Tutorials · Feb 18, 2026 · 6 min read

Access Your VPS Privately with Tailscale (RDP + SSH)

Leaving SSH (22) or RDP (3389) open to the public internet creates constant noise from scanners and brute-force attempts.

Tailscale gives you a private network between your devices and your server, so you can connect directly without keeping those ports public.

This guide walks through setup and lock-down steps for both Linux and Windows workflows.

Before tightening firewall rules, keep your provider console/VNC open as a fallback so you do not lock yourself out.

What You Will Set Up

  • Tailscale on your VPS
  • Tailscale on your laptop/desktop/phone
  • Private access to SSH and RDP over the Tailscale network
  • Firewall rules that only allow management access from private network addresses

Prerequisites

  • A VPS with root or admin access
  • A Tailscale account
  • One device you normally connect from (Mac, Windows, Linux, iOS, or Android)

Step 1: Install Tailscale on Your Device

Install Tailscale on the computer or phone you use to connect.

  • Download from tailscale.com/download
  • Sign in with your account
  • Confirm your device appears as "connected" in the Tailscale admin panel

Do this first, so you can test connectivity as soon as the server joins your tailnet.

Step 2: Install Tailscale on a Linux VPS (SSH)

For Ubuntu or Debian:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --ssh

Check status and grab the private IP:

tailscale status
tailscale ip -4

You should see an address in the CGNAT range Tailscale assigns from (100.64.0.0/10, i.e. 100.64.x.x through 100.127.x.x) and your node marked online.

Step 3: Install Tailscale on a Windows VPS (RDP)

  1. Download and install Tailscale on the Windows server.
  2. Sign in with your account.
  3. Open PowerShell and verify:
     tailscale ip -4
     tailscale status

You now have a private Tailscale IP for RDP, in addition to any public IP.

Step 4: Connect Over the Private Address

SSH Example

ssh <user>@100.88.12.34

RDP Example (Windows client)

mstsc /v:100.88.12.34:3389

You can also use MagicDNS hostnames if enabled in your tailnet settings.

Step 5: Lock Down Public Management Ports

After private access works, tighten exposure.

Linux + UFW (example)

sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow app traffic you need publicly
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Allow all traffic from Tailscale interface
sudo ufw allow in on tailscale0

sudo ufw enable
sudo ufw status verbose

At this point, SSH can remain reachable through Tailscale without leaving port 22 open globally.
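A quick way to confirm the lock-down actually took effect is to audit the rule listing rather than trusting that the right commands were typed. The script below is an added example (not code from the original guide): it reads `ufw status verbose` output and prints every rule that still allows SSH (22) or RDP (3389) from "Anywhere", while leaving rules scoped to the tailscale0 interface or to an address range alone. It also includes a helper that checks whether an address really falls inside 100.64.0.0/10, because only 100.64.x.x through 100.127.x.x is Tailscale space; the rest of 100.x.x.x is ordinary public addressing. The sample listing is constructed for the demonstration, and the interface name tailscale0 is assumed to be the default.

```sh
#!/bin/sh
# Added example, not code from the original guide: audit the output of
# `ufw status verbose` for management ports (SSH 22, RDP 3389) that are still
# allowed from the public internet after the lock-down step.
# Assumptions: the listing uses ufw's To / Action / From column layout and
# the Tailscale interface is named tailscale0 (the default).

MGMT_PORTS="22 3389"

# Constructed sample of `sudo ufw status verbose` output (not captured from a
# real host): port 22 is still open to the world on IPv4 and IPv6, RDP is
# correctly scoped to the Tailscale range, and the tailscale0 rule is in place.
SAMPLE_UFW_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
Anywhere on tailscale0     ALLOW IN    Anywhere
3389/tcp                   ALLOW IN    100.64.0.0/10
80/tcp (v6)                ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# public_mgmt_rules: read a ufw listing on stdin and print each rule that
# ALLOWs a management port from "Anywhere" (i.e. from the public internet).
# Rules scoped to an address range or to the tailscale0 interface are not flagged.
public_mgmt_rules() {
    awk -v ports="$MGMT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^[0-9]/ {
            split($1, a, "/"); port = a[1]          # "22/tcp" -> "22"
            action = ""; from = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) {
                    action = $i; from = $(i + 1)
                    # verbose listings add a direction column (IN/OUT) before the source
                    if (from == "IN" || from == "OUT") from = $(i + 2)
                    break
                }
            }
            if ((port in want) && action == "ALLOW" && from == "Anywhere") print
        }'
}

# count_public_mgmt_rules: same check, but print only the number of offending rules.
count_public_mgmt_rules() {
    public_mgmt_rules | wc -l | tr -d ' '
}

# in_tailscale_range IP: succeed only if IP lies in 100.64.0.0/10, the CGNAT
# block Tailscale assigns from. 100.0.0.0-100.63.255.255 and
# 100.128.0.0-100.255.255.255 are ordinary public space, so "100.x.x.x"
# alone is not a safe firewall scope.
in_tailscale_range() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    [ "$1" -eq 100 ] 2>/dev/null || return 1
    if [ "$2" -ge 64 ] 2>/dev/null && [ "$2" -le 127 ] 2>/dev/null; then
        return 0
    fi
    return 1
}

# Stand-alone run against the constructed sample. On a real host use:
#   sudo ufw status verbose | public_mgmt_rules
echo "Management rules still open to Anywhere:"
printf '%s\n' "$SAMPLE_UFW_STATUS" | public_mgmt_rules
```

Against the sample listing the audit reports the two `22/tcp` rules (IPv4 and IPv6) and nothing else: the `3389/tcp` rule is scoped to 100.64.0.0/10 and the `tailscale0` rule is interface-bound, which is the state the UFW block above is meant to produce. A non-empty result after `ufw enable` means a management port is still globally reachable and the rule should be deleted or re-scoped.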

Windows Firewall Scope (RDP)

For "Remote Desktop - User Mode (TCP-In)", limit allowed remote IPs to your private network range (100.64.0.0/10) or specific Tailscale device IPs.

Optional: Restrict Who Can Reach Production Servers

If multiple people share the same tailnet (Tailscale organization), use ACLs and tags so only authorized users and devices can reach critical nodes.

This prevents "everyone on the tailnet can reach everything" sprawl over time.
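The tag-plus-ACL approach described above, as an added sample policy (not from the original guide and not a file Tailscale ships): the group name `group:admins`, the tag `tag:prod`, and the user `alice@example.com` are placeholders. Nodes you tag `tag:prod` become reachable on 22 and 3389 only from members of that group; since `tailscale up --ssh` uses Tailscale SSH, the separate `ssh` section controls who may log in and as which account, and `check` forces a fresh authentication before the session is allowed.

```json
{
  "groups": {
    "group:admins": ["alice@example.com"]
  },
  "tagOwners": {
    "tag:prod": ["group:admins"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["tag:prod:22", "tag:prod:3389"]
    }
  ],
  "ssh": [
    {
      "action": "check",
      "src": ["group:admins"],
      "dst": ["tag:prod"],
      "users": ["autogroup:nonroot", "root"]
    }
  ]
}
```

Because an `acls` section is default-deny, anyone on the tailnet who is not in `group:admins` gets no route to the tagged servers at all; add further `accept` rules only for the specific services other users need rather than reopening `*` to everything.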

Troubleshooting

If connection fails:

  • Run tailscale status on both devices and confirm both are online
  • Check server firewall rules after enabling them
  • Confirm the RDP or SSH service is running locally on the server
  • Try connecting by Tailscale IP first, then MagicDNS name

If you can connect via provider console but not Tailscale, the issue is usually firewall policy or an offline Tailscale daemon.

Final Checklist

  • Tailscale installed on server and client
  • Verified SSH/RDP over private IP
  • Public management ports restricted
  • Fallback access path confirmed (provider console/VNC)

That setup usually gives you the biggest security improvement with minimal operational overhead.

If you also use Windows RDP, pair this with our RDP hardening checklist.