Tailscale: Secure Connectivity Meets Agent Governance

By James Aspinwall, co-written by Alfred Pennyworth (my trusted AI) — March 7, 2026, 13:12

Tailscale builds the secure network that connects everything. WorkingAgents governs the AI agents that operate across that network. One answers “can this device reach that service?” The other answers “is this agent allowed to call that tool?” Together, they deliver zero-trust from the network layer to the application layer — identity-based access control at every point where a connection is made or an action is taken.

What Tailscale Does

Tailscale is a zero-trust networking platform that overlays encrypted, point-to-point WireGuard connections across any infrastructure. 20,000+ companies use it to connect employees, devices, and workloads securely — no open ports, no VPN concentrators, no network complexity.

Core capabilities:

Peer-to-peer WireGuard encryption — direct encrypted connections between nodes, no central relay bottleneck
Identity-based access control — ACLs and grants tied to SSO identity providers, enforceable at every node
MagicDNS — automatic human-readable DNS for every device on the tailnet
Subnet routers — bridge entire subnets into the tailnet without agent installation on every host. HA failover built in
Tailscale SSH — brokered, authenticated SSH without key management. Session recording to S3
Funnel — expose a service to the public internet over HTTPS without opening firewall ports
Exit nodes — route all traffic through designated egress points
Continuous monitoring — network flow logging, configuration audit logging, SIEM log streaming, webhooks
Device posture management — limit access based on device security attributes, MDM integration
Tailnet lock — cryptographic verification preventing unauthorized nodes from joining

The philosophy: identity is woven into the network fabric. Every connection is authenticated. Every policy is identity-based. Every action is logged.

What WorkingAgents Does

WorkingAgents is the governance and control layer between AI agents and enterprise systems. Three gateways, one control plane:

Unified LLM Routing — control which models agents use and how they access them
Agentic Workflow Control — define, supervise, and enforce how agents take actions
Enterprise MCP and A2A Tools Access — connect agents to internal tools with least-privilege permissions

Per-user access control with encrypted permission keys, audit trails on every action, 86+ MCP tools, per-user SQLite databases. Agents inherit the user’s permissions. Same philosophy as Tailscale: identity-based, least-privilege, continuously monitored.

The Architectural Parallel

Tailscale and WorkingAgents are the same security architecture at different layers:

Principle	Tailscale (Network)	WorkingAgents (Application)
Zero trust	Every connection authenticated via identity	Every tool call checked against permissions
Least privilege	ACLs/grants restrict which nodes can reach which services	Permission keys restrict which agents can call which tools
Identity-based	SSO/OIDC identity tied to every network packet	User identity inherited by every agent action
Audit trail	Network flow logs, SSH session recording	Per-action audit logs, task provenance
Policy as code	ACLs in version-controlled policy files, GitOps	Permission keys defined programmatically, role-based
Device posture	EDR integration, device approval	Execution environment verification

Same principles. Different enforcement points. An enterprise that values zero-trust networking (Tailscale) values zero-trust agent governance (WorkingAgents) for the same reasons.

Synergy Areas

1. Tailscale as the Network for Agent-to-Service Communication

WorkingAgents’ MCP server connects AI agents to enterprise tools — databases, APIs, internal services. Those connections need a secure network. Tailscale provides it:

WorkingAgents MCP server on the tailnet — the MCP server is a Tailscale node. Only authenticated devices on the tailnet can reach it. No public endpoints. No firewall rules. No VPN.
Agent-to-tool connections over WireGuard — when an agent calls a WorkingAgents MCP tool that reaches an internal service (database, CRM API, monitoring system), the connection traverses the tailnet. End-to-end encrypted. Identity-authenticated at both ends.
MagicDNS for service discovery — agents reference internal services by human-readable names (crm.tailnet, db.tailnet) instead of IP addresses. WorkingAgents’ tool configurations use stable DNS names that survive infrastructure changes.

The result: WorkingAgents governs what agents can do. Tailscale governs where agents can connect. Both enforcement layers must pass before any action occurs.

2. Dual-Layer Access Control

Tailscale ACLs control network-level access. WorkingAgents permissions control application-level access. Together, they create defense in depth:

Network layer (Tailscale): “This user’s device can reach the WorkingAgents MCP server on port 8443”
Application layer (WorkingAgents): “This user’s agent can call the nis_create_company tool but not access_control_grant“

An attacker who compromises the network layer still can’t call privileged tools — WorkingAgents blocks it. An attacker who bypasses application permissions still can’t reach the service — Tailscale blocks it. Neither layer alone is sufficient. Both together are robust.

Tailscale’s new grants syntax maps naturally to WorkingAgents’ permission model:

// Tailscale grant: user can reach WorkingAgents
{"src": ["group:analysts"], "dst": ["tag:workingagents"], "accept": [{"proto": "tcp", "port": [8443]}]}

// WorkingAgents permission: user can access NIS tools but not admin tools
AccessControl.grant(user_id, [Permissions.Keys.nis()])  # NIS only, no admin

Same user identity. Two enforcement points. One coherent policy.

3. Secure Remote MCP Access

WorkingAgents currently runs as a local MCP server. Enterprises need remote access — agents running in the cloud, on CI/CD pipelines, on developer laptops. Tailscale solves the remote access problem without exposing the MCP server to the internet:

Developer’s laptop (Tailscale node) → connects to WorkingAgents MCP server (Tailscale node) → encrypted, authenticated, no public endpoint
CI/CD pipeline agent (Tailscale node) → runs automated workflows through WorkingAgents MCP tools → network-level authentication via Tailscale + application-level authorization via WorkingAgents permissions
Mobile device → Tailscale app → reaches WorkingAgents for push notification management and task review → device posture verified by Tailscale before connection is allowed

No port forwarding. No VPN concentrators. No public API endpoints to protect. Tailscale handles the network security. WorkingAgents handles the agent security.

4. SSH Session Recording + Agent Audit Trails

Tailscale records SSH sessions to S3-compatible storage. WorkingAgents logs every agent action with timestamps and provenance. Together:

A DevOps agent connects to a server via Tailscale SSH to run a deployment → Tailscale records the SSH session → WorkingAgents logs the agent action that triggered the SSH connection → the audit trail spans from “agent decided to deploy” (WorkingAgents) to “exact commands executed on the server” (Tailscale SSH recording)
Compliance review: “What happened on March 7 at 2pm?” → WorkingAgents shows the agent action log → Tailscale shows the network flow log and SSH session recording → complete chain of evidence from intent to execution

Both streams feed into the enterprise SIEM. Tailscale provides network-level audit. WorkingAgents provides application-level audit. The combination gives compliance teams the full picture.

5. Funnel for Agent-Accessible Webhooks

WorkingAgents’ alarm system and task manager need to receive webhooks from external services — GitHub, monitoring tools, CI/CD pipelines. Exposing webhook endpoints is a security risk. Tailscale Funnel solves this:

WorkingAgents registers a Funnel endpoint for incoming webhooks → external service sends webhook to Funnel URL → Tailscale handles TLS termination and authentication → webhook reaches WorkingAgents securely → WorkingAgents processes the event (creates task, triggers alarm, updates CRM)
No load balancer. No reverse proxy. No firewall rules. Funnel provides a secure HTTPS endpoint that routes directly to WorkingAgents on the tailnet.

For self-hosted WorkingAgents deployments (on-premises, home lab, developer machine), Funnel is the simplest path to receiving external events without infrastructure overhead.

6. Subnet Routers for Legacy System Access

Enterprise AI agents need to access legacy systems — on-premises databases, internal APIs, mainframe services. These systems can’t run a Tailscale agent. Subnet routers bridge the gap:

Tailscale subnet router sits in the legacy network → exposes the entire subnet to the tailnet → WorkingAgents agents access legacy systems through MCP tools → connections are encrypted end-to-end between the agent’s device and the subnet router → WorkingAgents governs which agents can access which legacy systems via permission keys

The enterprise doesn’t need to modify legacy systems. Tailscale provides the network bridge. WorkingAgents provides the agent governance. AI agents interact with 20-year-old systems through natural language MCP tools, secured by modern zero-trust networking.

7. The MCP-Native Connection

A community Tailscale MCP server already exists — it exposes device management, network operations, security controls, DNS configuration, and key management as MCP tools. WorkingAgents can consume these tools:

WorkingAgents agent manages Tailscale network operations through MCP → “Add this new server to the tailnet” → WorkingAgents checks the agent’s permissions → calls the Tailscale MCP tool → Tailscale provisions the node → WorkingAgents logs the action
Network topology changes governed by agent permissions — only authorized agents can modify network configuration
Self-healing network operations: WorkingAgents alarm detects a node is unreachable → triggers Tailscale MCP tool to check status → if node is down, creates a task for the on-call engineer and sends Pushover notification

Both products speak MCP. The integration is configuration, not code.

The Partnership Opportunity

For Tailscale: WorkingAgents extends zero-trust from the network to the application layer. Tailscale’s 20,000 customers secure their networks. WorkingAgents secures their AI agents. As enterprises deploy autonomous agents, they need the same identity-based, least-privilege governance at the agent layer that Tailscale provides at the network layer. WorkingAgents is the natural next layer in Tailscale’s zero-trust story.

For WorkingAgents: Tailscale solves the secure connectivity problem. WorkingAgents needs agents to securely reach internal services, legacy systems, and remote infrastructure — without exposing endpoints to the internet. Tailscale provides this with zero configuration overhead. Every WorkingAgents deployment benefits from running on a tailnet.

For the joint customer: One identity governs network access (Tailscale) and agent behavior (WorkingAgents). One audit trail spans from network flow to agent action. One zero-trust architecture from the WireGuard packet to the MCP tool call. No trust assumptions at any layer.

Concrete Next Steps

Deploy WorkingAgents on a tailnet — run the MCP server as a Tailscale node, verify MCP client connections over WireGuard, configure ACLs for agent access. Estimate: 1 day.
Integrate Tailscale MCP tools — connect the existing community Tailscale MCP server to WorkingAgents, govern network management operations through agent permissions. Estimate: 1 day.
Funnel webhook receiver — configure Tailscale Funnel for WorkingAgents’ webhook endpoints, test with GitHub and monitoring service callbacks. Estimate: half a day.
Joint zero-trust demo — agent requests access to internal service → Tailscale authenticates the network connection → WorkingAgents authorizes the tool call → action executes → both layers log independently → unified audit trail in SIEM.

Tailscale weaves identity into the network. WorkingAgents weaves identity into agent behavior. Same zero-trust philosophy, same least-privilege enforcement, same audit-everything approach — applied at adjacent layers of the stack. The network trusts no connection without identity. The application trusts no agent without permission. Together: zero trust, all the way down.