←back to thread

SSH into private machines from anywhere using Cloudflare Tunnel

(orth.uk)
319 points SpaghettiX | 3 comments | 10 Feb 22 09:18 UTC | HN request time: 0.718s | source
Show context
mmettler ◴[10 Feb 22 11:26 UTC] No.30284777[source]
If you like this, you’re gonna love Tailscale https://tailscale.com/
replies(1): >>30285090 #
beckler ◴[10 Feb 22 12:13 UTC] No.30285090[source]
I love Tailscale, but it’s not really designed for public tunnels. You can do it, but you typically need to provision some kind of proxy with a static IP (most likely cloud based) to handle your public stuff.
replies(1): >>30285351 #
jatone ◴[10 Feb 22 12:54 UTC] No.30285351[source]
what do you mean by public channels? if I was trying to ssh into my machines it works wonderfully for dns resolution.
replies(3): >>30285701 #>>30290509 #>>30290724 #
password4321 ◴[10 Feb 22 13:31 UTC] No.30285701[source]
Cloudflare tunnels expose ports publicly.

Tailscale must be properly configured on your client machine to access machines/ports on their respective private Tailscale network(s), setup of which typically requires administrative intervention. Without bridging to a public network, services exposed to the Tailscale network are not accessible publicly.

Tailscale does offer user-mode clients so it can be used similarly to SSH by those allowed to connect (I don't know how difficult user-mode Tailscale is without admin setup on various operating systems).

replies(1): >>30288044 #
jatone ◴[10 Feb 22 16:00 UTC] No.30288044[source]
not sure where you're getting the idea you need admin intervention for tailscale. I've never needed to do anything beyond authenticate the machine with my account. tailscale has NAT traversal built into it.

If your network firewall is preventing the tunneling process, then that's on you. and if its not on you and its a company decision then its VERY unlikely they'd be okay with cloudflare's publicly exposed ports.

replies(2): >>30290687 #>>30291733 #
1. password4321 ◴[10 Feb 22 20:07 UTC] No.30291733[source]
I'm talking about the one-time initial setup of the Tailscale client software.

Can you download and run Tailscale on a Windows client without Administrative access to install the software (setup the virtual NIC)? An SSH client is just a user-space app.

replies(1): >>30294264 #
2. jatone ◴[10 Feb 22 23:23 UTC] No.30294264[source]
no but you also wouldn't want to allow that. just like you wouldn't want to expose a SSH socket to the world in most cases.
replies(1): >>30300715 #
3. password4321 ◴[11 Feb 22 12:40 UTC] No.30300715[source]
I have explained why I stated that 'setup of [Tailscale] typically requires administrative intervention'.

I appreciate that your approach is the more secure standard practice, yet want to make others aware of the edge cases here on a site called Hacker News rather than something like StackOverflow, where 'this is the way' reigns supreme.