Tailscale VPS Setup Guide 2026: Secure Access Without Port Forwarding
Set up Tailscale on your VPS for secure remote access without opening ports. Connect your servers, home network, and devices in minutes.
Tailscale VPS Setup Guide: Zero-Config Secure Access
Tailscale creates a mesh VPN between all your devices — VPS, laptop, phone, home server. No port forwarding, no firewall rules, just secure access everywhere.
What is Tailscale?
Tailscale is a zero-config VPN built on WireGuard:
- Mesh network — Every device connects directly to every other
- No central traffic hub — Data goes device-to-device; Tailscale's coordination server only handles setup, not your traffic
- Punch through NAT — Works behind firewalls/CGNAT
- SSO integration — Use Google/Microsoft/GitHub login
- Free tier — 100 devices, 3 users
Think of it as a private internet for your devices.
Why Use Tailscale on VPS?
Without Tailscale
Your laptop → Internet → VPS (open port 22, exposed to attacks)
With Tailscale
Your laptop → Tailscale network → VPS (no open ports, encrypted)
Benefits:
- Close port 22 to the internet
- Access VPS from anywhere without IP whitelisting
- Connect VPS to home network resources
- Share access with team members safely
Getting Started
Step 1: Create Tailscale Account
- Go to tailscale.com
- Sign up with Google/Microsoft/GitHub
- You get a unique tailnet (like yourname.ts.net)
Step 2: Install on Your Computer
macOS:
brew install tailscale
tailscale up
Linux:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
Windows: Download from tailscale.com/download
After running tailscale up, authorize in browser.
Step 3: Install on VPS
SSH into your VPS normally (one last time via public IP):
ssh root@your-vps-ip
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
# Start and authenticate
sudo tailscale up
You'll get a URL to authorize — open it in browser.
Step 4: Connect via Tailscale
Your VPS now has a Tailscale IP (like 100.x.x.x):
# Find your VPS's Tailscale IP
tailscale ip -4
# From your laptop, SSH via Tailscale
ssh root@100.x.x.x
Works from anywhere — coffee shop, hotel, phone hotspot.
Lock Down Your VPS
Now that Tailscale works, close public SSH:
# On your VPS (via Tailscale connection!)
sudo ufw deny 22/tcp
# Or delete the rule entirely
sudo ufw delete allow 22/tcp
# Verify
sudo ufw status
Port 22 is now closed to the internet. Only Tailscale connections work.
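Before running the commands above, confirm that the shell you are typing into was itself reached over Tailscale. The following is an added example, not part of the original guide: the function names are hypothetical, and it assumes ufw, the default tailscale0 interface name, and a session made to the VPS's IPv4 tailnet address (anything else, including an IPv6 session, is refused as the safe default).

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical;
# assumes ufw and the default Tailscale interface name tailscale0.

# Return 0 only if $1 is an IPv4 address in 100.64.0.0/10, the range
# Tailscale assigns addresses from (100.64.0.0 - 100.127.255.255).
is_tailnet_ipv4() {
  case "$1" in
    "" | *[!0-9.]* | *..* | .* | *.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Client address of the current SSH session: first field of SSH_CONNECTION,
# which sshd sets to "client_ip client_port server_ip server_port".
ssh_client_ip() {
  set -- ${SSH_CONNECTION:-}
  printf '%s\n' "${1:-}"
}

# Refuse to continue unless this shell was reached over the tailnet, so that
# removing the public rule cannot cut off the only working session.
lockdown_preflight() {
  client=$(ssh_client_ip)
  if [ -z "$client" ]; then
    echo "no SSH_CONNECTION: run this from an SSH login made over Tailscale"
    return 2
  fi
  if ! is_tailnet_ipv4 "$client"; then
    echo "session is from $client, not a tailnet IPv4 address: reconnect via Tailscale first"
    return 1
  fi
  echo "session is from tailnet address $client"
}

# Close public SSH only after the preflight passes.
close_public_ssh() {
  lockdown_preflight || return 1
  sudo ufw allow in on tailscale0 || return 1   # explicit allow for tailnet traffic
  sudo ufw delete allow 22/tcp || return 1      # remove the public SSH rule
  sudo ufw status verbose                       # confirm 22/tcp is no longer listed
}
```

Source the file on the VPS and run close_public_ssh from a session opened with ssh root@100.x.x.x; keep that session open until a second Tailscale login succeeds.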
Use MagicDNS
Enable MagicDNS in Tailscale admin console for friendly names:
# Instead of:
ssh root@100.64.0.2
# Use:
ssh root@my-vps
# or
ssh root@my-vps.yourname.ts.net
Much easier to remember.
Exit Node: Route Traffic Through VPS
Make your VPS a VPN exit node:
# On VPS
sudo tailscale up --advertise-exit-node
Approve in admin console, then on your laptop:
# Route all traffic through VPS
tailscale up --exit-node=my-vps
# Stop using exit node
tailscale up --exit-node=
Now all your internet traffic routes through your VPS IP. Useful for:
- Bypassing geo-restrictions
- Consistent IP for services that whitelist
- Privacy on public WiFi
Subnet Router: Access Home Network
Access your home LAN from VPS (or vice versa):
# On home server
sudo tailscale up --advertise-routes=192.168.1.0/24
Approve routes in admin console. Now your VPS can reach 192.168.1.x devices.
Use cases:
- VPS accessing home NAS
- Home automation from anywhere
- Backup VPS to home storage
SSH Configuration
Add to ~/.ssh/config for convenience:
Host vps
    HostName my-vps.yourname.ts.net
    User root

Host vps-direct
    HostName 100.64.0.2
    User root
Now just: ssh vps
Tailscale + Docker
For Docker containers to use Tailscale:
Option 1: Host Network
Container uses host's Tailscale:
services:
  app:
    image: your-app-image  # placeholder: your application's image
    network_mode: host
Option 2: Tailscale Sidecar
Container gets its own Tailscale identity:
services:
  tailscale:
    image: tailscale/tailscale
    hostname: my-service
    environment:
      - TS_AUTHKEY=tskey-xxxxx
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - tailscale-state:/var/lib/tailscale
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
  app:
    image: your-app-image  # placeholder: your application's image
    # Share the sidecar's network namespace (and its Tailscale identity)
    network_mode: service:tailscale
    depends_on:
      - tailscale
volumes:
  tailscale-state:
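Generate an auth key in admin console → Settings → Keys. Supply the real key from an environment file or secret store rather than committing it in the compose file.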
Tailscale SSH
Tailscale can handle SSH authentication entirely:
# On VPS
sudo tailscale up --ssh
Now SSH works with Tailscale authentication — no SSH keys needed:
ssh my-vps
# Authenticates via Tailscale identity
Configure permissions in admin console → Access Controls.
Share Access with Team
ACL Example
{
  "acls": [
    {
      "action": "accept",
      "src": ["group:devs"],
      "dst": ["tag:servers:*"]
    }
  ],
  "tagOwners": {
    "tag:servers": ["admin@company.com"]
  },
  "groups": {
    "group:devs": ["dev1@company.com", "dev2@company.com"]
  }
}
Tag your VPS:
sudo tailscale up --advertise-tags=tag:servers
Now only group:devs can access tagged servers.
Funnel: Expose Services Publicly
Tailscale Funnel exposes services to the internet via Tailscale's network:
# Expose local port 8080 publicly
tailscale funnel 8080
You get a URL like https://my-vps.yourname.ts.net/
Pros:
- No port forwarding needed
- Automatic HTTPS
- Works behind CGNAT
Cons:
- Traffic routes through Tailscale
- Limited bandwidth on free tier
- Only HTTPS (ports 443, 8443, 10000)
Best VPS for Tailscale
Tailscale itself is lightweight (<50MB RAM), but your workloads vary:
| Provider | Plan | Price | Best For |
|---|---|---|---|
| Hetzner | CX11 | €3.79/mo | Exit node only |
| Hostinger | KVM1 | $4.99/mo | General use |
| Vultr | VC2 | $6/mo | Multi-region |
For exit nodes in multiple locations, Vultr's 32 regions are ideal.
Monitoring & Troubleshooting
Check Status
tailscale status
# Shows all devices in your tailnet
tailscale netcheck
# Tests connectivity, DERP relays, etc.
tailscale ping my-vps
# Direct connectivity test
Common Issues
Can't connect after reboot:
sudo systemctl enable tailscaled
sudo systemctl start tailscaled
sudo tailscale up
Traffic going through relay (slow):
# Check if direct connection possible
tailscale ping -c 5 my-vps
# Each reply starts with "pong from": "via DERP(region)" means relayed, "via <ip>:<port>" means direct
Direct connection requires:
- UDP port 41641 outbound (usually open)
- Or both devices on same network
Device offline in admin console:
# On the device
tailscale status
sudo tailscale up
Advanced: Headscale (Self-Hosted)
Don't want to use Tailscale's coordination server? Run Headscale:
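# Headscale needs a config.yaml in the mounted config directory and the "serve" subcommand
docker run -d \
  -p 8080:8080 \
  -v "$(pwd)/config:/etc/headscale" \
  -v headscale-data:/var/lib/headscale \
  headscale/headscale \
  serve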
Then connect clients:
tailscale up --login-server=https://your-headscale-server
Trade-offs:
- Full control
- No Tailscale account needed
- But: No MagicDNS, Funnel, or admin console
For most users, Tailscale's free tier is enough.
Security Best Practices
1. Use ACLs
Don't use default "allow all". Define explicit permissions:
{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:22,443"]}]}
2. Enable Key Expiry
In admin console, set device key expiry (e.g., 90 days). Forces re-authentication.
3. Use Tags
Tag servers and use tag-based ACLs. Easier to manage than individual devices.
4. MFA on SSO
Your Tailscale account inherits SSO security. Enable MFA on Google/GitHub.
5. Audit Logs
Enable audit logs in admin console. Review access patterns.
FAQ
Is Tailscale free?
Yes, free tier includes 100 devices and 3 users. Plenty for personal use.
Is Tailscale secure?
Yes. WireGuard encryption, end-to-end. Tailscale can't see your traffic (only coordination).
Does Tailscale slow down connections?
Usually no — direct connections are WireGuard-speed. Relayed connections (DERP) are slower but rare.
Can I use Tailscale and regular SSH?
Yes. Keep port 22 open for backup access, or use Tailscale exclusively.
Tailscale vs WireGuard?
Tailscale uses WireGuard underneath. Tailscale adds: zero-config, SSO, ACLs, NAT traversal.
Summary
Tailscale transforms VPS access:
| Before | After |
|---|---|
| Port 22 open to internet | No open ports |
| IP whitelist management | Access from anywhere |
| SSH keys everywhere | SSO authentication |
| Complex VPN setup | One command install |
Setup takes 5 minutes. Close port 22 forever.
Quick start:
# On VPS
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
# Close public SSH
sudo ufw deny 22/tcp
That's it. Secure VPS access from anywhere.
fordnox
Expert VPS reviews and hosting guides. We test every provider we recommend.
// last updated: February 8, 2026. Disclosure: This article may contain affiliate links.