How I Use Tailscale to SSH into My Pi Cluster Remotely

Tailscale SSH

Introduction

I have a home cluster with six Raspberry Pi devices and need to SSH into them from anywhere. Instead of dealing with the complexity of port forwarding or setting up a VPN, I simplify the process while keeping it secure by using Tailscale. Here's how I do it.

Prerequisites

  • A Tailscale account.
  • One or more Raspberry Pi devices.

Step-by-step Guide

  1. Define the policy specifying which devices users can access over SSH:

    Since I am the sole administrator of these devices, I created an admin group and granted it SSH access to devices tagged with tag:pi. I navigated to the Tailscale Dashboard → Access Controls and applied the following policy.

    {
    	// Define admin group
    	"groups": {
    		"group:admin": ["[email protected]"],
    	},
    
    	// Define the tag
    	"tagOwners": {
    		"tag:pi": ["autogroup:admin"],
    	},
    
    	"acls": [
    		// Allow users in "group:admin" to access everything
    		{"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    	],
    
    	// Define users and devices that can use Tailscale SSH.
    	"ssh": [
    		// Allow everyone in "group:admin" to SSH into devices tagged "tag:pi" as the "harry" user.
    		// The "check" action also requires the user to have re-authenticated recently.
    		{
    			"action": "check",
    			"src":    ["group:admin"],
    			"dst":    ["tag:pi"],
    			"users":  ["harry"],
    		},
    	],
    }
    
  2. Connect the Raspberry Pi devices to the Tailscale network:

    I clicked the "Add device" button and selected "Linux server" to generate the installation script. I assigned the tag:pi so my devices would be automatically tagged. Additionally, I enabled the "Reusable" authentication key, allowing me to use the same installation script for all six devices without needing to regenerate it each time.

    Tailscale Install Script

  3. Install Tailscale on the devices:

    I SSHed into each of my Raspberry Pi devices, ran the installation script, and configured Tailscale to manage SSH connections.

    curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --auth-key=tskey-auth-qaWSedRFTGYH-zaXScdVFbgNHMJXDGFHsretysddfgh
    sudo tailscale up --ssh
    

    I can see all my devices listed in the Tailscale Dashboard.

    Tailscale Machines

  4. Install the Tailscale client on my MacBook:

    To SSH into these devices remotely, I downloaded and installed the Tailscale client on my MacBook and signed in with my account.

  5. Testing

    I used my iPhone's 5G hotspot to simulate a remote network. Thanks to Tailnet, I can SSH into any of my devices using their hostname (e.g., pi1) without needing to remember their IP addresses.

    ssh harry@pi1
    The authenticity of host 'pi1 (100.70.76.77)' can't be established.
    ED25519 key fingerprint is SHA256:KRe5RHU6qTKRe5RHU6qTKRe5RHU6qTKRe5RHU6qT.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added 'pi1' (ED25519) to the list of known hosts.
    Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1018-raspi aarch64)
    
    * Documentation:  https://help.ubuntu.com
    * Management:     https://landscape.canonical.com
    * Support:        https://ubuntu.com/pro
    
    System information as of Sat Feb 15 08:56:08 UTC 2025
    
    	System load:           0.38
    	Usage of /:            1.6% of 938.70GB
    	Memory usage:          10%
    	Swap usage:            0%
    	Temperature:           39.4 C
    	Processes:             182
    	Users logged in:       1
    	IPv4 address for eth0: 192.168.88.88
    	IPv6 address for eth0: 2001:999:999:999:da3a:da3a:da3a:da3a
    
    * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
    	just raised the bar for easy, resilient and secure K8s cluster deployment.
    
    	https://ubuntu.com/engage/secure-kubernetes-at-the-edge
    
    Expanded Security Maintenance for Applications is not enabled.
    
    16 updates can be applied immediately.
    To see these additional updates run: apt list --upgradable
    
    Enable ESM Apps to receive additional future security updates.
    See https://ubuntu.com/esm or run: sudo pro status
    
    
    harry@pi1:~$     
    

    I can't use the root account because my policy restricts SSH access to only my designated username.

    ssh root@pi1 
    root@pi1: Permission denied (tailscale).
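
Why `ssh root@pi1` is refused, as an added example that is not part of the original post or Tailscale's own code: a small offline model of how the "ssh" rules from step 1 are matched. It is a simplification (no autogroups or wildcards; it assumes the most restrictive matching action wins and that no match means deny), and admin@example.com is a placeholder address.

```python
import json
import re

# Constructed copy of the step 1 policy ("groups" and "ssh" only); the address is a placeholder.
POLICY = """
{
    // Define admin group
    "groups": {
        "group:admin": ["admin@example.com"],
    },
    "ssh": [
        {
            "action": "check",
            "src":    ["group:admin"],
            "dst":    ["tag:pi"],
            "users":  ["harry"],
        },
    ],
}
"""

_STRING = r'"(?:\\.|[^"\\])*"'


def load_hujson(text):
    """Parse HuJSON: drop comments and trailing commas, leaving string contents untouched."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/", keep_strings, text, flags=re.S)
    text = re.sub(_STRING + r"|,(?=\s*[}\]])", keep_strings, text)
    return json.loads(text)


def ssh_decision(policy, src_user, dst_tags, login):
    """Return "check", "accept" or "deny" for one connection attempt (simplified model)."""
    groups = policy.get("groups", {})
    matched = set()
    for rule in policy.get("ssh", []):
        # Expand group names in "src" to their members; other entries are taken literally.
        members = {u for s in rule["src"] for u in groups.get(s, [s])}
        if src_user in members and set(rule["dst"]) & set(dst_tags) and login in rule["users"]:
            matched.add(rule["action"])
    # Assumption: the most restrictive matching action wins; no matching rule is a deny.
    return "check" if "check" in matched else "accept" if "accept" in matched else "deny"


if __name__ == "__main__":
    policy = load_hujson(POLICY)
    for login in ("harry", "root"):
        print(login, ssh_decision(policy, "admin@example.com", ["tag:pi"], login))
```

Only the login name listed in "users" matches the rule, so any other account, root included, falls through to the default deny.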
    

Conclusion

With Tailscale, I can effortlessly access my Raspberry Pi devices from anywhere at any time. The free plan supports up to 3 users and 100 devices, which is more than enough for my needs. I hope this article helps you achieve a similar setup for your own use case.
