Show HN: Using Tailscale with an OrbStack VM on macOS

Posted by highpost · 1 point · 1 comment

Repository: highpost/tailscale-macos-vm (GitHub)


Using Tailscale with an OrbStack VM on macOS

This repository demonstrates how to use OrbStack on macOS to provision an Ubuntu virtual machine (VM), and then add it to your tailnet.

Unlike minimal container runtimes that lack native kernel modules, OrbStack provides a fully capable Linux kernel environment. This allows Tailscale to leverage standard kernel networking (/dev/net/tun) rather than relying on userspace-networking workarounds.

OrbStack first spins up a temporary VM instance, which lets cloud-init pull its configuration from dev-server.yml, and then stops the VM. OrbStack then wakes the pre-configured VM, adds it to your tailnet using an auth key, and enables Tailscale SSH. You can then SSH to your VM from anywhere on your tailnet without exposing any host ports.

This example also demonstrates a macOS-specific method for securely storing your Tailscale auth key in Apple Keychain. Due to macOS security sandbox restrictions, the guest VM cannot directly execute security find-generic-password to pull secrets from the host. Instead, the credential must be injected from the host macOS environment during provisioning, as shown in run.sh.

Modify access controls

Before launching the VM, configure your Tailscale Access Control Lists (ACLs) to handle the automated registration and permissions.

Create a tag

Go to Access controls > Tags and define a server tag:

Tag name: myservers

Tag owners: your-email@example.com

Modify the Tailscale SSH access controls

Go to Access controls > Tailscale SSH and ensure your policy permits access to the tagged servers and specified users:

    {
        "action": "accept",
        "src": ["autogroup:admin"],
        "dst": ["tag:myservers"],
        "users": ["player1", "player2"]
    }

Add your new tag ("myservers") to the Destination (dst) array.

Add the Linux usernames defined in your cloud-config ("player1", "player2") to the Destination users (users) array.

Change "action" from "check" to "accept" for seamless SSH access.
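The three edits above are easy to get half right (a tag added to dst but a user forgotten, or the rule left on "check"). The following checker is an added example, not part of the repository: it reads a tailnet policy (sample policy constructed here, with HuJSON comments already stripped) and reports which of the three conditions an SSH rule for tag:myservers still fails.

```python
"""Lint the Tailscale SSH rules that target a server tag.

Added example, not code from the tailscale-macos-vm repository. It checks
that tag:myservers has a tagOwners entry, that some "ssh" rule lists the
tag in dst with action "accept", and that the accept rules together cover
every Linux user created by the cloud-config (player1, player2).
"""
import json

# Constructed sample policy: the second rule was edited as the README says,
# but one of the two cloud-config users was left out.
SAMPLE_POLICY = """
{
  "tagOwners": {"tag:myservers": ["your-email@example.com"]},
  "ssh": [
    {"action": "check", "src": ["autogroup:member"],
     "dst": ["autogroup:self"], "users": ["autogroup:nonroot", "root"]},
    {"action": "accept", "src": ["autogroup:admin"],
     "dst": ["tag:myservers"], "users": ["player1"]}
  ]
}
"""


def ssh_rule_problems(policy, tag, users):
    """Return human-readable problems for the SSH rules that target `tag`."""
    problems = []
    if tag not in policy.get("tagOwners", {}):
        problems.append(f"{tag} has no tagOwners entry")
    rules = [r for r in policy.get("ssh", []) if tag in r.get("dst", [])]
    if not rules:
        problems.append(f"no ssh rule has {tag} in dst")
        return problems
    accepted = set()  # users reachable without a "check" re-authentication
    for i, rule in enumerate(rules):
        if rule.get("action") == "accept":
            accepted.update(rule.get("users", []))
        else:
            problems.append(f"rule {i} for {tag} uses action {rule.get('action')!r}; "
                            "use 'accept' for non-interactive SSH")
    missing = sorted(set(users) - accepted)
    if missing:
        problems.append(f"no accept rule for {tag} grants users: {', '.join(missing)}")
    return problems


def check_policy_text(text, tag="tag:myservers", users=("player1", "player2")):
    """Parse a policy JSON string and lint it for the README's tag and users."""
    return ssh_rule_problems(json.loads(text), tag, users)


if __name__ == "__main__":
    for problem in check_policy_text(SAMPLE_POLICY):
        print("ACL problem:", problem)
```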

Create a Tailscale auth key

Generate an auth key via the Tailscale Admin Keys panel with these configurations:

Reusable: Enabled

Pre-authorized: Enabled

Tags: Choose the newly created tag: tag:myservers

Store the newly created auth key in Keychain:

./store-ts-key-keychain.sh

(Note: This creates an entry named tailscale-auth-key-dev-server in your Keychain).

Build and provision the VM

./build.sh

Start the VM and add it to your tailnet

./run.sh

Connect to the VM

Once run.sh finishes authenticating the machine, you can connect directly over your tailnet using Tailscale SSH or jump straight into the machine locally via OrbStack:

MagicDNS name: ssh player1@dev-server

built-in local SSH proxy: ssh player1@dev-server@orb

CLI: orb -m dev-server

Example: git

Once Tailscale SSH is set up correctly, it's simple to use git remotely. Let's assume that we have a git repo on dev-server. We can clone it directly without any extra authentication:

git clone player1@dev-server:~/my-proj

Files

dev-server.yml: A cloud-init recipe that specifies environment configurations, system locales, default development packages, user access profiles and installation tasks for the Tailscale engine.

build.sh: Builds and provisions an Ubuntu 25.10 environment using the cloud-init configuration in dev-server.yml.

run.sh: Pulls the auth key from Keychain and brings up the Tailscale interface (tailscale up) inside the VM with SSH enabled.

cleanup.sh: Fully tears down the setup. It logs out the VM from your tailnet, destroys the OrbStack instance, and wipes the auth...
