Tailscale Subnet Router


Run a Tailscale Subnet Router on Railway


Tailscale

tailscale/tailscale:stable


/var/lib


Tailscale makes secure networking easy

Achieve point-to-point network connectivity that enforces least privilege


About this Tutorial

This tutorial will help you connect to your database via the private network without you having to use public endpoints.

1. Getting an Auth Key

The auth key will authenticate the Tailscale machine that we'll deploy into our Railway project in a later step.

  • Head over to the Keys page located within the settings menu on the Tailscale dashboard.

  • Click Generate auth key.

    Put in a description and leave all other settings as the default.

  • Click Generate key.

    Tailscale will now show you the newly generated auth key; be sure to copy it down.

  • Click Done.

2. Configure Split DNS

Properly configuring our nameserver in Tailscale is essential for enabling local DNS lookups for our private domains.

  • Open the DNS page.

  • Under the Nameservers header, click Add Nameserver → Custom.

    This is where we'll tell Tailscale how to route the DNS lookups for our railway.internal domains.

  • Enter fd12::10 as the Nameserver.

    This DNS nameserver is used across all private networks in every environment and will handle our DNS queries for private domains.

  • Enable the Restrict to domain option, AKA Split DNS.

  • Enter railway.internal as our domain.

    This makes sure only DNS lookups for our private domain are forwarded to the private DNS resolver.

  • Click Save.

3. Deploy the Tailscale Subnet Router

This will be the gateway into our environment's private network.

  • Open the project that contains the services you want to access privately.

    For this tutorial, we will deploy the Subnet Router into a project with a Postgres database service.

  • In the top right of the project canvas, click Create → Choose Template.

  • Search for the Tailscale Subnet Router template.

    Choose the result that is published by Railway Templates.

  • A ghost service will appear; paste in your auth key from earlier.

  • Click Deploy Template.

The template will start to deploy. Once deployed, it will register itself as a machine in your tailnet, with a name automatically derived from the project's name and environment name.

4. Approve the Subnet

Our subnet router will advertise the private network's CIDR range, but we will need to manually approve it.

You will see your newly deployed machine with its name that was previously derived from the project and environment.

  • Click on the machine's 3-dot menu → Edit route settings.

  • Click the radio button next to fd12::/16 to accept it.

    This route covers the entire private networking range, allowing us to access all services within the project.

  • Click Save.

That is all the configuration needed; you can now call any service via its private domain and port, just as if you were another service within the private network!
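To confirm the setup from a machine on your tailnet, the following check (an added example, not part of the Railway template or guide) resolves a private name, verifies that every answer falls inside the approved fd12::/16 route, and then tests the TCP port. The service name postgres.railway.internal and port 5432 are assumed placeholders.

```python
import ipaddress
import socket
import sys

PRIVATE_RANGE = ipaddress.ip_network("fd12::/16")  # route approved in step 4
SPLIT_DNS_SUFFIX = ".railway.internal"             # domain restricted in step 2


def check_private_target(host, port, resolve=socket.getaddrinfo,
                         connect=socket.create_connection):
    """Return (ok, findings) for one private service name and port.

    resolve/connect are injectable so the logic can be exercised offline.
    """
    if not host.rstrip(".").endswith(SPLIT_DNS_SUFFIX):
        return False, [f"{host}: not under {SPLIT_DNS_SUFFIX}, split DNS does not apply"]
    try:
        infos = resolve(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, [f"{host}: lookup failed ({exc}); check the fd12::10 nameserver"]

    # Drop any %scope suffix before parsing the resolved addresses.
    addrs = sorted({info[4][0].split("%")[0] for info in infos})
    inside = [a for a in addrs if ipaddress.ip_address(a) in PRIVATE_RANGE]
    findings = [f"{host} -> {a}: outside {PRIVATE_RANGE}, not a private-network answer"
                for a in addrs if a not in inside]
    ok = bool(inside) and not findings

    for addr in inside:
        try:
            connect((addr, port), timeout=3).close()
            findings.append(f"{host} -> [{addr}]:{port} reachable over the subnet route")
        except OSError as exc:
            ok = False
            findings.append(f"[{addr}]:{port} unreachable ({exc}); is {PRIVATE_RANGE} approved?")
    return ok, findings


if __name__ == "__main__":
    # Hypothetical service name and port; substitute your own private domain.
    name, port = "postgres.railway.internal", 5432
    ok, findings = check_private_target(name, port)
    print("\n".join(findings))
    sys.exit(0 if ok else 1)
```

An answer outside fd12::/16 means the lookup was not served by the private resolver, so the split DNS entry is the first thing to recheck.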



Railway Templates

Created on Aug 20, 2024
