Setup Tailscale on your server to join the tailnet.
- Go to tailscale.com and sign up
- Note your tailnet name (e.g.,
tail123456) from the admin console
Tip
Change tailnet name now if needed!
Go to Settings → General and update your Tailnet name before proceeding.
Changing it later is complicated — it affects:
- All machine hostnames (
*.ts.net) - DNS records
- Kubernetes ingress configurations
- Saved bookmarks and scripts
SSH to your server (via local network or provider console):
curl -fsSL https://tailscale.com/install.sh | shsudo tailscale upFollow the link to authenticate with your Tailscale account.
tailscale statusYour server is now part of your tailnet.
Tailscale SSH allows secure SSH access without exposing port 22 to the internet.
Open ACL Editor and add:
{
"tagOwners": {
"tag:server": ["autogroup:admin"]
},
"ssh": [
{
"action": "check",
"src": ["autogroup:admin"],
"dst": ["tag:server"],
"users": ["autogroup:nonroot", "root"]
}
]
}| Parameter | Value | Purpose |
|---|---|---|
action |
check |
Browser prompt to confirm SSH session |
src |
autogroup:admin |
Only admins can SSH |
dst |
tag:server |
Only devices with tag:server |
users |
nonroot, root |
Can login as ubuntu or root |
sudo tailscale up --ssh --advertise-tags=tag:server- macOS:
brew install tailscaleor download - Windows: download
- Linux:
curl -fsSL https://tailscale.com/install.sh | sh
Connect to your tailnet:
tailscale upFind your server's Tailscale hostname in admin console.
ssh user@<server-tailscale-hostname>
# or using Tailscale IP
ssh user@100.x.x.x- No exposed SSH port (22) to internet
- No SSH key management needed
- Access from anywhere via Tailscale
- Automatic encryption via WireGuard
-
Check both machines are in same tailnet:
tailscale status
-
Check Tailscale SSH is enabled on server:
tailscale status --self # Should show: offers: ssh -
Re-enable SSH:
sudo tailscale up --ssh
Check Tailscale is running:
sudo systemctl status tailscaled