swarm-zap/memory/ops/2026-03-03-tailscale-setup.md

# Session: 2026-03-03 03:05:08 UTC

- **Session Key**: agent:main:main
- **Session ID**: 46a933f8-08bc-44c7-9d62-12cadf740ad4
- **Source**: gateway:sessions.reset

## Conversation Summary

user: [Tue 2026-03-03 02:54 UTC] Let's configure tailscale
assistant: I'll quickly check the current Tailscale state on this machine so we can configure it correctly.
assistant: [[reply_to_current]] Good call — I checked this host and:

- Tailscale is **not installed**
- `tailscaled` service is **inactive**
- OS is **Ubuntu 24.04**

I can set it up for you end-to-end.  
I just need one choice from you:

1. **Interactive login** (I install + start, then you open a login URL), or  
2. **Auth key login** (you give me a Tailscale auth key and I do it fully headless)

If you want, I’ll proceed now with option 1 (the usual).
user: [Tue 2026-03-03 02:55 UTC] Yes: 1
assistant: [[reply_to_current]] Perfect — I hit a permission wall here (no elevated sudo access from this webchat session), so please run these on the host terminal:

```bash
# Install Tailscale (Ubuntu 24.04 / noble)
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list >/dev/null
sudo apt-get update
sudo apt-get install -y tailscale

# Start service
sudo systemctl enable --now tailscaled

# Interactive login (this prints a URL)
sudo tailscale up
```

After `sudo tailscale up`, open the URL it gives, approve the device, then send me:

```bash
tailscale status
tailscale ip -4
tailscale ip -6
```

I’ll verify everything and then help you apply any extras (MagicDNS, subnet routes, exit node, SSH, ACL tags, etc.).
user: [Tue 2026-03-03 02:58 UTC] It's up
assistant: [[reply_to_current]] Nice — confirmed, it’s up and healthy.

- **Device:** `claw`
- **Tailscale IPv4:** `100.125.12.39`
- **Tailscale IPv6:** `fd7a:115c:a1e0::aa32:c28`
- **Version:** `1.94.2`

If you want, next I can help you harden/tune it with:
- MagicDNS
- Tailscale SSH
- Exit node setup
- Subnet routing (for LAN access)
- ACL/tag cleanup for this node
user: [Tue 2026-03-03 02:58 UTC] yes
assistant: [[reply_to_current]] Sweet — let’s do a solid baseline first, then optional extras.

### 1) Baseline hardening/tuning (run now)
```bash
# Enable Tailscale SSH on this node
sudo tailscale set --ssh=true
```

You already have good defaults:
- MagicDNS/client DNS: **on** (`CorpDNS: true`)
- Auto-updates: **on**
- Running state: **healthy**

### 2) Verify
```bash
tailscale debug prefs | grep -E '"RunSSH"|"CorpDNS"|"RouteAll"'
tailscale status
```

### 3) Optional next moves (pick what you want)

- **Use this machine as an exit node**  
  ```bash
  sudo tailscale set --advertise-exit-node=true
  ```
  Then approve it in admin console.

- **Expose your LAN subnet through this machine** (example `192.168.153.0/24`)  
  ```bash
  sudo tailscale set --advertise-routes=192.168.153.0/24
  ```
  Then approve routes in admin console.

- **Use an exit node from this machine**  
  ```bash
  tailscale exit-node list
  sudo tailscale set --exit-node=<node-name-or-ip>
  ```

If you want, I can give you the **exact command set** for your specific goal (remote SSH only vs full homelab subnet access vs private VPN exit node).
assistant: active subagents:
-----
(none)

recent subagents (last 30m):
-----
(none)
assistant: Subagents
Usage:
- /subagents list
- /subagents kill <id|#|all>
- /subagents log <id|#> [limit] [tools]
- /subagents info <id|#>
- /subagents send <id|#> <message>
- /subagents steer <id|#> <message>
- /subagents spawn <agentId> <task> [--model <model>] [--thinking <level>]
- /focus <subagent-label|session-key|session-id|session-label>
- /unfocus
- /agents
- /session idle <duration|off>
- /session max-age <duration|off>
- /kill <id|#|all>
- /steer <id|#> <message>
- /tell <id|#> <message>

Ids: use the list index (#), runId/session prefix, label, or full session key.