Howto: securing HestiaCP with Tailscale

Hi all!

I found an easy and quite elegant way to secure HestiaCP by using Tailscale and wanted to share it with the community.

  1. Install Tailscale (free) on your server and authenticate. Also connect your local computer to the Tailscale network.
  2. Block all traffic except for port 80 (http) and 443 (https) via the firewall of your cloud provider. Do not block the ports in the HestiaCP firewall.
  3. Use the Tailscale internal IP address that you will find in Tailscale to connect to the HestiaCP dashboard, SSH and other services.

After following the steps above it is also possible to create a DNS name within Tailscale and issue SSL certificates for it. More about this in the Tailscale documentation: DNS in Tailscale · Tailscale.

Though this might break some of the more advanced functionality, it works perfectly with the basic setup for the few WordPress websites that I run. 🙂

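An added example, not part of the original post: a POSIX shell check for the setup in the steps above. It reads `ss -H -tln` output and lists the TCP ports that listen on a public or wildcard address other than 80/443, which are the services that depend on the cloud firewall rule from step 2. The function names and the sample listener table are constructed for illustration; 8083 is HestiaCP's default panel port.

```shell
#!/bin/sh
# Added example. Function names and the sample table are constructed.

# Succeeds if $1 is reachable only from the host itself or from tailnet peers.
# Tailscale assigns IPv4 from 100.64.0.0/10 and IPv6 from fd7a:115c:a1e0::/48.
is_private_bind() {
  case "$1" in
    127.*|"[::1]") return 0 ;;            # loopback
    "[fd7a:115c:a1e0:"*) return 0 ;;      # Tailscale IPv6
    100.*)                                # Tailscale IPv4 if 2nd octet is 64-127
      octet=${1#100.}; octet=${octet%%.*}
      case "$octet" in ''|*[!0-9]*) return 1 ;; esac
      [ "$octet" -ge 64 ] && [ "$octet" -le 127 ] ;;
    *) return 1 ;;
  esac
}

# Reads `ss -H -tln` lines on stdin and prints, one per line and sorted, each
# port that listens on a public or wildcard address and is not 80 or 443.
# Wildcard listeners stay reachable over the Tailscale address (step 3), so
# only the cloud firewall (step 2) keeps these ports off the internet.
firewall_dependent_ports() {
  while read -r _state _recvq _sendq local_addr _rest; do
    port=${local_addr##*:}
    addr=${local_addr%:*}
    case "$port" in 80|443|'') continue ;; esac
    is_private_bind "$addr" && continue
    echo "$port"
  done | sort -un
}

# Constructed sample in the column layout of `ss -H -tln`.
sample_listeners() {
  cat <<'EOF'
LISTEN 0 511  0.0.0.0:80            0.0.0.0:*
LISTEN 0 511  0.0.0.0:443           0.0.0.0:*
LISTEN 0 128  0.0.0.0:22            0.0.0.0:*
LISTEN 0 511  0.0.0.0:8083          0.0.0.0:*
LISTEN 0 80   127.0.0.1:3306        0.0.0.0:*
LISTEN 0 128  [::]:22               [::]:*
LISTEN 0 4096 100.101.102.103:55555 0.0.0.0:*
EOF
}

# On a real server: ss -H -tln | firewall_dependent_ports
sample_listeners | firewall_dependent_ports
```

Every port it prints should time out when probed from a machine outside the tailnet and answer when reached through the server's Tailscale address.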

Wow, thanks! This is exactly what I needed. Not for the setup situation you have.
It’s perfect for working on a LAN behind a CGNAT. With Tailscale I can get on our LAN without having to punch holes in the triple NAT, which is essentially impossible anyway…


That’s great! Tailscale is perfect for environments where you can’t open any ports. Glad it was useful. 🙂