Tailscale is a partially open source service that allows users to set up VPNs with little to no configuration.
Vanta offers Access integration capabilities for this service to sync Tailscale connected accounts on an hourly schedule.
Use Cases
Connecting Tailscale will allow users to perform the following compliance tests:
Check Tailscale accounts linked in Vanta
Check Tailscale accounts deprovisioned when personnel leave
Overview
Vanta requires interacting with Tailscale’s API in order to sync users between both systems and perform the aforementioned compliance tests through its List users API.
Tailscale allows setting up OAuth clients to grant scoped access to its API, and Vanta requires
This article describes how to create an OAuth client in Tailscale and use it to connect Tailscale to Vanta.
Requirements
You need an Owner or Admin account in order to access Tailscale Admin console
Install the integration
In your Vanta dashboard, locate the Tailscale integration at /integrations?details=tailscale
Click the Connect button to open a modal for adding your OAuth app to Vanta. This will redirect you to a guided flow view to connect Tailscale.
The Tailscale API requires an organization name to identify the tailnet that requests fetch data from. You can find your organization name on the Settings tab in your Tailscale dashboard, under the Organization input field. Vanta allows you to connect multiple organizations if you wish.
Enter the organization name in the input field of the same name and click Next to continue. You can also skip this step if you want to use the default Tailscale organization name, which is - (a single hyphen character).
Vanta will now show a new input form requesting your OAuth app credentials, as it needs a client with the Read Users permission in order to authenticate against the Tailscale API and perform requests through the List users API.
If you don’t already have an OAuth client that satisfies these constraints, you can create a new one through the Settings → OAuth clients section in your Tailscale dashboard.
Click the Generate OAuth client… button to open the following modal, configure your new OAuth client and select only the Users → Read permission.
After selecting the permission, click on the Generate client button at the bottom of the modal to generate the OAuth app in your Tailscale dashboard.
This will generate a new set of client credentials for the newly created OAuth app.
Pass the Client ID and Client secret values to Vanta’s form and click the Done button to submit your Tailscale credentials to Vanta.
If everything worked properly, you should see the following screen confirming that the integration was connected successfully.
Vanta supports connecting multiple tailnets as well. You can do this from the integrations?integration-dialog=tailscale&flow=edit tab.
It will allow you to connect or disconnect as many tailnets as you need.
Permissions
Vanta only accesses the following data from your Tailscale networks:
Vanta will be able to view:
Data about your users
Data about your user details
Vanta will be able to update:
Nothing
We only use the List Users endpoint to retrieve users and their details. These are the fields that we read and actively use for the Access capability:
Id: Unique identifier of a user.
Display Name: The full name of the user.
Login Name: The email address the user requires to access a Tailscale account.
Created Date: The date when the user was created in Tailscale.
Role: The role of the user. These are listed here and can be one of the following:
Owner
Admin
Network Admin
IT Admin
Billing Admin
Auditor
Member
Status: The status of the user. Vanta filters out users that don’t match an active status, but since there are several such statuses, Vanta lets the end user pick the ones that represent active users:
Active (By default, we only retrieve users that match this status)
Idle
Suspended
Needs Approval
Over Billing Limit
Last Seen Date: The last time the user connected to Tailscale. We use it as the last login date for the user.
We can also read the following data because of the API's granularity, but we neither use it nor store it in our systems.
Type: Whether the user is a member of the tailnet or is shared into it. Vanta allows end users to choose whether to retrieve members only, shared users only, or both.
Profile Picture: The profile picture of the user.
Tailnet Id: The tailnet that owns the user.
Device Count: The number of devices owned by the user.
Currently Connected: Whether the user is currently connected.
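The following Python script is an added worked example, not Vanta's or Tailscale's own code. It models one hourly Access sync end to end: exchanging the OAuth client credentials for a token, calling the List users endpoint for a tailnet, applying the status and member/shared filters described above, keeping only the fields Vanta actively uses, and running the "accounts deprovisioned when personnel leave" check. The token URL, the users URL, the lowercase JSON field and enum names (id, displayName, loginName, status values such as needs-approval) and the HTTP-status-to-error mapping are assumptions based on Tailscale's published API, not taken from this article; the HTTP transport is injected so the example runs offline against constructed sample data.

```python
"""Offline model of a Vanta-style Tailscale Access sync (added example)."""
import json
from urllib import error, parse, request

TAILSCALE_API = "https://api.tailscale.com/api/v2"   # assumed base URL
DEFAULT_ACTIVE_STATUSES = frozenset({"active"})       # article: only Active by default


def urllib_http(method, url, body, token):
    """Real transport (not used in the offline run). Returns (status, text)."""
    req = request.Request(url, data=body, method=method)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()


def get_access_token(client_id, client_secret, http):
    """OAuth client-credentials exchange (assumed endpoint)."""
    body = parse.urlencode({"grant_type": "client_credentials",
                            "client_id": client_id,
                            "client_secret": client_secret}).encode()
    status, text = http("POST", f"{TAILSCALE_API}/oauth/token", body, None)
    if status != 200:                      # FAQ case: invalid client credentials
        raise PermissionError(f"token exchange failed with HTTP {status}")
    return json.loads(text)["access_token"]


def list_users(tailnet, token, http):
    """List users for one tailnet; '-' selects the default tailnet (assumed)."""
    url = f"{TAILSCALE_API}/tailnet/{parse.quote(tailnet, safe='')}/users"
    status, text = http("GET", url, None, token)
    if status == 403:                      # assumed mapping: FAQ 'Invalid scope'
        raise PermissionError("OAuth client lacks the Users -> Read permission")
    if status == 404:                      # assumed mapping: FAQ 'Invalid organization name'
        raise ValueError(f"unknown tailnet {tailnet!r}")
    if status != 200:
        raise RuntimeError(f"list users failed with HTTP {status}")
    return json.loads(text)["users"]


def to_vanta_account(user):
    """Keep only the fields the article says Vanta actively uses."""
    return {"id": user["id"], "display_name": user.get("displayName"),
            "login_name": user["loginName"], "created_date": user.get("created"),
            "role": user.get("role"), "status": user.get("status"),
            "last_login": user.get("lastSeen")}


def sync_accounts(users, active_statuses=DEFAULT_ACTIVE_STATUSES, user_type=None):
    """Apply the status filter and the optional member/shared filter."""
    selected = []
    for u in users:
        if u.get("status") not in active_statuses:
            continue
        if user_type is not None and u.get("type") != user_type:
            continue
        selected.append(to_vanta_account(u))
    return selected


def find_undeprovisioned(accounts, offboarded_emails):
    """Compliance test: active accounts whose login belongs to someone who left."""
    left = {e.lower() for e in offboarded_emails}
    return sorted(a["login_name"] for a in accounts if a["login_name"].lower() in left)


# Constructed sample response; shapes and values are illustrative only.
SAMPLE_USERS = [
    {"id": "u1", "displayName": "Alice", "loginName": "alice@example.com",
     "created": "2023-01-10T00:00:00Z", "type": "member", "role": "admin",
     "status": "active", "lastSeen": "2024-05-01T08:00:00Z"},
    {"id": "u2", "displayName": "Bob", "loginName": "bob@example.com",
     "created": "2023-02-01T00:00:00Z", "type": "member", "role": "member",
     "status": "idle", "lastSeen": "2024-03-12T09:30:00Z"},
    {"id": "u3", "displayName": "Carol", "loginName": "carol@example.com",
     "created": "2023-06-15T00:00:00Z", "type": "shared", "role": "member",
     "status": "active", "lastSeen": "2024-05-02T10:15:00Z"},
    {"id": "u4", "displayName": "Dave", "loginName": "dave@example.com",
     "created": "2022-11-20T00:00:00Z", "type": "member", "role": "member",
     "status": "suspended", "lastSeen": "2024-01-05T07:45:00Z"},
]


def fake_http(method, url, body, token):
    """Constructed transport standing in for the network."""
    if url.endswith("/oauth/token"):
        return 200, json.dumps({"access_token": "constructed-token"})
    return 200, json.dumps({"users": SAMPLE_USERS})


def run_sync(tailnet="-", http=fake_http, **filters):
    """One full sync cycle; swap http=urllib_http and real credentials to go live."""
    token = get_access_token("example-client-id", "example-client-secret", http)
    return sync_accounts(list_users(tailnet, token, http), **filters)


if __name__ == "__main__":
    accounts = run_sync()
    print([a["login_name"] for a in accounts])
    print("still active after leaving:", find_undeprovisioned(accounts, ["Carol@example.com"]))
```

With the default filter only Alice and Carol are synced; widening active_statuses to include idle adds Bob, and user_type="member" drops the shared user Carol. The deprovisioning check is a plain set intersection between synced logins and the offboarded list, which is all the "accounts deprovisioned when personnel leave" test needs once the status filter has been applied.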
Troubleshooting FAQ
Errors during installation
Invalid client credentials
This can happen if the client credentials entered are incorrect, which prevents Vanta from authenticating against Tailscale. Verify that the API client credentials are valid, or create a new client with the right permissions in the Settings → OAuth clients tab.
Invalid organization name
Vanta checks if the organization name is valid before connecting the credentials. Make sure it matches the one found in the Settings page.
Invalid scope
This happens if the OAuth client doesn’t have the Read Users permission.
Create a new OAuth client to connect to Vanta if that happens, as Tailscale doesn’t seem to allow changing a client's scopes after it has been created.