Difference between revisions of "Tailscale"

From Nick's Personal Wiki

Revision as of 09:56, 4 April 2026

Installing Tailscale

Linux

Distros With a Package Manager

To download the package via the terminal, run the following:

curl -fsSL https://tailscale.com/install.sh | sh 

Once it's downloaded, initialize Tailscale client via:

sudo tailscale up

This should provide some output to the terminal, including a URL you can use to authenticate via a handful of sign-in options from Google, Microsoft, GitHub, etc.

Once authenticated, the host should appear in your Machines page on the Admin console within your TailNet (Tailscale Network).


Distros/Clients Without a Package Manager

MOST PEOPLE SHOULD BE USING THE ABOVE METHOD AND NOT THIS ONE

But if your distro/client does not have a package manager, or is a more obscure distribution, you can download the version for your system from here.

Extract the downloaded archive:

tar xvf tailscale_*.tgz

Start the downloaded daemon (tailscaled) via:

sudo tailscaled --state=tailscaled.state

And then to start the client and connect the machine to your tailnet:

sudo tailscale up

This should provide some output to the terminal, including a URL you can use to authenticate via a handful of sign-in options from Google, Microsoft, GitHub, etc.

Once authenticated, the host should appear in your Machines page on the Admin console within your TailNet (Tailscale Network).


Access Controls

Access Controls (ACLs) are managed either via the GUI builder or by editing the policy JSON file directly; both are accessible from within the admin console. Tailscale's documentation for this is great, so be sure to see their examples page for reference.

Tailscale SSH is also not configured by default: it needs to be enabled on a host-by-host basis and then permitted in the ACL file from the admin console.


Examples

Tailscale's ACL model is deny-by-default (only access that a rule explicitly grants is allowed), but the policy a new tailnet starts with contains a single allow-all grant so that the nodes can connect to each other.

Default

This initial permit-all ACL looks like this:

{
  "grants": [
    {
      "src": ["*"],
      "dst": ["*"],
      "ip": ["*"]
    }
  ]
}

Owners' Devices Only

To allow each member to access only the devices they own themselves in the TailNet:

{
  "grants": [
    {
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "ip": ["*"]
    }
  ]
}

Groups

Tags

Tailscale SSH

To enable SSH on a particular host, that you're currently logged into:

sudo tailscale set --ssh

This should almost immediately reflect on the Admin console as well with an SSH label.

ACL Configuration

By default, all the hosts on your tailnet can access all the other hosts; they are "granted" this permission via the ACL in the Admin console.

To restrict which users/hosts can access other hosts (via SSH specifically), the ACL needs to be updated.

Restricting SSH Via Groups

This restricts SSH access to hosts in the 'servers' group to members of the 'admin' group only, as any username, with 'check' mode enabled:

"ssh": [
  {
    "action": "check", // Check mode requires re-authentication when connecting after a time
    "src":    ["group:admin"],
    "dst":    ["group:servers"],
    "users":  ["*"],
  },
],
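To make the grants in the Examples section and the SSH rule above concrete, here is an added toy policy evaluator (my own example, not code from Tailscale or from this wiki). It parses the HuJSON form Tailscale accepts (// comments and trailing commas, as in the snippet above), expands group:, tag: and autogroup: selectors against a constructed set of hosts, and answers the two questions the policy decides: whether src can reach dst on a port, and whether a login may SSH in and in which mode. The users, groups, tag names and hosts are hypothetical, the servers are addressed by a tag rather than the page's group:servers, and the rule that an ssh entry only takes effect when an ip grant also allows port 22 is a modelling assumption; deny is the default throughout.

```python
"""Toy evaluator for a Tailscale-style HuJSON policy (added example, not Tailscale code)."""
import json
import re

# Constructed policy: the "Owners' Devices Only" grant, a port-limited admin grant,
# and the check-mode SSH rule with servers addressed by a hypothetical tag.
POLICY_HUJSON = r'''{
  "groups": {
    "group:admin": ["alice@example.com"],
  },
  "grants": [
    // members reach their own devices on any port
    {"src": ["autogroup:member"], "dst": ["autogroup:self"], "ip": ["*"]},
    // admins reach servers on SSH and HTTPS only
    {"src": ["group:admin"], "dst": ["tag:server"], "ip": ["tcp:22", "tcp:443"]},
  ],
  "ssh": [
    {
      "action": "check", // check mode re-prompts for authentication periodically
      "src":    ["group:admin"],
      "dst":    ["tag:server"],
      "users":  ["*"],
    },
  ],
}'''

# Constructed tailnet: user-owned devices carry an owner, servers carry a tag and no owner.
HOSTS = {
    "alice-laptop": {"owner": "alice@example.com", "tags": set()},
    "bob-laptop":   {"owner": "bob@example.com",   "tags": set()},
    "bob-phone":    {"owner": "bob@example.com",   "tags": set()},
    "web-1":        {"owner": None,                "tags": {"tag:server"}},
}

_STRING = r'("(?:[^"\\]|\\.)*")'  # a JSON string literal, always kept verbatim

def parse_hujson(text):
    """Strip // comments and trailing commas outside string literals, then json.loads."""
    no_comments = re.sub(_STRING + r"|//[^\n]*", lambda m: m.group(1) or "", text)
    no_trailing = re.sub(_STRING + r"|,(\s*[}\]])",
                         lambda m: m.group(1) if m.group(1) is not None else m.group(2),
                         no_comments)
    return json.loads(no_trailing)

def _group_members(policy, group):
    return policy.get("groups", {}).get(group, [])

def src_matches(sel, src_host, policy):
    """Does selector `sel` cover the connecting device (and its owner, if it has one)?"""
    h = HOSTS[src_host]
    if sel == "*":
        return True
    if sel.startswith("tag:"):
        return sel in h["tags"]
    owner = h["owner"]
    if owner is None:            # tagged devices carry no user identity
        return False
    if sel == "autogroup:member":
        return True
    if sel.startswith("group:"):
        return owner in _group_members(policy, sel)
    return sel == owner          # a bare user login

def dst_matches(sel, src_host, dst_host, policy):
    """Does selector `sel` cover the destination, relative to the source's owner?"""
    d = HOSTS[dst_host]
    if sel == "*":
        return True
    if sel.startswith("tag:"):
        return sel in d["tags"]
    if sel == "autogroup:self":  # only devices owned by the same user as the source
        return d["owner"] is not None and d["owner"] == HOSTS[src_host]["owner"]
    if sel.startswith("group:"):
        return d["owner"] in _group_members(policy, sel)
    return sel == d["owner"]

def _port_allowed(ip_entries, port):
    """Match "*", "443", "tcp:22" or "tcp:8000-8100"; the protocol is ignored in this model."""
    for entry in ip_entries:
        spec = entry.rpartition(":")[2]
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def ip_allowed(policy, src_host, dst_host, port):
    """Deny by default: True only when some grant covers src, dst and the port."""
    return any(
        any(src_matches(s, src_host, policy) for s in g["src"])
        and any(dst_matches(d, src_host, dst_host, policy) for d in g["dst"])
        and _port_allowed(g.get("ip", []), port)
        for g in policy.get("grants", []))

def ssh_action(policy, src_host, dst_host, login_user):
    """Return "accept", "check" or None (denied) for an SSH login as `login_user`.
    Assumption: an ssh rule applies only if an ip grant also permits tcp/22 to dst."""
    if not ip_allowed(policy, src_host, dst_host, 22):
        return None
    for rule in policy.get("ssh", []):
        if (any(src_matches(s, src_host, policy) for s in rule["src"])
                and any(dst_matches(d, src_host, dst_host, policy) for d in rule["dst"])
                and ("*" in rule["users"] or login_user in rule["users"])):
            return rule["action"]
    return None

POLICY = parse_hujson(POLICY_HUJSON)

if __name__ == "__main__":
    for src, dst, port in [("alice-laptop", "web-1", 22), ("bob-laptop", "web-1", 22),
                           ("bob-laptop", "bob-phone", 443)]:
        print(src, "->", f"{dst}:{port}", "allow" if ip_allowed(POLICY, src, dst, port) else "deny")
    for src, user in [("alice-laptop", "root"), ("bob-laptop", "ubuntu")]:
        print("ssh", f"{user}@web-1", "from", src, ssh_action(POLICY, src, "web-1", user) or "deny")
```

Run it as a script to see the decisions for the sample hosts. The point worth noticing is that the ssh section and the grants are separate gates: bob can reach his own phone on every port through the autogroup:self grant, yet no ssh rule names him, so an SSH login there is still denied, and alice's admin grant opens only 22 and 443 to the servers, so anything else is refused before the ssh rule is even consulted.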


Restricting SSH Via Users

Restricting SSH Via Tags

Disable Logging

PLEASE READ THIS CAREFULLY BEFORE PROCEEDING TO FOLLOW THE COMMANDS, PERFORMING THESE ACTIONS MAY IMPACT YOUR ABILITY TO RECEIVE SUPPORT (IF NEEDED) FROM TAILSCALE

Tailscale is configured by default to send logs and diagnostic data regarding connectivity to Tailscale servers (not your servers, their servers) to assist in troubleshooting issues. You may disable this functionality at the cost of potentially being unable to receive support from Tailscale.

To do so, add:

TS_NO_LOGS_NO_SUPPORT=true

To the file located here:

/etc/default/tailscaled

Or using the command:

sudo tailscale set --no-logs-no-support
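For the file-based method, here is an added helper (my own example, not part of this wiki or of Tailscale) that sets TS_NO_LOGS_NO_SUPPORT=true in an environment file such as /etc/default/tailscaled idempotently: an existing active assignment is rewritten rather than duplicated, a commented-out one is left alone and a fresh line is appended, and running it twice changes nothing. The sample file contents are constructed.

```python
"""Idempotently set KEY=VALUE in a shell-style environment file (added example)."""
import re
from pathlib import Path

def set_env_setting(text, key, value):
    """Return `text` with every active `KEY=...` line rewritten to KEY=value,
    or with one appended if no active assignment exists.
    Lines commented out with # are not treated as assignments."""
    pattern = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    new_line = f"{key}={value}"
    if pattern.search(text):
        # rewrite all active copies so the last one, which the shell honours, is correct
        return pattern.sub(lambda m: new_line, text)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"

def apply_to_file(path, key, value):
    """Rewrite the file only when its content would change; return True if it did."""
    path = Path(path)
    old = path.read_text() if path.exists() else ""
    new = set_env_setting(old, key, value)
    if new != old:
        path.write_text(new)
    return new != old

# Constructed sample resembling an environment file with a commented-out setting.
SAMPLE = '# Set the port\nPORT="41641"\n#TS_NO_LOGS_NO_SUPPORT=true\nFLAGS=""\n'

if __name__ == "__main__":
    print(set_env_setting(SAMPLE, "TS_NO_LOGS_NO_SUPPORT", "true"), end="")
```

To apply it to the real file, call apply_to_file("/etc/default/tailscaled", "TS_NO_LOGS_NO_SUPPORT", "true") as root and then restart tailscaled so the new environment is picked up.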


Additional Resources

Tailscale Documentation