Access Google Compute Engine VMs privately using Tailscale

Google Cloud provides Linux virtual machines, and Tailscale can be used to provide secure connectivity to them.


Before you begin this guide, you’ll need a Tailscale network set up and configured with at least one existing device. Read our getting started guide if you need help with this.

Step 1: Set up the Tailscale client for the VM

First, create a Virtual Machine in the GCE Console.

When creating the instance, click "Management, security, disks, networking, sole tenancy", select "Networking", and click the Network Interface. Because we’re going to enable subnet routing on this VM later, set IP Forwarding to On.

Enable IP Forwarding for the Network Interface

Once the VM has been created, ssh to the system and follow the steps to install Tailscale on Linux.

Step 2: Allow UDP port 41641

If at least one side of a tunnel has “easy NAT,” where Tailscale can determine the UDP port number on the far side of the NAT device, then it will make direct connections to minimize latency. We ensure that GCE nodes can make direct connections by allowing UDP port 41641 to ingress through the firewall.

In VPC Network > Firewall we add two rules:

  1. an ingress rule to allow for UDP port 41641 to all instances
  2. an ingress rule to allow ::/0 for UDP port 41641 to all instances

Allow ports 41641

Step 3: Advertise routes from the VM

For the benefit of the other nodes in the tailnet we’ll set up split DNS to allow use of the same DNS names as are used inside of GCE. The Google Compute Engine DNS server is, and supports hostnames of the form vm-name.gce-project-name.internal

We’ll have our VM advertise routes for both the subnet it sits on as well as the GCE DNS server. For example if the subnet address range is, the command would be:

tailscale up --advertise-routes=, --accept-dns=false

For GCE VMs it is generally best to let Google handle the DNS configuration, not have Tailscale override it, so we added --accept-dns=false.

Step 4: Add GCE DNS for your tailnet

In the admin console DNS section we add a nameserver restricted to the .internal domain, pointing to the GCE DNS server which we made available through our VM.

Adding a Split DNS resolver for .internal

Now the same hostnames which work between nodes running within GCE will also be available to all nodes on our tailnet.

Step 5: Remove public SSH access

As we can now ssh to the system over the private Tailscale network, there is no reason to leave the SSH port open on a public IP address. The default-allow-ssh rule can be deleted from VPC network > Firewall.

Disable public SSH port.
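
To confirm the firewall ends up in the state Steps 2 and 5 describe, the added example below (not part of the original guide) audits a rule list in the JSON shape printed by `gcloud compute firewall-rules list --format=json`. The sample rules are constructed, every rule name except default-allow-ssh is hypothetical, and treating 0.0.0.0/0 as the IPv4 "any address" range is an assumption of the example.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Rule names other than default-allow-ssh are hypothetical.
SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-tailscale-v4", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp", "ports": ["41641"]}]},
 {"name": "allow-tailscale-v6", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "udp", "ports": ["41641"]}]},
 {"name": "allow-internal", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]}
]""")

ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # assumption: "any address" for IPv4 and IPv6

def covers(entry, proto, port):
    """True if one `allowed` entry permits proto/port (no ports listed means all ports)."""
    if entry.get("IPProtocol") not in (proto, "all"):
        return False
    specs = entry.get("ports") or ["0-65535"]
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (s.partition("-") for s in specs))

def open_to_internet(rules, proto, port, sources=ANY_SOURCE):
    """Names of enabled ingress rules that admit proto/port from one of `sources`."""
    return sorted(
        r["name"] for r in rules
        if r.get("direction") == "INGRESS" and not r.get("disabled", False)
        and sources & set(r.get("sourceRanges", []))
        and any(covers(a, proto, port) for a in r.get("allowed", []))
    )

def audit(rules):
    """Findings: a Step 2 rule is missing, or SSH is still public (Step 5)."""
    findings = []
    for src in sorted(ANY_SOURCE):
        if not open_to_internet(rules, "udp", 41641, {src}):
            findings.append(f"udp/41641 not admitted from {src}")
    for name in open_to_internet(rules, "tcp", 22):
        findings.append(f"{name}: tcp/22 reachable from any address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES)) or "firewall matches the guide")
```

An empty result from `audit` means both UDP 41641 rules are present and no enabled ingress rule exposes TCP port 22 to every address.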

© 2022 Tailscale Inc.