Virtual Private Network

Access Gate includes by default a built-in client for the powerful Tailscale VPN solution. This VPN provides a turn-key, no-firewall-change approach to connecting multiple industrial sites over a secure mesh.

Getting Started With Tailscale

If you do not already have a Tailscale account, go to tailscale.com to create one. The built-in menu will guide you through the steps to create your account; you can stop as soon as the screen prompts you to connect devices.

Set up Tailnet IP address range(s)

Every machine connected to the Tailnet is assigned an IP address. To control the address pool from which these addresses are assigned, add the following to the Access controls configuration file:

"nodeAttrs": [
    {
        "target": ["*"],
        "ipPool": ["100.100.0.0/16"],
    },
],

and click Save to save and apply. Optionally, specify different pools for different user groups:

"nodeAttrs": [
    {
        "target": ["autogroup:member"],
        "ipPool": ["100.100.1.0/24"],
    },
    {
        "target": ["autogroup:admin"],
        "ipPool": ["100.100.2.0/24"],
    },
],

To change the IP address of an already connected machine, go to the Machines section -> machine options (three dots on the right of the machine info row) -> Edit machine IPv4, enter an available IP from the desired range and press the Update IP button.

From the UI, you can achieve this in Access Controls > Node Attributes.

(Figure: IP Range configuration on Tailscale)

Set up auto-approval for newly connected machines

By default, each newly added machine is auto-approved to join the Tailnet. Optionally (and more safely), you can alter this policy and require manual approval for each new machine. To enable that, go to Settings -> Device management and set Device Approval to On.

After that, each new machine added to the Tailnet will appear in the Machines section with a "Needs approval" label, and it needs to be manually approved by clicking the machine options (three dots on the right) and selecting Approve.

From the UI, you can achieve this in Access Controls > Auto approvers.

Set up auto-approval for advertised (shared) routes

When a newly connected machine advertises (shares) routes to be made accessible via the Tailnet, these subnets need to be approved in the Machines section -> machine options (three dots on the right) -> Edit route settings, by enabling the checkbox next to the particular subnets.

The subnet approval process can be automated by configuring auto-approval for specific users and specific subnets in the Access controls configuration file:

"autoApprovers": {
    "routes": {
        "100.64.0.0/24": ["autogroup:member"],
        "100.64.0.0/10": ["autogroup:admin"],
    },
},
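Both the ipPool entries above and the autoApprovers block are easy to get wrong silently: a pool outside the range Tailscale assigns from, two groups whose pools overlap, or a very broad route that every member can get approved without review. The following checker is an added example, not Access Gate's code and not Tailscale's own tooling. It strips HuJSON comments and trailing commas, then validates the two sections. It assumes that node addresses must come from Tailscale's 100.64.0.0/10 block (the range the page's own snippets use) and treats any auto-approved route broader than /16 as worth a warning; the embedded policy is constructed from the snippets above plus one deliberately bad pool.

```python
import ipaddress
import json
import re

# Tailscale hands out node addresses from the CGNAT block 100.64.0.0/10; every
# ipPool on this page sits inside it, and this checker treats it as the only
# valid home for a pool (assumption stated in the lead-in).
TAILNET_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Auto-approved routes shorter than this prefix are flagged: manual review is
# skipped for them, so one advertising node can expose a large address space.
MIN_AUTO_APPROVE_PREFIXLEN = 16

# Constructed sample policy: the page's nodeAttrs and autoApprovers entries plus
# one deliberately bad pool (10.0.0.0/24) so the checker has something to flag.
SAMPLE_POLICY = """
{
  // HuJSON: comments and trailing commas are allowed in a Tailscale policy file
  "nodeAttrs": [
    { "target": ["autogroup:member"], "ipPool": ["100.100.1.0/24"], },
    { "target": ["autogroup:admin"],  "ipPool": ["100.100.2.0/24"], },
    { "target": ["group:contractors"], "ipPool": ["10.0.0.0/24"], },
  ],
  "autoApprovers": {
    "routes": {
      "100.64.0.0/24": ["autogroup:member"],
      "100.64.0.0/10": ["autogroup:admin"],
    },
  },
}
"""


def hujson_to_json(text):
    """Strip // line comments and trailing commas so json.loads accepts the policy.

    Simplified on purpose: it does not protect '//' inside quoted strings.
    """
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def load_policy(text):
    return json.loads(hujson_to_json(text))


def check_policy(policy):
    """Return (severity, message) findings for ipPool and autoApprovers entries."""
    findings = []
    seen = []  # (targets, network) pairs already checked, for overlap detection
    for attr in policy.get("nodeAttrs", []):
        targets = ",".join(attr.get("target", []))
        for pool in attr.get("ipPool", []):
            net = ipaddress.ip_network(pool, strict=False)
            if not net.subnet_of(TAILNET_RANGE):
                findings.append(("error", f"ipPool {pool} ({targets}) is outside {TAILNET_RANGE}"))
            for prev_targets, prev in seen:
                if net.overlaps(prev):
                    findings.append(("warn", f"ipPool {pool} ({targets}) overlaps {prev} ({prev_targets})"))
            seen.append((targets, net))
    routes = policy.get("autoApprovers", {}).get("routes", {})
    for route, approvers in routes.items():
        net = ipaddress.ip_network(route, strict=False)
        if net.prefixlen < MIN_AUTO_APPROVE_PREFIXLEN:
            findings.append(("warn", f"auto-approved route {route} for {','.join(approvers)} "
                                     f"is broader than /{MIN_AUTO_APPROVE_PREFIXLEN}"))
    return findings


def errors(findings):
    """Only the findings that should block a Save of the policy file."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in check_policy(load_policy(SAMPLE_POLICY)):
        print(f"[{sev}] {msg}")
```

Run it against the exported policy file before pasting changes into Access controls; the error on the contractors pool is the kind of mistake the UI does not catch for you, and the warning on 100.64.0.0/10 is a reminder that auto-approving the whole node range removes the review step the previous section describes.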

Set up machine key expiry

Each machine connected to the Tailnet is assigned a key that is by default valid for 180 days. After that the key expires and the machine needs to be re-authenticated.

The key expiry can be disabled per machine for trusted machines (including AccessGate) in the Machines section by clicking machine options (three dots on the right) -> Disable key expiry.

Set up OAuth API access to Tailnet configuration

To allow Access Gate to obtain data about subnets reserved for the Tailnet, API access has to be configured and the obtained ID and Secret have to be entered into the Access Gate configuration.

To enable OAuth API access to the Tailnet:

  • In Tailscale, go to Settings -> Trust Credentials -> OAuth clients
  • Enter Description (e.g. AccessGate API client)
  • Select Policy File -> Read
  • Click Generate credential

Copy the displayed OAuth client credentials (ID and Secret), store them safely, and enter them into AccessGate via AccessGate Web administration -> Settings -> Networking -> VPN Access -> API Credentials.
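The same kind of OAuth client can drive a small audit of the items the earlier sections say to review by hand: machines still waiting for approval, machines whose key expiry has been disabled or has already lapsed, and advertised routes that nobody has enabled yet. The script below is an added example, not Access Gate's code and not Tailscale's own tooling. It assumes an OAuth client with read access to devices (the client created above has only Policy File read, which is not enough for this), the environment variable names TS_CLIENT_ID, TS_CLIENT_SECRET and TS_TAILNET for the live run, and the device field names documented for the Tailscale API (`authorized`, `keyExpiryDisabled`, `expires`, `advertisedRoutes`, `enabledRoutes`). The embedded device list is constructed sample data, not output from a real tailnet.

```python
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Tailscale control-plane API endpoints: client-credentials token exchange and
# the device list (fields=all is needed for the route fields).
TOKEN_URL = "https://api.tailscale.com/api/v2/oauth/token"
DEVICES_URL = "https://api.tailscale.com/api/v2/tailnet/{tailnet}/devices?fields=all"

# Constructed sample response (three machines, not real data) covering each
# condition the audit reports on.
SAMPLE_DEVICES = {
    "devices": [
        {"name": "accessgate.example.ts.net", "authorized": True, "keyExpiryDisabled": True,
         "expires": "0001-01-01T00:00:00Z",
         "advertisedRoutes": ["192.168.10.0/24"], "enabledRoutes": ["192.168.10.0/24"]},
        {"name": "plc-gateway.example.ts.net", "authorized": False, "keyExpiryDisabled": False,
         "expires": "2025-07-01T00:00:00Z",
         "advertisedRoutes": ["192.168.20.0/24"], "enabledRoutes": []},
        {"name": "laptop-ops.example.ts.net", "authorized": True, "keyExpiryDisabled": False,
         "expires": "2024-01-15T00:00:00Z",
         "advertisedRoutes": [], "enabledRoutes": []},
    ]
}
SAMPLE_NOW = "2025-01-01T00:00:00Z"  # constructed "current time" for the sample


def build_token_request(client_id, client_secret):
    """Client-credentials exchange; the secret is only ever sent to TOKEN_URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST")


def build_devices_request(tailnet, access_token):
    return urllib.request.Request(
        DEVICES_URL.format(tailnet=tailnet),
        headers={"Authorization": f"Bearer {access_token}"},
    )


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_devices(devices, now_iso):
    """Group devices by the review items this page describes."""
    now = _parse_ts(now_iso)
    report = {"needs_approval": [], "expiry_disabled": [], "expired": [], "routes_pending": []}
    for dev in devices:
        name = dev.get("name", dev.get("id"))
        if not dev.get("authorized", True):
            report["needs_approval"].append(name)
        if dev.get("keyExpiryDisabled"):
            report["expiry_disabled"].append(name)
        elif dev.get("expires") and _parse_ts(dev["expires"]) <= now:
            report["expired"].append(name)
        pending = sorted(set(dev.get("advertisedRoutes", [])) - set(dev.get("enabledRoutes", [])))
        if pending:
            report["routes_pending"].append((name, pending))
    return report


def fetch_devices(client_id, client_secret, tailnet):
    """Live call: token exchange, then device list. Only used from main()."""
    with urllib.request.urlopen(build_token_request(client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(build_devices_request(tailnet, token)) as resp:
        return json.load(resp)["devices"]


if __name__ == "__main__":
    if all(k in os.environ for k in ("TS_CLIENT_ID", "TS_CLIENT_SECRET", "TS_TAILNET")):
        devices = fetch_devices(os.environ["TS_CLIENT_ID"], os.environ["TS_CLIENT_SECRET"],
                                os.environ["TS_TAILNET"])
        now_iso = datetime.now(timezone.utc).isoformat()
    else:  # no credentials: run against the constructed sample
        devices, now_iso = SAMPLE_DEVICES["devices"], SAMPLE_NOW
    for item, entries in audit_devices(devices, now_iso).items():
        print(f"{item}: {entries}")
```

The machines listed under needs_approval and routes_pending are exactly the ones the Machines section shows with "Needs approval" or with unchecked subnets; expiry_disabled is the list to keep short, since those keys never force a re-authentication.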

Sync Assets and Users from Tailscale

In Access Gate, click Authenticate and then Get Assets. This will bring the Tailscale assets into the Assets tab.

For Tailscale users: when a user authenticates in the tailnet, they authenticate their current device and it enters the tailnet. At that point, click Get Assets again, and the newly registered asset will show up.

Access local Assets

You can now head to Enclaves and grant access to the Assets and Users you want. To access them, simply use the IP or URL displayed in the Assets tab. The magic happens in the background :)