Securely Connect to Your Digitalocean Database With a Droplet and Tailscale Subnet
Updated July 8, 2024 - Fixed the nameserver instructions, which had stopped working.
I’m today years old when I learned about Tailscale and I hope you find yourself in the same position as well†. In the life of every SaaS product there comes a time when you have to release your infrastructure into the real world. It goes without saying that security is paramount here. Depending on the knowledge and size of the team, it’s possible that some things like security might get put off. Security by obscurity is the name of the game 🤫
Everyone knows they should be using a VPN to connect to the database, but VPNs are notoriously complicated and annoying to set up for everyone involved. It’s so much easier to connect directly to the database and let the infrastructure person fix the problem whenever they are hired, someday. This is where Tailscale shines. While I could write a lot about Tailscale, this article is going to focus on a very specific use-case: setting up a VPN-esque connection from your computer to your database. I’d encourage you to read their articles to get up to speed on what they are all about and how Tailscale differs from a traditional VPN solution:
End Goal
To make a database’s security rock solid, it’s important to prevent it from being accessible to the world. This means that anything connecting to it uses the private network rather than the public one. In the scenario of setting up a traditional VPN, this requires a VPN server to be created. The computer connects to the VPN server using a VPN application, and the VPN server is able to connect to the database over the private network.
The VPN server is the “bridge” between the user’s computer and the database. Tailscale is similar in nature, but instead of a VPN server, we will be setting up a Tailscale server and connecting to the server with the Tailscale app on the computer.
Since this article is not about why this is the best setup, I’m not going to go into any details about that or what’s happening under the hood. Definitely read the articles linked above if you are of the curious type.
Setting Things Up
Create a Tailscale account
The first step to making this all work is creating your Tailscale account. All the features we’ll be using are free and you can create a free account. In the signup process I connected Tailscale with my GitHub account as the login interface. This gives me the added benefit of being able to use GitHub Organizations.
Download the Tailscale app
Once you have created your Tailscale account, you will need to download and install the Tailscale app on your computer. All major operating systems are supported (macOS, iOS, Windows, Linux and Android), so choose whatever flavor is running on your computer: https://tailscale.com/download
Create a DigitalOcean Droplet
As mentioned earlier we will be creating a Tailscale server. To do this we will need to create a server where Tailscale can be installed. This server needs to have private network access to the database it will be interfacing with. In the DigitalOcean dashboard you will want to create a Droplet (server) that exists in the same region and account as the database you set up. My database was created in SFO-3, therefore I created my Droplet in SFO-3. You can use whatever size Droplet you want, but the smallest and cheapest with at least 1GB RAM should be sufficient.
Install Tailscale and authenticate Droplet
To install Tailscale on the Droplet you will need either SSH access from the command line or the DO Console interface. I will be walking you through Tailscale’s official installation instructions, which are a single command that installs everything you need. You could also do the manual install if you are brave. From the command line in your DO Droplet run the following command:
curl -fsSL https://tailscale.com/install.sh | sh
Once the installation has completed, run the following command to connect the Droplet to the Tailscale network:
sudo tailscale up
Running this command will output a URL that you will copy and paste into your browser to authenticate your Tailscale network with your Tailscale account. Go through the Tailscale authentication process using the account that you signed up with in the first step.
Setup Tailscale subnet routing
At this point, your computer is connected to your Droplet through Tailscale on what they call the “Tailnet.” This lets you SSH into your server through the Tailscale network. But to be able to connect directly to the database we need to set up subnet routing. Subnet routing lets your computer reach the VPC of your DigitalOcean Droplet, and therefore make a private connection directly to your database.
To set up subnet routing you will first need to enable IP forwarding on your Droplet. Run the following commands from the command line of the DO Droplet:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
Once you have set up IP forwarding it is time to set up the subnet route. To do this you will need to find your VPC network’s IP range from the DigitalOcean dashboard. You can do this one of two ways, either by looking at your database or at your Droplet. Regardless, both IP ranges should be the same. If they are not, you have not set up your database and Droplet on the same network in DigitalOcean and nothing after this sentence will work.
To find your database’s VPC IP range, visit your database’s Overview page and scroll down to the VPC Network section. Mine is 10.124.0.0/20 and I am using it in the command below, but you should replace it with yours.
Once you have identified your IP range, run the following line from the command line of your DO Droplet:
sudo tailscale up --advertise-routes=10.124.0.0/20 --accept-dns=false --accept-routes=true
Authenticate subnet in Tailscale account
At this point you're all done with the command line! But you need to approve your subnet route in your Tailscale account before it can be used. To do this, visit the Machines section of your Tailscale account. Find the machine that you just added, click the “• • •” and then click “Edit Route Settings.” You will see a modal listing your VPC IP range. Check the box to approve it and then click save.
Add DNS record for private database URL (Removed July 8, 2024)
DigitalOcean never gives the actual private IP of your database. Theoretically this IP could change at any given time. Instead DO gives a host URL that will map to the database IP. To be able to use this host URL a Tailscale Nameserver needs to be set up. In the Tailscale Dashboard navigate to the DNS area. Under the Nameserver section click “Add Nameserver” and select “Custom.” For the Nameserver IP input the IP used before, but without the range.
After you have entered the IP, click the “Restrict to Domain” option and input the VPC network host from the DigitalOcean database credentials. Click save and you should be all set with the nameservers.
Enable global nameservers and override local DNS (Added July 8, 2024)
DigitalOcean never gives the actual private IP of your database. Theoretically this IP could change at any given time. Instead DO gives a host URL that will map to the database IP. To be able to use this host URL, the Tailscale nameserver settings need to be modified. In the Tailscale Dashboard navigate to the DNS area. Under the Nameserver section click “Add Nameserver” and select Google Public DNS, Quad9 Public DNS and Cloudflare Public DNS. Once you have added these global nameservers, toggle “Override local DNS” to enabled.
Lock down Droplet with a firewall
The final step in the whole process is to lock everything down, because security! In DigitalOcean you will want to create a Firewall and apply it to your Droplet. I’ve removed SSH access (note: this also disables DO console access) and I am only allowing the UDP port 41641 inbound with all TCP allowed outbound.
Test the database connection
Ensure that your computer’s Tailscale app is running. Using the DigitalOcean VPC network connection details for your database you should be able to connect to it directly with your favorite database app.
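The Droplet-side steps above (IP forwarding plus route advertisement) and this final connection test can be wrapped in one small script. The following is an added example, not code from the original post, from Tailscale or from DigitalOcean. The file name tailscale-subnet.sh, the setup and verify subcommands, and the check that the database hostname resolves to an address inside the VPC range are my additions; the VPC range, database hostname and port are whatever your own DigitalOcean dashboard shows, and the values in the comments are placeholders. It assumes sysctl and tailscale on the Droplet, and getent or dig plus nc on your computer. The sysctl lines are written only if they are not already present, so re-running setup does not stack duplicate entries the way a second tee -a would, and verify refuses to continue when the hostname resolves to an address outside the VPC, which is the quickest way to notice that you are still on the public path.

```shell
#!/bin/sh
# tailscale-subnet.sh (hypothetical name): added example, not code from the
# original post, Tailscale or DigitalOcean.
#   Droplet:  sudo sh tailscale-subnet.sh setup 10.124.0.0/20
#   Laptop:   sh tailscale-subnet.sh verify <private-db-host> 10.124.0.0/20 <port>
# Range, hostname and port are placeholders: use the ones from your DO dashboard.

# Convert a dotted-quad IPv4 address into a 32-bit integer.
ip_to_int() {
    a=$(printf '%s\n' "$1" | cut -d. -f1)
    b=$(printf '%s\n' "$1" | cut -d. -f2)
    c=$(printf '%s\n' "$1" | cut -d. -f3)
    d=$(printf '%s\n' "$1" | cut -d. -f4)
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 when $1 is a well-formed IPv4 prefix such as 10.124.0.0/20.
cidr_valid() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    bits=${1#*/}
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    for octet in $(printf '%s\n' "$ip" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 when IPv4 address $2 lies inside prefix $1.
cidr_contains() {
    cidr_valid "$1" || return 2
    cidr_valid "$2/32" || return 2
    bits=${1#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Append "KEY = VALUE" to FILE only if that exact line is missing, so re-running
# setup does not stack duplicate lines the way a repeated `tee -a` would.
ensure_sysctl_line() {
    file=$1
    line="$2 = $3"
    if [ -f "$file" ] && grep -Fxq "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Droplet side: enable forwarding, confirm it took effect, then advertise the
# VPC range with the same flags the post uses.
setup() {
    cidr_valid "$1" || { echo "usage: setup <vpc-cidr>" >&2; return 1; }
    conf=/etc/sysctl.d/99-tailscale.conf
    ensure_sysctl_line "$conf" net.ipv4.ip_forward 1
    ensure_sysctl_line "$conf" net.ipv6.conf.all.forwarding 1
    sysctl -p "$conf" >/dev/null
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "ip_forward is still 0" >&2; return 1; }
    tailscale up --advertise-routes="$1" --accept-dns=false --accept-routes=true
}

# Laptop side: resolve the DO private hostname, refuse to continue unless the
# answer is inside the VPC range (otherwise you are on the public path), then
# probe the port through the subnet router.
verify() {
    host=$1; cidr=$2; port=$3
    [ -n "$host" ] && [ -n "$port" ] && cidr_valid "$cidr" || {
        echo "usage: verify <db-host> <vpc-cidr> <port>" >&2; return 1; }
    addr=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || addr=$(dig +short A "$host" | head -n 1)   # macOS has no getent
    [ -n "$addr" ] || { echo "cannot resolve $host" >&2; return 1; }
    if ! cidr_contains "$cidr" "$addr"; then
        echo "$host resolves to $addr, outside $cidr: not the private path" >&2
        return 1
    fi
    echo "$host -> $addr is inside $cidr"
    nc -z -w 5 "$addr" "$port" && echo "port $port reachable over the tailnet"
}

case ${1:-} in
    setup)  shift; setup "$@" ;;
    verify) shift; verify "$@" ;;
esac
```

Run the setup subcommand on the Droplet with sudo after the plain `tailscale up` login step, and the verify subcommand on your computer once the route has been approved in the Tailscale dashboard; a hostname that resolves to a public address, or to nothing at all, means the DNS step above has not taken effect yet.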
Celebrate
Assuming everything went as planned it’s time to celebrate 🥳 If you run into issues or have questions post a comment below!
† Thanks Dan Misener for the recommendation 💁♂️🎩