Account blocked after using Tailscale in CI job for SSH deployment (possible false positive?)

Deployments
, ,
1

Hello everyone,

I’m currently unable to log in to my CircleCI account due to a “login-abusive” restriction. I would really appreciate some guidance or clarification regarding what might have triggered this.

I was working on setting up CI/CD for my team’s internal portal project. The production server is located in the Republic of Korea, and I attempted to securely access it from a CircleCI job using Tailscale in order to perform SSH-based deployment.

This is purely for internal deployment purposes — I did not attempt to proxy traffic, mine cryptocurrency, bypass restrictions, or abuse CircleCI resources in any way. I am still learning CI/CD and networking, so it is possible that my configuration unintentionally triggered an automated detection system.

What my pipeline does

1. Build and Push

  • Build Docker images for api and web

  • Push images to GitHub Container Registry (GHCR)

2. Deploy via SSH over Tailscale

Inside the deploy job, I:

  • Install Tailscale

  • Start tailscaled using userspace networking

  • Bring up the node with an auth key

  • SSH into my server over the Tailscale network

  • Run docker compose pull && docker compose up -d

Here is the relevant part of my configuration:


jobs:
  build-and-push:
    docker:
      - image: cimg/node:22.12
  steps:
    - run:
        name: Install and start Tailscale
        command: |
          curl -fsSL https://tailscale.com/install.sh | sh
            sudo tailscaled --tun=userspace-networking --socks5-server=localhost:1055 & until tailscale up --authkey=${TS_AUTHKEY} --hostname=circleci-deployer --accept-routes; do
              sleep 1
            done

Then I connect via SSH:

ssh $SSH_USER@$DESKTOP_TAILSCALE_IP

I suspect that either:

  • Running tailscaled inside a CI job

  • Enabling a SOCKS5 server

  • Using --accept-routes

  • Or establishing a private network tunnel

may have been flagged as suspicious behavior.

Again, this was not intended for proxy services or any form of misuse — only to securely reach my own server for deployment.

Questions

  1. Is running Tailscale inside a CircleCI cloud executor allowed?

  2. Are options like --socks5-server or --accept-routes considered violations?

  3. Would using a self-hosted CircleCI runner inside my private network be the recommended approach instead?

If this was a false positive, I would greatly appreciate reinstatement and guidance on how to restructure my deployment pipeline in a compliant way.

Thank you very much for your time and support.

I have already submitted Ticktes, but since at that time when I was blocked, I was a free planned user, so my tickets are still open and not handled…

Thank you and have a nice day