The setup that works for me: TermRover + Tailscale

How I reach my home machines and VPS from my phone over SSH, from anywhere, without ever exposing a port to the public internet. Tailscale + TermRover, end to end.

I run long jobs on machines that aren’t in front of me: a desktop at home, a couple of VPS boxes, a build server in the corner of the office. The whole reason I built TermRover was to keep an eye on that work from my phone. But there’s a question that comes before any terminal app: how does my phone actually reach those machines?

The answer I’ve landed on, and the one I recommend to everyone who asks, is Tailscale. It’s the missing half of the setup. TermRover is the terminal; Tailscale is the network that gets you to it.

Here’s exactly how I have it wired up.

Why not just open port 22?

The obvious thing is to forward port 22 on your router and point your phone at your home IP. Don’t.

The moment an SSH port is reachable from the public internet, it gets found. Within minutes you’ll see a steady stream of bots trying root/admin/password. Even with key-only auth and fail2ban, you’re now in the business of running a hardened, internet-facing service: patching it, watching the logs, hoping you got every detail right. That’s a lot of ongoing risk for the convenience of reaching one machine from your couch.

The better model is: don’t expose anything. Put your devices on a private network that only you can join, and let your phone be a member of it. That’s exactly what Tailscale does.

What Tailscale actually is

Tailscale builds a WireGuard-based mesh VPN between your devices. You install it on each machine, log in with the same account, and they all get a stable private IP in the 100.x.y.z range (your tailnet). Those IPs work from anywhere (coffee shop, mobile data, another country) because Tailscale handles the NAT traversal for you.

Nothing is exposed to the public internet. Your VPS’s SSH port stays bound to the tailnet. The only thing that can reach it is another device you’ve personally added to your tailnet. No port forwarding, no dynamic DNS, no firewall holes.

It’s free for personal use and the device limit is generous. This isn’t a paid plug. It’s just what I use.

The setup, step by step

1. Install Tailscale on each machine

On a Linux box (home desktop, VPS, build server):

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

It prints a login URL. Open it, authenticate, done. Run tailscale ip -4 and note the 100.x.y.z address. That’s how your phone will reach it.

Do this on every machine you want to reach. They’ll all show up in your Tailscale admin console.
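
Installing Tailscale does not by itself change where sshd listens, so the "SSH port stays bound to the tailnet" property is worth checking on each machine, especially a VPS with a public address. The script below is an added example, not part of the original setup: it reads `ss -Htln` output and prints any listener on port 22 that is neither loopback nor inside Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48); the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list SSH listeners that are reachable from outside the tailnet.
# Input on stdin: `ss -Htln` lines (State Recv-Q Send-Q Local:Port Peer:Port).

# True if $1 is an IPv4 address inside 100.64.0.0/10 (Tailscale's IPv4 range).
in_tailnet_v4() (
  a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}
  [ "$a" = 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]
)

# Print each local address:port on port $1 (default 22) that is neither
# loopback nor a tailnet address, i.e. reachable from other networks.
exposed_listeners() (
  port=${1:-22}
  while read -r state rq sq laddr peer; do
    [ "$state" = LISTEN ] || continue
    [ "${laddr##*:}" = "$port" ] || continue
    addr=${laddr%:*}                    # drop the :port suffix
    addr=${addr#\[}; addr=${addr%\]}    # drop IPv6 brackets
    addr=${addr%%\%*}                   # drop a %interface scope
    case $addr in
      127.*|::1) continue ;;            # loopback only
      fd7a:115c:a1e0:*) continue ;;     # Tailscale IPv6 range
      *.*.*.*) if in_tailnet_v4 "$addr"; then continue; fi ;;
    esac
    printf '%s\n' "$laddr"
  done
)

# Constructed sample: sshd on a fresh VPS, listening on every interface.
sample_default() {
  printf '%s\n' \
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
    'LISTEN 0 128 [::]:22 [::]:*' \
    'LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'
}

# Constructed sample: sshd restricted to the machine's tailnet addresses.
sample_tailnet_only() {
  printf '%s\n' \
    'LISTEN 0 128 100.101.102.103:22 0.0.0.0:*' \
    'LISTEN 0 128 [fd7a:115c:a1e0::1]:22 [::]:*'
}

# On a real host: ss -Htln | exposed_listeners 22
sample_default | exposed_listeners 22        # prints 0.0.0.0:22 and [::]:22
sample_tailnet_only | exposed_listeners 22   # prints nothing
```

If the check prints anything, restrict sshd to the tailnet address with `ListenAddress` in sshd_config, or block port 22 on the public interface in the host or provider firewall.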

2. Install Tailscale on your phone

Grab the Tailscale app from the App Store or Play Store, sign in with the same account, and toggle it on. Your phone is now a member of the tailnet. That’s the whole trick: your phone can now talk to those 100.x.y.z addresses directly.

3. Add the host in TermRover

Open TermRover and create a new host:

  • Host: the machine’s Tailscale IP, e.g. 100.101.102.103
  • Port: 22
  • User: your normal SSH user
  • Auth: an SSH key (TermRover can generate one for you, or import an existing one)

Connect. You’re in, over an encrypted WireGuard tunnel, from anywhere, with nothing exposed.

Tip: turn on MagicDNS in the Tailscale admin console and you can use names instead of IPs. The host is then just desktop, as in ssh you@desktop: easier to remember, and it survives an IP change.

4. Keep the work alive with tmux

Tailscale gets your packets there; tmux keeps your session alive when they stop. Mobile connections drop. You walk into an elevator, your phone switches from Wi-Fi to cellular, the screen locks. If your shell is a child of the SSH connection, it dies with it.

So I never run anything important in a bare shell. I run it inside tmux:

tmux new -s work     # first time
tmux attach -t work  # every time after

When the connection drops, the work keeps running on the server. Reconnect, tmux attach, and you’re looking at exactly where it left off. TermRover leans hard into this. The row of tmux keys above the keyboard means you’re not fighting Ctrl-B on a touchscreen.

A few details are what make this genuinely workable from a phone, rather than a party trick. The session picker lets me keep an editor in one session and an agent in another and jump between them in a single tap, with no prefix gymnastics. And when I need to read back through what scrolled past, like a stack trace or a build log, mouse mode turns a thumb-swipe into scrollback, so I can move through history instead of fighting the terminal. Those small things are what decide whether you actually reach for your phone or give up and wait until you’re back at a desk.

What this gets me

With this in place, the location of the machine stops mattering. The home desktop behind a residential NAT, the VPS in another country, the laptop that moved from home Wi-Fi to a café: all of them are just names on my tailnet. I open TermRover, pick a host, attach to tmux, and I’m looking at the same work I left this morning.

No exposed ports. No bastion host to maintain. No VPN client to fuss with per-connection. It just works, and it stays out of the way, which is the whole point.

If you’ve been hesitating to reach your machines remotely because exposing SSH felt risky: this is the setup. Tailscale for the network, TermRover for the terminal, tmux so nothing dies when your phone does.