If, like me, you have a VPS that serves some low traffic websites, you probably have SSH configured so you can perform admin tasks. Hopefully you disable password authentication and use public key authentication instead. That makes things more secure, but It's still annoying to see all the attempted connections in
auth.log and I'm always looking to make things as secure as possible. What if we could disable SSH access from the public Internet altogether?
I've been using the wonderful Tailscale so that I can connect to my home server while on the road. It's brilliant for this - no more exposing ports on my home router.
Tailscale use Wireguard at the core of their service. Wireguard is almost certainly more secure than SSH. Thomas H Ptacek is someone I trust on such matters and you can read what he has to say about Wireguard here.
Tailscale are also one of a few inspiring tech companies that seem to be doing everything right (I'll include fly.io and honeycomb.io here too). They're backed by a top team, include a useful free tier for personal use, and have a sensible business model that means teams will want to pay for their services.
Using and trusting Tailscale made me realise that I now have all the benefits of a secure VPN for all the computers I run, without having to do any complex configuration. How to make the most of this? It took me a while to find the documentation I was looking for. It's titled Use UFW to lock down an Ubuntu server. The advice is more generally useful than the title suggests, so I was inspired to write this blog post in case others were searching for something like: "Disable public ssh access on my server and use a Wireguard VPN".
If you follow the docs linked above you'll be up and running in a few minutes.
A couple of tips that might be useful:
- Tailscale's IP addresses stay the same so you can add a host to your
~/.ssh/configa bit like this for easy access:
Host my-server HostName 100.x.x.x # replace with device tailscale IP address User my-user IdentityFile ~/.ssh/my-key
2. The docs mention disabling key expiry on the server, so don't forget to do that.
3. What happens if Tailscale goes down and I'm locked out of my VPS?Most VPS providers have console access from a web ui in their admin area. So if things go wrong you can use that to regain access.
Wireguard and Jason Donenfield
While I'm here I'll give a shout out to Jason Donenfield who created Wireguard. Years ago I was looking for a photo hosting solution and tried out his Photo Float web app. I was impressed with the various things he'd created including cgit. He went quiet for a while and I thought he'd lost interested in computers. Then all of a sudden he pops up with Wireguard, which eventually made it into the Linux kernel. Wireguard has enabled a whole host of interesting possibilities for the Internet, including enabling companies like Tailscale. Some programmers are just on a another level, not only technically, but also in their approach to stewardship of open source and the community. Kudos to Jason.