© 2025 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.

Tailscale SSH: Remote Collaboration and Secure Working Together Across Networks

Securely use Tailscale SSH to connect to devices in remote working scenarios with a defense-in-depth approach to protect your connections.

SSH (Secure Shell) is a network protocol that permits secure access to remote systems. Administrators rely on SSH to obtain shell connections to servers, edge devices, and infrastructure components without having to manage bastion hosts, allowing them to continue their work seamlessly.

SSH uses cryptography to authenticate connections. Data exchanges are encrypted to prevent data exposure so third parties can’t intercept communications. However, this doesn’t mean that plain SSH is automatically safe to use as is within your environment. Real-world scenarios require robust access controls, auditing capabilities, and key rotations to integrate SSH into your existing business and security processes.

In this article, you’ll learn how to securely use SSH to connect to devices in remote working scenarios. Because this ultimately requires devices to communicate across separate physical networks, it’s imperative that you take a defense-in-depth approach to protect your connections.

Why Is SSH So Important?

SSH is a ubiquitous connection protocol that’s become the default way to establish shell sessions on remote devices. It’s a tool administrators instinctively reach for when remote access is required.

Unlike predecessors such as Telnet, SSH is specifically designed to facilitate secure connections. It achieves this through the inclusion of built-in authentication and encryption capabilities. Several different cryptographic methods are supported, including RSA, DSA, and ECDSA.

SSH can do more than just initiate remote shell sessions. It also supports file transfers, typically initiated using scp, and port forwarding. The latter allows you to locally access network applications running on remote hosts. Additionally, you can SSH into any device without bastion hosts, which helps limit public exposure and avoids the delays that manual SSH key management introduces.

What is Tailscale SSH?

Tailscale SSH is a secure and automated SSH key management solution designed to simplify and enhance secure connections to devices without the need for bastion hosts. By eliminating the complexities of manual SSH management, Tailscale SSH significantly reduces the risk of security breaches.

This video explains what Tailscale SSH is, ACL tags, the web console, and more.

It avoids public exposure of your SSH servers, minimizing potential attack vectors. With Tailscale SSH, you stay secure by default: SSH keys are not reused, and access is clearly defined and controlled. This automated approach not only streamlines your workflow but also fortifies your security posture.

Securing SSH Access for Remote Workforces

Remote work brings unique operational challenges. Historically, servers were usually on the same physical network as an administrator's workstation. Now, they're often on a completely different network that's hundreds or thousands of miles away—either in a public cloud such as AWS or Azure or in your own private data center with users connecting from home.

Standard SSH implementations, of which OpenSSH is the most popular for Linux systems, can still support this scenario—after all, SSH is specifically designed to facilitate secure remote access.

But for a simpler user experience as well as further enhanced security, your remote teams can benefit from alternative solutions that are fully integrated with your private network layers.

Using Tailscale to Secure SSH Access

Tailscale is a mesh-capable business VPN provider that connects your devices into a private network using the WireGuard protocol. The service has integrated SSH support that allows you to access the devices within your network, eliminating the need for bastion hosts and the public exposure they bring, and reducing latency.

Tailscale replaces your existing SSH server, removing the need to run OpenSSH on the machines you’ll be connecting to. Your devices can be directly accessed on your Tailscale tailnet without having to expose them to the internet. This simplifies connections and enables powerful Tailscale-managed functionality such as access control lists and key rotation, which we’ll explore below.

Tailscale is quick and easy to deploy. It supports Windows, macOS, Linux, iOS, and Android, as well as integrations with major cloud providers and container orchestrators. Once you’ve set it up and enabled SSH, remote workers on any platform can seamlessly access the devices and endpoints that are part of your Tailscale network (tailnet).

Here’s how Tailscale supports simple and secure SSH for remote workers.

Access Control Lists

Managing SSH access is hard: you need to fiddle with Unix user accounts and key exchanges to set up new users and grant them access to your hosts. Similarly, you must remember to deauthorize users if they leave your organization or no longer require access.

Tailscale SSH removes all this complexity. You can centrally manage SSH access policies using Tailscale access control lists, which precisely identify the users with SSH access into a particular host. You can modify policies on the fly without manually reconfiguring any of your devices.

To remove a user's access, you need only clear their ACL rules or suspend their Tailscale account. This eliminates the risk of users silently retaining access long after they should have been deprovisioned.

Use Your Existing Identity Provider with Multi-Factor Authentication

Tailscale uses your existing identity provider for authentication. This means that all the constraints you've enabled on the authentication platform, such as mandatory 2FA, need to be met before users can access your network. Tailscale natively supports Apple, Google, GitHub, Microsoft, Okta, and OneLogin logins, and this list can be extended with custom OIDC integrations.

Furthermore, Tailscale lets you require reauthentication before SSH access is granted to a user. You can enable this capability using an option in your SSH ACLs. It can be mandated for every SSH invocation or after a specified time period elapses.

Reauthentication lets you assert that users were still allowed access to the target device at the point they initiated a connection. Even if an attacker gains access to your Tailscale network, they'll be prevented from gaining SSH access to your devices without first reauthenticating with your identity provider.

Automated SSH Key Management

Using Tailscale for SSH ends the clunky process of managing and distributing SSH keys. Unlike regular SSH workflows—which require administrator intervention whenever a new device or user must be onboarded—Tailscale automatically sets up encrypted access between the devices in your network. You can forget about running ssh-keygen and copying id_rsa.pub files around.

Tailscale also supports regular rotation of keys that secure your private network. Even if attackers manage to acquire a valid key pair, they will lose access to your devices when a rotation occurs.

Tailscale automatically generates new keys for any new devices on your tailnet, and distributes the new key to your other network devices.

End-to-End Encryption with WireGuard

Tailscale encrypts all network communications using the industry-leading WireGuard protocol. It's open source, modern, and custom-built to secure private VPNs.

As Tailscale SSH traffic passes through your Tailscale network, it's end-to-end encrypted with WireGuard in addition to the standard encryption applied by the SSH protocol. This provides an extra layer of protection and tamper resistance.

Access Servers Without Public SSH Server Exposure

Using Tailscale for remote access means you don't have to publicly expose an SSH server on your devices. This reduces your attack surface and prevents you from becoming the subject of speculative port scanning attacks.

Instead of installing OpenSSH, exposing it on a public port, generating key pairs, and distributing them to clients, you can simply install Tailscale on each of your devices and run the ssh command to connect to other machines in your tailnet.

Use Session Recording to Capture Audit Data

SSH connections are convenient, but they can pose compliance headaches. It's difficult to obtain oversight of who's connected to each host and which commands they've run.

Tailscale includes built-in SSH session recording that allows you to capture all terminal input and output. You can enforce session recording using a flag in your ACL policies.

Recordings are an invaluable source of audit data. You could use your recordings to support security investigations or simply review the past actions that remote workers have applied to a host. Recordings are stored in asciinema format so you can inspect their text, replay them in your terminal, and convert them to videos.
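The ACL, reauthentication, and session-recording controls described above all live in the tailnet policy file. As an added example (not Tailscale's own tooling), the following Python linter reads a constructed policy and flags SSH rules on sensitive hosts that skip reauthentication, grant root, or leave recording unenforced. It assumes the `ssh`, `checkPeriod`, `recorder`, and `enforceRecorder` policy keys; the `group:` and `tag:` names are made up for illustration.

```python
"""Lint the "ssh" rules of a Tailscale policy file for the controls this
article describes.  Added example, not Tailscale's own code.  Assumes the
policy keys action, src, dst, users, checkPeriod, recorder, enforceRecorder."""
import json

# Constructed sample policy (plain JSON so the stdlib parser accepts it).
# Rule 0 is hardened; rule 1 deliberately shows the weak settings.
SAMPLE_POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["group:devops"],
     "dst": ["tag:prod:22", "tag:staging:22"]}
  ],
  "ssh": [
    {"action": "check", "src": ["group:devops"], "dst": ["tag:prod"],
     "users": ["autogroup:nonroot"], "checkPeriod": "12h",
     "recorder": ["tag:recorder"], "enforceRecorder": true},
    {"action": "accept", "src": ["group:devops"], "dst": ["tag:staging"],
     "users": ["root"], "recorder": ["tag:recorder"]}
  ]
}
""")

# Hypothetical set of tags whose hosts must get the strict treatment.
SENSITIVE_TAGS = {"tag:prod", "tag:staging"}


def lint_ssh_rules(policy: dict, sensitive: set[str]) -> list[str]:
    """Return one human-readable finding per weak setting found."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        targets = sensitive.intersection(rule.get("dst", []))
        if not targets:
            continue  # rule does not reach a sensitive host
        where = f"ssh[{i}] -> {', '.join(sorted(targets))}"
        # "check" forces reauthentication with the identity provider;
        # checkPeriod (default 12h, or "always") controls how often.
        if rule.get("action") != "check":
            findings.append(f"{where}: action should be 'check' to require reauthentication")
        if "root" in rule.get("users", []):
            findings.append(f"{where}: grants root; prefer autogroup:nonroot")
        # A recorder without enforceRecorder lets sessions proceed unrecorded
        # if the recorder node is unreachable.
        if rule.get("recorder") and not rule.get("enforceRecorder"):
            findings.append(f"{where}: recorder set but enforceRecorder is not true")
        elif not rule.get("recorder"):
            findings.append(f"{where}: no session recorder configured")
    return findings


if __name__ == "__main__":
    for line in lint_ssh_rules(SAMPLE_POLICY, SENSITIVE_TAGS):
        print(line)
```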

SSH Everywhere

Although SSH is ubiquitous on desktop devices, it's less accessible on mobile operating systems. These platforms lack built-in SSH clients, and it's often cumbersome to import keys into third-party clients.

Tailscale SSH works on all your devices, regardless of operating system. Once you're connected to your Tailscale network, you can SSH into the remote hosts you've been granted access to—without having to manually copy private keys or learn the target host's IP address.

This flexibility lets remote workers securely bring their own devices, even if they prefer a different platform. It also accommodates workflows where individuals sometimes require field access from their mobile devices. Tailscale offers the same combination of convenience and security everywhere you work.

How Tailscale SSH Works

Tailscale SSH automates the entire process of managing SSH keys, removing the need for manual key rotation and reducing latency with direct point-to-point connections. It seamlessly integrates with your existing identity provider, allowing you to keep your existing identity and authentication mechanisms intact. This integration supports multi-factor authentication, adding an extra layer of security to your SSH connections. By leveraging your current identity provider, Tailscale SSH enforces all authentication constraints, such as mandatory 2FA, providing robust security without additional complexity.

Use Cases for Tailscale SSH

Tailscale SSH is ideal for individuals and teams who need to manage access to multiple devices and servers without relying on bastion hosts.

It’s particularly useful for:

  • Developers: Access multiple servers and devices for testing and deployment with ease.
  • IT Teams: Manage access to servers and devices for maintenance and troubleshooting efficiently.
  • Organizations: Provide secure access to sensitive data and systems, maintaining high security standards.

By addressing these diverse needs, Tailscale SSH provides a versatile solution that enhances security and simplifies access management across various scenarios.

Pricing and Plans

Tailscale offers a flexible pricing plan that caters to teams of all sizes, at every stage of their networking journey or VPN migration.

View pricing plans at this page.

Tailscale: Secure SSH Access for Remote Workers

SSH is venerable, but it's no longer sufficient to support modern remote working on its own. Yes, SSH supports key rotation, private certificates, and hardware keys, but in practice, organizations rarely use these features because they add operational overheads.

Even when SSH is correctly hardened for security, its lack of centralization means it's relatively difficult to administer. You don't have easy oversight of who can access which device, nor is there a straightforward way to manage key distribution.

Tailscale SSH addresses these problems by providing an SSH experience that allows remote workers to securely connect between devices with zero configuration. Simultaneously, Tailscale SSH enhances security by letting administrators use central ACLs to control access, manage key rotations, and enforce reauthentication before connections to sensitive endpoints are allowed. It achieves this within a private, end-to-end encrypted network that's opaque to the outside world.

Try it out today by downloading Tailscale for free and configuring the SSH feature.
