We have a setup where a customer has an on-prem agent that connects to us, and we connect to the on-prem agent. This is to facilitate some bidirectional integration.
We have a fixed IP, and the customer has a fixed IP because we are connecting over a semiprivate network that requires registration.
Now the solution is moving away from the semiprivate network, the customer’s IP will no longer be fixed, and we would like to beef up the security (to much higher than it was originally).
I’m wondering if we use Tailscale, how this could work in detail. Initiating and securing an outbound connection to us would be relatively easy, as we have a fixed IP. How could we solve this in the other direction?
I had some thoughts:
- both ends connect to a cheap VPS with a fixed IP that can maintain open connections, and act as a VPN hub of sorts
- same as above, but perhaps Tailscale has a product that does this for us
- customer connects to us and (somehow) WireGuard makes this into a bidirectional network
I don’t know if any of these are suitable, but I wanted to ask, as the other alternative is to rewrite the software to make it only need to connect outbound to the customer, which would be a lot more work, and I’m struggling with the Tailscale docs to make headway.
Any thoughts? Could any Tailscale products map onto any of the above ideas, or is there a better idea?
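As an added illustration of the third idea above (example configuration, not part of the original post and not Tailscale's or the poster's setup): a plain WireGuard peer pair in which only the customer agent initiates, yet either side can open connections over the tunnel afterwards. It shows the two settings that make this work: the fixed-IP side omits `Endpoint` and learns the agent's current address from each authenticated handshake, while the dynamic-IP side sets `PersistentKeepalive` so the NAT or firewall mapping stays open for vendor-initiated traffic. The 10.90.0.0/24 tunnel range, the 203.0.113.10 vendor address, port 51820 and the `<..._key>` values are constructed placeholders.

```ini
# ---- Vendor side, /etc/wireguard/wg0.conf (fixed public IP; constructed example) ----
[Interface]
Address    = 10.90.0.1/24
ListenPort = 51820
PrivateKey = <vendor_private_key>      # placeholder; generate with `wg genkey`

# One [Peer] block per customer agent. Deliberately NO Endpoint line:
# the agent's public address is learned from the first authenticated
# handshake it sends, and updated automatically if the agent's IP changes.
[Peer]
PublicKey  = <customer_public_key>     # placeholder
AllowedIPs = 10.90.0.2/32              # agent may only send from this one tunnel address

# ---- Customer agent side, /etc/wireguard/wg0.conf (dynamic IP, behind NAT; constructed) ----
[Interface]
Address    = 10.90.0.2/32
PrivateKey = <customer_private_key>    # placeholder
# No ListenPort: an ephemeral source port is used for the outbound flow.

[Peer]
PublicKey           = <vendor_public_key>   # placeholder
Endpoint            = 203.0.113.10:51820    # vendor's fixed IP (constructed value)
AllowedIPs          = 10.90.0.1/32          # reach only the vendor's tunnel address, never a default route
PersistentKeepalive = 25                    # keep the NAT mapping alive so the vendor can initiate at any time
```

Once `wg-quick up wg0` runs on the agent, the vendor host can connect to 10.90.0.2 and the agent to 10.90.0.1 at any time over the single outbound-initiated tunnel. The /32 `AllowedIPs` on both ends limits each side's reach to one tunnel address; a host firewall rule on `wg0` permitting only the integration ports narrows it further.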