{"id":20697433,"url":"https://github.com/epomatti/aws-rds-tailscale-vpc","last_synced_at":"2026-05-05T15:39:47.241Z","repository":{"id":220729984,"uuid":"750558953","full_name":"epomatti/aws-rds-tailscale-vpc","owner":"epomatti","description":"Tailscale subnet router running in AWS","archived":false,"fork":false,"pushed_at":"2024-05-07T06:37:43.000Z","size":139,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-17T18:34:49.742Z","etag":null,"topics":["aws","aws-imagebuilder","image-builder","nat","nat-gateway","rds","tailscale","terraform","ubuntu","vpc"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/epomatti.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-30T21:37:38.000Z","updated_at":"2024-07-20T07:32:49.000Z","dependencies_parsed_at":"2024-05-07T07:46:35.640Z","dependency_job_id":null,"html_url":"https://github.com/epomatti/aws-rds-tailscale-vpc","commit_stats":null,"previous_names":["epomatti/aws-rds-tailscale-vpn","epomatti/aws-rds-tailscale-vpc"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-rds-tailscale-vpc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-rds-tailscale-vpc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-rds-tailscale-vpc/releases","manifests_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/epomatti%2Faws-rds-tailscale-vpc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/epomatti","download_url":"https://codeload.github.com/epomatti/aws-rds-tailscale-vpc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242961747,"owners_count":20213315,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-imagebuilder","image-builder","nat","nat-gateway","rds","tailscale","terraform","ubuntu","vpc"],"created_at":"2024-11-17T00:18:04.223Z","updated_at":"2025-12-06T15:02:12.940Z","avatar_url":"https://github.com/epomatti.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Tailscale AWS VPC\n\nUsing Tailscale in subnet router mode to access RDS in a VPC.\n\n\u003e [!TIP]\n\u003e This project depends on my repository [epomatti/aws-ec2-imagebuilder][1] to build an optimized image. Or, if you want to configure it manually, use the commands in [ubuntu-tailscale-full.sh](./modules/tailscale/userdata/ubuntu-tailscale-full.sh) to set Tailscale.\n\nCurrent version of this project uses the subnet router for NAT resolution as well, making it a two-purpose single box. 
Alternatively, this is an example with separate boxes, which can be adapted with existing code.\n\n\u003cimg src=\".assets/tailscale.png\" /\u003e\n\n## Setup\n\nCreate the `.auto.tfvars` from the template and set your variables accordingly:\n\n```sh\ncp config/template.tfvars .auto.tfvars\n```\n\nCreate the infrastructure:\n\n```sh\nterraform init\nterraform apply -auto-approve\n```\n\nConnect to the Tailscale box using SSM:\n\n```sh\naws ssm start-session --target \u003cinstance\u003e\n```\n\nYou can run some manual checks to verify if everything was installed correctly:\n\n```sh\n# Verify the cloud-init startup\ncloud-init status\ncat /var/log/cloud-init-output.log\n\n# Check the state of the CloudWatch agent\n/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status\n\n# Look for any Tailscale errors from crontab\ngrep CRON /var/log/syslog\n```\n\nStart Tailscale and advertise the subnet routes:\n\n```sh\ntailscale up --advertise-routes=10.0.0.0/16 --accept-dns=false\n```\n\nOpen the login link printed by the command to register the device in Tailscale.\n\nNow, add the VPC DNS to the Tailscale namespaces and approve the routes. You can disable key expiry as well.\n\n\u003e [!IMPORTANT]\n\u003e Make sure you approve the routes in the Admin panel.\n\n| IP       | Namespace                   |\n|----------|-----------------------------|\n| 10.0.0.2 | us-east-2.rds.amazonaws.com |\n\n\nCheck the Tailscale status:\n\n```sh\ntailscale ip -4\n```\n\nChange the `create_appserver` parameter to `true` and create the private server to test NAT functionality.\n\nYou can install and run a speed test tool to also verify performance:\n\n```sh\nsudo apt install speedtest-cli\nspeedtest-cli --secure\n```\n\n## GitHub Action\n\nA workflow is available based on the [documentation][3].\n\nTo use it, create an OAuth client in Tailscale and set the variables.\n\n## ACLs\n\nExample of a policy to restrict access to personal devices, servers, and environments. More samples [here][2].\n\n```json\n{\n  \"tagOwners\": {\n    \"tag:personal\": [\"some@user.com\"],\n    \"tag:server\":   [\"some@user.com\"],\n    \"tag:stage\":    [\"some@user.com\"],\n    \"tag:prod\":     [\"some@user.com\"],\n  },\n\n  \"acls\": [\n    {\n      \"action\": \"accept\",\n      \"src\":    [\"autogroup:member\"],\n      \"dst\":    [\"autogroup:self:*\"],\n    },\n    {\"action\": \"accept\", \"src\": [\"autogroup:member\"], \"dst\": [\"tag:server:*\"]},\n    {\"action\": \"accept\", \"src\": [\"tag:personal\"], \"dst\": [\"tag:server:*\"]},\n    {\"action\": \"accept\", \"src\": [\"tag:stage\"], \"dst\": [\"tag:stage:*\"]},\n    {\"action\": \"accept\", \"src\": [\"tag:prod\"], \"dst\": [\"tag:prod:*\"]},\n    {\"action\": \"accept\", \"src\": [\"autogroup:owner\"], \"dst\": [\"*:*\"]},\n    {\n      \"action\": \"accept\",\n      \"src\":    [\"some@user.com\"],\n      \"dst\":    [\"tag:server:*\"],\n    },\n  ],\n}\n```\n\n## Sources\n\n```\nhttps://tailscale.com/kb/1141/aws-rds\nhttps://tailscale.com/kb/1174/install-debian-bookworm\nhttps://tailscale.com/kb/1019/subnets?tab=linux\nhttps://tailscale.com/kb/1021/install-aws#step-8-close-off-your-firewall\nhttps://tailscale.com/kb/1235/resolv-conf?q=dns\nhttps://repost.aws/questions/QUlEvYKkbUSNmZCiNJFcMpCA/aws-ec2-ubuntu-22-04-dns-issues-with-tailscale\nhttps://tailscale.com/blog/how-tailscale-works\nhttps://www.devzero.io/docs/how-can-i-connect-to-an-aws-rds-database\n```\n\n[1]: https://github.com/epomatti/aws-ec2-imagebuilder\n[2]: https://tailscale.com/kb/1192/acl-samples\n[3]: https://tailscale.com/kb/1276/tailscale-github-action\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faws-rds-tailscale-vpc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fepomatti%2Faws-rds-tailscale-vpc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faws-rds-tailscale-vpc/lists"}