Tailsnitch: The Essential Security Watchdog for Your Tailscale Network
Tailsnitch
A security auditor for Tailscale configurations. Tailsnitch scans your tailnet for 50+ misconfigurations, overly permissive access controls, and security best practice violations.
Tailscale is a Zero Trust identity-based connectivity platform that replaces your legacy VPN, SASE, and PAM and connects remote teams, multi-cloud environments, CI/CD pipelines, Edge & IoT devices, and AI workloads.
Out-of-the-box, Tailscale solves many networking headaches. It has a customizable configuration to meet the demands of managing a distributed workforce. Tailscale helps provision for internal self-hosted and external third-party applications. It scales for growth as your requirements change.
Security Checks
Tailsnitch performs 52 security checks across 7 categories. See docs/CHECKS.md for detailed documentation of each check.
Critical Severity
| ID | Check | Risk |
|---|---|---|
| ACL-001 | Default ‘allow all’ policy | All devices have unrestricted access |
| ACL-002 | SSH autogroup:nonroot misconfiguration | SSH as any non-root user |
| ACL-006 | tagOwners too broad | Privilege escalation via tags |
| ACL-007 | autogroup:danger-all usage | Access granted to external users |
High Severity
| ID | Check | Risk |
|---|---|---|
| AUTH-001 | Reusable auth keys | Unlimited device additions if stolen |
| AUTH-002 | Long expiry auth keys | Extended exposure window |
| AUTH-003 | Pre-authorized keys | Bypass device approval |
| DEV-001 | Tagged devices without key expiry | Indefinite access |
| DEV-002 | User devices tagged | Persist after user removal |
| DEV-010 | Tailnet Lock disabled | No protection against stolen keys |
| DEV-012 | Pending Tailnet Lock signatures | Unsigned nodes need review |
| NET-001 | Funnel exposure | Public internet access |
| NET-003 | Subnet router trust boundary | Unencrypted traffic on local network |
| SSH-002 | Root SSH without check mode | No re-authentication required |
Medium Severity
| ID | Check | Risk |
|---|---|---|
| ACL-004 | autogroup:member usage | External users included |
| ACL-005 | AutoApprovers configured | Bypass route approval |
| AUTH-004 | Non-ephemeral CI/CD keys | Stale devices accumulate |
| DEV-003 | Outdated clients | Potential vulnerabilities |
| DEV-004 | Stale devices | Unused attack surface |
| DEV-005 | Unauthorized devices | Pending approval queue |
| DEV-007 | Sensitive machine names | CT log exposure |
| DEV-009 | Device approval config | May not be enabled |
| NET-004 | HTTPS CT log exposure | Machine names public |
| NET-005 | Exit node traffic visibility | Operator sees all traffic |
| NET-006 | Serve exposure | Local services on tailnet |
| SSH-003 | Recorder UI exposure | Sessions visible to network |
Informational
Checks for logging configuration, DNS settings, user roles, and manual verification items.
Install & Use
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
