Full-Time
Posted on 10/31/2025
WireGuard-based VPN for secure remote access
CA$218.4k - CA$302.8k/yr
Remote in Canada
Remote
Tailscale provides secure remote access by offering a WireGuard-based VPN that lets teams and individuals reach private resources such as virtual machines, containers, and databases from anywhere. The product works by creating a secure, encrypted network between devices so users can access private resources as if they were on a local network; setup is designed to be simple, and the service includes many integrations (over 100) to fit into various tech stacks. The company differentiates itself with a freemium model that lowers the barrier to entry, a focus on ease of use with minimal setup, and strong data security to protect all connections, along with features that support cross-cloud and multi-resource environments. Tailscale’s goal is to make secure remote access easy to deploy and manage for both organizations of any size and individual users, enabling safe data transfer and collaboration across diverse infrastructure.
Company Size
201-500
Company Stage
Series C
Total Funding
$275M
Headquarters
Toronto, Canada
Founded
2019
Health Insurance
Dental Insurance
Vision Insurance
Flexible Work Hours
Remote Work Options
Unlimited Paid Time Off
Parental Leave
Professional Development Budget
Home Office Stipend
Phone/Internet Stipend
Company Equity
Highflame, an AI security company, has partnered with Tailscale to provide real-time security evaluation of AI agent activity at the network layer. The integration allows organisations to monitor AI interactions and assess risks across prompts, tools and outputs without altering developer workflows. The solution combines Tailscale's Aperture gateway, which routes and captures AI traffic telemetry, with Highflame's platform that analyses interactions to detect prompt injection, credential leakage, PII exposure and policy violations. The system operates without requiring SDKs or instrumentation, enabling developers to continue using preferred tools whilst security teams gain centralised visibility. Aperture is currently in alpha and available to early users. Highflame is backed by leading investors and headquartered in the San Francisco Bay Area.
Today I’m excited to share that Border0 has been acquired by Tailscale. When we started Border0, the goal was simple: make infrastructure access secure without making it painful. Anyone who has worked in infrastructure knows the problem. Engineers are often forced to juggle multiple VPNs, bastions, static credentials scattered across systems, and tools that were never really designed to work well together. We believed there had to be a better way. So we built Border0, a modern approach to Privileged Access Management (PAM), designed specifically for modern engineering teams and focused on making secure access simple and practical. Over the past few years we’ve been fortunate to see Border0 grow beyond what we initially imagined. Teams around the world now rely on Border0 for secure access to SSH, Kubernetes, databases, web apps, and RDP. Today marks the beginning of the next chapter.
Tailscale makes first acquisition with Border0 purchase. Corporate VPN startup will expand Vancouver footprint as it absorbs entire Border0 team. Toronto-based corporate virtual private network (VPN) startup Tailscale has made its first acquisition as it aims to improve its application security layer. Tailscale announced on Tuesday morning that it has purchased Border0, a Vancouver-based privileged access management (PAM) security platform. PAM helps companies manage who or what has access to sensitive digital infrastructure, like production systems or databases. Border0's entire seven-person team is joining Tailscale, which is expanding its engineering footprint in Vancouver with a larger office. Tailscale spokesperson Will Moore told BetaKit in an email that the company already had "foundational PAM-style capabilities," but that Border0 adds deeper application-layer access and authorization on top of that foundation. "The acquisition helps us move faster on building out a more complete and modern PAM offering," Moore said. The terms of the deal were not disclosed. Border0's entire seven-person team is joining Tailscale, including Border0 founder Andree Toonk, who becomes the director of engineering to focus on building out Tailscale's privileged access management capabilities, Moore said. Moore added that, with the acquisition, Tailscale is expanding its engineering footprint in Vancouver with a larger office. While Moore said Tailscale doesn't have a hiring target for the city, the company is looking to increase its headcount globally from 250 to 400 employees over the next year. Founded in 2019 by former Google software engineers, Tailscale helps companies and individuals secure and control their data with its zero-configuration VPN, which can be installed on any device, manages firewall rules for users, and works from anywhere. 
One of Tailscale's key selling points is its software's accessibility, which enables people and teams to securely access network services without the long setup times and complexity of traditional VPNs. It's this accessibility that meshes so well with Border0, Tailscale CEO Avery Pennarun said in a blog post. While Tailscale's platform handles system access features like connectivity, identity-based permissions, and network layer auditability, Pennarun said that Border0 brings protocol-aware controls, session visibility, and approval workflows. "Once you move from 'Can this machine reach that machine?' to 'Who should be allowed into this database, cluster, or admin interface, for how long, and with what visibility into what happened after they got there?', the problem changes shape a bit," Pennarun wrote. "Those are exactly the kinds of things that are hard to bolt on later, and even harder to do well without making the whole system miserable to use," Pennarun added. Tailscale's customer base has grown rapidly since 2024, partly due to the explosion of agentic AI. The new market has found significant value using Tailscale's platform to act essentially as an air traffic control system for agents accessing and acting on corporate data. Last April, Tailscale raised $160 million USD ($230 million CAD) in Series C funding to grow its team and keep up with the "surprising number" of AI companies using its software. Following the purchase of Border0, Moore didn't rule out future acquisitions from Tailscale, but said the company is focused on building with the Border0 team for the time being.
Tailscale and LM Studio introduce 'LM Link' to provide encrypted point-to-point access to your private GPU hardware assets.
For the modern AI developer, productivity is often tied to a physical location. You likely have a 'Big Rig' at home or the office - a workstation humming with NVIDIA RTX cards - and a 'Travel Rig,' a sleek laptop that's perfect for coffee shops but struggles to run even a quantized Llama-3 variant. Until now, bridging that gap meant venturing into the 'networking dark arts.' You either wrestled with brittle SSH tunnels, exposed private APIs to the public internet, or paid for cloud GPUs while your own hardware sat idle. This week, LM Studio and Tailscale launched LM Link, a feature that treats your remote hardware as if it were plugged directly into your laptop.
The problem: API key sprawl and public exposure.
Running LLMs locally offers privacy and zero per-token costs, but mobility remains the bottleneck. Traditional remote access requires a public endpoint, which creates two massive headaches:
* Security Risk: Opening ports to the internet invites constant scanning and potential exploitation.
* API Key Sprawl: Managing static tokens across various environments is a secret-management nightmare. One leaked .env file can compromise your entire inference server.
The solution: identity-based inference.
LM Link replaces public gateways with a private, encrypted tunnel. The architecture is built on identity-based access - your LM Studio and Tailscale credentials act as the gatekeeper. Because the connection is peer-to-peer and authenticated via your account, there are no public endpoints to attack and no API keys to manage. If you are logged in, the model is available. If you aren't, the host machine simply doesn't exist to the outside world.
Under the hood: userspace networking with tsnet.
The 'magic' that allows LM Link to bypass firewalls without configuration is Tailscale. Specifically, LM Link integrates tsnet, a library version of Tailscale that runs entirely in userspace. Unlike traditional VPNs that require kernel-level permissions and alter your system's global routing tables, tsnet allows LM Studio to function as a standalone node on your private 'tailnet.'
* Encryption: Every request is wrapped in WireGuard® encryption.
* Privacy: Prompts, response inferences, and model weights are sent point-to-point. Neither Tailscale nor LM Studio's backend can 'see' the data.
* Zero-Config: It works across CGNAT and corporate firewalls without manual port forwarding.
The workflow: a unified local API.
The most impressive part of LM Link is how it handles integration. You don't have to rewrite your Python scripts or change your LangChain configurations when switching from local to remote hardware.
* On the Host: You load your heavy models (like a GPT-OSS 120B) and run lms link enable via the CLI (or toggle it in the app).
* On the Client: You open LM Studio and log in. The remote models appear in your library alongside your local ones.
* The Interface: LM Studio serves these remote models via its built-in local server at localhost:1234.
This means you can point any tool - Claude Code, OpenCode, or your own custom SDK - to your local port. LM Studio handles the heavy lifting of routing that request through the encrypted tunnel to your high-VRAM machine, wherever it is in the world.
Key takeaways.
* Seamless Remote Inference: LM Link allows you to load and use LLMs hosted on remote hardware (like a dedicated home GPU rig) as if they were running natively on your current device, effectively bridging the gap between mobile laptops and high-VRAM workstations.
* Zero-Config Networking with tsnet: By leveraging Tailscale's tsnet library, LM Link operates entirely in userspace. This enables secure, peer-to-peer connections that bypass firewalls and NAT without requiring complex manual port forwarding or kernel-level networking changes.
* Elimination of API Key Sprawl: Access is governed by identity-based authentication through your LM Studio account. This removes the need to manage, rotate, or secure static API keys, as the network itself ensures only authorized users can reach the inference server.
* Hardened Privacy and Security: All traffic is end-to-end encrypted via the WireGuard® protocol. Data - including prompts and model weights - is sent directly between your devices; neither Tailscale nor LM Studio can access the content of your AI interactions.
* Unified Local API Surface: Remote models are served through the standard localhost:1234 endpoint. This allows existing workflows, developer tools, and SDKs to use remote hardware without any code changes - simply point your application to your local port and LM Studio handles the routing.
This month at Tailscale: Fall updates, GitHub actions, and tailnet name types.
Tailscale Inc. continuously ships updates to make your network more reliable, manageable, and secure. Each month, Tailscale Inc. highlights some of the most impactful changes across clients, admin tools, integrations, and infrastructure - so you can stay on top of what's new and what's better. This month's updates include all the features announced during Tailscale's Fall Update Week, an updated GitHub Action, plus other improvements. For instructions on how to update to the latest version, visit its update guide.
Tailscale's GitHub Action, rewritten in TypeScript, added a number of improvements. It supports a ping parameter to verify tailnet connections, can log out ephemeral nodes after CI runs, and has improved its logging efficiency.
Tailscale Services allows for the creation and management of dedicated applications and services on your tailnet, without tying them to any one device.
Tailscale Peer Relays allow for controlling your own UDP-based relays, providing high-performance traffic routing inside hard firewalls and cloud infrastructure.
Workload identity federation simplifies the creation of agents and workloads in infrastructure and CI/CD environments, utilizing Tailscale identity data instead of managing keys and secrets.
The visual policy editor, which allows for creating and editing policies with browser-based controls and search, is now generally available.
Changes have been made to Tailscale's admin console to reflect new naming tools and to better support multiple tailnets.
* Display name is an optional field that lets you assign a custom display name to your tailnet that appears in the admin console, client UI, and client CLI, instead of your domain or email address.
* Tailnet ID should be used in the tailnetId field for Tailscale API path parameters instead of your organization name.
* Legacy ID has replaced the Organization field in the console. The Organization field will continue to display for existing tailnets but will not display for newly created tailnets.
Tailscale Inc. released a series of updates and fixes to improve security and stability across all platforms.
* A deadlock issue no longer occurs in the client when checking for the network to be available.
* tailscaled shuts down as expected and without panic.
* Clients can use configured DNS resolvers for all domains even when the client also uses an exit node using the nameserver settings in the DNS page of the admin console.
* Node keys will be renewed seamlessly, so clients will maintain existing connections while re-authenticating.
* Tailscale SSH no longer hangs for 10s when connecting to tsrecorder. This affected tailnets that use Tailscale SSH recording.
* tailscaled no longer sporadically panics when a Trusted Platform Module (TPM) device is present.
* tailscaled starts up as expected in a no router configuration environment.
* An iptables regression on non-amd64/arm64 platforms is resolved, and the client starts as expected.
* Running Tailscale on devices equipped with Trusted Platform Module (TPM) 1.x no longer causes the tailscaled daemon to fail.
* Node key sealing is GA (generally available) and enabled by default. For more information, refer to Secure node state storage.
* tailscaled no longer sporadically panics when a Trusted Platform Module (TPM) device is present.
* Node key sealing is GA (generally available) and enabled by default. For more information, refer to Secure node state storage.
* The Tailscale dock icon closes as expected when the client is not using the windowed UI (beta).
* The Hide Dock Icon checkbox located in Settings lets you remove the Tailscale icon from the macOS dock when the client window is closed.
* The tailscale drive CLI command for sharing Taildrive directories is no longer available. Use the client GUI for sharing directories instead.
* Node key sealing is GA (generally available) and enabled by default. For more information, refer to Secure node state storage.
* Exit node selection using the macOS Shortcuts app works as expected.
* Accounts displayed using the macOS menu bar Tailscale icon load as expected.
* Client users' preference for automatic/recommended exit node selection is remembered as expected.
* Exit node selection using the iOS Shortcuts app works as expected.
* Client users' preference for automatic/recommended exit node selection is remembered as expected.
* Client is able to establish direct connections as expected.
* The JS/WASM client used by tsconnect no longer crashes unexpectedly.
* tailscaled starts up as expected in a no router configuration environment.
This version contains no changes except for library updates.
* DNSConfig nameserver supports Pods with IPv6 addresses and will serve AAAA records.
* DNSConfig nameserver supports specifying a replica count for high-availability deployment.
* DNSConfig nameserver supports specifying pod tolerations.
* ProxyClass now supports the dnsConfig and dnsPolicy fields for refined DNS specifications.
* Reconciler logs are now sent to the Tailscale control plane in addition to the core client logs that are already sent. As before, this can be disabled by setting the TS_NO_LOGS_NO_SUPPORT environment variable to true within the operator deployment.
* tsrecorder is updated with web interface search, filtering, and enhanced design.
* kubectl exec sessions record as expected.
* Cached recordings on large datasets no longer fail if the caching process exceeds one minute.
* Recordings are no longer stopped when a session exceeds one minute.
Those are the highlights for this month. If you have questions or feedback, Tailscale Inc. is here to help. Thank you for using Tailscale.