Does this work with IPv6?

Yes. Tailscale works independently of your public IP, so your /64 network is unaffected.

VPS & Server

Secure your server with Tailscale (no open SSH port)

Instead of exposing SSH to the whole internet, put your server on a private network with Tailscale. Here is how to join it to your tailnet and close the public SSH port.

by Moritz MöllerJune 19, 2026

Secure your server with Tailscale (no open SSH port)

Ready to deploy?

Spin up a high-performance server in under 60 seconds.

View pricing

Keep reading

How to rescue your server with the VNC console

Locked out of your server via SSH? The VNC console in the panel gives you a screen-level connection in the browser so you can fix the problem directly.

How to set up VPS backups (manual and scheduled)

A backup saves you when an update goes wrong or data is lost. Here is how to create manual and scheduled backups of your ComputeBox server, stored off-site.

How to set a reverse DNS (PTR) record

A PTR record is a must for reliable email delivery. Here is how to set reverse DNS for your IPv4 and your IPv6 network right in the ComputeBox panel.

Why Tailscale?#

No open SSH port: what is not reachable cannot be attacked. Brute-force and port scans hit nothing.

Encrypted mesh: Tailscale builds direct, WireGuard-encrypted connections between your devices.

Works anywhere: even behind NAT and other firewalls, with no ports to forward.

MagicDNS: reach your server by name instead of by IP.

Step 3: Connect over Tailscale#

From your device with Tailscale installed, connect over the Tailscale address instead of the public IP:

With MagicDNS enabled, the hostname works too instead of the address.

Test first, then close

Make sure this connection over the 100.x address works before you remove public SSH access in the next step.

Step 4: Close public SSH#

Once the Tailscale connection is up, lock SSH down from the outside. Allow connections over the Tailscale interface and remove the public SSH rule in the firewall:

Leave ports 80 and 443 open if you run a website. Management over SSH is then only reachable through the tailnet. For the firewall basics, see Set up a firewall with ufw.

If you lock yourself out

If something goes wrong while closing the port, get back in through the VNC console in the panel and undo the rule with sudo ufw allow OpenSSH.

Problems?#

Troubleshooting

tailscale up shows no URL

The login URL is in the output, open it manually in your browser. With sudo tailscale up --qr you also get a QR code.

No connection over the 100.x address

Is Tailscale running on both sides and are both in the same tailnet? tailscale status shows your connected devices.

Locked out after the ufw step

FAQ#

Frequently asked questions

Is Tailscale free?

For personal use and small setups there is a free plan that is more than enough for a single server.

Do I still need ufw and Fail2ban?

ufw yes, that is how you control what stays publicly reachable. Fail2ban becomes less important once SSH is no longer reachable from the internet at all.

Does my web server stay public?

Yes. You leave ports 80 and 443 open. Tailscale mainly secures management over SSH and internal services.

Start your own server

VPS on AMD EPYC with NVMe SSD, full control, hosted in Germany.

Configure your VPS