
We were in the same boat and set up tailscale, it's been great since.



The difference between this and Tailscale is that Tailscale is everything open by default, and this would be everything blocked by default. Role and Conditional based access would allow people to touch only what they should have access to, at the network level. Tailscale doesn't mesh Identity/Role/Firewall into a denylist.


+1 @ tailscale, one of the best products I have come across in the last few years (!)


Is tailscale a VPN?


re-posting my own comment: https://news.ycombinator.com/item?id=22194454

My opinion is that, in its current form, tailscale essentially provides a cross-platform super-configurable discovery and key-management layer to a P2P network overlay on top of the public internet, secured by Wireguard.

It's like stunnel or ghosttunnel but for L3, and that lets you replace the gargantuan IPSec with something that's way simpler and nimbler like wireguard.

As for LAN vs BeyondCorp... tailscale has BeyondCorp influences. It uses federated identity (OpenID for instance) and device credentials (see: wireguard crypto-routing) to let you in on any mesh network that you have access to be [on]. It is not something novel but super complicated to do it as simply as possible. And wireguard is a key enabler for just that.

BeyondCorp is obviously much more than just SSO. You might also be interested in: https://www.beyondcorp.com/


Yes, it’s wireguard. But they add support for various auth providers (eg, Okta).



