Tailscale setup for PocketNOC
Last updated: 2026-05-24
Reach your SolarWinds Orion server from PocketNOC over Tailscale, without exposing Orion to the public internet or running a corporate VPN.
Overview
Tailscale is a mesh VPN built on WireGuard. Once installed, it puts every device you log in from on the same private network with no port forwarding, no public DNS names or certificates, and no exposure of the Orion server to the internet. This guide walks through setting it up so PocketNOC on your phone can reach the SolarWinds Orion SWIS API at https://orion-prod.tail1234.ts.net:17778 (or whatever MagicDNS name your server gets).
If you already have a corporate VPN that gets your phone to the Orion subnet, use that — it's simpler. Tailscale is the right answer when you don't have one, or when you want a per-device ACL surface that's tighter than "phone is on the LAN."
Prerequisites
- A SolarWinds Orion server you can already reach from your workstation.
- A Tailscale account (free tier is fine for personal / small teams).
- Admin access to the Orion server's OS (Windows in most cases) so you can install the Tailscale client.
- PocketNOC installed on iOS or Android, with a Pro subscription or demo mode for evaluation.
Setup
1. Install Tailscale on the Orion server
On the Windows Server hosting Orion, download the MSI from tailscale.com/download and install it. The Windows client runs as a service, but by default the tunnel is only up while a user is logged in; enable "Run unattended" so it stays up without a session. Join the tailnet with a tagged pre-authentication key (Settings > Keys in the admin console; the tag must already exist in tagOwners, see step 3) rather than by signing in as a person, so the server's node identity is the machine tag tag:orion and not an employee account that may later be removed.
After install:
- Authenticate the node: either sign in interactively (a browser opens; complete the identity-provider login) or, preferably, use the tagged auth key from the command line so no personal account is tied to the server.
- Note the device's Tailscale name (e.g. orion-prod.tail1234.ts.net); you'll point PocketNOC at this hostname.
- Leave the exit-node setting off (the default) so the server's outbound traffic stays on its existing path; Tailscale should carry only tailnet traffic to and from the server.
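The unattended join described above, as an added example that is not part of the PocketNOC documentation. It assumes the MSI has already been downloaded to a hypothetical path, that a pre-authentication key carrying tag:orion was generated in the admin console (which requires the tagOwners entry from step 3 to exist first), and that the key value replaces the placeholder.

```powershell
# Added example (not from the PocketNOC docs): unattended Tailscale join for the Orion server.
# Assumptions: MSI already downloaded to C:\Temp (hypothetical path); a pre-auth key created
# with tag:orion attached (tagOwners for tag:orion must exist before the key can be created);
# the placeholder key below replaced with the real one.
$tailscale = 'C:\Program Files\Tailscale\tailscale.exe'

# Silent install; the service is registered by the MSI.
Start-Process msiexec.exe -ArgumentList '/i', 'C:\Temp\tailscale-setup.msi', '/quiet', '/norestart' -Wait

# Join as a tagged machine identity rather than as the logged-in user.
# --unattended (Windows only) keeps the tunnel up when nobody is logged on.
# --advertise-tags must match the tag baked into the auth key (older clients spell the key flag --authkey).
& $tailscale up --auth-key 'tskey-auth-REPLACE-ME' --advertise-tags 'tag:orion' --unattended

# Record the MagicDNS name PocketNOC will use and confirm the node shows the tag, not a user.
& $tailscale status --json | ConvertFrom-Json |
    Select-Object -ExpandProperty Self |
    Select-Object HostName, DNSName, Tags, TailscaleIPs
```

If `Tags` comes back empty, the node was authenticated as a user rather than with the tagged key; tag it from the Machines tab before going on, or re-run `tailscale up` with the key.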
2. Install Tailscale on your phone
iOS: search "Tailscale" in the App Store. Sign in with the same account. Android: same flow via Google Play.
After install, the phone gets its own Tailscale name and IP in the same tailnet as the Orion server.
3. Add an ACL that limits the phone's access
By default everything on a tailnet can reach everything else. For a server holding monitoring data, tighten this.
In the Tailscale admin console under Access Controls, replace the default ACL with something like:
{
  "tagOwners": {
    "tag:orion": ["autogroup:admin"],
    "tag:pocketnoc-client": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:pocketnoc-client"],
      "dst": ["tag:orion:17778"]
    }
  ]
}
Then tag the Orion server tag:orion and your phone tag:pocketnoc-client from the Machines tab (or advertise tag:orion with the server's auth key). With the default allow-all rule gone, phones can reach only the SWIS port (17778) on the server, nothing else on the tailnet can reach the server, and the server cannot initiate connections to the phones. Tagging a device replaces its user identity with the tag for ACL purposes; if you would rather key on the person than on the device, put the user (e.g. jason@yourcompany.com) in src instead of tag:pocketnoc-client.
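The same policy with a "tests" section that asserts what the rule above is meant to guarantee, then checked against Tailscale's validate endpoint, which runs the tests without saving the policy. This is an added example, not part of the PocketNOC documentation; it assumes an API access key with ACL permission in $env:TS_API_KEY and uses the "-" alias for that key's tailnet. The policy is HuJSON, so the comments inside it are legal.

```powershell
# Added example (not from the PocketNOC docs): the step-3 policy plus ACL tests, validated via
# the Tailscale API without saving. Assumptions: $env:TS_API_KEY holds an API access key with
# ACL permission; "-" selects that key's tailnet.
$policy = @'
{
  "tagOwners": {
    "tag:orion":            ["autogroup:admin"],
    "tag:pocketnoc-client": ["autogroup:admin"]
  },
  "acls": [
    // Phones reach SWIS and nothing else; there is no rule in the other direction.
    { "action": "accept", "src": ["tag:pocketnoc-client"], "dst": ["tag:orion:17778"] }
  ],
  "tests": [
    {
      // The phone tag may reach SWIS over HTTPS and must be refused everything else on the server.
      "src":    "tag:pocketnoc-client",
      "accept": ["tag:orion:17778"],
      "deny":   ["tag:orion:443", "tag:orion:3389", "tag:orion:17777"]
    },
    // The server must not be able to reach back into phones on any port.
    { "src": "tag:orion", "deny": ["tag:pocketnoc-client:*"] }
  ]
}
'@

$headers = @{ Authorization = "Bearer $env:TS_API_KEY" }
try {
    $result = Invoke-RestMethod -Method Post `
        -Uri 'https://api.tailscale.com/api/v2/tailnet/-/acl/validate' `
        -Headers $headers -ContentType 'application/hujson' -Body $policy
    # Syntax errors come back as an HTTP error (caught below); failing tests come back
    # in a "message" field of an otherwise successful response.
    if ($result.message) { Write-Error "Policy rejected: $($result.message)" }
    else { Write-Host 'Policy parsed and all ACL tests passed.' }
} catch {
    Write-Error "Validation request failed: $($_.ErrorDetails.Message)"
}
```

Keep the tests in the saved policy too: every later edit to the ACL is then checked against them on save, so someone adding a convenience rule for RDP cannot silently widen what the phone tag can reach.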
4. Confirm reachability
On your phone, open Safari/Chrome and visit https://orion-prod.tail1234.ts.net:17778. You should get a TLS warning if the server uses a self-signed cert (expected; accept nothing here, the fingerprint check happens in step 5 via PocketNOC's TOFU prompt). If the connection times out, double-check the ACL tags. If it is refused immediately, the phone is reaching the server and the problem is on the host: the Windows Firewall or the SWIS service itself, not Tailscale.
5. Point PocketNOC at the Tailscale name
Open PocketNOC, choose Connect to your Orion server, and enter:
- Host: orion-prod.tail1234.ts.net (your Tailscale name)
- Port: 17778 (default SWIS)
- Username / password: a dedicated read-only Orion account (do NOT use your admin account; see "SolarWinds account recommendations" below)
On first connect, PocketNOC shows the server's certificate fingerprint. Compare it against the fingerprint of the certificate actually bound to 17778, read out of band on the Orion server itself: open the SWIS certificate in the server's Local Machine personal store (Cert:\LocalMachine\My), or run openssl s_client -connect localhost:17778 </dev/null | openssl x509 -noout -fingerprint -sha256 on the server, using the same hash algorithm PocketNOC displays. Only if it matches, accept. PocketNOC pins the fingerprint and warns loudly on future connects if it ever changes, so this one comparison is what the trust-on-first-use model rests on; a fingerprint you never checked is a fingerprint you trust blindly.
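Two helpers for that comparison, as an added example that is not part of the PocketNOC documentation: one reads the certificate the phone will see by opening a TLS session to the Tailscale name (run from any tailnet device), the other reads it straight from the server's certificate store (run on the Orion server; this is the authoritative value). It assumes PocketNOC shows a SHA-256 fingerprint, a hypothetical hostname, and the usual SWIS certificate subject name as the store filter.

```powershell
# Added example (not from the PocketNOC docs): SWIS certificate fingerprint from the wire and
# from the server's store, so the value PocketNOC shows can be checked out of band.
# Assumptions: PocketNOC displays SHA-256 (swap in [Security.Cryptography.SHA1] if it shows SHA-1);
# hostname is a placeholder; the store filter matches the default SWIS certificate subject.

function ConvertTo-Fingerprint([byte[]]$RawData) {
    # Colon-separated uppercase SHA-256 of the DER bytes, the form most clients display.
    $hash = [Security.Cryptography.SHA256]::Create().ComputeHash($RawData)
    ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'
}

function Get-ServerCertFingerprint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 17778)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept anything in the callback: we are reading the certificate, not trusting it yet.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [PSCustomObject]@{
            Source      = "wire $HostName`:$Port"
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            Fingerprint = ConvertTo-Fingerprint $cert.RawData
        }
    } finally { $tcp.Close() }
}

function Get-StoreCertFingerprint {
    # Run on the Orion server. Subject pattern is an assumption; adjust if a CA-issued cert replaced it.
    param([string]$SubjectPattern = '*SolarWinds-Orion*')
    Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like $SubjectPattern | ForEach-Object {
        [PSCustomObject]@{
            Source      = 'LocalMachine\My'
            Subject     = $_.Subject
            NotAfter    = $_.NotAfter
            Fingerprint = ConvertTo-Fingerprint $_.RawData
        }
    }
}

# From a laptop on the tailnet: what the phone sees.
$wire = Get-ServerCertFingerprint -HostName 'orion-prod.tail1234.ts.net'
$wire | Format-List

# Paste the value from PocketNOC's prompt here; accept the prompt only if this holds.
$shownByPocketNOC = 'REPLACE-WITH-VALUE-FROM-PHONE'
if ($wire.Fingerprint -eq $shownByPocketNOC) { 'Fingerprint matches; safe to accept.' }
else { 'MISMATCH: do not accept; something between the phone and SWIS is terminating TLS.' }
```

The wire value and the store value must agree with each other and with the phone. If the store value differs from the wire value, something other than SWIS is answering on 17778 and the phone should not be connected until that is understood.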
Firewall requirements
Outbound (from each Tailscale device)
Tailscale's device-to-device (WireGuard) traffic is UDP; the client listens on 41641 by default and discovers direct paths with STUN (UDP 3478). When direct UDP is blocked, traffic falls back to Tailscale's DERP relays over HTTPS (443/tcp), still end-to-end encrypted, just slower. The daemon reaches the control plane over HTTPS at controlplane.tailscale.com. Most corporate egress firewalls already allow all of this; if only 443/tcp is open, everything still works via DERP.
Internal (from phone to Orion)
The Tailscale ACL above is the only allow-list you need for traffic between tailnet devices: once it accepts, the phone can reach 17778/tcp on the Orion server and nothing else. The ACL governs what Tailscale forwards, not what the host accepts, so the Orion server's Windows Firewall must still allow inbound 17778/tcp (on all profiles, or at least on the Tailscale interface).
SolarWinds account recommendations
Create a dedicated Orion account for PocketNOC, regardless of which transport you use. The recommended pattern:
- A local Orion account named something like mobile-readonly-jason@yourcompany.
- Membership in a read-only Orion group, scoped to the views and nodes the user actually needs.
- Active Directory accounts work too; pass them in DOMAIN\username form (down-level) rather than UPN.
- Never reuse the SolarWinds admin account for PocketNOC. The blast radius of a lost phone gets much smaller this way.
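A way to exercise the dedicated account before putting it on the phone, as an added example that is not part of the PocketNOC documentation: it queries the same SWIS v3 JSON endpoint PocketNOC uses, pinning the server certificate by the fingerprint verified in step 5 instead of disabling TLS checks. It assumes Windows PowerShell 5.1 (whose Invoke-RestMethod honours ServicePointManager callbacks; PowerShell 7 does not), the Orion SDK's documented Query path, and placeholder host, account and fingerprint values.

```powershell
# Added example (not from the PocketNOC docs): pinned SWQL query as the read-only PocketNOC account.
# Assumptions: Windows PowerShell 5.1; SWIS v3 JSON Query endpoint as documented in the Orion SDK;
# placeholders for host, account and the SHA-256 fingerprint verified in step 5.
$script:SwisHost     = 'orion-prod.tail1234.ts.net'
$script:SwisPort     = 17778
$script:PinnedSha256 = 'REPLACE-WITH-FINGERPRINT-VERIFIED-IN-STEP-5'   # AA:BB:CC:... form

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Trust exactly one certificate: the pinned one. Chain and hostname errors on a self-signed
# SWIS cert are ignored only because the raw certificate bytes are being compared instead.
[Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    $hash = [Security.Cryptography.SHA256]::Create().ComputeHash($cert.GetRawCertData())
    (($hash | ForEach-Object { $_.ToString('X2') }) -join ':') -eq $script:PinnedSha256
}

function Invoke-SwisQuery {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Swql = 'SELECT TOP 5 NodeID, Caption, Status FROM Orion.Nodes'
    )
    $uri = "https://$($script:SwisHost):$($script:SwisPort)/SolarWinds/InformationService/v3/Json/Query" +
           "?query=$([uri]::EscapeDataString($Swql))"
    # SWIS expects pre-emptive Basic auth; acceptable only because the transport is TLS inside the tailnet.
    $pair = "$($Credential.UserName):$($Credential.GetNetworkCredential().Password)"
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Basic $auth" }).results
}

# Prompts for the mobile account's password. Use DOMAIN\user form for AD accounts; never the admin account.
$cred  = Get-Credential -UserName 'mobile-readonly-jason@yourcompany' -Message 'PocketNOC read-only account'
$nodes = Invoke-SwisQuery -Credential $cred
if (-not $nodes) {
    Write-Warning 'Login worked but the query returned no rows: the account is not scoped to any nodes.'
} else {
    $nodes | Format-Table NodeID, Caption, Status
}
```

A 401 here means the credentials or the account type (local vs. AD, UPN vs. down-level) are wrong; a successful call with zero rows means the account's group grants no node visibility, which is the same symptom PocketNOC shows as "login succeeds but no data loads". A TLS failure means the pinned fingerprint no longer matches what SWIS presents, and that should be investigated before touching the pin.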
Troubleshooting
Connection times out from the phone but works from a laptop. Almost always a Tailscale ACL issue. Check that both devices are in the same tailnet and that the ACL accepts tag:pocketnoc-client → tag:orion:17778.
TLS error on first connect. If the Orion server uses a self-signed cert (common), PocketNOC's TOFU prompt should appear. If you see a hard TLS failure instead, the certificate bound to 17778 may be broken or expired; SWIS has its own HTTPS listener, separate from the IIS web console, so a working console on 443 proves nothing about it. Check that https://localhost:17778 works from the server itself.
Login succeeds but no data loads. The Orion account likely lacks read permission on the views PocketNOC queries. Try logging into the Orion Web Console with the same account — if you see empty dashboards there, fix the account's group membership.
Push notifications work intermittently. iOS suspends the Tailscale tunnel when the app is fully backgrounded for long periods, so anything that must reach Orion from the phone in the background fails. Enable the VPN On Demand option in the Tailscale iOS app settings (on Android, make Tailscale the system's Always-on VPN) for reliable background delivery.
Security considerations
- Tailscale's coordination plane sees device identities and distributes each node's public key, but never your packet payloads; the WireGuard layer is end-to-end encrypted between devices. Because the control plane hands out the keys, it is trusted for node identity; Tailnet Lock removes that trust by requiring new nodes to be signed by keys you hold.
- Use Tailscale's key expiry to rotate device keys on a 90-day cadence. Tagged devices (the Orion server, and the phone if you tag it) have key expiry disabled by default, so enable it per machine from the Machines tab or rotate those keys on a schedule by hand.
- Do not add management ports on tag:orion (RDP 3389, WinRM 5985/5986, SWIS net.tcp 17777) to the ACL unless you specifically need them, and if you do, grant them to an admin group, never to tag:pocketnoc-client.
- Audit who is in the tailnet. Phones get tagged tag:pocketnoc-client; nothing in the tailnet should be able to reach Orion except via that tag.
Further reading
- Cloudflare Tunnel setup — alternative if you prefer Cloudflare-managed access controls.
- ZeroTier setup — similar mesh-VPN pattern, different vendor.
- WireGuard setup — self-hosted equivalent if you don't want a SaaS coordination plane.