TailnetLock on Ops FreeEdge https://ops.freeedge.uk/tags/tailnetlock/ Recent content in TailnetLock on Ops FreeEdge Hugo en-us Fri, 03 Apr 2026 15:20:00 +0000 Tailscale Funnel 与 Tailscale SSH:公网暴露安全实践 https://ops.freeedge.uk/posts/tailscale-funnel-ssh-exposure/ Fri, 03 Apr 2026 15:20:00 +0000 https://ops.freeedge.uk/posts/tailscale-funnel-ssh-exposure/ <h2 id="摘要">摘要</h2> <p>Tailscale Funnel(公网 HTTPS 暴露)和 SSH(<code>ts ssh</code> Tailscale 托管 SSH)是两种核心公网暴露机制。Funnel 通过 <code>--funnel</code> CLI 实现公网反代,自动 Let&rsquo;s Encrypt 证书;SSH 利用 Node Key 绕过传统公钥认证,依赖 ACL/Grants 细粒度控制。零信任原则:默认拒绝,ACL/Grants 显式授权。</p> <h2 id="1-tailscale-funnel公网-https-暴露核心">1. Tailscale Funnel:公网 HTTPS 暴露核心</h2> <p>Funnel (<code>tailscale funnel &lt;target&gt;</code>) 将本地服务/文件暴露至公网 HTTPS,TLS 终止于 Tailscale Daemon。关键约束:</p> <ul> <li><strong>端口限制</strong>:仅 443/8443/10000。</li> <li><strong>Target 类型</strong>:</li> </ul> <table> <thead> <tr> <th>类型</th> <th>示例</th> <th>行为</th> </tr> </thead> <tbody> <tr> <td>HTTP 反代</td> <td><code>tailscale funnel localhost:3000</code></td> <td>公网 → ts.net → 127.0.0.1:3000 (HTTP)</td> </tr> <tr> <td>文件/目录</td> <td><code>tailscale funnel /path/to/dir</code></td> <td>目录列表 + 文件服务</td> </tr> <tr> <td>静态文本</td> <td><code>tailscale funnel 'text:Hello World'</code></td> <td>纯文本响应</td> </tr> <tr> <td>TLS 终止 TCP</td> <td><code>--tls-terminated-tcp=443 localhost:8443</code></td> <td>TCP 转发 + TLS 卸载</td> </tr> </tbody> </table> <ul> <li><strong>CLI 示例</strong>(持久化 <code>--bg</code>): <div class="goat svg-container "> <svg xmlns="http://www.w3.org/2000/svg" font-family="Menlo,Lucida Console,monospace" viewBox="0 0 432 57" > <g transform='translate(8,16)'> <path d='M 176,0 L 184,0' fill='none' stroke='currentColor'></path> <path d='M 216,0 L 224,0' fill='none' stroke='currentColor'></path> <path d='M 240,16 L 248,16' fill='none' stroke='currentColor'></path> <text text-anchor='middle' x='0' y='4' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='0' y='20' fill='currentColor' style='font-size:1em'>#</text> <text text-anchor='middle' x='0' y='36' fill='currentColor' style='font-size:1em'>#</text> <text text-anchor='middle' x='8' y='4' fill='currentColor' style='font-size:1em'>u</text> <text text-anchor='middle' x='16' y='4' fill='currentColor' style='font-size:1em'>d</text> <text text-anchor='middle' x='16' y='20' fill='currentColor' style='font-size:1em'>状</text> <text text-anchor='middle' x='16' y='36' fill='currentColor' style='font-size:1em'>关</text> <text text-anchor='middle' x='24' y='4' fill='currentColor' style='font-size:1em'>o</text> <text text-anchor='middle' x='24' y='20' fill='currentColor' style='font-size:1em'>态</text> <text text-anchor='middle' x='24' y='36' fill='currentColor' style='font-size:1em'>闭</text> <text text-anchor='middle' x='32' y='20' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='32' y='36' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='40' y='4' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='48' y='4' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='48' y='20' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='48' y='36' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='56' y='4' fill='currentColor' style='font-size:1em'>i</text> <text text-anchor='middle' x='56' y='20' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='56' y='36' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='64' y='4' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='64' y='20' fill='currentColor' style='font-size:1em'>i</text> <text text-anchor='middle' x='64' y='36' fill='currentColor' style='font-size:1em'>i</text> <text text-anchor='middle' x='72' y='4' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='72' y='20' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='72' y='36' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='80' y='4' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='80' y='20' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='80' y='36' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='88' y='4' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='88' y='20' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='88' y='36' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='96' y='4' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='96' y='20' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='96' y='36' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='104' y='4' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='104' y='20' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='104' y='36' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='112' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='112' y='36' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='120' y='4' fill='currentColor' style='font-size:1em'>f</text> <text text-anchor='middle' x='128' y='4' fill='currentColor' style='font-size:1em'>u</text> <text text-anchor='middle' x='128' y='20' fill='currentColor' style='font-size:1em'>f</text> <text text-anchor='middle' x='128' y='36' fill='currentColor' style='font-size:1em'>f</text> <text text-anchor='middle' x='136' y='4' fill='currentColor' style='font-size:1em'>n</text> <text text-anchor='middle' x='136' y='20' fill='currentColor' style='font-size:1em'>u</text> <text text-anchor='middle' x='136' y='36' fill='currentColor' style='font-size:1em'>u</text> <text text-anchor='middle' x='144' y='4' fill='currentColor' style='font-size:1em'>n</text> <text text-anchor='middle' x='144' y='20' fill='currentColor' style='font-size:1em'>n</text> <text text-anchor='middle' x='144' y='36' fill='currentColor' style='font-size:1em'>n</text> <text text-anchor='middle' x='152' y='4' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='152' y='20' fill='currentColor' style='font-size:1em'>n</text> <text text-anchor='middle' x='152' y='36' fill='currentColor' style='font-size:1em'>n</text> <text text-anchor='middle' x='160' y='4' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='160' y='20' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='160' y='36' fill='currentColor' style='font-size:1em'>e</text> <text text-anchor='middle' x='168' y='20' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='168' y='36' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='184' y='4' fill='currentColor' style='font-size:1em'>-</text> <text text-anchor='middle' x='184' y='20' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='184' y='36' fill='currentColor' style='font-size:1em'>4</text> <text text-anchor='middle' x='192' y='4' fill='currentColor' style='font-size:1em'>b</text> <text text-anchor='middle' x='192' y='20' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='192' y='36' fill='currentColor' style='font-size:1em'>4</text> <text text-anchor='middle' x='200' y='4' fill='currentColor' style='font-size:1em'>g</text> <text text-anchor='middle' x='200' y='20' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='200' y='36' fill='currentColor' style='font-size:1em'>3</text> <text text-anchor='middle' x='208' y='20' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='216' y='20' fill='currentColor' style='font-size:1em'>u</text> <text text-anchor='middle' x='216' y='36' fill='currentColor' style='font-size:1em'>o</text> <text text-anchor='middle' x='224' y='4' fill='currentColor' style='font-size:1em'>-</text> <text text-anchor='middle' x='224' y='20' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='224' y='36' fill='currentColor' style='font-size:1em'>f</text> <text text-anchor='middle' x='232' y='4' fill='currentColor' style='font-size:1em'>h</text> <text text-anchor='middle' x='232' y='36' fill='currentColor' style='font-size:1em'>f</text> <text text-anchor='middle' x='240' y='4' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='248' y='4' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='248' y='20' fill='currentColor' style='font-size:1em'>-</text> <text text-anchor='middle' x='256' y='4' fill='currentColor' style='font-size:1em'>p</text> <text text-anchor='middle' x='256' y='20' fill='currentColor' style='font-size:1em'>j</text> <text text-anchor='middle' x='264' y='4' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='264' y='20' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='272' y='4' fill='currentColor' style='font-size:1em'>=</text> <text text-anchor='middle' x='272' y='20' fill='currentColor' style='font-size:1em'>o</text> <text text-anchor='middle' x='280' y='4' fill='currentColor' style='font-size:1em'>4</text> <text text-anchor='middle' x='280' y='20' fill='currentColor' style='font-size:1em'>n</text> <text text-anchor='middle' x='288' y='4' fill='currentColor' style='font-size:1em'>4</text> <text text-anchor='middle' x='296' y='4' fill='currentColor' style='font-size:1em'>3</text> <text text-anchor='middle' x='312' y='4' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='320' y='4' fill='currentColor' style='font-size:1em'>o</text> <text text-anchor='middle' x='328' y='4' fill='currentColor' style='font-size:1em'>c</text> <text text-anchor='middle' x='336' y='4' fill='currentColor' style='font-size:1em'>a</text> <text text-anchor='middle' x='344' y='4' fill='currentColor' style='font-size:1em'>l</text> <text text-anchor='middle' x='352' y='4' fill='currentColor' style='font-size:1em'>h</text> <text text-anchor='middle' x='360' y='4' fill='currentColor' style='font-size:1em'>o</text> <text text-anchor='middle' x='368' y='4' fill='currentColor' style='font-size:1em'>s</text> <text text-anchor='middle' x='376' y='4' fill='currentColor' style='font-size:1em'>t</text> <text text-anchor='middle' x='384' y='4' fill='currentColor' style='font-size:1em'>:</text> <text text-anchor='middle' x='392' y='4' fill='currentColor' style='font-size:1em'>8</text> <text text-anchor='middle' x='400' y='4' fill='currentColor' style='font-size:1em'>0</text> <text text-anchor='middle' x='408' y='4' fill='currentColor' style='font-size:1em'>8</text> <text text-anchor='middle' x='416' y='4' fill='currentColor' style='font-size:1em'>0</text> </g> </svg> </div> </li> <li><strong>DNS</strong>:稳定 <code>node.ts.net</code> 子域,自动 CNAME 管理。</li> <li><strong>PROXY Protocol</strong>:<code>--proxy-protocol=2</code> 保留客户端真实 IP(后端可见原 IP/端口)。</li> </ul> <h2 id="2-tailscale-serve-vs-funnel内部-vs-公网对比">2. Tailscale Serve vs Funnel:内部 vs 公网对比</h2> <table> <thead> <tr> <th>维度</th> <th>Serve (<code>tailscale serve</code>)</th> <th>Funnel (<code>tailscale funnel</code>)</th> </tr> </thead> <tbody> <tr> <td><strong>范围</strong></td> <td>Tailnet 内(MagicDNS/100.x IP)</td> <td>公网(ts.net HTTPS)</td> </tr> <tr> <td><strong>TLS</strong></td> <td>可选 Let&rsquo;s Encrypt</td> <td>强制,Daemon 自动颁发/续期</td> </tr> <tr> <td><strong>端口</strong></td> <td>任意本地端口转发</td> <td>限 443/8443/10000</td> </tr> <tr> <td><strong>用例</strong></td> <td>内网调试/协作</td> <td>临时公网 Demo/Webhook 测试</td> </tr> <tr> <td><strong>风险</strong></td> <td>Tailnet ACL 隔离</td> <td>公网暴露,强制 ACL + Lock</td> </tr> </tbody> </table> <h2 id="3-tailscale-ssh托管-ssh-机制">3. Tailscale SSH:托管 SSH 机制</h2> <p><code>tailscale ssh [user@]host</code> 利用 WireGuard Node Key 双层加密,绕过传统 <code>~/.ssh/authorized_keys</code>:</p>