81 lines
2.8 KiB
Markdown
81 lines
2.8 KiB
Markdown
# Tailscale Infrastructure Access
|
|
|
|
Standard for accessing servers and services that don't need public internet exposure. All IT Pro Partner infrastructure joins the same tailnet.
|
|
|
|
## Installation (server side)
|
|
|
|
```bash
|
|
curl -fsSL https://tailscale.com/install.sh | sh
|
|
tailscale up
|
|
```
|
|
|
|
This prints a one-time auth URL. Send it to the user to open in their browser. The command times out after 15s if the URL isn't opened — that's expected, the URL is still valid. Re-run `tailscale up` for a fresh URL if needed.
|
|
|
|
Rename the hostname from the auto-generated to a clean name:
|
|
```bash
|
|
tailscale set --hostname <name>
|
|
```
|
|
|
|
## Installation (client devices)
|
|
|
|
| Device | Download |
|
|
|---|---|
|
|
| macOS | tailscale.com/download-mac |
|
|
| iPhone/iPad | App Store → "Tailscale" |
|
|
| Linux | `curl -fsSL https://tailscale.com/install.sh \| sh` |
|
|
|
|
Sign in with the same Google account on every device. Devices auto-discover.
|
|
|
|
## Post-setup verification
|
|
|
|
```bash
|
|
tailscale status # list all connected devices
|
|
tailscale ip -4 # get this box's tailscale IP
|
|
```
|
|
|
|
## Tailscale-only service access (with HTTPS)
|
|
|
|
For Vaultwarden and other internal-only services:
|
|
|
|
```bash
|
|
# Expose a local Docker port via Tailscale HTTPS
|
|
tailscale serve --bg --https 443 --set-path / http://127.0.0.1:<port>
|
|
|
|
# Verify
|
|
tailscale serve status
|
|
# → https://<hostname>.tail<random>.ts.net/ → proxy http://127.0.0.1:<port>
|
|
```
|
|
|
|
The `.ts.net` URL has a valid auto-TLS certificate. Only reachable from tailnet devices.
|
|
|
|
## UFW rules
|
|
|
|
Creating a Tailscale-only service is a multi-step process — don't close the UFW port until the Tailscale Serve is verified:
|
|
|
|
```bash
|
|
ufw allow <port>/tcp comment 'temp' # step 1: open for testing
|
|
# ... test Tailscale access ...
|
|
ufw delete allow <port>/tcp # step 2: close when verified
|
|
ufw reload
|
|
```
|
|
|
|
For services that must also be accessible locally (SSH, HTTP management), keep those ports open.
|
|
|
|
## Renaming a Tailscale node
|
|
|
|
```bash
|
|
tailscale set --hostname <new-name>
|
|
# Takes effect immediately in status and admin console
|
|
# Taliscale Serve: turn off and re-enable to pick up the new hostname
|
|
```
|
|
|
|
Important: if the auto-generated hostname has confusable characters (`0` vs `O`), rename before deploying services. Some mobile apps (Bitwarden) silently corrupt zero characters in URL text fields.
|
|
|
|
## Pitfalls
|
|
|
|
- `tailscale up` times out after 15s — expected. The URL stays valid.
|
|
- The 100.x.x.x IP can change on re-authentication. Use the `.ts.net` hostname for stable references.
|
|
- After a reboot, run `tailscale up` again.
|
|
- UFW does NOT auto-deny — new ports are public unless explicitly blocked. For tailnet-only services, verify with `ufw status`.
|
|
- Safari on iOS/Mac shows "Not Secure" on HTTP over tailnet — cosmetic. Use Tailscale Serve HTTPS for browser-based services.
|