From 77517736faba1796177caae0489e1236e2355c21 Mon Sep 17 00:00:00 2001
From: Guillaume Dedrie
Date: Wed, 27 Dec 2023 16:09:38 +0100
Subject: [PATCH] feat(firewall): add Tailscale configuration
---
 files/etc_nftables.conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/files/etc_nftables.conf.j2 b/files/etc_nftables.conf.j2
index 9ff6ef7..37ceb2d 100644
--- a/files/etc_nftables.conf.j2
+++ b/files/etc_nftables.conf.j2
@@ -68,6 +68,10 @@ table inet firewall {
 # UPnP
 ip daddr 239.255.255.250 udp dport 1900 counter accept comment "Accept UPnP"
+ # Tailscale, see: https://tailscale.com/kb/1082/firewall-ports
+ udp sport 41641 counter accept comment "Allow Tailscale Direct Wireguard tunnels"
+ udp dport 3478 counter accept comment "Allow STUN protocol behind NAT"
+
 log prefix "[nftables] Output Denied: " counter reject
 }
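Review bot: The new `udp sport 41641 counter accept` rule matches on source port alone, so in what appears to be the output chain (inferred from the "Output Denied" log prefix; the chain header lies outside the hunk) any local process able to bind UDP 41641 is exempt from the egress filter, for instance while tailscaled is not running. Consider tying the rule to the daemon's user, e.g. `meta skuid 0 udp sport 41641 counter accept comment "Allow Tailscale Direct Wireguard tunnels"` if tailscaled runs as root on these hosts, and doing the same for the `udp dport 3478` rule, which currently lets every process send UDP to port 3478 on any destination. Because this is a shared Jinja template, it may also be worth rendering both rules only on hosts that actually run Tailscale, so the remaining machines keep the stricter egress policy.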