Tagged nodes no longer need key renewal, which means it's easier than ever to manage servers

Maisem Ali on

Node keys on devices you add to your Tailscale network expire periodically, which forces users to reauthenticate and confirms that the devices are still meant to be on your network.

In Tailscale, ACL tags provide a way to assign an identity to a device, which replaces the prior user authentication on that device. So, node key expiry might be surprising behavior for tagged devices, such as servers, which do not have a user associated with them.

Starting today, tagged devices will have key expiry disabled by default.

What’s changing?

You can also enable or disable key expiry on a device via the admin console and via API.

Setting up a server on Tailscale, the easy way

If you’re managing your servers on Tailscale, this is now even easier, thanks to several features we’ve launched in the past few months:

  1. Create a new ACL tag in your tailnet, and write an ACL to give the tag the permissions you want.
    • If you’re provisioning a subnet router or exit node, make the tag an auto approver.
  2. Generate an auth key for authenticating your server. Since you’re authenticating a shared device, use a tagged key.
    • If you’re authenticating more than one server, use a reusable auth key.
    • If you’re authenticating ephemeral workloads like containers or functions, use an ephemeral key.
    • If your tailnet has device authorization enabled, and you only intend to use that for end-user devices, use a pre-authorized auth key.
  3. Authenticate the server using the auth key you created, via CLI.

The server will automatically be added to your tailnet (with the device and routes approved, if applicable), with the right permissions, and without requiring you to re-authenticate it to keep it connected. Easy to set up and easy to maintain.
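The three steps above, sketched as a tailnet policy file fragment. This is an added example, not configuration from the original post; the tag name `tag:server`, the group `group:ops`, the user address, the ports, and the `10.0.0.0/24` route are constructed placeholders.

```json
{
  // Constructed group of operators who may reach the servers.
  "groups": {
    "group:ops": ["alice@example.com"],
  },

  // Step 1: define the tag and who is allowed to assign it.
  // Only these owners can create auth keys that carry tag:server.
  "tagOwners": {
    "tag:server": ["autogroup:admin"],
  },

  // Step 1: give the tag only the permissions you want.
  // Here, group:ops may reach tagged servers on SSH and HTTPS, nothing else.
  "acls": [
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:server:22,443"]},
  ],

  // Step 1 (subnet router or exit node only): make the tag an auto approver,
  // so routes advertised by a tag:server node need no manual approval.
  "autoApprovers": {
    "routes": {
      "10.0.0.0/24": ["tag:server"],
    },
    "exitNode": ["tag:server"],
  },

  // Step 2: in the admin console, generate an auth key tagged tag:server
  // (reusable, ephemeral, or pre-authorized as the list above describes).
  //
  // Step 3: on the server, authenticate with that key via the CLI:
  //   tailscale up --authkey=<TAGGED_AUTH_KEY> --advertise-routes=10.0.0.0/24
  // <TAGGED_AUTH_KEY> is a placeholder; drop --advertise-routes if the
  // server is not a subnet router.
}
```

Because nodes carrying the tag no longer have their keys expire, keep `tagOwners` narrow and scope the ACL to the ports the servers actually need.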

Happy automation!
