Tailscale IoT VPN: Zero‑Trust Networking

Secure Remote Access

 

An engineer needs to troubleshoot a programmable logic controller (PLC) at a remote pumping station. The device sits behind a 4G cellular modem, has no public IP address, and its local network blocks inbound traffic. The engineer cannot reach it. This problem repeats daily across factories, warehouses, solar farms, and toll roads worldwide. That is where Bivocom Tailscale IoT VPN changes everything. When you combine Tailscale’s modern overlay network with Bivocom’s powerful hardware, you get secure, zero‑configuration remote access.


What Is Tailscale?


Tailscale is a zero-trust, identity-based networking platform that replaces traditional VPNs with a simple, high-performance mesh architecture. Built on the fast, audited WireGuard protocol, Tailscale creates an encrypted private network—called a tailnet—where every device authenticates via your existing SSO provider (Google, Microsoft, Okta, or any OIDC-compatible service).

Unlike legacy VPNs, Tailscale requires no manual port forwarding, firewall edits, or complex routing rules. Every connection is continuously verified based on identity, not network location—reducing attack surface while ensuring stable remote control connectivity. Whether you’re connecting a distributed workforce, multi-cloud environments, or field devices, Tailscale delivers low-latency, peer-to-peer connectivity that scales without central bottlenecks.

How Tailscale Works

Tailscale runs on a split control-and-data-plane architecture, centralizing network orchestration while keeping all user traffic fully decentralized and end-to-end encrypted.

  1. Control Plane: The Tailscale coordination server handles authentication, key distribution, and access policies (ACLs). It integrates with your existing SSO provider (Google, Okta, etc.) and never touches user traffic—only coordinates.
  2. Data Plane: Built on WireGuard, Tailscale creates a direct, encrypted peer-to-peer mesh between devices. It traverses firewalls and NAT automatically, using STUN to discover each peer's public endpoint and falling back to DERP relays only when a direct connection is impossible. Traffic that does transit a relay stays WireGuard-encrypted end to end, so the relay forwards ciphertext it cannot read.

Tailscale IoT VPN supports two dedicated modes for different IoT hardware architectures.

Mode 1: Direct Installation (For Smart Gateways)
This mode applies to gateways with full operating systems, such as Bivocom’s TG465 series. Engineers install the Tailscale client directly on the gateway. The gateway obtains a unique virtual IP and joins the tailnet. Devices prioritize peer-to-peer direct connections; if direct links fail, DERP relays take over. All traffic between Tailscale-enabled devices is encrypted end-to-end.

Mode 2: Subnet Router Mode (For Legacy Dumb Devices)
Most industrial sites rely on dumb terminals—headless endpoints like sensors, meters, and older PLCs—that cannot run Tailscale clients. Subnet router mode solves this: a Bivocom gateway acts as the subnet router, advertising its local IoT network segment to the Tailscale control plane. Administrators approve the route via the admin console. All devices in the tailnet can then remotely access every endpoint behind that gateway by local IP address. This mode preserves native industrial protocols like Modbus, MQTT, and OPC UA, with no changes required to existing field equipment—only the gateway needs Tailscale installed.
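The following script is an added example, not Bivocom's or Tailscale's own tooling, showing the two halves of subnet router mode described above: the gateway-side steps (enable kernel forwarding, then `tailscale up --advertise-routes=...`) and the tailnet ACL policy that confines access to the advertised segment, which is what the later claim about identity-based ACLs rests on. The subnet `192.168.10.0/24`, the identities in `group:ot-engineers`, the tag `tag:plc-gateway`, and the `MIN_PREFIX` guard are constructed for the example; `tailscale`, `sysctl`, the `/etc/sysctl.d` path and the ACL keys (`groups`, `tagOwners`, `acls`) are real, but the script assumes a Linux gateway with the Tailscale client already installed.

```shell
#!/bin/sh
# Added example (not Bivocom's or Tailscale's tooling): turn a Linux gateway
# into a Tailscale subnet router for one IoT segment and emit the tailnet ACL
# policy that limits who may reach that segment and on which ports.
# Constructed assumptions: field LAN 192.168.10.0/24, engineers in
# group:ot-engineers, the gateway tagged tag:plc-gateway. 'apply' needs root.
set -eu

IOT_SUBNET="${IOT_SUBNET:-192.168.10.0/24}"   # constructed sample value
MIN_PREFIX=16   # refuse to advertise anything broader than a /16

# validate_cidr CIDR -> 0 for a well-formed IPv4 CIDR with an acceptable
# prefix length. Advertising an over-broad route exposes far more than the
# PLC segment, so the prefix floor is part of the check.
validate_cidr() {
  cidr="$1"
  printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  ip="${cidr%/*}"; prefix="${cidr#*/}"
  [ "$prefix" -le 32 ] && [ "$prefix" -ge "$MIN_PREFIX" ] || return 1
  oldifs="$IFS"; IFS=.
  for octet in $ip; do
    [ "$octet" -le 255 ] || { IFS="$oldifs"; return 1; }
  done
  IFS="$oldifs"
  return 0
}

# enable_forwarding: a subnet router forwards packets between the tailnet
# interface and the local LAN; persist the kernel setting via sysctl.d.
enable_forwarding() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    > /etc/sysctl.d/99-tailscale.conf
  sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# advertise_subnet CIDR: join the tailnet and advertise the LAN route. The
# route carries no traffic until an administrator approves it in the admin
# console, as the article describes.
advertise_subnet() {
  validate_cidr "$1" || { echo "refusing to advertise $1" >&2; return 1; }
  tailscale up --advertise-routes="$1"
}

# least_privilege_policy CIDR: tailnet ACL (HuJSON) to paste into the admin
# console. Tailscale ACLs deny anything not explicitly accepted, so only
# group:ot-engineers reaches the advertised segment, and only on the
# industrial protocol ports the article names (Modbus/TCP 502, MQTT 1883,
# OPC UA 4840) plus SSH to the gateway itself.
least_privilege_policy() {
  cat <<EOF
{
  // constructed sample identities
  "groups": {
    "group:ot-engineers": ["alice@example.com", "bob@example.com"]
  },
  "tagOwners": {
    "tag:plc-gateway": ["group:ot-engineers"]
  },
  "acls": [
    // engineers -> field devices behind the gateway, protocol ports only
    { "action": "accept", "src": ["group:ot-engineers"],
      "dst": ["$1:502", "$1:1883", "$1:4840"] },
    // engineers -> the gateway itself for maintenance
    { "action": "accept", "src": ["group:ot-engineers"],
      "dst": ["tag:plc-gateway:22"] }
  ]
}
EOF
}

# Usage: sh subnet-router.sh apply   (on the gateway, as root)
#        sh subnet-router.sh policy  (print the ACL for the admin console)
case "${1:-}" in
  apply)  enable_forwarding; advertise_subnet "$IOT_SUBNET" ;;
  policy) least_privilege_policy "$IOT_SUBNET" ;;
  *)      ;;   # no verb: only define the functions
esac
```

Run `apply` once on the gateway and `policy` anywhere; after the route is approved, a device in the tailnet reaches a PLC at `192.168.10.20` by that address, while the ACL keeps everyone outside `group:ot-engineers` from reaching the segment at all.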


Why IoT Needs Tailscale VPN


For many years, industrial teams relied on traditional VPNs, IPsec, OpenVPN and port forwarding for remote access. These legacy tools share well-known drawbacks: inbound ports left open, manual firewall and NAT configuration, and trust tied to network location rather than identity. The features below show how Tailscale IoT VPN addresses each of them.

  • Mesh architecture: every node connects directly to every other node (when possible), not through a central gateway.
  • Zero-trust: devices authenticate via OIDC (Google, Microsoft, GitHub, Okta, etc.) or SSO.
  • Automatic NAT traversal: uses a coordination server (control plane) to discover peers and establish direct connections, even behind strict firewalls or carrier-grade NAT.
  • Based on WireGuard: inherits its security, small codebase, and high performance.
  • No open inbound ports required: works out of the box on most networks.
  • Tailscale SSH: optional built-in SSH access with authentication and ACLs.

Tailscale offers unmatched ease-of-use and modern zero-trust security, but its reliance on external coordination services can be a constraint under strict data sovereignty rules. Choose Tailscale for agile team deployments, self-hosted OpenVPN for full control, and IPsec for large-scale site interconnectivity.


Bivocom & Tailscale: Native Integration


Bivocom now natively integrates Tailscale IoT VPN across its flagship industrial gateway portfolio. Our range of GNSS/LoRa/5G routers, gateways, RTUs, and IoT platforms spans Ubuntu and OpenWrt systems to address every industrial use case.

Bivocom IoT Gateway & Ubuntu Open Ecosystem

  1. TG465 combines a quad-core ARM Cortex-A55 processor with 1 TOPS NPU, 5G connectivity, and extensive industrial I/O. With Ubuntu and Docker support, it runs Tailscale natively while performing local AI inference and protocol conversion.
  2. TG452 delivers cost-effective edge connectivity with 4G LTE, multiple serial ports, and OpenWrt or Ubuntu options. Tailscale turns it into a secure remote access point for smaller sites.
  3. TG462 adds a 7-inch touch screen for on-site visualization. Tailscale provides the remote access backbone, making it an all-in-one HMI and gateway solution.

What Changes with Tailscale on a Bivocom Gateway?

Tailscale IoT VPN integrated with Bivocom delivers secure, frictionless IIoT connectivity out of the box—no public IPs, no port forwarding, no certificate management. One command deploys, existing SSO authenticates, and identity-based ACLs govern access by role and device type. Legacy PLCs, sensors, and cameras become reachable via subnet routing without modification, while Bivocom’s multi-link failover paired with Tailscale’s auto-reconnection ensures field-grade reliability. All gateways join a single tailnet, giving engineers a unified view across 5G factories, remote sites, or brownfield installations.

The result: fewer site visits, lower OPEX, simplified rollouts, and a closed inbound port posture that shrinks attack surfaces—all without altering existing workflows or hardware.

Typical Industrial Use Cases

  1. Multi-site IIoT deployments: Build low-latency cross-factory or cross-site connections without expensive leased lines, and seamlessly expand as new locations are added.
  2. Field cellular monitoring: Resolve the no-public-IP issue for 4G/5G remote sites, drastically reducing on-site inspection trips and operational costs.
  3. Legacy device renovation: Extend the lifespan of existing PLCs, sensors, and serial devices via subnet router mode, with no hardware replacement needed.
  4. Cross-border IoT projects: Leverage Tailscale's global DERP relays and Bivocom multi-band modules to stabilize cross-region links.
  5. Edge AI clusters: Support high-speed peer-to-peer data transfer between edge gateways for real-time applications such as machine vision and AI inference.

About Bivocom


Industrial IoT does not require a tradeoff between security and operational simplicity. Bivocom engineers rugged, reliable industrial-grade gateways purpose-built for harsh field environments, while Tailscale delivers the zero-trust mesh networking layer designed for modern distributed deployments. Combined, they form a robust, easy-to-deploy integrated solution that resolves core IIoT pain points (cumbersome remote access, network security vulnerabilities, and complex operations and maintenance), whether you're running a 5G smart factory, distributed sensor networks, or legacy brownfield sites. The result: fewer truck rolls, faster root-cause diagnosis, and a consistently hardened posture, all without adding a single layer of managerial complexity. It's not just interoperable; it's inherently practical, giving engineering and security teams exactly what they need.

  • Zero‑configuration remote access from anywhere – no public IP required.
  • Identity‑driven security with fine‑grained ACLs and full audit trails.
  • Subnet routing to reach PLCs, cameras, or sensors behind the gateway.
  • Linear scalability – from a single test device to thousands of field units.

Ready to try it? 
Reach out to our team at [email protected] to discuss your project requirements and explore a tailored solution. In our next blog, How to Run Tailscale on Bivocom Gateways, we provide a complete technical tutorial: installing Tailscale on Bivocom TG465 Ubuntu gateways, enabling subnet routing, testing connectivity, and deploying at scale. 
