VPN Tunnel

Connect self-hosted software via VPN tunnel

Allow Violet to connect directly to your self-hosted software tools by establishing a Virtual Private Network (VPN) tunnel. This provides a secure, encrypted point-to-point connection that masks your IP address.

The instructions below are specific to Tailscale, our recommended VPN solution. Tailscale uses a mesh network topology and the WireGuard protocol to provide secure, fully encrypted network connections.

If you prefer a site-to-site / IPsec solution, continue on to the next page.

We are happy to support other solutions as well - just let us know.

Setting up a Tailscale VPN

Tailscale is a VPN solution that simplifies the setup of secure networks for accessing your on-premises applications. It uses WireGuard for its network traffic encryption and supports various devices like Linux, macOS, Windows and even cloud servers.

Here’s how to set up Tailscale to connect on-premises applications to Violet securely.

Prerequisites

  1. A server or machine that can act as your Tailscale VPN gateway for your on-premises applications (AWS EC2, Azure VM, Google Compute Engine, etc.)

  2. Administrator privileges on all devices that will be part of the VPN network

  3. Internet access for installing Tailscale on the target machine

Step 1: Set up your Tailscale account

  1. Sign up for a Tailscale account at tailscale.com using your preferred method (Google, Microsoft or GitHub authentication).

  2. After signing up, you’ll be able to access the Tailscale admin console at https://login.tailscale.com/admin.

Step 2: Install Tailscale on your gateway server

  1. Choose a machine inside your network to act as a gateway (e.g. a server or dedicated VM).

  2. Install Tailscale on your Linux gateway machine:

  3. Authenticate the machine by running the following command:

    • This will open a browser for you to log in and authenticate the device to your Tailscale account.

    • Once authenticated, the machine will appear in your Tailscale admin console under Machines.

Step 3: Enable subnet routing on the gateway

Subnet routing allows devices outside your on-premise network to access internal resources via the gateway machine.

  1. Identify the subnet you want to route (e.g., <subnet-to-route>).

  2. On the gateway machine, run the following command:

    Replace <subnet-to-route> with the appropriate subnet of your network.

  3. After enabling subnet routing, go to the Tailscale admin console and approve the route:

    • Navigate to the Machines page.

    • Find the gateway machine and click on the gear icon next to it.

    • Under Route settings, approve the advertised route.

Step 4: Install Tailscale on your client device(s)

  1. Install Tailscale on any device that will connect to your VPN (e.g., laptops, remote servers).

  2. Authenticate each client device to your Tailscale account using:

  3. Once the client devices are authenticated, they’ll appear in your admin console as part of your Tailscale network.

Step 5: Access applications

Now that the Tailscale VPN is set up, any device on your Tailscale network can access the on-premises resources through the gateway machine.

  1. Ping test: From a client device, you can try pinging an internal IP address within your on-premises network to ensure connectivity:

  2. Access your applications: If you have a web application running on a server within your on-premises network, simply access it using the internal IP (e.g., http:/<internal-ip-addr>:8080).

Step 6: Create and share an Auth key

  1. Create an Auth key for Violet to use to connect to your new VPN. You can follow Tailscale's instructions here.

    1. Ensure the auth key is reusable, not one-off.

    2. Ensure the auth key is tagged (e.g. tag:violet-connector), which enables device authentication using a persistent identity and does not require periodic re-authentication (more information here).

    3. Alternatively, ensure that you've disabled the key expiry. This is important to reduce maintenance overhead and avoid outages.

      1. If you disable the key expiry, you can consider adding network flow logs that enable continuous and historical access monitoring.

      2. If your security policy requires a key expiry, make sure to note the expiration date when you create the key.

  2. Share this key, the expiration date (if applicable), and an IP address or domain on your private network that we can ping to test the connection. We will provide a 1Password vault for secure credential sharing.

    1. IMPORTANT: Reusable Tailscale auth keys are sensitive. Please do not share over insecure forms of communication (slack, email, etc.).

    2. If Violet receives a key over an insecure form of communication, we will ask you to invalidate the existing API key and send us a new one.

Troubleshooting tips

  • Check device connectivity: Ensure that your devices are visible on the Tailscale admin console and are connected to the same network.

  • Firewall issues: Ensure that your on-premise server's firewall allows incoming connections from the Tailscale subnet.

  • Routes not appearing: Ensure the gateway machine advertises routes correctly using sudo tailscale up --advertise-routes=<your-subnet>.

Additional resources

We recommend referencing Tailscale Quickstart for more detailed information.

PreviousIP Allow ListNextSite-to-Site VPN Tunnel

Last updated

Was this helpful?