Secure Remote Access with Tailscale + Hardened SSH

This guide walks through setting up secure remote access with the Tailscale VPN, using MagicDNS for stable hostnames, and then hardening SSH on the server: key-only login, fail2ban, and a firewall rule that accepts SSH only from the tailnet.

STEP 1: Install Tailscale

  1. SSH into your server or use its console.

  2. Fetch the Tailscale install script. Piping a remote script straight into a shell runs whatever the server sends, so download it first, read it (for example with less), and only then execute it:

    curl -fsSL https://tailscale.com/install.sh -o install.sh
    sh install.sh

  3. Authenticate the server with your Tailscale account:

    sudo tailscale up

    • Open the URL that is printed in your browser to log in. The machine then appears in your tailnet and receives a stable 100.x.y.z address; tailscale ip -4 shows it.


STEP 2: Enable MagicDNS

  1. Log in to the Tailscale admin console at login.tailscale.com.

  2. Open the "DNS" page and enable MagicDNS.

  3. With MagicDNS enabled, every device on the tailnet can reach the server by name, e.g. server-name.tailnet-name.ts.net (or simply server-name from another Tailscale device), instead of by its 100.x.y.z address.


STEP 3: Harden SSH Access

A. Set Up SSH Key Authentication

  1. On your local machine, generate an SSH key pair if you do not already have one. Ed25519 is the current default choice; RSA with at least 4096 bits is acceptable where Ed25519 is not supported:

    ssh-keygen -t ed25519
    ssh-keygen -t rsa -b 4096

  2. Copy the public key to the server over the tailnet, where server-ip is the server's Tailscale address or its MagicDNS name from Step 2:

    ssh-copy-id user@server-ip

B. Disable Password Authentication

  Before changing anything, open a second terminal and confirm that ssh user@server-ip logs you in without a password prompt. Keep that session open until the new settings are verified, so a mistake cannot lock you out.

  1. Edit the SSH daemon config:

    sudo nano /etc/ssh/sshd_config

  2. Set the following (uncomment the lines if they are commented out). The second directive matters: with PAM enabled, sshd can still accept a password through keyboard-interactive login unless it is off too (on OpenSSH older than 8.7 the keyword is ChallengeResponseAuthentication):

    PasswordAuthentication no
    KbdInteractiveAuthentication no

    sshd uses the first value it sees for each keyword, and on Debian/Ubuntu the line Include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config pulls in drop-ins (cloud-init writes 50-cloud-init.conf there with its own PasswordAuthentication value) before your edits are read. Check the syntax with sudo sshd -t and the effective values with sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication' before restarting; if a drop-in wins, edit or remove it.

  3. Restart SSH (the unit is named ssh on Debian/Ubuntu, which also accept sshd as an alias, and sshd on RHEL-family systems; existing sessions are not dropped):

    sudo systemctl restart sshd

C. Change Default SSH Port (Optional)

  Moving the port off 22 cuts log noise from mass scanners but is not a security control on its own; once SSH is reachable only over the tailnet (last section) it matters even less.

  1. In /etc/ssh/sshd_config, set:

    Port 2222

  2. Restart SSH:

    sudo systemctl restart sshd

    On Ubuntu 22.10 and newer, sshd is socket-activated (ssh.socket) and, depending on the release, the listening port is taken from the socket unit rather than from sshd_config. After changing Port run sudo systemctl daemon-reload and restart ssh.socket as well, then confirm with ss -tlnp that sshd is listening on 2222 before moving on.

  3. Update your firewall rules (UFW shown). Allow the new port first, verify that a fresh connection on it works, and only then remove the old rule:

    sudo ufw allow 2222/tcp
    sudo ufw delete allow 22/tcp
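Steps 3B and 3C come down to a handful of directives, and the trap is in how sshd reads them: it takes the first value it sees for each keyword and treats everything after a Match line as conditional, so appending to the end of the file, or leaving a commented-out copy or an earlier drop-in in place, can leave password login enabled. The shell functions below are an added example written for this guide (not OpenSSH code and not a tool from the original page). They set a directive as the first line of the global section, removing earlier global copies whether active or commented out, leave Match blocks alone, and read a value back the way sshd would. They run here against a constructed sample file; on a real host point them at a copy of /etc/ssh/sshd_config, then validate with sudo sshd -t and confirm with sudo sshd -T before restarting.

```sh
#!/bin/sh
# Added example (not from the original guide or from OpenSSH): idempotent
# editing of sshd_config directives plus a reader that mimics how sshd picks a
# value: comments ignored, keyword case-insensitive, FIRST occurrence wins,
# and everything after the first "Match" line is conditional, so it is ignored.
# Exercised on a constructed sample file; never run on the live file without
# `sshd -t` / `sshd -T` afterwards.

# sshd_directive FILE KEY -> prints the effective global value of KEY (or nothing).
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                # comment line
        /^[[:space:]]*$/ { next }                # blank line
        tolower($1) == "match" { exit }          # rest of file is conditional
        tolower($1) == key { print $2; exit }    # first global occurrence wins
    ' "$1"
}

# set_sshd_directive FILE KEY VALUE
# Drops every global copy of KEY (active or commented-out) that precedes the
# first Match block and writes "KEY VALUE" as the very first line, so it wins
# regardless of what follows. Lines inside Match blocks are left untouched.
set_sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        BEGIN { print line; in_match = 0 }
        !in_match && tolower($1) == "match" { in_match = 1 }
        !in_match {
            l = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", l)   # strip a leading "#"
            split(l, f, /[[:space:]]+/)
            if (tolower(f[1]) == key) next             # old global copy: drop it
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_sshd_config FILE [PORT]: the Step 3 settings in one call.
harden_sshd_config() {
    set_sshd_directive "$1" PasswordAuthentication no
    set_sshd_directive "$1" KbdInteractiveAuthentication no   # closes the PAM password path
    set_sshd_directive "$1" PubkeyAuthentication yes
    set_sshd_directive "$1" Port "${2:-22}"
}

# make_sample_config FILE: constructed sshd_config fragment (not a real host's
# file) with the traps described above: commented-out defaults, an Include
# line, and a Match block whose own PasswordAuthentication must survive.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PasswordAuthentication yes
KbdInteractiveAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Stand-alone demo on a scratch file.
demo=$(mktemp)
make_sample_config "$demo"
printf 'before: PasswordAuthentication=%s KbdInteractiveAuthentication=%s\n' \
    "$(sshd_directive "$demo" PasswordAuthentication)" \
    "$(sshd_directive "$demo" KbdInteractiveAuthentication)"
harden_sshd_config "$demo" 2222
printf 'after:  PasswordAuthentication=%s KbdInteractiveAuthentication=%s Port=%s\n' \
    "$(sshd_directive "$demo" PasswordAuthentication)" \
    "$(sshd_directive "$demo" KbdInteractiveAuthentication)" \
    "$(sshd_directive "$demo" Port)"
cat "$demo"
rm -f "$demo"
```

Before hardening, sshd_directive reports no global PasswordAuthentication at all (the only copies are the commented-out default and the one inside the Match block), which is exactly the state in which the compiled-in default "yes" applies. After hardening the four directives sit at the top of the file, above the Include line, and the Match block keeps its own setting for the backup user. Running harden_sshd_config twice leaves the file unchanged.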

STEP 4: Install and Configure fail2ban

  With password login disabled and SSH restricted to the tailnet, fail2ban is a second line of defense against brute forcing rather than the primary one; it is still worth having, not least for the record it keeps of who is knocking.

  1. Install fail2ban:

    sudo apt update
    sudo apt install fail2ban

  2. Create a local override (do not edit jail.conf; it is replaced on upgrade):

    sudo nano /etc/fail2ban/jail.local

    Example config. bantime and findtime are in seconds, so this bans a source for 10 minutes after 3 failures within 10 minutes. The port must be the one sshd actually listens on: fail2ban finds offenders in the log, but the port is what its firewall rule blocks.

    [sshd]
    enabled  = true
    port     = 2222
    logpath  = /var/log/auth.log
    maxretry = 3
    bantime  = 600
    findtime = 600

    On journald-only systems where /var/log/auth.log does not exist (Debian 12 without rsyslog, for example), replace the logpath line with backend = systemd so fail2ban reads sshd's messages from the journal.

  3. Enable fail2ban at boot and restart it, then confirm the jail is running with sudo fail2ban-client status sshd:

    sudo systemctl enable --now fail2ban
    sudo systemctl restart fail2ban
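To see what the jail above actually keys on, here is its decision reduced to shell and awk, written for this guide as an added example (it is not fail2ban's code, and fail2ban's real sshd filter matches more message forms than the two used here): count failed password or public-key attempts per source address from constructed auth.log lines, skip a trusted range the way ignoreip would (100.64.0.0/10, the Tailscale address block, is used as the example), and report sources that reach maxretry. The findtime window and the ban itself are left to fail2ban.

```sh
#!/bin/sh
# Added example (not from the original guide or from fail2ban): the decision
# fail2ban's [sshd] jail makes, reduced to shell + awk so the log lines that
# feed it are visible. Counts failed password/public-key attempts per source
# address, skips an ignore range like "ignoreip", and reports sources at or
# above MAXRETRY. The auth.log lines below are constructed, not from a real host.

SAMPLE_AUTH_LOG='Jun  1 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51010 ssh2
Jun  1 10:00:03 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51010 ssh2
Jun  1 10:00:05 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51010 ssh2
Jun  1 10:00:09 srv sshd[1210]: Invalid user admin from 198.51.100.7 port 40022
Jun  1 10:00:09 srv sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jun  1 10:00:20 srv sshd[1222]: Accepted publickey for alice from 100.101.102.103 port 55000 ssh2
Jun  1 10:00:30 srv sshd[1230]: Failed password for alice from 100.101.102.103 port 55002 ssh2
Jun  1 10:00:31 srv sshd[1230]: Failed password for alice from 100.101.102.103 port 55002 ssh2
Jun  1 10:00:32 srv sshd[1230]: Failed password for alice from 100.101.102.103 port 55002 ssh2
Jun  1 10:00:33 srv sshd[1230]: Failed password for alice from 100.101.102.103 port 55002 ssh2
Jun  1 10:00:40 srv sshd[1240]: Failed password for invalid user test from 203.0.113.5 port 51020 ssh2'

# ip_to_int A.B.C.D -> 32-bit integer (dotted quad without leading zeros)
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS -> exit 0 if IP lies inside the network.
# 100.64.0.0/10 is the CGNAT block Tailscale hands out addresses from.
ip_in_cidr() {
    ipn=$(ip_to_int "$1")
    netn=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# failed_login_offenders LOGFILE MAXRETRY [IGNORE_CIDR]
# Prints "IP COUNT" (one per line, sorted by IP) for every source with at
# least MAXRETRY failed attempts, excluding addresses inside IGNORE_CIDR.
# Only "Failed password/publickey" lines count; a bare "Invalid user" line
# (client gave up before trying a credential) does not.
failed_login_offenders() {
    log=$1 maxretry=$2 ignore=${3:-}
    awk '/sshd\[[0-9]+\]: Failed (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$log" | sort | uniq -c |
    while read -r count ip; do
        if [ -n "$ignore" ] && ip_in_cidr "$ip" "$ignore"; then
            continue                      # trusted range, like ignoreip
        fi
        if [ "$count" -ge "$maxretry" ]; then
            printf '%s %s\n' "$ip" "$count"
        fi
    done
}

# Stand-alone demo: maxretry = 3 as in the jail above, tailnet ignored.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$demo"
echo "would ban (ignoring 100.64.0.0/10):"
failed_login_offenders "$demo" 3 100.64.0.0/10
echo "would ban (no ignore list):"
failed_login_offenders "$demo" 3
rm -f "$demo"
```

With the ignore range set, only 203.0.113.5 is reported (four failures across two sessions); the tailnet host 100.101.102.103 also has four but is skipped, and 198.51.100.7 has one. If you do add ignoreip = 100.64.0.0/10 to jail.local, be aware that it exempts every device on the tailnet from bans, which is fine for a personal tailnet and not what you want on a shared one.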

STEP 5: SSH Tunnel to Access Server Web UI (Optional)

To reach a web interface on the server (e.g. the Proxmox UI on port 8006) without exposing it to any network, forward the port through SSH. -N keeps the connection open without starting a shell:

ssh -N -L 8006:localhost:8006 user@server-ip -p 2222

Then open in your browser:

https://localhost:8006

The browser connects to your own machine; the SSH session carries the traffic to port 8006 on the server, so the web UI never has to listen on anything but the server itself.

(Optional) Restrict SSH to Tailscale IPs Only

To limit SSH to devices on your tailnet, allow the Tailscale address range (100.64.0.0/10, the CGNAT block Tailscale assigns from) and then remove the rule that allows the port from anywhere; on its own the narrower rule changes nothing, because the broad one still matches. Do this from a session that is already connected over Tailscale, and keep it open until a fresh connection via the tailnet succeeds:

sudo ufw allow from 100.64.0.0/10 to any port 2222 proto tcp
sudo ufw delete allow 2222/tcp

Restricting by interface instead (sudo ufw allow in on tailscale0 to any port 2222 proto tcp) is tighter still, since it does not depend on the source address alone: only traffic that actually arrived through the Tailscale interface matches.

Summary Table

  Feature                       Configured?
  Tailscale VPN                 ✅ Yes
  MagicDNS                      ✅ Yes
  SSH key authentication        ✅ Yes
  Password login disabled       ✅ Yes
  Custom SSH port               ✅ Yes (2222)
  fail2ban protection           ✅ Yes
  SSH tunnel to web UI          ✅ Optional
  SSH access via Tailscale IP   ✅ Optional
