Andy's Cafe

something something separate your work and personal computers


I can’t open the tailscale website on my work mac. The IT team has put in content filters or something that rewrite my DNS queries for tailscale.com to something that fails, and the browser throws an SSL bad-certificate error.

But I still can access my tailnet in certain circumstances and I want to document those for you.

It’s nothing fancy or subversive really, but it does highlight the fact that it’s hard to truly lock down a laptop. Without resorting to a “deny all outgoing traffic by default” policy, I’m really not sure how you would successfully pull this off.

the problem

Anyway, securing the machine is really none of my concern. But using my identity on one machine to access another machine that knows me is, and that’s what the rest of this post will talk about.

The idea is super simple actually: just use SSH with a ProxyJump.

This idea doesn’t even need to involve tailscale, my case just does because that’s the nature of the network I run.

the pre-reqs

The bare minimum you need to apply this solution is that:

And all of the following are true:

When I’m home and can force my work computer onto the same network as my personal computer, this is a non-issue and it will just connect directly.

The problem is when I’m traveling and want to pack just one computer, and I’m on call or something, so it’s easier to pack the work computer.

the solution

Anyway the solution is to use my travel router as my internet access point for the work laptop. This router runs OpenWRT and allows me to run tailscale on it. Obviously that satisfies the “B can directly connect to C” piece of the problem, and having the laptop connect to the router satisfies the “A can directly connect to B” piece.

Then to get home, I just run

ssh -J root@travel-router andy@home-machine

with the right SSH config entries. I’ll leave that as an exercise for the reader to figure out, but email me if you really get stuck on it. It’s not that complicated I promise.
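Here is one set of config entries that makes that command work, added to this post as an example and not copied from the author's setup. The LAN address of the router, the MagicDNS name of the home machine and the key file name are assumptions; substitute your own.

```sshconfig
# Added example (not the author's actual config): ~/.ssh/config on the work laptop.
# Addresses, host names and key file names are assumptions.

# The jump host: the travel router, reached directly because the laptop is on its Wi-Fi.
Host travel-router
    HostName 192.168.8.1            # assumed LAN address of the router
    User root
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# The destination: the home machine, reachable only over the tailnet the router is joined to.
# ProxyJump opens an SSH session to travel-router, asks it to forward a TCP stream to
# HostName:Port, then runs a second, separate SSH handshake to home-machine over that stream.
# The router only relays ciphertext of the inner session.
Host home-machine
    HostName home-machine.example.ts.net   # assumed MagicDNS name; a 100.x.y.z tailnet IP also works
    User andy
    ProxyJump travel-router
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
```

With this in place `ssh home-machine` is equivalent to `ssh -J root@travel-router andy@home-machine`, and `ssh -G home-machine` prints the resolved options if you want to check what will actually be used. Two things worth knowing: ProxyJump needs OpenSSH 7.3 or newer on the client, and the HostName of the inner hop is resolved by the router, not by the laptop, which is why the laptop's DNS filtering never gets a say. On the first connection you will be asked to accept two host keys; verify the home machine's fingerprint against one you recorded at home, because that inner host key check is the only thing stopping whoever controls the jump host from impersonating the destination.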

I admit that while this solution doesn’t take much to get working, it depends entirely on having some extra hardware lying around. The router makes it easy in this case because it will already establish the piggyback network connection for me. And once I am on the same network as it, it’s simple to ssh directly to it.

some reflection

ssh is a powerful tool. It’s sad to me that some people will never experience a fraction of the power it provides. And it makes finding out that there are small companies out there working in this space (pico.sh and charm.sh) really exciting.

I’m sure you could have a similar setup with something like a Raspberry Pi Zero that you share internet to over USB. That provides power to run the Pi and a Linux environment running tailscale to do the same thing I’ve described above. This would be a cooler hacker setup too. I just have to plug in this USB device and then any SSH client can reach my tailnet.

And if you run sshd the same way I do, with password authentication disabled, this isn’t a problem either, because of melt. melt lets me back up and restore an SSH key. So long as I add that key to every computer I could want to access from a random machine, I’m good to copy the bootstrap command from my password manager and run it.
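For completeness, the server side that the paragraph above assumes, added here as an example rather than taken from the author's home machine: the settings in /etc/ssh/sshd_config that turn off password logins, shown next to the defaults they replace. The comment about the restored key's location is an assumption about where you keep authorized keys.

```sshconfig
# Added example (not the author's config): /etc/ssh/sshd_config on the home machine.
# Weak defaults on the left of each comment, hardened setting as the live line.

PasswordAuthentication no           # default "yes": a password guess through the jump host would be enough
KbdInteractiveAuthentication no     # default "yes"; spelled ChallengeResponseAuthentication on OpenSSH < 8.7
PubkeyAuthentication yes            # the restored (melt) key goes in ~andy/.ssh/authorized_keys, an assumed path
AuthenticationMethods publickey     # refuse any other method even if a later line re-enables it
```

After editing, `sshd -t` checks the file for syntax errors and `sshd -T | grep -i authentication` prints the effective values, which is the quick way to confirm that no drop-in under sshd_config.d has quietly turned passwords back on. The travel router needs the same treatment: its root account is the first hop, and a weak password there hands an attacker the forwarding position even though they still can't read the inner session.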


Tags

#ssh   #tailscale