Tutorial: Tailscale on AWS with Terraform


Tailscale for internal VPN

At MediaMachine.io we use Tailscale to share both our internal development environment and the network layer for our internal tooling. For example, we run Nomad and expose its UI only on our internal network. Tailscale makes it easy to isolate internal resources from our external-facing network. We also use Tailscale to quickly share locally running dev servers, which is especially useful for our remote team.

Use Terraform to manage your Tailscale nodes

Running bespoke, hand-crafted infrastructure is not the same as hand-made furniture from your local artisans. Infrastructure-as-code has a lot of benefits:

  • Quick disaster recovery
  • Easy on-boarding of new team members
  • Source control keeps track of changes

We wanted to share the Terraform configuration we use to set up a Tailscale node.

Let's start with the security group

resource "aws_security_group" "tailscale" {
  name        = "tailscale-sg"
  description = "Tailscale relay node (egress only)"
  vpc_id      = <choose your vpc id>

  # No ingress rule is needed: Tailscale only requires outbound connectivity
  # (direct peers via NAT traversal, or relayed through DERP servers).
  # Allow egress to the internet
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    # Good idea to tag your resources
    Name = "tailscale-relay"
  }
}

Now that the security group is set up, let's create the Tailscale node.

Tailscale EC2 instance

resource "aws_instance" "tailscale-relay" {
  ami           = <choose your ami>
  instance_type = "t3.nano"
  # Refer to the security group we just created
  vpc_security_group_ids = [aws_security_group.tailscale.id]
  subnet_id              = <choose your subnet>

  user_data = templatefile("tailscale-relay-init.sh.tpl", {
    subnets_to_advertise = [<list of subnet cidr blocks>]
    # <pre-configure an auth key>
    # https://tailscale.com/kb/1085/auth-keys/ or use a data block to fetch it from Consul (see details below)
    tailscale_auth_key = data.consul_keys.tailscale_relaynode_authkey.var.key
    vpc_ip_cidr        = <your vpc cidr>
    internal_domain    = <your internal domain like internal.example.com>
  })

  lifecycle {
    create_before_destroy = true
  }

  /*
  In case you need to manually ssh in for recovery, you will need to enable a key for ssh access.
  Normally we run the instance without any key since we don't need ssh access.
  Uncomment key_name to apply a key if needed:
  key_name = <your key>
  */

  tags = {
    Name = "tailscale-relay"
  }
}
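One thing to keep in mind with this setup: everything rendered into user_data, the Tailscale auth key included, is readable on the instance through the EC2 metadata service. As an added example that is not from the original post, here is the same instance resource with IMDSv2 required; var.ami, var.subnet_id, var.vpc_cidr, var.internal_domain and var.advertised_subnets are assumed input variables standing in for the placeholders above.

```hcl
# Added hardening example (not from the original post). The rendered user_data,
# auth key included, is served on the instance at
# http://169.254.169.254/latest/user-data. Requiring IMDSv2 session tokens and
# capping the hop limit at 1 keeps that endpoint out of reach of SSRF-style
# requests and of bridged containers, so only processes on the node itself can
# read it. var.ami, var.subnet_id, var.vpc_cidr, var.internal_domain and
# var.advertised_subnets are assumed input variables.
resource "aws_instance" "tailscale-relay" {
  ami                    = var.ami
  instance_type          = "t3.nano"
  vpc_security_group_ids = [aws_security_group.tailscale.id]
  subnet_id              = var.subnet_id

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # IMDSv2 only; token-less v1 GETs are refused
    http_put_response_hop_limit = 1          # token replies never travel past the host
  }

  user_data = templatefile("tailscale-relay-init.sh.tpl", {
    subnets_to_advertise = var.advertised_subnets
    # Prefer a single-use (non-reusable) pre-auth key: if the rendered script
    # ever leaks, the key is already spent once this node has joined. The
    # trade-off is that create_before_destroy then needs a fresh key per replacement.
    tailscale_auth_key = data.consul_keys.tailscale_relaynode_authkey.var.key
    vpc_ip_cidr        = var.vpc_cidr
    internal_domain    = var.internal_domain
  })

  lifecycle {
    create_before_destroy = true
  }

  tags = {
    Name = "tailscale-relay"
  }
}
```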

Tailscale startup script

We use this script on instance startup to install and configure Tailscale. Terraform lets us attach it via the user_data field, and the script leverages Terraform's templatefile function (https://www.terraform.io/docs/language/functions/templatefile.html). Terraform renders every ${...} before the shell ever sees the script, so any shell variable expansion inside the template has to be written as $${VAR}.

#!/bin/bash
# instructions: https://tailscale.com/kb/1021/install-aws?q=ec2
set -euo pipefail
##### For Ubuntu (focal) #####
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | sudo apt-key add -
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | sudo tee /etc/apt/sources.list.d/tailscale.list
apt-get update
# -y: user_data runs unattended, so apt must not prompt
apt-get install -y tailscale
systemctl enable --now tailscaled
# enable ip forwarding for advertising subnets
# https://tailscale.com/kb/1023/troubleshooting#why-do-i-get-an-error-about-ip-forwarding-when-using-advertise-routes
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
# https://tailscale.com/kb/1019/subnets
# resolvectl dns expects a server address, not a CIDR: the Amazon-provided VPC
# resolver sits at the VPC base address + 2, which cidrhost computes at render time.
sudo resolvectl dns tailscale0 ${cidrhost(vpc_ip_cidr, 2)}
sudo resolvectl domain tailscale0 ${internal_domain}
sudo resolvectl default-route tailscale0 no
# --advertise-routes takes a comma-separated string, so join the list here;
# the routes still have to be approved in the Tailscale admin console.
tailscale up --authkey=${tailscale_auth_key} --advertise-routes=${join(",", subnets_to_advertise)}

Bonus: if you want to store auth keys in Consul

You can fetch secrets from Consul at Terraform run time with the consul_keys data source. See https://registry.terraform.io/providers/hashicorp/consul/latest/docs/resources/keys

/*
Generate keys from https://login.tailscale.com/admin/authkeys
*/
data "consul_keys" "tailscale_relaynode_authkey" {
  datacenter = "us-east-2"

  key {
    name = "key"
    # Path on Consul
    path = "secrets/tailscale_relaynode_authkey"
  }
}

That's it! A simple Tailscale relay node set up via Terraform.
