Connect k8s and on prem, with on prem floating IP?

We have a setup where a customer has an on prem agent that connects to us, and we connect to the on prem agent. This is to facilitate some bidirectional integration.

We have a fixed IP, and the customer has a fixed IP because we are connecting over a semiprivate network that requires registration.

Now the solution is moving away from the semiprivate network, the customer’s IP will no longer be fixed, and we would like to beef up the security (to much higher than it was originally).

I’m wondering if we use Tailscale, how this could work in detail. Initiating and securing an outbound connection to us would be relatively easy, as we have a fixed IP. How could we solve this in the other direction?

I had some thoughts:

  • both ends connect to a cheap VPS with a fixed IP that can maintain open connections, and act as a VPN hub of sorts
  • same as above, but perhaps Tailscale has a product that does this for us
  • customer connects to us and (somehow) Wireguard makes this into a bidirectional network

I don’t know if any of these are suitable, but I wanted to ask as the other alternative is to rewrite the software to make it only need to connect outbound to customer, which would be a lot more work, and I’m struggling with the Tailscale docs to make headway.

Any thoughts? Could any Tailscale products map on to any of the above ideas, or is there a better idea?

Tailscale is an overlay network, meaning:

  • each node gets an IP address on the tailnet, 100.x.y.z
  • wireguard tunnels carry tailnet traffic through the public Internet

The tailscale daemon keeps track of its public IP addresses and communicates them to other nodes on the tailnet to be able to connect the Wireguard tunnels. It doesn’t need a static address, it will notice when the public IP changes and adapt.

You can try it for free and see if it would work.

Thanks @DGentry, that makes sense, and I really appreciate the info. I’ve uncovered some more information - it’s quite possible that the customer side might not have a public IP address at all, and may only be able to do outbound connections. Would that scupper the use of Wireguard/Tailscale?

(Happy to add that to the original question if that’s better etiquette on this site; I just didn’t want to edit the question from under you.)

Via NAT traversal, Tailscale can still work even if one end of the link doesn’t allow incoming connections: How NAT traversal works · Tailscale

I’d recommend just trying it. It takes 5 minutes to install and can be used for free to try it and see if it would work in your environment.
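Once both ends are on the tailnet (the overlay described in the first answer, with NAT traversal handling the no-inbound case described in the second), the "beef up the security" part of the question is mostly an ACL problem: the two nodes should only be able to reach each other on the integration ports, in both directions, and nothing else. The policy below is an added illustration, not from this thread or from Tailscale's own docs; the tag names (`tag:k8s-integration`, `tag:onprem-agent`) and ports (8443 on the agent, 443 on the k8s side) are assumptions, and each node must be brought up with its tag (e.g. `tailscale up --advertise-tags=tag:onprem-agent`) for the rules to match.

```json
{
  // Tailscale policy file (HuJSON, so comments are allowed).
  // Tag and port values are assumptions for this example.
  "tagOwners": {
    "tag:k8s-integration": ["autogroup:admin"],
    "tag:onprem-agent":    ["autogroup:admin"]
  },

  // Tailscale is default-deny: with no "src": ["*"] rule present,
  // only the two flows below are permitted, in either direction.
  "acls": [
    // k8s side -> on-prem agent, agent API port only (assumed 8443)
    {
      "action": "accept",
      "proto":  "tcp",
      "src":    ["tag:k8s-integration"],
      "dst":    ["tag:onprem-agent:8443"]
    },
    // on-prem agent -> k8s side, integration ingress only (assumed 443)
    {
      "action": "accept",
      "proto":  "tcp",
      "src":    ["tag:onprem-agent"],
      "dst":    ["tag:k8s-integration:443"]
    }
  ],

  // Policy tests are evaluated when the policy is saved; a failing
  // "deny" here blocks the change, so an accidental widening is caught.
  "tests": [
    {
      "src":    "tag:onprem-agent",
      "accept": ["tag:k8s-integration:443"],
      "deny":   ["tag:k8s-integration:22", "tag:k8s-integration:6443"]
    },
    {
      "src":    "tag:k8s-integration",
      "accept": ["tag:onprem-agent:8443"],
      "deny":   ["tag:onprem-agent:22"]
    }
  ]
}
```

Because the rules are written in terms of tags rather than 100.x.y.z addresses, they keep working when either side's public IP changes or the agent is reinstalled, which is the situation the question describes.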
