Easily set up Tailscale on Google Cloud with custom Cloudflare hostnames and SSL certificates
I recently wrote about setting up AdGuard on Google Cloud with Tailscale. I've discovered it to be quite useful to be able to access private VMs on GCP, as long as I am connected to my Tailscale network.
Considering the complexity and multiple steps involved in installing Tailscale on a virtual machine and subsequently establishing a secure DNS hostname through Cloudflare, I opted to develop a script that significantly streamlines this procedure. For those interested, the script is straightforward to use.
- SSH into the VM you want to install Tailscale on and clone this GitHub repository:
  git clone https://github.com/danielraffel/GCPTailWall.git
- Change into the cloned directory:
  cd GCPTailWall
- Execute the setup script with sudo privileges:
  sudo bash setup.sh
GCPTailWall consists of two parts.
What setup.sh does
The setup script prompts you to enter the following data, which is stored in a file called variables.txt:
- The custom hostnames you want to access your services from and their corresponding TCP ports (e.g. 3000, 4000, etc.). You can create one or multiple hostnames: example.com, this.example.com, that.example.com, etc.
- Your Google Cloud VPC name (the default is common, so it is used if left blank).
- Your SSH key username.
- Tailscale API access token. How to get one from the Tailscale admin site.
- Cloudflare API access token. How to create a Cloudflare API access token.
- Cloudflare Zone ID. How to obtain your Zone ID.
- The email address used to sign in to Cloudflare.
After setup.sh finishes, it automatically executes setup_GCPTailWall.sh with the configuration you provided.
What setup_GCPTailWall.sh does
- Installs and configures your VM with Tailscale for secure, private networking. You'll be prompted to copy a link to your browser to approve this.
- Locks down the VM with UFW (Uncomplicated Firewall), making it accessible only via the Tailscale network. Port 22 is left open for SSH access.
- Opens the necessary firewall rules on GCP so that Tailscale, and the ports you specified for your services, can be reached through your hostnames.
- Configures Caddy to proxy requests to your services based on the hostnames and ports you specify. Your configs are written to /etc/caddy/Caddyfile.
- Sets up DNS entries on Cloudflare for your services, using the hostnames you provide and pointing them at your Tailscale IP. You'll be prompted to copy a link to your browser to approve this.
- Creates and renews SSL certs using the Cloudflare module for Caddy.
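As an added example (not the GCPTailWall project's own code), here is one way to generate the per-hostname Caddy site blocks described above: each hostname is reverse-proxied to its local port, and the certificate is obtained with the Cloudflare DNS challenge, which is what lets issuance work even though UFW leaves the VM reachable only over Tailscale and never exposes ports 80 or 443 to the internet. It assumes Caddy was built with the caddy-dns/cloudflare module and that the Cloudflare token is provided in the CLOUDFLARE_API_TOKEN environment variable (an assumed name); the hostnames and ports are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not the project's script. Builds Caddyfile site blocks for
# host:port pairs. Assumes caddy-dns/cloudflare is compiled into Caddy and the
# token is exported as CLOUDFLARE_API_TOKEN (assumed variable name).

# caddy_site_block HOST PORT -> prints one Caddyfile site block on stdout.
# Rejects malformed input so a typo in variables.txt cannot produce a
# Caddyfile that silently proxies to the wrong place.
caddy_site_block() {
    local host="$1" port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $host" >&2; return 1 ;;
    esac
    # DNS-01 via Cloudflare: no inbound HTTP/HTTPS needed for issuance.
    cat <<EOF
$host {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    reverse_proxy 127.0.0.1:$port
}

EOF
}

# caddyfile_from_pairs "host:port" ... -> prints a complete Caddyfile,
# failing (non-zero) on the first invalid pair.
caddyfile_from_pairs() {
    local pair
    for pair in "$@"; do
        caddy_site_block "${pair%%:*}" "${pair##*:}" || return 1
    done
}

# Constructed sample usage (hostnames and ports are not real services):
# caddyfile_from_pairs example.com:3000 this.example.com:4000 > /etc/caddy/Caddyfile
```

Because the proxy target is 127.0.0.1, the services themselves never need to listen on the Tailscale or public interface; only Caddy does.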
The GitHub repository offers further project details. Suggestions for enhancements are encouraged. While it's presently tailored for Ubuntu on ARM64, adapting it for different operating systems and architectures is straightforward.
Reminder: Google Cloud offers each account an always-free-tier VM.