Site to Site Networking with Tailscale: Part 1 — Wrestling a UDM Pro Into Submission
- Shannon
- 2 minutes ago
- 3 min read
I set out to replace my traditional Azure site to site VPN with something lighter and easier to manage (plus Microsoft is effectively retiring the Basic S2S VPN SKU on January 31, 2026). The idea was simple: run Tailscale on my Unifi Dream Machine Pro, advertise my home LAN into the tailnet, and let Azure see it. No expensive gateways, no $138.70/month upgraded S2S VPN SKUs from Azure, no headaches. Easy, right? Yeah...some slight headaches, but I "vibe coded" my way through the trickier spots.
Why put Tailscale on a UDM Pro?
The UDM Pro is the gatekeeper for my home network. If I can make it act as a subnet router, I only need Tailscale there, not on every laptop, Raspberry Pi, or fridge that somehow has a WiFi chip these days. In theory, once the UDM is in the tailnet, my whole 192.168.1.0/24 world becomes reachable. The theory was sound. The reality involved a few error messages, some swearing, and the realization that Unifi’s Debian repos were a hot mess.
Step 1: Enable SSH so you can actually touch the thing
There is no “click here to install Tailscale” button in the Unifi portal (if only). To get anywhere, you need SSH access. Go into the Unifi controller, head to Settings → System → Advanced → Device SSH Authentication, and flip it on. Pick a username and password, then SSH in from your terminal.
If you get in, congrats. You’re officially backstage at the UDM concert.
Step 2: Deal with broken Debian repos
I figured apt update would just work. Instead I was greeted with errors like:
E: The repository 'https://deb.debian.org/debian bullseye-backports Release' no longer has a Release file.
Translation: the UDM is living in a past life and the default repos are gone. The fix was pointing at archive.debian.org and telling apt to stop being so picky about dates. Here’s the magic combo:
cat <<EOF >/etc/apt/sources.list
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb http://archive.debian.org/debian-security bullseye-security main contrib non-free
EOF
echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/99ignore-check-valid-until
apt update
After this, apt update stopped complaining. Progress.
Step 3: Install Tailscale like a normal human
Finally, the part that just works:
curl -fsSL https://tailscale.com/install.sh | sh
No weird errors here. For once, something went as planned. Huzzah!
Step 4: Generate a reusable auth key
Pro tip: don’t use an ephemeral key unless you enjoy logging back in every reboot. Go to Tailscale Admin → Keys in your Tailscale portal and create a reusable key. Copy it somewhere safe. It’ll look like tskey-auth-.... Without this, your UDM will ghost you the second it restarts.
Step 5: Enable IP forwarding
Tailscale will sit there looking smug until you tell Linux it’s allowed to forward packets. Here's what you do:
sysctl net.ipv4.ip_forward
If you get 0, that’s a problem. Fix it with:
mkdir -p /etc/sysctl.d
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-tailscale.conf
sysctl -p /etc/sysctl.d/99-tailscale.conf
Now the UDM can actually route traffic instead of just admiring packets as they pass by.
Step 6: Bring it online
Now for the big moment. Replace the auth key with your own (I didn't post mine, as that's not exactly smart, is it?):
sudo tailscale up --reset \
--authkey tskey-auth-YOURKEYHERE \
--advertise-routes=192.168.1.0/24 \
--hostname udm-dream-machine
Check status:
tailscale status
You should see your UDM listed with:
subnets: 192.168.1.0/24
If you don’t, something’s off. Either the route isn’t approved in the Tailscale admin, or IP forwarding isn’t really on. Expect a few retries here. I had to approve the route in the Tailscale admin portal before things actually lit up.
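To take the guesswork out of that retry loop, here is an added preflight script (my own, not from the original post) that tells "route advertised but not yet approved" apart from "route approved" and checks that forwarding is really on. It assumes that `tailscale debug prefs` prints the node prefs as JSON with an AdvertiseRoutes list, and that `tailscale status --json` has Self.AllowedIPs, which only includes a route once an admin has approved it.

```python
"""Preflight check for a Tailscale subnet router on the UDM Pro.

Distinguishes a route that is advertised but not yet approved in the admin
console from one that is approved, and confirms kernel IP forwarding is on.
Field names (AdvertiseRoutes, Self.AllowedIPs) are assumptions about the JSON
that `tailscale debug prefs` and `tailscale status --json` print.
"""
import ipaddress
import json
import subprocess


def forwarding_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """True when the kernel will forward packets (net.ipv4.ip_forward=1)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:  # not Linux, or no permission: treat as not enabled
        return False


def route_states(prefs_json, status_json):
    """Map each advertised CIDR to 'approved' or 'pending'.

    An advertised route shows up in Self.AllowedIPs only after an admin has
    approved it, so one missing there is the "not approved yet" case."""
    prefs = json.loads(prefs_json)
    status = json.loads(status_json)
    allowed = {ipaddress.ip_network(r)
               for r in (status.get("Self") or {}).get("AllowedIPs") or []}
    states = {}
    for route in prefs.get("AdvertiseRoutes") or []:  # null when none set
        net = ipaddress.ip_network(route)
        states[str(net)] = "approved" if net in allowed else "pending"
    return states


def main():
    run = lambda *cmd: subprocess.run(cmd, check=True, capture_output=True,
                                      text=True).stdout
    problems = []
    if not forwarding_enabled():
        problems.append("ip_forward is 0; check /etc/sysctl.d/99-tailscale.conf")
    states = route_states(run("tailscale", "debug", "prefs"),
                          run("tailscale", "status", "--json"))
    if not states:
        problems.append("nothing advertised; rerun tailscale up --advertise-routes")
    for cidr, state in states.items():
        print(f"{cidr}: {state}")
        if state == "pending":
            problems.append(f"{cidr} is awaiting approval in the admin console")
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it on the UDM after tailscale up; a non-zero exit means one of the two failure modes above is still in play.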
Step 7: Celebrate… cautiously
At this point the UDM is in your tailnet, it’s advertising your home LAN, and remote peers can route traffic through it. Cue the happy dance. Just remember, you’ll still need to make your Azure side behave (that’s Part 2). And yes, there will be more snags and more colorful language along the way. There will also be a Part 3, about getting another S2S VPN going in a separate region.
Lessons learned
The UDM doesn’t play nice out of the box. Be ready to edit sources.list.
Don’t skip IP forwarding or subnet routing will silently fail.
Always use a reusable auth key or you’ll end up in login purgatory.
Tailscale is amazing once it’s running, but the UDM definitely made me earn it.