Zero-Trust Remote Access with Tailscale & Access Gate.
PAM-grade remote access across IT and OT networks, without touching existing infrastructure or VLANs. Tailscale provides encrypted tunnels. Access Gate adds identity enforcement, session brokering, and centralized audit.
Architecture Overview.
Access Gate integrates with Tailscale to deliver privileged remote access across IT and OT networks. Tailscale provides a modern WireGuard-based overlay: zero-config, peer-to-peer encrypted tunnels. Access Gate adds identity enforcement, privileged session brokering, OT asset visibility, and centralized audit.
No VPN Appliance Required
Tailscale replaces traditional VPN concentrators with WireGuard-based encrypted tunnels and integrates natively with Access Gate through its API.
MFA + Session Brokering
Access Gate presents an MFA splash page for the requested session and proxies the communication. Users never get direct network access to endpoints.
Micro-Segmentation
Access Gate enclave model segments LAN access per user, per resource, per protocol. No flat network exposure.
Full Audit Trail
Every remote session is recorded and logged. Access Gate ships events, anomalies, and session alerts to SIEM.
Remote Access Topology.
The architecture shows three distinct flows: remote user access via Firewall/Router, vendor access via Tailscale directly to Access Gate, and log forwarding to Cloud SIEM. Access Gate sits inside the LAN and brokers all sessions to IT and OT subnets.
(1) Remote User Access to Database
• Remote user opens Tailscale client, tunnel established to Access Gate
• Connection routed to Access Gate proxy
• MFA splash page presented, user authenticates
• Session extended to Database — no direct network reach for the user
• Session recorded and logged
(2) Vendor Privilege Access to Control System
• Remote vendor opens Tailscale client, tunnel established to Access Gate
• Access Gate applies ACL, presents MFA splash page + VDI screen
• Vendor authenticates
• Session extended to Control System only
• Session recorded and logged in Access Gate audit trail
(3) Log Skimming to Cloud SIEM
• Optionally, ICS devices stream logs to Access Gate
• Access Gate skims those logs and converts its proxy logs to rsyslog format
• Access Gate establishes a tunnel to the Cloud SIEM and forwards the logs
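The three flows above share two mechanics: a per-user, per-resource, per-protocol decision (the Permission Matrix described in the compliance table) and an audit event that is forwarded to the SIEM in syslog form. The following is an added illustration, not Access Gate or Tailscale code: a minimal session broker that makes a default-deny decision after MFA and emits each decision as an RFC 5424 syslog line, with a small parser standing in for the SIEM ingest side. The matrix entries, hostnames, user names, addresses and the `session@32473` SD-ID are all constructed for the example.

```python
"""Added illustration, not Access Gate or Tailscale code: a minimal session
broker that (a) evaluates a default-deny permission matrix keyed by user,
resource and protocol, and (b) emits each decision as an RFC 5424 syslog
line of the kind flow (3) forwards to a SIEM. All names, rules, hosts and
addresses below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

# Constructed permission matrix: (user, resource, protocol) -> allowed.
# Any tuple not present is denied, so least privilege is the default.
PERMISSION_MATRIX = {
    ("alice", "db-01", "ssh"): True,
    ("vendor-acme", "plc-07", "rdp"): True,  # vendor scoped to one control system
}

FACILITY_AUTH = 4          # syslog facility "auth"
SEV_NOTICE, SEV_WARNING = 5, 4


@dataclass(frozen=True)
class SessionRequest:
    user: str
    resource: str
    protocol: str
    mfa_passed: bool
    src_ip: str


def authorize(req: SessionRequest) -> tuple[bool, str]:
    """Return (allowed, reason). MFA must succeed first; then the exact
    (user, resource, protocol) tuple must be listed in the matrix."""
    if not req.mfa_passed:
        return False, "mfa_failed"
    key = (req.user.lower(), req.resource.lower(), req.protocol.lower())
    if PERMISSION_MATRIX.get(key, False):
        return True, "matrix_allow"
    return False, "no_matching_rule"


def _sd_escape(value: str) -> str:
    """RFC 5424 section 6.3.3: escape backslash, double quote and ']' in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(req: SessionRequest, allowed: bool, reason: str,
              ts: Optional[datetime] = None, hostname: str = "access-gate-01") -> str:
    """Format one broker decision as an RFC 5424 message:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MSG"""
    ts = ts or datetime.now(timezone.utc)
    severity = SEV_NOTICE if allowed else SEV_WARNING
    pri = FACILITY_AUTH * 8 + severity          # PRI = facility * 8 + severity
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"
    params = {
        "user": req.user, "resource": req.resource, "proto": req.protocol,
        "src": req.src_ip, "decision": "allow" if allowed else "deny", "reason": reason,
    }
    # "session@32473" is a constructed SD-ID; 32473 is the enterprise number RFC 5424 reserves for examples.
    sd = "[session@32473 " + " ".join(f'{k}="{_sd_escape(v)}"' for k, v in params.items()) + "]"
    msg = f"session {'allowed' if allowed else 'denied'} for {req.user} -> {req.resource}/{req.protocol}"
    return f"<{pri}>1 {stamp} {hostname} broker - SESSION {sd} {msg}"


_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) "
    r"(?P<msgid>\S+) (?P<sd>\[.*?(?<!\\)\]) ?(?P<msg>.*)$"
)


def parse_syslog(line: str) -> dict:
    """Parse the header and SD params back out, as a SIEM ingest step would."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    out = {"facility": int(m["pri"]) // 8, "severity": int(m["pri"]) % 8,
           "host": m["host"], "msgid": m["msgid"], "msg": m["msg"]}
    for k, v in re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', m["sd"]):
        out[k] = re.sub(r"\\(.)", r"\1", v)   # undo the PARAM-VALUE escaping
    return out


def broker(req: SessionRequest) -> tuple[bool, str]:
    """Decide, then always log, so the SIEM sees denies as well as allows."""
    allowed, reason = authorize(req)
    return allowed, to_syslog(req, allowed, reason)


if __name__ == "__main__":
    # Constructed sample requests: one permitted, one vendor reaching outside its scope.
    for r in (SessionRequest("alice", "db-01", "ssh", True, "100.64.0.5"),
              SessionRequest("vendor-acme", "db-01", "ssh", True, "100.64.0.9")):
        ok, line = broker(r)
        print(ok, line)
```

The deny path is logged with a higher severity than the allow path so that a SIEM rule can alert on vendor sessions that request a resource outside their matrix entry, which is the "monitoring and alerting on remote access events" row of the checklist in practice. A real deployment would replace the in-memory dictionary with the broker's own policy store and ship the lines over TLS rather than printing them.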
Compliance Requirements Checklist.
How Access Gate + Tailscale covers key compliance requirements for remote access.
| Requirement | How Access Gate + Tailscale covers it | Covered |
|---|---|---|
| Multi-factor authentication on remote sessions | Tailscale device auth & Access Gate splash-page for multi-factor authentication | ✓ |
| Least-privilege & role-based access control | Permission Matrix in Access Gate enforces per-user, per-resource, per-protocol rules | ✓ |
| Privileged access management (PAM) identified and proxied | Privileged sessions proxied through Access Gate; no direct network access to OT endpoints | ✓ |
| Session recording & audit trail for privileged sessions | Access Gate logs session events; forwarded to SIEM | ✓ |
| Encrypted remote access (in-transit protection) | WireGuard (Tailscale) provides end-to-end or end-to-hub encryption | ✓ |
| Micro-segmentation | Access Gate enclave model segments LAN access | ✓ |
| Monitoring & alerting on remote access events | Access Gate ships auth events, anomalies, session alerts to SIEM | ✓ |
| Continuous connection inventory | Access Gate logs every remote access session | ✓ |
One Gateway Architecture
Starting with a simpler deployment? The one-gateway architecture covers both IT and OT from a single Access Gate with no changes to your existing perimeter.
Double Gateway Architecture
Need coverage for both IT and OT with separate enforcement zones? The double gateway architecture adds a second layer of protection.
Common Questions About Secure Remote Access.
VPN appliances are not required. Tailscale + Access Gate replaces traditional VPN concentrators entirely.
Not immediately. Tailscale can run alongside existing VPNs. You can migrate users incrementally. Once all remote sessions route through Tailscale + Access Gate, the legacy VPN concentrator can be decommissioned.
Vendors connect via Tailscale directly to the Access Gate (flow 2). Access Gate applies vendor-specific ACLs, presents MFA and a VDI screen, and scopes the session to specific control systems only. Vendors never get broad LAN access.
Access Gate performs protocol-level inspection on industrial protocols (Modbus, EtherNet/IP, OPC-UA) and standard IT protocols (RDP, SSH, HTTP/S). Sessions are broken and re-established through the proxy for full visibility.
Yes. Access Gate processes proxy logs to rsyslog format and establishes a tunnel to your Cloud SIEM. It supports standard syslog forwarding as well as direct integration with common SIEM platforms.