
Tailscale Admin Guide

Joey Holliday edited this page Jan 3, 2021 · 3 revisions

VPN administrators should first read the Tailscale User Guide and follow the instructions for installing Tailscale on their machine.

Recommended Additional Reading

  • How Tailscale works
  • How NAT traversal works: Tailscale is smart enough that it will always work, but scenarios where traffic must be relayed or hairpinned significantly increase latency and decrease bandwidth. Understanding NAT traversal can help avoid such situations. This has significant implications for virtual machines, which are placed behind a NAT by default, creating a CGNAT-like scenario for VM-to-VM communication.
  • Tailscale Documentation

Admin Responsibilities

Administrators manage the VPN through the Admin Console. They should log in using the team Gmail account.

Issuing Pre-auth Keys

The VPN administrator's primary job is to issue Pre-auth Keys. These keys act as one-time passwords that allow users to join the network without needing to sign in. An admin should always create a new, unique "One-off" key for each user joining the network. This practice removes the need to share the team's Gmail login credentials and prevents unauthorized users from joining the network.

  1. Go to the Admin Console: Keys
  2. Click Generate One-off Key
  3. Send the unique key to one user

Managing Devices Connected to the Network

An administrator should make sure that they can identify every device connected to the network. The Admin Console lists all of the machines and information about them. If a machine has an unrecognized name, the administrator should consider removing it from the network. If a machine has a generic name, such as linux, ubuntu, or vagrant, the administrator should encourage the owner to change the hostname to a more meaningful one.
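
The device review described above can be scripted against a copy of the machine list. This is an added example, not part of the original guide or of Tailscale's tooling; the device record format, the roster of expected hostnames, and the handling of a numeric "-N" suffix are assumptions, and the sample data is constructed.

```python
import re

# Generic names listed in the guide; the optional "-N" suffix is an assumption
# covering numbered duplicates such as "ubuntu-2".
GENERIC = re.compile(r"^(linux|ubuntu|vagrant)(-\d+)?$", re.IGNORECASE)


def audit_devices(devices, roster):
    """Sort devices into the follow-up actions from the guide.

    devices: list of {"hostname": str, "owner": str} dicts (constructed format).
    roster:  hostnames the administrator expects to see (hypothetical list).
    """
    known = {name.strip().lower() for name in roster}
    report = {"rename": [], "review_for_removal": [], "ok": []}
    for dev in devices:
        host = (dev.get("hostname") or "").strip().lower()
        if GENERIC.match(host):
            # Generic name: ask the owner to pick a meaningful hostname.
            report["rename"].append(dev)
        elif not host or host not in known:
            # Unrecognized or missing name: candidate for removal.
            report["review_for_removal"].append(dev)
        else:
            report["ok"].append(dev)
    return report


# Constructed sample inventory and roster, not real data.
SAMPLE_DEVICES = [
    {"hostname": "alice-laptop", "owner": "alice"},
    {"hostname": "Ubuntu", "owner": "bob"},
    {"hostname": "vagrant-2", "owner": "carol"},
    {"hostname": "DESKTOP-7F3K2", "owner": ""},
    {"hostname": "build-server", "owner": "dave"},
]
SAMPLE_ROSTER = ["alice-laptop", "build-server"]

if __name__ == "__main__":
    for action, devs in audit_devices(SAMPLE_DEVICES, SAMPLE_ROSTER).items():
        print(action, [d["hostname"] for d in devs])
```
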
