Field Manual / Vol. 04 · Network Ops · 2026
FM-NET-26-04

The Distributed-Team & Access Stack

Four pieces of software keep showing up on the same architecture diagrams. What each is for, where it stops being useful, and how to assemble them.

Compiled by
The Cable Desk — editorial pseudonym, 8 contributors
Method
Vendor docs, admin consoles, 14 reference environments
Updated
Scope
20–500 engineers, no on-prem AD
01 · Orientation
Why these four, and why together

The network of a team with no office is not one product; it is a stack. Distributed teams run four overlapping layers: a network fabric, an SSH workspace, a directory, and an access policy. Each of the four tools below occupies one layer.

Tailscale and NordLayer handle the network path in opposite ways. Tailscale meshes WireGuard tunnels between devices authenticated to your IdP[1]; NordLayer terminates tunnels at managed gateways with ZTNA segmentation[2]. Not interchangeable; often run concurrently.

Termius is a different layer — the workspace where SSH happens, independent of the network[3]. JumpCloud sits beneath the others, supplying the directory and MDM they consume[4]. The yardstick: what does this give a team with no office, no AD, and engineers in six time zones?

02 · Layer · Network fabric · Mesh
Tailscale

A control plane that turns existing devices into a flat private network. WireGuard handles cryptography; an external IdP handles who is allowed in.

The model is closer to the inverse of a VPN than to one. No concentrator, no dialling in, no central termination. Every enrolled device is a peer; the agent opens direct WireGuard sessions to peers it can reach, falling back to relays only when NAT traversal fails[1].

Two consequences: the network is the same shape in a café as in an office, and access is policy, not topology. A JSON (HuJSON) ACL declares that group:infra can reach port 22 on hosts carrying a given tag; anything not declared is denied. Tailscale SSH authenticates sessions from the node's Tailscale identity instead of distributed SSH keys; subnet routers project legacy CIDRs into the mesh; exit nodes give a fixed egress point where one is needed.
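To make "policy, not topology" concrete, here is an added, simplified evaluator for a Tailscale-style ACL policy. It is editorial example code, not Tailscale's policy engine: the policy, users and tags (alice@example.com, group:infra, tag:prod) are constructed for the example, and it models only groups, tags, the "*" wildcard, single ports and port ranges, with default deny. It also applies the documented rule that Tailscale SSH requires the network ACL to allow port 22 as well as a matching ssh rule.

```python
"""Simplified offline evaluator for a Tailscale-style ACL policy.

Editorial example, not Tailscale's policy engine. The constructed policy
below encodes the rule from the text: group:infra may reach port 22 on
hosts tagged tag:prod, and may SSH to them as a non-root user. Modelled:
groups, tags, the "*" wildcard, single ports and "lo-hi" ranges, default
deny. Not modelled: host aliases, IP destinations, other autogroups.
"""
import json

# Constructed sample policy (Tailscale uses HuJSON; plain JSON here).
# The logins, group and tag names are hypothetical.
POLICY = json.loads("""
{
  "groups":    {"group:infra": ["alice@example.com", "bob@example.com"]},
  "tagOwners": {"tag:prod": ["group:infra"]},
  "acls": [
    {"action": "accept", "src": ["group:infra"], "dst": ["tag:prod:22"]},
    {"action": "accept", "src": ["*"],           "dst": ["tag:prod:443"]}
  ],
  "ssh": [
    {"action": "check", "src": ["group:infra"], "dst": ["tag:prod"],
     "users": ["autogroup:nonroot"]}
  ]
}
""")


def principal_matches(selector, user, tags):
    """Does a src/dst selector cover a principal (a user login or a device's tags)?"""
    if selector == "*":
        return True
    if selector.startswith("group:"):
        return user in POLICY["groups"].get(selector, [])
    if selector.startswith("tag:"):
        return selector in tags
    return selector == user  # bare user login


def port_matches(spec, port):
    """A port spec is "*", a single port, or an inclusive "lo-hi" range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def split_dst(dst):
    """'tag:prod:22' -> ('tag:prod', '22'); the port is always the last field."""
    host, _, port = dst.rpartition(":")
    return host, port


def allowed(policy, src_user, dst_tags, port, src_tags=()):
    """Default deny: True only if some accept rule matches src, dst and port."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(principal_matches(s, src_user, src_tags) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, port_spec = split_dst(dst)
            if principal_matches(host, None, dst_tags) and port_matches(port_spec, port):
                return True
    return False


def ssh_action(policy, src_user, dst_tags, login_user):
    """Return the matching ssh rule's action ("accept" or "check"), or None.

    Tailscale SSH additionally requires the network ACL to permit port 22
    to the destination, so that is checked first.
    """
    if not allowed(policy, src_user, dst_tags, 22):
        return None
    for rule in policy.get("ssh", []):
        if not any(principal_matches(s, src_user, ()) for s in rule["src"]):
            continue
        if not any(principal_matches(d, None, dst_tags) for d in rule["dst"]):
            continue
        for u in rule.get("users", []):
            if u == login_user or (u == "autogroup:nonroot" and login_user != "root"):
                return rule["action"]
    return None


if __name__ == "__main__":
    print("alice -> tag:prod:22  ", allowed(POLICY, "alice@example.com", ["tag:prod"], 22))
    print("carol -> tag:prod:22  ", allowed(POLICY, "carol@example.com", ["tag:prod"], 22))
    print("alice ssh as deploy   ", ssh_action(POLICY, "alice@example.com", ["tag:prod"], "deploy"))
    print("alice ssh as root     ", ssh_action(POLICY, "alice@example.com", ["tag:prod"], "root"))
```

The point the evaluator makes is that no rule mentions an IP address or a network location: carol reaches port 443 because of the wildcard rule, but not port 22, and alice can SSH as deploy but not as root, regardless of where either laptop is sitting.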

Use Tailscale when many engineers reach many small services, no compliance reason forces a fixed egress, and access can be expressed declaratively.

Field notes

Pattern
Peer-to-peer WireGuard mesh, managed coordination plane
Identity
Google, Entra, Okta, GitHub, Apple, generic OIDC, JumpCloud
Policy
Declarative ACL; groups and tags rather than IPs
Best fit
Engineering-led orgs exposing internal tooling to staff and cloud workloads
Limits
Not a content-inspection gateway; not a compliance egress
03 · Layer · Network fabric · Gateway
NordLayer

A managed business VPN that has grown a zero-trust segmentation layer over its gateway model. Centralised control plane; data plane terminates at regional servers.

The opposite stance to Tailscale: instead of meshing endpoints, NordLayer operates fixed gateways in chosen regions; clients authenticate to a central directory and tunnel via WireGuard or IKEv2[2]. From a destination's view the gateway is the visible peer, so allow-listing becomes trivial — a database expecting a fixed CIDR trusts the gateway's IP block.

ZTNA features add granularity, not shape: device posture, role-based segmentation, threat filtering, split tunnelling — all enforced at or just behind the gateway. SSO ties back to Entra, Google, Okta or JumpCloud.

Use NordLayer when traffic must exit from specific countries, when third parties enforce IP allow-lists, or when compliance is easier to describe as "we route through these gateways."

Field notes

Pattern
Client-to-gateway VPN with ZTNA segmentation behind it
Transport
WireGuard (NordLynx) or IKEv2 to managed regional servers
Identity
SSO from Entra, Google, Okta, OneLogin, JumpCloud, others
Best fit
Compliance, region-locked access, fixed-IP allow-lists
Limits
Sub-optimal for arbitrary device-to-device internal traffic
04 · Layer · Shell workspace
Termius

An SSH client that treats hosts, credentials, snippets and team permissions as one synchronised dataset — identical on a laptop, workstation and phone.

For a small team an SSH client is a personal artefact: ~/.ssh/config plus muscle memory. Past about five engineers that decays — credentials drift, host lists go stale. Termius treats the SSH surface as account-bound data, synchronised across every device that signs in: hosts, tags, jump configs, snippets, vaults[3].
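The decay described above is easy to measure once you look for it. The following added example (editorial, not Termius code, and not how Termius stores anything) parses two engineers' ~/.ssh/config files and reports hosts only one of them has and settings that disagree for shared hosts. The two configs, the hostnames and the users in it are constructed for the example; per-person keys such as IdentityFile and User are ignored by default so that only real drift is reported.

```python
"""Detect drift between two engineers' ~/.ssh/config files.

Editorial example illustrating the problem the text describes; it is not
Termius code. Inputs are two constructed ssh_config texts. The parser
handles Host blocks and key/value lines (keys case-insensitive as in ssh,
'#' comments, blank lines, "Key Value" or "Key=Value" syntax).
"""

# Constructed sample configs. Hostnames, addresses and users are hypothetical.
ALICE_CONFIG = """
Host bastion
    HostName bastion.example.net
    User alice
    IdentityFile ~/.ssh/id_ed25519

Host db-01
    HostName 10.20.0.11
    User deploy
    ProxyJump bastion
    Port 22
"""

BOB_CONFIG = """
# Bob never updated the bastion address after the move.
Host bastion
    HostName old-bastion.example.net
    User bob
    IdentityFile ~/.ssh/id_rsa

Host db-01
    HostName 10.20.0.11
    User deploy
    ProxyJump bastion

Host cache-01
    HostName 10.20.0.40
    User deploy
    ProxyJump bastion
"""


def parse_ssh_config(text):
    """Return {host_pattern: {lowercased_key: value}} for each Host block.

    Options appearing before the first Host line are kept under "*"
    as global defaults; that entry is dropped if nothing was declared there.
    """
    hosts = {}
    current = hosts.setdefault("*", {})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:                      # "Key=Value" form
            parts = line.split("=", 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = hosts.setdefault(value, {})
        else:
            current[key] = value
    if not hosts["*"]:
        del hosts["*"]
    return hosts


def diff_configs(a, b, ignore=("identityfile", "user")):
    """Compare two parsed configs.

    Returns (only_in_a, only_in_b, changed), where changed maps a shared host
    to {key: (a_value, b_value)}. Keys in `ignore` are per-person by nature
    and skipped; a key missing on one side shows as None.
    """
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = {}
    for host in sorted(set(a) & set(b)):
        keys = (set(a[host]) | set(b[host])) - set(ignore)
        diffs = {k: (a[host].get(k), b[host].get(k))
                 for k in sorted(keys) if a[host].get(k) != b[host].get(k)}
        if diffs:
            changed[host] = diffs
    return only_a, only_b, changed


if __name__ == "__main__":
    alice, bob = parse_ssh_config(ALICE_CONFIG), parse_ssh_config(BOB_CONFIG)
    only_a, only_b, changed = diff_configs(alice, bob)
    print("only alice has:", only_a)
    print("only bob has:  ", only_b)
    for host, diffs in changed.items():
        for key, (va, vb) in diffs.items():
            print(f"{host}: {key} differs: alice={va!r} bob={vb!r}")
```

Run against real files, the same script is a cheap audit of whether a team has already reached the point the paragraph describes; the stale bastion address in Bob's copy is exactly the kind of drift that a shared, account-bound host list removes.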

Team-plan features cover the rest: scoped permissions, audit logs, SSO, plus SFTP / port-forwarding / Mosh / serial-console so ad-hoc work needs no second tool. Mobile clients are not a checkbox — incident response from a phone is plausible when the host list is genuinely there.

Use Termius when SSH is a daily team activity and inconsistent host configurations have become a measurable cost. The underlying network is irrelevant to the workspace.

Field notes

Pattern
Native SSH client with cloud-synced, team-scoped config
Platforms
macOS, Windows, Linux, iOS, Android
Team layer
Shared vaults, role permissions, audit log, SSO
Best fit
Teams touching dozens to hundreds of hosts across devices
Limits
Not a network layer; cannot grant connectivity
05 · Layer · Directory & device fleet
JumpCloud

A cloud-native replacement for the Active Directory most distributed teams never installed, plus the MDM most never wanted to source separately.

Not a network tool. Included because the other three consume an external IdP and many teams have no natural one — no Windows AD, mixed Google/Microsoft tenants, MDM needed for macOS, Windows and Linux alike[4].

The platform supplies users, groups, password policy, SAML/OIDC SSO, SCIM, and MDM configuration for enrolled endpoints. The relevant face here is the IdP role: Tailscale federates against it, NordLayer accepts it as SSO, Termius integrates, SaaS consumes the same SAML.

Use JumpCloud when there is no incumbent identity platform and the team wants directory, MDM and SSO from a single vendor.

Field notes

Pattern
Cloud directory + MDM + SSO, vendor-neutral on endpoint OS
Supplies
Users/groups, SAML/OIDC SSO, SCIM, MDM policies, conditional access
Consumed by
Tailscale, NordLayer, Termius, plus SaaS
Best fit
Teams without Google Workspace, Entra, or Okta to extend
Limits
Not a network or shell tool; supplies identity only
06 · Cross-reference
The four tools side by side

Four answers to the same four questions, as parallel cards rather than a table.

Mesh fabric

Tailscale

  • Topology: WireGuard mesh, peer-to-peer, DERP relay fallback
  • Identity: federates an external IdP
  • Audit: login events, ACL change log, optional SSH session recording
  • Pairs with: Termius; JumpCloud as IdP
Gateway VPN

NordLayer

  • Topology: client to managed regional gateways
  • Identity: SSO from major external IdPs
  • Audit: gateway logs, device posture, segmentation
  • Pairs with: JumpCloud as IdP; Termius for SSH
Shell workspace

Termius

  • Topology: SSH over any underlying network
  • Identity: Termius accounts; SSO on team plans
  • Audit: connection log, config change history
  • Pairs with: Tailscale or NordLayer
Directory & MDM

JumpCloud

  • Topology: not a network path; supplies identity
  • Identity: is the identity layer
  • Audit: auth, enrolment, compliance events
  • Pairs with: all three above, plus SaaS via SAML/SCIM
07 · Assembly
How to choose, as a decision matrix

The useful question is not "which one" but "what does each layer need to do."

Engineer-to-service, no fixed-egress compliance
Tailscale, with declarative ACLs, federated against your IdP. NordLayer not required.
IP allow-lists or region-locked egress
NordLayer, gateway IPs as the allow-listed peer. Tailscale beside it is fine.
SSH has outgrown personal config files
Termius. Connect it to the same IdP; the network choice underneath is independent.
No incumbent identity platform
JumpCloud first. Everything else gets easier once an IdP exists.
All of the above
JumpCloud as identity, Tailscale + NordLayer for two traffic classes, Termius on top. The most common combined deployment we see.

None of these are strict competitors; the architectural friction of combining them is low.

References

  1. Tailscale Inc. How Tailscale works. Engineering documentation, May 2026.
  2. NordLayer. Architecture: gateways, NordLynx, ZTNA. Vendor docs, May 2026.
  3. Termius. Team features overview. Vendor docs, April 2026.
  4. JumpCloud. Directory, MDM, SSO platform overview. Vendor docs, April 2026.
  5. NIST. SP 800-207, Zero Trust Architecture. Special Publication, August 2020.
  6. Internal deployment notes, 14 reference environments, Jan–Apr 2026.

Editorial only; no commercial input. Pricing is out of scope. The Cable Desk is a pseudonym for collective infrastructure-review output.
