Secure Remote Access with TailScale + Hardened SSH

This guide walks you through setting up secure remote access using TailScale VPN with MagicDNS for easy hostname access along with steps to harden SSH with key-based login.

STEP 1: Install TailScale

SSH into your server or use its console.

Run the TailScale install script:

curl -fsSL https://tailscale.com/install.sh | sh

Authenticate the server with your TailScale account:
```
sudo tailscale up
```
- Open the provided URL in your browser to log in.

STEP 2: Enable MagicDNS

Log in to your TailScale Admin Console at login.tailscale.com.
Go to "DNS" settings in the menu and enable MagicDNS.
With MagicDNS enabled, you can access your server via a hostname like server-name.tailnet-name.ts.net.

STEP 3: Harden SSH Access

A. Set Up SSH Key Authentication

On your local machine, generate an SSH key pair (if needed):
```
ssh-keygen -t rsa -b 4096
```
Copy your public key to the server:
```
ssh-copy-id user@server-ip
```

B. Disable Password Authentication

Edit SSH config:
```
sudo nano /etc/ssh/sshd_config
```
Set:
```
PasswordAuthentication no
```
Restart SSH:
```
sudo systemctl restart sshd
```

C. Change Default SSH Port (Optional)

In /etc/ssh/sshd_config, change:
```
Port 2222
```
Restart SSH:
```
sudo systemctl restart sshd
```

Update your firewall rules (e.g., UFW):

sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp

STEP 4: Install and Configure fail2ban

Install fail2ban:

sudo apt update
sudo apt install fail2ban

Create a config file:

sudo nano /etc/fail2ban/jail.local

Example config:

[sshd]
enabled  = true
port     = 2222
logpath  = /var/log/auth.log
maxretry = 3
bantime  = 600
findtime = 600

Restart fail2ban:
```
sudo systemctl restart fail2ban
```

STEP 5: SSH Tunnel to Access Server Web UI (Optional)

To securely access a web interface (e.g., Proxmox UI) via SSH:

ssh -L 8006:localhost:8006 user@server-ip -p 2222

Then open in your browser:

https://localhost:8006

(Optional) Restrict SSH to TailScale IPs Only

To limit SSH access to only TailScale-connected devices:

sudo ufw allow from 100.64.0.0/10 to any port 2222 proto tcp

Summary Table

Feature

Configured?

TailScale VPN

✅ Yes

MagicDNS

✅ Yes

SSH Key Authentication

✅ Yes

Password Login Disabled

✅ Yes

Custom SSH Port

✅ Yes (2222)

fail2ban Protection

✅ Yes

SSH Tunnel to Web UI

✅ Optional

SSH Access via TailScale IP

✅ Optional

PreviousIdle Proxmox Auto-Shutdown NextExpose the Web UI over Tailnet

Last updated 5 months ago

hashtagSTEP 1: Install TailScale

hashtagSTEP 2: Enable MagicDNS

hashtagSTEP 3: Harden SSH Access

hashtagA. Set Up SSH Key Authentication

hashtagB. Disable Password Authentication

hashtagC. Change Default SSH Port (Optional)

hashtagSTEP 4: Install and Configure fail2ban

hashtagSTEP 5: SSH Tunnel to Access Server Web UI (Optional)

hashtag(Optional) Restrict SSH to TailScale IPs Only

hashtagSummary Table

STEP 1: Install TailScale

STEP 2: Enable MagicDNS

STEP 3: Harden SSH Access

A. Set Up SSH Key Authentication

B. Disable Password Authentication

C. Change Default SSH Port (Optional)

STEP 4: Install and Configure fail2ban

STEP 5: SSH Tunnel to Access Server Web UI (Optional)

(Optional) Restrict SSH to TailScale IPs Only

Summary Table