
Tailscale + Termius for safer SSH access

Use a private Tailscale network and SSH profiles in Termius to reduce exposure when managing local machines and cloud droplets.

Context

Remote access to development machines usually starts with public SSH on a VPS, then grows into ad-hoc habits across local devices and cloud hosts.

That default works, but it increases attack surface and makes session stability a daily reliability problem.

A safer baseline is to keep both local-machine and droplet access inside a private mesh and treat the remote shell as disposable.

Decision / Insight

Use Tailscale as the private network layer and Termius as the operator-facing SSH client.

The important shift is to connect through Tailscale node IPs instead of exposing public SSH whenever possible, both for local hosts and droplets.

For AI coding tools, avoid running opencode directly on the VPS. Run it locally and use SSH only for bounded remote operations.

Breakdown

Local machine connection

  • Join laptop/desktop and any home lab machine to the same Tailscale tailnet.
  • Use Termius profiles that target each host’s Tailscale IP or MagicDNS name.
  • Disable unnecessary inbound port-forwarding rules from the public internet.

Droplet connection

  • Install Tailscale on the droplet and keep SSH bound to private access paths.
  • Prefer connecting from Termius to the droplet’s Tailscale address, not its public IPv4.
  • Keep cloud firewall rules strict even when Tailscale is in place.
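One way to verify the "bound to private access paths" point on a droplet, as an added example that is not part of the original post: the function below reads listener lines in the format printed by ss -H -tln and reports any SSH listener bound outside loopback or Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48). The function name and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list SSH listeners that are reachable outside the tailnet.
# Live use on a host:  ss -H -tln | exposed_ssh_listeners 22

# Reads `ss -H -tln`-style lines on stdin (column 4 = local address:port) and
# prints each address where the given port is bound to something other than
# loopback or a Tailscale address (100.64.0.0/10 or fd7a:115c:a1e0::/48).
exposed_ssh_listeners() {
    awk -v port="${1:-22}" '
    {
        n = match($4, /:[0-9]+$/)            # locate the trailing :port
        if (n == 0) next
        addr = substr($4, 1, n - 1)
        if (substr($4, n + 1) != port) next  # not the port being audited
        sub(/%.*$/, "", addr)                # drop a %interface suffix
        gsub(/^\[|\]$/, "", addr)            # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next           # loopback
        if (tolower(addr) ~ /^fd7a:115c:a1e0:/) next         # Tailscale IPv6
        if (split(addr, o, ".") == 4 && o[1] == 100 &&
            o[2] >= 64 && o[2] <= 127) next                  # Tailscale IPv4
        print addr                           # wildcard or public bind
    }'
}

# Constructed sample listener table (not captured from a real host).
SAMPLE='LISTEN 0 128   0.0.0.0:22                  0.0.0.0:*
LISTEN 0 128   100.101.102.103:22          0.0.0.0:*
LISTEN 0 128   [::]:22                     [::]:*
LISTEN 0 128   [fd7a:115c:a1e0::1234]:22   [::]:*
LISTEN 0 4096  127.0.0.53%lo:53            0.0.0.0:*
LISTEN 0 128   203.0.113.10:2222           0.0.0.0:*'

# Prints the wildcard binds (0.0.0.0 and ::) that still expose port 22.
printf '%s\n' "$SAMPLE" | exposed_ssh_listeners 22
```

An empty result means the audited port is only bound to loopback or tailnet addresses; the cloud firewall rules in the list above still apply independently.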

Security boundary for opencode

  • Avoid running opencode directly inside the VPS session.
  • Keep the agent runtime local so credentials, workspace controls, and audit context remain on the trusted machine.
  • Use the droplet as an execution target, not as the primary autonomous agent host.

Long-running remote work can break when the SSH transport drops. Use tmux as the persistent session layer and start tools through a stable alias.

Example shell pattern:

alias oc='tmux new-session -A -s opencode "opencode"'

With this pattern, reconnecting via Termius restores the same tmux session instead of losing active context after transient disconnections.

Reusable Takeaway

A practical remote baseline for solo builders is:

  1. private network first (Tailscale),
  2. consistent SSH client profiles (Termius),
  3. no autonomous coding runtime on public VPS shells,
  4. tmux-wrapped command aliases for reconnect-safe sessions.

This keeps remote access safer without making day-to-day operations slower.