Clawdie AI

Tailscale creates a WireGuard-encrypted mesh network between all your devices. No port forwarding, no exposed SSH, no firewall gymnastics. Clawdie uses it to connect the brain server (domedog) to the browser server (clawd) and the operator's laptop — securely.

Context

Why Tailscale

Without Tailscale

SSH on port 22 exposed to the internet. Brute-force attempts. Complex firewall rules. Port forwarding for every service. VPN setup that takes hours.

With Tailscale

No public ports except 80/443. SSH only over VPN. Instant device authentication. Works across NAT. 5-minute setup. Free for personal use.

Our network

domedog (brain server) — 100.103.x.y

clawd (browser server) — 100.108.x.y

operator laptop — 100.x.x.z

All connected via Tailscale mesh. SSH only over this network.

Step 1

Installation on FreeBSD

1.1 Install from packages

# Install Tailscale
pkg install -y tailscale

# Enable the service
sysrc tailscaled_enable="YES"

# Start the daemon
service tailscaled start

1.2 Authenticate

# This will print a URL — open it in your browser to authenticate
tailscale up

# Verify connection
tailscale status

You'll see your device appear in the Tailscale admin console.

1.3 Set a stable hostname

# Give the machine a memorable name in the tailnet
tailscale set --hostname=domedog

Step 2

SSH over Tailscale

Once Tailscale is running on both the server and your laptop, SSH works over the encrypted mesh — no public port needed.

2.1 SSH config

Add to ~/.ssh/config on your laptop:

Host clawdie
    HostName 100.103.x.y    # Tailscale IP of domedog
    User clawdie
    IdentityFile ~/.ssh/clawdie
    ServerAliveInterval 60

2.2 Generate SSH key

ssh-keygen -t ed25519 -C "clawdie@$(hostname)" -f ~/.ssh/clawdie
ssh-copy-id -i ~/.ssh/clawdie.pub clawdie@100.103.x.y

2.3 Connect

# Simple SSH
ssh clawdie

# Attach to tmux glass-pane directly
ssh clawdie -t "tmux attach -t clawdie"

Result

Port 22 is not exposed to the internet. SSH only works over the Tailscale network. Zero brute-force exposure.

Step 3

Multi-server setup

Clawdie's two-server architecture relies on Tailscale for secure inter-node communication.

3.1 domedog to clawd connection

# On domedog — verify clawd is reachable
tailscale ping clawd

# Test Chrome DevTools Protocol connectivity
curl http://100.108.x.y:9223/json/version

3.2 Playwright CDP configuration

# In Clawdie's config — connect to Chrome on clawd via Tailscale
BROWSER_CDP_URL=http://100.108.x.y:9223

# Playwright connects over the encrypted mesh
# No port exposed to the public internet

3.3 Network topology

┌──────────────────────────────┐
│  Operator laptop             │
│  100.x.x.z                   │
│  SSH → tmux glass-pane       │
└──────────┬───────────────────┘
           │ Tailscale mesh
    ┌──────┴──────┐
    │             │
┌───┴────┐   ┌────┴───┐
│domedog │   │ clawd  │
│100.103 │←──│100.108 │
│ Brain  │CDP│ Eyes   │
│        │   │Chrome  │
└────────┘   └────────┘

Step 4

PF firewall integration

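Tailscale creates a tailscale0 interface on FreeBSD. The PF rules below treat it as the trusted internal network: SSH is passed on tailscale0 only, while the public interface accepts just web traffic and Tailscale's own UDP port.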

# In /etc/pf.conf
ext_if="vtnet0"
tailscale_if="tailscale0"

# Do not filter loopback; "block all" would otherwise drop local connections
set skip on lo0

# Block everything by default
block all
pass out all keep state

# SSH — only via Tailscale (not public internet)
pass in quick on $tailscale_if proto tcp to port 22 keep state

# Web traffic — public (for Let's Encrypt and HTTPS)
pass in quick on $ext_if inet proto tcp to port {80,443} keep state
pass in quick on $ext_if inet6 proto tcp to port {80,443} keep state

# Tailscale WireGuard — must be allowed on public interface
pass in quick on $ext_if inet proto udp to port 41641 keep state
pass in quick on $ext_if inet6 proto udp to port 41641 keep state

Port 41641

Tailscale uses UDP port 41641 for WireGuard traffic. This must be open on the public interface for direct connections. Without it, traffic relays through Tailscale's DERP servers (slower).
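
To check the result claimed above (SSH and the CDP port reachable only over the tailnet), the following added example, which is not part of the original guide, reports which addresses those services are actually bound to. It assumes the column layout of FreeBSD's sockstat; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Reads `sockstat -4 -l -P tcp` output on stdin and reports listeners on the
# tailnet-only ports (22 = SSH, 9223 = CDP) that are bound to anything other
# than loopback or a Tailscale address (100.64.0.0/10). IPv4 only.
# Optional argument: a space-separated port list to check instead.
audit_listeners() {
    awk -v ports="${1:-22 9223}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $5 == "tcp4" {
        split($6, a, ":"); addr = a[1]; port = a[2]
        if (!(port in want)) next                 # not a tailnet-only service
        if (addr ~ /^127\./) next                 # loopback only
        if (split(addr, o, "[.]") == 4 && o[1] + 0 == 100 &&
            o[2] + 0 >= 64 && o[2] + 0 <= 127) next   # bound to a tailnet IP
        # Wildcard (*) or a public address: reachable on every interface,
        # so the PF ruleset is the only thing keeping it off the internet.
        printf "%s port %s bound to %s (filtered only by PF)\n", $2, port, addr
    }'
}

# Constructed sample of sockstat output (commands, PIDs, addresses made up).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
www      nginx      901   6  tcp4   *:443                 *:*
clawdie  chrome     1544  31 tcp4   100.108.0.10:9223     *:*
clawdie  proxy      1590  5  tcp4   203.0.113.7:9223      *:*
root     sshd       2001  4  tcp4   127.0.0.1:22          *:*
EOF
}

# On a real host: sockstat -4 -l -P tcp | audit_listeners
# Against the sample: sample_sockstat | audit_listeners
```

A finding does not mean the port is exposed, only that a mistake in pf.conf or a disabled firewall would expose it; binding the service to the Tailscale address removes that dependency.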

Reference

Useful commands

Command                      Purpose
tailscale status             Show all connected devices
tailscale ping <host>        Test connectivity to a device
tailscale ip                 Show your Tailscale IP
tailscale netcheck           Network diagnostics
tailscale up --ssh           Enable Tailscale SSH (optional)
tailscale down               Disconnect from tailnet
tailscale logout             Deauthenticate device
service tailscaled restart   Restart daemon

Free tier

Tailscale's personal plan supports up to 100 devices for free. More than enough for a personal AI assistant setup.