TIL - Securing Virtual Private Servers with Tailscale

security Apr 10, 2022

Tailscale is a VPN service that makes our devices and applications accessible from anywhere, securely and effortlessly. I want to emphasize the word "effortlessly" because it is straightforward to set up and use Tailscale. They even brand Tailscale as "Zero config VPN."

Why Tailscale?

Tailscale enables encrypted point-to-point communications using the open-source WireGuard protocol, which means only devices on our private network can communicate with each other. Under the hood, it creates a virtual network interface, sets up public and private SSH keys, and takes care of key rotation, authentication, and network configuration. You can add up to 20 devices to your private network for free as of this date! 🔥

Tailscale builds a faster, more reliable, and more secure network fabric that offers speed, stability, and simplicity over traditional VPNs. Unlike traditional VPNs, which tunnel all network traffic through a central VPN gateway server, Tailscale creates a peer-to-peer mesh network called a "tailnet."

For more information on how it works, check out Tailscale's excellent documentation page "How Tailscale works".

Securing an Ubuntu server using Tailscale

Before you begin, you will need:

  • An Ubuntu server; you can use my referral code to get free credits from Digital Ocean.
  • A Tailscale account.

You will also need Tailscale installed and logged in on the machine from which you want to access the Ubuntu server. Installers for every platform are on their downloads page: https://tailscale.com/download/.


# ssh into your new Ubuntu server
ssh <username>@<server host ip>

# install tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# authenticate and connect your machine to your tailscale network
sudo tailscale up

# note down the tailscale network ip address
tailscale ip -4

💡 As a security feature, Tailscale requires periodic reauthentication. To avoid getting locked out of the Ubuntu server, you may want to disable key expiry for this machine by following Tailscale's key expiry instructions.

# access the Ubuntu server over tailscale
ssh <username>@<tailscale ip addr>

# allow access over tailscale, using UFW (Uncomplicated Firewall)
sudo ufw allow in on tailscale0
sudo ufw allow 41641/udp

# enable UFW
sudo ufw enable

# restrict all other traffic (optional)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# delete public SSH access over 22/tcp; ufw needs the full rule, so if the
# rule was added differently, list rules with "sudo ufw status numbered"
# and delete it by number instead
sudo ufw delete allow 22/tcp

# restarting UFW and sshd
sudo ufw reload
sudo service ssh restart

At this point, we have successfully installed and configured Tailscale. The only thing left to do is to verify the connectivity.


# to test and verify connectivity
ssh <username>@<tailscale ip addr>
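The step that deletes the 22/tcp rule is the one place in this procedure where a mistake locks you out. The pre-flight script below is an added example, not part of the original post or of Tailscale's tooling: it refuses to remove the public SSH rule unless the current session arrived over the tailnet, assuming tailnet IPv4 addresses come from Tailscale's 100.64.0.0/10 range and that OpenSSH exports SSH_CONNECTION as "client_ip client_port server_ip server_port".

```shell
#!/bin/sh
# Pre-flight check for the "delete 22/tcp" step: refuse to remove the public
# SSH rule unless the current session arrived over the tailnet, so the change
# cannot lock us out. Assumptions: tailnet IPv4 addresses come from Tailscale's
# 100.64.0.0/10 range, and OpenSSH exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port".

# Return 0 when $1 is a dotted-quad IPv4 address inside 100.64.0.0/10.
is_tailscale_ip() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # not a dotted quad
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    # 100.64.0.0/10 spans 100.64.0.0 to 100.127.255.255
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Return 0 when the server-side address in an SSH_CONNECTION string ($1)
# is a tailnet address, i.e. the session came in over tailscale0.
session_is_over_tailnet() {
    set -- $1
    [ $# -eq 4 ] || return 1
    is_tailscale_ip "$3"
}

# Apply the firewall change only after the check passes.
remove_public_ssh_rule() {
    if session_is_over_tailnet "${SSH_CONNECTION:-}"; then
        echo "Session arrived over Tailscale; removing the public 22/tcp rule."
        sudo ufw delete allow 22/tcp
    else
        echo "Refusing: this session did not arrive over the tailnet." >&2
        echo "Reconnect via ssh <username>@<tailscale ip addr> and retry." >&2
        return 1
    fi
}

# Only act when run as "sh ssh-lockdown-check.sh --apply"; otherwise the
# functions are just defined (e.g. when sourced).
if [ "${1:-}" = "--apply" ]; then
    remove_public_ssh_rule
fi
```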

I hope the installation went smoothly and you can connect to your Ubuntu server over Tailscale. If you get stuck at any point, please refer to this Tailscale article:

Use UFW to lock down an Ubuntu server
