
How to Secure SSH with Tailscale on a Linux VPS

Your Linux VPS is probably one of your most exposed assets. It’s constantly scanned, probed, and targeted by bots running brute force attacks on port 22. In this guide, I’ll show you how to restrict SSH on your Linux VPS so it’s only accessible via Tailscale — keeping port 22 closed to the public internet.


🧰 What You’ll Need

  • A Linux VPS running Ubuntu, Debian, or AlmaLinux/Rocky
  • Tailscale installed on your VPS
  • SSH access to your VPS
  • Another device with Tailscale to test the connection

⚙️ Step 1: Install Tailscale on Your VPS

Ubuntu/Debian

curl -fsSL https://tailscale.com/install.sh | sh

AlmaLinux/Rocky

curl -fsSL https://tailscale.com/install.sh | sh

Start Tailscale

tailscale up

Log in with your Tailscale account when prompted. Once connected, your VPS has a Tailscale IP address (typically in the 100.64.0.0/10 range).


⚙️ Step 2: Enable Auto-Start and Updates

Enable SystemD Service

systemctl enable --now tailscaled

Schedule Daily Updates

# Create a daily cron job
echo "0 3 * * * root /usr/bin/tailscale update --yes" | tee /etc/cron.d/tailscale-update

This runs tailscale update --yes daily at 3 AM to keep your installation current.


⚙️ Step 3: Configure the Firewall

Now the key step — restrict SSH so it only accepts connections from Tailscale. Run these commands from a session that is already connected over Tailscale (or from your provider's console), so the new rules cannot lock you out of the public-IP session you are typing in.

Using UFW (Ubuntu/Debian)

# Allow SSH from Tailscale only (UFW evaluates rules in order, so this
# allow rule must come before the deny rule below)
ufw allow from 100.64.0.0/10 to any port 22 proto tcp

# Deny SSH from anywhere else
ufw deny 22

# Enable UFW if not already, then confirm the rule order
ufw enable
ufw status numbered

Using firewalld (AlmaLinux/Rocky)

# Put Tailscale addresses in their own zone that allows SSH
firewall-cmd --permanent --new-zone=tailscale
firewall-cmd --permanent --zone=tailscale --add-source=100.64.0.0/10
firewall-cmd --permanent --zone=tailscale --add-service=ssh

# Remove SSH from the public zone (the default zone on AlmaLinux/Rocky)
# so nobody else can reach port 22
firewall-cmd --permanent --zone=public --remove-service=ssh

# Reload to apply, then confirm which zones are active
firewall-cmd --reload
firewall-cmd --get-active-zones

Using iptables (Alternative)

# Allow SSH from Tailscale only
# (-A appends; an existing "accept port 22 from anywhere" rule earlier
# in the INPUT chain would still win, so check `iptables -S INPUT` first)
iptables -A INPUT -s 100.64.0.0/10 -p tcp --dport 22 -j ACCEPT

# Drop all other SSH connections
iptables -A INPUT -p tcp --dport 22 -j DROP

# Save rules (Ubuntu; requires the iptables-persistent package so they
# survive a reboot). If sshd also listens on IPv6, add matching ip6tables rules.
iptables-save > /etc/iptables/rules.v4

⚙️ Step 4: Test the Lockdown

  1. Disconnect Tailscale from your test device
  2. Try to SSH to your VPS’s public IP — it should fail or time out
  3. Connect Tailscale on your test device
  4. SSH to your VPS’s Tailscale IP — it should succeed

Your VPS’s Tailscale IP is shown in the Tailscale admin panel (usually something like 100.x.x.x); you can also print it on the VPS with tailscale ip -4.
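Two things quietly undo a lockdown like this: iptables rules landing in the wrong order (a leftover "allow 22 from anywhere" above the new rules), and SSH sessions that are still arriving from non-Tailscale addresses. The helper below, an added example that is not part of the original guide, checks both. It assumes the Tailscale range 100.64.0.0/10 used in Step 3 and the plain-text formats of `iptables -S INPUT` and `ss -Htn`; the command output it runs against at the bottom is constructed so the script works offline.

```shell
#!/bin/sh
# Added audit helpers (not part of the original guide). They check the two
# things that silently break a Tailscale-only SSH lockdown: iptables rules
# in the wrong order, and SSH sessions that still arrive from non-Tailscale
# addresses. The sample command output at the bottom is constructed.

# Return 0 if IP is inside 100.64.0.0/10 (first octet 100, second 64-127),
# the range Tailscale assigns to nodes; return 1 for anything else.
in_tailscale_range() {
    ip=$1
    case "$ip" in *.*.*.*) ;; *) return 1 ;; esac
    o1=${ip%%.*}
    rest=${ip#*.}
    o2=${rest%%.*}
    [ "$o1" = 100 ] || return 1
    case "$o2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# Read `iptables -S INPUT` on stdin. Return 0 only if the ACCEPT for tcp/22
# from 100.64.0.0/10 comes before a DROP/REJECT for tcp/22, and no blanket
# ACCEPT for tcp/22 precedes it. Because `iptables -A` appends, a leftover
# "allow 22 from anywhere" rule higher in the chain makes the guide's two
# rules dead code; that is the case this check catches.
ssh_rule_order_ok() {
    saw_allow=0
    while IFS= read -r line; do
        case "$line" in *"--dport 22 "*) ;; *) continue ;; esac
        case "$line" in
            *"-s 100.64.0.0/10 "*"-j ACCEPT"*) saw_allow=1 ;;
            *"-j ACCEPT"*) return 1 ;;              # blanket accept: lockdown bypassed
            *"-j DROP"*|*"-j REJECT"*)
                [ "$saw_allow" -eq 1 ] && return 0
                return 1 ;;                          # drop precedes allow: locked out
        esac
    done
    return 1                                         # no drop rule at all
}

# Read `ss -Htn state established '( sport = :22 )'` on stdin and print each
# SSH peer address that is not a Tailscale address. Return 1 if any exist.
foreign_ssh_peers() {
    found=0
    while read -r _recvq _sendq _local peer _rest; do
        [ -n "$peer" ] || continue
        addr=${peer%:*}                              # strip the peer port
        if ! in_tailscale_range "$addr"; then
            printf '%s\n' "$addr"
            found=1
        fi
    done
    return "$found"
}

# --- Constructed sample output for an offline demo ------------------------
SAMPLE_IPTABLES_OK='-P INPUT ACCEPT
-A INPUT -s 100.64.0.0/10 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

SAMPLE_IPTABLES_BAD='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 100.64.0.0/10 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

SAMPLE_SS='0 0 203.0.113.10:22 100.101.102.103:51234
0 0 203.0.113.10:22 198.51.100.7:40022'

# On the VPS, feed live output instead of the samples, e.g.:
#   iptables -S INPUT | ssh_rule_order_ok && echo "rule order OK"
#   ss -Htn state established '( sport = :22 )' | foreign_ssh_peers
printf '%s\n' "$SAMPLE_IPTABLES_OK"  | ssh_rule_order_ok && echo "sample 1: rule order OK"
printf '%s\n' "$SAMPLE_IPTABLES_BAD" | ssh_rule_order_ok || echo "sample 2: blanket ACCEPT bypasses the lockdown"
echo "non-Tailscale SSH peers in sample:"
printf '%s\n' "$SAMPLE_SS" | foreign_ssh_peers || echo "-> lockdown has a hole"
```

Run it on the VPS after Step 3 and again after each reboot or firewall change: a non-zero exit from either check means the public side of port 22 is still reachable, regardless of what the Step 4 connection test from a single device happened to show.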


🔐 Why This Matters

  • No exposed ports: Port 22 is never open to the internet
  • Zero Trust: Only devices authenticated in your tailnet can SSH
  • No brute force attacks: Attackers can’t even reach your SSH port
  • Still accessible: You can SSH from anywhere via Tailscale

✅ Wrap Up

Your VPS SSH is now locked down to Tailscale only. This is a huge security improvement — your SSH service is invisible to the internet, but still accessible from your devices.

For more security hardening, consider:

  • Disabling root login
  • Using key-based authentication only
  • Changing the default SSH port

If this guide helped you secure your VPS, consider buying me a coffee:

👉 https://ko-fi.com/alwynsoh

Every tip helps me keep testing, writing, and sharing guides like this. Appreciate the support!

