I have for many years paid to have a fixed IP number at home. The main reason was to allow me to access servers and have the remote access restricted to the home IP number. This was just one of many layers of the security of the server and the SSH setup, but no more.

I’ve been playing with (Tailscale)[https://tailscale.com/] which essentially provide an overlay network and allows you to have a secure private network across the public internet. Tailscale has a free plan perfectly suitable for my uses and clients for just about any machine, so getting all machines attached to a private network through Tailscale is surprising easy.

I’ve installed Tailscale on my server(s) and the laptop(s) I work on, and attached them to my tailscale account. This creates a new network device on the servers, which is the interface to the private network.

Open access from within the Tailscale network

On Ubuntu servers I use UFW as firewall. With tailscale installed and running, I’ve opened up for access to the server from the Tailscale VPN network like:

ufw allow in on tailscale0

It could be more restricted only allowing connections on SSH, but as I trust Tailscale and the VPN, then all access from the VPN is fine. Once this is in place, then the public netwokrk interface on the server (facing the intenret), can be locked down and only allow for services intended for public consumption (which often only is ports 80 and 443).

Access to the server requires you’re connected to Tailscale VPN.

Emergency Entry

Tailscale also has another cool feature - Tailscale SSH. To enable it you need to start the tailscale client on the server using the command:

tailscale up --ssh

Once you’ve done that, you can - for emergencies or backup - access the server through SSh by logging in through the Tailscale Admin console and launching a browser-based SSH from there.