It does look very nice. It's a shame that it depends on third parties for authentication, and that they have gems like this in their documentation:
> No app-level integration or reconfiguration is required, because security is built into the network itself. If you configure your network to require Tailscale, every one of your internal services will be subject to multi-factor authentication.
Which is simply not true. I've had 2FA for my Cisco AnyConnect VPN for years. That does not mean the applications I access through the VPN are now magically subject to MFA.
Maybe in time this may end up being viable for me, and maybe it already is for other people. For now, I'd rather my VPN didn't depend on Google, Microsoft, Okta, etc.
The idea of a vulnerability in any app I run having access to all my things is quite scary. The status quo is that they at least have to reach the file storing browser cookies before they "become me"; the way Tailscale is talking about their system sounds like fewer barriers.
Network authentication is not the same as application authentication.
If I plug a cable into your LAN, I am not subject to MFA to log in to a server on your LAN.
If you have a lock on the network port that requires me to type in a PIN code and insert a key to unlock and expose the port, that results in MFA to connect to your network. Your applications behind your network remain without MFA.
MFA VPN is essentially the same thing as the above, but for remote access to the LAN. Applications should still be properly secured.
I suppose it could be argued that this provides a client-side agent to authenticate the end user as well (mumble mumble 802.1X), and if so, then it's arguable whether or not you need another layer of authentication on the application, or whether this qualifies as SSO to authenticate you to everything you have access to in the network (so passwordless login to servers, desktops, webapps, etc.).
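The distinction drawn above between network authentication and application authentication, shown as an added example that is not part of the thread or of Tailscale's code. The overlay address range, the secret and the request samples are all constructed for the demo; the point is that a policy which trusts "anything arriving from the authenticated network" accepts a request from a compromised process on an enrolled host, whereas a per-request application credential still has to be presented and verified.

```python
"""
Added example: network-level trust versus application-level authentication.
Everything here (address range, secret, sample requests) is constructed.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed: pretend this is the overlay/VPN address range that only
# MFA-authenticated devices can obtain an address in.
TRUSTED_NET = ipaddress.ip_network("100.64.0.0/10")

# Constructed demo secret; a real service would load this from a secret store.
SECRET = b"constructed-demo-secret"


@dataclass
class Request:
    src_ip: str
    headers: dict = field(default_factory=dict)


def network_only_policy(req: Request) -> bool:
    """'Security is built into the network': accept anything from the overlay.
    Any process on an enrolled host, including a compromised one, passes."""
    return ipaddress.ip_address(req.src_ip) in TRUSTED_NET


class SessionStore:
    """Minimal HMAC-signed session tokens with an expiry, i.e. application auth."""

    def __init__(self, secret: bytes, ttl_seconds: int = 600):
        self._secret = secret
        self._ttl = ttl_seconds

    def issue(self, user: str, now: int) -> str:
        payload = f"{user}:{now}"
        mac = hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{mac}"

    def verify(self, token: str, now: int) -> Optional[str]:
        parts = token.split(":")
        if len(parts) != 3:
            return None
        user, issued, mac = parts
        expected = hmac.new(self._secret, f"{user}:{issued}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # forged or tampered token
        if not issued.isdigit() or now - int(issued) > self._ttl:
            return None  # expired
        return user


def app_auth_policy(req: Request, store: SessionStore, now: int) -> Optional[str]:
    """Application authentication: identity comes from the presented credential,
    not from where the packet arrived. Returns the user or None."""
    token = req.headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    return store.verify(token[len("Bearer "):], now)


def layered_policy(req: Request, store: SessionStore, now: int) -> Optional[str]:
    """Defence in depth: require the network gate AND an application credential."""
    if not network_only_policy(req):
        return None
    return app_auth_policy(req, store, now)


def demo(now: int = 1_000_000) -> dict:
    store = SessionStore(SECRET)
    good = store.issue("alice", now - 10)
    # Legitimate user on an enrolled device with a valid session.
    legit = Request("100.64.1.2", {"Authorization": f"Bearer {good}"})
    # Compromised process on the same enrolled device: no application credential.
    hijacked = Request("100.64.1.2", {})
    # Attacker-controlled token from the enrolled network (wrong MAC).
    forged = Request("100.64.1.2", {"Authorization": "Bearer alice:999990:deadbeef"})
    # Valid credential presented from outside the overlay.
    offnet = Request("203.0.113.9", {"Authorization": f"Bearer {good}"})
    return {
        "legit": (network_only_policy(legit), app_auth_policy(legit, store, now),
                  layered_policy(legit, store, now)),
        "hijacked": (network_only_policy(hijacked), app_auth_policy(hijacked, store, now),
                     layered_policy(hijacked, store, now)),
        "forged": (network_only_policy(forged), app_auth_policy(forged, store, now),
                   layered_policy(forged, store, now)),
        "offnet": (network_only_policy(offnet), app_auth_policy(offnet, store, now),
                   layered_policy(offnet, store, now)),
    }


if __name__ == "__main__":
    for name, (net, app, both) in demo().items():
        print(f"{name:9s} network-only={net!s:5s} app-auth={app} layered={both}")
```

The `hijacked` row is the scenario the comment above worries about: the request is indistinguishable from the legitimate user at the network layer, and only the application's own check rejects it. The `offnet` row shows the converse, a valid application credential is rejected by the layered policy when the network gate is not satisfied, which is what an MFA VPN actually buys you.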
Another example of a product that looks interesting, but the folks responsible for marketing it make it a pain in the arse.
This looks like it solves a problem I have. Looks like it might be a commercial product (mentions of Okta and "get started for free"), but I can't find out any more information without signing up, which I don't want to do if it doesn't support the configuration I want or is more expensive than my budget for such things.
They want early adopters (their friends) to play with their prototype, and they don't want to commit to pricing and long term support before they know what they can build and if it will work and how much it costs.
How does this thing even work? Do they host the gateways for you and do the authentication at the start of VPN sessions and generate the WireGuard keys for you? So you simply need to connect your networks hosting services and such to their gateways?