Friday, July 1, 2022

Tailscale ate my network (and I love it)

No matter where you go, there you are

If you're like me, you travel occasionally. Access to your office from home, or from an airport lounge, or from a hotel room is paramount to being productive for most of us now. While I had a fairly simple Tailscale setup that got me into my test machines in the office, what I really wanted was to integrate my AWS production VPC into that system. It's surprisingly simple.

Tailscale AWS instructions

What do you want to do that for?

In the "before Tailscale" times, if I needed to test against the production AWS resources or connect DBeaver for database maintenance, I would edit the security group to add my IP address, do my testing, then edit the security group again to remove myself. This is as error-prone as it sounds. I quite often forgot to remove my IP address from the allowed addresses, a major potential security risk when you are travelling.
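The forgotten-/32 problem above is easy to catch mechanically. The following is an added example (not code from the post): it audits a security group for single-host ingress rules that sit outside a set of trusted ranges. The input dictionary follows the shape boto3's describe_security_groups returns, but the group shown is constructed, its id is a placeholder, and the trusted ranges are assumptions.

```python
"""Flag ad hoc single-host (/32 or /128) ingress rules in a security group.

Added example, not part of the original post. SAMPLE_SG is constructed to
look like one entry of boto3's ec2.describe_security_groups()["SecurityGroups"].
"""
import ipaddress

# Constructed sample: one VPC-internal range plus two /32s someone forgot
# to clean up after a debugging session on the road.
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "vpc"},
                      {"CidrIp": "203.0.113.7/32", "Description": "me, hotel"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.9/32", "Description": "laptop"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def _cidrs(perm):
    """Yield every CIDR string in a permission entry, v4 and v6 alike."""
    for rng in perm.get("IpRanges", []):
        yield rng["CidrIp"]
    for rng in perm.get("Ipv6Ranges", []):
        yield rng["CidrIpv6"]


def find_adhoc_rules(sg, trusted_cidrs):
    """Return rules that admit exactly one host from outside trusted_cidrs.

    Broad ranges (e.g. 0.0.0.0/0 on 443) are a separate concern and are
    deliberately not reported here; single hosts inside a trusted range
    (say, a bastion within the VPC) are also left alone.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        for cidr in _cidrs(perm):
            net = ipaddress.ip_network(cidr)
            if net.prefixlen != net.max_prefixlen:
                continue  # not a single host
            if any(t.version == net.version and net.subnet_of(t) for t in trusted):
                continue  # single host, but inside a range we expect
            findings.append({
                "cidr": cidr,
                "protocol": perm.get("IpProtocol"),
                # FromPort/ToPort are absent when IpProtocol is "-1" (all traffic)
                "from_port": perm.get("FromPort", "all"),
                "to_port": perm.get("ToPort", "all"),
            })
    return findings


def revoke_request(sg, finding):
    """Build the kwargs for ec2.revoke_security_group_ingress for one finding.

    Not executed here; shown so the remediation matches the detection exactly.
    """
    perm = {"IpProtocol": finding["protocol"]}
    if finding["from_port"] != "all":
        perm["FromPort"] = finding["from_port"]
        perm["ToPort"] = finding["to_port"]
    if ":" in finding["cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["cidr"]}]
    return {"GroupId": sg["GroupId"], "IpPermissions": [perm]}


if __name__ == "__main__":
    for f in find_adhoc_rules(SAMPLE_SG, ["10.0.0.0/16"]):
        print(f"{SAMPLE_SG['GroupId']}: {f['cidr']} on "
              f"{f['protocol']}/{f['from_port']}-{f['to_port']}")
```

Run against live data by swapping SAMPLE_SG for each group returned by describe_security_groups; once a subnet router is in place, the trusted list shrinks to the VPC CIDR and the Tailscale range, and any /32 that shows up is a leftover to remove.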

Tailscale has an extremely nifty way around this: if you spin up a small EC2 instance inside the VPC and run it as a "subnet router", then whenever you are connected to Tailscale you can also reach AWS resources as though you were inside the VPC.

Not only that, you can add your VPC's default DNS server to the list of name servers in Tailscale. By telling the Tailscale network that name resolution for "amazonaws.com" should go through the DNS server inside your VPC, the external resource name automatically resolves to the internal VPC address whenever you are connected to Tailscale.

So what

So I didn't have to change a single configuration anywhere for (say) a local Docker container that used to reach AuroraDB over the public internet: it now goes over the private Tailscale network while still using the external hostnames. It's fantastic, much more secure, and I don't have to fiddle with security groups whenever I am debugging something. On Linux machines, make sure you run tailscale with the "--accept-routes" option, as the Linux client does not accept advertised subnet routes by default.
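Two things have to be true for the setup above to work on a client: the advertised VPC route must actually be installed (the "--accept-routes" caveat), and the hostname must resolve to a private VPC address rather than the public one. The following is an added example, not from the post, that checks both from the client side. It parses "ip route show table 52" output, which is the routing table the Linux Tailscale client uses for the routes it installs (an assumption from my own machines, not something the post states); the route listings and the resolved addresses are constructed samples, and the VPC CIDR is a placeholder.

```python
"""Client-side check that a VPC endpoint is reached privately via Tailscale.

Added example, not part of the original post. Assumes the Linux client
installs accepted subnet routes into routing table 52 (`ip route show table 52`).
"""
import ipaddress

# Constructed sample: what table 52 looks like once --accept-routes is on and
# a subnet router advertises 10.0.0.0/16 (placeholder VPC CIDR).
ROUTES_ACCEPTED = """\
10.0.0.0/16 dev tailscale0
100.64.0.0/10 dev tailscale0
100.101.102.103 dev tailscale0
"""
# Constructed sample: same client without --accept-routes; the VPC line is absent.
ROUTES_NOT_ACCEPTED = "100.64.0.0/10 dev tailscale0\n"


def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs.

    Handles bare host entries ("100.101.102.103 dev ...") and "default".
    Extra keywords such as "scope link" or "proto kernel" are ignored.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def route_for(routes, ip):
    """Longest-prefix match, as the kernel would do it."""
    ip = ipaddress.ip_address(ip)
    matches = [(n, d) for n, d in routes if n.version == ip.version and ip in n]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def check_private_path(resolved_ip, vpc_cidr, route_text, dev="tailscale0"):
    """Return a list of problems; an empty list means the private path is in use."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    ip = ipaddress.ip_address(resolved_ip)
    if ip not in vpc:
        # Public DNS answered, so the VPC resolver is not being used for this name.
        problems.append("resolved address is outside the VPC CIDR (split DNS not in effect?)")
    match = route_for(parse_routes(route_text), ip)
    if match is None or match[1] != dev:
        # No Tailscale route covers the address, so traffic would leave via the default route.
        problems.append(f"no route to {ip} via {dev} (--accept-routes missing?)")
    return problems


if __name__ == "__main__":
    # Live use on a Linux client: resolve the endpoint and read table 52.
    import socket
    import subprocess
    import sys

    host, cidr = sys.argv[1], sys.argv[2]  # e.g. mydb.cluster-xxx.rds.amazonaws.com 10.0.0.0/16
    table = subprocess.run(["ip", "route", "show", "table", "52"],
                           capture_output=True, text=True, check=True).stdout
    issues = check_private_path(socket.gethostbyname(host), cidr, table)
    print("ok" if not issues else "\n".join(issues))
```

The two failure messages map onto the two halves of the setup: the first means the DNS part (VPC resolver for the amazonaws.com suffix) is not in effect, the second means the routing part (subnet router plus "--accept-routes") is not.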

Tailscale is now my entire network

It didn't happen overnight, but it did happen. I have no open ports on my office router (other than HTTP), the security groups on AWS are now much more restricted, all of the important DNS happens via Tailscale, and I install the client by default on everything now without giving it a second thought. I don't think I really "got it" at first, thinking Tailscale was simply a zero-conf VPN. Really it's something much bigger and more comprehensive than that: a security solution that encompasses everything from remote work to cloud access.

from Hacker News https://ift.tt/tLECwdc
