Replacing SSH over Cloudflare with Tailscale


I wrote SSH into your private machines from anywhere, for free, using Cloudflare Tunnel in April which led to a lot of discussion on Hacker News. A lot of people started mentioning alternatives (Tailscale, ZeroTier and issues with Cloudflare).

If you like this, you’re gonna love Tailscale https://tailscale.com/ - mmettler

Tailscale has a beta product, Tailscale SSH with 2 significant differences:

  • Easier setup: Tailscale SSH is easy to configure (I don’t really need to write the setup steps).
  • Less security: Cloudflare Tunnel didn’t replace authentication, but Tailscale SSH does. This means Tailscale could SSH (and access files) into my machine if they wanted to, but Cloudflare can’t. With Cloudflare, I still had to authenticate with my private key.

Steps 🛼

  • Install tailscale on client machine (e.g. macOS) and login
  • Install tailscale on SSH server (e.g. raspberry pi)
  • On SSH server, set up Tailscale to use SSH: sudo tailscale up --ssh
  • Get the IP address of the SSH server machine from client machine or Tailscale website
  • SSH into the machine:
    • ssh username@$IP_ADDRESS
    • If you have Cloudflare WARP: You need to disable it, because that prevented me connecting to my local machines using Tailscale - even though I could still use e.g. ssh [email protected] -i ~/.ssh/raspberrypi though.
  • Optional: shorten SSH command into ssh pi
    • On Tailscale’s DNS admin page,
      • select a global nameserver and
      • enable MagicDNS

DNS admin page

  • To SSH into your machine using fewer keystrokes, e.g. ssh pi, go into Tailscale’s Machines admin page, and “edit machine name”. Disable “auto-generate from OS hostname” and set the machine name.

Machines admin page

Benefits 🤙

  • No machine passwords or SSH keys needed. Everything is replaced by your Tailscale account or SSO. I can move between laptops by just installing and logging into Tailscale.
  • No SSH configuration needed (e.g. ~/.ssh/config and /etc/ssh/sshd_config)
  • The configuration is so easy, that we can save time and avoid frustration at work. I work at a company with quite a few test devices, and each new person or test device would mean more configuration/setup time. We can:
    • see a list of available test devices on the Tailscale website,
    • setup developer machines to access these devices using SSO, and
    • setup new test devices with 2 commands (install and launch Tailscale).
    • We would do all of that whilst avoiding the poor experience with using VPNs and password managers.

Conclusion 🏁

Overall, I think I’m going to stick to Tailscale instead of Cloudflare Tunnel for accessing machines on my home network when away.

Question: what would you do? 😇