Some context: I’m the senior sysadmin in my company and that also includes “IT”. We currently host some products in GCP and have a lot of internal services running on some Dell servers. These services are mostly engineering related (Jenkins, source control etc). We have a mix of Windows, macOS and Ubuntu workstations. (The network is segregated into VLANs.)
We currently have a classic VPN server set up that allows employees to connect to the office network and GCP through that via another VPN, but we want to improve security and move away from the idea that what happens in the office is “trusted”. Hence my looking into a solution that can replace the VPNs but also secure the office network.
I’ve currently settled on 2 main contenders, Twingate and Tailscale, but am now having a hard time deciding between the two. They work in completely different ways and both have advantages and disadvantages. I feel it also depends a bit on how far we want to take the zero trust setup. Should communication between two servers internally go over this solution? Is having to manage the ACL settings in a JSON file a good or bad thing (infra as code)? Twingate could be more of a bottleneck, but Tailscale would need a lot more work for deployment and maintenance, …
What I’m asking here is really, has anyone run into a similar “problem”? What decision did you end up making and how did it work out? Are there other products that could be better than the two I’m currently looking at? Are you using one of the two products and have good/bad experiences with it? Any insights would be very valuable.
Keep in mind that Zero Trust is not a product, it’s an architectural idea.
Usually it consists of several products, maybe an EMS (Client Posture/Validation), NAC (Client Auth), MFA/SSO (User Auth), and Proxy (VPN alternative).
I’m not familiar with the products you listed, do they have any sort of posture validation (antivirus installed/up-to-date, OS up-to-date, etc)?
I’m personally familiar with Fortinet products, and they have a wide range of products that integrate really well together.
Founder @ https://enclave.io here. Tailscale, ZeroTier and Enclave all share a similar architecture: they build an overlay network which carries whatever traffic you choose to put on top.
Twingate, as you noted, has a different architecture. It’s based on the idea of putting a proxy appliance at the edge of the network, more commonly known as a software defined perimeter.
I’m biased of course, but I’d argue that the overlay network is a better approach. It’s less effort to deploy, gives better scalability and doesn’t really care if the traffic flows are east-west or north-south (unlike the SDP architecture, which was designed for the north-south / remote access traffic pattern).
How much of your network you bring into the overlay network is really up to you, but if your guiding star is Zero Trust alignment, then the more you include, the better.
I’d also agree that writing policies and ACLs in JSON will get a bit tedious, if that’s a problem for you it might be worth looking at Enclave, we’ve put a lot of effort into keeping the policy engine simple and user-friendly.
Good luck, whichever way you go.
Hence my looking into a solution that can replace the VPNs but also secure the office network.
Yet you are contradicting yourself by replacing VPNs with more VPNs (re: Twingate, Tailscale).
For internal traffic, VPNs are not the solution. What you want is IPsec and firewall ACLs.
If you want to “replace” the VPNs, other self-hosted suggestions are SoftEther (open source) and ZeroTier (dual license).
Have you considered Sophos?
Curious how Twingate (I work there) might be a bottleneck for your use case?
In case it’s helpful, a few capabilities you could test out which might help:
- automation: there’s a rich API and native providers for Terraform and Pulumi if you’d like to implement automation/infra-as-code. This is a very common deployment & management model and makes maintenance extremely easy.
- service accounts: if you have automated services that need narrow access to privileged networks, there are “service accounts” that allow you to scope down access permissions. It’s similar to East/West control mechanisms and used for workflows like CI/CD.
I’m happy to see I can get your info if you’re not finding what you need. Let me know!
What did you end up going with? Am starting to look and coming across a ton of newer vendors since my days with Meraki, Forti, PAN gear.
Tailscale seems easy to get going, but seems a bit hard to manage for the less tech-savvy, and I don’t really like having to put their agent on everything, and DNS is a bit hard to get right.
Twingate seems pretty great as a drop-in replacement for VPN, but would love to hear some experiences with it.
Also looked at Cloudflare and OpenVPN, but those products seem like a mess.
Not OP but your product seems pretty cool. Unfortunately we run fully on-prem.
Your site is getting a little hammered.
Error when trying to get to the pricing page:
Internal Server Error - Request ID: 01G2SJ33G2SBP0S43K2XK4QHBY
We invested a bunch of time in Twingate and that was looking great, but we were also hitting some major roadblocks specific to our case (related to the client-server model it uses). It was also not properly routing our internal traffic (it all went to the cloud and back) and they were unable to properly figure out what was wrong. Because of that we are now back to investigating Tailscale.
Yes, sorry about that. We use Netlify to host the front-end of Enclave and they seem to have had a few issues today (albeit resolved and now listed under past incidents @ https://www.netlifystatus.com/)