Securing SSH with Tailscale for Pangolin VPS


Overview

This guide explains how to secure SSH access on your Pangolin VPS using Tailscale and includes instructions for both OpenSSH and PuTTY users. The setup script creates a secure user, disables password authentication, and binds SSH to your Tailscale network.

Prerequisites

  • A running Pangolin VPS
  • Tailscale installed and authenticated on your VPS
  • Root access to your VPS
  • Tailscale installed on your local machine
  • (For Windows users) PuTTY installed

Important Security Notes

  1. This script will disable password authentication completely
  2. SSH will only be accessible through your Tailscale network
  3. A new secure user will be created with limited sudo privileges
  4. The original SSH configuration will be backed up
  5. Recovery requires access to either:
    • An existing SSH session
    • VPS provider’s console access
    • The backup SSH configuration

Step-by-Step Implementation Guide

1. Preparation (CRITICAL)

Before running the script:

  1. Ensure you have an active terminal session to your VPS
  2. Keep the terminal session open until verification is complete
  3. Verify Tailscale is running: tailscale status
  4. Note your current SSH access method for emergency recovery

2. Tailscale Authentication

When you first run the script, it will check if Tailscale is authenticated. If not:

  1. The script will present a Tailscale authentication link
  2. Open this link in your browser
  3. Log in to your Tailscale account
  4. Authorize the machine
  5. Wait for the script to confirm the authentication

3. Running the Script

# Download the script
wget -O bind-ssh-tailscale.sh https://gist.githubusercontent.com/hhftechnology/5949d566fdb5377d21b49d39a82de36f/raw/3637a8a9fa66c7af88592f17d191233429a1ed3a/bind-ssh-tailscale.sh

# Make it executable
chmod +x bind-ssh-tailscale.sh

# Run the script
sudo ./bind-ssh-tailscale.sh

4. During Script Execution

  1. The script will create a new secure user
  2. CRITICAL: When the SSH private key is displayed:
    • Copy it immediately
    • Store it securely (password manager recommended)
    • Verify you have copied it correctly before proceeding
    • The script will wait for your confirmation

5. SSH Key Setup Based on Your Client

For OpenSSH Users (Linux/Mac/Windows with OpenSSH)

  1. Save the private key to a file (e.g., ~/.ssh/pangolin_key)
  2. Set correct permissions:
    chmod 600 ~/.ssh/pangolin_key
    
  3. Test connection:
    ssh -i ~/.ssh/pangolin_key secureuser@YOUR_TAILSCALE_IP
    

For PuTTY Users (Windows)

  1. Converting the Key to PPK Format

    Using PuTTYgen GUI:

    1. Open PuTTYgen
    2. Click “Load”
    3. Change file filter to “All Files (*.*)”
    4. Select your private key file
    5. Click “Save private key”
    6. Choose “Yes” when asked about saving without a passphrase (though adding one is recommended)
    7. Save the file with a .ppk extension

    Using Command Line:

    # If you haven't installed PuTTY tools:
    sudo apt-get install putty-tools
    
    # Convert the key
    puttygen private_key -o converted_key.ppk
    
  2. Connecting with PuTTY:

    1. Open PuTTY
    2. Go to Connection → SSH → Auth → Credentials
    3. Browse and select your .ppk file under “Private key file for authentication”
    4. Set the connection details:
      • Host Name: Your Tailscale IP
      • Port: 22
      • Username: secureuser
    5. (Optional) Save the session for quick access

6. Verification Steps

After the script completes:

  1. Keep your original SSH session open
  2. Open a new terminal/PuTTY window
  3. Test SSH access using the Tailscale IP
  4. Only close the original session after a successful connection test

7. Emergency Recovery

If you lose access:

  1. Use your original SSH session to revert changes:
    # Find the backup file
    ls -l /etc/ssh/sshd_config.backup.*
    
    # Restore the backup
    sudo cp /etc/ssh/sshd_config.backup.[TIMESTAMP] /etc/ssh/sshd_config
    
    # Restart SSH
    sudo systemctl restart sshd

Security Features Implemented

  • SSH bound to Tailscale IP only
  • Password authentication disabled
  • Root login restricted to key-based authentication
  • Secure user created with limited sudo access
  • Custom SSH configuration with security enhancements:
    • Protocol 2 only
    • Empty passwords prohibited
    • Maximum 3 authentication attempts
    • Client alive interval: 300 seconds
    • X11 forwarding enabled only for the secure user
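The settings listed above, written out as an added example (this is not the gist's script): it renders them as an sshd drop-in bound to the Tailscale IPv4 address, backs up the live configuration, and validates with sshd -t before restarting. It assumes an sshd_config that includes /etc/ssh/sshd_config.d/*.conf (the Debian/Ubuntu default) and the user name secureuser from the guide.

```shell
#!/bin/sh
# Added example, not the guide's script. Assumes sshd_config includes
# /etc/ssh/sshd_config.d/*.conf and that the admin user is "secureuser".

# Print the hardened drop-in for listen address $1 and admin user $2.
render_sshd_config() {
  # "Protocol 2" is left out: OpenSSH 7.4+ only speaks protocol 2 and the
  # directive is obsolete. KbdInteractiveAuthentication is disabled as well,
  # otherwise PAM can still prompt for a password over keyboard-interactive.
  cat <<EOF
ListenAddress $1
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
ClientAliveInterval 300
X11Forwarding no
Match User $2
    X11Forwarding yes
EOF
}

# Apply the drop-in on the VPS (run as root). Returns non-zero and leaves the
# live configuration untouched when a precondition or validation fails.
bind_ssh_to_tailscale() {
  user=${1:-secureuser}
  ip=$(tailscale ip -4) || { echo "tailscale is not up" >&2; return 1; }
  # The address must already be assigned, or sshd cannot bind and will not start.
  ip -o -4 addr show | grep -q " $ip/" || { echo "$ip not on any interface" >&2; return 1; }
  cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.backup.$(date +%Y%m%d%H%M%S)"
  dropin=/etc/ssh/sshd_config.d/10-tailscale.conf
  render_sshd_config "$ip" "$user" > "$dropin"
  if ! sshd -t; then
    rm -f "$dropin"   # roll back; the running sshd still has the old config
    return 1
  fi
  # Caveat: on socket-activated installs (Ubuntu 22.10+ ssh.socket) the listen
  # address must also be set in the systemd socket unit, or it is ignored.
  systemctl restart ssh 2>/dev/null || systemctl restart sshd
}

# Only touch the system when explicitly asked: sudo sh bind.sh apply [user]
if [ "${1:-}" = apply ]; then bind_ssh_to_tailscale "${2:-secureuser}"; fi
```

Keep the original session open while the new sshd comes up, exactly as the verification steps say; if tailscaled starts after sshd on reboot, the bind fails until it is up.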

Best Practices

  1. Regular key rotation
  2. Keep Tailscale and system updated
  3. Monitor SSH access logs
  4. Maintain backup access method (e.g., VPS provider’s console)
  5. Document recovery procedures
  6. Test access regularly
  7. Store SSH keys securely:
    • Use a password manager for private keys
    • Keep backup copies in secure locations
    • Consider using hardware security keys

Troubleshooting

General Issues

  1. Verify Tailscale status on both machines
  2. Check SSH key permissions (should be 600)
  3. Verify SSH service is running
  4. Check firewall rules
  5. Verify correct Tailscale IP

PuTTY-Specific Issues

  1. Ensure key is properly converted to .ppk format
  2. Check PuTTY event log for connection issues
  3. Verify username is set correctly in PuTTY configuration
  4. Confirm Tailscale IP is correct
  5. If using a passphrase, ensure it’s entered correctly

Common Error Messages

  • “Server refused our key”: Check if the key was properly copied and converted
  • “No supported authentication methods available”: Ensure password authentication is not being attempted
  • “Network error: Connection timed out”: Check Tailscale connectivity
  • “Host key verification failed”: May need to clear known_hosts entry

Regular Maintenance

  1. Check SSH logs periodically: sudo journalctl -u sshd
  2. Monitor failed login attempts
  3. Update SSH keys every 6-12 months
  4. Keep backup recovery procedures updated
  5. Test recovery procedures quarterly
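For the "monitor failed login attempts" item, an added example (not part of the guide) that summarises failed logins from journalctl -u sshd output and flags any source outside Tailscale's 100.64.0.0/10 range; a failure from a public address means sshd is still reachable off the Tailscale network. The log lines are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the guide. Constructed sample of
# "journalctl -u sshd -o cat" output; addresses are documentation/CGNAT ranges.
SAMPLE_LOG='Failed publickey for secureuser from 100.101.23.4 port 51022 ssh2: ED25519 SHA256:abc
Accepted publickey for secureuser from 100.101.23.4 port 51024 ssh2: ED25519 SHA256:abc
Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Failed password for root from 203.0.113.7 port 40120 ssh2
Connection closed by authenticating user secureuser 100.101.23.4 port 51030 [preauth]
Failed publickey for secureuser from 100.101.23.9 port 51040 ssh2: ED25519 SHA256:def'

# Read journal lines on stdin; print "count ip" per source with failed
# attempts, most frequent first.
failed_by_source() {
  grep -E '^Failed (password|publickey)' \
    | sed -E 's/.* from ([0-9.]+) port.*/\1/' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Return 0 if $1 lies in 100.64.0.0/10 (100.64.0.0 - 100.127.255.255).
in_tailscale_range() {
  case "$1" in
    100.6[4-9].*.*|100.[7-9][0-9].*.*|100.1[01][0-9].*.*|100.12[0-7].*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Sources with failures that are not Tailscale peers. Empty output is the
# healthy state when sshd is bound to the Tailscale address only.
non_tailscale_sources() {
  failed_by_source | while read -r count ip; do
    in_tailscale_range "$ip" || printf '%s %s\n' "$count" "$ip"
  done
}

# Stand-alone run uses the sample. On the VPS, replace the printf with:
#   sudo journalctl -u sshd -o cat | non_tailscale_sources
printf '%s\n' "$SAMPLE_LOG" | non_tailscale_sources
```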

Remember: This setup significantly enhances security but requires careful implementation. Always maintain a backup access method and thoroughly test the new configuration before closing your original SSH session.


Perfect for my new instances, thanks
