I am often away from my home network and my main gaming machine is asleep. I worked around this by installing tailscale + tailscale ssh on my router (yes, you can do this!) and using it to send a wake-on-lan packet to my gaming machine.
Some useful fzf code for anyone who wants to get a listing of tailssh machines.
# Pick a tagged Tailscale peer with fzf, then ssh to it over Tailscale SSH.
# .Peer is an object keyed by node key, and untagged nodes have no .Tags
# field, so iterate with []? and match the tag exactly (contains() would
# also match e.g. "tag:devops").
host=$(tailscale status --json | jq -r '
  .Peer[]? |
  select(any(.Tags[]?; . == "tag:dev")) |
  .DNSName' |
sed 's/\.$//' |
fzf --ansi --border-label="| Tailscale SSH Hosts |" --height=30% --border=rounded \
    --margin=2,2,2,2 --prompt "Connect to: " --preview-window=top:40% \
    --preview 'tailscale ping -c 1 {}' \
    --bind "j:down,k:up,ctrl-j:preview-down,ctrl-k:preview-up,ctrl-f:preview-page-down,ctrl-b:preview-page-up")
# fzf prints nothing if you cancel, so only connect when a host was chosen.
[ -n "$host" ] && ssh "$host"
> Your SSH config (/etc/ssh/sshd_config) and keys (~/.ssh/authorized_keys) files will not be modified, which means that other SSH connections to the same host, not made over Tailscale, will still work.
Am I misunderstanding what's meant by "taking over" port 22, and it can also still be used by sshd for connections outside of Tailscale, or is the claim that other ssh connections will still work predicated on using a non-default port? If the latter, I'm surprised they don't pick another port instead to use for ssh coming from within Tailscale's network since it seems like they should be able to control the port the client-side connects to as well, and then it wouldn't interfere with existing ssh. It would be strange to tout not interfering with existing ssh access if they left probably the biggest way to avoid interference untouched.
As patrakov said above, we don't bind at all with the OS kernel. The packets come in, are WireGuard decrypted (in userspace) and then TCP/IP is also done in userspace (gvisor) before Tailscale SSH takes over, handling the connection (~net.Conn) from gvisor.
Generally speaking, if someone quotes something and asks a clarification, it's because they don't find the wording clear. Repeating it, even with italics, doesn't make the wording any more clear to someone who already doesn't think it's clear.
It literally tells you in the same section what they mean by that sentence and implications for normal SSH. It doesn't imply anything past what reading a few more sentences would say.
> it sounds like it fully takes it over, and "for" sounds like it's just saying why it takes it over, not that it only partially takes control of it
No it doesn't.
> Your SSH config (/etc/ssh/sshd_config) and keys (~/.ssh/authorized_keys) files will not be modified, which means that other SSH connections to the same host, not made over Tailscale, will still work.
> Tailscale takes over port 22 for SSH connections incoming from the Tailscale network. Tailscale will authenticate and encrypt the connection over WireGuard, using Tailscale node keys. The SSH client and server will still create an encrypted SSH connection, but it will not be further authenticated.
What is hard to understand about this?
> Your SSH config (/etc/ssh/sshd_config) and keys (~/.ssh/authorized_keys) files will not be modified, which means that other SSH connections to the same host, not made over Tailscale, will still work.
I literally quoted the section about the ssh config files in my original question, so obviously I read further than that one sentence you requoted first.
> No it doesn't.
To you, it doesn't. To me, it does. If you don't think different people can interpret the same words slightly differently in a way that changes the meaning, I'm not sure why you'd bother trying to explain to me what it means.
> What is hard to understand about this?
The exact parts that I asked about and got helpful explanations about from other people in this thread. I read the two parts you quoted (after I had already quoted them before your original response), and I thought that the first part was vague in a way that the second part conflicted with, so I asked a question for clarification.
There are other implementations, such as AWS's Session Manager and Teleport, that implement SSH and allow authentication using IAM and Teleport.
The added features, like SSH session recordings, are great to have.