creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/deploying-tailscale-for-zero-trust-vpn/references/workflows.md
T

98 lines
3.3 KiB
Markdown
Raw Blame History

# Workflows: Deploying Tailscale for Zero Trust VPN
## Workflow 1: Initial Tailnet Deployment
```
Step 1: Plan Network Architecture
- Identify all devices and services requiring connectivity
- Map existing network topology and access requirements
- Define user groups and access policies
- Plan subnet routing for legacy network integration
- Determine exit node placement for internet routing
Step 2: Configure Identity Provider
- Enable SSO with organizational identity provider
- Configure MFA enforcement policies
- Map identity provider groups to Tailscale groups
- Set key expiry policy (recommended: 90 days)
Step 3: Deploy Tailscale Nodes
- Install on critical infrastructure first (servers, databases)
- Deploy to user endpoints (laptops, mobile devices)
- Configure subnet routers for non-Tailscale networks
- Set up exit nodes for secure internet access
- Enable MagicDNS for hostname resolution
Step 4: Configure ACLs
- Start with deny-all baseline
- Define groups matching organizational structure
- Create tag-based policies for infrastructure
- Test ACLs in audit mode before enforcement
- Document all ACL rules and their business justification
Step 5: Validate and Monitor
- Test connectivity between all required paths
- Verify ACL enforcement blocks unauthorized access
- Enable audit logging
- Configure alerts for connection anomalies
```
## Workflow 2: ACL Policy Development
```
Step 1: Inventory Access Requirements
- List all user roles and their resource needs
- Map application dependencies (service-to-service)
- Identify privileged access paths
- Document temporary/exception access needs
Step 2: Design Policy Structure
- Define groups (users, teams, roles)
- Define tags (environments, service types, sensitivity)
- Map access rules: group/tag -> destination:ports
- Plan SSH access policies with session recording
Step 3: Implement and Test
- Write ACL JSON configuration
- Deploy in test/staging tailnet first
- Validate each rule with test connections
- Verify deny rules block unauthorized access
- Review with security team before production deployment
Step 4: Maintain and Audit
- Review ACLs quarterly for stale rules
- Audit access logs for policy violations
- Update groups when team membership changes
- Remove deprecated rules and tags
```
## Workflow 3: Headscale Self-Hosted Deployment
```
Step 1: Prepare Infrastructure
- Provision server with public IP and domain
- Configure TLS certificate (Let's Encrypt)
- Set up PostgreSQL or SQLite database
- Configure firewall rules (port 443, DERP relay ports)
Step 2: Install and Configure Headscale
- Download latest Headscale binary
- Generate configuration file
- Configure OIDC provider integration
- Set up DNS records for coordination server
- Configure DERP relay servers
Step 3: Onboard Users and Devices
- Create users/namespaces in Headscale
- Generate pre-auth keys for automated deployment
- Connect client devices to Headscale server
- Configure ACLs via Headscale policy file
Step 4: Operational Maintenance
- Monitor Headscale server health
- Rotate pre-auth keys regularly
- Backup database and configuration
- Update Headscale and client versions
- Review and rotate DERP relay configuration
```
Reference in New Issue View Git Blame Copy Permalink