All pages
Powered by GitBook
1 of 1

Setting up Tailscale VPN

This is optional. You only need to consider this section if you run a node at home and would like to connect to it from outside of your home network.

If you would like to log into your home network remotely, such as while on vacation or on a business trip, the most common route is to use a Virtual Private Network server. This will allow you to connect to your node via SSH and view your monitoring dashboards from anywhere in the world, all without exposing your SSH port to the internet.

Setting Tailscale Up

It is recommended that you enable 2FA (Two Factor Authentication) on whichever identity provider you choose for added security.

curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list

Now, install Tailscale on your node:

sudo apt-get update
sudo apt-get install tailscale

Finally, authenticate and connect your machine to your Tailscale network on your node:

sudo tailscale up

You’re connected! You can find your Tailscale IPv4 address by running:

tailscale ip -4

You should now see your node machine added to the Tailscale dashboard ↗. You may also change the name of the node machine and disable key expiry through the dashboard.

If you would like to access your node using its name rather than its IP address, you can do so by enabling MagicDNS ↗ in the Tailscale settings.

You should now be able to exit the SSH session to your node on your client, and SSH into your node again through Tailscale using ssh <user>@<node-name> -p <ssh-port>.

Updating UFW

If you have UFW configured, you can now add a rule to accept any incoming SSH connections over Tailscale ↗.

The following steps will modify your firewall rules. You must have at least 2 SSH sessions open to your node machine before proceeding - one for modifying the configuration and testing it afterward, and one that will stay logged in as a backup in case your changes break SSH so you can revert them!

Run these commands on the node machine.

Allow access to all incoming ssh connections over Tailscale.

sudo ufw allow in on tailscale0

You may also remove access to the SSH port to completely lock down your node. Note that you will not be able to log in from the local network as Tailscale will become the only way to log in. Only run the following command if you are okay with this.

sudo ufw delete "22/tcp"

Once you’ve set up firewall rules to restrict all non-Tailscale connections, restart UFW and SSH:

sudo ufw reload
sudo service ssh restart

Now, confirm that everything is working as expected. exit from one of your current SSH sessions (but remember to keep the second one open as a backup). Next, connect to the node machine via SSH using the Tailscale IP address or hostname: ssh <user>@<node-name> -p <ssh-port>

If it works, you did everything right and can now safely log into your home network while abroad!

If you've previously port-forwarded your node's SSH port in your router, you can now remove it.

This documentation was adapted from the Rocket Pool docs ↗