SECURITY RUNBOOK / 01
Private MidTerm access over Tailscale.
A direct field manual for exposing the browser workspace to a tailnet without publishing port 2000 to the internet or confusing network admission with application security.
By Johannes G. E. Schmidt · Published July 14, 2026
BOUNDARY / 02
Three controls. Keep all three.
Tailscale protects the route. The host controls exposure. MidTerm authenticates the operator.
Browser device
A signed-in tailnet device opens the host's private 100.x address.
WireGuard path
Tailscale uses a direct peer connection when possible; otherwise it can use an end-to-end encrypted peer relay or DERP relay.
MidTerm HTTPS
MidTerm, its PTYs, agents, files, and credentials remain on the host.
| Bind | MidTerm defaults to 0.0.0.0:2000: all host interfaces, not only Tailscale. A LAN route may therefore remain reachable. |
|---|---|
| Firewall | The host firewall remains your responsibility. Scope inbound TCP 2000 to the Tailscale interface or intended private sources if the service must be tailnet-only. |
| Authentication | Keep MidTerm's HTTPS and password enabled. Tailnet membership is an additional boundary, not a replacement for application authentication. |
| Internet edge | Do not create a router port forward for TCP 2000. Tailscale supplies the private path without publishing the service on the public internet. |
RUNBOOK / 03
Direct private-IP setup
- Install MidTerm natively on the host, then install Tailscale on the host and every browser device.
- Sign the devices into the same tailnet. On the host, run
tailscale statusandtailscale ip -4; record the host's100.xaddress. - Review the host firewall. If tailnet-only access is the goal, remove or replace any broad inbound TCP 2000 rule that also accepts LAN traffic.
- Keep MidTerm password authentication enabled and use a long, unique password. Do not treat possession of a tailnet identity as a MidTerm login.
- Connect Tailscale before MidTerm generates its certificate. Then open
https://100.x.y.z:2000from the client. - Verify the certificate fingerprint out of band and trust the generated certificate on each client instead of repeatedly bypassing the browser warning.
Transport detail: Tailscale attempts a direct WireGuard connection. When NAT or a firewall prevents it, traffic can use a peer relay and then fall back to DERP. All three connection types remain end-to-end encrypted; neither relay terminates MidTerm HTTPS or decrypts the payload. See Tailscale connection types and encryption.
Once the route is secure, the agent-control CLI and API reference shows how agents address exact sessions, inspect evidence, and publish explicit work state.
POLICY / 04
Grant one identity one port
A new tailnet commonly starts with an allow-all ACL. Tailscale policy rules are additive: adding a narrow grant does not cancel an existing wildcard allow rule. Remove or replace the default allow-all rule before relying on a least-privilege grant.
{
"grants": [
{
"src": ["you@example.com"],
"dst": ["100.101.102.103"],
"ip": ["tcp:2000"]
}
]
}
Replace the example identity and host IP. Merge the grant into the tailnet policy, save it, and confirm no broader ACL or grant still permits the same destination. Use the official grants syntax, policy selectors, and default ACL examples as the source of truth.
VERIFY / 05
Prove the boundary.
Test the intended route and the routes that should fail.
| Tailnet | Run tailscale ping 100.101.102.103 from the intended client. Confirm the host and expected route in tailscale status. |
|---|---|
| Browser | Open the private HTTPS address, confirm the certificate fingerprint, sign in to MidTerm, and exercise a terminal, upload, history, and reconnect. |
| Negative test | From an identity excluded by policy, TCP 2000 should fail. If tailnet-only access is intended, the host's LAN address on port 2000 should also fail. |
| Certificate | MidTerm snapshots active interface IPs into the certificate SANs at generation time. Regenerate after Tailscale is active if the 100.x address is missing. |
| DNS name | A Tailscale MagicDNS name is not automatically a MidTerm certificate SAN. Use a covered address or deploy a certificate that covers the chosen name. |
LIMITS / 06
What this setup does not solve.
Private transport narrows exposure; it does not administer the host for you.
| Host state | The computer must remain powered, patched, and running MidTerm. Local users and software retain whatever host access the operating system gives them. |
|---|---|
| Other interfaces | Tailscale policy cannot block traffic that arrives over Ethernet, Wi-Fi, another VPN, or a public interface. Bind and firewall those paths deliberately. |
| Serve | Tailscale Serve can publish a loopback backend only inside the tailnet. It is not yet a verified MidTerm topology: smoke-test WebSockets, uploads, history, and reconnect before using it operationally. |
| Funnel | Tailscale Funnel is public internet exposure. Do not substitute it for Serve or direct tailnet access in this runbook. |
FAQ / 07
Exact answers
Does Tailscale replace MidTerm authentication?
No. Tailscale controls the network path; MidTerm still controls application access. Keep MidTerm HTTPS and its password enabled, and restrict the tailnet policy to the intended identities and host.
Should I forward port 2000 on my router?
No. Do not expose MidTerm through a public router port forward. Reach the host through its private Tailscale address; direct, peer-relayed, and DERP-relayed Tailscale paths remain end-to-end encrypted.
Why can the browser still warn about the certificate?
MidTerm uses a locally generated certificate whose SANs reflect interfaces present when it was generated. Connect Tailscale first, regenerate if needed, verify the fingerprint out of band, and trust the certificate on each client. A MagicDNS name may not be in the certificate.
Can I put MidTerm behind Tailscale Serve?
Possibly, but treat it as experimental for MidTerm. Tailscale Serve is tailnet-only, yet MidTerm's WebSocket, upload, and history flows have not been verified end to end through this topology. Direct MidTerm HTTPS over the Tailscale address is the documented baseline.
PRIMARY SOURCES / 08