Ever since I’ve tried Tailscale for my homelab, it had some pitfalls that eventually made me migrate to another solution and file them a bug report, but I’ve been absolutely in love with their SSH feature.
— EXPLANATION IF YOU’RE NOT FAMILIAR, SKIP IF YOU WANT —
You just boot up the VPN client and connect in whatever OS you want, use regular old OpenSSH, PuTTY or any SSH client and launch a shell on a node that has it enabled, and a session just… opens. No password, just the authentication needed to connect to the VPN with an identity provider is enough. No extra CLI tools, no “tailscale ssh alice@bob” or “something ssh alice@bob”… just plain “ssh alice@bob”. And if you correctly configure ACLs (as you should) to lower permissiveness and restrict access, it can even ask you to follow a link and authenticate again with your IdP to confirm it’s really you, with any 2FA the IdP might offer, and that’s it. All of it with any SSH client, no modifications needed.
— END OF EXPLANATION —
I’ve since migrated to Netbird, as it allows for self hosting, using your own IdP (which I do), uses kernel mode WG instead of Userland WG… And they do in fact offer SSH with managed keys like Tailscale, but you need to use their CLI tool (netbird ssh) and it doesn’t support any ACLs or similar feature regarding SSH, it’s just either on or off, for everyone, at the same time.
Do you know about any tool that would do the same as Tailscale does, with no additional client-side software needed as well? And yes, I’ve checked out Smallstep, and they require additional software on the client, so that is ruled out.
Thank you to everyone!
edit: improved clarity. Writing this at 00:00 might not have been the best idea
Disclaimer: I’m not a Tailscale user myself, but I just read the documentation of their SSH implementation. So please feel free to correct me if I’m wrong somewhere.
Basic scenario (no re-authentication):
This should be pretty easy to replicate. According to the documentation what Tailscale does is set the SSH authentication type to none, but only for connections to the Tailscale interface. So you could either bind an sshd instance to your Tailscale interface with none-auth enabled or configure sshd to whitelist only certain IPs for none-auth. I guess here, they assume that IP spoofing is not possible with Tailscale. Which it probably isn’t with regular WireGuard as well, as long as you set AllowedIPs correctly? And well, IP spoofing is very tricky to pull off for TCP in general, anyways.
Complex scenario (with re-authentication):
This is where it gets a bit more tricky. From some brief googling I haven’t found a straightforward solution (although things like Guacamole still exist, but I’m not sure whether this would fulfill your “no additional software on the client” requirement). But basically what you want is SSH with SSO (plus, again, binding to the Tailscale interface and/or an IP whitelist, but that’s trivial). There are several threads that discuss this (for example here and here), as well as this blog post by smallstep (which, for the solution presented there, at first glance doesn’t seem to require any additional software). Probably the easiest thing would be to use some PAM module that integrates with your IdP (see for example here, but there might also be others)?
Although not really a complete answer, I hope this helps somewhat and I hope you’ll come up with something!
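As an added illustration of the “bind none-auth to the VPN range” idea in the reply above (example code written for this thread, not Tailscale’s or the poster’s), here is a small Python audit that parses an sshd_config and flags passwordless directives (`PermitEmptyPasswords yes`, `AuthenticationMethods none`) that are not confined to a `Match Address` block inside the VPN CIDR, plus a check that sshd listens only on VPN addresses. The sample config is constructed; it assumes the VPN hands out addresses in 100.64.0.0/10 (the CGNAT range Tailscale uses) and that the node’s VPN address is 100.101.102.103.

```python
"""Check that passwordless sshd settings stay confined to the VPN range.

Added example for this thread; the config below is constructed, not taken
from any real host. It assumes the VPN hands out addresses in
100.64.0.0/10 (the CGNAT range Tailscale uses) and that passwordless
login is done with PermitEmptyPasswords / AuthenticationMethods none.
"""
import ipaddress

SAMPLE_CONFIG = """
# constructed sshd_config: sshd only listens on the VPN address ...
ListenAddress 100.101.102.103
PasswordAuthentication no
PermitEmptyPasswords no

# ... and only VPN peers get the passwordless path
Match Address 100.64.0.0/10
    PermitEmptyPasswords yes
    AuthenticationMethods none

# mistake: this block is keyed on the user, not the source address,
# so it applies to connections from anywhere sshd is reachable
Match User deploy
    PermitEmptyPasswords yes
"""

# directive -> value that means "no credential required"
PASSWORDLESS = {
    "permitemptypasswords": "yes",
    "authenticationmethods": "none",
}


def parse_sshd_config(text):
    """Split sshd_config text into (match_criteria, directives) sections.

    The global section has criteria None. Each 'Match' line opens a new
    section that extends to the next 'Match' line or end of file, which
    is how sshd itself scopes conditional blocks. Keywords are
    case-insensitive, so they are lowered here.
    """
    sections = [(None, [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            sections.append((value, []))
        else:
            sections[-1][1].append((key, value))
    return sections


def match_confined_to(criteria, cidr):
    """True if the Match criteria contain an Address test whose entries
    all lie inside `cidr`. Negated entries ('!') or criteria without an
    Address test do not confine the block."""
    if criteria is None:
        return False
    tokens = criteria.split()
    for i in range(0, len(tokens) - 1, 2):
        if tokens[i].lower() != "address":
            continue
        try:
            return all(
                not entry.startswith("!")
                and ipaddress.ip_network(entry, strict=False).subnet_of(cidr)
                for entry in tokens[i + 1].split(",")
            )
        except (ValueError, TypeError):
            return False
    return False


def audit_passwordless(text, vpn_cidr="100.64.0.0/10"):
    """Return one finding per passwordless directive that is reachable
    from outside vpn_cidr (global section, or a Match block not keyed
    on a VPN source address)."""
    cidr = ipaddress.ip_network(vpn_cidr)
    findings = []
    for criteria, directives in parse_sshd_config(text):
        if match_confined_to(criteria, cidr):
            continue
        where = "global section" if criteria is None else f"Match {criteria}"
        for key, value in directives:
            if PASSWORDLESS.get(key) == value.lower():
                findings.append(f"{key} {value} in {where} is not confined to {vpn_cidr}")
    return findings


def listens_only_on(text, vpn_cidr="100.64.0.0/10"):
    """True if every ListenAddress is inside vpn_cidr and at least one is
    set; with no ListenAddress at all, sshd listens on every interface.
    Handles plain addresses and IPv4 'addr:port' only."""
    cidr = ipaddress.ip_network(vpn_cidr)
    addrs = [v for crit, ds in parse_sshd_config(text) if crit is None
             for k, v in ds if k == "listenaddress"]
    if not addrs:
        return False
    for addr in addrs:
        host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
        try:
            if ipaddress.ip_address(host) not in cidr:
                return False
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    print("listens only on VPN:", listens_only_on(SAMPLE_CONFIG))
    for finding in audit_passwordless(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the audit passes the `Match Address` block and flags only the `Match User deploy` block, which is the kind of mistake that turns “no auth on the VPN interface” into “no auth for anyone who can reach port 22”. Pair it with `sshd -t` on the real host, since this parser knows nothing about directive validity.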
Am I missing something? Once your device is registered (or log in from the device to tailscale), you can ssh to the tailscale IP, no? Without having to tailscale ssh, but only ssh [email protected]?
For ssh, I’m using teleport by gravitational. Self hosting the “central” part in a geographically logical region of hetzner cloud at the moment, previously hosted on DO and Vultr. Usually a VM costing no more than $10/month (doing other things too).
Simplest use is their ssh tool, so “tsh ssh”. But there’s also a web console ssh client, and you can configure regular ssh to “use” tsh, turning connection commands into simple “ssh”. I use this feature to run Ansible or other things over it. You can configure how long the sessions are valid for and it prompts for relogin when stale no matter how you use it.
It also has “app forwarding”, so it can forward some web consoles for you. Like if you are hosting traefik and have the dashboard on 127.0.0.1:9000, it can forward that for you at the central site behind its auth.
The downside is the free version only supports its user database or GitHub as the IDP, support for all other IDP provider options requires an enterprise license.
I have no tips for putty though, I run Linux as a daily driver, so I’m always using cli ssh anyway.
Edit: and yes it has various RBAC options, like limiting users to specific nodes based on their reported tags, or even “dynamic user generation” with configurable passwordless sudo
Um I do nothing special, I use self hosted wg and my home subnet is included. Heck even if there were multiple networks they could be included in the wireguard, tougher to do but possible.
I ssh to my server on the wg identical to the lan. On both my laptop and phone. No login I use ssh keys. I can VNC, do whatever I want, even futz at the router if I’m feeling extra adventurous. I have full control over who has ssh. poor parent gets no ssh and is not allowed to play with the router or the pi.
This post is confusing to me.
I get the ooo no re authentication but uh my keys do that. I could do all this extra work or use keys since it’s simply smart.
I know, but it’s just the TURN server for NAT traversal, public key exchange and the sort. The Tailscale client is still the same, and it connects using userland wireguard baked into the tailscaled binary, and not kernel level Wireguard. Trust me, for my use case it does make a difference. Even so, thank you very much for your answer
Yes, it “kind of” works that way, but with some additional checks as well. It checks things like the user you’re authenticated with on your Tailscale client, the user and host you’re trying to connect to, any ACLs (like firewall rules) you might’ve set up like "only this group of users on a device meeting this set of requirements can SSH to this set of machines on every user but root, and for this specific user I need them to re-authenticate to establish a shell" (see check mode on tailscale SSH ACLs).
I’ve also read the Smallstep article you are citing, and it indeed does appear with how it is written that no additional software is required on the client. However, they have a YouTube video with almost no views showcasing the solution they talk about in the article, and you do indeed need to install additional software: the Smallstep CLI to be precise. With it you authenticate, and it sets up SSH keys valid for 24 hours for you. Then you can connect using regular SSH, so it is half of what I’m looking for, half not. And for the PAM module suggestion, it would work, and I’ll definitely look into it!
And lastly, I totally forgot that Guacamole exists lol, that should be on me. Even if it’s not, strictly speaking, e x a c t l y what I’m asking for, a browser is something that is installed by default on almost every OS with a GUI, and I could integrate it with my own IdP. Thank you for the suggestion!! I’ve seen many condescending comments but people like you and others who try to help always make the community better
Yes, exactly! That is what I’m looking for, without Tailscale. Obviously not with the public interface, but being able to just SSH without any key or password after authenticating and connecting to a VPN. I could just remove authentication for any incoming connections on the VPN network interface, but it is not what Tailscale does. Tailscale checks a lot of things like the device you are connecting from, what user you have logged in with in Tailscale, what user you’re trying to open a shell to, and lots more before giving you access (or not!). And you can configure rules for it as well, so it’s not just black and white “if you connect from this set of IPs no authentication is required”.
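To make the checks described in the two replies above concrete (source identity, device attributes, destination host and account, and a “check” action that demands a fresh IdP login), here is a toy policy evaluator. It is an added example written for this thread, not Tailscale’s code or its ACL file format; `autogroup:nonroot` mirrors Tailscale’s shorthand for “any account except root”, while the groups, tags, hosts and rules are constructed.

```python
"""Toy evaluator for Tailscale-style SSH access rules.

Added example for this thread, not Tailscale's code or policy format.
It models the checks described above (source identity, device
attributes, destination host and account, and a 'check' action that
demands a fresh IdP login) with a constructed policy. 'autogroup:nonroot'
mirrors the Tailscale shorthand for "any account except root"; the
groups, tags and hosts are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_user: str          # identity the VPN client is logged in as
    src_tags: frozenset    # attributes reported for the connecting device
    dst_host: str          # node the shell is requested on
    dst_user: str          # local account the shell should run as


@dataclass(frozen=True)
class Rule:
    src_groups: frozenset  # who may connect
    dst_hosts: frozenset   # where ("*" = any node)
    dst_users: frozenset   # as whom ("*", a name, or "autogroup:nonroot")
    action: str = "accept"  # "accept" = open the shell; "check" = re-authenticate first
    require_tags: frozenset = frozenset()  # device attributes the source must carry


# Constructed group membership and policy (not a real tailnet).
GROUPS = {
    "group:admins": {"alice", "bob"},
    "group:devs": {"carol"},
}

POLICY = [
    # admins on a managed device reach any node as any non-root account
    Rule(frozenset({"group:admins"}), frozenset({"*"}), frozenset({"autogroup:nonroot"}),
         require_tags=frozenset({"tag:managed"})),
    # root on the database node is allowed, but only after a fresh IdP login
    Rule(frozenset({"group:admins"}), frozenset({"prod-db"}), frozenset({"root"}),
         action="check"),
    # developers get exactly one account on one node
    Rule(frozenset({"group:devs"}), frozenset({"dev-box"}), frozenset({"dev"})),
]


def account_allowed(rule_users, dst_user):
    """Does the rule's dst_users set permit a shell as dst_user?"""
    if "*" in rule_users or dst_user in rule_users:
        return True
    return "autogroup:nonroot" in rule_users and dst_user != "root"


def rule_matches(rule, session, groups):
    """All four checks must pass: group, device tags, host and account."""
    in_group = any(session.src_user in groups.get(g, set()) for g in rule.src_groups)
    tags_ok = rule.require_tags <= session.src_tags
    host_ok = "*" in rule.dst_hosts or session.dst_host in rule.dst_hosts
    return (in_group and tags_ok and host_ok
            and account_allowed(rule.dst_users, session.dst_user))


def evaluate(session, policy=POLICY, groups=GROUPS):
    """Return 'deny', 'accept' or 'check'.

    Deny by default: a session that matches no rule gets nothing. If
    several rules match, this model lets 'check' win over 'accept', so a
    stricter rule is never silently overridden by a broader one.
    """
    actions = {r.action for r in policy if rule_matches(r, session, groups)}
    if not actions:
        return "deny"
    return "check" if "check" in actions else "accept"


if __name__ == "__main__":
    managed = frozenset({"tag:managed"})
    for s in (
        Session("alice", managed, "web-1", "deploy"),
        Session("alice", frozenset(), "web-1", "deploy"),
        Session("alice", managed, "prod-db", "root"),
        Session("carol", managed, "web-1", "dev"),
    ):
        print(f"{s.src_user:6} -> {s.dst_user}@{s.dst_host:8} {evaluate(s)}")
```

The point of the model is the shape of the decision, not the syntax: the same “alice” is accepted on one node, denied from an unmanaged laptop, and sent back to the IdP for root on the database node, all without any key or password being presented to sshd. The “check wins over accept” tie-break is this example’s choice; whatever real tool you pick, verify how it resolves overlapping rules before relying on it.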
Yes, that’s an option, but what’s interesting about Tailscale’s ssh is that it handles the keys for you and you just need to authenticate to connect to your VPN and that’s it. But yes, doing it manually is definitely a way
Tried it. JSON config got corrupted very easily in one of my nodes (granted, it randomly rebooted sometimes, it doesn’t anymore), and I needed to reinstall the entire client all together very frequently. Also, it is VERY undocumented. I think it has potential though, but it needs a few more years of work
SSH with an identity provider, two factor authentication and public key exchange without any additional software? I’m not so sure. And if you’re talking about just a wireguard VPN then yes, you absolutely could and I already know how to, I work as a systems administrator. But try to make a peer-to-peer mesh VPN that way and not a hub and spoke and you’ll realize how exponentially hard it gets to add nodes without a way of handling and exchanging keys between nodes.