Switching from OpenVPN to Tailscale
Is there any documentation out yet for switching from OpenVPN to Tailscale?

---

[Tracked in ticket #108723](https://support.gruntwork.io/hc/requests/108723)

There is no documentation for switching to Tailscale, as you can use both in parallel. To use Tailscale, you need to deploy the [tailscale-subnet-router](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/master/modules/mgmt/tailscale-subnet-router) module. The steps to deploy it are:

- Sign up for a Tailscale account if you haven't already.
- Create a [tailscale ACL tag](https://tailscale.com/kb/1068/acl-tags/) for each environment (`dev`, `stage`, `prod`). Note that you will need to update the Tailscale ACL to assign owners for each tag.
- Add an `autoApprovers` rule in the Tailscale ACL to auto approve subnet routers for each tag. Example:

  ```
  // Allow servers to automatically expose default VPC routes
  "autoApprovers": {
    "routes": {
      "10.2.0.0/18": ["tag:dev"],
      "10.4.0.0/18": ["tag:stage"],
      "10.0.0.0/18": ["tag:prod"]
    },
  },
  ```

- Add an ACL rule to allow your users to access the tags. See https://tailscale.com/kb/1018/acls/ for more info.
- Follow [this docs entry](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/master/modules/mgmt/tailscale-subnet-router#how-do-i-authenticate-the-server-to-tailscale) to create a Tailscale auth key for each environment.
- Upload the auth key to Secrets Manager in each environment. Record the ARN, as this will need to be provided as the input variable `auth_key_secrets_manager_arn`.
- Create a new `build_tailscale_subnet_router.sh` script in `shared/REGION/_regional/amis` that follows the same patterns as the other scripts to build the AMI using packer with [the tailscale-subnet-router-ubuntu.pkr.hcl template](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/modules/mgmt/tailscale-subnet-router/tailscale-subnet-router-ubuntu.pkr.hcl).
- Run the script while authenticating to the `shared` account to build the AMI.
- Once you have the AMI, create a new `terragrunt.hcl` config for deploying the `tailscale-subnet-router` module. You can use https://github.com/gruntwork-io/knowledge-base/discussions/360#discussioncomment-2570548 as a template.
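
A pre-flight check for the ACL steps in the answer above, added here as an example and not part of the original answer or Gruntwork's code: it parses a Tailscale policy file and reports `autoApprovers` tags that have no `tagOwners` entry, and overlapping routes approved for different tags (one environment's router would be auto-approved for addresses in another's range). The sample policy, its `group:platform` owner and the `/8` route are constructed for illustration.

```python
import ipaddress
import json
import re

# Constructed sample policy in Tailscale's HuJSON format (comments and trailing
# commas allowed). tag:prod has no owner; the /8 route is deliberately too wide.
SAMPLE_POLICY = r'''
{
  "tagOwners": {
    "tag:dev":   ["group:platform"],
    "tag:stage": ["group:platform"],
  },
  "autoApprovers": {
    "routes": {
      "10.2.0.0/18": ["tag:dev"],
      "10.4.0.0/18": ["tag:stage"],
      "10.0.0.0/18": ["tag:prod"],
      "10.0.0.0/8":  ["tag:dev"],   // covers the stage and prod ranges
    },
  },
}
'''
_STRING = r'("(?:\\.|[^"\\])*")'  # a JSON string literal, kept untouched

def _keep_string(match):
    return match.group(1) or ""

def parse_hujson(text):
    """Strip comments and trailing commas outside string literals, then parse."""
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/", _keep_string, text, flags=re.S)
    text = re.sub(_STRING + r"|,(?=\s*[}\]])", _keep_string, text)
    return json.loads(text)

def lint_auto_approvers(policy):
    """Return sorted findings for the autoApprovers.routes section."""
    owners = policy.get("tagOwners", {})
    approved = policy.get("autoApprovers", {}).get("routes", {})
    routes = [(ipaddress.ip_network(c), set(t)) for c, t in approved.items()]
    findings = set()
    for net, tags in routes:
        for tag in tags:
            if tag.startswith("tag:") and tag not in owners:
                findings.add(f"{tag} approves {net} but has no tagOwners entry")
    for i, (a, a_tags) in enumerate(routes):
        for b, b_tags in routes[i + 1:]:
            if a.version == b.version and a.overlaps(b) and a_tags != b_tags:
                findings.add(f"{a} {sorted(a_tags)} overlaps {b} {sorted(b_tags)}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_auto_approvers(parse_hujson(SAMPLE_POLICY))))
```
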