
Overview

Tailscale provides secure remote access for administration tasks. It is used exclusively for SSH access to the server, not for accessing services (those go through Cloudflare Tunnel).
Tailscale creates a private WireGuard mesh network: no inbound ports need to be opened on the server, and every connection between nodes is end-to-end encrypted.

Use Case

Use               Method
Access services   Cloudflare Tunnel
SSH to server     Tailscale
Emergency access  Tailscale

Installation on Fedora CoreOS

Tailscale is installed directly on the host (not containerized) so tailscaled has full access to the host network stack. Note that the Ignition fragment below only enables the unit; the tailscale package itself must also be present on the host (Fedora CoreOS has no dnf, so it is layered with rpm-ostree install tailscale after adding the Tailscale yum repo), otherwise the unit has nothing to start.

Ignition Configuration

{
  "ignition": { "version": "3.4.0" },
  "systemd": {
    "units": [
      {
        "name": "tailscaled.service",
        "enabled": true
      }
    ]
  }
}

Manual Setup

# Install Tailscale (review the script before running it, or install the
# distro package instead of piping a remote script into a root shell)
curl -fsSL https://tailscale.com/install.sh | sh

# Authenticate and tag this host so the tag:server ACL rule matches it.
# The account that logs in must be listed in tagOwners for tag:server.
sudo tailscale up --advertise-tags=tag:server

# Verify the node is connected and see its peers
tailscale status

Terraform Configuration

Tailscale ACLs and device authorization are managed via Terraform. Tailscale ACLs are default-deny, so the single accept rule below is the only traffic the tailnet permits. For it to match, the server must join with --advertise-tags=tag:server and admin workstations with --advertise-tags=tag:admin. Keep in mind that a tagged node is no longer tied to a user identity and has key expiry disabled by default, so tagged admin devices should either have expiry re-enabled in the admin console or be removed from the tailnet when retired.
resource "tailscale_acl" "homelab" {
  acl = jsonencode({
    # Default-deny: this is the only traffic the tailnet permits.
    acls = [
      {
        action = "accept"
        src    = ["tag:admin"]     # admin workstations
        dst    = ["tag:server:22"] # SSH on the server only
      }
    ]
    # Only the tailnet owner may apply these tags when a node authenticates.
    tagOwners = {
      "tag:admin"  = ["autogroup:owner"]
      "tag:server" = ["autogroup:owner"]
    }
  })
}

Authentication

Tailscale authenticates users against the tailnet's identity provider (GitHub, Google, etc.). SSH over Tailscale is therefore gated by that identity plus the node's ACL tags, and is kept separate from the Authentik setup that fronts the services.

Security Considerations

SSH Only

Tailscale is only used for SSH access. Services are accessed via Cloudflare Tunnel with proper authentication. The ACL below governs only traffic that arrives over Tailscale; if the host also has a routable address, restrict sshd to the Tailscale address (ListenAddress, or a host firewall rule limiting port 22 to 100.64.0.0/10) so the ACL cannot be bypassed from outside the tailnet.

ACL Restricted

Tailscale ACLs limit which devices can reach which ports. Only devices tagged tag:admin can reach port 22 on devices tagged tag:server; since the policy has no other accept rule, all other traffic between tailnet nodes is denied.

Troubleshooting

Check Tailscale status on the server:
tailscale status
Verify:
  • Server is online in the Tailscale admin console
  • ACLs allow your device to reach the server: if the server does not appear at all in tailscale status on your device, no rule permits any traffic between the two nodes; confirm both nodes carry the expected tags (tailscale status --json shows them)
  • SSH service is running: systemctl status sshd
Re-authenticate if the node key expired (tagged nodes have key expiry disabled by default, so this mostly affects untagged clients):
sudo tailscale up --reset
--reset restores every setting not given on the command line to its default, so on the server pass --advertise-tags=tag:server again; sudo tailscale up --force-reauth re-authenticates without touching other settings.
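The following script is an added example, not part of the original page or of the homelab's own tooling. It serves two passages: the Terraform ACL (it evaluates the same accept rule the way Tailscale does, default-deny with tag and port matching, and lints for tags that are used but not declared in tagOwners, which Tailscale rejects) and the troubleshooting checklist (it walks a constructed excerpt of tailscale status --json and reports why SSH to the server would fail). The policy JSON mirrors the Terraform block; the status excerpt, hostnames and addresses are constructed for illustration, and only the selector forms this page uses ('*' and 'tag:...') are modelled.

```python
import json

# Constructed policy: the same rule the Terraform resource applies, as the
# JSON Tailscale stores. tagOwners is included so the tag lint below runs.
POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["tag:admin"], "dst": ["tag:server:22"]}
  ],
  "tagOwners": {
    "tag:admin":  ["autogroup:owner"],
    "tag:server": ["autogroup:owner"]
  }
}
""")

# Constructed excerpt of `tailscale status --json` as run on an admin laptop,
# trimmed to the fields used here. Hostnames and addresses are hypothetical.
STATUS = json.loads("""
{
  "BackendState": "Running",
  "Self": {"HostName": "laptop", "Online": true, "Tags": ["tag:admin"],
           "TailscaleIPs": ["100.64.0.2"]},
  "Peer": {
    "nodekey:aaaa": {"HostName": "homelab", "Online": true, "Tags": ["tag:server"],
                     "TailscaleIPs": ["100.64.0.10"]},
    "nodekey:bbbb": {"HostName": "nas", "Online": false, "Tags": [],
                     "TailscaleIPs": ["100.64.0.11"]}
  }
}
""")


def _selector_matches(selector, node):
    """Match an ACL src/dst selector against a status node. Only '*' and
    'tag:...' are modelled; users, groups, autogroups and CIDRs are out of
    scope for this example and raise instead of silently matching."""
    if selector == "*":
        return True
    if selector.startswith("tag:"):
        return selector in (node.get("Tags") or [])
    raise ValueError(f"selector kind not modelled: {selector}")


def _port_matches(spec, port):
    """Tailscale dst port specs: '*', 'N', 'N-M', or a comma-separated list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if port == int(lo) or (hi and int(lo) <= port <= int(hi)):
            return True
    return False


def allowed(policy, src_node, dst_node, port):
    """Default deny: True only if some accept rule matches src, dst and port."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_selector_matches(s, src_node) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")
            if _selector_matches(host, dst_node) and _port_matches(ports, port):
                return True
    return False


def undeclared_tags(policy):
    """Tags referenced in acls but absent from tagOwners. Tailscale rejects
    such a policy, so catch it before `terraform apply`."""
    used = set()
    for rule in policy["acls"]:
        used.update(s for s in rule["src"] if s.startswith("tag:"))
        used.update(d.rpartition(":")[0] for d in rule["dst"] if d.startswith("tag:"))
    return sorted(used - set(policy.get("tagOwners", {})))


def diagnose(status, policy, server, port=22):
    """Walk the troubleshooting checklist from this node's point of view and
    return the problems found; an empty list means SSH should be reachable."""
    problems = []
    if status.get("BackendState") != "Running":
        problems.append(f"tailscaled not running: {status.get('BackendState')}")
    peer = next((p for p in status["Peer"].values() if p["HostName"] == server), None)
    if peer is None:
        # A peer with no permitted traffic is not even listed in status.
        return problems + [f"{server} is not visible from this node (check the admin console and ACLs)"]
    if not peer.get("Online"):
        problems.append(f"{server} is offline")
    me = status["Self"]
    if not allowed(policy, me, peer, port):
        problems.append(f"ACL denies {me['HostName']} -> {server}:{port} "
                        f"(self tags {me.get('Tags')}, server tags {peer.get('Tags')})")
    return problems


if __name__ == "__main__":
    print("undeclared tags:", undeclared_tags(POLICY))
    for host in ("homelab", "nas"):
        print(host, "->", diagnose(STATUS, POLICY, host) or "ok")
```

To use it against a real tailnet, replace STATUS with the output of tailscale status --json and POLICY with the ACL JSON the Terraform resource renders; the diagnose() result then tells you which of the three checklist items is failing instead of leaving you to infer it from a connection timeout.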