Private Networks (VPN)

Powered by Tailscale

Need to integrate with ERP systems, databases, or APIs hosted in-house or on restricted cloud infrastructure? Retrieve seamlessly connects to private servers that aren't exposed to the public internet through secure VPN technology powered by our partner, Tailscale.

🔒 Why Private Networks?

  • Security First - Keep sensitive systems private without exposing them to the public internet
  • Enterprise Systems - Access on-premise ERP, OMS, databases, and custom applications
  • Zero-Trust Architecture - Enterprise-grade encryption with Tailscale's proven security model
  • Simple Setup - Connect in under 5 minutes without complex VPN configuration
  • Cost Effective - Tailscale's free tier supports up to 100 devices

What is Tailscale?

Tailscale is a modern VPN built on WireGuard® that creates secure point-to-point connections between your devices. Unlike traditional VPNs that route all traffic through a central server, Tailscale establishes direct encrypted connections between devices.

🚀 Zero Configuration Networking

No port forwarding, firewall rules, or network expertise required. Tailscale handles NAT traversal automatically.

๐Ÿ” Zero-Trust Security

Every connection is authenticated and encrypted. Your data never touches the public internet unencrypted.

⚡ High Performance

Built on WireGuard for minimal latency and maximum throughput. Direct peer-to-peer connections when possible.

💰 Free Tier Available

Up to 100 devices for free. Perfect for small to medium businesses. View Tailscale pricing

How It Works

Retrieve uses Tailscale to create a secure connection between your dedicated integration server and your private network:

  1. Install Tailscale - Install the Tailscale client on your private server or a machine that can access your private resources
  2. Generate Auth Key - In your Tailscale account, generate a reusable auth key (we recommend 90-day expiration)
  3. Connect Retrieve - Add your Tailscale auth key to Retrieve in the VPN settings
  4. Secure Connection Established - Your Retrieve server joins your Tailscale network and can securely access your private resources
  5. Integration Runs - Your workflows can now connect to private databases, APIs, and applications as if they were on the same network

Setup Guide

Prerequisites

  • A Tailscale account (free for up to 100 devices)
  • Access to the server/machine you want to connect to Retrieve
  • Basic command-line knowledge (for installation)

Step 1: Install Tailscale on Your Private Server

Visit tailscale.com/download and follow the installation instructions for your operating system.

Linux Installation

curl -fsSL https://tailscale.com/install.sh | sh
# Follow the on-screen instructions to authenticate

Windows Installation

Download the Tailscale Windows installer and run it. Follow the setup wizard.

macOS Installation

brew install tailscale
sudo tailscale up

Or download from the Mac App Store.

Docker Installation

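# NET_ADMIN/NET_RAW and /dev/net/tun let tailscaled create its tunnel interface
# when it shares the host's network namespace
docker run -d \
  --name=tailscale \
  --restart=unless-stopped \
  --network=host \
  --cap-add=NET_ADMIN \
  --cap-add=NET_RAW \
  --device=/dev/net/tun \
  -v /var/lib/tailscale:/var/lib/tailscale \
  tailscale/tailscale:latest \
  tailscaled --state=/var/lib/tailscale/tailscaled.state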

Step 2: Authenticate Tailscale

After installation, authenticate with your Tailscale account:

sudo tailscale up
# Opens browser for authentication

This will open a browser window where you can log in to your Tailscale account and authorize the device.

Step 3: Generate an Auth Key

To connect Retrieve to your Tailscale network, you need to generate a reusable auth key:

  1. Log in to the Tailscale admin console
  2. Navigate to Settings → Keys
  3. Click Generate auth key
  4. Configure the key settings:
    • ✅ Reusable - Check this box (allows Retrieve to reconnect)
    • ✅ Ephemeral - Optional (device is removed when it disconnects)
    • ⏰ Expiration - Set to 90 days (Retrieve will notify you before expiration)
    • 📝 Description - e.g., "Retrieve Integration Server"
  5. Click Generate key and copy it

💡 Auth Key Best Practices

  • Use reusable keys so Retrieve can reconnect automatically
  • Set expiration to 90 days for security
  • Retrieve will notify you 7 days before expiration so you can regenerate
  • Keep your auth keys secure - treat them like passwords

Step 4: Add Auth Key to Retrieve

In your Retrieve application:

  1. Navigate to Settings → VPN
  2. Click Add Tailscale Connection
  3. Paste your auth key
  4. Click Connect

Retrieve will now join your Tailscale network and establish a secure connection to your private resources.

✅ Connection Successful!

You can now use private IP addresses or hostnames in your integrations. For example:

  • mysql://10.0.0.5:3306/database
  • http://192.168.1.100/api
  • postgresql://private-server:5432/db

Step 5: Verify the Connection

To verify that Retrieve successfully joined your Tailscale network:

  1. Go to the Tailscale admin console → Machines
  2. Look for a device named retrieve-{your-app-id}
  3. Check that it shows as "Connected"
  4. Note its Tailscale IP address (e.g., 100.x.x.x)

Common Use Cases

Use Case 1: Private MySQL Database

Scenario: Your company's ERP system runs on a MySQL database in your office, not accessible from the internet.

Setup:

  1. Install Tailscale on the MySQL server (or a machine that can access it)
  2. Connect Retrieve to your Tailscale network
  3. Create integration using the MySQL server's private IP: 10.0.0.5:3306

{
  "host": "10.0.0.5",
  "port": 3306,
  "database": "erp_database",
  "user": "retrieve_user",
  "password": "secure_password"
}

Use Case 2: On-Premise REST API

Scenario: Custom ERP system exposes a REST API on your internal network at http://192.168.1.50/api

Setup:

  1. Install Tailscale on a server within your office network
  2. Connect Retrieve to Tailscale
  3. Configure integration to use the private API endpoint

// Use private API endpoint in integration
const response = await fetch('http://192.168.1.50/api/orders', {
  headers: {
    'Authorization': 'Bearer YOUR_TOKEN'
  }
});

const orders = await response.json();

Use Case 3: Port Forwarding for Restricted Servers

Scenario: You can't install Tailscale directly on your database server due to IT restrictions.

Solution: Use port forwarding from another machine on the same network:

  1. Install Tailscale on a separate machine (e.g., a Linux VM) that can access the database
  2. Set up port forwarding on that machine to proxy connections to the database
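  3. Retrieve connects to the proxy machine via Tailscale

# On the proxy machine (has Tailscale installed)
# Forward port 3306 on the machine's Tailscale address to the database server.
# Without an explicit bind address, ssh -L listens on 127.0.0.1 only and Retrieve
# could not reach it; binding to the Tailscale IP also keeps the port off the LAN.
ssh -L "$(tailscale ip -4):3306:192.168.1.10:3306" -N -f user@localhost

# Retrieve connects to: 100.x.x.x:3306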

Now Retrieve can connect to 100.x.x.x:3306 (the proxy machine) which forwards to 192.168.1.10:3306 (the database).

Security Considerations

Tailscale Security Model

Tailscale implements a zero-trust network architecture:

  • Device Authentication - Every device must authenticate with your Tailscale account
  • End-to-End Encryption - All connections use WireGuard encryption (ChaCha20-Poly1305)
  • No Central Server - Traffic flows directly between devices (peer-to-peer when possible)
  • Access Control Lists - Define which devices can access which resources
  • Audit Logs - See all connection attempts and network activity

Best Practices

  • ✅ Use ACLs to Restrict Access - Configure Tailscale ACLs to limit which devices can connect to your private servers. For example, only allow your Retrieve server to access specific ports.
  • ✅ Enable MagicDNS - MagicDNS provides automatic DNS for your Tailscale network, making it easier to use hostnames instead of IP addresses.
  • ✅ Rotate Auth Keys Regularly - Set auth key expiration to 90 days and rotate them regularly. Retrieve will notify you before expiration.
  • ✅ Monitor Connection Logs - Review the Tailscale audit logs regularly to monitor for suspicious activity.
  • ✅ Use Subnet Routing for Complex Networks - If you need to access multiple private subnets, use Tailscale subnet routing instead of installing Tailscale on every server.

Troubleshooting

Common Issues and Solutions

โŒ Issue: "Connection Refused" When Accessing Private Server

Possible Causes:

  • Tailscale is not running on the private server
  • Firewall blocking connections
  • Wrong IP address or port

Solutions:

  • Verify Tailscale is active: tailscale status
  • Check firewall allows connections from Tailscale interface
  • Verify the correct Tailscale IP in the admin console
  • Test connection manually: ping 100.x.x.x or telnet 100.x.x.x 3306

โŒ Issue: Retrieve Not Showing in Tailscale Admin

Possible Causes:

  • Invalid auth key
  • Auth key expired
  • Connection failed during setup

Solutions:

  • Generate a new auth key in Tailscale admin console
  • Ensure "Reusable" is checked when generating the key
  • Re-add the auth key in Retrieve VPN settings
  • Check Retrieve logs for connection errors

โŒ Issue: Slow Connection Speed

Possible Causes:

  • Traffic being relayed through Tailscale DERP servers
  • Network congestion
  • NAT traversal issues preventing direct connection

Solutions:

  • Check if connection is direct or relayed: tailscale status
  • Enable UPnP on your routers if possible
  • Consider using subnet routing for better performance
  • Contact Tailscale support for advanced troubleshooting
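The direct-versus-relayed check above can be scripted against the JSON form of the status output. This is an added example, not Retrieve's or Tailscale's own code; the sample document is constructed, and the field names (Peer, HostName, Online, CurAddr, Relay) are assumed from `tailscale status --json`.

```python
import json

# Constructed sample shaped like `tailscale status --json`, trimmed to the
# fields used here (assumed names: Peer, HostName, Online, CurAddr, Relay).
SAMPLE = """
{
  "Peer": {
    "nodekey:aaaa": {"HostName": "retrieve-example", "Online": true,
                     "CurAddr": "203.0.113.7:41641", "Relay": "nyc"},
    "nodekey:bbbb": {"HostName": "mysql-server", "Online": true,
                     "CurAddr": "", "Relay": "fra"},
    "nodekey:cccc": {"HostName": "old-proxy", "Online": false,
                     "CurAddr": "", "Relay": "fra"}
  }
}
"""


def classify(peer):
    """Label one peer entry as offline, direct, relayed or unknown."""
    if not peer.get("Online"):
        return "offline"
    if peer.get("CurAddr"):      # an endpoint address means a direct path is in use
        return "direct"
    if peer.get("Relay"):        # only a DERP region is known: traffic is relayed
        return "relayed"
    return "unknown"             # online, but no path information yet


def path_report(status_json):
    """Map each peer's hostname to its connection type."""
    peers = json.loads(status_json).get("Peer") or {}
    return {p.get("HostName", key): classify(p) for key, p in peers.items()}


def relayed_peers(status_json):
    """Hostnames of online peers whose traffic goes through a relay."""
    return sorted(h for h, s in path_report(status_json).items() if s == "relayed")


if __name__ == "__main__":
    for host, state in path_report(SAMPLE).items():
        print(f"{host:20} {state}")
```

An idle peer has no current endpoint and will read as relayed, so send it some traffic (for example with `tailscale ping`) before trusting the result.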

โŒ Issue: Auth Key Expiration Warning

What Happens:

Retrieve notifies you 7 days before your Tailscale auth key expires.

Solution:

  1. Generate a new auth key in Tailscale admin
  2. In Retrieve, go to Settings → VPN
  3. Update the auth key
  4. Click Save to maintain uninterrupted connectivity

Advanced Configuration

Subnet Routing

Instead of installing Tailscale on every private server, you can configure one machine as a subnet router to expose entire networks:

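# On the subnet router machine (Linux): enable IP forwarding first
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

# Advertise the private subnet to your Tailscale network
sudo tailscale up --advertise-routes=192.168.1.0/24

# Approve the route in the Tailscale admin console
# Now all devices on 192.168.1.0/24 are accessible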

This allows Retrieve to access all devices on the 192.168.1.0/24 network through a single Tailscale connection.

MagicDNS for Easy Hostname Access

Enable MagicDNS in your Tailscale settings to use hostnames instead of IP addresses:

{
  "host": "mysql-server",
  "port": 3306,
  "database": "erp_database"
}

Access Control Lists (ACLs)

Restrict which devices can access specific resources using Tailscale ACLs:

{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:retrieve"],
      "dst": ["tag:database:3306"]
    }
  ],
  "tagOwners": {
    "tag:retrieve": ["your-email@company.com"],
    "tag:database": ["your-email@company.com"]
  }
}

This ACL allows only the Retrieve server to access MySQL on port 3306.
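To check a policy like the one above before applying it, the added example below (not Retrieve's or Tailscale's code) evaluates accept rules under default deny and flags wildcard rules. It is a simplification that matches tags by exact name only and does not resolve users, groups, hosts or CIDRs; `tag:laptop` and the allow-all rule are constructed for contrast.

```python
import copy

# The ACL from the page as a Python dict (tagOwners omitted: not used for matching).
PAGE_POLICY = {"acls": [
    {"action": "accept", "src": ["tag:retrieve"], "dst": ["tag:database:3306"]},
]}
# Constructed contrast case: the same policy with an allow-all rule left in.
LOOSE_POLICY = copy.deepcopy(PAGE_POLICY)
LOOSE_POLICY["acls"].append({"action": "accept", "src": ["*"], "dst": ["*:*"]})


def split_dst(dst):
    """Split 'host:ports' on the last colon: 'tag:database:3306' -> ('tag:database', '3306')."""
    host, _, ports = dst.rpartition(":")
    return host, ports


def port_matches(spec, port):
    """spec is '*', one port, a range 'a-b', or a comma-separated mix of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def allowed(policy, src, dst_host, port):
    """Default deny: a flow passes only if an accept rule names both ends."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept" or not {"*", src} & set(rule["src"]):
            continue
        for dst in rule["dst"]:
            host, ports = split_dst(dst)
            if host in ("*", dst_host) and port_matches(ports, port):
                return True
    return False


def broad_rules(policy):
    """Indexes of rules with a wildcard source, destination host or port."""
    return [i for i, rule in enumerate(policy.get("acls", []))
            if "*" in rule["src"] or any("*" in split_dst(d) for d in rule["dst"])]


if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("loose", LOOSE_POLICY)):
        print(name, "laptop->db:22 allowed:", allowed(pol, "tag:laptop", "tag:database", 22),
              "broad rules:", broad_rules(pol))
```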

Pricing & Limits

Tailscale offers generous free and paid plans. See Tailscale's pricing page for current details.

Tailscale Free

$0/month

  • ✅ Up to 100 devices
  • ✅ Unlimited users
  • ✅ All core features
  • ✅ Community support

Perfect for small to medium businesses

Tailscale Business

$18/user/month

  • ✅ Everything in Personal Pro
  • ✅ User/device management
  • ✅ SSO integration
  • ✅ Advanced ACLs
  • ✅ Audit logs

Enterprise-grade security and control

💡 Retrieve + Tailscale Costs

For most Retrieve users, the Tailscale free tier is sufficient. You only need one Tailscale connection per Retrieve application (your dedicated integration server), plus Tailscale on your private servers.

Example: If you have 1 Retrieve server connecting to 3 private databases = 4 devices total = Free tier ✅

Alternatives to Tailscale

While Retrieve officially partners with Tailscale, you can technically use other VPN solutions if needed:

Tailscale (Recommended)

✅ Zero configuration • ✅ Best performance • ✅ Official support

WireGuard

Manual setup required • High performance • Open source

OpenVPN

Complex configuration • Mature ecosystem • Widely supported

ZeroTier

Similar to Tailscale • Alternative option • Different pricing model

However, we strongly recommend Tailscale for its ease of use, security, and performance. Our integration is optimized for Tailscale.

Learn More

Next Steps

  • Integrations - Learn how to use private network connections in your integrations
  • Architecture - Understand how VPN fits into Retrieve's infrastructure
  • Quick Start - Configure your first integration with private network access