Setting up Tailscale VPN
This is optional. You only need to consider this section if you run a node at home and would like to connect to it from outside of your home network.
Tailscale requires the use of an SSO identity provider; make sure you are aware of, and comfortable with, the additional risks this introduces before proceeding. For details, visit their SSO Page ↗.
If you would like to log into your home network remotely, such as while on vacation or on a business trip, the most common route is to use a Virtual Private Network server. This will allow you to connect to your node via SSH and view your monitoring dashboards from anywhere in the world, all without exposing your SSH port to the internet.
Many node operators use Tailscale ↗ as their VPN server of choice for this. Tailscale is an open-source P2P VPN tunnel and hosted endpoint discovery service. It takes care of authentication, publication, and the NAT traversal required to establish an end-to-end encrypted path between your machine and your node without sending any sensitive traffic to a centralized server. It is a very powerful tool.
It is recommended that you enable 2FA (Two Factor Authentication) on whichever identity provider you choose for added security.
Next, follow their onboarding guide ↗ to install Tailscale on your client - the machine you want to connect to your network with. For example, this could be a laptop or your phone. Note that it is not your validator node!
Tailscale dashboard showing the client machine.
Now, install Tailscale on your node. First, add Tailscale's package signing key and apt repository (these URLs are for Ubuntu 20.04, whose codename is "focal"):
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
Then install the package:
sudo apt-get update
sudo apt-get install tailscale
Finally, authenticate and connect your machine to your Tailscale network on your node:
sudo tailscale up
You’re connected! You can find your Tailscale IPv4 address by running:
tailscale ip -4
Tailscale dashboard showing the client and node machines.
You should now be able to run exit in the SSH session to your node on your client, and SSH into your node again through Tailscale using:
ssh <user>@<node-name> -p <ssh-port>
The following steps will modify your firewall rules. You must have at least 2 SSH sessions open to your node machine before proceeding - one for modifying the configuration and testing it afterward, and one that will stay logged in as a backup in case your changes break SSH so you can revert them!
Run these commands on the node machine.
Allow all incoming connections (including SSH) that arrive over the Tailscale interface, tailscale0:
sudo ufw allow in on tailscale0
You may also remove the rule that allows the SSH port, so that Tailscale becomes the only way to log in and your node is completely locked down. Note that you will then no longer be able to log in from the local network. Only run the following command if you are okay with this (substitute your own SSH port if it is not 22):
sudo ufw delete allow "22/tcp"
Once you’ve set up firewall rules to restrict all non-Tailscale connections, restart UFW and SSH:
sudo ufw reload
sudo service ssh restart
Now, confirm that everything is working as expected.
Run exit in one of your current SSH sessions (but remember to keep the second one open as a backup). Next, connect to the node machine via SSH using the Tailscale IP address or hostname:
ssh <user>@<node-name> -p <ssh-port>
If it works, you did everything right and can now safely log into your home network while abroad!
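The firewall change and the verification above are the steps where a mistake locks you out, so here are the checks a careful operator runs before deleting the LAN-facing SSH rule and after reconnecting. This is an added example written for this guide, not a script from the guide or from Tailscale. It assumes UFW and OpenSSH as set up above, the standard line layout of `sudo ufw status`, the SSH_CONNECTION variable that sshd sets in every session ("client_ip client_port server_ip server_port"), and the fact that Tailscale assigns node addresses from 100.64.0.0/10. The `who` and `ufw status` listings it is tested against are constructed samples.

```shell
#!/bin/sh
# Pre-flight and post-lockdown checks for the Tailscale-only SSH setup described
# above. Added example, not from the original guide. It assumes UFW, OpenSSH and
# the tailscale CLI exactly as installed above; the SSH port defaults to 22.

SSH_PORT="${SSH_PORT:-22}"

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10
# (second octet 64..127). Return 0 if $1 is a dotted-quad in that range.
is_tailscale_ip() {
  case "$1" in
    100.*) ;;
    *) return 1 ;;
  esac
  second=$(printf '%s' "$1" | cut -d. -f2)
  case "$second" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$second" -ge 64 ] && [ "$second" -le 127 ]
}

# Return 0 when the SSH session arrived over Tailscale. sshd sets
# SSH_CONNECTION to "client_ip client_port server_ip server_port";
# a different string may be passed as $1 (used by the checks below).
session_via_tailscale() {
  client_ip=$(printf '%s' "${1:-$SSH_CONNECTION}" | cut -d' ' -f1)
  is_tailscale_ip "$client_ip"
}

# Read `ufw status` output on stdin. Return 0 if the SSH port is still
# allowed from Anywhere, i.e. the LAN/internet SSH rule has NOT been deleted.
ssh_open_to_anywhere() {
  grep -Eq "^${SSH_PORT}/tcp( \(v6\))? +(ALLOW|LIMIT)( IN)? +Anywhere"
}

# Read `ufw status` output on stdin. Return 0 if inbound traffic on
# tailscale0 is allowed (the rule added by `ufw allow in on tailscale0`).
tailscale_iface_allowed() {
  grep -Eq "^Anywhere( \(v6\))? on tailscale0 +ALLOW( IN)? +Anywhere"
}

# Read `who` output on stdin; count logins that carry a remote address.
# The guide asks for at least two before touching the firewall.
count_remote_sessions() {
  grep -c '('
}

# Combine the checks on a `who` listing, a `ufw status` listing and an
# SSH_CONNECTION string. Prints a verdict and returns 0 only when it is safe
# to delete the LAN-facing SSH rule: a backup session exists, the Tailscale
# interface is already allowed, and this session itself came in over Tailscale.
safe_to_remove_lan_ssh() {
  who_out="$1"; ufw_out="$2"; conn="$3"
  sessions=$(printf '%s\n' "$who_out" | count_remote_sessions || true)
  [ "$sessions" -ge 2 ] || { echo "need a second (backup) SSH session"; return 1; }
  printf '%s\n' "$ufw_out" | tailscale_iface_allowed \
    || { echo "tailscale0 is not allowed in ufw yet"; return 1; }
  session_via_tailscale "$conn" \
    || { echo "this session did not come in via Tailscale"; return 1; }
  echo "ok: safe to run 'sudo ufw delete allow ${SSH_PORT}/tcp'"
}

# Live run on the node (skipped by default so the functions can be sourced):
#   RUN_LIVE=1 sh tailscale-check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  safe_to_remove_lan_ssh "$(who)" "$(sudo ufw status)" "$SSH_CONNECTION"
fi
```

Run it from the session you reached over Tailscale with RUN_LIVE=1; the third check is the one that matters, because a session that arrived via the LAN address will keep working right up until the rule is deleted. After the lockdown, `sudo ufw status | ssh_open_to_anywhere` returning non-zero confirms that the only remaining path to SSH is the tailscale0 rule.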
If you've previously port-forwarded your node's SSH port in your router, you can now remove it.