Docs / Guides

Access Hetzner Servers privately using Tailscale

Hetzner provides Linux virtual machines from several datacenters in Europe. We can use Tailscale to securely access these servers.

Prerequisites

Before you begin this guide, you’ll need a Tailscale network set up and configured with at least one existing device. Read our getting started guide if you need help with this.

Step 1: Set up the Tailscale client for the VM

First, create a Virtual Machine in the Hetzner Cloud Console.

ssh to the system and install the Tailscale client:

# curl -fsSL https://tailscale.com/install.sh | sh
# tailscale up

In the next step we’ll remove ssh access from the public IP address, so:

  1. Find the tailscale IP address using tailscale ip
  2. exit from the ssh session to the public IP address
  3. make a new SSH session to the Tailscale IP address

Step 2: Allow UDP port 41641

If at least one side of a tunnel has “easy NAT,” where Tailscale can determine the UDP port number on the far side of the NAT device, then it will make direct connections to minimize latency. We ensure that Hetzner nodes can make direct connections by allowing UDP port 41641 to ingress through the firewall.

In the Firewall tab of the Hetzner Cloud Console click the Create Firewall button. Delete the SSH and ICMP rules and add a rule allowing UDP port 41641.

Firewall rule for UDP port 41641

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms