Using Tailscale to limit access to websites hosted on a cloud VPS

Tailscale has become one of the most beloved tools in my network administration arsenal recently.

A Tailscale exit node is a host on your Tailscale network (tailnet) that other nodes can route all of their Internet traffic through. There are several situations where this is useful. For example, you can run an exit node on one of your home computers and connect to it when you are traveling so that your public IP always remains that of your home network. Here I am going to document how an exit node can be used to limit access to a website that is hosted publicly on a cloud VPS.

Suppose you have an application that you have hosted on a cloud VPS. You have hosted it publicly on the internet so that you can access it from anywhere. But at the same time you don't want anyone else to access it! How do we go about this?

You can enforce this with an NGINX reverse proxy. If you use Nginx Proxy Manager (NPM), you can do it via NPM's web UI: go to the "Access Lists" tab, add the public IPs from which the services may be accessed, then add "deny all" after them so that requests from any other IP address are blocked. Keep in mind that this list is matched against the source address NGINX actually sees. If a CDN or another proxy sits in front of NGINX, that address is the proxy's, and you would need NGINX's real_ip settings restricted to that proxy's address ranges; trusting an X-Forwarded-For header from arbitrary clients would let anyone spoof an allowed address.

You can add your home or office's public IPs to the allow list, but this approach has limitations: you may not have, or even want, a static IP at home, and you cannot reach these websites when you are outside your home network, or when your primary connection goes down and you fail over to a cellular backup.

Here is a very simple way to use Tailscale to work around these limitations, provided your cloud VPS has a static public IP.

Add your VPS's public IP as the only allowed IP and run a Tailscale exit node on this server. Traffic from a client that uses the exit node reaches the site with the VPS's public IP as its source address, which is exactly what the allow list permits; everyone else is denied. Note what this means: access control is now tailnet membership, so anyone who can use this exit node can reach the site. Also, if the VPS has a public IPv6 address that NGINX listens on, allow that address too (or keep the listener IPv4-only), since a client that leaves the exit node over IPv6 will arrive with it. To run an exit node you have to enable IP forwarding and adjust the firewall rules on the machine (the instructions are on Tailscale's website) and then start Tailscale with

sudo tailscale up --advertise-exit-node

Once you do this, go to the Tailscale admin console and approve the exit node. Then, on the client machine, set your server as the exit node from Tailscale's menu. On macOS, click the Tailscale icon in the menu bar and choose your server under "Exit node". After this, the client's public IP is the server's IP, and you should be able to access the websites. A quick check is to load the site once and confirm in the NGINX access log that the request was logged with the server's address; if it shows some other address, fix the allow list for that address rather than widening it.

If you want to take this one step further and do not want to run a Tailscale node on your main server itself, run a dedicated Tailscale node on another VPS host with a static IP, set it up as your exit node, and allow only that IP in your NGINX reverse proxy settings. The main server then stays off the tailnet entirely, and the small exit-node host is the only machine that needs Tailscale installed.
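The following shell script is an added example, not code from the original post, that puts the pieces above together: the NGINX allow/deny list that NPM's "Access Lists" tab generates, the exit-node setup on the server (or on a dedicated exit-node host, as in the last paragraph), and the client-side check. The address 203.0.113.10, the hostname app.example.com, the backend URL and the file paths are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example, not from the original post: the allow-list and exit-node
# setup as one script. IPs, hostnames and paths are assumptions
# (203.0.113.10 is a documentation address); replace them with your own.
set -eu

EXIT_NODE_IP="${EXIT_NODE_IP:-203.0.113.10}"   # public IP the site will see
SITE="${SITE:-app.example.com}"                # assumed site hostname
UPSTREAM="${UPSTREAM:-http://127.0.0.1:8080}"  # assumed backend behind NGINX

# The allow/deny pair that NPM's "Access List" generates under the hood.
# NGINX stops at the first matching rule, so "deny all" must come last.
nginx_allowlist() {
  printf 'allow %s;\ndeny all;\n' "$1"
}

# Reject malformed addresses before they reach the config: a bad line
# fails "nginx -t" instead of silently allowing nobody (or everybody).
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Run as root on the web server. Writes the allow list as an include and
# a minimal server block that uses it. With NPM, paste the same entries
# into the "Access Lists" tab instead of writing files.
write_site_config() {
  valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
  nginx_allowlist "$1" > /etc/nginx/snippets/exit-node-allow.conf  # assumed path
  cat > "/etc/nginx/sites-enabled/$SITE.conf" <<EOF
server {
    # IPv4 only on purpose: if you also listen on [::]:80, requests that
    # leave the exit node over IPv6 carry its IPv6 address, which this
    # list does not allow. Add that address or keep the listener v4-only.
    listen 80;
    server_name $SITE;
    # If a CDN or another proxy sits in front of NGINX, \$remote_addr is
    # that proxy's address: add set_real_ip_from/real_ip_header for its
    # ranges only; never trust X-Forwarded-For from arbitrary clients.
    location / {
        include snippets/exit-node-allow.conf;
        proxy_pass $UPSTREAM;
        proxy_set_header Host \$host;
    }
}
EOF
  nginx -t && systemctl reload nginx
}

# Run as root on the exit-node host (the web server itself, or the
# dedicated node from the last paragraph). Forwarding must survive a
# reboot, hence the sysctl.d file. tailscaled adds its own masquerade
# rules; with ufw or firewalld active, see Tailscale's exit-node docs.
enable_exit_node() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    > /etc/sysctl.d/99-tailscale.conf
  sysctl -p /etc/sysctl.d/99-tailscale.conf
  tailscale up --advertise-exit-node
  echo "now approve this node as an exit node in the Tailscale admin console"
}

# Run on a client: select the exit node, then confirm the site answers.
# A 403 here means NGINX saw some other source address; its access log
# shows which one, so you can correct the allow list rather than widen it.
use_exit_node_and_check() {
  tailscale set --exit-node="$1"   # older clients: tailscale up --exit-node="$1"
  code=$(curl -sS -o /dev/null -w '%{http_code}' "http://$SITE/")
  echo "GET http://$SITE/ via exit node $1 -> HTTP $code"
  [ "$code" = 200 ]
}

case "${1:-}" in
  site)   write_site_config "$EXIT_NODE_IP" ;;
  exit)   enable_exit_node ;;
  client) use_exit_node_and_check "${2:?exit node name or tailnet IP}" ;;
  '')     ;;   # no arguments: only define the functions (e.g. when sourced)
  *)      echo "usage: $0 site | exit | client <node>" >&2; exit 2 ;;
esac
```

Run it as `sh script.sh exit` on the exit-node host, `EXIT_NODE_IP=<its public IP> sh script.sh site` on the web server, and `sh script.sh client <node name or tailnet IP>` on a client. The allow list is deliberately kept as a separate include so that changing the exit node later means editing one file and reloading NGINX, not touching the server block.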