diff --git a/nixos/tailscale.nix b/nixos/tailscale.nix
index 2dd7370..14bf7e8 100644
--- a/nixos/tailscale.nix
+++ b/nixos/tailscale.nix
@@ -13,5 +13,14 @@
       }
     ];
   }];
-  services.tailscale = { enable = true; };
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  networking.firewall = {
+    trustedInterfaces = [ "tailscale0" ];
+    # required to connect to Tailscale exit nodes
+    checkReversePath = "loose";
+  };
 }