Virtual Private Network
Dec 20th 2025
Access Gate includes, by default, a built-in client for the Tailscale VPN solution. This VPN provides a turn-key approach to connecting multiple industrial sites over a secure mesh, with no firewall changes required.
Getting Started With Tailscale
If you do not already have a Tailscale account, go to tailscale.com to create one. The built-in menu will guide you through the steps to create your account; you may want to stop as soon as the screen asks you to connect devices.
Set up Tailnet IP address range(s)
Every machine connected to the Tailnet is assigned an IP address. To control the address pool from which these addresses are assigned, add the following to the Access controls configuration file:
    "nodeAttrs": [
        {
            "target": ["*"],
            "ipPool": ["100.100.0.0/16"],
        },
    ],
Then click Save to save and apply. Optionally, specify different pools for different user groups:
    "nodeAttrs": [
        {
            "target": ["autogroup:member"],
            "ipPool": ["100.100.1.0/24"],
        },
        {
            "target": ["autogroup:admin"],
            "ipPool": ["100.100.2.0/24"],
        },
    ],
To change the IP address of an already connected machine, go to the Machines section -> machine options (three dots on the right of the machine info row) -> Edit machine IPv4, enter an available IP from the desired range, and press the Update IP button.
Set up auto-approval for newly connected machines
By default, each newly added machine is auto-approved to join the Tailnet. Optionally (and more safely), you can alter this policy and require manual approval for each new machine. To enable this, go to Settings -> Device management and set Device Approval to On.
After that, each new machine added to the Tailnet will appear in the Machines section with a "Needs approval" label and must be manually approved by clicking the machine options (three dots on the right) and selecting Approve.
Set up auto-approval for advertised (shared) routes
When a newly connected machine advertises (shares) routes to be made accessible via the Tailnet, these subnets need to be approved in the Machines section -> machine options (three dots on the right) -> Edit route settings, by enabling the checkbox next to the particular subnets.
The subnet approval process can be automated by configuring auto-approval for specific users and specific subnets in the Access controls configuration file:
    "autoApprovers": {
        "routes": {
            "100.64.0.0/24": [
                "autogroup:member",
            ],
            "100.64.0.0/10": [
                "autogroup:admin",
            ],
        },
    },
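The following check is an added example, not part of Access Gate or Tailscale. It parses a policy file containing the nodeAttrs and autoApprovers sections shown above, lists the address pools and auto-approved routes, and reports pools that fall outside 100.64.0.0/10 (the range Tailscale assigns IPv4 addresses from) or that overlap between different targets. The sample policy is constructed from the fragments on this page, and the function names are hypothetical.

```python
import ipaddress
import json
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # range Tailscale assigns IPv4 addresses from

# Constructed sample policy combining the fragments shown above (trailing commas kept).
SAMPLE_POLICY = """
{
  "nodeAttrs": [
    {"target": ["autogroup:member"], "ipPool": ["100.100.1.0/24"],},
    {"target": ["autogroup:admin"],  "ipPool": ["100.100.2.0/24"],},
  ],
  "autoApprovers": {
    "routes": {
      "100.64.0.0/24": ["autogroup:member",],
      "100.64.0.0/10": ["autogroup:admin",],
    },
  },
}
"""

def load_policy(text):
    """Parse a policy file that uses trailing commas (assumption: it contains no comments)."""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def audit_policy(policy):
    """Return (pools, auto_routes, findings) for the sections this page configures."""
    pools, findings = [], []
    for attr in policy.get("nodeAttrs", []):
        for cidr in attr.get("ipPool", []):
            net = ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
            if not net.subnet_of(CGNAT):
                findings.append(f"ipPool {net} is outside {CGNAT}")
            for targets, other in pools:
                if net.overlaps(other) and targets != attr["target"]:
                    findings.append(f"ipPool {net} overlaps {other} used by {targets}")
            pools.append((attr["target"], net))
    routes = policy.get("autoApprovers", {}).get("routes", {})
    auto_routes = {ipaddress.ip_network(c): who for c, who in routes.items()}
    return pools, auto_routes, findings

if __name__ == "__main__":
    pools, routes, findings = audit_policy(load_policy(SAMPLE_POLICY))
    print("pools:", [(str(n), t) for t, n in pools])
    print("auto-approved routes:", {str(n): w for n, w in routes.items()})
    print("findings:", findings or "none")
```

Running it against a saved copy of the policy before clicking Save shows at a glance which groups can have routes approved without manual review.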
Set up machine key expiry
Each machine connected to the Tailnet is assigned a key that is valid for 180 days by default. After that, the key expires and the machine needs to be re-authenticated.
Key expiry can be disabled per machine for trusted machines (including AccessGate) in the Machines section by clicking machine options (three dots on the right) -> Disable key expiry.
Set up OAuth API access to Tailnet configuration
To allow Access Gate to obtain data about the subnets reserved for the Tailnet, API access has to be configured, and the obtained ID and Secret have to be entered into the Access Gate configuration.
To enable OAuth API access to the Tailnet, go to Settings -> OAuth clients and click the Generate OAuth client button. In the dialog window that opens, enter a Description (e.g. AccessGate API client), select Read in the Policy File section, and click the Generate client button at the bottom. Copy and safely store the displayed OAuth client credentials (ID and Secret), and enter them into AccessGate via AccessGate Web administration -> Settings -> Networking -> VPN Access -> API Credentials.