Skip to Content
Security & TrustRemote Access

Remote Access

This page pre-answers the “does this open a hole in our firewall?” question before it’s asked. We are direct about what Tailscale is and how it works — including the fact that the management tunnel is bidirectional — so you don’t feel misled later.

What It Is

TAPP uses Tailscale  (a mesh VPN built on WireGuard ) to remotely access the Network Router for configuration, diagnostics, and wireless sensor health monitoring. Remote access cannot reach the equipment side of the TAPP Gateway — the one-way data transfer gateway allows no path from the network side to the equipment side, so there is nothing for Tailscale to cross into.

Tailscale connects devices to each other using a coordination server as a key-exchange “drop box”; the encryption keys that actually secure traffic never leave each device. See Tailscale’s how it works  overview and its encryption  and security  documentation for the full model.

How the Tunnel Works

  • The Network Router initiates an outbound connection to Tailscale’s coordination server — no inbound connection is ever established to your network.
  • Your firewall does not need any inbound rules for this to work. Tailscale documents this in its firewall guidance .
  • Tailscale attempts a direct peer-to-peer connection using UDP 41641 (NAT traversal ). If that port is blocked, it automatically falls back to an encrypted relay (DERP ) over outbound TCP 443. See connection types  for how direct vs. relayed connections are chosen.
  • The tunnel is bidirectional for management traffic — TAPP technicians can read and write configuration on the router itself. This access cannot reach any equipment control system or the equipment side of the TAPP Gateway.
  • Access is scoped using Tailscale access controls (ACLs)  so that only authorized TAPP devices can reach the Network Router.

What TAPP Can Access via Remote

  • Network Router configuration and diagnostics
  • Wireless sensor health and radio status
  • Node-RED data handoff on the router

What TAPP Cannot Access via Remote

  • The equipment side of the TAPP Gateway (there is no return path across the one-way gateway)
  • Any equipment control system — a boiler, chiller, water chemistry controller, or other connected equipment
  • Any other device on the customer network — the Network Router is NAT’d and isolated

Available Concessions (if your security policy requires)

If the standard Tailscale configuration doesn’t meet your security requirements, TAPP can accommodate the following:

  1. Force relay-only over TCP 443 — disable direct UDP 41641 tunneling entirely; all remote management traffic uses an outbound TCP 443 relay only.
  2. Run Tailscale over cellular — configure the remote management tunnel to use the cellular backup uplink exclusively, so it never touches the customer network at all.

Either concession can be configured before or after installation. Contact your TAPP project manager to request a modified configuration.

Last updated on