# How to securely access resources via Tailscale

[Tailscale](https://tailscale.com/) is a tool for setting up private, end-to-end encrypted (WireGuard-based) networks that securely connect users to services and devices. It is pretty easy to set up, has a very generous free tier (up to 3 users and up to 100 devices), and has excellent cross-platform support (so you can connect devices running Windows, macOS, Linux, iOS, or Android).

## How I use Tailscale

I mainly use tailscale to `ssh` into my homelab server and to reach (via browser) applications running on it. Tailscale does some heavy lifting [under the hood](https://tailscale.com/blog/how-tailscale-works) to make this process nearly frictionless.

Before tailscale, if I wanted to `ssh` into a machine on my home network (i.e. a homelab) while I was away from home, it was a [complex chore](#manual-ssh): I had to know my home network's public IP address, cope with the ISP reassigning that address (or pay for a static one), open a port on the router, and harden an `sshd` that was now exposed to the whole internet.
And if I wanted to use my phone to remotely access a service running on a machine on my home network, I'd have had to figure that out too (the utility-to-work ratio seemed so bad that I never entertained trying).

With tailscale, after a little setup, to `ssh` into a machine on my home network I just:

1. run `tailscale ssh homelab-name`, and
2. authenticate with Tailscale via the URL it returns (the `check` action in the tailnet's SSH rules is what triggers this re-authentication prompt),

and then I have a shell on my homelab.

To connect to a homelab service from my phone, it's even easier. If the homelab device's name (in tailscale) is `matt-lab` and the service is running on port `8080`, I can access the service via a browser on my phone by going to `matt-lab:8080`. The bare hostname resolves because MagicDNS is enabled for the tailnet (it is on by default for new tailnets), and although the browser speaks plain HTTP, the traffic only ever travels inside the WireGuard tunnel between the two devices.

![accessing from a phone](imgs/accessing_a_homelab_service_from_my_phone.png){fig-align="center" width="50%"}

# Overview of steps to set up a Tailscale Tailnet

* [Create a tailscale account](https://login.tailscale.com/start).
    * Optional: [Invite](https://tailscale.com/kb/1017/install#invite-users) other users to your tailnet.
* Install the tailscale client on each device you want to connect in the network.
    * [Linux (Ubuntu/Debian) install instructions](#linux_install)
    * [macOS install instructions](#macos_install)
    * [Windows install instructions](#windows_install)
    * [Android install instructions](#android_install)
    * [iOS install instructions](#ios_install)
* Configure your tailnet's ACL (Access Control List) to control which devices each user can access.
    * define groups, specify which devices (or tags) each group should be able to access and on which ports, and add users to groups. Anything not explicitly allowed is denied.
* Enable Tailscale SSH on host machines (i.e. machines to be ssh'd into) with `tailscale up --ssh`.

## Tailscale Client Installation on an Ubuntu/Debian Linux Machine {.linux_install}

```console
curl -fsSL https://tailscale.com/install.sh | sh
```

I read through this shell script in depth [here](/posts/019_setup_tailscale_for_ssh/install_code_security_audit.html), but it does what you'd expect. It determines your machine's Linux distro, version, and package manager, checks whether that distro-version-package-manager combo is supported, then adds Tailscale's package repository (and its signing key) and has the package manager install the `tailscale` package from it. Piping an unread script from the internet into `sh` is still a habit worth avoiding: if you'd rather not, download it first with `curl -fsSL -o tailscale-install.sh https://tailscale.com/install.sh`, read it, and then run `sh tailscale-install.sh`.

## Tailscale Client Installation on a macOS Machine {.macos_install}

To be able to use Tailscale SSH from a macOS machine, you have to install the open source `tailscaled` variant per [these instructions](https://github.com/tailscale/tailscale/wiki/Tailscaled-on-macOS). It cannot run alongside the App Store or standalone GUI client, so quit and remove that first.

If Go isn't installed, [download](https://go.dev/dl/) and install it, and make sure the `go` binary is in a dir on the system's `PATH`.

Then, run these commands (the brace expansion on the first line needs bash or zsh, which is the macOS default):

```console
# Build both the CLI and the daemon from the main branch (use @latest for the newest tagged release)
go install tailscale.com/cmd/tailscale{,d}@main
# Register tailscaled as a launchd system daemon; needs root
sudo $HOME/go/bin/tailscaled install-system-daemon
# $HOME/go/bin is the default $(go env GOPATH)/bin; add it to PATH or call the binary by full path
$HOME/go/bin/tailscale up
```

## Tailscale Client Installation on a Windows Machine {.windows_install}

I don't have a current Windows device, but I remember it being pretty straightforward. The [official instructions](https://tailscale.com/kb/1022/install-windows) amount to downloading and running an installer, then logging in.

## Tailscale Client Installation on an Android Phone {.android_install}

1. Install the [android tailscale client](https://play.google.com/store/apps/details?id=com.tailscale.ipn) from the Play Store.
2. Launch the app.
    1. click **Get Started**.
    2. approve the prompt to set up a VPN connection.
3. Log in to your tailscale account.
4. Approve the device in the admin console (this step only appears if device approval is turned on for your tailnet; it is worth turning on, since it stops a stolen login from silently adding a device).

| ![First caption](imgs/android_install_1.png){width="100%"} | ![Second caption](imgs/android_install_2.png){width="100%"} |
|:--:|:--:|
| 2.1. **Get Started** | 2.2. Click **OK** to allow a VPN connection |

| ![First caption](imgs/android_install_3.png){width="100%"} | ![Second caption](imgs/android_install_4.png){width="100%"} |
|:--:|:--:|
| 3. **Log in** | 3. via the method used when signing up |

| ![First caption](imgs/android_install_5.png){width="100%"} | ![Second caption](imgs/android_install_6.png){width="100%"} |
|:--:|:--:|
| 4. **Connect** the device | 4. Open up the Admin console |

Then click **Approve** (not pictured, too much to redact).

## Tailscale Client Installation on an iPhone {.ios_install}

The steps should be mostly the same as on Android, except installing from the App Store rather than the Play Store. I don't have an iOS device, so I'll defer to the [official install instructions](https://tailscale.com/kb/1020/install-ios).

## Setting up ACLs

ToDo
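As an added example (not the author's policy and not copied from Tailscale's docs), here is a policy file in the shape the overview describes: groups, the devices each group may reach and on which ports, and an `ssh` stanza that governs hosts running `tailscale up --ssh`. The identities `matt@example.com` and `alice@example.com`, the tag `tag:homelab`, and the port `8080` are assumptions for illustration; replace them with your own.

```json
{
  "groups": {
    "group:admins": ["matt@example.com"],
    "group:family": ["alice@example.com"]
  },

  "tagOwners": {
    "tag:homelab": ["group:admins"]
  },

  "acls": [
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:homelab:*"]},
    {"action": "accept", "src": ["group:family"], "dst": ["tag:homelab:8080"]}
  ],

  "ssh": [
    {
      "action": "check",
      "src": ["group:admins"],
      "dst": ["tag:homelab"],
      "users": ["autogroup:nonroot", "root"]
    }
  ]
}
```

Paste this into the Access Controls page of the admin console, then tag the homelab with `tailscale up --ssh --advertise-tags=tag:homelab` (only a tag owner, here an admin, can apply the tag). Admins can then reach every port on the homelab and SSH to it as root or any non-root user, but the `check` action makes Tailscale demand a fresh browser login before the session is opened, which is the URL prompt in the `tailscale ssh` steps above (the default re-check interval is 12 hours, adjustable with `checkPeriod`). Family members can reach only port 8080 and have no SSH rule at all. Because the policy no longer contains the default "everyone to everything" rule, every other source/destination pair on the tailnet is denied.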


## Configure the ACL to 

Run this on each machine you want to be able to ssh into. It turns on Tailscale SSH on that host, so connections to port 22 arriving over the tailnet are answered by `tailscaled` and authenticated against the tailnet identity and the policy's `ssh` rules rather than against keys in `authorized_keys`; the regular `sshd` keeps handling non-tailnet traffic as before.

```console
tailscale up --ssh
```