Restricting SSH connections to devices within a Tailscale network

I'm running an AWS Lightsail instance and I want to only be able to SSH to it from devices connected to my Tailscale network.

I installed Tailscale on the instance using their Ubuntu installation instructions. I have it running on my laptop and phone as well.

I ran ifconfig tailscale0 to find the Tailscale IP for instance:

$ ifconfig tailscale0
tailscale0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1420
        inet 100.122.168.55  netmask 255.192.0.0  destination 100.122.168.55
        inet6 fe80::33a:342a:2733:186a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 2147  bytes 95030 (95.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 990  bytes 66448 (66.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Then I ran sudo vi /etc/ssh/sshd_config and added that address as the only ListenAddress:

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 100.122.168.55

Then restarted SSH:

sudo service ssh restart

I can now SSH to Tailscale from my laptop, but only if I use the Tailscale IP address for the server (I thought it was broken at first because I was still SSHing to the internet public IP):

ssh ubuntu@100.122.168.55 -i lightsail.pem

Bonus: point a real DNS subdomain at the Tailscale IP and you can ssh ubuntu@realsubdomain.example.com instead of remembering the IP address.

Handy debugging tip: tail -f /var/log/auth.log shows recent sign-in attempts.

Thanks to @apenwarr for tips.

Alternative pattern

This conversation questions if the above recipe will work correctly when a server reboots. It seems it's possible that sshd might start up before the tailscale0 network has been created, resulting in problems.

@bradfitz instead recommends adding the following line:

AllowUsers *@100.64.0.0/10

This will allow SSH access only from users within the Tailscale range of IPs. It shouldn't cause any problems during server startup.

⚠️ Warning!

This is complicated. See https://github.com/simonw/til/issues/7 for an explanation of a potential vulnerability in this pattern.

Related

• macos Local wildcard DNS on macOS with dnsmasq - 2023-06-30
• fly How to scp files to and from Fly - 2022-09-02
• fly Wildcard DNS and SSL on Fly - 2022-05-25
• aws Recovering data from AWS Lightsail using EC2 - 2021-01-16
• linux Enabling a user to execute a specific command as root without a password - 2022-02-13
• macos Running Docker on an M1 Mac - 2021-05-25
• caddy Pausing traffic and retrying in Caddy - 2021-11-24
• github Running a Django and PostgreSQL development environment in GitHub Codespaces - 2023-08-10
• github Setting up a custom subdomain for a GitHub Pages site - 2022-05-04
• docker Allowing a container in Docker Desktop for Mac to talk to a PostgreSQL server on the host machine - 2022-03-31

Created 2020-04-23T07:21:22-07:00, updated 2020-04-29T18:29:59-07:00 · History · Edit