.

What problem does this solve in the enterprise?

Tailscale is built on top of WireGuard. WireGuard, a secure encrypted network protocol with a lot of benefits over traditional VPNs, is fast and reliable. Tailscale builds on WireGuard by adding automatic mesh configuration, single sign-on support, two-factor/multi-factor authentication, NAT traversal, and centralized Access Control Lists (ACLs).

Let’s suppose you have employees scattered across the country or world. You want to securely let them use company resources such as internal servers via VPN, while still allowing public internet traffic to run locally. Tailscale works this way out of the box. Tailscale acts as an overlay network, routing traffic only between Tailscale devices. It doesn’t handle traffic that isn’t aimed at Tailscale devices. This default configuration allows Tailscale to run on macOS and iOS at all times, without having all traffic sent through it.
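To confirm on a Mac that the tunnel really is in this split-tunnel mode, you can audit the IPv4 routing table. The following is an added example, not code from the original article or from Tailscale: it parses `netstat -rn -f inet` output (a constructed sample is embedded) and assumes that Tailscale addresses come from the CGNAT block 100.64.0.0/10 and that the tunnel is a `utun` interface; `parse_dest` and `audit` are hypothetical helper names.

```python
import ipaddress

# Assumption: Tailscale hands out addresses from the CGNAT block 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample in the layout of macOS `netstat -rn -f inet`.
SAMPLE = """\
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
100.64/10          link#20            UCS             utun3
100.100.100.100/32 link#20            UCS             utun3
127                127.0.0.1          UCS               lo0
192.168.1          link#6             UCS               en0      !
"""

def parse_dest(dest):
    """Expand netstat's abbreviated destination (e.g. '100.64/10')."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:  # no mask printed: one byte of prefix per octet shown
        plen = str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def audit(netstat_output, tunnel_prefix="utun"):
    """Return (verdict, findings) for IPv4 routes bound to tunnel interfaces."""
    findings, tailnet_routes = [], 0
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].startswith(tunnel_prefix):
            continue
        try:
            net = parse_dest(fields[0])
        except ValueError:
            continue  # header or non-IPv4 line
        if net.prefixlen == 0:
            findings.append((fields[0], fields[3], "default route via tunnel"))
        elif net.subnet_of(TAILNET):
            tailnet_routes += 1
        else:
            findings.append((fields[0], fields[3], "route outside tailnet range"))
    if any(f[2] == "default route via tunnel" for f in findings):
        return "full-tunnel", findings
    if findings:
        return "review", findings
    return ("split-tunnel" if tailnet_routes else "no-tunnel"), findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `review` verdict means the tunnel carries routes beyond the tailnet range, which may be intentional but should match what the centralized ACLs are meant to allow.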

To sum it up, Tailscale is an affordable VPN that requires no configuration, installs on any device in a few seconds, handles firewall rules for you, and works from anywhere. While my use case is 100% personal, you can see the benefits it could bring to enterprises everywhere. Tailscale is truly a VPN for the remote-work world. It’s one of those rare solutions that “just works.” Pricing starts at free for one user with up to 20 devices, and paid plans start at $5/month (paid annually). So, if you’re struggling to roll out VPN access to your entire company in a way that’s not stretching your team with troubleshooting, check out Tailscale. It’s a VPN so simple, I am not sure Apple or Google could have made it any easier. It works great on macOS, iPhone, and iPad.