Configuring Tailscale for your Microsoft Azure Virtual Machine

What is secure tunneling?

Secure tunneling refers to the process of creating a protected pathway for data to travel over the internet, ensuring that the information remains confidential and protected from unauthorized access and tampering. Tailscale is one implementation of this idea: it builds on the WireGuard protocol, gives every device its own key pair, and creates encrypted point-to-point tunnels between devices to form a mesh VPN. Key exchange and device identity are handled by Tailscale's coordination service, so you do not hand-configure peers, firewall holes, or port forwards.

Why Tailscale First?

Tailscale replaces SSH that is exposed on a public IP address: once the VM is on your tailnet you reach SSH and the other services we will be installing (Wazuh, Snipe-IT) over the VM's private 100.x.x.x Tailscale address, so the public IP can be removed after setup. Access is tied to identity rather than to network location: only devices signed in to your tailnet and permitted by your ACLs can reach the VM, and all traffic is end-to-end encrypted with WireGuard. Removing the public IP address on Azure also saves roughly $3–$5/month, while the free Tailscale plan costs nothing. Keep an out-of-band path to the VM (the Azure Serial Console or Bastion) in case Tailscale is ever misconfigured, otherwise you can lock yourself out.

Install Tailscale

On your Azure VM:

# Download the installer, review it, then run it (the script elevates with sudo where needed).
# Piping curl straight into sh works too, but you then execute code you have never looked at.
curl -fsSL https://tailscale.com/install.sh -o tailscale-install.sh
less tailscale-install.sh
sh tailscale-install.sh

# Verify installation
tailscale version

Expected output (the first line is the version; the following lines show the build commit and Go version):

1.xx.x

Authenticate Tailscale

Start Tailscale and generate authentication URL:

sudo tailscale up

You'll see output like (the path after /a/ is a one-time login token; the one shown is a placeholder):

To authenticate, visit:

  https://login.tailscale.com/a/abc123def456

Complete authentication:

  1. Copy the URL from the terminal
  2. Open it in your web browser (on your laptop/desktop)
  3. Sign in or create a Tailscale account:
    • Use Google, Microsoft, GitHub, or email
    • Free tier includes up to 100 devices and 3 users
  4. Approve the device: Click "Connect" when prompted
  5. Name the device (optional): the machine name defaults to the VM's hostname (homelab-vm in the output below). To use a different name such as "azure-security-stack", pass --hostname=azure-security-stack to tailscale up, or rename it later in the admin console under Machines

Back in your SSH session, verify connection:

# Check Tailscale status
tailscale status

# Get your Tailscale IP address
tailscale ip -4

Expected output (tailscale status lists this machine first; tailscale ip -4 prints only the address):

100.x.x.x  homelab-vm  user@  linux  -

Save this IP: you'll use it to access all your services. It stays fixed for the life of the node, and with MagicDNS (on by default) you can also reach the VM by its machine name, homelab-vm.

Install Tailscale on Your Local Machine

On your laptop/desktop:

  1. Download Tailscale: https://tailscale.com/download
    • Windows: Download and run installer
    • Mac: Download and install DMG
    • Linux: Follow instructions for your distribution
  2. Sign in with the same account you used for the VM
  3. Verify you can see your Azure VM in the network:

    # On your local machine
    tailscale status

    You should see both machines listed, your laptop first and the Azure VM after it (the OS column reflects your laptop's platform):

    100.x.x.x  laptop       user@  linux  -
    100.x.x.x  homelab-vm   user@  linux  -

Test Tailscale Connection

From your local machine, SSH using the Tailscale IP:

# Replace 100.x.x.x with your actual Tailscale IP; azureuser is the admin username you chose when creating the VM
ssh azureuser@100.x.x.x

If this works, Tailscale is configured correctly. Once you have confirmed it, the Azure NSG rule that allows port 22 from the Internet is no longer needed: remove it (and later the public IP address) so SSH is reachable only through the tailnet.

Enable Subnet Routing (Optional but Recommended)

This lets your laptop reach the whole Azure VNet (other VMs, private endpoints) through homelab-vm acting as a subnet router. Two things must be true: IP forwarding is enabled in the VM's kernel, and the route is both advertised by the VM and approved in the admin console. Linux clients additionally need --accept-routes to use the route; Windows and macOS clients accept approved routes by default.

On the Azure VM:

# Enable IP forwarding. A drop-in file under /etc/sysctl.d survives upgrades and
# avoids appending duplicate lines to /etc/sysctl.conf each time you re-run this.
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

# Advertise your Azure VNet address space. 10.0.0.0/16 is the portal default;
# confirm yours under Virtual network > Address space before advertising it.
# Note: every later 'tailscale up' must repeat all non-default flags, or use
# 'tailscale set' to change one setting at a time.
sudo tailscale up --advertise-routes=10.0.0.0/16 --accept-routes

In Tailscale Admin Console:

  1. Go to: https://login.tailscale.com/admin/machines
  2. Find your homelab-vm machine
  3. Click the three dots (⋮) → Edit route settings...
  4. Enable the route for 10.0.0.0/16
  5. Click Save

Test from your local machine:

# Try to ping the Azure VM's private IP
ping 10.0.1.4  # Your VM's private IP (check in Azure Portal)

Security Hardening

Disable key expiry (optional, for learning environment):

There is no tailscale up flag for this; it is set per machine in the admin console:

  1. Go to: https://login.tailscale.com/admin/machines
  2. Find your homelab-vm machine
  3. Click the three dots (⋮) → Disable key expiry

Without this the node key expires (180 days by default) and SSH over Tailscale stops working until you re-authenticate from the VM's console, which is another reason to keep an out-of-band path to it. For a server that should never expire, tag it instead: tagged devices have no key expiry and belong to the tailnet rather than to your user account.

# On the Azure VM (requires a matching tagOwners entry in your ACL policy)
sudo tailscale up --advertise-tags=tag:server --advertise-routes=10.0.0.0/16 --accept-routes

Set up ACLs in Tailscale admin (recommended):

  1. Go to: https://login.tailscale.com/admin/acls
  2. Add access control rules (example, in Tailscale's HuJSON policy format):
    {
      "acls": [
        {
          "action": "accept",
          "src": ["autogroup:member"],
          "dst": ["*:22", "*:443", "*:8080", "*:55000"]
        }
      ]
    }

Tailscale's policy is default-deny: once the file contains any rule, everything not listed is blocked. This rule allows every signed-in member's device to reach SSH (22), HTTPS (443), Snipe-IT (8080), and Wazuh (55000) on every machine in the tailnet, laptops included, and the * destination also covers the 10.0.0.0/16 subnet route. That is fine for a one-person lab, but broader than the services need.
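A tighter policy, written here as an added example rather than code from the original page or from Tailscale, assumes the VM has been tagged tag:server (sudo tailscale up --advertise-tags=tag:server ...) and that 22, 443, 8080 and 55000 are the only ports you expose. It restricts the service ports to the server, grants the VNet route separately, approves the route automatically for tagged servers, and gates Tailscale SSH (enabled with --ssh) through the ssh section:

```json
{
  // Who may apply tag:server to a machine. Tagged machines have no key expiry.
  "tagOwners": {
    "tag:server": ["autogroup:admin"]
  },

  // Approve the VNet route automatically, but only when advertised by a tagged server,
  // so a compromised laptop cannot advertise itself as the gateway.
  "autoApprovers": {
    "routes": {
      "10.0.0.0/16": ["tag:server"]
    }
  },

  "acls": [
    // Members' devices may reach only the service ports on the server,
    // not 22/443/8080/55000 on every laptop in the tailnet.
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["tag:server:22,443,8080,55000"]
    },
    // Members may reach the Azure VNet through the subnet router.
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["10.0.0.0/16:*"]
    }
  ],

  // Tailscale SSH: non-root logins are allowed; "check" forces identity
  // re-verification in the browser before each session, including for root.
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["tag:server"],
      "users": ["autogroup:nonroot", "root"]
    }
  ]
}
```

Apply it in the policy editor at https://login.tailscale.com/admin/acls; the editor validates the file before saving. After tagging, the machine's owner column in tailscale status changes from user@ to tagged-devices, and laptop-to-laptop traffic is denied because no rule allows it.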

Troubleshoot DNS issues & subnet routing:

If name resolution breaks after Tailscale starts managing DNS (MagicDNS replacing the VM's Azure resolver), or the subnet route is not used, adjust the settings without losing the ones already applied. tailscale up rejects a shorter command line, because every non-default flag must be repeated, so either pass them all or change one setting at a time with tailscale set:

sudo tailscale up --advertise-routes=10.0.0.0/16 --accept-routes --accept-dns=false --ssh
# same change for a single setting without repeating the rest: sudo tailscale set --accept-dns=false

--accept-dns=false keeps the system resolver, --accept-routes is what a Linux laptop needs to use the advertised route, and --ssh enables Tailscale SSH, which is then governed by the ssh section of your ACL policy.

What's Next

In the next guide we will set up Snipe-IT for ITAM (IT Asset Management).