Using a DigitalOcean Droplet as an SSH Jump Host
Sometimes you lose access to a VPN client on your work machine — MDM policies, security software conflicts, or corporate restrictions can pull the rug out from under you (which is exactly what happened to me yesterday). I tried to fight the system, but this time the sysadmins were stronger and Tailscale refused to rise again on my work MacBook. Well, it was sad news, but as a software engineer I am entitled to fix things that other engineers broke. I recalled that I have a cheap droplet on DigitalOcean, which I'm constantly forgetting to shut down, and that was it. I'm going to install Tailscale on the droplet and use it as a proxy for machines on my network without needing a VPN client at all.
Prerequisites
- A DigitalOcean droplet running Ubuntu 24.04 LTS
- Tailscale[1] installed on your target machines
- SSH access to the droplet
1. Rebuild the Droplet (if needed)
My droplet was running an EOL Ubuntu version (I had been ignoring it for a really long time), so I had to rebuild it:
- DO dashboard → your droplet → Settings tab → Rebuild
- Choose Ubuntu 24.04 LTS
- Wait ~2 minutes
Your droplet IP stays the same after a rebuild. I also had to reset the root password after the rebuild; that option is on the same Settings tab.
2. Install Tailscale on the Droplet
curl -fsSL https://tailscale.com/install.sh | sh
systemctl enable --now tailscaled
For headless servers, skip the interactive login and use an auth key instead:
- Go to login.tailscale.com/admin/settings/keys
- Generate a one-time auth key
- Run:
tailscale up --auth-key=tskey-auth-xxxxx
Verify it joined your mesh:
tailscale status
Note: I had to skip interactive login because tailscale login simply didn't work for me, but maybe it was just my bad luck. You should try it anyway.
3. Copy Your SSH Key to the Droplet
To avoid being asked for a password on every connection:
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@your.droplet.ip
Note: I have a couple of SSH keys (don't ask, I have a rich and diverse private life), which is why I specified the preferred key with -i.
4. Configure SSH Jump Host on Your Local Machine
Edit ~/.ssh/config:

Host tunnel
    HostName your.droplet.ip
    User root
    IdentityFile ~/.ssh/id_ed25519

Host machine-a
    HostName 100.x.x.x
    User youruser
    ProxyJump tunnel

Host machine-b
    HostName 100.x.x.x
    User youruser
    ProxyJump tunnel

Replace the 100.x.x.x addresses with your Tailscale IPs (tailscale ip on each machine).
5. Connect
ssh youruser@machine-a
The connection routes transparently through the droplet into your Tailscale mesh. The droplet hop is passwordless thanks to the key; you only authenticate to the target machine.
How It Works
Local machine → droplet (public IP) → target machine (Tailscale IP)
The droplet acts as a relay — it has a public IP reachable from anywhere, and a Tailscale IP that can reach all your private machines. No VPN client needed on your local machine.
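The droplet's SSH port is reachable from anywhere and the jump entry above logs in as root, while ProxyJump itself only needs a forwarded TCP channel. The following is an added example, not part of the original post: a server-side drop-in and matching client entry that move the hop to an unprivileged account limited to forwarding. The account name "jump" and the drop-in file name are assumptions; the 100.x.x.x values are the same placeholders used in step 4.

```sshconfig
# --- On the droplet: /etc/ssh/sshd_config.d/10-jump-host.conf (assumed name) ---
# sshd keeps the first value it reads for each keyword, so this file must sort
# before any other drop-in that sets the same options.
# Assumes an unprivileged account "jump" already exists and your public key is
# in /home/jump/.ssh/authorized_keys.

# Key-based logins only on the internet-facing port.
PasswordAuthentication no
KbdInteractiveAuthentication no
# Root stays reachable for administration, but never with a password.
PermitRootLogin prohibit-password

Match User jump
    # ProxyJump opens a forwarded TCP channel; it never needs a shell.
    AllowTcpForwarding local
    # Only allow forwarding to the SSH port of the target machines.
    # Replace with the Tailscale IPs used in ~/.ssh/config.
    PermitOpen 100.x.x.x:22 100.x.x.x:22
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no
    # Any attempt to start a session gets nologin instead of a shell.
    ForceCommand /usr/sbin/nologin

# --- On the local machine: ~/.ssh/config, replacing the "tunnel" entry ---
Host tunnel
    HostName your.droplet.ip
    User jump
    IdentityFile ~/.ssh/id_ed25519
    # Offer only this key instead of every key the agent holds.
    IdentitiesOnly yes
```

Check the server file with `sshd -t` before reloading the SSH service, and keep an existing root session open until a new connection through the jump entry succeeds.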
Conclusion
That's it, my Tailscale network is back with me. No one can stand between me and SSH access to my pet projects during working hours.
[1] Tailscale is a zero-config VPN built on WireGuard. It creates a private mesh network between your devices — each gets a stable IP, and they can reach each other securely regardless of where they are. Think of it as your own private internet for your machines.