Tailscale Canonical Config — Pi 4 + RG40XXV (Provisional)

Status: ACTIVE (provisional field insights — not final truth)
Agent: opencode/ext-agent (sandshrew)
Timestamp UTC: 2026-05-11T23:30:00Z
Last admin console check: 2026-05-11 (by MjF)

Prior Context

Admin Console Evidence (MjF — 2026-05-11)

relik-pi4

Name:       relik-pi4
Account:    766hww9npv@privaterelay.appleid.com
IP:         100.120.38.37
Version:    1.96.4
OS:         Linux 6.12.75+rpt-rpi-v8
Features:   ✅ SSH enabled   ✅ Funnel enabled
Expiry:     Disabled (never expires)

knulli-1 (RG40XXV)

Per Pearl Brain context-polygon-20260126-001713-955a5f2c:

- IP: 100.119.202.114
- Binary: /usr/bin/tailscale, /usr/sbin/tailscaled
- State: /userdata/system/tailscale/tailscaled.state
- Socket: /var/run/tailscale/tailscaled.sock
- Startup: /userdata/system/custom.sh
- Login: 766hww9npv@privaterelay.appleid.com (same account)

Provisional Field Insights (Not Final Truth)

Insight 1: Tailscale SSH IS enabled on Pi — sessions aren't using it

Evidence: Admin console shows SSH toggle ON for relik-pi4.

Observed behavior: Sessions (including this one) default to ssh mehdifarah@100.120.38.37 (raw SSH with key auth) rather than ssh mehdifarah@relik-pi4 (Tailscale SSH).

Hypothesis: Sessions don't know Tailscale SSH is available because:

- The canonical CLAUDE.md mentions key-based auth and IPs, not Tailscale SSH
- The CLI on the Mac may not be configured for Tailscale SSH (tailscale up --ssh may not have been run on the Mac)
- Hostname resolution may not work if MagicDNS is off

Insight 2: RG Tailscale version is capped by hardware/OS

Evidence: RG runs 1.76.1 (Sept 2024) vs Pi's 1.96.4. Manual install at /userdata/tailscale_1.76.1_arm64/.

Hypothesis: KNULLI/Batocera's kernel or userspace may not support newer Tailscale versions. The ip6tables MASQUERADE error suggests missing kernel modules. This needs investigation — not assumed, but flagged.

Insight 3: Ping works, HTTP may not

Evidence: Pi→RG ping: 3-5ms, 0% loss. HTTP from RG→Pi port 8000: connection refused during probe (server may not have been running yet — timing issue, not proven).

Hypothesis: The probe server was started but RG's HTTP request failed because the server wasn't fully up yet (LangGraph import warnings took time). This needs a clean re-test, not assumed broken.

Insight 4: The "slippery" problem is documentation, not infrastructure

Observed pattern: Sessions use different SSH approaches because:

- CLAUDE.md says sshpass -p 'root' ssh -o ConnectTimeout=60 root@192.168.1.28 (muOS, local IP) but no canonical Tailscale command
- Pearl Brain has both muOS password (root) and Knulli password (linux)
- The device is on Tailscale but sessions default to local IP
- No single page says "this is the ONE command to reach each device"

The fix: This page is that single source. Future sessions read this first.

Canonical Commands (Provisional — Test These)

SSH to Pi

# Tailscale SSH (preferred — if Mac has tailscale up --ssh):
ssh mehdifarah@relik-pi4

# Tailscale IP (always works):
ssh mehdifarah@100.120.38.37

# Key-based auth is the fallback. No password needed.

SSH to RG

# Tailscale SSH (if RG has tailscale up --ssh enabled):
ssh root@knulli-1

# Current working approach (Tailscale IP, password auth):
sshpass -p 'linux' ssh -o ConnectTimeout=60 root@100.119.202.114

# Local network (home only):
sshpass -p 'linux' ssh -o ConnectTimeout=60 root@192.168.1.28

HTTP Between Devices

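import requests

# From RG to Pi (Tailscale IP — always works):
# timeout= keeps the call from hanging if the port never answers
requests.get("http://100.120.38.37:8000/state", timeout=5)

# From RG to Pi (hostname — if MagicDNS works on RG):
requests.get("http://relik-pi4:8000/state", timeout=5)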

# From Pi to RG:
# Same pattern, reversed IP

Open Probes (Not Yet Confirmed)

What                                        Status        Next Step
RG can HTTP to Pi port 8000                 UNCONFIRMED   Re-test with server confirmed running
Tailscale SSH from Mac to Pi                UNCONFIRMED   Test ssh mehdifarah@relik-pi4
RG Tailscale can update past 1.76.1         UNKNOWN       Research KNULLI kernel compatibility
MagicDNS works on RG with newer Tailscale   UNKNOWN       Depends on RG update
RG ip6tables error affects HTTP             UNKNOWN       Test HTTP, not just ping
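
For the clean re-test of the port 8000 probe, the following added example (not part of the original page or of the project's tooling) separates the failure modes that Insight 3 and the table above leave open: name not resolving (MagicDNS), connection refused (server not listening yet) and timeout (filtered or no route). It uses only the Python standard library, so it does not depend on requests being installed on the RG; the function names probe and wait_until_open are hypothetical.

```python
import socket
import time


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"            # something accepted the connection
    except socket.gaierror:
        return "dns_failure"         # name did not resolve (e.g. MagicDNS off)
    except ConnectionRefusedError:
        return "refused"             # host reachable, nothing listening on the port
    except socket.timeout:
        return "timeout"             # no answer: filtered, or no route
    except OSError:
        return "error"               # anything else (e.g. network unreachable)


def wait_until_open(host, port, deadline_s=30.0, interval_s=1.0, timeout=3.0):
    """Retry probe() until the port is open or the deadline passes.

    Returns (last_result, attempts). A result of "refused" after the full
    deadline means the server really is not listening, which rules out the
    startup-timing explanation.
    """
    end = time.monotonic() + deadline_s
    attempts = 0
    while True:
        attempts += 1
        result = probe(host, port, timeout)
        if result == "open" or time.monotonic() >= end:
            return result, attempts
        time.sleep(interval_s)


if __name__ == "__main__":
    # Targets taken from this page: Pi Tailscale IP and hostname, port 8000.
    for host in ("100.120.38.37", "relik-pi4"):
        result, attempts = wait_until_open(host, 8000)
        print(f"{host}:8000 -> {result} after {attempts} attempt(s)")
```

Run it on the RG while the probe server is starting on the Pi; "open" on the IP with "dns_failure" on the hostname points at MagicDNS rather than at the server or the ip6tables error.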

What Future Sessions Should Read First

  1. This page — canonical commands
  2. [[wiring-probe-plan]] — probe methodology and results
  3. [[prototype-blueprint-36-node-hex]] — what we're building
  4. Pearl Brain: context-opencode-20260510-232853-ef8c26d1 (Pi access details)
  5. Pearl Brain: context-polygon-20260126-001713-955a5f2c (RG Tailscale details)