diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml
index dcffea9..19cd384 100644
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@@ -20,3 +20,5 @@ roles:
     version: v2022.10.17
   - src: geerlingguy.certbot
     version: 5.1.0
+  - src: artis3n.tailscale
+    version: v4.4.1
diff --git a/ansible/group_vars/all/tailscale.yml b/ansible/group_vars/all/tailscale.yml
new file mode 100644
index 0000000..0a954c9
--- /dev/null
+++ b/ansible/group_vars/all/tailscale.yml
@@ -0,0 +1,6 @@
+# Just install for now, don't configure
+tailscale_up_skip: true
+
+tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
+
+tailscale_port: 41641
diff --git a/ansible/main.yml b/ansible/main.yml
index 11dfa84..5335a83 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -16,6 +16,7 @@
     - headscale
     - fail2ban_ssh
     - restic
+    - artis3n.tailscale
 
 - hosts:
     - pve
@@ -79,6 +80,7 @@
     - nginx
     - ingress
     - nebula
+    - artis3n.tailscale
 
 - hosts: pve
   roles:
@@ -114,6 +116,7 @@
     - commento
     - website
     - remark42
+    - artis3n.tailscale
 
 - hosts: jellyfin
   roles:
diff --git a/ansible/roles/ingress/files/nftables.conf b/ansible/roles/ingress/files/nftables.conf
index bc5119f..9b348c1 100644
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@@ -19,6 +19,9 @@ table inet filter {
 
         # Allow nebula
         udp dport {{ nebula_listen_port }} accept;
+
+        # Allow Tailscale
+        udp dport {{ tailscale_port }} accept;
     }
 
     chain POSTROUTING {
@@ -27,6 +30,7 @@ table inet filter {
 
         # NAT - because the proxmox machines may not have routes back
         ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+        ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
     }
 
     chain FORWARD {
@@ -39,5 +43,9 @@ table inet filter {
 
         # Allow monitoring of nebula network
         ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
+
+        # Allow traffic from Tailscale to proxmox network
+        ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
+        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept
     }
 }
diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf
index 4e412ce..f03e941 100644
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@@ -91,6 +91,15 @@ resource "linode_firewall" "casey" {
     ipv4     = ["0.0.0.0/0"]
     ipv6     = ["::/0"]
   }
+
+  inbound {
+    label    = "allow-inbound-tailscale"
+    action   = "ACCEPT"
+    protocol = "UDP"
+    ports    = "41641"
+    ipv4     = ["0.0.0.0/0"]
+    ipv6     = ["::/0"]
+  }
 }
 
 resource "linode_rdns" "casey_reverse_ipv4" {
diff --git a/terraform/walker_vps.tf b/terraform/walker_vps.tf
index d5fb40a..5a79b91 100644
--- a/terraform/walker_vps.tf
+++ b/terraform/walker_vps.tf
@@ -4,7 +4,8 @@ module "walker_firewall" {
   description = "walker"
   ports = [
     "80/tcp",
-    "443/tcp"
+    "443/tcp",
+    "41641/udp"
   ]
 }