diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index 732a9bb..02bce52 100644
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@@ -1,6 +1,7 @@
 { config, ... }: {
   age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
   me.binds."/var/lib/tailscale" = "tailscale";
+  networking.firewall.trustedInterfaces = [ "tailscale0" ];
   services.tailscale = {
     enable = true;
     authKeyFile = config.age.secrets.tailscale_auth.path;