Hardening a VPS with Tailscale
I recently hardened this Hetzner VPS after realizing that keeping admin panels open to the whole internet is just unnecessary risk. And honestly, @levelsio gave me the idea to use Tailscale from a few posts he made about this on X.
On this VPS, I still have a few WordPress sites hosted through a control panel, and I wanted to make the server safer without deleting websites, moving data, or breaking normal access.
The main idea was simple: websites stay public, admin access becomes private. Ports 80 and 443 stay open because visitors need them. DNS, public web traffic, nothing changes from the outside.
But the control panel on its admin port, the web server admin panel, and SSH don't need to be open to every random scanner on the internet. Those are management interfaces, not public website features.
Tailscale gives the VPS a private network address that only approved devices can reach. So I can open the control panel from my computer through the Tailscale IP, but someone scanning the public VPS IP cannot hit the login page anymore.
The important part is the order. Don't close public SSH first – that's how you lock yourself out.
The safe order I followed:
- take a snapshot first
- then install Tailscale on the VPS and add it to your account (disable key expiry)
- install Tailscale on your local machine
- test that the control panel, web server admin, and SSH all work through the Tailscale IP
- disable anything unused like FTP
- restrict the admin ports
- and only after all of that, restrict public SSH
For Tailscale, I used --accept-dns=false because I didn't want it changing DNS behavior on the VPS. This server hosts websites and mail, so the change needed to be narrow: add private access, don't surprise anything else.
Before changing any firewall rules, test everything over the Tailscale IP first. Confirm SSH, the control panel, and the web server admin all work. Once that's solid, allow those ports from Tailscale's private IP ranges and remove the public access rules for them.
For SSH, I used a rollback safety net: a systemd timer that automatically reopens public SSH after 3 minutes in case I got locked out. After removing public SSH, I immediately tested both Tailscale SSH (should work) and public SSH (should fail). Only after confirming that Tailscale SSH works did I cancel the rollback timer.
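The restrict-with-rollback step above (admin ports and SSH allowed only from the Tailscale range, timer armed before public SSH is dropped, timer cancelled only once a Tailscale session works) as an added shell example; this is not the post's own script. It assumes ufw manages the firewall and that the public rules were originally added as "ufw allow <port>/tcp"; the admin port numbers and the ssh-rollback unit name are placeholders, and 100.64.0.0/10 is the range Tailscale assigns its IPv4 addresses from.

```shell
#!/bin/sh
# Added example (not from the post): restrict admin ports and SSH to Tailscale
# using ufw, with a transient systemd timer as the rollback net. Assumed: ufw
# manages the firewall, public rules were added as "ufw allow <port>/tcp".
set -eu

TS_NET="100.64.0.0/10"                    # Tailscale hands out 100.x.y.z addresses
SSH_PORT="${SSH_PORT:-22}"
ADMIN_PORTS="${ADMIN_PORTS:-8443 10000}"  # placeholder: your panel admin ports
ROLLBACK_SECS=180                         # the 3-minute safety window

# DRY_RUN=1 prints each command instead of executing it (review before running).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Admin ports: reachable only from the Tailscale range, public rule removed.
restrict_admin_ports() {
  for p in $ADMIN_PORTS; do
    run ufw allow from "$TS_NET" to any port "$p" proto tcp
    run ufw delete allow "$p"/tcp
  done
}

# Arm the safety net BEFORE touching SSH: if nobody cancels this timer,
# public SSH is re-opened automatically after ROLLBACK_SECS.
arm_ssh_rollback() {
  run systemd-run --on-active="$ROLLBACK_SECS" --unit=ssh-rollback \
    ufw allow "$SSH_PORT"/tcp
}

# Last step of the order: timer first, then swap the public SSH rule for a
# Tailscale-only one. Refuses to run if this host has no Tailscale address.
restrict_public_ssh() {
  [ "${DRY_RUN:-0}" = 1 ] || tailscale ip -4 >/dev/null
  arm_ssh_rollback
  run ufw allow from "$TS_NET" to any port "$SSH_PORT" proto tcp
  run ufw delete allow "$SSH_PORT"/tcp
}

# Only after a fresh SSH session over the Tailscale IP has succeeded.
cancel_ssh_rollback() { run systemctl stop ssh-rollback.timer; }

case "${1:-}" in
  admin)   restrict_admin_ports ;;
  ssh)     restrict_public_ssh ;;
  confirm) cancel_ssh_rollback ;;
  *)       echo "usage: $0 admin|ssh|confirm" >&2 ;;
esac
```

Run it with DRY_RUN=1 first to see exactly which rules it would add and delete; if the timer fires before you run "confirm", public SSH is simply back to where it was.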
A few things to remember: keep cloud console/rescue access available as a backdoor, keep Tailscale running on your machine before trying SSH or admin panels, firewall rules aren't active until you reload, and always test websites after any firewall change.
This isn't the same as rebuilding a compromised server. It's a practical hardening pass. But for a VPS that needs to keep running websites, it's a big improvement: keep the public web public, and make the sensitive admin stuff reachable only from your own devices.