Tailscale for remote worker AD auth and domain access?

Hello all,

We are investigating options to replace our aging SonicWall SSL VPN infrastructure for about 20 permanently remote users and 50 or so users who have laptops that they use remotely and in the office.

I have spun up a demo of Tailscale and have it working with two test devices, and a device configured as a subnet router to provide access to the subnet where active directory domain controllers/dns and file/app servers live. This seems to be a direct replacement for our existing setup but also allows us to run the client in unattended mode which is a plus so that any policies/updates/etc pushed from AD or Group Policy will always hit our remote laptops and we don’t have to wait for a remote user to turn it on and sign in to the VPN. This seems to introduce some measurable latency with the subnet router, vs if I attempt to ping a server directly via its Tailscale IP.

I am looking to see if anyone has any success with setting this up in such a way that we do not use a subnet router, and have the Tailscale client installed on every domain controller and server. Has anyone had any success on this?

If not, I believe I can make it work via the subnet router option and can see if there are any ways to reduce latency with that.

People definitely do install the Tailscale agent directly on domain controllers, SQL servers, etc.

However, the subnet router generally doesn’t add significant latency. How long is “significant”?

Tailscale (remote laptop) to Tailscale (file server) I was seeing consistent 10-11 ms ping times. If I went remote laptop to file server via the subnet router it jumps to 150-200 ms ping times. Granted I am running the subnet router currently on an old Windows box with a 4th Gen i3 and 4 GB of RAM. I have some time later today where I am going to spin up a Linux VM and see how that performs as a subnet router.

How are you running the subnet router in Windows? The Tailscale Windows service doesn’t support subnet routing to my knowledge.

We have a Linux VM (Fedora 31 Server, 2 GB of memory, 16 GB VHD) running on a Hyper-V server for our subnet router and the additional latency is very low: 13 ms over Tailscale to the AD DC, 10 ms direct to the WAN gateway.

The Windows installer puts a tailscale.exe command in %PATH% which takes the same arguments as the Linux CLI command. From cmd.exe you can run tailscale up --advertise-routes=192.168.1.0/24 and the Windows system will work as a subnet router.


I went back and tested with an Ubuntu 20.04 server with the Tailscale client on there set as a subnet router and got much better performance. Almost identical latency to Tailscale to Tailscale, which is great.

As a follow-up to this, if we configure machines to run in unattended mode and the user is on a laptop and comes back into the office, is there a way for Tailscale to recognize it is on the local LAN and not use the subnet router, maybe giving lower priority to the Tailscale interface?


Devices will tend to use the most specific route. So if you advertise the subnet one bit wider, any local route should “win”.

So instead of advertising 192.168.1.0/24 you would advertise 192.168.1.0/23 - which includes some addresses outside of the range, but odds are that they don’t exist on your network. This way, when you’re local, the /24 route managed internally will be more specific than the /23 route of the tailscale interface.

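Added example (not from the thread or from Tailscale): a small Python model of the longest-prefix-match behaviour the reply above relies on, using only the standard library. It takes the thread's 192.168.1.0/24 office subnet, widens it one bit as the reply suggests, and shows which interface a host would pick for a file-server address both in the office (where a directly connected /24 exists) and remotely (where only the advertised /23 exists). It also lists the extra addresses the wider prefix drags in, so you can check they don't collide with a real subnet. The interface names eth0 and tailscale0 are assumed; note that ipaddress insists the wider prefix be written on its true boundary (192.168.0.0/23), which strict=False handles when given the poster's 192.168.1.0/23.

```python
import ipaddress
from typing import Optional

# Office subnet from the thread; everything else here is constructed for the example.
OFFICE_SUBNET = "192.168.1.0/24"


def widen_one_bit(net: str) -> ipaddress.IPv4Network:
    """Return the prefix one bit wider than `net` (a /24 becomes the enclosing /23).

    strict=False masks off host bits, so "192.168.1.0/23" is accepted and
    normalised to 192.168.0.0/23 before widening.
    """
    return ipaddress.ip_network(net, strict=False).supernet(prefixlen_diff=1)


def extra_addresses(net: str) -> ipaddress.IPv4Network:
    """The half of the widened prefix that is NOT the original subnet.

    These are the addresses that will be sent to the subnet router even though
    they are outside the range you actually meant to advertise.
    """
    original = ipaddress.ip_network(net, strict=False)
    wide = widen_one_bit(net)
    return next(s for s in wide.subnets(prefixlen_diff=1) if s != original)


def overlaps_known_subnets(net: str, known: list[str]) -> list[str]:
    """Known subnets that overlap the extra addresses pulled in by widening."""
    extra = extra_addresses(net)
    return [k for k in known if ipaddress.ip_network(k, strict=False).overlaps(extra)]


def select_route(dest: str, routes: dict[str, str]) -> Optional[str]:
    """Longest-prefix match: the most specific route containing `dest` wins.

    `routes` maps prefix -> interface name, e.g. {"192.168.1.0/24": "eth0"}.
    Returns None when no route matches.
    """
    d = ipaddress.ip_address(dest)
    best_net: Optional[ipaddress.IPv4Network] = None
    best_iface: Optional[str] = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if d in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


# Constructed routing tables (assumed interface names).
ADVERTISED = str(widen_one_bit(OFFICE_SUBNET))          # "192.168.0.0/23"
IN_OFFICE_ROUTES = {OFFICE_SUBNET: "eth0", ADVERTISED: "tailscale0"}
REMOTE_ROUTES = {ADVERTISED: "tailscale0"}


def main() -> None:
    fileserver = "192.168.1.10"
    print("advertise-routes value:", ADVERTISED)
    print("extra addresses covered:", extra_addresses(OFFICE_SUBNET))
    print("in office ->", select_route(fileserver, IN_OFFICE_ROUTES))
    print("remote    ->", select_route(fileserver, REMOTE_ROUTES))
    # Caveat check: does the widened range swallow a subnet that really exists?
    print("collisions:", overlaps_known_subnets(OFFICE_SUBNET, ["192.168.0.0/24", "10.0.0.0/8"]))


if __name__ == "__main__":
    main()
```

The collision check is the part worth keeping: if the other half of the /23 (192.168.0.0/24 here) is a real VLAN that the subnet router cannot reach, remote users will have that range silently routed into Tailscale and dropped, so confirm the extra range is unused before widening.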

You can likely fix the subnet router performance by adding GOGC=100 (environment variable) to the launch of the tailscaled that is hosting the subnet router. The 1.24 release will very likely include this change so it won’t be necessary anymore.