docs(wiki): SMB files+printer over Tailscale (Windows) + Wolkin scope

Robert Wolkin's use case is RSW-Laptop accessing file shares + a shared
printer on front. Add a reusable Windows files/printer section to the
pattern (SMB over the tailnet, the 445 firewall-on-Tailscale-interface
gotcha scoped to 100.64.0.0/10, local-account auth on Home, MagicDNS
FQDN, Point-and-Print via RMM, Taildrive alternative). Record the
concrete per-host post-connect config and the printer-type open item in
the client doc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 15:41:14 -07:00
parent 32e71a1300
commit f75405506e
2 changed files with 65 additions and 5 deletions

@@ -102,6 +102,41 @@ With **MagicDNS** on, the two boxes reach each other by name (e.g. `front-desk`,
---
## Accessing files + a printer on a host node (Windows)
When one node needs SMB file shares and/or a shared printer that live on another Windows
node (e.g. laptop -> front-desk PC):
- **It runs over plain SMB to the host's Tailscale address - no subnet router needed**
when the files/printer are *on a node*. (A subnet router is only needed if the printer is
a SEPARATE LAN device the host prints to - then advertise that LAN subnet from the host.)
- **The #1 gotcha: Windows Firewall blocks SMB (TCP 445) on the Tailscale interface.**
Windows classifies the Tailscale adapter as Public, where File & Printer Sharing is off.
Fix on the HOST with a rule scoped to the Tailscale CGNAT range, so SMB is reachable only
over the tailnet (not the local LAN / Public networks):
```powershell
New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound `
-Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10
```
- **Auth:** Windows 11 Home machines aren't domain-joined, and Windows disables insecure
guest SMB by default - so the client must authenticate as a **real local account on the
host**. Create/confirm a local user on the host, grant it share + NTFS permissions, and
save the credential on the client (Credential Manager / `cmdkey /add`).
- **Address by MagicDNS FQDN or 100.x IP**, not the bare `\\host` short name (Windows SMB
name resolution is unreliable for the short MagicDNS name):
`\\front.<tailnet>.ts.net\Share` or `\\100.x.y.z\Share`.
- **Shared printer:** add as `\\<host-fqdn>\<printershare>`. Post-PrintNightmare
Point-and-Print restrictions often require admin to install the driver - push the
driver/printer install from **GuruRMM** (agent runs as SYSTEM) rather than walking a
non-technical user through it. USB-attached printer -> SMB print sharing is the only
option; a network printer -> install by IP on the client instead.
- **Alternative (files only): Taildrive** - Tailscale's built-in WebDAV share
(`100.100.100.100:8080`), enabled via `nodeAttrs`. Avoids opening SMB/445 entirely, but
it's a WebDAV mount (less familiar than a mapped drive) and does NOT cover printing - so
if a shared printer is in scope you're on SMB anyway.
ACL note: the `tag:<client>` "see each other" ACL already permits 445; no extra grant needed.
## Offboarding
Delete the client's tailnet, or revoke your admin seat and rotate the auth keys. Because the
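Review bot: the firewall rule in the "#1 gotcha" bullet scopes only by `-RemoteAddress 100.64.0.0/10`, but that range is ISP carrier-grade NAT space as well as Tailscale's, so a host whose own uplink is CGNAT-addressed would also accept SMB from non-tailnet neighbours in that range. Suggest binding the rule to the Tailscale adapter in addition to the address scope, e.g. `New-NetFirewallRule ... -RemoteAddress 100.64.0.0/10 -InterfaceAlias "Tailscale"`, and saying in the text that the adapter binding is what makes the rule tailnet-only. Minor: the Offboarding section should mention removing this rule (by its `-DisplayName`) on the host, since the section otherwise only covers the tailnet side.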