Key points
- MagicDNS gives each node a name (`<host>.<tailnet>.ts.net`).
- Works behind a deny-all-ingress firewall (no public inbound port needed).
- Tailscale SSH (`--ssh`) intercepts port 22 with ACL-based auth, but it breaks key-based automation like Ansible, so use plain `sshd` for that and leave `--ssh` off.
- Tailscale Funnel can expose a node publicly at `*.ts.net` (auto-TLS) with no open ports.
Details
Auth keys (ephemeral, tagged, reusable) let a node join unattended at boot — used here in the broker's startup script.
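As an added example (not the page's own startup script), a boot-time join script in the shape the line above describes: it reads a tagged, ephemeral, reusable auth key from a file, refuses a key file that other users can read, checks whether the node is already joined, and composes `tailscale up` without `--ssh` so plain `sshd` keeps serving Ansible. The key-file path, hostname and tag name are assumptions.

```shell
#!/bin/sh
# Constructed example of an unattended tailnet join at boot (not the page's own script).
# Assumes a tagged, ephemeral, reusable auth key has been provisioned into
# $TS_AUTHKEY_FILE (e.g. by cloud-init or a secrets manager), readable only by root.
set -eu

TS_AUTHKEY_FILE="${TS_AUTHKEY_FILE:-/etc/tailscale/authkey}"   # assumed path
TS_HOSTNAME="${TS_HOSTNAME:-broker}"                          # becomes broker.<tailnet>.ts.net via MagicDNS
TS_TAG="${TS_TAG:-tag:broker}"                                # assumed tag; must match the key's tag and ACLs
TAILSCALE_BIN="${TAILSCALE_BIN:-tailscale}"

# The auth key is a join credential: refuse to use it if group/world can read the file.
check_key_file() {
    [ -r "$1" ] || { echo "auth key file $1 missing or unreadable" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    case "$mode" in
        *00) ;;                                                     # e.g. 600 or 400: owner only
        *) echo "auth key file $1 has mode $mode; expected owner-only" >&2; return 1 ;;
    esac
}

# Compose the `tailscale up` flags. --ssh is deliberately absent: Tailscale SSH
# intercepts port 22 and breaks key-based automation such as Ansible, so the
# node keeps serving its plain sshd over the tailnet instead.
build_up_args() {
    echo "--auth-key=$1 --hostname=$TS_HOSTNAME --advertise-tags=$TS_TAG"
}

# Idempotent join: a node whose backend already reports Running keeps its identity.
join_tailnet() {
    check_key_file "$TS_AUTHKEY_FILE"
    if "$TAILSCALE_BIN" status --json 2>/dev/null | grep -q '"BackendState": *"Running"'; then
        echo "already joined as $("$TAILSCALE_BIN" ip -4)"
        return 0
    fi
    key=$(cat "$TS_AUTHKEY_FILE")
    # shellcheck disable=SC2046  # intentional word splitting of the flag list
    "$TAILSCALE_BIN" up $(build_up_args "$key")
    echo "joined; MagicDNS name is $TS_HOSTNAME.<tailnet>.ts.net"
}

# Only perform the join when run as the named boot script; sourcing the file
# (for tests or reuse) just defines the functions.
case "$(basename "$0")" in
    tailscale-join.sh) join_tailnet ;;
esac
```

Because the key is passed as a command-line flag it is briefly visible in the process list; on a single-purpose host that is usually acceptable, but the key file itself is the place to enforce access control.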
Related
Sources
Compiled from wiki/concepts/Tailscale.md · git is the source of truth