SSH into a Linux VM
This topic describes how to establish an SSH session to a Linux VM on your Tailscale network (known as a tailnet).
Prerequisites
- You need a Tailscale account
- You need a Linux VM. The following topics provide details for setting up a Linux VM using common cloud providers:
- You need Tailscale installed on your Linux VM
- You need Tailscale installed on your local machine
Configure Tailscale SSH
- Start by accessing your VM to install Tailscale. This will most likely be the cloud-provided SSH mechanism and may require you to temporarily open up port 22 on that VM to your corporate network or the internet.
- In a terminal window on the VM, run the tailscale up command to advertise SSH for that VM:
    tailscale up --ssh
- Open the Access Controls page of the Tailscale admin console and add the following lines to your tailnet policy file to allow network connectivity to the VM:
    "acls": [
      {
        "action": "accept",
        "src": ["your tailscale username"],
        "dst": ["your vm’s tailscale ip address:22"]
      }
    ],
  You can find your VM’s Tailscale IP address on the Machines page of the admin console, and you can find your Tailscale username on the Users page. You don’t need to replace existing Access Control List (ACL) rules if you have any, just add this new rule. Here’s an example:
    "acls": [
      {
        "action": "accept",
        "src": ["john.doe@domain.com"],
        "dst": ["100.64.65.66:22"]
      }
    ],
- In the same Edit ACLs tab, add the following rules to the SSH section of your tailnet policy file to allow SSH access to the VM:
    "ssh": [
      {
        "action": "accept",
        "src": ["your tailscale username"],
        "dst": ["autogroup:self"],
        "users": ["root", "autogroup:nonroot", "<your-local-username>"]
      }
    ],
- If you have a local username (such as local-user) defined on the VM, you should add it to the users array in the ssh section. You don’t need to replace existing SSH ACL rules if you have any, just add this new rule. Here’s an example:
    "ssh": [
      {
        "action": "accept",
        "src": ["john.doe@example.com"],
        "dst": ["autogroup:self"],
        "users": ["root", "autogroup:nonroot", "local-user"]
      }
    ],
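The steps above add two separate rules, one for network connectivity to port 22 and one for SSH access, and a login needs both. The following Python sketch is an added example, not Tailscale's code or its policy evaluator: it models only the rule forms shown on this page so you can check who a policy lets in before saving it. The function names, the constructed POLICY value, and the simplified handling of autogroup:self and autogroup:nonroot are assumptions.

```python
# Added example: a simplified model of the two policy sections on this page.
# Not Tailscale's evaluator; it only understands the rule forms shown here.

# Constructed policy reusing the page's example values.
POLICY = {
    "acls": [
        {"action": "accept", "src": ["john.doe@example.com"],
         "dst": ["100.64.65.66:22"]},
    ],
    "ssh": [
        {"action": "accept", "src": ["john.doe@example.com"],
         "dst": ["autogroup:self"],
         "users": ["root", "autogroup:nonroot", "local-user"]},
    ],
}

def network_allowed(policy, src_user, dst_ip, port=22):
    """True if an 'acls' rule accepts src_user -> dst_ip:port."""
    target = f"{dst_ip}:{port}"
    return any(
        r.get("action") == "accept"
        and src_user in r.get("src", [])
        and target in r.get("dst", [])
        for r in policy.get("acls", [])
    )

def login_allowed(rule, login):
    """Match a login name against the rule's 'users' array."""
    users = rule.get("users", [])
    # Assumption: autogroup:nonroot covers every login name except root.
    return login in users or (login != "root" and "autogroup:nonroot" in users)

def ssh_allowed(policy, src_user, dst_owner, login):
    """True if an 'ssh' rule accepts src_user logging in as `login`.
    Assumption: autogroup:self is modelled as 'device owned by src_user'."""
    return any(
        r.get("action") == "accept"
        and src_user in r.get("src", [])
        and "autogroup:self" in r.get("dst", [])
        and dst_owner == src_user
        and login_allowed(r, login)
        for r in policy.get("ssh", [])
    )

def can_ssh(policy, src_user, dst_ip, dst_owner, login):
    """Both sections must agree: port 22 reachable and an SSH rule matches."""
    return (network_allowed(policy, src_user, dst_ip)
            and ssh_allowed(policy, src_user, dst_owner, login))
```

With the rule from this page, the check shows that root is reachable as well as local-user; dropping "root" from the users array in your own rule removes that path.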
Use Tailscale SSH
- In a terminal window on your local machine, SSH to your VM:
    ssh <your-vm-ip-address>
- If you need to use your local account, reference it before the IP address (user@IP) when running the SSH command. You can also use the MagicDNS hostname of the machine. For example:
    ssh local-user@100.64.65.66
- If you haven’t already, you can close the SSH port on your cloud VM and re-run the Tailscale SSH command to verify it is working.
We strongly recommend that you do not keep the SSH port exposed for prolonged periods of time, especially to the internet. If you need to open this port for this test, make sure you close the port or delete your test VM after you are done testing.