Skip to content
Public attack surface removed in one afternoon

Replaced an internet-facing VPN appliance with a zero-trust mesh

A team running an internet-facing VPN appliance, the exact category behind a wave of 2024 CVEs, moved to a Tailscale and Cloudflare Tunnel mesh and removed the public concentrator entirely.

The problem

A company depended on an internet-facing VPN appliance for engineer and admin access, the same class of device behind the Ivanti, Citrix, and Palo Alto CVEs of 2023 and 2024. It was a single high-value target with an inbound port the whole internet could reach.

The approach

  • Mapped who actually needed access to what, then replaced blanket VPN access with least-privilege, identity-based routing.
  • Stood up a Tailscale mesh for engineer access and Cloudflare Tunnel for the internal web apps that used to sit behind the VPN. Neither needs a public inbound port.
  • Cut over service by service so nothing broke, then decommissioned the appliance and closed the inbound firewall rule for good.
  • Documented the topology and access model so the team could grant and revoke access without filing a ticket.

The result

  • The public-facing concentrator and its inbound port are gone
  • Access is identity-based and least-privilege instead of all-or-nothing
  • No appliance left to patch against the next VPN CVE
  • Cutover finished in an afternoon with zero downtime

stack: Tailscale · Cloudflare Tunnel · WireGuard · Kubernetes

The attack surface you can only delete

You can patch a VPN appliance forever and it’s still an internet-facing box whose entire job is to terminate untrusted connections. The only real fix is to take the concentrator out of the picture. A mesh has no central portal and no inbound port, so there’s nothing sitting out front to exploit, and the recurring “drop everything and patch the VPN” fire drill just stops happening. This is the network-plane version of the Lazy SRE approach I write about.

Done by Harshit Luthra, an independent infrastructure and AI engineering consultant. Bring me a similar problem →

Questions about this work

Why replace a VPN appliance instead of just patching it?+

An internet-facing VPN appliance is a single high-value target with an inbound port the whole internet can reach, the exact class behind the Ivanti, Citrix, and Palo Alto CVEs. You can patch it forever and it's still that box. A mesh has no central portal and no inbound port, so there's nothing out front to exploit and the patch fire-drill stops.

How long does a VPN-to-mesh migration take?+

This cutover finished in an afternoon with zero downtime. It went service by service so nothing broke, then the appliance was decommissioned and the inbound firewall rule closed for good. Timeline depends on how many internal apps sit behind the VPN today.

What replaces the VPN for engineer and app access?+

A Tailscale mesh for engineer access and Cloudflare Tunnel for the internal web apps that used to sit behind the VPN. Neither needs a public inbound port, and access becomes identity-based and least-privilege instead of all-or-nothing.

Have a similar problem?

Book a free 30-minute call. We diagnose it together, and you walk away with a plan you can act on. You’ll get a straight read either way.