# VPN Tunnel ### Connect self-hosted software via VPN tunnel Allow Violet to connect directly to your self-hosted software tools by establishing a Virtual Private Network (VPN) tunnel. This provides a secure, encrypted point-to-point connection that masks your IP address. {% hint style="warning" %} The instructions below are specific to [Tailscale](https://tailscale.com/), our recommended VPN solution. Tailscale uses a mesh network topology and the WireGuard protocol to provide secure, fully encrypted network connections. If you prefer a site-to-site / IPsec solution, continue on to the [next page](https://docs.violetlabs.com/resources/administrative/connect-self-hosted-software/site-to-site-vpn-tunnel). We are happy to support other solutions as well - just let us know. {% endhint %} #### **Setting up a Tailscale VPN** [Tailscale](https://tailscale.com/) is a VPN solution that simplifies the setup of secure networks for accessing your on-premises applications. It uses WireGuard for its network traffic encryption and supports various devices like Linux, macOS, Windows and even cloud servers. Here’s how to set up Tailscale to connect on-premises applications to Violet securely. #### **Prerequisites** 1. A server or machine that can act as your Tailscale VPN gateway for your on-premises applications (AWS EC2, Azure VM, Google Compute Engine, etc.) 2. Administrator privileges on all devices that will be part of the VPN network 3. Internet access for installing Tailscale on the target machine *** #### **Step 1: Set up your Tailscale account** 1. **Sign up** for a Tailscale account at [tailscale.com](https://tailscale.com/) using your preferred method (Google, Microsoft or GitHub authentication). 2. After signing up, you’ll be able to access the Tailscale admin console at `https://login.tailscale.com/admin`. *** #### **Step 2: Install Tailscale on your gateway server** 1. **Choose a machine** inside your network to act as a gateway (e.g. a server or dedicated VM). 2. **Install Tailscale** on your Linux gateway machine: ```bash curl -fsSL | sh ``` 3. **Authenticate** the machine by running the following command: ```bash sudo tailscale up ``` * This will open a browser for you to log in and authenticate the device to your Tailscale account. * Once authenticated, the machine will appear in your Tailscale admin console under **Machines**. *** #### **Step 3: Enable subnet routing on the gateway** Subnet routing allows devices outside your on-premise network to access internal resources via the gateway machine. 1. **Identify the subnet** you want to route (e.g., ``). 2. On the gateway machine, run the following command: ```bash sudo tailscale up --advertise-routes= ``` Replace `` with the appropriate subnet of your network. 3. After enabling subnet routing, go to the Tailscale admin console and **approve the route**: * Navigate to the **Machines** page. * Find the gateway machine and click on the gear icon next to it. * Under **Route settings**, approve the advertised route. *** #### **Step 4: Install Tailscale on your client device(s)** 1. Install Tailscale on any device that will connect to your VPN (e.g., laptops, remote servers). * Follow the [installation guide](https://tailscale.com/kb/1347/installation) for your specific platform (Linux, Windows, macOS). 2. **Authenticate** each client device to your Tailscale account using: ```bash sudo tailscale up ``` 3. Once the client devices are authenticated, they’ll appear in your admin console as part of your Tailscale network. *** #### **Step 5: Access applications** Now that the Tailscale VPN is set up, any device on your Tailscale network can access the on-premises resources through the gateway machine. 1. **Ping test**: From a client device, you can try pinging an internal IP address within your on-premises network to ensure connectivity: ```shellscript ping ``` 2. **Access your applications**: If you have a web application running on a server within your on-premises network, simply access it using the internal IP (e.g., `http:/:8080`). *** #### Step 6: Create and share an Auth key 1. Create an Auth key for Violet to use to connect to your new VPN. You can follow Tailscale's instructions [here](https://tailscale.com/kb/1085/auth-keys). 1. Ensure the auth key is **reusable**, not one-off. 2. Ensure the auth key is **tagged** (e.g. `tag:violet-connector`), which enables device authentication using a persistent identity and does not require periodic re-authentication (more information [here](https://tailscale.com/kb/1085/auth-keys#key-expiry-for-tagged-devices)). 3. Alternatively, ensure that you've [disabled the key expiry](https://tailscale.com/kb/1028/key-expiry). This is important to reduce maintenance overhead and avoid outages. 1. If you disable the key expiry, you can consider adding [network flow logs](https://tailscale.com/kb/1219/network-flow-logs) that enable continuous and historical access monitoring. 2. If your security policy requires a key expiry, make sure to note the expiration date when you create the key. 2. Share this key, the expiration date (if applicable), and an IP address or domain on your private network that we can ping to test the connection. We will provide a 1Password vault for secure credential sharing. 1. **IMPORTANT**: Reusable Tailscale auth keys are **sensitive**. Please do not share over insecure forms of communication (slack, email, etc.). 2. If Violet receives a key over an insecure form of communication, we will ask you to invalidate the existing API key and send us a new one. *** ### **Troubleshooting tips** * **Check device connectivity**: Ensure that your devices are visible on the Tailscale admin console and are connected to the same network. * **Firewall issues**: Ensure that your on-premise server's firewall allows incoming connections from the Tailscale subnet. * **Routes not appearing**: Ensure the gateway machine advertises routes correctly using `sudo tailscale up --advertise-routes=`. *** ### Additional resources We recommend referencing [Tailscale Quickstart](https://tailscale.com/kb/1017/install) for more detailed information.