Architecture Overview & Decision Matrix

Physical Setup

[Your home machine] --tailscale--> [Brother's Win11 PC]
                                     |
                                     +-- Tailscale (Windows app, already installed)
                                     +-- WSL2 Ubuntu (user: admin)
                                     +-- RTX 4060 16GB

The Two Approaches

Approach A: Tailscale on Windows Host

You --> Tailscale --> Win11 Tailscale IP (100.x.x.x)
                        |
                        +-- port 22 forwarded --> WSL2 sshd
  • Tailscale runs only on Windows host (already set up).
  • SSH traffic arrives at the Windows Tailscale IP.
  • Port forwarding (mirrored mode or netsh portproxy) routes it into WSL2.

Pros: Official recommendation. No MTU/DNS conflicts. Single Tailscale node.

Cons: Depends on Windows host Tailscale staying up. Requires port forwarding config.

Approach B: Tailscale Inside WSL2

You --> Tailscale --> WSL2 Tailscale IP (100.x.x.x)
                        |
                        +-- sshd listens directly
  • Tailscale runs inside WSL2 as a separate tailnet node.
  • WSL2 gets its own Tailscale IP.
  • SSH connects directly to WSL2's Tailscale IP, no port forwarding.

Pros: Direct connection to WSL2. No Windows networking dependency.

Cons: Officially discouraged. MTU problems (WSL2 default MTU 1280, Tailscale needs 1340+). DNS conflicts (Tailscale modifies /etc/wsl.conf and breaks resolv.conf). Cannot run simultaneously with Windows Tailscale (double-encapsulated packets fail).

See wsl2-native-approach.md for full details.

Decision Matrix

| Factor | Approach A (Win TS) | Approach B (WSL2 TS) |
|---|---|---|
| Official support | Yes | Discouraged |
| Setup complexity | Medium | High |
| Port forwarding needed | Yes (unless mirrored) | No |
| DNS stability | Good | Fragile |
| MTU issues | None | Known problems |
| Dual Tailscale nodes | No (1 node) | Yes (2 nodes, or disable Win TS) |
| Survives Win TS restart | Reconnects | Independent |
| Tailscale SSH feature (no OpenSSH) | Not on Windows | Not on Windows |

Recommendation

Use Approach A with mirrored networking (see networking.md). Your Windows Tailscale is already working. Mirrored mode eliminates the portproxy dance. If mirrored mode proves unstable, fall back to NAT + netsh portproxy.
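The NAT + netsh portproxy fallback, as an added example (not taken from networking.md or any project file): it binds the forwarder to the Windows Tailscale address only and scopes the firewall rule to tailnet peers, so sshd is not reachable from the LAN. It assumes tailscale.exe and wsl.exe are on PATH, that the default WSL distro is the Ubuntu instance with sshd on port 22, and it uses a hypothetical firewall rule name.

```powershell
#Requires -RunAsAdministrator
# Added example: NAT-mode fallback for Approach A. Forwards SSH arriving at the
# Windows Tailscale address into WSL2 without listening on LAN interfaces.
# Assumptions: tailscale.exe and wsl.exe are on PATH; the default WSL distro is
# the one running sshd on port 22; the rule name below is hypothetical.

$Port     = 22
$RuleName = 'WSL2 SSH via Tailscale'   # hypothetical name

# Tailscale IPv4 address of this Windows host (100.x.x.x).
$tsIp = "$(tailscale ip -4 | Select-Object -First 1)".Trim()
if ($tsIp -notmatch '^100\.\d+\.\d+\.\d+$') { throw "Unexpected Tailscale IP: '$tsIp'" }

# Current WSL2 NAT address. It changes when WSL restarts, so rerun this script then.
$wslIp = @((wsl hostname -I) -split '\s+' | Where-Object { $_ })[0]
if (-not $wslIp) { throw 'Could not read the WSL2 IP; is the distro running?' }

# Replace any stale mapping, then listen only on the Tailscale address (not 0.0.0.0).
netsh interface portproxy delete v4tov4 listenaddress=$tsIp listenport=$Port | Out-Null
netsh interface portproxy add v4tov4 listenaddress=$tsIp listenport=$Port `
    connectaddress=$wslIp connectport=$Port

# Allow inbound SSH only to the Tailscale address and only from tailnet peers
# (Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10).
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $Port -LocalAddress $tsIp `
    -RemoteAddress '100.64.0.0/10' | Out-Null

# Show the active mapping for verification.
netsh interface portproxy show v4tov4
```

Tailnet ACLs still decide which of your devices may reach port 22 on this node; the firewall rule only keeps non-Tailscale interfaces out.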

Approach B is viable only if you disable Windows Tailscale entirely and treat the WSL2 instance as the sole Tailscale node on that machine. This is an advanced config and you lose Windows-side Tailscale features.