Menu
Enable, configure, and troubleshoot Tailscale VPN — ships pre-installed on Bluefin.
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | tailscale |
| description | Enable, configure, and troubleshoot Tailscale VPN — ships pre-installed on Bluefin. |
| domain | sysadmin |
Tailscale is a zero-config WireGuard-based VPN. Bluefin ships tailscaled pre-installed
but disabled by default. Enable it when you want secure, private networking between
your Bluefin machine and other devices on your tailnet.
Load with: point your agent at this file.
Tailscale is pre-installed but the daemon is not enabled by default:
# Enable and start the Tailscale daemon
sudo systemctl enable --now tailscaled
# Verify it is running
systemctl status tailscaled
# Log in (opens browser for auth)
tailscale up
# Log in with specific options (e.g., advertise as exit node)
tailscale up --advertise-exit-node
# Log in with SSH enabled (allows other tailnet machines to SSH in)
tailscale up --ssh
# Show your Tailscale IP and connected peers
tailscale status
# Show detailed info about this device
tailscale status --self
# Show your Tailscale IP address only
tailscale ip
If you don't use Tailscale, disable it to avoid unnecessary background service:
sudo systemctl disable --now tailscaled
Route all traffic through another tailnet device:
# List available exit nodes
tailscale exit-node list
# Use a specific exit node
tailscale set --exit-node=<node-name-or-ip>
# Stop using exit node
tailscale set --exit-node=
Expose a local subnet to the tailnet:
# Advertise a subnet route (allows tailnet peers to reach your LAN)
tailscale up --advertise-routes=192.168.1.0/24
# Accept routes advertised by other tailnet peers
tailscale up --accept-routes
# SSH into another tailnet machine by hostname or Tailscale IP
tailscale ssh <hostname>
# Or use standard SSH with Tailscale IP
ssh user@100.x.y.z
To allow SSH into this machine from the tailnet, run: tailscale up --ssh
(This uses Tailscale's auth, not SSH keys, for tailnet peers.)
Bluefin ships a Tailscale system tray applet. It appears in the GNOME top bar when
tailscaled is running. Use it to toggle connection, switch exit nodes, and view status.
# View Tailscale daemon logs
journalctl -u tailscaled -f
# Re-authenticate (token expired)
tailscale up --force-reauth
# Check connectivity to a peer
tailscale ping <peer-hostname-or-ip>
# Full diagnostic report (useful for bug reports)
tailscale bugreport
Tailscale not connecting: Check that tailscaled is running (systemctl status tailscaled)
and that the machine has internet access (ping 1.1.1.1).
"Peer unreachable": Try tailscale ping to diagnose. NAT traversal may fail on
some networks — use a DERP relay or exit node as a workaround.
Create, enter, and manage Distrobox containers for mutable package installation on Bluefin.
ZFS administration on Bluefin — pools, datasets, snapshots, and delivery options for an immutable host that does not ship ZFS kernel modules.
Run, build, and manage OCI containers rootlessly on Bluefin — including Quadlets for persistent systemd-managed services.
Run self-hosted services on Bluefin DX using Podman Quadlets and linuxserver.io containers — persistent, auto-updating, systemd-managed.
Install and manage CLI tools with Homebrew — the primary CLI package manager on Bluefin.
Manage GNOME extensions, gsettings, and desktop customizations on Bluefin — including which settings Bluefin owns vs. which are safe to change.