Local Zone VPN-as-a-Service (VPNaaS) with Tailscale Integration

Learn the steps to integrate Tailscale into your OVHcloud Local Zone Public Cloud instances, providing a VPN-as-a-Service (VPNaaS) solution. Tailscale allows you to create a secure, peer-to-peer mesh network between your servers in different geographical locations.

Suppose you have Public Cloud instances in different OVHcloud Local Zones, such as Miami and Denver, and you need to securely connect them. Instead of setting up a complex VPN infrastructure, you can use Tailscale, which leverages WireGuard, to easily create an encrypted mesh network between your instances. This is particularly useful for developers, distributed systems, or secure cross-region communications.

This feature allows you to:

• Set up a VPN mesh network for secure connections between Public Cloud instances in different OVHcloud Local Zones.
• Easily connect and manage your instances via Tailscale.
• Enable ephemeral (short-lived) nodes so that temporary instances are automatically removed from the Tailscale network when they are deleted.
• Use Tailscale’s Access Control Lists (ACLs) to manage network permissions.

Requirements

• An OVHcloud account
• Two Public Cloud instances deployed in different OVHcloud Local Zones (we will use Miami and Denver for this example)
• SSH access to your OVHcloud Local Zone Public Cloud Instances
• A Tailscale account with admin access
• A Tailscale Auth Key (which you will generate from the Tailscale admin panel)
• Familiarity with SSH and basic terminal commands. For more information on SSH, read our guide on how to create and use SSH keys for Public Cloud instances

Instructions

Step 1 - Create two instances in OVHcloud Local Zones

Create two instances in different OVHcloud Local Zones, like Miami and Denver.

Ensure that public networking is enabled for both instances.

Step 2 - Log in to Tailscale

1. Log in to your Tailscale account at Tailscale.
2. Go to the Devices tab and click Add Device.
3. Select Linux server as the device type.

   

4. Enable ephemeral nodes to ensure that nodes are automatically removed from the network when their corresponding server is deleted.

   

5. Copy the provided install script for later use.

Step 3 - Install Tailscale on the Miami instance

1. SSH into the Miami instance:

   ssh root@$MIAMI_IP -i ~/.ssh/tailscale-test

   Copy

2. Install Tailscale on the instance by running the following command:

   curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --auth-key=$TAILSCALE-KEY

   Copy

3. Log in to the Tailscale admin panel to approve the new node by visiting the Tailscale login page.

4. Approve the node using the menu on the right (with the more options ... button).

   

5. Once approved, you will see a success message in the terminal:

   Installation complete! Log in to start using Tailscale by running:
   tailscale up

Step 4 - Install Tailscale on the Denver instance

1. SSH into the Denver instance:

   ssh root@$DENVER_IP -i ~/.ssh/tailscale-test

   Copy

2. Repeat the Tailscale installation process on the Denver instance:

   curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --auth-key=$TAILSCALE-KEY

   Copy

3. Approve the Node in the Admin Panel:

   Like with the Miami instance, a prompt will appear asking you to approve the Denver node. The installation will remain pending until approval. Visit the Tailscale login page and approve the new node.

4. After approval, the installation will finish, and you will see the following success message in the terminal:

   Installation complete! Log in to start using Tailscale by running:
   tailscale up

Step 5 - Verify the Tailscale network

To check the status of the Tailscale network, log in to one of your instances (e.g., the Miami instance) and run the following command:

tailscale status

The output should look like this, showing the connection between the two nodes:

100.X.X.X   tailscale-node-miami john.doe@ linux   -
100.X.X.X   tailscale-node-denver john.doe@ linux   -

Step 6 - Test the Connection Between Nodes

Now, test the connection between the two nodes using Tailscale’s ping command.

On the Miami instance, run:

tailscale ping tailscale-node-denver

On the Denver instance, run:

tailscale ping tailscale-node-miami

You should see a pong response indicating successful communication between the two instances, similar to this:

pong from tailscale-node-denver (100.X.X.X) via [X:X:X:X:X:X:X]:41641 in 34ms

Step 7 - Manage Key Expiry

Tailscale nodes are assigned keys, and these keys can expire. If your nodes are expected to remain in the network for a longer period, you may want to disable key expiry. You can do this in the Tailscale admin panel, depending on your security and access requirements.

Step 8 - Access Control

Tailscale creates a mesh network, meaning all nodes can communicate with each other by default. If you need more granular control, use Tailscale's Access Control Lists (ACLs) to specify which devices can communicate with others.

You can read more about ACLs here: Tailscale ACL Documentation.

Go further

For more information and tutorials, please see our other Public Cloud support guides or explore the guides for other OVHcloud products and services.

If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts for a custom analysis of your project.