A tsnet application letting Tailscale nodes access databases from anywhere using their Tailscale identity to authenticate.
This is a POC.
Note: setup from scratch in a new environment has not been tested yet. These steps likely assume pre-existing requirements.
- Build the binary.

  ```sh
  GOOS=linux GOARCH=amd64 go build -o ./cmd/ts-db-relay.exe ./...
  ```

- (Optional) Start your custom Tailscale control server if not using https://login.tailscale.com/

  ```sh
  ./path/to/local/tailscale/server
  ```

- Set the `TS_SERVER` environment variable to point to your Tailscale control server for future steps.

  ```sh
  export TS_SERVER=https://login.tailscale.com # http://localhost:31544 for local control
  ```

- Connect your workstation to your Tailscale control server.

  ```sh
  tailscale up --login-server=$TS_SERVER
  ```

- Configure the ts-db-relay capability in your tailnet policy file (`$TS_SERVER/admin/acls/file`).

  ```json
  {
    "tagOwners": {"tag:db-postgres": ["autogroup:admin"]},
    "grants": [
      {
        "src": ["*"],
        "dst": ["tag:db-postgres"],
        "ip": ["tcp:5432", "tcp:80"],
        "app": {
          "tailscale.test/cap/ts-db-relay": [
            {
              "postgres": {
                "impersonate": {
                  "databases": ["testdb"],
                  "users": ["test"],
                },
              },
            },
          ],
        },
      },
    ],
  }
  ```

- Create an authkey so the ts-db-relay node can join your tailnet (`$TS_SERVER/admin/settings/keys`).

- Set the `TS_AUTHKEY` environment variable with the authkey you created for future steps.

  ```sh
  export TS_AUTHKEY=tskey-auth-x-x # reusable ephemeral key is recommended for quick iterations
  ```

- (Optional) If using a custom local control server, update the `TS_SERVER` environment variable for container access.

  ```sh
  export TS_SERVER=http://host.docker.internal:31544
  ```

- Run docker compose to start a container with your local ts-db-relay binary and a Postgres database.

  ```sh
  docker compose -f test-setup/compose.yml up --build
  ```

- Connect to the database over Tailscale. This works from anywhere on the tailnet without database credentials; the connecting node's Tailscale identity is used to authenticate instead.

  ```sh
  psql "host=postgres-db port=5432 user=test dbname=testdb"
  ```
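The grant above only has teeth if the relay enforces it: after accepting a connection, a tsnet application looks up the peer (WhoIs) and receives the capability values from the policy, and it must refuse any (database, user) pair that no rule permits. The following is an added, stand-alone example of that decision and is not code from this repository. It uses only the Go standard library; `peerCapMap` is a local stand-in for the capability map a WhoIs lookup returns (assumption: same shape, name to list of raw JSON values), the sample values are constructed to match the README's grant, and matching is exact string equality because the page defines no wildcard semantics.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Capability name exactly as granted in the README's policy file.
const relayCap = "tailscale.test/cap/ts-db-relay"

// peerCapMap is the shape a relay sees after a WhoIs lookup on the
// connecting peer: capability name -> list of raw JSON values.
// Assumption: this mirrors the cap map tsnet returns; it is declared
// locally so the example runs with the standard library only.
type peerCapMap map[string][]json.RawMessage

// impersonateRule mirrors the "impersonate" object in the grant.
type impersonateRule struct {
	Databases []string `json:"databases"`
	Users     []string `json:"users"`
}

// relayCapValue is one element of the capability's value array.
// Postgres is a pointer so a value that omits it is simply skipped.
type relayCapValue struct {
	Postgres *struct {
		Impersonate impersonateRule `json:"impersonate"`
	} `json:"postgres"`
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// authorize decides whether the peer described by caps may connect as
// user to db. It is default-deny: no capability, a malformed value, or
// no matching rule all return an error. Matching is exact string
// equality (assumption: the page defines no wildcard semantics).
func authorize(caps peerCapMap, db, user string) error {
	vals := caps[relayCap]
	if len(vals) == 0 {
		return fmt.Errorf("peer was not granted %s", relayCap)
	}
	for i, raw := range vals {
		var v relayCapValue
		if err := json.Unmarshal(raw, &v); err != nil {
			// Fail closed rather than ignore a value we cannot parse.
			return fmt.Errorf("capability value %d is malformed: %w", i, err)
		}
		if v.Postgres == nil {
			continue
		}
		rule := v.Postgres.Impersonate
		if contains(rule.Databases, db) && contains(rule.Users, user) {
			return nil
		}
	}
	return fmt.Errorf("no rule permits user %q on database %q", user, db)
}

// sampleCaps is a constructed cap map equivalent to the README's grant.
// Assumption: control delivers the values as plain JSON even though the
// policy file itself is HuJSON (trailing commas allowed).
func sampleCaps() peerCapMap {
	return peerCapMap{
		relayCap: {
			json.RawMessage(`{"postgres":{"impersonate":{"databases":["testdb"],"users":["test"]}}}`),
		},
	}
}

func main() {
	caps := sampleCaps()
	requests := [][2]string{
		{"testdb", "test"},     // granted by the rule
		{"testdb", "postgres"}, // user not listed
		{"prod", "test"},       // database not listed
	}
	for _, r := range requests {
		if err := authorize(caps, r[0], r[1]); err != nil {
			fmt.Printf("deny  db=%s user=%s: %v\n", r[0], r[1], err)
		} else {
			fmt.Printf("allow db=%s user=%s\n", r[0], r[1])
		}
	}
}
```

The check is deliberately fail-closed: a peer that carries no `tailscale.test/cap/ts-db-relay` value, or a value the relay cannot parse, is rejected rather than falling through to an allow, so a policy typo degrades to "no access" instead of "all access".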
