Title: Local Zone VPN-as-a-Service (VPNaaS) with Tailscale integration (EN)
Excerpt: Learn how to integrate Tailscale into your OVHcloud Local Zone instances, providing a VPN-as-a-Service (VPNaaS) solution
Updated: 2024-09-24

Objective

Suppose you have Public Cloud instances in different OVHcloud Local Zones, such as Prague and Madrid, and you need to securely connect them. Instead of setting up a complex VPN infrastructure, you can use Tailscale, which leverages WireGuard, to easily create an encrypted mesh network between your instances. This is particularly useful for developers, distributed systems, or secure cross-region communications.

This feature allows you to:

  • Set up a VPN mesh network for secure connections between Public Cloud instances in different OVHcloud Local Zones.
  • Easily connect and manage your instances via Tailscale.
  • Enable ephemeral nodes so that temporary instances are automatically removed from the Tailscale network when they are deleted.
  • Use Tailscale’s Access Control Lists (ACLs) to manage network permissions.

This tutorial will guide you through the steps to integrate Tailscale into your OVHcloud Local Zone Public Cloud instances, providing a VPN-as-a-Service (VPNaaS) solution. Tailscale allows you to create a secure, peer-to-peer mesh network between your servers in different geographical locations.

Requirements

Instructions

Step 1 - Create two instances in OVHcloud Local Zones

Create two instances in different OVHcloud Local Zones, such as Prague and Madrid.

Ensure that public networking is enabled for both instances.

Step 2 - Log into Tailscale

1. Log into your Tailscale account at Tailscale.
2. Go to the Devices tab and click Add Device.
3. Select Linux server as the device type.

[Screenshot: Tailscale - Add device]

4. Enable ephemeral nodes to ensure that nodes are automatically removed from the network when their corresponding server is deleted.

[Screenshot: Tailscale - ephemeral nodes]

5. Copy the provided install script for later use.

Step 3 - Install Tailscale on the Prague instance

SSH into the Prague instance:

ssh root@$PRAGUE_IP -i ~/.ssh/tailscale-test

1. Install Tailscale on the instance by running the following command:

curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --auth-key="$TAILSCALE_KEY"

2. Log in to the Tailscale admin panel to approve the new node by visiting https://login.tailscale.com/admin.

3. Approve the node using the menu on the right (with the ... button).

[Screenshot: Tailscale - node approval]

4. Once approved, you will see a success message in the terminal:

Installation complete! Log in to start using Tailscale by running:
tailscale up

Step 4 - Install Tailscale on the Madrid instance

1. SSH into the Madrid instance:

ssh root@$MADRID_IP -i ~/.ssh/tailscale-test

2. Repeat the Tailscale installation process on the Madrid instance:

curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --auth-key="$TAILSCALE_KEY"

3. Approve the node in the admin panel:

As with the Prague instance, a prompt will appear asking you to approve the Madrid node. The installation will remain pending until approval. Visit https://login.tailscale.com/admin and approve the new node.

4. After approval, the installation will finish, and you will see the following success message in the terminal:

Installation complete! Log in to start using Tailscale by running:
tailscale up

Step 5 - Verify the Tailscale network

To check the status of the Tailscale network, log in to one of your instances (e.g., the Prague instance) and run the following command:

tailscale status

The output should look like this, showing the connection between the two nodes:

100.X.X.X   tailscale-node-prague john.doe@ linux   -
100.X.X.X   tailscale-node-madrid john.doe@ linux   -

Step 6 - Test the Connection Between Nodes

Now, test the connection between the two nodes using Tailscale’s ping command.

On the Prague instance, run:

tailscale ping tailscale-node-madrid

On the Madrid instance, run:

tailscale ping tailscale-node-prague

You should see a pong response indicating successful communication between the two instances, similar to this:

pong from tailscale-node-madrid (100.X.X.X) via [X:X:X:X:X:X:X]:41641 in 34ms
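
Steps 3 to 6 as a single join-and-verify script, added here as an example and not part of the original guide: it passes the auth key through the `file:` form of `--auth-key`, so the key stays out of the process list and shell history, then checks `tailscale status` for the expected peers. The key file path, the function names, the `offline` status keyword and the sample status text are assumptions.

```sh
#!/bin/sh
# Added example, not from the original guide. The key file path, function
# names and sample status text are assumptions for illustration.
KEY_FILE="${KEY_FILE:-/etc/tailscale/authkey}"   # hypothetical location

# True only if the key file is non-empty and has no group/other permission bits.
key_file_ok() {
    [ -s "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reads `tailscale status` text on stdin; prints each expected hostname
# (the arguments) that is absent or whose status column starts with "offline".
missing_peers() {
    awk -v want="$*" '
        BEGIN { n = split(want, hosts, " ") }
        NF >= 4 {
            state = "ok"
            for (f = 5; f <= NF; f++) if ($f ~ /^offline/) state = "offline"
            seen[$2] = state
        }
        END { for (i = 1; i <= n; i++) if (seen[hosts[i]] != "ok") print hosts[i] }
    '
}

# Join with the key read from the file, then confirm the expected peers.
join_and_verify() {
    key_file_ok "$KEY_FILE" || { echo "refusing: $KEY_FILE is missing or readable by others" >&2; return 1; }
    tailscale up --auth-key="file:$KEY_FILE" || return 1
    rm -f -- "$KEY_FILE"    # the node holds its own key once it has joined
    missing=$(tailscale status | missing_peers "$@")
    [ -z "$missing" ] || { echo "peers missing or offline: $missing" >&2; return 1; }
}

# Constructed sample in the format shown in Step 5 (addresses are made up).
SAMPLE_STATUS='100.64.0.1   tailscale-node-prague john.doe@ linux   -
100.64.0.2   tailscale-node-madrid john.doe@ linux   offline'

# On the Prague instance: join_and_verify tailscale-node-madrid
```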

Step 7 - Manage Key Expiry

Tailscale nodes are assigned keys, and these keys can expire. If your nodes are expected to remain in the network for a longer period, you may want to disable key expiry. You can do this in the Tailscale admin panel, depending on your security and access requirements.

[Screenshot: Tailscale - Manage key expiry]

Step 8 - Access Control

Tailscale creates a mesh network, meaning all nodes can communicate with each other by default. If you need more granular control, use Tailscale's Access Control Lists (ACLs) to specify which devices can communicate with others.

You can read more about ACLs here: Tailscale ACL Documentation.

Go further

Please send us your questions, feedback and suggestions to improve the service:

If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts for assistance with your specific use case.

Join our community of users.