Tailscale VPS Setup Guide 2026: Secure Access Without Port Forwarding
TUTORIAL 9 min read fordnox

Set up Tailscale on your VPS for secure remote access without opening ports. Connect your servers, home network, and devices in minutes.


Tailscale VPS Setup Guide: Zero-Config Secure Access

Tailscale creates a mesh VPN between all your devices — VPS, laptop, phone, home server. No port forwarding, no firewall rules, just secure access everywhere.

What is Tailscale?

Tailscale is a zero-config VPN built on WireGuard:

Think of it as a private internet for your devices.

Why Use Tailscale on VPS?

Without Tailscale

Your laptop → Internet → VPS (open port 22, exposed to attacks)

With Tailscale

Your laptop → Tailscale network → VPS (no open ports, encrypted)

Benefits:

Getting Started

Step 1: Create Tailscale Account

  1. Go to tailscale.com
  2. Sign up with Google/Microsoft/GitHub
  3. You get a unique tailnet (like yourname.ts.net)

Step 2: Install on Your Computer

macOS:

brew install tailscale
tailscale up

Linux:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Windows: Download from tailscale.com/download

After running tailscale up, authorize the device in your browser.

Step 3: Install on VPS

SSH into your VPS normally (one last time via public IP):

ssh root@your-vps-ip

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Start and authenticate
sudo tailscale up

You'll get a URL to authorize — open it in browser.

Step 4: Connect via Tailscale

Your VPS now has a Tailscale IP (like 100.x.x.x):

# Find your VPS's Tailscale IP
tailscale ip -4

# From your laptop, SSH via Tailscale
ssh root@100.x.x.x

Works from anywhere — coffee shop, hotel, phone hotspot.

Lock Down Your VPS

Now that Tailscale works, close public SSH:

# On your VPS (via Tailscale connection!)
sudo ufw deny 22/tcp

# Or delete the rule entirely
sudo ufw delete allow 22/tcp

# Verify
sudo ufw status

Port 22 is now closed to the internet. Only Tailscale connections work.
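A guard for the lockdown step above, as an added example that is not part of the original guide: it changes the firewall only when the current SSH session already arrives from a Tailscale address (100.64.0.0/10), so a session over the public IP cannot close the port it is using. The function names and the script name lockdown.sh are hypothetical, and the `ufw allow in on tailscale0` rule is an addition to the guide's own commands.

```shell
#!/bin/sh
# Added example (not from the original guide): refuse to close public SSH
# unless the current session already arrives over Tailscale.

# Return 0 if $1 is an IPv4 address in 100.64.0.0/10, the range Tailscale
# assigns its 100.x.y.z addresses from; return 1 for anything else.
is_tailscale_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, or empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Print the client address from an SSH_CONNECTION-style string
# ("client_ip client_port server_ip server_port").
ssh_client_ip() {
    set -- $1
    printf '%s\n' "${1:-}"
}

# Return 0 only when the given SSH_CONNECTION value shows a tailnet client.
lockdown_decision() {
    client=$(ssh_client_ip "$1")
    if [ -z "$client" ]; then
        echo "refuse: not inside an SSH session"; return 1
    elif is_tailscale_ip "$client"; then
        echo "proceed: session from $client arrived over Tailscale"; return 0
    fi
    echo "refuse: session from $client arrived over the public address"; return 1
}

# Runs the guide's ufw commands, but only after the check above passes.
# Assumes ufw's default incoming policy is "deny".
close_public_ssh() {
    lockdown_decision "${SSH_CONNECTION:-}" || return 1
    sudo ufw allow in on tailscale0    # keep tailnet traffic explicitly allowed
    sudo ufw delete allow 22/tcp       # remove the public SSH rule
    sudo ufw status verbose
}

# Only touch the firewall when invoked as: sh lockdown.sh apply
if [ "${1:-}" = "apply" ]; then close_public_ssh; fi
```

Run without arguments, the script changes nothing; keep the existing session open until a second SSH login over the Tailscale address has succeeded.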

Use MagicDNS

Enable MagicDNS in Tailscale admin console for friendly names:

# Instead of:
ssh root@100.64.0.2

# Use:
ssh root@my-vps
# or
ssh root@my-vps.yourname.ts.net

Much easier to remember.

Exit Node: Route Traffic Through VPS

Make your VPS a VPN exit node:

# On VPS
sudo tailscale up --advertise-exit-node

Approve in admin console, then on your laptop:

# Route all traffic through VPS
tailscale up --exit-node=my-vps

# Stop using exit node
tailscale up --exit-node=

Now all your internet traffic routes through your VPS IP. Useful for:

Subnet Router: Access Home Network

Access your home LAN from VPS (or vice versa):

# On home server
sudo tailscale up --advertise-routes=192.168.1.0/24

Approve routes in admin console. Now your VPS can reach 192.168.1.x devices.

Use cases:

SSH Configuration

Add to ~/.ssh/config for convenience:

Host vps
    HostName my-vps.yourname.ts.net
    User root
    
Host vps-direct
    HostName 100.64.0.2
    User root

Now just: ssh vps

Tailscale + Docker

For Docker containers to use Tailscale:

Option 1: Host Network

Container uses host's Tailscale:

services:
  app:
    network_mode: host

Option 2: Tailscale Sidecar

Container gets its own Tailscale identity:

services:
  tailscale:
    image: tailscale/tailscale
    hostname: my-service
    environment:
      - TS_AUTHKEY=tskey-xxxxx
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - tailscale-state:/var/lib/tailscale
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    
  app:
    network_mode: service:tailscale
    depends_on:
      - tailscale

volumes:
  tailscale-state:

Generate an auth key in the admin console under Settings → Keys and use it in place of the tskey-xxxxx placeholder.

Tailscale SSH

Tailscale can handle SSH authentication entirely:

# On VPS
sudo tailscale up --ssh

Now SSH works with Tailscale authentication — no SSH keys needed:

ssh my-vps
# Authenticates via Tailscale identity

Configure permissions in admin console → Access Controls.

Share Access with Team

ACL Example

{
  "acls": [
    {
      "action": "accept",
      "src": ["group:devs"],
      "dst": ["tag:servers:*"]
    }
  ],
  "tagOwners": {
    "tag:servers": ["admin@company.com"]
  },
  "groups": {
    "group:devs": ["dev1@company.com", "dev2@company.com"]
  }
}

Tag your VPS:

sudo tailscale up --advertise-tags=tag:servers

Now only group:devs can access tagged servers.

Funnel: Expose Services Publicly

Tailscale Funnel exposes services to the internet via Tailscale's network:

# Expose local port 8080 publicly
tailscale funnel 8080

You get a URL like https://my-vps.yourname.ts.net/

Pros:

Cons:

Best VPS for Tailscale

Tailscale itself is lightweight (<50MB RAM), but your workloads vary:

Provider  | Plan | Price    | Best For
Hetzner   | CX11 | €3.79/mo | Exit node only
Hostinger | KVM1 | $4.99/mo | General use
Vultr     | VC2  | $6/mo    | Multi-region

For exit nodes in multiple locations, Vultr's 32 regions are ideal.

Monitoring & Troubleshooting

Check Status

tailscale status
# Shows all devices in your tailnet

tailscale netcheck
# Tests connectivity, DERP relays, etc.

tailscale ping my-vps
# Direct connectivity test

Common Issues

Can't connect after reboot:

sudo systemctl enable tailscaled
sudo systemctl start tailscaled
sudo tailscale up

Traffic going through relay (slow):

# Check if direct connection possible
tailscale ping -c 5 my-vps
# "via DERP(...)" means relayed; "via <ip>:<port>" means direct

Direct connection requires:

Device offline in admin console:

# On the device
tailscale status
sudo tailscale up

Advanced: Headscale (Self-Hosted)

Don't want to use Tailscale's coordination server? Run Headscale:

docker run -d \
  -p 8080:8080 \
  -v headscale-data:/var/lib/headscale \
  headscale/headscale

Then connect clients:

tailscale up --login-server=https://your-headscale-server

Trade-offs:

For most users, Tailscale's free tier is enough.

Security Best Practices

1. Use ACLs

Don't rely on the default "allow all" policy. Define explicit permissions; the rule below lets any device reach only ports 22 and 443 on any other device:

{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:22,443"]}]}

2. Enable Key Expiry

In the admin console, set device key expiry (e.g., 90 days). This forces periodic re-authentication.

3. Use Tags

Tag servers and use tag-based ACLs. Easier to manage than individual devices.

4. MFA on SSO

Your Tailscale account inherits SSO security. Enable MFA on Google/GitHub.

5. Audit Logs

Enable audit logs in admin console. Review access patterns.

FAQ

Is Tailscale free?

Yes, the free tier includes 100 devices and 3 users. Plenty for personal use.

Is Tailscale secure?

Yes. Traffic is end-to-end encrypted with WireGuard. Tailscale can't see your traffic; its servers only handle coordination.

Does Tailscale slow down connections?

Usually no — direct connections are WireGuard-speed. Relayed connections (DERP) are slower but rare.

Can I use Tailscale and regular SSH?

Yes. Keep port 22 open for backup access, or use Tailscale exclusively.

Tailscale vs WireGuard?

Tailscale uses WireGuard underneath. Tailscale adds: zero-config, SSO, ACLs, NAT traversal.

Summary

Tailscale transforms VPS access:

Before                   | After
Port 22 open to internet | No open ports
IP whitelist management  | Access from anywhere
SSH keys everywhere      | SSO authentication
Complex VPN setup        | One command install

Setup takes 5 minutes. Close port 22 forever.

Quick start:

# On VPS
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Close public SSH
sudo ufw deny 22/tcp

That's it. Secure VPS access from anywhere.


// last updated: February 8, 2026. Disclosure: This article may contain affiliate links.