Setting up Tailscale SSH while making a cup of tea

One of the benefits of working at Tailscale is that I get a sneak preview of the new features which are going to be rolled out.

I decided to set up Tailscale SSH on my two cloud servers. For any kind of system administration tasks, I require a cup of tea, so here was my process:

  • Put the kettle on to boil, just a half-litre of water as I’m only making one cup of tea, and that’s the minimum amount for my kettle.
  • While that’s boiling, I edited my Tailscale ACLs. If you’ve never edited the default ACLs, an entry will be added automatically that allows users to access their own machines if those machines are using Tailscale SSH.

```json
"ssh": [
  {
    "action": "accept",              // just let them in without reauthenticating
    "src":    ["autogroup:members"], // anyone on my tailnet
    "dst":    ["tag:servers"],       // any device tagged server
    "users":  ["autogroup:nonroot"], // log in as any user other than root
  },
],
```
  • Kettle hasn’t boiled yet, so I logged in to the two servers and ran `tailscale up --ssh` along with the existing flags they had set.
  • Kettle is ready – I poured it and set a timer for 4 minutes, which is the ideal time for a cup of Bewley’s to steep. Bewley’s being (I’m told) the side of the Irish Tea Conflict that our family stays on. The family has strong opinions on Barry’s vs Bewley’s.
  • Logged into DigitalOcean console and set a firewall rule on my droplet to block port 22.
  • Logged into Vultr console, and set a firewall rule to block port 22 and assigned it to my instance. 
  • Ran `ssh user@server1` from another machine on my tailnet, and it worked. Tried `ssh user@server2`, and that worked as well.
  • Waited another minute for my tea to finish steeping. I take it with no milk and no sugar. Just tea.

So I have a secure ssh connection to my production and development servers in less time than it took to make a cup of tea.

I can also change the action line in the ACL to `"action": "check"` to force me to reauthenticate through my identity provider when I want to establish the first SSH connection of the day. I don’t have to distribute or rotate private keys, and I don’t have to worry about brute-force attacks, since port 22 is not open to the internet.
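Since the whole access decision now lives in the ACL file, it is worth having a quick sanity check for the `ssh` rules before pushing a change. The linter below is an added example, not part of the original post or of Tailscale’s tooling: it strips HuJSON comments and trailing commas, then flags `accept` rules that allow `root` or that take any source. The policy text is constructed here; the second rule is deliberately risky so there is something to flag, and the trailing-comma regex assumes no `,}` or `,]` inside string values.

```python
import json
import re
# Constructed sample policy in HuJSON (comments and trailing commas allowed).
SAMPLE_POLICY = """{
  "ssh": [
    {  // mirrors the rule from the post
      "action": "accept", "src": ["autogroup:members"],
      "dst": ["tag:servers"], "users": ["autogroup:nonroot"],
    },
    {  /* constructed risky rule, so the linter has something to flag */
      "action": "accept", "src": ["*"],
      "dst": ["tag:servers"], "users": ["root"],
    },
  ],
}"""

def hujson_to_json(text):
    """Drop // and /* */ comments outside strings, then trailing commas before } or ]."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:   # copy the escaped char, e.g. \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith(("//", "/*"), i):
            close = "\n" if text[i + 1] == "/" else "*/"
            end = text.find(close, i + 2)
            i = n if end == -1 else end + (2 if close == "*/" else 0)
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def lint_ssh_rules(policy_text):
    """Return (rule_index, finding) pairs for SSH rules worth a second look."""
    findings = []
    for idx, rule in enumerate(json.loads(hujson_to_json(policy_text)).get("ssh", [])):
        if rule.get("action") == "accept" and "root" in rule.get("users", []):
            findings.append((idx, "root login allowed without a check"))
        if "*" in rule.get("src", []):
            findings.append((idx, "source is every device on the tailnet"))
    return findings
```

Running `lint_ssh_rules(SAMPLE_POLICY)` reports nothing for the first rule and two findings for the second; a rule that needs `root` is better switched to `"action": "check"` so the identity provider is involved.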

Like the broader Tailscale experience, it just works.