# How to securely access resources via Tailscale

[Tailscale](https://tailscale.com/) is a tool for setting up private end-to-end encrypted networks that securely connect users to services and devices. It is pretty easy to set up, has a very generous free tier (up to 3 users and up to 100 devices), and has excellent cross-platform support (so you can connect devices running Windows, MacOS, Linux, iOS, or Android).

## How I use Tailscale

I mainly use tailscale to `ssh` into my homelab server and access (via browser) applications running on my homelab server. Tailscale does some heavy lifting [under the hood](https://tailscale.com/blog/how-tailscale-works) to make this process nearly frictionless.

Before tailscale, if I wanted to `ssh` into a machine on my home network (i.e. a homelab) while I was away from home, it was a [complex chore](#manual-ssh) that involved knowing my home network's public IP address, defending against dynamic IP reassignment (or procuring a static IP address from my ISP), and manually managing ssh hardening.
And if I wanted to use my phone to remotely access a service running on a machine on my home network, I'd have had to figure that out too (the utility-to-work ratio seemed so bad that I never entertained trying).

With tailscale, after a little setup, to `ssh` into a machine on my home network, I just have to:

1. enter the command `tailscale ssh homelab-name`, and
2. authenticate with tailscale via the returned URL,

and then I get a shell on my homelab.

To connect to a homelab service from my phone, it's even easier. If the homelab device's name (in tailscale) is `matt-lab` and the service is running on port `8080`, I can access the service via a browser on my phone by going to `matt-lab:8080`.

![accessing from a phone](imgs/accessing_a_homelab_service_from_my_phone.png){fig-align="center" width="50%"}




## Setting up Tailscale

```{python}
#| code-fold: true
#| code-summary: Showing tailscale node statuses

# !tailscale status
```

# Appendix {.appendix}

## Steps to remotely access a home machine via ssh {#manual-ssh}

1. (once per remote device) manually generate an ssh key-pair on the homelab and securely move the private key to the remote device,
2. (once per each homelab machine) manually harden the homelab's `ssh` defenses (e.g. use a non-standard port, configure Fail2Ban, disable password access, disable root access, etc),
3. know the public IP address my ISP assigned to my home network (ideally requesting static IP address so that my ISP wouldn't dynamically reassign my home's IP address),
4. (once per homelab machine) configure my home router to forward a port to the internal IP address of the device I wanted to connect to, and
5. (once per remote device) manually configure an `ssh`-connection profile (in `~/.ssh/config`) on the remote device that points to the right IP address, port number, identity file, etc, and
6. (every connection session) open a terminal and create the tunnel via `ssh <connection-profile-name>`.

## Steps to set up tailscale

1. (once per user) [create a tailscale account](https://login.tailscale.com/start),
2. (once per user) add the user to the ACL (Access Control List) config (specifying which machines the user should be able to access),
3. (once per device) install tailscale on the device (easy on Android, Linux, and Windows machines; a little complicated on MacOS machines) and log in to tailscale,
4. (once per device) add the device to the intended network,
5. (every connection session) open a terminal and create the tunnel via `tailscale ssh <tailscale-device-name>`
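Step 2 above is where the access actually gets scoped. The policy below is an added example, not the post's own config, showing what that ACL can look like for this setup; `matt@example.com` is a placeholder login and `tag:homelab` is an assumed tag applied to the homelab node.

```json
// Added example (not from the original post): a least-privilege Tailscale ACL
// policy (HuJSON, edited in the admin console) for the setup described above.
// Assumptions: matt@example.com is a placeholder login, tag:homelab is a tag
// applied to the homelab node.
{
  // Only admins may apply tag:homelab to a device.
  "tagOwners": {
    "tag:homelab": ["autogroup:admin"]
  },

  // Network rules. The default policy is
  //   {"action": "accept", "src": ["*"], "dst": ["*:*"]}
  // i.e. every node reaches every port on every other node. Instead grant
  // only the ports this post uses: ssh (22) and the web app (8080).
  "acls": [
    {
      "action": "accept",
      "src": ["matt@example.com"],
      "dst": ["tag:homelab:22,8080"]
    }
  ],

  // Tailscale SSH rules. "check" makes the client return a re-authentication
  // URL before the session is allowed (the login prompt the post mentions);
  // "accept" would skip that step. autogroup:nonroot blocks logging in as root.
  "ssh": [
    {
      "action": "check",
      "src": ["matt@example.com"],
      "dst": ["tag:homelab"],
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

Tailscale SSH also has to be enabled on the homelab node itself (`tailscale up --ssh`) before the `ssh` rules apply.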

To connect to a homelab service from my phone:

1. (once) install the tailscale app and log in,
2. (once per network) add the phone to the intended network, I can simply enter the host device's name in tail  access the resource using the 