Secure Remote Access with TailScale + Hardened SSH
This guide walks you through setting up secure remote access using TailScale VPN, with MagicDNS for easy hostname access, and hardening SSH with key-based login.
STEP 1: Install TailScale
SSH into your server or use its console.
Run the TailScale install script:
curl -fsSL https://tailscale.com/install.sh | sh
Authenticate the server with your TailScale account:
sudo tailscale up
Open the provided URL in your browser to log in.
STEP 2: Enable MagicDNS
Log in to your TailScale Admin Console at login.tailscale.com.
Go to "DNS" settings in the menu and enable MagicDNS.
With MagicDNS enabled, you can access your server via a hostname like server-name.tailnet-name.ts.net.
STEP 3: Harden SSH Access
A. Set Up SSH Key Authentication
On your local machine, generate an SSH key pair (if needed):
ssh-keygen -t rsa -b 4096
Copy your public key to the server:
ssh-copy-id user@server-ip
B. Disable Password Authentication
Edit SSH config:
Set:
Restart SSH:
C. Change Default SSH Port (Optional)
In /etc/ssh/sshd_config, change:
Restart SSH:
Update your firewall rules (e.g., UFW):
STEP 4: Install and Configure fail2ban
Install fail2ban:
Create a config file:
Example config:
Restart fail2ban:
STEP 5: SSH Tunnel to Access Server Web UI (Optional)
To securely access a web interface (e.g., Proxmox UI) via SSH:
Then open in your browser:
(Optional) Restrict SSH to TailScale IPs Only
To limit SSH access to only TailScale-connected devices:
Summary Table
TailScale VPN: ✅ Yes
MagicDNS: ✅ Yes
SSH Key Authentication: ✅ Yes
Password Login Disabled: ✅ Yes
Custom SSH Port: ✅ Yes (2222)
fail2ban Protection: ✅ Yes
SSH Tunnel to Web UI: ✅ Optional
SSH Access via TailScale IP: ✅ Optional
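The settings from Step 3 (B and C) only help if sshd actually picks them up. The script below is an added example, not part of the original guide: it reads one sshd_config-style file and reports the values sshd would use, covering the common mistake of appending a hardening line below an earlier conflicting one. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. Per sshd_config(5) keywords are
# case-insensitive and the FIRST value obtained for a keyword is used, so a
# hardening line appended below a conflicting earlier line has no effect.

# effective_value FILE KEYWORD: print the first global value, lowercased.
effective_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/         { next }  # blank lines and comments
        tolower($1) == "match"       { exit }  # conditional blocks are not global
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# listen_ports FILE: Port may be given several times and sshd listens on all.
listen_ports() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "port"  { p = (p == "" ? "" : p " ") $2 }
         END { print p }' "$1"
}

# check_hardening FILE: return 0 only if the guide's settings are in effect.
check_hardening() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication)
    ports=$(listen_ports "$1")
    # Unset keywords fall back to sshd defaults: passwords allowed, port 22.
    [ "${pw:-yes}" = "no" ] || { echo "FAIL: PasswordAuthentication ${pw:-yes}"; rc=1; }
    [ "${ports:-22}" = "2222" ] || { echo "FAIL: listening on ${ports:-22}"; rc=1; }
    return "$rc"
}

# write_samples DIR: constructed configs, not taken from a real host.
write_samples() {
    cat > "$1/appended.conf" <<'EOF'
# distro defaults left in place
Port 22
PasswordAuthentication yes
# hardening lines appended at the end
Port 2222
PasswordAuthentication no
EOF
    cat > "$1/hardened.conf" <<'EOF'
port 2222
passwordauthentication no
EOF
}

d=$(mktemp -d); write_samples "$d"
for f in "$d"/*.conf; do check_hardening "$f" && echo "OK: $f"; done; rm -rf "$d"
```

This parser does not follow Include directives or evaluate Match blocks. On a real host, sudo sshd -T prints the effective configuration with both resolved and is the authoritative check.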