@Luv2C0d3
Created March 3, 2025 19:13
Setting up Tailscale on Raspberry Pis (Debian 12 Bookworm)
# Burn Debian onto the SD card
# Follow the instructions on the Tailscale site
# Install Tailscale with one command
curl -fsSL https://tailscale.com/install.sh | sudo sh
# Then install systemd-resolved to prevent fights over who writes /etc/resolv.conf
sudo apt install -y systemd-resolved
# Check that /etc/resolv.conf is now a symlink instead of a regular file.
# -- For security --
# enable firewall, using ufw
# 1. Enable UFW and Allow SSH from Tailscale
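# Tailscale assigns each machine an address from the CGNAT range 100.64.0.0/10
# (100.64.0.0 - 100.127.255.255). The rest of 100.0.0.0/8 is ordinary public
# address space, so match only the /10. To allow SSH only from Tailscale:
sudo ufw allow in from 100.64.0.0/10 to any port 22 proto tcp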
# Allow Local SSH for Backup Access
# If you also want to allow SSH from your local network (e.g., 192.168.1.x):
# Change the 1 in 192.168.1.0/24 to your subnet number
sudo ufw allow in from 192.168.1.0/24 to any port 22 proto tcp
# 2. Tailscale uses the virtual interface tailscale0,
# so you should allow all traffic over it
# (this opens every port, not just SSH, to your tailnet peers):
sudo ufw allow in on tailscale0
sudo ufw allow out on tailscale0
# 3. Allow Tailscale's Control Traffic
# Tailscale needs to communicate with its coordination servers.
# Allow the necessary ports:
sudo ufw allow out to any port 41641 proto udp # Tailscale direct UDP traffic
sudo ufw allow out to any port 443 proto tcp # HTTPS for coordination
sudo ufw allow out to any port 3478 proto udp # STUN for NAT traversal
# 4. After setting the rules, enable ufw:
sudo ufw enable
# Check the status:
sudo ufw status verbose
# 5. Test Connectivity
# After enabling UFW, verify:
# SSH from Tailscale works: Try ssh <user>@<tailscale-ip>
# Tailscale pings other peers: tailscale ping <peer-ip>
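
To complement the status check in steps 4 and 5, here is an added example (not part of the original gist) that reads `ufw status` output and reports any inbound SSH rule whose source is wider than the ranges you intended. It assumes Tailscale's address range 100.64.0.0/10 and the example LAN 192.168.1.0/24; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the gist): flag inbound SSH rules in `ufw status`
# output whose source is wider than intended. Non-IPv4 sources are reported.

ip_to_int() {                       # dotted quad -> 32-bit integer
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_within INNER OUTER: true if INNER (address or CIDR) lies inside OUTER.
cidr_within() {
  in_ip=${1%/*}; in_len=32; out_ip=${2%/*}; out_len=${2#*/}
  case $1 in */*) in_len=${1#*/} ;; esac
  [ "$in_len" -ge "$out_len" ] || return 1
  mask=$(( (0xFFFFFFFF << (32 - out_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$in_ip") & mask )) -eq $(( $(ip_to_int "$out_ip") & mask )) ]
}

# audit_ssh_rules ALLOWED_CIDR...: reads `ufw status` text on stdin and prints
# "TOO BROAD: <source>" for each port-22 ALLOW rule outside every allowed range.
audit_ssh_rules() {
  sed -nE 's#^22(/tcp)?( \(v6\))?[[:space:]]+ALLOW( IN)?[[:space:]]+##p' |
  while read -r src; do
    case $src in OUT\ *|FWD\ *) continue ;; esac   # not an inbound rule
    ok=no
    if printf '%s\n' "$src" | grep -Eq '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$'; then
      for cidr in "$@"; do
        if cidr_within "$src" "$cidr"; then ok=yes; break; fi
      done
    fi
    [ "$ok" = yes ] || echo "TOO BROAD: $src"
  done
}

# Constructed sample of `sudo ufw status` output, not captured from a real host.
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       100.64.0.0/10
22/tcp                     ALLOW       192.168.1.0/24
22/tcp                     ALLOW       100.0.0.0/8
Anywhere on tailscale0     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}
sample_status | audit_ssh_rules 100.64.0.0/10 192.168.1.0/24
```

On a real host, replace the last line with `sudo ufw status | audit_ssh_rules 100.64.0.0/10 <your-lan-cidr>`; no output means every SSH rule is within the allowed ranges.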