Skip to main content

Connect Vanta & Tailscale

J
Written by Jaquez Hodo
Updated this week

Tailscale is a partially open source service that allows users to set up VPNs with little to none configuration.

Vanta offers Access integration capabilities for this service to sync Tailscale connected accounts on an hourly schedule.

Use Cases

Connecting Tailscale will allow users to perform the following compliance tests:

  • Check Tailscale accounts linked in Vanta

  • Check Tailscale accounts deprovisioned when personnel leave

Overview

Vanta requires interacting with Tailscale’s API in order to sync users between both systems and perform the aforementioned compliance tests through its List users API.

Tailscale allows setting up OAuth clients to grant scoped access to its API, and Vanta requires

This article describes how to create an OAuth client in Tailscale and use it to connect Tailscale to Vanta.

Requirements

  • You need an Owner or Admin account in order to access Tailscale Admin console

Install the integration

In your Vanta dashboard, locate TailScale integration at /integrations?details=tailscale

Click on Connect button to open a modal to insert your OAuth app to Vanta. This will redirect you to a guided flow view to connect Tailscale.

Tailscale API requires an organization name to identify the tailnet where requests fetch data from. You can find your organization name at the Settings tab in your Tailscale dashboard, under the Organization input field. Vanta allows to connect multiple organizations if you desire.

Pass the organization name to the input field of the same name and click Next to continue. You can also skip this step if you want to use the default tailscale organization name, which is - (A single hyphen character).

Now, Vanta will prompt a new input form to request your OAuth app credentials, as we need one with Read Users permissions in order to authenticate against Tailscale API and perform requests through the List users API.

If you don’t have an OAuth client that follows these constraints from beforehand, you can create a new one through the Settings → OAuth clients section in your Tailscale dashboard.

Click on Generate OAuth client… button to open the following modal to configure your new OAuth client and select the Users → Read permission only.

After selecting the permission, click on the Generate client button at the bottom of the modal to generate the OAuth app in your Tailscale dashboard.

This will generate a new set of client credentials to access the recently created OAuth app.

Pass the Client ID and Client secret values to Vanta’s form and click the Done button to submit your Tailscale credentials to Vanta.

If everything worked properly, you should see the following screen confirming that the integration was connected successfully.

Vanta supports connecting multiple tailnets as well. You can do this if you go to the integrations?integration-dialog=tailscale&flow=edit tab.

It will allow you to connect or disconnect as many tailnets as you need.

Permissions

Vanta only accesses the following data from your Tailscale networks:

Vanta will be able to view:

  • Data about your users

  • Data about your user details

Vanta will be able to update:

  • Nothing

We only use the List Users endpoint to retrieve the users and their details. These are the fields that we can read and use actively for the Access capability:

  • Id: Unique identifier of a user.

  • Display Name: The full name of the user.

  • Login Name: The email address the user requires to access a Tailscale account.

  • Created Date: The date when the user was created in Tailscale.

  • Role: The role of the user. These are listed here and can be one of the following:

    • Owner

    • Admin

    • Network Admin

    • IT Admin

    • Billing Admin

    • Auditor

    • Member

  • Status: The status of the user. Vanta filters out users that don’t match an active status, but given that there are several ones, Vanta allows the end user to pick the ones that represent active users:

    • Active (By default, we only retrieve users that match this status)

    • Idle

    • Suspended

    • Needs Approval

    • Over Billing Limit

  • Last Seen Date: The last time the user connected to Tailscale. We use it as the last login date for the user.

We can read the following data as well due to the APIs granularity level, but we don’t use it nor store it in our systems.

  • Type: If the user is a member of the tailnet or it's shared across them. Vanta allows end users to pick whether to retrieve members only, shared users only, or all of them.

  • Profile Picture: The profile picture of the user.

  • Tailnet Id: The tailnet that owns the user.

  • Device Count: The number of devices owned by the user.

  • Currently Connected: If the user is currently connected.

Related Articles

Troubleshooting FAQ

Errors during installation

Invalid client credentials

This can happen if the input client credentials are incorrect and prevents Vanta from authenticating against Tailscale. Review that the API client credentials are valid or create a new one with the right permissions in the Settings → OAuth clients tab.

Invalid organization name

Vanta checks if the organization name is valid before connecting the credentials. Make sure it matches the one found in the Settings page.

Invalid scope

This happens if the OAuth client doesn’t have the Read Users permission.

Create a new OAuth app to connect to Vanta if that happens, as Tailscale doesn’t seem to allow changing the client scopes after creating them.