# VPN Tunnel

### Connect self-hosted software via VPN tunnel

Allow Violet to connect directly to your self-hosted software tools by establishing a Virtual Private Network (VPN) tunnel. This provides a secure, encrypted point-to-point connection that masks your IP address.

{% hint style="warning" %}
The instructions below are specific to [Tailscale](https://tailscale.com/), our recommended VPN solution. Tailscale uses a mesh network topology and the WireGuard protocol to provide secure, fully encrypted network connections.

If you prefer a site-to-site / IPsec solution, continue on to the [next page](/resources/administrative/connect-self-hosted-software/site-to-site-vpn-tunnel.md).

We are happy to support other solutions as well - just let us know.
{% endhint %}

#### **Setting up a Tailscale VPN**

[Tailscale](https://tailscale.com/) is a VPN solution that simplifies the setup of secure networks for accessing your on-premises applications. It uses WireGuard for its network traffic encryption and supports various devices like Linux, macOS, Windows and even cloud servers.

Here’s how to set up Tailscale to connect on-premises applications to Violet securely.

#### **Prerequisites**

1. A server or machine that can act as your Tailscale VPN gateway for your on-premises applications (AWS EC2, Azure VM, Google Compute Engine, etc.)
2. Administrator privileges on all devices that will be part of the VPN network
3. Internet access for installing Tailscale on the target machine

***

#### **Step 1: Set up your Tailscale account**

1. **Sign up** for a Tailscale account at [tailscale.com](https://tailscale.com/) using your preferred method (Google, Microsoft or GitHub authentication).
2. After signing up, you’ll be able to access the Tailscale admin console at `https://login.tailscale.com/admin`.

***

#### **Step 2: Install Tailscale on your gateway server**

1. **Choose a machine** inside your network to act as a gateway (e.g. a server or dedicated VM).
2. **Install Tailscale** on your Linux gateway machine:

   ```bash
   curl -fsSL https://tailscale.com/install.sh | sh
   ```
3. **Authenticate** the machine by running the following command:

   ```bash
   sudo tailscale up
   ```

   * This will open a browser for you to log in and authenticate the device to your Tailscale account.
   * Once authenticated, the machine will appear in your Tailscale admin console under **Machines**.

***

#### **Step 3: Enable subnet routing on the gateway**

Subnet routing allows devices outside your on-premises network to access internal resources via the gateway machine.

1. **Identify the subnet** you want to route (e.g., `<subnet-to-route>`).
2. On the gateway machine, run the following command:

   ```bash
   sudo tailscale up --advertise-routes=<subnet-to-route>
   ```

   Replace `<subnet-to-route>` with the appropriate subnet of your network.
3. After enabling subnet routing, go to the Tailscale admin console and **approve the route**:
   * Navigate to the **Machines** page.
   * Find the gateway machine and click on the gear icon next to it.
   * Under **Route settings**, approve the advertised route.
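The script below is an added example, not part of the Violet or Tailscale documentation. It wraps Step 3 with two checks a gateway operator wants before advertising anything: the subnet must be a valid, private CIDR with no host bits set (so `10.0.0.5/24` is rejected rather than silently widened), and a catch-all prefix such as `0.0.0.0/0` is refused, since that would turn the gateway into an exit node for the whole tailnet. It also turns on the Linux kernel forwarding switches a subnet router needs, which the page's command alone does not do. Assumptions: the `tailscale` CLI is on `PATH`, the host is Linux, and the standard `sysctl` keys apply. Without `--apply` it only prints the commands.

```python
"""Validate and advertise a subnet from a Tailscale gateway (added example).

Assumptions (not from the page): `tailscale` is on PATH, the gateway is Linux,
and the sysctl keys below are the standard kernel forwarding switches.
"""
import ipaddress
import subprocess
import sys

# Kernel forwarding switches a Linux subnet router needs before it can relay
# traffic between the tailnet and the advertised subnet.
FORWARDING_SYSCTLS = ["net.ipv4.ip_forward=1", "net.ipv6.conf.all.forwarding=1"]


def validate_subnet(cidr: str) -> str:
    """Return a normalised CIDR string or raise ValueError.

    Rejects host bits set (10.0.0.5/24), public ranges, and a zero-length
    prefix (0.0.0.0/0 would make the gateway an exit node, not a subnet router).
    """
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits -> ValueError
    if net.prefixlen == 0:
        raise ValueError("refusing to advertise a default route")
    if not net.is_private:
        raise ValueError(f"{net} is not a private (RFC 1918 / ULA) range")
    return str(net)


def build_commands(cidrs: list) -> list:
    """Commands to run on the gateway, in order, as argv lists (no sudo)."""
    routes = ",".join(validate_subnet(c) for c in cidrs)
    cmds = [["sysctl", "-w", setting] for setting in FORWARDING_SYSCTLS]
    cmds.append(["tailscale", "up", f"--advertise-routes={routes}"])
    return cmds


def main(argv: list) -> None:
    apply_changes = "--apply" in argv
    cidrs = [a for a in argv[1:] if a != "--apply"]
    if not cidrs:
        sys.exit("usage: gateway_routes.py <cidr> [<cidr> ...] [--apply]")
    for cmd in build_commands(cidrs):
        print(" ".join(cmd))
        if apply_changes:
            subprocess.run(["sudo", *cmd], check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 gateway_routes.py 10.0.0.0/24 --apply` on the gateway; advertising only the specific subnet the Violet integration needs, rather than a wider range, keeps the exposure to the tailnet as narrow as possible.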

***

#### **Step 4: Install Tailscale on your client device(s)**

1. Install Tailscale on any device that will connect to your VPN (e.g., laptops, remote servers).
   * Follow the [installation guide](https://tailscale.com/kb/1347/installation) for your specific platform (Linux, Windows, macOS).
2. **Authenticate** each client device to your Tailscale account using:

   ```bash
   sudo tailscale up
   ```
3. Once the client devices are authenticated, they’ll appear in your admin console as part of your Tailscale network.

***

#### **Step 5: Access applications**

Now that the Tailscale VPN is set up, any device on your Tailscale network can access the on-premises resources through the gateway machine.

1. **Ping test**: From a client device, you can try pinging an internal IP address within your on-premises network to ensure connectivity:

   ```bash
   ping <internal-ip-address>
   ```
2. **Access your applications**: If you have a web application running on a server within your on-premises network, simply access it using the internal IP (e.g., `http://<internal-ip-addr>:8080`).

***

#### Step 6: Configure authentication

To enable persistent authentication, we recommend turning on OAuth for the Tailscale connection.

To do this:

1. Log in to your tailnet as an administrator (<https://login.tailscale.com/welcome>)
2. Go to Trust Credentials <https://login.tailscale.com/admin/settings/trust-credentials>
3. Create a new **Credential**. Select **OAuth** as the type
4. For Scopes, enable `Devices: Core : Write` and `Keys : Auth Keys : Write`
   1. Note: You will be required to select a Tag for these scopes. If you don't have any tags, create a new one called `violet` in Access Controls: <https://login.tailscale.com/admin/acls/visual/tags>
5. Click **Generate Credentials**
6. Securely share the Client ID and Client Secret with the Violet team via the **Credentials** page in your Violet environment.

Alternatively, you can utilize a simple Auth key for authentication, but we will require you to generate a unique key every 90 days. Follow Tailscale's instructions [here](https://tailscale.com/kb/1085/auth-keys) to generate one, ensuring the auth key is **reusable**, not one-off.

It may also be helpful to share an IP address or domain on your private network that Violet can ping to test the connection.
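As an added example (not Violet's or Tailscale's code), the script below shows what the OAuth credential from Step 6 is used for: with the `Keys : Auth Keys : Write` scope it can mint short-lived, single-use, tagged auth keys on demand, which is why it removes the need to hand-rotate a reusable key every 90 days. The request body marks the key `ephemeral` so a node that goes offline is pruned automatically, `preauthorized` so no manual approval is needed, and scoped to one tag so the node receives only that tag's ACL grants. The endpoints are Tailscale's public API v2 (`/api/v2/oauth/token` and `/api/v2/tailnet/{tailnet}/keys`); the tag `tag:violet`, the tailnet value `-` (meaning the OAuth client's own tailnet), the environment variable names and the 24-hour default expiry are assumptions.

```python
"""Mint an ephemeral, tagged Tailscale auth key with an OAuth client (added example).

Endpoints are Tailscale's public API v2. Assumed, not from the page: the tag
name `tag:violet`, tailnet "-" (the OAuth client's own tailnet), and the
TS_OAUTH_CLIENT_ID / TS_OAUTH_CLIENT_SECRET environment variable names.
"""
import json
import os
import urllib.parse
import urllib.request

API = "https://api.tailscale.com/api/v2"
MAX_EXPIRY = 90 * 86400  # Tailscale caps auth-key lifetime at 90 days


def build_key_request(tag: str, expiry_seconds: int = 86400) -> dict:
    """Body for POST /tailnet/{tailnet}/keys.

    ephemeral: node is removed when it goes offline (auto-pruning of old devices)
    reusable=False: one node per key, so a leaked key cannot enrol a second node
    preauthorized: skips manual device approval in the admin console
    tags: the node only gets the ACL grants attached to this tag
    """
    if not tag.startswith("tag:"):
        raise ValueError("tags must be given as tag:<name>")
    if not 0 < expiry_seconds <= MAX_EXPIRY:
        raise ValueError("expiry must be between 1 second and 90 days")
    return {
        "capabilities": {
            "devices": {
                "create": {
                    "reusable": False,
                    "ephemeral": True,
                    "preauthorized": True,
                    "tags": [tag],
                }
            }
        },
        "expirySeconds": expiry_seconds,
        "description": "violet gateway node (minted by OAuth client)",
    }


def get_access_token(client_id: str, client_secret: str) -> str:
    """Client-credentials grant: exchange the OAuth client for a bearer token."""
    data = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    req = urllib.request.Request(f"{API}/oauth/token", data=data, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def create_auth_key(token: str, body: dict, tailnet: str = "-") -> str:
    """POST the key request; the key string is only returned once, so keep it."""
    req = urllib.request.Request(
        f"{API}/tailnet/{tailnet}/keys",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["key"]


if __name__ == "__main__":
    # Secrets come from the environment, not from argv or a file in the repo.
    client_id = os.environ["TS_OAUTH_CLIENT_ID"]
    client_secret = os.environ["TS_OAUTH_CLIENT_SECRET"]
    token = get_access_token(client_id, client_secret)
    key = create_auth_key(token, build_key_request("tag:violet"))
    print(key)  # use once: sudo tailscale up --auth-key=<key>
```

Because the OAuth client can create keys only for the tag it was bound to in Step 4, a compromised client secret cannot enrol devices under any other tag; the tag's ACL entries therefore bound what a node joined this way can reach, which is the check to review when sharing the credential.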

***

### **Troubleshooting tips**

* **Check device connectivity**: Ensure that your devices are visible on the Tailscale admin console and are connected to the same network.
* **Firewall issues**: Ensure that your on-premises server's firewall allows incoming connections from the Tailscale subnet.
* **Routes not appearing**: Ensure the gateway machine advertises routes correctly using `sudo tailscale up --advertise-routes=<your-subnet>`.
* **Too many old devices in Tailscale:** If hosts are frequently restarted/replaced, switch to OAuth-issued ephemeral keys for those nodes so inactive machines are auto-pruned.

***

### Additional resources

We recommend referencing [Tailscale Quickstart](https://tailscale.com/kb/1017/install) for more detailed information.


