Tailscale Zero-Trust Access
Identity-based remote access over a WireGuard overlay. No open inbound ports, deny-by-default ACLs as policy-as-code, Pi-hole as subnet router.
The problem with the old model
A traditional VPN wants an open inbound port, shared credentials, and trusts anything that makes it past the perimeter. For a lab reachable from untrusted networks, that's attack surface bought for convenience. The goal was remote access with none of those tradeoffs.
Architecture
Every client and lab node runs Tailscale. Traffic from a remote client rides the WireGuard overlay, gets its identity verified and ACLs evaluated at connection time, then reaches internal services through a single subnet router. Pi-hole advertises the internal /24 and handles NAT — enrolled clients reach LAN hosts by their real addresses without Tailscale on every box.
ACL tiers — policy as code
tag:admin: Full subnet, all hosts, all ports.
tag:dns: Pi-hole port 53 only. Verified to deny SSH and Grafana.
tag:monitor: Grafana, Prometheus, and Alertmanager — and explicitly nothing else.
No inbound ports
The edge firewall has nothing open. Every connection initiates outbound through Tailscale's coordination server — the internal network is never directly addressable from the internet.
Tags over firewall rules
Segmentation is identity-based and centralized. Adding a node or changing a tier is an ACL edit, not a sweep through per-host iptables.
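As an added example (not the author's actual policy file), the three tiers above expressed as a Tailscale policy in HuJSON, with a tests section that makes the "tag:dns cannot reach SSH or Grafana" check part of the policy itself. The LAN range 192.168.50.0/24, the Pi-hole at .2, the monitoring host at .10 and the service ports are assumed values.

```jsonc
{
  // Only tailnet admins may apply these tags when enrolling a device.
  "tagOwners": {
    "tag:admin":   ["autogroup:admin"],
    "tag:dns":     ["autogroup:admin"],
    "tag:monitor": ["autogroup:admin"],
    "tag:router":  ["autogroup:admin"]
  },

  // The Pi-hole (tagged tag:router) may advertise the LAN without manual approval.
  // Assumed addresses: LAN 192.168.50.0/24, Pi-hole .2, monitoring host .10.
  "autoApprovers": {
    "routes": { "192.168.50.0/24": ["tag:router"] }
  },

  // Deny by default: anything not listed here is unreachable.
  "acls": [
    // tag:admin: full subnet, all hosts, all ports.
    { "action": "accept", "src": ["tag:admin"], "dst": ["192.168.50.0/24:*"] },

    // tag:dns: Pi-hole DNS only (port 53), nothing else on that host.
    { "action": "accept", "src": ["tag:dns"], "dst": ["192.168.50.2:53"] },

    // tag:monitor: Grafana, Prometheus, Alertmanager (assumed default ports),
    // and explicitly nothing else.
    { "action": "accept", "src": ["tag:monitor"],
      "dst": ["192.168.50.10:3000", "192.168.50.10:9090", "192.168.50.10:9093"] }
  ],

  // Policy tests: a tier that accidentally widens (e.g. tag:dns reaching SSH
  // or Grafana) fails the test and the policy is not applied.
  "tests": [
    { "src": "tag:dns",
      "accept": ["192.168.50.2:53"],
      "deny":   ["192.168.50.2:22", "192.168.50.10:3000", "192.168.50.10:22"] },
    { "src": "tag:monitor",
      "accept": ["192.168.50.10:3000", "192.168.50.10:9090", "192.168.50.10:9093"],
      "deny":   ["192.168.50.10:22", "192.168.50.2:53", "192.168.50.2:80"] },
    { "src": "tag:admin",
      "accept": ["192.168.50.2:22", "192.168.50.2:53", "192.168.50.10:3000"] }
  ]
}
```

Tailscale evaluates the tests block on every save, so a change that breaks a tier's boundary is rejected before it reaches any node.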
Pi-hole as the single subnet router
Centralizes both subnet advertisement and DNS filtering on one lightweight node instead of spreading either across the fleet.
Roadmap
Stack