Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

deploying-tailscale-for-zero-trust-vpn

Sterne6

Forks2

Aktualisiert16. März 2026 um 00:59

Deploy and configure Tailscale as a WireGuard-based zero trust mesh VPN with identity-aware access controls, ACLs, and exit nodes for secure peer-to-peer connectivity.

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

autohandai

autohandai/community-skills

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

Verwandte BerufeSOC

Basierend auf der SOC-Berufsklassifikation

Netzwerk- und ComputersystemadministratorenInformatik- und Mathematikberufe·SOC 15-1244

Datei-Explorer

8 Dateien

SKILL.md

readonly

Mehr aus diesem Repository

gleiches Repository

triaging-vulnerabilities-with-ssvc-framework

autohandai/community-skills

Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.

2026-03-186

performing-soc-2-type-ii-audit-preparation

autohandai/community-skills

SOC 2 Type II audit preparation involves designing, implementing, and demonstrating the operational effectiveness of controls aligned to the AICPA Trust Services Criteria (TSC) over a defined audit pe

2026-03-186

userinterface-wiki

autohandai/community-skills

UI/UX best practices for web interfaces. Use when reviewing animations, CSS, audio, typography, UX patterns, prefetching, or icon implementations. Covers 11 categories from animation principles to typography. Outputs file:line findings.

2026-03-186

configuring-aws-verified-access-for-ztna

autohandai/community-skills

Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity and device posture verification with Cedar policy language.

2026-03-166

configuring-identity-aware-proxy-with-google-iap

autohandai/community-skills

Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with service accounts.

2026-03-166

configuring-zscaler-private-access-for-ztna

autohandai/community-skills

Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying App Connectors, defining application segments, configuring access policies based on user identity and device posture, and integrating with IdPs.

2026-03-166

name	deploying-tailscale-for-zero-trust-vpn
description	Deploy and configure Tailscale as a WireGuard-based zero trust mesh VPN with identity-aware access controls, ACLs, and exit nodes for secure peer-to-peer connectivity.
domain	cybersecurity
subdomain	zero-trust-architecture
tags	["zero-trust","tailscale","wireguard","mesh-vpn","ztna","peer-to-peer","acl","identity-aware","headscale"]
version	1.0
author	mahipal
license	Apache-2.0

Deploying Tailscale for Zero Trust VPN

Overview

Tailscale is a zero trust mesh VPN built on WireGuard that creates encrypted peer-to-peer connections between devices without requiring traditional VPN servers or complex network configuration. Every connection in a Tailscale network (tailnet) is end-to-end encrypted using WireGuard's Noise protocol framework with Curve25519 key exchange. Tailscale implements zero trust networking by authenticating every connection request through identity providers, enforcing granular Access Control Lists (ACLs), and supporting features like exit nodes, subnet routers, MagicDNS, and Tailscale SSH. For organizations preferring self-hosted infrastructure, Headscale provides an open-source implementation of the Tailscale control server.

Prerequisites

Identity provider (Okta, Azure AD, Google Workspace, GitHub, or OIDC-compatible)
Devices running supported OS (Linux, Windows, macOS, iOS, Android, FreeBSD)
Administrative access to configure DNS and firewall rules
Understanding of WireGuard protocol fundamentals
Network planning documentation for subnet routing requirements

Architecture

                    Tailscale Coordination Server
                    (or self-hosted Headscale)
                           |
                    Key Distribution
                    & NAT Traversal
                           |
         +-----------------+-----------------+
         |                 |                 |
    +----+----+      +----+----+      +----+----+
    | Node A  |<---->| Node B  |<---->| Node C  |
    | (Linux) |      | (macOS) |      |(Windows)|
    +---------+      +---------+      +---------+
    WireGuard         WireGuard        WireGuard
    Encrypted         Encrypted        Encrypted
    P2P Tunnel        P2P Tunnel       P2P Tunnel

    Each node connects directly to every other node.
    DERP relay servers used only when direct P2P fails.

Installation and Setup

Linux Installation

# Add Tailscale repository and install
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale and authenticate
sudo tailscale up

# Check connection status
tailscale status

# View assigned IP address
tailscale ip -4
tailscale ip -6

Windows / macOS Installation

# Windows: Download from https://tailscale.com/download/windows
# macOS: Install via Homebrew
brew install --cask tailscale

# Or download from https://tailscale.com/download/mac

Docker Deployment

# docker-compose.yml for Tailscale sidecar
version: '3.8'
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: my-service
    environment:
      - TS_AUTHKEY=tskey-auth-xxxxx  # Pre-auth key
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_EXTRA_ARGS=--advertise-tags=tag:container
    volumes:
      - tailscale-state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped

volumes:
  tailscale-state:

Kubernetes Deployment

# Tailscale operator for Kubernetes
apiVersion: v1
kind: Secret
metadata:
  name: tailscale-auth
  namespace: tailscale
type: Opaque
stringData:
  TS_AUTHKEY: "tskey-auth-xxxxx"
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: tailscale
  namespace: tailscale
spec:
  selector:
    matchLabels:
      app: tailscale
  template:
    metadata:
      labels:
        app: tailscale
    spec:
      containers:
      - name: tailscale
        image: tailscale/tailscale:latest
        env:
        - name: TS_AUTHKEY
          valueFrom:
            secretKeyRef:
              name: tailscale-auth
              key: TS_AUTHKEY
        - name: TS_KUBE_SECRET
          value: tailscale-state
        - name: TS_USERSPACE
          value: "true"
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]

Access Control Lists (ACLs)

Tailscale ACLs define who can access what within your tailnet using a declarative JSON format. The default policy is deny-all, making it zero trust by design.

{
  "acls": [
    // Engineering team can access development servers
    {
      "action": "accept",
      "src": ["group:engineering"],
      "dst": ["tag:dev-server:*"]
    },
    // SRE team can access production infrastructure
    {
      "action": "accept",
      "src": ["group:sre"],
      "dst": ["tag:production:22,443,8080"]
    },
    // Database access restricted to backend services
    {
      "action": "accept",
      "src": ["tag:backend"],
      "dst": ["tag:database:5432,3306,27017"]
    },
    // All employees can access internal tools
    {
      "action": "accept",
      "src": ["group:employees"],
      "dst": ["tag:internal-tools:443"]
    }
  ],

  "groups": {
    "group:engineering": ["user@company.com", "dev@company.com"],
    "group:sre": ["sre@company.com", "oncall@company.com"],
    "group:employees": ["autogroup:members"]
  },

  "tagOwners": {
    "tag:dev-server": ["group:engineering"],
    "tag:production": ["group:sre"],
    "tag:backend": ["group:sre"],
    "tag:database": ["group:sre"],
    "tag:internal-tools": ["group:sre"],
    "tag:container": ["group:sre"]
  },

  "ssh": [
    {
      "action": "check",
      "src": ["group:sre"],
      "dst": ["tag:production"],
      "users": ["root", "admin"]
    },
    {
      "action": "accept",
      "src": ["group:engineering"],
      "dst": ["tag:dev-server"],
      "users": ["autogroup:nonroot"]
    }
  ],

  "nodeAttrs": [
    {
      "target": ["autogroup:members"],
      "attr": ["funnel:deny"]
    }
  ]
}

Exit Nodes and Subnet Routing

Configure Exit Node

# On the exit node machine
sudo tailscale up --advertise-exit-node

# On the client machine, use the exit node
sudo tailscale up --exit-node=<exit-node-ip>

# Verify exit node routing
curl ifconfig.me  # Should show exit node's public IP

Subnet Router Configuration

# Advertise local subnets through Tailscale
sudo tailscale up --advertise-routes=10.0.0.0/24,192.168.1.0/24

# Enable IP forwarding on Linux
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Accept routes on client
sudo tailscale up --accept-routes

Tailscale SSH (Zero Trust SSH)

Tailscale SSH replaces traditional SSH key management with identity-based access.

# Enable Tailscale SSH on a server
sudo tailscale up --ssh

# Connect using Tailscale SSH (no SSH keys needed)
ssh user@hostname  # Authenticates via Tailscale identity

# Session recording (audit logging)
# Configure in ACL policy:
# "ssh": [{"action": "check", "src": [...], "dst": [...], "users": [...]}]
# "check" action requires re-authentication and records sessions

MagicDNS Configuration

# MagicDNS is enabled by default in new tailnets
# Access devices by hostname instead of IP
ping my-server  # Resolves via MagicDNS

# Custom DNS configuration via admin console
# Split DNS: route specific domains to internal DNS servers
# Global nameservers: override default DNS resolution

Self-Hosted with Headscale

# Install Headscale (open-source Tailscale control server)
wget https://github.com/juanfont/headscale/releases/latest/download/headscale_linux_amd64
chmod +x headscale_linux_amd64
sudo mv headscale_linux_amd64 /usr/local/bin/headscale

# Create configuration
sudo mkdir -p /etc/headscale
sudo headscale generate config > /etc/headscale/config.yaml

# Edit config for your environment
# Key settings:
#   server_url: https://headscale.example.com
#   listen_addr: 0.0.0.0:8080
#   private_key_path: /etc/headscale/private.key
#   db_type: sqlite3
#   db_path: /var/lib/headscale/db.sqlite

# Start Headscale
sudo headscale serve

# Create user and pre-auth key
headscale users create myorg
headscale preauthkeys create --user myorg --reusable --expiration 24h

# Connect Tailscale client to Headscale
tailscale up --login-server https://headscale.example.com

Security Hardening

Key Expiry and Rotation

# Set key expiry in admin console (default: 180 days)
# Force re-authentication periodically

# Disable key expiry for servers (use auth keys instead)
sudo tailscale up --authkey=tskey-auth-xxxxx

# Pre-auth keys for automated deployment
# Create ephemeral, single-use keys for CI/CD

Device Authorization

{
  "nodeAttrs": [
    {
      "target": ["autogroup:members"],
      "attr": [
        "mullvad:deny",
        "funnel:deny"
      ]
    }
  ],
  "autoApprovers": {
    "routes": {
      "10.0.0.0/24": ["group:sre"],
      "192.168.0.0/16": ["group:sre"]
    },
    "exitNode": ["group:sre"]
  }
}

Network Lock (Tailnet Lock)

# Initialize network lock with signing keys
tailscale lock init

# Add trusted signing keys
tailscale lock add nodekey:xxxxx

# All new nodes require signing before joining
# Prevents unauthorized nodes from joining the tailnet

Monitoring and Observability

# View network status
tailscale status --json | jq '.Peer | to_entries[] | {name: .value.HostName, online: .value.Online, os: .value.OS}'

# Check connection quality
tailscale ping <peer-ip>

# View network map
tailscale netcheck

# Audit logs available in Tailscale admin console
# Integration with SIEM via webhook or API

Integration Patterns

Service Mesh Integration

# Tailscale as sidecar for service-to-service communication
# Each service gets a Tailscale identity
# ACLs enforce service-to-service access policies

# Example: API service can only reach database service
# ACL: tag:api -> tag:database:5432

CI/CD Pipeline Integration

# Use ephemeral auth keys in CI/CD
export TS_AUTHKEY=tskey-auth-xxxxx-ephemeral
tailscale up --authkey=$TS_AUTHKEY --hostname=ci-runner-$CI_JOB_ID

# Access internal resources during build/deploy
# Node automatically removed when container stops

deploying-tailscale-for-zero-trust-vpn

Mehr aus diesem Repository

Mehr aus diesem Repository

Deploying Tailscale for Zero Trust VPN

Overview

Prerequisites

Architecture

Installation and Setup

Linux Installation

Windows / macOS Installation

Docker Deployment

Kubernetes Deployment

Access Control Lists (ACLs)

Exit Nodes and Subnet Routing

Configure Exit Node

Subnet Router Configuration

Tailscale SSH (Zero Trust SSH)

MagicDNS Configuration

Self-Hosted with Headscale

Security Hardening

Key Expiry and Rotation

Device Authorization

Network Lock (Tailnet Lock)

Monitoring and Observability

Integration Patterns

Service Mesh Integration

CI/CD Pipeline Integration

References

Deploying Tailscale for Zero Trust VPN

Overview

Prerequisites

Architecture

Installation and Setup

Linux Installation

Windows / macOS Installation

Docker Deployment

Kubernetes Deployment

Access Control Lists (ACLs)

Exit Nodes and Subnet Routing

Configure Exit Node

Subnet Router Configuration

Tailscale SSH (Zero Trust SSH)

MagicDNS Configuration

Self-Hosted with Headscale

Security Hardening

Key Expiry and Rotation

Device Authorization

Network Lock (Tailnet Lock)

Monitoring and Observability

Integration Patterns

Service Mesh Integration

CI/CD Pipeline Integration

References