How it works
Tailscale is a partially open source service that allows users to set up VPNs with little to no configuration.
Vanta offers Access integration capabilities for this service to sync Tailscale connected accounts on an hourly schedule.
Use Cases
Connecting Tailscale will allow users to perform the following compliance tests:
Check Tailscale accounts linked in Vanta
Check Tailscale accounts deprovisioned when personnel leave
Overview
Vanta needs to call Tailscale’s API, specifically its List users API, to sync users between the two systems and perform the compliance tests listed above.
Tailscale allows setting up OAuth clients to grant scoped access to its API, and Vanta requires
This article describes how to create an OAuth client in Tailscale and use it to connect Tailscale to Vanta.
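The two compliance tests listed under Use Cases can be pictured as a comparison between a List users response and a personnel roster. The following is an added example, not Vanta's implementation and not part of the original article; the field names (loginName, status), the "suspended" status value, the roster inputs and the sample response are assumptions constructed for illustration.

```python
import json

# Constructed sample of a List users response body (not real data).
SAMPLE_RESPONSE = json.dumps({"users": [
    {"id": "u1", "loginName": "alice@example.com", "role": "admin", "status": "active"},
    {"id": "u2", "loginName": "Bob@Example.com", "role": "member", "status": "active"},
    {"id": "u3", "loginName": "carol@example.com", "role": "member", "status": "suspended"},
    {"id": "u4", "loginName": "svc-ci@example.com", "role": "member", "status": "idle"},
]})

# Statuses treated as "can no longer use the tailnet" (assumption).
DEPROVISIONED_STATUSES = {"suspended"}


def normalize(email):
    """Compare logins case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def audit_accounts(response_body, current_staff, offboarded):
    """Return (still_provisioned, unlinked) lists of login names.

    still_provisioned: offboarded people whose Tailscale account is still usable.
    unlinked: usable accounts that match nobody in the personnel roster.
    """
    staff = {normalize(e) for e in current_staff}
    gone = {normalize(e) for e in offboarded}
    still_provisioned, unlinked = [], []
    for user in json.loads(response_body).get("users", []):
        login = normalize(user.get("loginName", ""))
        if user.get("status") in DEPROVISIONED_STATUSES:
            continue  # account exists but can no longer be used
        if login in gone:
            still_provisioned.append(login)
        elif login not in staff:
            unlinked.append(login)
    return sorted(still_provisioned), sorted(unlinked)


if __name__ == "__main__":
    findings = audit_accounts(
        SAMPLE_RESPONSE,
        current_staff=["alice@example.com"],
        offboarded=["bob@example.com", "carol@example.com"],
    )
    print(findings)
```

Both checks only read user records, which is why the Users → Read permission is sufficient for the OAuth client.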
Requirements
You need an Owner or Admin account in order to access the Tailscale Admin console.
Install the integration
In your Vanta dashboard, locate the Tailscale integration at /integrations?details=tailscale
Click the Connect button to open a modal where you provide your OAuth app to Vanta. This will redirect you to a guided flow view to connect Tailscale.
The Tailscale API requires an organization name to identify the tailnet that requests fetch data from. You can find your organization name in the Settings tab of your Tailscale dashboard, under the Organization input field.
Enter the organization name in the input field of the same name and click Next to continue. You can also skip this step if you want to use the default Tailscale organization name, which is - (a single hyphen character).
Vanta then shows a form requesting your OAuth app credentials. The OAuth client needs the Read Users permission so that Vanta can authenticate against the Tailscale API and perform requests through the List users API.
If you don’t already have an OAuth client that meets these constraints, you can create a new one through the Settings → OAuth clients section in your Tailscale dashboard.
Click the Generate OAuth client… button to open the following modal, configure your new OAuth client, and select only the Users → Read permission.
After selecting the permission, click on the Generate client button at the bottom of the modal to generate the OAuth app in your Tailscale dashboard.
This will generate a new set of client credentials to access the recently created OAuth app.
Enter the Client ID and Client secret values in Vanta’s form and click the Done button to submit your Tailscale credentials to Vanta.
If everything worked properly, you should see the following screen confirming that the integration was connected successfully.
Vanta supports connecting multiple tailnets as well. To do so, go to the integrations?integration-dialog=tailscale&flow=edit tab.
From there you can connect or disconnect as many tailnets as you need.
Permissions
Vanta only accesses the following data from your Tailscale networks:
Vanta will be able to view:
Data about your users
Data about your user details
Vanta will be able to do:
Nothing
Troubleshooting FAQ
Errors during installation
Invalid client credentials
This can happen if the client credentials entered are incorrect, which prevents Vanta from authenticating against Tailscale. Check that the API client credentials are valid, or create a new client with the right permissions in the Settings → OAuth clients tab.
Invalid organization name
Vanta checks if the organization name is valid before connecting the credentials. Make sure it matches the one found in the Settings page.
Invalid scope
This happens if the OAuth client doesn’t have the Read Users permission.
Create a new OAuth app to connect to Vanta if that happens, as Tailscale doesn’t seem to allow changing the client scopes after creating them.