VPN Setup

This guide walks you through installing and configuring the Synderys VPN client so you can securely access internal services from any location.

Before You Begin

You will need:

  • Your Synderys username, password, and enrolled MFA device
  • Administrator access on your computer to install software
  • An internet connection

How the VPN Works

Synderys uses Tailscale as the VPN client, connected to a Headscale coordination server. When you connect, your device joins the Synderys private network and can reach internal services that are not accessible from the public internet.

Authentication is handled through Authentik — the same credentials you use for all other Synderys services.

Installation Steps

Step 1: Install Tailscale

Download and install the Tailscale client for your operating system:

  • macOS: Download Tailscale from the Mac App Store, or visit https://tailscale.com/download/mac.
  • Windows: Download the installer from https://tailscale.com/download/windows and run it.
  • Linux: Visit https://tailscale.com/download/linux and follow the instructions for your distribution.

Step 2: Connect to the Synderys Network

  1. Open the Tailscale application on your machine.

  2. Instead of using the default Tailscale login, you will connect to the Synderys Headscale server. Open your terminal and run:

    tailscale up --login-server https://headscale.synderys.com
    
  3. A browser window will open and redirect you to the Authentik login page.

  4. Enter your username and password, then complete the MFA challenge.

  5. After authentication, the browser will display a confirmation message. Return to your terminal or Tailscale app.

Step 3: Verify Your Connection

  1. Check that Tailscale shows a Connected status in the system tray or menu bar.

  2. Verify connectivity by opening an internal service in your browser (your team lead will provide specific URLs during onboarding).
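
The Step 3 check can also be scripted. The following Python code is an added example, not part of the Synderys tooling: it reads the JSON printed by tailscale status --json and reports whether the client is signed in, connected, and how close the session is to the periodic re-authentication. BackendState, Self.Online, Self.KeyExpiry and Health are fields of Tailscale's status output; the one-day warning window, the file name check_vpn.py, the --demo switch and the sample document are assumptions made for this example.

```python
import json
import re
import sys
from datetime import datetime, timedelta, timezone

# Login command from Step 2 of this guide.
LOGIN_CMD = "tailscale up --login-server https://headscale.synderys.com"

# Constructed sample of `tailscale status --json` output (trimmed, not real data).
SAMPLE = """{"BackendState": "Running", "Health": [],
 "Self": {"Online": true, "KeyExpiry": "2030-01-01T00:00:00.123456789Z"}}"""


def parse_expiry(value):
    """Parse an RFC 3339 timestamp; the fractional part may have nanoseconds."""
    trimmed = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(trimmed)


def assess(status, now, warn_within=timedelta(days=1)):
    """Return (severity, message) findings for a parsed status document."""
    findings = []
    state = status.get("BackendState", "")
    me = status.get("Self") or {}
    if state in ("NoState", "NeedsLogin"):
        findings.append(("fail", "not signed in; run: " + LOGIN_CMD))
    elif state == "Stopped":
        findings.append(("fail", "VPN is disconnected; run: tailscale up"))
    elif state != "Running":
        findings.append(("fail", "unexpected backend state: %r" % state))
    elif not me.get("Online"):
        findings.append(("warn", "client is running but not reported online"))
    expiry = me.get("KeyExpiry")
    if expiry:
        remaining = parse_expiry(expiry) - now
        if remaining <= timedelta(0):
            findings.append(("fail", "session expired; run: " + LOGIN_CMD))
        elif remaining <= warn_within:
            findings.append(("warn", "session expires in %s" % remaining))
    findings += [("warn", "client health: %s" % h) for h in status.get("Health") or []]
    return findings


if __name__ == "__main__":
    # Usage: tailscale status --json | python3 check_vpn.py   (or --demo for SAMPLE)
    text = SAMPLE if "--demo" in sys.argv else sys.stdin.read()
    results = assess(json.loads(text), datetime.now(timezone.utc))
    for severity, message in results:
        print("%s: %s" % (severity.upper(), message))
    if not results:
        print("OK: connected and session valid")
    sys.exit(1 if any(s == "fail" for s, _ in results) else 0)
```

The script exits non-zero on any "fail" finding, so it can gate other steps such as the SSH jumpbox setup.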

What to expect

After connecting, your device is part of the Synderys private network. Internal services like dashboards, monitoring tools, and development environments will be reachable from your machine. The VPN runs quietly in the background and reconnects automatically when your network changes.

Next step: SSH access

If you need SSH access to internal servers (GitLab, databases, etc.), set up the SSH jumpbox next. See SSH Jumpbox Access.

Staying Connected

Tailscale runs in the background and reconnects automatically when you switch networks (such as moving from home Wi-Fi to a coffee shop). You do not need to manually reconnect in most cases.

Your VPN session requires periodic re-authentication. When your session expires, Tailscale will prompt you to sign in again through Authentik.

Disconnecting

To temporarily disconnect from the VPN:

  • macOS/Windows: Click the Tailscale icon in your system tray and toggle the connection off.
  • Linux: Run tailscale down in your terminal.

You can reconnect at any time by toggling the connection back on or running tailscale up.

Troubleshooting FAQ

Q: Tailscale says "Connected" but I cannot reach internal services.
A: See VPN Troubleshooting for solutions to common connectivity issues.

Q: The browser does not open when I run the login command.
A: Copy the URL displayed in the terminal and open it manually in your browser. Complete the sign-in process there.

Q: I get "login server not available" or a connection timeout.
A: Check your internet connection. If your internet is working but the VPN server is unreachable, contact IT — the Headscale server may be undergoing maintenance.

Q: I need to re-authenticate but Tailscale is not prompting me.
A: Run tailscale up --login-server https://headscale.synderys.com again in your terminal to force a re-authentication.

Q: Can I use the VPN on my phone or tablet?
A: Yes. Install the Tailscale app from the App Store or Google Play and follow the same connection steps. Contact IT for mobile-specific instructions.