Tailscale Platform: TSIDP & Aperture Shift

Picture your homelab Pi authenticating services without a login prompt, all thanks to Tailscale's new platform layer. They're not just networking anymore; they're rearchitecting identity and AI access from the ground up.

Tailscale dashboard illustrating TSIDP auth flow, multi-tailnets, and Aperture AI gateway

Key Takeaways

  • Tailscale evolves from Tailnet VPN to full platform with TSIDP for identity, TSNet for app networking, and multi-tailnets for isolation.
  • Aperture secures AI workflows as a private gateway, blending zero-trust networking with LLM API management.
  • Unique insight: Mirrors SSH's expansion into identity platforms, positioning Tailscale as the zero-trust kernel for modern meshes.

A Raspberry Pi in the corner of a cluttered garage office blinks green—Tailscale’s magic weaving secure tunnels across firewalls, no ports punched, no VPN client nagging.

Tailscale’s platform evolution hits like a stealth upgrade. From a simple WireGuard mesh—Tailnet—they’re layering on TSIDP, TSNet, multiple tailnets, and Aperture. It’s not hype; it’s a calculated shift toward owning the full stack of zero-trust networking, identity, and now AI gateways. David Carney, Tailscale’s Chief Strategy Officer, laid it out in a recent Changelog podcast: products like these aren’t bolt-ons, they’re the new foundation.

Here’s the thing. Tailscale started as that dev tool you whisper about—peer-to-peer VPN that just works. But now? They’re betting big on TSIDP (Tailscale Identity Provider), a clickless auth system that turns your Tailnet into its own OIDC realm. No more wrestling Okta or Entra ID for homelabs or edge deploys.

“Be your own OIDC.” —David Carney, unpacking TSIDP’s self-sovereign vibe.

Short. Punchy. Revolutionary for ops folks tired of identity sprawl.

What Even is TSIDP, and Why Should You Care?

TSIDP isn’t another IdP clone. It’s Tailscale-native: the identity behind every connection is already known to the tailnet, so TSIDP can mint standard OIDC tokens without asking anyone to log in again. It also supports dynamic client registration, the piece the MCP (Model Context Protocol) authorization flow relies on so that agents and tools can register as OAuth clients on the fly instead of being hand-configured. Carney calls it “clickless login”: no redirect out to an external IdP, because the network has already authenticated you, and your CLI tool or homelab service just works.
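What a service on the tailnet has to check before it trusts a TSIDP-issued ID token, as an added example (mine, not code from tsidp or from this article). The issuer URL and client_id are hypothetical; the key is generated locally and the token is minted in-process so the verifier can run offline, where a real relying party would fetch the issuer’s public keys from its JWKS endpoint. Only standard OIDC claims are assumed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical values: a tsidp node's issuer URL and the client_id this app got from it.
const (
	issuer   = "https://idp.example.ts.net"
	clientID = "homelab-dashboard"
)

// Claims is the subset of standard OIDC ID-token claims a relying party must
// check. aud is treated as a single string; the JWT spec also allows an array.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email,omitempty"`
}

var b64 = base64.RawURLEncoding

// NewSigningKey makes a throwaway RSA key so the example runs offline.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Mint produces an RS256-signed JWT. The issuer does this in real life; it is
// here only so Verify can be exercised against a locally generated key.
func Mint(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify checks, in order: structure, alg pinned to RS256 (so "none" or HS256
// headers are rejected first), the signature over header.payload, then issuer,
// audience and expiry. Only after all of that are the claims trusted.
func Verify(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or unreadable alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, errors.New("wrong issuer")
	case c.Aud != wantAud:
		return nil, errors.New("wrong audience")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := NewSigningKey()
	tok, _ := Mint(key, Claims{Iss: issuer, Sub: "user-1", Aud: clientID, Exp: time.Now().Add(5 * time.Minute).Unix()})
	_, err := Verify(&key.PublicKey, tok, issuer, "another-app", time.Now())
	fmt.Println("token replayed to another client:", err) // rejected: wrong audience
}
```

The audience check is the one homelab setups most often skip: a token minted for one app on the tailnet must not be accepted by another, or any client registered with the IdP can impersonate users to every other client.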

And here’s my unique angle, one the podcast glosses over: this echoes SSH’s quiet empire-building. Back in the ’90s, SSH wasn’t just key auth; it morphed into bastions, agents, port forwards—the de facto remote layer. Tailscale’s doing that for WireGuard-era networking, but with identity baked in from day zero. Prediction? In two years, TSIDP becomes the default for Kubernetes edge auth, sidelining heavier IdPs in air-gapped setups.

Self-host it on Proxmox or Incus? Absolutely. Carney pushes cloud-first for velocity, but the open-source ethos shines—deploy TSIDP anywhere your Tailnet reaches.

Tailscale’s cool factor? Understated. Devs rave in Slack channels, but enterprises sleep on it. No wonder Carney geeks out on homelab wins.

But wait—multiple tailnets. That’s the isolation play.

Why Multiple Tailnets Fix Your Security Nightmares

One Tailnet per org? Cute in theory, brittle in practice. In a flat mesh with a permissive policy, a compromised node reaches everything its identity is allowed to reach, and a lazy policy allows most of the network. Tailscale’s multi-tailnet answer flips that: separate tailnets are isolated networks defined by their own policy files, and anything that crosses between them has to be written down as an explicit ACL. It’s like VLANs, but peer-to-peer and identity-aware.

Carney dives into “network isolation”: segment prod from staging, teams from contractors, without firewall roulette. The policy file itself is declarative HuJSON (groups, tags, and accept rules from sources to destination ports), not a Turing-complete language; the Oso or Cerbos comparison holds in spirit only, and the simplicity is the point, because a default-deny rule set you can read in one sitting is one you can actually audit. The whole thing is written in Go, which keeps it snappy.
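To make the isolation concrete, here is an added example (mine, not Tailscale’s code and not a description of how its control plane evaluates policy) that parses a constructed policy file and answers who may reach what. It implements a simplified version of the documented ACL semantics: default deny, src selectors that are logins, groups or tags, dst entries of the form target:ports, and tagged nodes that carry no user identity. Port ranges, autogroups and the newer grants syntax are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// Policy covers the groups and acls sections of a policy file (real files are HuJSON).
type Policy struct {
	Groups map[string][]string `json:"groups"`
	ACLs   []Rule              `json:"acls"`
}

// Rule is one ACL entry: who (src) may reach what (dst, as "target:ports").
type Rule struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"`
}

// Node is a peer's identity: its owning login, or for tagged servers no login and tags.
type Node struct {
	Login string
	Tags  []string
}

// Constructed sample policy: ops reach prod on SSH and HTTPS, devs and staging nodes
// stay inside staging, prod nodes reach the prod database. Everything else is denied.
const samplePolicy = `{
  "groups": {"group:ops": ["alice@example.com"], "group:dev": ["bob@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:ops"],                "dst": ["tag:prod:22,443"]},
    {"action": "accept", "src": ["group:dev", "tag:staging"], "dst": ["tag:staging:*"]},
    {"action": "accept", "src": ["tag:prod"],                 "dst": ["tag:prod:5432"]}
  ]
}`

func LoadPolicy(src string) (*Policy, error) {
	p := new(Policy)
	return p, json.Unmarshal([]byte(src), p)
}

// selects reports whether any selector (a login, "group:x", "tag:x" or "*") matches n.
// Tagged nodes carry no login, so user and group selectors never match them.
func (p *Policy) selects(sels []string, n Node) bool {
	for _, sel := range sels {
		var ok bool
		switch {
		case sel == "*":
			ok = true
		case strings.HasPrefix(sel, "group:"):
			ok = n.Login != "" && slices.Contains(p.Groups[sel], n.Login)
		case strings.HasPrefix(sel, "tag:"):
			ok = slices.Contains(n.Tags, sel)
		default:
			ok = n.Login != "" && n.Login == sel
		}
		if ok {
			return true
		}
	}
	return false
}

// portMatch handles "*" and single ports; "lo-hi" ranges are left out here.
func portMatch(spec string, port int) bool {
	return spec == "*" || spec == strconv.Itoa(port)
}

// Allowed is true only when an accept rule names both the source and the destination
// port. No matching rule means deny: a compromised node gets exactly its granted reach.
func (p *Policy) Allowed(src, dst Node, port int) bool {
	for _, r := range p.ACLs {
		if r.Action != "accept" || !p.selects(r.Src, src) {
			continue
		}
		for _, d := range r.Dst {
			i := strings.LastIndex(d, ":") // "tag:prod:22,443" splits at the last colon
			if i < 0 || !p.selects([]string{d[:i]}, dst) {
				continue
			}
			for _, spec := range strings.Split(d[i+1:], ",") {
				if portMatch(spec, port) {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	p, _ := LoadPolicy(samplePolicy)
	staging, prod := Node{Tags: []string{"tag:staging"}}, Node{Tags: []string{"tag:prod"}}
	fmt.Println("staging -> prod:5432:", p.Allowed(staging, prod, 5432)) // false
	fmt.Println("prod -> prod:5432:", p.Allowed(prod, prod, 5432))       // true
}
```

The staging-to-prod check is the “hack one node, own the mesh” scenario: with no rule naming tag:staging as a source for prod, the compromised staging box gets nothing, and the only way to change that is an explicit edit to the policy file, which is exactly the kind of change that shows up in review.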

And TSNet? The platform primitive. tsnet is a Go library that embeds a full Tailscale node in your own program, so there is no separate tailscaled or VPN daemon to install: your binary joins the tailnet as a node with its own identity, listens and dials over it, and can ask who is on the other end of any connection before serving it. Fly.io vibes, but private by default.

This isn’t incremental. It’s an architectural pivot: Tailscale as the platform, Tailnet as the transport. Devs get velocity; ops get control.

Sponsor breaks aside—NordLayer, Squarespace, Fly.io—they underscore the meta: networking’s hot, but Tailscale’s threading the needle toward AI.

Aperture: Tailscale’s AI Firewall, or Clever Cash Grab?

Aperture steals the show. Private AI gateway for API keys, observability, agent security. Feed it Anthropic, Bedrock calls—Tailscale proxies, rate-limits, logs without exposing keys.
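The pattern that paragraph describes, an identity-aware proxy that holds the provider key so callers never do, as an added example (mine; it is not Aperture’s code, and the page does not describe Aperture’s internals). The Identify hook is where a tsnet-embedded deployment would plug in a WhoIs lookup on the peer address; here it is a plain function so the gateway can be exercised against a local test upstream. The upstream URL and key are hypothetical.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// Gateway fronts one upstream model API. Callers never hold the provider key;
// the gateway identifies them, rate-limits per identity, writes an audit line
// and only then forwards the request with the real key attached.
type Gateway struct {
	limit  int           // requests per caller per window
	window time.Duration
	proxy  *httputil.ReverseProxy

	// Identify maps a request to a caller identity. In a tsnet-embedded app this
	// would be a WhoIs lookup on r.RemoteAddr (a deployment assumption, not a
	// description of Aperture); the default refuses everyone.
	Identify func(r *http.Request) (string, error)
	Now      func() time.Time // injectable clock for tests

	mu      sync.Mutex
	buckets map[string]*bucket
}

type bucket struct {
	start time.Time
	n     int
}

// NewGateway wires the reverse proxy. The key header is provider-specific
// (Anthropic uses x-api-key, OpenAI-style APIs a Bearer token); Bearer is used
// here, and caller-supplied key headers are replaced or stripped either way.
func NewGateway(upstream *url.URL, upstreamKey string, limit int, per time.Duration) *Gateway {
	g := &Gateway{
		limit: limit, window: per, Now: time.Now, buckets: map[string]*bucket{},
		Identify: func(*http.Request) (string, error) {
			return "", errors.New("no identity source configured")
		},
	}
	g.proxy = &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(upstream)
		pr.Out.Header.Del("X-Api-Key") // never forward whatever the caller sent
		pr.Out.Header.Set("Authorization", "Bearer "+upstreamKey)
	}}
	return g
}

// allow is a fixed-window counter per caller: crude, but enough to stop one
// runaway agent from burning the shared key's entire quota.
func (g *Gateway) allow(caller string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.Now()
	b := g.buckets[caller]
	if b == nil || now.Sub(b.start) >= g.window {
		b = &bucket{start: now}
		g.buckets[caller] = b
	}
	b.n++
	return b.n <= g.limit
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	caller, err := g.Identify(r)
	if err != nil || caller == "" {
		http.Error(w, "unidentified caller", http.StatusUnauthorized)
		return
	}
	if !g.allow(caller) {
		http.Error(w, "rate limited", http.StatusTooManyRequests)
		return
	}
	// Audit who called which endpoint; prompt and completion bodies are not logged.
	log.Printf("caller=%s method=%s path=%s", caller, r.Method, r.URL.Path)
	g.proxy.ServeHTTP(w, r)
}

func main() {
	upstream, _ := url.Parse("https://llm.example.com") // hypothetical provider endpoint
	g := NewGateway(upstream, "provider-key-held-only-here", 60, time.Minute)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", g))
}
```

The design choice worth copying is that identity comes from outside the request: nothing the caller puts in a header decides who they are or which key they get, which is the property a tailnet-fronted gateway can offer and a public API-key proxy cannot.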

Cloud or self-hosted? Carney: cloud for speed, self-host for paranoia. Multi-tenant ready, partners incoming.

“Aperture as AI gateway/firewall” —straight from the pod, nailing the why: secure agents in multi-tailnet worlds.

Skepticism check: Tailscale’s PR spins it as zero-trust AI. Fair, but it’s also monetization gold: SaaS wrappers on open-source networking. Still, the how impresses. The gateway sits between agents (MCP clients included) and the model APIs, so provider keys stay on the gateway and policy is applied per caller identity rather than per shared key. No vendor lock; integrate Salesforce, Google Workspace auth upstream.

What’s next? Carney hints at GopherCon talks, Simon Willison nods—Tailscale’s embedding in the Go ecosystem, powering edge AI without cloud dependency.

Look. In a world of Vercel hype and AWS sprawl, Tailscale’s platform feels like the anti-cloud: own your stack, pay for control. Multi-tailnet kills shadow IT; Aperture tames LLM chaos; TSIDP erases auth friction.

But is it Big Brother? Carney laughs it off: setup’s minutes, not migrations.

Email [email protected] for collabs. Show off your setups; they’re listening.

Why Does Tailscale’s Platform Matter for Developers?

Devs: this means apps with baked-in networking. No iptables hacks. TSNet apps deploy to homelab or colo, auth via TSIDP, AI calls firewalled by Aperture.

Architectural shift? From siloed tools—VPN here, IdP there, API gateway elsewhere—to unified plane. Tailscale owns the ACL layer, WireGuard under the hood.

Bold call: they’re building the zero-trust kernel for distributed systems. Parallels OpenSSH’s rise, but for meshes. Ignore at your peril.

Is Tailscale Replacing Traditional VPNs?

Not quite; it enhances them. But for greenfield? Yes. Zero-config, peer-to-peer connectivity that works the same from a laptop, a colo rack or a Fly.io machine (Tailscale is a mesh, not the global anycast Fly.io shouts about).

Wrapping up the deep dive: Tailscale’s not yelling from rooftops. They’re shipping. Your move.

Frequently Asked Questions

What is Tailscale Aperture?

Aperture’s Tailscale’s secure AI gateway—manages API keys for LLMs like Anthropic, adds observability and agent policies, cloud or self-hosted.

How does TSIDP work for homelabs?

TSIDP turns your Tailnet into an OIDC provider; apps get clickless auth via dynamic registration—no extra IdPs needed.

What are multiple tailnets in Tailscale?

Isolated networks within one org, enforced by policy files—perfect for prod/staging separation without complex firewalls.

Written by Sarah Chen

AI research editor covering LLMs, benchmarks, and the race between frontier labs. Previously at MIT CSAIL.



Originally reported by changelog.com
