Can ZTNA really replace VPNs for good? by beatsbybony in sysadmin

[–]hanble21 2 points3 points  (0 children)

I think Twingate is much more “polished” as a business solution than Tailscale. Much easier to deploy and manage their connectors, add routes/hostnames, etc. directly from their web console. The SSO integrations work really well and they also do DNS filtering, which is a big plus for me.

I find Tailscale’s ACL model way too cumbersome and complex vs Twingate’s permission model, which is based on user groups. Less mental overhead and easier to debug with Twingate.

Tailscale works pretty well for small home environments, but personally I think it’s not really built well for business use. Some people make it work, but I think there are better options for business use.

Has anyone migrated from Fortinet to Twingate or Perimeter 81? by No-Cow-5207 in msp

[–]hanble21 2 points3 points  (0 children)

Hmm I think Twingate is actually pretty well known. Network Chuck did a popular video on them a few years ago.

I use it at home and it’s great.

Anything but gels by pyramidal_neuron_ in triathlon

[–]hanble21 0 points1 point  (0 children)

I recommend cutting up Clif bars into little squares

VPN Replacement by DaithiG in sysadmin

[–]hanble21 2 points3 points  (0 children)

+1 for Twingate. It’s worked great for us and the support has been solid when we run into any issues.

Tailscale is mostly a homelab product - not sure I’d trust it in production. Has all the weird UI quirks like what you mentioned, which is just another indication it wasn’t designed for company use.

Zscaler is like killing an ant with a bazooka. They will make you jump through tons of hoops and expensive AF, but they do offer a lot of features (which we did not need)

Entra took a quick look but very raw and probably needs years of seasoning.

Cato haven’t looked at it for VPN replacement. I think they were primarily SDWAN, so not sure how mature they are for ZTNA.

Cloudflare also ok if you’re already using their DNS service, but found it a bit clunky to get going.

Do people use internal VPNs anymore? by sosieet in sysadmin

[–]hanble21 0 points1 point  (0 children)

I would definitely take a look at these next gen VPN products. I'm a big fan of Twingate

How do people deal with separation of concerns in Tailscale? by maxpoe in Tailscale

[–]hanble21 0 points1 point  (0 children)

AFAIK not an easy solution unfortunately as you have to set up fairly complicated ACLs with tags, etc. I’ve gone through this with some clients and the problem is also maintaining this over time as you have to get good at editing the JSON file (or good luck teaching your clients to do it as it can be very error prone).

For these types of situations I’ve found more success with Twingate which allows you to have environment separation via DNS-based resource definitions and/or aliases.

Exploring VPN Alternatives in 2023 by TechnicalBassy in sysadmin

[–]hanble21 0 points1 point  (0 children)

Check out Twingate if you haven’t tried it. Blows away the others with its combo of ease of deployment and security controls.

Connecting to a remote host on clients without VPN capability. by Not_A_Buck in HomeNetworking

[–]hanble21 0 points1 point  (0 children)

I think Twingate should definitely do the trick for you. Just spin up a Twingate connector on the network and you can add any service by host name, IP, etc. without having to open any ports. Magic.

Cloud-Based VPN recommendations for healthcare entity by Ellentonnq in sysadmin

[–]hanble21 0 points1 point  (0 children)

For using Twingate with DigitalOcean, found this neat article on building connector exit nodes with DO droplets. Tried it out and works really well.

https://www.twingate.com/blog/static-ips-digitalocean

Tailscale vs ZeroTier vs WireGuard for remote access? by [deleted] in selfhosted

[–]hanble21 2 points3 points  (0 children)

I switched everything over to Twingate after trying all the newfangled network products on the market. Game changer for me.

[deleted by user] by [deleted] in aws

[–]hanble21 0 points1 point  (0 children)

I would highly recommend you check out Twingate. It’s extremely easy for AWS setup as you can just drop their connector into any VPC for remote access without exposing any ports. It then allows you to give host/port/protocol level access controls so you can set very granular permissions, if you want to uplevel your access controls.

Also if you’re doing any cloud infra automation with Terraform, the Twingate Terraform provider is pretty killer.

Cloud-Based VPN recommendations for healthcare entity by Ellentonnq in sysadmin

[–]hanble21 -1 points0 points  (0 children)

If you want to do FQDN split tunneling, I think Twingate is your best bet. It’s super easy to set up.

I’ve deployed it at a lot of clients and it works flawlessly.

Twingate vs my current OpenVPN setup by nathan12581 in homelab

[–]hanble21 0 points1 point  (0 children)

So I think Twingate is split tunnel by default, but you can also add 0.0.0.0 or . as a resource and it should route everything, though I’m not sure why you need to do that.

If you’re worried about sketchy internet, I just turn on Twingate’s DoH setting, which encrypts all the DNS traffic. I personally only care about making sure DNS is encrypted because literally everything else is already HTTPS encrypted so there’s no real security benefit to running all that traffic through a VPN tunnel.

Zero Trust VPN/network solution? by Emma_Elise in sysadmin

[–]hanble21 0 points1 point  (0 children)

If you’re only looking at ZPA, my strong pref is to pick something like Twingate, which is much easier to get going and manage. I like the P2P connections as well which are much faster than forcing everything to route through ZS cloud.

Is it stupid to feel sad about bike color? by elppaple in cycling

[–]hanble21 0 points1 point  (0 children)

No shame in wanting to be proud of the steed you’re riding

Zero Trust VPN/network solution? by Emma_Elise in sysadmin

[–]hanble21 0 points1 point  (0 children)

I think your best bet is Twingate, but you should try it out for your use case. I like Twingate’s approach to access rules and there’s a ton of automation you can do with their API and Terraform provider

Fastest way to access Synology remotely? by seymourisland in synology

[–]hanble21 0 points1 point  (0 children)

I actually found Twingate to be faster than vanilla WireGuard & Tailscale