Secure Remote Access to a Windows Machine from Debian Using SSH and Tailscale

Introduction (Motive)

I wanted a reliable way to remotely access my Windows machine (with a dedicated GPU) from a Debian laptop, from anywhere in the world, without exposing ports, dealing with dynamic IPs, or relying on fragile tunneling tools.

The goal was:

• Secure remote terminal access
• Works across different networks
• No router port forwarding
• Stable and production-grade
• Compatible with VS Code Remote development

This post documents the exact steps, pitfalls, and final configuration that worked.

---

System Setup

• Remote machine: Windows 11 (Home/Pro), GPU-enabled
• Client machine: Debian Linux
• Remote access: OpenSSH
• Networking: Tailscale (WireGuard-based mesh VPN)
• Editor: VS Code with Remote SSH extension

---

High-Level Architecture

Debian Laptop
   |
   |  (Encrypted Tailscale tunnel)
   |
Windows PC (sshd running)

Tailscale provides a private network (100.x.x.x) between devices. SSH runs inside this network, so nothing is exposed to the public internet.

---

Step 1: Enable OpenSSH Server on Windows

1.1 Install OpenSSH Server (manual MSI method)

On recent Windows builds, the optional feature install may hang. The reliable approach is to install OpenSSH manually.

Download the Win64 OpenSSH MSI from:

https://github.com/PowerShell/Win32-OpenSSH/releases

Install it, then verify binaries exist at:

C:\Program Files\OpenSSH\

---

1.2 Create and start the sshd service

Open PowerShell as Administrator:

sc.exe create sshd binPath= "C:\Program Files\OpenSSH\sshd.exe" start= auto
sc.exe description sshd "OpenSSH SSH Server"
Start-Service sshd

Verify:

Get-Service sshd

Expected:

Status : Running
StartType : Automatic

---

1.3 Allow SSH through Windows Firewall

New-NetFirewallRule `
  -Name sshd `
  -DisplayName "OpenSSH Server" `
  -Enabled True `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 22 `
  -Action Allow

---

Step 2: Configure SSH Authentication

2.1 Generate SSH key on Debian

On Debian:

ssh-keygen -t ed25519

Public key location:

~/.ssh/id_ed25519.pub

---

2.2 Add public key to Windows

On Windows, create:

C:\Users\JohnDoe\.ssh\authorized_keys

Paste the entire public key line into this file.

---

2.3 Fix permissions (important)

Run in PowerShell (Admin):

cmd /c 'icacls "C:\Users\JohnDoe\.ssh" /inheritance:r'
cmd /c 'icacls "C:\Users\JohnDoe\.ssh" /grant JohnDoe:(F)'
cmd /c 'icacls "C:\Users\JohnDoe\.ssh\authorized_keys" /inheritance:r'
cmd /c 'icacls "C:\Users\JohnDoe\.ssh\authorized_keys" /grant JohnDoe:(R)'

Incorrect permissions will cause SSH login failures.

---

2.4 If you don’t have a Windows password

SSH requires a Windows account password.

Set one:

net user JohnDoe *

---

Step 3: Install Tailscale on Windows

3.1 Install via MSI (recommended)

Download:

https://pkgs.tailscale.com/stable/tailscale-setup-<version>-amd64.msi

Install normally.

Verify service:

Get-Service Tailscale

---

3.2 Login to Tailscale

Use the system tray icon to log in.

Check status:

& "C:\Program Files\Tailscale\tailscale.exe" status

You should see:

100.xxx.xxx.xxx  windows-machine-name  windows

---

Step 4: Install Tailscale on Debian

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Authenticate using the same account.

Verify:

tailscale status

Both machines should appear.

---

Step 5: SSH Over Tailscale (Global Access)

From Debian:

ssh JohnDoe@100.xxx.xxx.xxx

or using hostname:

ssh JohnDoe@windows-machine-name

This works from:

• Different Wi-Fi
• Mobile hotspot
• University or office networks
• Anywhere in the world

No port forwarding required.

---

Step 6: VS Code Remote SSH (Optional but Recommended)

6.1 Install extension on Debian

Remote - SSH (ms-vscode-remote.remote-ssh)

---

6.2 Add SSH host

Command Palette:

Remote-SSH: Add New SSH Host

ssh JohnDoe@100.xxx.xxx.xxx

Config file:

~/.ssh/config

Example entry:

Host windows
    HostName 100.xxx.xxx.xxx
    User JohnDoe
    IdentityFile ~/.ssh/id_ed25519

---

6.3 Connect and open a specific folder

Command Palette:

Remote-SSH: Connect to Host
Remote-SSH: Open Folder

Example Windows path:

D:\projects\my_project

VS Code now runs fully remote on Windows.

---

Common Pitfalls and Fixes

SSH asks for password repeatedly

• Check authorized_keys permissions
• Ensure key is one single line
• Verify correct Windows username

VS Code code . doesn’t open over SSH

• SSH sessions are headless
• Use VS Code Remote SSH, not GUI commands

SSH doesn’t work after reboot

• You must log in once after boot
• Sleep/hibernate disables networking

---

Power and Boot Behavior (Important)

This setup works if:

• Windows is powered on
• You have logged in after boot
• Tailscale and sshd services are running

It does not work if the system is:

• Shut down
• Sleeping
• Stuck at login screen

Auto-login and Wake-on-LAN can be added later if needed.

---

Conclusion

With OpenSSH and Tailscale, it’s possible to build a secure, production-grade remote access setup without exposing ports or relying on third-party tunneling services.

This approach is stable, scalable, and ideal for:

• Remote development
• GPU workloads
• Cross-platform workflows

I plan to extend this setup further with stricter SSH policies and automated boot-time connectivity.

---