Tailscale SSH with servers

If you’re setting up servers on Tailscale, and want to use Tailscale SSH to access them, we recommend you use an auth key to provision the server, and an ACL tag to restrict its access.

Here’s how to set up a server in Tailscale SSH:

  1. Create a new ACL tag in your tailnet for the type of shared resource you are managing. For example, you can use the tag server for your servers, prod or test for your environments, and front-end for grouping other resources that you maintain.

    To create a tag, modify the tailnet policy file to specify the owner of the tag, which is the team or user who can use that tag. You can use an existing tag for all servers but we recommend setting up a new tag specifically for SSH server access.

    {
      "tagOwners": {
        "tag:server": ["alice@example.com"]
      }
    }
    
  2. Write ACL rules in the tailnet policy file which:

    • Allow the desired sources to reach the tagged resources
    • If you’re also setting up Tailscale SSH, allow the desired sources to reach the tagged resources using Tailscale SSH

    {
      "acls": [
        {
          "action": "accept",
          "src": ["group:sre"],
          "dst": ["tag:server:*"]
        }
      ],
      "ssh": [
        {
          "action": "accept",
          "src": ["group:sre"],
          "dst": ["tag:server"],
          "users": ["ubuntu", "root"]
        }
      ]
    }
    
  3. Generate an authentication key to automatically connect servers to your network. Select the tag or tags you wish to use for your servers as part of this auth key.

    • If you’re authenticating more than one server, use a reusable auth key. Or, for long-lived auth keys, set up an OAuth client with the devices scope.
    • If you’re authenticating ephemeral workloads like containers or functions, use an ephemeral key.
    • If your tailnet has device approval enabled, and you only intend to use that to approve end-user devices, use a pre-authorized auth key.

    Currently, if your client node is provisioned with an authentication key, you cannot use check mode when establishing a Tailscale SSH connection using the node as a source.
  4. When you provision a new server, install and connect to Tailscale manually or as part of your automation tooling. Make sure to specify the auth key including the tags you want, and to enable Tailscale SSH.

    tailscale up --authkey=$TS_AUTHKEY --ssh
    

    If you want to specify a particular machine name for your server to use with MagicDNS, then also specify --hostname:

    tailscale up --authkey=$TS_AUTHKEY --ssh --hostname=$TS_HOSTNAME
    

    If the auth key was not generated with tags, then also specify --advertise-tags:

    tailscale up --authkey=$TS_AUTHKEY --advertise-tags=<tags> --ssh
    
  5. SSH to your servers over Tailscale using Tailscale SSH, or from the admin console using Tailscale SSH Console. For instructions, see Tailscale SSH and Tailscale SSH Console.
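As an added example (not part of Tailscale's documentation or tooling), a small Python linter for the policy file built in steps 1 and 2: it checks that every tag named in an ssh rule has a tagOwners entry, that a network ACL also lets the rule's sources reach that tag on port 22, and flags root access granted without check mode. The policy below is constructed, and source matching is literal (no group expansion), an assumption made for brevity.

```python
import json

# Constructed policy: the page's tagOwners/acls/ssh example plus a second,
# deliberately inconsistent ssh rule (plain JSON so json.loads accepts it).
POLICY = json.loads("""
{
  "tagOwners": {"tag:server": ["alice@example.com"]},
  "acls": [{"action": "accept", "src": ["group:sre"], "dst": ["tag:server:*"]}],
  "ssh": [
    {"action": "accept", "src": ["group:sre"], "dst": ["tag:server"], "users": ["ubuntu", "root"]},
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:web"], "users": ["ubuntu"]}
  ]
}
""")

def port_allows_ssh(port_spec):
    """True if an ACL dst port spec ("*", "22", "20-30", "22,443") covers port 22."""
    if port_spec == "*":
        return True
    for part in port_spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= 22 <= int(hi or lo):
            return True
    return False

def acl_reaches_ssh(acl, srcs, tag):
    """Does this network ACL let every entry of srcs reach tag on port 22?
    Tailscale SSH still needs such a rule; srcs are compared literally (assumption)."""
    if acl.get("action") != "accept":
        return False
    if "*" not in acl["src"] and not set(srcs) <= set(acl["src"]):
        return False
    for d in acl["dst"]:
        host, _, port = d.rpartition(":")  # "tag:server:*" -> ("tag:server", "*")
        if port and host in (tag, "*") and port_allows_ssh(port):
            return True
    return False

def lint_ssh_rules(policy):
    """Return findings a reviewer would want to see before applying the policy."""
    findings = []
    owners = policy.get("tagOwners", {})
    for i, rule in enumerate(policy.get("ssh", [])):
        for dst in rule["dst"]:
            if dst.startswith("tag:") and dst not in owners:
                findings.append(f"ssh[{i}]: {dst} has no tagOwners entry")
            if not any(acl_reaches_ssh(a, rule["src"], dst) for a in policy.get("acls", [])):
                findings.append(f"ssh[{i}]: no ACL lets {rule['src']} reach {dst} on port 22")
        if "root" in rule.get("users", []) and rule.get("action") != "check":
            findings.append(f"ssh[{i}]: root allowed without check mode")
    return findings
```

Run lint_ssh_rules(POLICY) against your own policy after converting HuJSON comments and trailing commas to plain JSON.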
