Over the last few months, we’ve completed a company-wide deployment of Tailscale at TTG Imaging Solutions, and it has completely changed how we think about remote access, internal routing, and edge-to-cloud connectivity.

This is easily one of the cleanest and most powerful infrastructure shifts we’ve executed – and I’ll say it upfront: I’m going to need a very compelling reason not to use Tailscale on every environment I touch going forward.


What Is Tailscale?

At its core, Tailscale is a zero-config mesh VPN built on the WireGuard protocol, which is known for being lightweight, fast, and cryptographically sound.

What makes Tailscale unique is its distributed architecture:

  • Each connected device (workstation, server, etc.) sets up its own WireGuard interface

  • Routing entries are added to the local system routing table, enabling direct peer-to-peer communication

  • A lightweight SaaS control plane (Tailscale’s service) manages identity, device authorization, ACLs, and policy enforcement

  • But the data plane is fully decentralized – meaning actual traffic never hits Tailscale servers

The result? A globally distributed, hyper-available VPN that doesn’t rely on central gateways or hub-and-spoke tunnels. Each node is part of the “tailnet” – a private, dynamic mesh of authenticated, routable devices.


From Fortinet to Tailscale

Historically, both Digirad and now TTG relied heavily on the Fortinet suite:

  • FortiGate firewalls for inter-site VPNs

  • FortiClient for workstation VPN

  • EMS for endpoint policy enforcement

  • FortiAuthenticator for MFA and identity binding

This stack has done a lot of heavy lifting – it helped us pass HITRUST and kept our distributed healthcare infrastructure secure.

But it also came with some real pain points:

  • Field engineers struggled with MFA delays and failures via FortiAuthenticator

  • Dial-up and site-to-site VPNs were unreliable, especially in bandwidth-constrained locations

  • Flexibility was limited – every new route or policy meant significant firewall and routing updates

  • Operational overhead was high for small adjustments or temporary access


What Changed with Tailscale

When we rolled out Tailscale, the impact was immediate and wide-reaching:

1. Dial-Up & Site-to-Site VPNs Eliminated

We tore down all traditional VPN tunnels. Every hub site and field system now communicates securely via Tailscale – with direct peer-to-peer links and no need for NAT traversal hacks or static IPs.

2. FortiAuthenticator Retired

MFA is now handled through Tailscale’s native auth – which integrates cleanly with SSO and identity providers, offering passwordless sign-in and mobile app approval. Our field teams stopped submitting tickets about MFA on day one.

3. Centralized Access, No Central Bottleneck

Unlike traditional VPNs, where all traffic flows through a concentrator, Tailscale lets us enforce ACLs at the control plane while data flows directly between peers. That gives us better throughput, lower latency, and resilient connectivity that doesn’t break when the core link is overloaded.

4. Cost Neutral, Functionality Boosted

We did the math – and Tailscale’s pricing came out roughly equivalent to what we were paying Fortinet for the combined licensing of VPN + EMS + FortiAuth. But what we gained in developer experience, agility, and user satisfaction is far beyond what we had before.


Real-World Impact

This shift isn’t just theoretical – it’s already solving problems we’ve lived with for years:

  • Field Service Engineers now have always-on secure access to diagnostic tools and telemetry systems

  • Our hub sites – many with low-end SMB internet connections – stay connected reliably

  • Our IT ops team moves faster with policy and route updates pushed directly through the admin panel

  • And we maintain zero-trust principles through fine-grained ACLs that enforce least-privilege access


What’s Next

We’re now looking at:

  • Integrating Tailscale with Terraform to manage ACLs as code

  • Leveraging Tailscale SSH for temporary admin access without shared credentials

  • Using exit nodes and subnet routers to selectively bridge legacy infrastructure into the mesh
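As an added illustration, not from the post and not TTG's actual policy, here is a Tailscale ACL policy file (HuJSON, so comments are allowed) in the shape the "fine-grained ACLs" and "Tailscale SSH" items above describe: the permissive default rule is replaced with group-to-tag grants on explicit ports, and SSH uses check mode so an admin re-authenticates with the identity provider instead of relying on shared credentials. The user names, tag names, port numbers and subnet range are constructed placeholders.

```jsonc
{
  // Groups map identity-provider users to roles; tags label devices.
  // A tag, not a person, is the principal for servers and field systems.
  "groups": {
    "group:field-eng": ["fse1@example.com", "fse2@example.com"],
    "group:it-ops":    ["ops1@example.com"]
  },
  "tagOwners": {
    // Only IT ops may apply these tags when enrolling a device.
    "tag:diag-tools": ["group:it-ops"],
    "tag:hub-router": ["group:it-ops"]
  },
  "acls": [
    // Tailscale's initial default policy is the rule below: every node can
    // reach every port on every other node. Remove it before adding real
    // rules; anything not matched by a rule is denied.
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},

    // Field engineers reach diagnostic/telemetry systems only, and only on
    // the ports those services expose (constructed port numbers).
    {"action": "accept", "src": ["group:field-eng"],
     "dst": ["tag:diag-tools:443,8443"]},

    // IT ops may manage the tagged hosts, still by explicit port list.
    {"action": "accept", "src": ["group:it-ops"],
     "dst": ["tag:diag-tools:22,443,8443", "tag:hub-router:22"]},

    // Legacy network behind a subnet router: grant only the advertised
    // range (constructed), not the router's whole reach.
    {"action": "accept", "src": ["group:it-ops"], "dst": ["10.20.0.0/24:*"]}
  ],
  "ssh": [
    // Tailscale SSH to tagged hosts: no shared keys on the boxes, and
    // "check" forces a fresh IdP authentication before a session is granted
    // (re-checked after checkPeriod).
    {"action": "check", "checkPeriod": "12h", "src": ["group:it-ops"],
     "dst": ["tag:diag-tools", "tag:hub-router"],
     "users": ["autogroup:nonroot", "root"]}
  ]
}
```

Keeping this file in version control is what "ACLs as code" amounts to in practice: every widening of a `dst` list becomes a reviewable diff rather than a firewall change ticket.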


Final Thoughts

Tailscale has fundamentally reshaped how TTG connects. No concentrators, no tunnel fatigue, no firewall gymnastics – just clean, fast, secure connectivity that simply works.

It’s the kind of shift that makes you re-evaluate everything you thought was “best practice.”

– Vince