diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index bb1c1d5..ed77cb7 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -38,6 +38,7 @@ in {
 ./keycloak.nix
 ./lezzo.nix
 ./runas.nix
+ ./tailscale.nix
 ];
 
 time.timeZone = "Europe/Rome";
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index 119658f..b98a972 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -15,7 +15,7 @@ let
 # UDP services
 dns_udp = 53;
 wireguard_udp = 1194;
-
+
 # TCP/UDP services
 torrent_a = 51413;
 torrent_b = 51414;
@@ -35,6 +35,7 @@ let
 wireguard_udp
 torrent_a
 torrent_b
+ config.services.tailscale.port
 ];
 open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
 ssh_tcp
@@ -86,6 +87,7 @@ in {
 lib.concatStringsSep "," towan-wg
 }} masquerade
 oifname ${wan-if} ip saddr ${docker-net} masquerade
+ oifname ${wan-if} ip saddr ${tailscale-net} masquerade
 }
 }
 
@@ -101,6 +103,7 @@ in {
 iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
 iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
 iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
+ iifname ${tailscale-if} ip saddr ${tailscale-net} accept
 iifname "lo" accept comment "bind any ip to intf lo"
 jump mangle_drop
 }
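Review bot: `oifname ${wan-if} ip saddr ${tailscale-net} masquerade` makes this host a NAT gateway to the internet for anything sourced from 100.64.0.0/10, which is the whole CGNAT block, not just this tailnet. That rule only does something if the node advertises itself as an exit node or subnet router, and nothing else in the commit (tailscale.nix enables the service with no routing features) shows that is intended. If exit-node use is the goal, put that in a comment on the rule, e.g. `comment "tailnet exit node > wan"`; if not, leave it out so a peer later granted access cannot use the box as a NAT hop without a firewall change. The enclosing postrouting chain starts outside the hunk.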
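Review bot: The new binding `iifname ${tailscale-if} ip saddr ${tailscale-net} accept` is the only rule in this anti-spoof chain without a `comment`, which makes it the one line you cannot recognise in `nft list ruleset` output; write it as `iifname ${tailscale-if} ip saddr ${tailscale-net} accept comment "bind ip ${tailscale-net} to intf ${tailscale-if}"`. It also matches IPv4 only (`ip saddr`); if tailscaled assigns the interface an IPv6 address as well, that traffic falls through to `jump mangle_drop`, so either add an `ip6 saddr` sibling once the tailnet's v6 range is pinned down or note `# v4 only` beside it. The enclosing chain starts outside the hunk.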
@@ -154,11 +157,12 @@ in {
 ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
 ip saddr ${lan-net} accept comment "lan > local"
- ip saddr ${proxy-wg} accept comment "proxy > local"
 ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
 iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
 iifname ${wan-if} udp dport {${open_udp_ports}} accept
+ iifname ${tailscale-if} tcp dport {${open_tcp_ports_vpn}} accept
+ iifname ${tailscale-if} udp dport {${open_udp_ports_vpn}} accept
 iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
 iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
 iifname ${vpn-if} icmp type echo-request accept
@@ -189,6 +193,7 @@ in {
 }} accept
 oifname ${wan-if} ip saddr ${docker-net} accept
+ oifname ${wan-if} ip saddr ${tailscale-net} accept
 jump filter_drop
 }
diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix
index 99a8901..1047dc0 100644
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@@ -51,6 +51,7 @@ in
 networking.extraHosts = ''
 ${network.architect-lan} ${domain}
 ${network.architect-wg} ${domain}
+ ${network.architect-ts} ${domain}
 '';
 
 users.groups.media.members = [ "jellyfin" ];
diff --git a/hosts/architect/keycloak.nix b/hosts/architect/keycloak.nix
index 4607e18..a157887 100644
--- a/hosts/architect/keycloak.nix
+++ b/hosts/architect/keycloak.nix
@@ -74,5 +74,6 @@ in {
 networking.extraHosts = ''
 ${network.architect-lan} ${domain}
 ${network.architect-wg} ${domain}
+ ${network.architect-ts} ${domain}
 '';
 }
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index fadd76c..15b9467 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@@ -4,6 +4,7 @@ rec {
 vpn-if = "wg0";
 proxy-if = "proxy";
 docker-if = "docker0";
+ tailscale-if = "ts0";
 
 # nets
 lan-net = "10.0.0.0/24";
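Review bot: The two new `iifname ${tailscale-if} … dport` rules open the VPN port sets to the tailnet, but unlike the `${vpn-if}` block directly below there is no `iifname ${tailscale-if} icmp type echo-request accept`, so ordinary ping from tailnet peers will presumably hit the chain's final drop (the end of the input chain is outside the hunk) and connectivity checks will look like an outage; add that line after the UDP rule. Since `open_tcp_ports_vpn` starts with `ssh_tcp`, this is also the first time SSH is reachable from a network whose membership is managed outside this repo (the tailnet ACLs), which deserves a one-line comment on the TCP rule, e.g. `comment "tailnet > local (incl. ssh; membership controlled by tailnet ACLs)"`.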
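Review bot: `oifname ${wan-if} ip saddr ${tailscale-net} accept` in the forward chain matches on source address alone, so any packet claiming a 100.64.0.0/10 source is forwarded to the WAN whichever interface it came in on; the docker rule above has the same shape, but the tailnet is a remote-peer network, so pin it to the tunnel: `iifname ${tailscale-if} oifname ${wan-if} ip saddr ${tailscale-net} accept`. The anti-spoof chain earlier in the file probably drops mismatched sources first, but that is outside this hunk and the extra match costs nothing. Together with the matching masquerade rule this is exit-node plumbing, and if the node is not meant to advertise exit-node or subnet routes it can be left out until it is.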
@@ -11,13 +12,13 @@ rec {
 proxy-net = "10.4.0.0/24";
 external_lan-net = "192.168.1.0/24";
 docker-net = "172.17.0.0/16";
+ tailscale-net = "100.64.0.0/10";
 
 # ips
 dvr-lan = "10.0.0.2";
 nas-lan = "10.0.0.3";
 architect-lan = "10.0.0.250";
- proxy-wg = "10.4.0.1";
 architect-wg = "10.3.0.1";
 giuliopc-wg = "10.3.0.2";
 giuliophone-wg = "10.3.0.3";
@@ -54,6 +55,8 @@ rec {
 hotpottino-wg = "10.3.0.201";
 dodino-wg = "10.3.0.202";
 
+ architect-ts = "100.67.205.28";
+
 # groups
 gdevices-wg = [ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix
new file mode 100644
index 0000000..052359e
--- /dev/null
+++ b/hosts/architect/tailscale.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+let
+ network = import ./network.nix;
+ auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
+ ifname = "ts0";
+in rec {
+ services = {
+ tailscale = {
+ enable = true;
+ interfaceName = ifname;
+ };
+ };
+
+ networking.extraHosts = ''
+ ${network.architect-ts} architect.devs.giugl.io
+ '';
+}
\ No newline at end of file
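Review bot: `architect-ts = "100.67.205.28"` is an address handed out by the Tailscale coordination server, not one this configuration controls, and this commit bakes it into `/etc/hosts` from jellyfin.nix, keycloak.nix and tailscale.nix; if the node is ever re-registered (key expiry, `tailscale logout`, a rebuilt machine) the address can change and those entries would silently point at whichever peer next receives it. Record that above the binding, e.g. `# tailnet address assigned by the coordination server; re-check after re-registering this node`, so the next person knows it is an observation rather than an allocation. A sibling comment on `tailscale-net` saying that 100.64.0.0/10 is the full CGNAT range the tailnet draws from, not a subnet owned by this host, would help the firewall reader for the same reason.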
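Review bot: `ifname = "ts0"` duplicates `network.tailscale-if`, which this same commit adds to network.nix and which the firewall rules match on; if either copy is edited the anti-spoof and input rules silently stop matching the tunnel, so read the name from network.nix instead of restating it. `auth_block` and the `openid.nix` import are unused, `rec` is unnecessary because nothing in the set refers to itself, and `architect.devs.giugl.io` is a literal where the sibling modules use a `domain` binding. Nothing here enables routing features, so the exit-node masquerade added in firewall.nix has no IP forwarding behind it; if the node is meant to be an exit node say so and enable it, otherwise a one-line comment that it is a plain client saves the next reader the question.
```nix
{ ... }:

let
  network = import ./network.nix;
  domain = "architect.devs.giugl.io";
in {
  services.tailscale = {
    enable = true;
    # Must match the name the firewall binds ${tailscale-net} to.
    interfaceName = network.tailscale-if;
    # Plain client: no exit-node / subnet-router advertisement from this host.
  };

  networking.extraHosts = ''
    ${network.architect-ts} ${domain}
  '';
}
```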