
Leaving SSH (22) or RDP (3389) open to the public internet creates constant noise from scanners and brute-force attempts.
Tailscale gives you a private network between your devices and your server, so you can connect directly without keeping those ports public.
This guide walks through setup and lock-down steps for both Linux and Windows workflows.
Install Tailscale on the computer or phone you use to connect.
Do this first, so you can test connectivity as soon as the server joins your tailnet.
For Ubuntu or Debian:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --ssh
Check status and grab the private IP:
tailscale status
tailscale ip -4
You should see an address in the CGNAT range (100.x.x.x) and your node marked online.
tailscale ip -4
tailscale status
You now have a private Tailscale IP for RDP, in addition to any public IP.
ssh <user>@100.88.12.34
mstsc /v:100.88.12.34:3389
You can also use MagicDNS hostnames if enabled in your tailnet settings.
After private access works, tighten exposure.
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow app traffic you need publicly
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Allow all traffic from Tailscale interface
sudo ufw allow in on tailscale0
sudo ufw enable
sudo ufw status verbose
At this point, SSH can remain reachable through Tailscale without leaving port 22 open globally.
For the "Remote Desktop - User Mode (TCP-In)" rule in Windows Defender Firewall, restrict the allowed remote IP scope to your tailnet range (100.64.0.0/10) or to specific Tailscale device IPs, so RDP no longer answers to the public internet.
If multiple people share the same tailnet, use ACLs and tags so only authorized users and devices can reach critical nodes.
This prevents the "everyone on the tailnet can reach everything" sprawl that accumulates over time.
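As an added example (not from the original guide), the following Tailscale policy file restricts SSH and RDP on tagged servers to one admin group; the group, tag and user names are assumed and the policy is written in HuJSON (comments and trailing commas), which the Tailscale admin console accepts:

```json
{
  // Only admins may apply the "server" tag to nodes.
  "tagOwners": {
    "tag:server": ["autogroup:admin"],
  },
  // Assumed group; replace with your real tailnet users.
  "groups": {
    "group:admins": ["alice@example.com"],
  },
  // Allow-list: anything not matched here is denied by default.
  "acls": [
    // Admins may reach SSH and RDP on tagged servers.
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:server:22,3389"]},
    // Everyone may reach the public web ports over the tailnet.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:80,443"]},
  ],
  // Tailscale SSH: admins may log in as non-root users only.
  "ssh": [
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:server"], "users": ["autogroup:nonroot"]},
  ],
  // Policy tests run on save and reject the file if an assertion fails.
  "tests": [
    {"src": "alice@example.com", "accept": ["tag:server:22", "tag:server:3389"]},
    {"src": "bob@example.com", "accept": ["tag:server:443"], "deny": ["tag:server:22", "tag:server:3389"]},
  ],
}
```

The "tests" block is a cheap guard against accidentally widening access later: an edit that lets a non-admin reach port 22 fails to save.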
If the connection fails, run tailscale status on both devices and confirm both are online.
If you can connect via the provider console but not over Tailscale, the cause is usually firewall policy or an offline Tailscale daemon.
That setup usually gives you the biggest security improvement with minimal operational overhead.
If you also use Windows RDP, pair this with our RDP hardening checklist.