Restrict PostgreSQL Remote Access to your Tailnet

I'm a convert to Tailscale. The user experience is fantastic and having all of my devices and servers protected by a Wireguard virtual network gives me peace of mind.

I'm progressively locking down all of my servers and services to only talk over my Tailscale network. Here's how I have done it for PostgreSQL. As with any configuration to something as important as a database please make sure you've read and understood the relevant documentation before taking the word of a random person on the internet.

First, the machine that your PostgreSQL database is running on needs to be connected to your Tailscale network - usually called your 'tailnet'.

To allow access to your PostgreSQL database from other machines on the same tailnet you need to amend 2 configuration files; postgresql.conf and pg_hba.conf.

In postgresql.conf you define which network interfaces the server will listen on, the recommendation here is to allow the server to listen on every interface the server has defined by adding a line that looks like this;

listen_addresses = '*'

It may be possible to further lock down our server by restricting this to just the Tailscale network interface, but I haven't figured out how to do that yet.

The second part is to allow remote access via the tailnet in pga_hba.conf. This is done by adding a line to the bottom of that file that looks like this;

host    all         all       md5

This will allow connection to any local database by any user as long as they come from a Tailscale IP address. specifies the set of IP addresses that Tailscale uses. For details of the IP range that Tailscale uses check out their FAQ.

The final step is to restart your PostgreSQL server. Once this is done any client device connected to the same tailnet will be able to access your PostgreSQL database.