diff --git a/src/guides/node/securing-your-node.md b/src/guides/node/securing-your-node.md index c271c27e..f899de3c 100644 --- a/src/guides/node/securing-your-node.md +++ b/src/guides/node/securing-your-node.md @@ -650,5 +650,96 @@ Finally, restart the service: sudo systemctl restart fail2ban ``` + +## (Optional) Install Tailscale + +::: Warning NOTE + Consider this section only if you intend to connect to you **node machine** remotely. +::: + +Tailscale is an open source p2p VPN tunnel and hosted endpoint discovery service ([how it works](https://tailscale.com/blog/how-tailscale-works/)). This facilitates all the NAT traversal required to establish an end-to-end encrypted path between your machine and your node without sending any sensitive traffic to a centralized server. + +In short, you will be able to SSH securely into your node **and** monitor your Graphana dashboard from anywhere in the world and without exposing your SSH port to the internet. + +First, create a free account on [Tailscale](https://tailscale.com/). For extra protection you may consider using a Google Account with [Advanced Protection](https://landing.google.com/advancedprotection/) enabled. + +Follow their onboarding to install Tailscale on your **client**. You should see your computer as 'connected' on the [Tailscale dashboard](https://login.tailscale.com/admin/machines). + +Now it's the time to install Taiscale on your node ([source](https://tailscale.com/kb/1039/install-ubuntu-2004/), [source](https://tailscale.com/kb/1077/secure-server-ubuntu-18-04/)). **Run these on the node machine.** + +Add Tailscale’s package signing key and repository: + +```shell +curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | sudo apt-key add - +curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | sudo tee /etc/apt/sources.list.d/tailscale.list +``` +Install Tailscale: + +```shell +sudo apt-get update +sudo apt-get install tailscale +``` +Authenticate and connect your machine to your Tailscale network: + +```shell +sudo tailscale up +``` + +You’re connected! You can find your Tailscale IPv4 address by running: + +```shell +tailscale ip -4 +``` +You should now see your node machine added to the on the [Tailscale dashboard](https://login.tailscale.com/admin/machines). +You may also change the name of the **node machine** through the dashboard, e.g. to `rocketnode`. + +It is suggested to [disable key expiry](https://tailscale.com/kb/1028/key-expiry) to prevent the need to periodically re-authenticate. + +You should now be able to `exit` the session and ssh again into the **node machine** through Tailscale using `ssh your.user@rocketnode`. + +::: Warning NOTE +In case you modified the ssh port of the **node machine** by editing `/etc/ssh/sshd_config` you should either make it `22` again or use `ssh your.user@rocketnode -p your.port` +::: + +You can now also visit `rocketnode:3001`in your web browser to access your Grafana dashboard from your **client**. + +In case the connection is working, you can now set a rule to accept any incoming ssh connections over Tailscale. **Run these on the node machine.** + +```shell +sudo ufw allow in on tailscale0 comment 'Allow Tailscale' +sudo ufw allow 41641/udp comment '(Optional) Extra Tailscale port in case of difficult networks' +``` +Remove the ssh port added before from the firewall: + +```shell +sudo ufw delete "22/tcp" comment 'Allow SSH' +``` +Once you’ve set up firewall rules to restrict all non-Tailscale connections, restart ufw and ssh: + +```shell +sudo ufw reload +sudo service ssh restart +``` +Let's make sure that everything is working as expected. +First, let’s `exit` the existing ssh session (remember to keep one backup ssh session). + +Then, let’s try to connect to the **node machine** with its public address. You should see that we’re not able to connect, and the operation times out: + +```shell +ssh your.user@server.public.ip + +ssh: connect to host port 22: Operation timed out +``` +Now, let’s try to ssh in using the Tailscale IP address: + +```shell +ssh your.user@rocketnode +``` + +If it works, you did everything right! + +Feel free to remove the port forwarding in the router for the ssh connection as well. + + And with that, you've just greatly improved the security posture of your node. Congratulations!