Access Google Compute Engine VMs privately using Tailscale
Google Cloud provides Linux virtual machines, to which Tailscale can be used to provide secure connectivity.
Before you begin this guide, you’ll need a Tailscale network set up and configured with at least one existing device. Read our getting started guide if you need help with this.
Step 1: Set up the Tailscale client for the VM
When creating the instance click on “Management, security, disks, networking, sole tenancy”, select Networking, and click on the Network Interface. Because we’re later going to enable subnet routing on this VM, we want to turn IP Forwarding to On.
Once the VM has been created, ssh to the system and follow the steps to install Tailscale on Linux.
Step 2: Allow UDP port 41641
If at least one side of a tunnel has “easy NAT,” where Tailscale can determine the UDP port number on the far side of the NAT device, then it will make direct connections to minimize latency. We ensure that GCE nodes can make direct connections by allowing UDP port 41641 to ingress through the firewall.
In VPC Network > Firewall we add two rules:
- an ingress rule to allow 0.0.0.0/0 for UDP port 41641 to all instances
- an ingress rule to allow ::/0 for UDP port 41641 to all instances
Step 3: Advertise routes from the VM
For the benefit of the other nodes in the tailnet we’ll set up Split DNS to allow use of the same DNS names as are used inside of GCE. The Google Compute Engine DNS server is 169.254.169.254, and supports hostnames of the form vm-name.gce-project-name.internal
We’ll have our VM advertise routes for both the subnet it sits on as well as the GCE DNS server. For example if the subnet address range is 10.182.0.0/24, the command would be:
tailscale up --advertise-routes=10.182.0.0/24,169.254.169.254/32 --accept-dns=false
Step 4: Add GCE DNS for your tailnet
In the admin console DNS section we add a nameserver
restricted to the
.internal domain, pointing to the GCE DNS server which we
made available through our VM.
Now the same hostnames which work between nodes running within GCE will also be available to all nodes on our tailnet.
Step 5: Remove public SSH access
As we can now ssh to the system over the private Tailscale network, there is no reason to leave
the SSH port open on a public IP address. The
default-allow-ssh rule can be deleted from
VPC network > Firewall.