Tailscale is a mesh VPN built on WireGuard that creates a private, encrypted network between your devices — without opening a single port to the public internet.
Once your ShieldHost server is provisioned, connecting takes three steps:
Download and install Tailscale on your device. Available for macOS, Windows, Linux, iOS, and Android.
tailscale.com/download
Open Tailscale, sign in with your account, and connect to your tailnet. Your device and server will be on the same private network.
Open a terminal and connect using your server's Tailscale IP.
ssh ubuntu@<your-server-ip>
Traditional VPS providers expose your server to the entire internet. You get a public IP, open SSH on port 22, and hope your firewall rules hold up. Every bot on the planet can find you and start hammering.
Tailscale flips this model. When your ShieldHost server boots, it joins your private Tailscale network (your "tailnet") automatically. From that point, the only way to reach your server is through Tailscale's encrypted tunnel — authenticated by your identity, not by an IP address and password.
Think of it as a private LAN that spans the internet. Your laptop, your phone, and your ShieldHost server are all on the same network — but nobody else can see or reach them.
Every packet is encrypted end-to-end using modern WireGuard cryptography.
No public ports. Access is identity-based, not IP-based.
NAT traversal built in. Works behind firewalls, on cellular, anywhere.
ShieldHost is opinionated. We know not everyone will agree with this choice, and that's fine — but we believe it's the right one.
Most security breaches on VPS instances start the same way: an exposed SSH port, a weak password, a forgotten open service. The standard advice is "harden your server" — but that puts the burden on you, and it only takes one mistake.
By requiring Tailscale on every node, we eliminate the largest attack surface before you even log in. Your server has no public-facing ports. SSH is only reachable through your tailnet. There's nothing for scanners to find, nothing to brute-force, nothing to exploit.
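One way to check the "no public-facing ports" claim on a running server, as an added example that is not ShieldHost's own tooling: the script below reads `ss -H -tln` output and reports every TCP listener that is not confined to loopback or to Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48). The sample output and the function names are constructed for illustration; the page does not say how ShieldHost binds sshd, so wildcard listeners are reported separately as depending on the firewall rather than as exposed.

```python
import ipaddress
import sys

# Ranges Tailscale assigns to tailnet nodes: IPv4 CGNAT block and IPv6 ULA prefix.
TAILNET_RANGES = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `ss -H -tln` output, not captured from a real server.
SAMPLE_SS = """\
LISTEN 0 128  100.101.102.103:22      0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0 128  [fd7a:115c:a1e0::1]:22  [::]:*
LISTEN 0 511  0.0.0.0:8080            0.0.0.0:*
LISTEN 0 128  203.0.113.10:5432       0.0.0.0:*
LISTEN 0 128  [::]:9100               [::]:*
"""

def classify(local):
    """Map an ss 'Local Address:Port' field to (kind, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface scope
    if host == "*":
        return "wildcard", int(port)
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:                   # 0.0.0.0 or ::
        return "wildcard", int(port)
    if ip.is_loopback:
        return "loopback", int(port)
    if any(ip in net for net in TAILNET_RANGES):
        return "tailnet", int(port)
    return "other", int(port)

def audit(ss_output):
    """Return (kind, port, local) for listeners not bound to loopback or the tailnet."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        kind, port = classify(fields[3])
        if kind in ("wildcard", "other"):
            findings.append((kind, port, fields[3]))
    return findings

if __name__ == "__main__":
    # `ss -H -tln | python3 audit.py -` audits the live host; no argument uses the sample.
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_SS
    for kind, port, local in audit(text):
        note = "reachable only if the firewall allows it" if kind == "wildcard" else "bound to a non-tailnet address"
        print(f"port {port:<5} {local:<24} {note}")
```

An empty report means every listener is bound to loopback or a tailnet address; a wildcard entry means the port's privacy rests on the firewall rules alone.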
This is a deliberate trade-off. You need a Tailscale account (free for personal use) and you need to generate an auth key during setup. In exchange, you get a server that is invisible to the public internet from the moment it boots.
We get it — requiring a third-party VPN for server access isn't for everyone. If you want a raw VPS with a public IP and full control over your networking stack, there are great providers for that.
ShieldHost exists for developers who want the security done right from the start. We chose Tailscale because it's the best mesh VPN available: it's fast, it's reliable, the free tier is generous, and it integrates seamlessly with our hardened base images.
This is the foundation of everything we build. Every security feature — the locked-down firewall, the SSH hardening, the automatic updates — works better when the network layer is already private. Tailscale makes that possible without complexity.
Setting up Tailscale takes about two minutes. Here's what you need to do before creating your first ShieldHost server:
Sign up at tailscale.com. The personal plan is free and supports up to 100 devices.
Install Tailscale on your laptop or workstation so you can reach your tailnet.
In the Tailscale admin console, create a reusable auth key to paste during server setup.