DEV Community

Time AI Solutions

Secure Access: SSH & Tailscale Guide

This comprehensive guide will walk you through setting up SSH and Tailscale on your Ubuntu server, enabling secure remote access without complex router configurations.

Why This Setup?

  • SSH: Secure Shell protocol for remote server access
  • Tailscale: Zero-config VPN that creates a secure network between your devices
  • No Router Config: Bypass port forwarding and firewall complexities

Prerequisites

Before starting, ensure you have:

  • Ubuntu 20.04 or newer installed
  • Sudo privileges on the server
  • Active internet connection
  • Basic terminal knowledge

Method 1: Manual Step-by-Step Setup

Step 1: Update System Packages

First, update your system to ensure all packages are current:

sudo apt update && sudo apt upgrade -y

What this does: Downloads package information and upgrades installed packages to their latest versions.

Step 2: Install OpenSSH Server

Install the SSH server package:

sudo apt install openssh-server -y

What this does: Installs the OpenSSH server which allows remote connections to your machine.

Step 3: Start and Enable SSH Service

Start SSH now and enable it to start automatically on boot:

sudo systemctl start ssh
sudo systemctl enable ssh

Verify SSH is running:

sudo systemctl status ssh

Expected output: The status should show "active (running)". If it shows "active (dead)" instead, follow the steps below.

Step 4: Configure Firewall for SSH

Allow SSH through UFW firewall:

sudo ufw allow ssh
sudo ufw reload
sudo ufw status

What this does: Opens port 22 for SSH connections and reloads firewall rules.

Step 5: Configure SSH for Password Authentication

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find and modify these lines:

PasswordAuthentication yes
PermitRootLogin no

Save the file (Ctrl+X, then Y, then Enter) and restart SSH:

sudo systemctl restart ssh

Security note: This configuration disables root login and uses password authentication for simplicity. For production, consider SSH keys.

Step 6: Find Your Local IP Address

Get your machine's local IP:

hostname -I

Save this IP: You'll use it to connect from devices on the same network.

Step 7: Install Tailscale

Note: On newly installed Ubuntu systems, curl may not be preinstalled. If you encounter a "command not found" error, install curl first:

sudo apt-get update
sudo apt-get install curl -y

Download and install Tailscale:

curl -fsSL https://tailscale.com/install.sh | sh

What this does: Downloads and runs Tailscale's official installation script.

Step 8: Enable Tailscale Service

Start the Tailscale daemon:

sudo systemctl enable --now tailscaled

Step 9: Connect to Tailscale Network

Bring Tailscale up and authenticate:

sudo tailscale up

Follow the authentication link: The command will display a URL. Open it in a browser to log in with your Tailscale account.

Step 10: Get Your Tailscale IP

Once authenticated, get your Tailscale IP:

tailscale ip -4

Save this IP: This is your permanent IP for accessing this server from anywhere.


Method 2: Automated Script Setup

For quick deployment, use this automated bash script that handles everything:

#!/bin/bash

# =====================================
# Ubuntu SSH + Tailscale Setup Script
# Password Authentication Only
# Sudo password cached for session
# =====================================

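# Replace this with your sudo password.
# The password is stored here in plaintext: keep the script readable only by
# your own user (chmod 700) and blank this value or delete the script after setup.
SUDOPASS="server1"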

# Function to run sudo commands non-interactively
run_sudo() {
  echo "$SUDOPASS" | sudo -S "$@"
}

# Keep sudo alive for the whole script
# (-S makes sudo read the password from stdin instead of the terminal)
echo "$SUDOPASS" | sudo -S -v

# Refresh sudo timestamp in background
while true; do sudo -v; sleep 60; done 2>/dev/null &
SUDOPID=$!

echo "=== Updating system ==="
run_sudo apt update && run_sudo apt upgrade -y

echo "=== Installing OpenSSH Server ==="
run_sudo apt install openssh-server -y

echo "=== Starting and enabling SSH service ==="
run_sudo systemctl start ssh
run_sudo systemctl enable ssh

echo "=== Checking SSH status ==="
run_sudo systemctl status ssh --no-pager

echo "=== Allowing SSH through UFW firewall ==="
run_sudo ufw allow ssh
run_sudo ufw reload
run_sudo ufw status

echo "=== Ensuring password authentication is enabled ==="
# -E enables extended regex so that "#?" matches an optional leading "#"
run_sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
run_sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
run_sudo systemctl restart ssh

echo "=== Your Ubuntu machine local IP ==="
hostname -I

# -------------------------------
# Tailscale installation (recommended)
# -------------------------------
echo "=== Installing curl (required for Tailscale installation) ==="
run_sudo apt-get update
run_sudo apt-get install curl -y

echo "=== Installing Tailscale ==="
curl -fsSL https://tailscale.com/install.sh | sh

echo "=== Enabling and starting Tailscale daemon ==="
run_sudo systemctl enable --now tailscaled

echo "=== Bring Tailscale up (login URL will appear) ==="
run_sudo tailscale up

echo "=== Your Tailscale IP for remote SSH ==="
tailscale ip -4

# Kill the sudo keep-alive background process
kill "$SUDOPID"

echo "=== SSH + Tailscale setup complete ==="
echo "Connect via LAN: ssh your_username@<local-ip>"
echo "Connect remotely via Tailscale: ssh your_username@<tailscale-ip>"

How to Use the Script

  1. Save the script: Copy the script above and save it as setup-ssh-tailscale.sh

  2. Make it executable:

   chmod +x setup-ssh-tailscale.sh

  3. Edit your sudo password: Open the script and replace server1 with your actual sudo password

  4. Run the script:

   ./setup-ssh-tailscale.sh

  5. Follow Tailscale authentication: When prompted, open the authentication URL in your browser

Connecting to Your Server

Local Network Connection

From any device on the same network:

ssh your_username@<local-ip>

Example:

ssh john@192.168.1.100

Remote Connection via Tailscale

From any device with Tailscale installed:

ssh your_username@<tailscale-ip>

Example:

ssh john@100.101.102.103

Troubleshooting

SSH Connection Refused

Problem: ssh: connect to host X.X.X.X port 22: Connection refused

Solutions:

  1. Check if SSH service is running:
   sudo systemctl status ssh
  2. Verify firewall allows SSH:
   sudo ufw status
  3. Check SSH is listening on port 22:
   sudo ss -tlnp | grep :22

Tailscale Not Connecting

Problem: Unable to reach server via Tailscale IP

Solutions:

  1. Verify Tailscale is running:
   sudo systemctl status tailscaled
  2. Check if authenticated:
   tailscale status
  3. Re-authenticate if needed:
   sudo tailscale up

Permission Denied (publickey)

Problem: Authentication fails when connecting

Solutions:

  1. Ensure password authentication is enabled in /etc/ssh/sshd_config

  2. Restart SSH after config changes:

   sudo systemctl restart ssh

  3. Verify your username is correct
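
A diagnostic for this case and for the edit made in Step 5, added here as an example (not part of the original guide): Ubuntu's default sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and sshd uses the first value it obtains for each keyword, so a drop-in file can override the PasswordAuthentication line in the main file. The function below compares the effective configuration printed by sshd -T with the intended values; the function name and the sample output are constructed.

```shell
#!/bin/bash
# Added example: compare sshd's effective settings with the intended ones.
# Input: `sshd -T` output on stdin (sshd prints keywords in lowercase).
# Args:  keyword=value pairs to expect, e.g. permitrootlogin=no
# Returns the number of mismatches (0 means everything matches).
check_sshd_effective() {
  local dump want key expected actual mismatches=0
  dump=$(cat)
  for want in "$@"; do
    key=$(printf '%s' "${want%%=*}" | tr '[:upper:]' '[:lower:]')
    expected=${want#*=}
    # Take the first line whose keyword matches.
    actual=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH $key: expected '$expected', effective '${actual:-<unset>}'"
      mismatches=$((mismatches + 1))
    fi
  done
  return "$mismatches"
}

# Constructed sample of `sshd -T` output in which a drop-in file has
# overridden the PasswordAuthentication value set in /etc/ssh/sshd_config.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Demonstration on the constructed sample (prints one MISMATCH line).
printf '%s\n' "$SAMPLE_OVERRIDDEN" |
  check_sshd_effective PasswordAuthentication=yes PermitRootLogin=no || true

# On a real server:
#   sudo sshd -T | check_sshd_effective passwordauthentication=yes permitrootlogin=no
```

If a mismatch is reported, look for the overriding keyword in the files under /etc/ssh/sshd_config.d/ before editing the main file again.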

Security Best Practices

  1. Use SSH Keys: For production environments, disable password authentication and use SSH key pairs

  2. Change Default SSH Port: Consider changing from port 22 to reduce automated attacks

  3. Enable Fail2Ban: Install Fail2Ban to automatically block repeated failed login attempts

  4. Regular Updates: Keep your system updated with security patches

  5. Monitor Logs: Regularly check /var/log/auth.log for suspicious activity
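
Item 5 as an added example (not from the original guide): with password authentication enabled, the entries worth reviewing in /var/log/auth.log are repeated "Failed password" messages from one address, especially when an "Accepted password" from the same address follows. The function name and the log lines are constructed, and the parser assumes the standard OpenSSH message format.

```shell
#!/bin/bash
# Added example: summarize SSH password failures per source address.
# Reads auth.log-style text on stdin; $1 = minimum failures to report (default 3).
# REVIEW marks an address that reached the threshold and also logged in.
summarize_auth_log() {
  awk -v min="${1:-3}" '
    # The user name is supplied by the client, so read the address from the
    # fixed tail of the message: ... from <addr> port <n> ssh2
    function src() {
      return ($(NF-4) == "from" && $(NF-2) == "port") ? $(NF-3) : ""
    }
    /sshd\[[0-9]+\]: Failed password for /   { if ((ip = src()) != "") fails[ip]++ }
    /sshd\[[0-9]+\]: Accepted password for / { if ((ip = src()) != "") ok[ip]++ }
    END {
      for (ip in fails)
        if (fails[ip] >= min)
          printf "%s failed=%d accepted=%d%s\n", ip, fails[ip], ok[ip],
                 (ok[ip] > 0 ? " REVIEW" : "")
    }' | sort
}

# Constructed sample log lines (documentation address ranges, made-up users).
# The last line carries a user name that itself contains "from ... port ...".
SAMPLE_AUTH_LOG='Jan 10 03:12:01 server1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:12:03 server1 sshd[1234]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 10 03:12:06 server1 sshd[1236]: Failed password for john from 203.0.113.7 port 51246 ssh2
Jan 10 03:12:09 server1 sshd[1238]: Accepted password for john from 203.0.113.7 port 51250 ssh2
Jan 10 08:30:00 server1 sshd[2001]: Failed password for john from 192.168.1.50 port 40112 ssh2
Jan 10 08:30:07 server1 sshd[2001]: Accepted password for john from 192.168.1.50 port 40112 ssh2
Jan 10 09:00:00 server1 sshd[2100]: Failed password for invalid user a from 10.9.9.9 port 1 from 198.51.100.9 port 51300 ssh2'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | summarize_auth_log 3

# On a real server:
#   sudo cat /var/log/auth.log | summarize_auth_log 5
```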


Next Steps

Now that SSH and Tailscale are configured:


Conclusion

You now have a secure, accessible Ubuntu server with SSH and Tailscale configured. Access your server from anywhere without complex networking setup!

Questions or issues? Feel free to reach out or check our troubleshooting section above.

Top comments (1)

Aayush Adhikari

helpful