A tsnet application letting Tailscale nodes access databases from anywhere, using their Tailscale identity to authenticate.

This is a POC.

Note: setup from scratch in a new environment has not been tested yet. These steps likely make assumptions about pre-existing requirements.
- Build the binary

  ```sh
  GOOS=linux GOARCH=amd64 go build -o ./cmd/ts-db-relay.exe ./...
  ```

- Start your self-hosted Tailscale server if you are not using https://login.tailscale.com/

  ```sh
  ./path/to/local/tailscale/server
  ```

- Set the `TS_AUTHKEY` and `TS_SERVER` environment variables according to your setup

  ```sh
  export TS_AUTHKEY=tskey-xxxx # a reusable ephemeral key is recommended for quick iterations
  export TS_SERVER=http://host.docker.internal:31544 # https://login.tailscale.com/ for the official Tailscale server
  ```

- Connect your workstation to your Tailscale server

  ```sh
  tailscale up --login-server=$TS_SERVER --authkey=$TS_AUTHKEY
  ```

- Run docker compose to start a container with your local binary and a Postgres database

  ```sh
  docker compose -f test-setup/compose.yml up --build
  ```
- Configure the ts-db-relay capability in your tailnet policy file (`$TS_SERVER/admin/acls/file`)

  ```json
  {
    "tagOwners": { "tag:db-postgres": ["autogroup:admin"] },
    "grants": [
      {
        "src": ["*"],
        "dst": ["tag:db-postgres"],
        "ip": ["tcp:5432", "tcp:80"],
        "app": {
          "tailscale.test/cap/ts-db-relay": [
            {
              "postgres": {
                "impersonate": {
                  "databases": ["testdb"],
                  "users": ["test"],
                },
              },
            },
          ],
        },
      },
    ],
  }
  ```

- Connect to the database over Tailscale; this works from anywhere without database credentials

  ```sh
  psql "host=<ts-db-relay-node-ip> port=5432 user=test dbname=testdb"
  ```
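The decision the relay has to make from the grant above, written out as an added example (this is not the project's own code). It assumes the relay has already obtained the connecting peer's capability map, the per-peer `capability name -> list of JSON values` structure that a tsnet application gets from a WhoIs lookup on the incoming connection, and that those values arrive as strict JSON, so they are decoded with only the standard library. The `SampleCapMap` value is constructed here to mirror the `tailscale.test/cap/ts-db-relay` grant in the policy file; `Authorize`, `ParseCapMap` and `relayCap` are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// CapName is the capability key used in the policy file above.
const CapName = "tailscale.test/cap/ts-db-relay"

// relayCap mirrors the shape of one value listed under that key in a grant.
type relayCap struct {
	Postgres struct {
		Impersonate struct {
			Databases []string `json:"databases"`
			Users     []string `json:"users"`
		} `json:"impersonate"`
	} `json:"postgres"`
}

// ParseCapMap decodes a peer capability map: capability name -> list of raw
// JSON values. This is the per-peer structure the control plane hands out for
// the grants that match a node; it is decoded with encoding/json here, so the
// input must be strict JSON (no trailing commas, unlike the policy file).
func ParseCapMap(s string) (map[string][]json.RawMessage, error) {
	var m map[string][]json.RawMessage
	if err := json.Unmarshal([]byte(s), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// Authorize reports whether a peer holding capMap may be connected to the
// database as user. It denies unless a single grant value lists both the
// database and the user (exact string match), and fails closed with an error
// if any grant value for this capability does not parse.
func Authorize(capMap map[string][]json.RawMessage, database, user string) (bool, error) {
	values, ok := capMap[CapName]
	if !ok {
		return false, nil // no ts-db-relay grant for this peer: deny by default
	}
	for _, raw := range values {
		var c relayCap
		if err := json.Unmarshal(raw, &c); err != nil {
			return false, fmt.Errorf("malformed %s grant value: %w", CapName, err)
		}
		if contains(c.Postgres.Impersonate.Databases, database) &&
			contains(c.Postgres.Impersonate.Users, user) {
			return true, nil
		}
	}
	return false, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// SampleCapMap is a constructed capability map matching the grant in the
// policy file above, as a peer of the tailnet would carry it.
const SampleCapMap = `{
  "tailscale.test/cap/ts-db-relay": [
    {"postgres": {"impersonate": {"databases": ["testdb"], "users": ["test"]}}}
  ]
}`

func main() {
	capMap, err := ParseCapMap(SampleCapMap)
	if err != nil {
		log.Fatal(err)
	}
	// Requests as they would arrive in the Postgres startup message.
	for _, req := range [][2]string{{"testdb", "test"}, {"testdb", "postgres"}, {"prod", "test"}} {
		ok, err := Authorize(capMap, req[0], req[1])
		fmt.Printf("dbname=%s user=%s -> allowed=%v err=%v\n", req[0], req[1], ok, err)
	}
}
```

Two properties matter for the relay. First, the grant's `"src": ["*"]` lets every node in the tailnet reach port 5432 on the relay, so it is the capability values, not the ACL rule itself, that decide which database and role a given node may be connected as; the check therefore denies whenever the capability is absent or the requested pair is not listed. Second, each grant value is evaluated on its own, so a database listed in one value and a user listed in another do not combine into an allowed pair, and a value that does not decode causes a deny rather than being skipped.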