Provision the VPS
Buy a Hetzner VPS and SSH into it using the public IP they give you:
ssh user@<hetzner-vm-public-ip>
Set up the VM
First thing on a fresh machine, run the setup script:
curl -fsSL https://raw.githubusercontent.com/rohoswagger/dotfile/main/setup.sh | bash
Set up Tailscale
Install:
curl -fsSL https://tailscale.com/install.sh | sh
Bring it up:
sudo tailscale up
This should print a login link in the terminal. If it doesn't, try:
sudo tailscale login
If that hangs or never returns a link, use an auth key instead (generate one at tailscale.com → Settings → Keys):
sudo tailscale up --authkey=<your-auth-key>
Enable Tailscale SSH:
sudo tailscale set --ssh
Verify:
tailscale status
tailscale ip
You should see this node and all your other Tailnet devices listed. Note your Tailscale IP (a 100.x.x.x address) — you'll need it at the end.
Lock it down with UFW
Install UFW:
sudo apt-get update
sudo apt-get install ufw -y
Deny all incoming, allow all outgoing:
sudo ufw default deny incoming
sudo ufw default allow outgoing
Allow SSH only on the Tailscale interface:
sudo ufw allow in on tailscale0 to any port 22
Check the rules — there should be exactly one:
sudo ufw status numbered
If there are any other entries from a previous UFW config, delete them:
sudo ufw delete <number>
Enable:
sudo ufw enable
sudo ufw reload
Verify everything works
SSH to the public IP — this should hang or fail:
ssh user@<hetzner-vm-public-ip> # ✗ should not work
SSH to the Tailscale IP from any device on your Tailnet — this should work:
ssh user@<tailscale-ip> # ✓ should work
If public SSH is dead and Tailscale SSH is alive, you're done. The machine is now invisible to the public internet and only reachable through your Tailnet.