diff --git a/CLAUDE.md b/CLAUDE.md
index 7bb4010..4da1666 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -70,6 +70,7 @@ nc -zw1 10.10.10.150 22000 && echo "Windows Syncthing: UP" || echo "Windows Sync
 | High CPU on TrueNAS | Syncthing rescan? KSM? | Check rescan intervals, disable KSM |
 | VM won't start | Storage available? RAM free? | `ssh pve 'qm start VMID'`, check logs |
 | Tailscale offline | `tailscale status` | `tailscale up` or restart service |
+| Tailscale no subnet access | Check subnet routers | Verify pve or ucg-fiber advertising routes |
 | Sync stuck at X% | Folder errors? Conflicts? | Check `rest/folder/errors?folder=NAME` |
 | Server running hot | Check KSM, check CPU processes | Disable KSM, identify runaway process |
 | Storage enclosure loud | Check fan speed via SES | See [EMC-ENCLOSURE.md](EMC-ENCLOSURE.md) |
@@ -357,6 +358,46 @@ qm set VMID --net1 virtio,bridge=vmbr3
 
 - MTU 9000 (jumbo frames) on all bridges
 
+### Tailscale VPN
+
+Tailscale provides secure remote access to the homelab from anywhere.
+
+**Subnet Routers (HA Failover)**
+
+Two devices advertise the `10.10.10.0/24` subnet for redundancy:
+
+| Device | Tailscale IP | Role | Notes |
+|--------|--------------|------|-------|
+| pve | 100.113.177.80 | Primary | Proxmox host |
+| ucg-fiber | 100.94.246.32 | Failover | UniFi router (always on) |
+
+If Proxmox goes down, Tailscale automatically fails over to the router (~10-30 sec).
+
+**Router Tailscale Setup (UCG-Fiber)**
+- Installed via: `curl -fsSL https://tailscale.com/install.sh | sh`
+- Config: `tailscale up --advertise-routes=10.10.10.0/24 --accept-routes`
+- Survives reboots (systemd service)
+- Routes must be approved in [Tailscale Admin Console](https://login.tailscale.com/admin/machines)
+
+**Tailscale IPs Quick Reference**
+
+| Device | Tailscale IP | Local IP |
+|--------|--------------|----------|
+| Mac Mini | 100.108.89.58 | 10.10.10.125 |
+| PVE | 100.113.177.80 | 10.10.10.120 |
+| UCG-Fiber | 100.94.246.32 | 10.10.10.1 |
+| TrueNAS | 100.100.94.71 | 10.10.10.200 |
+| Pi-hole | 100.112.59.128 | 10.10.10.10 |
+
+**Check Tailscale Status**
+```bash
+# From Mac Mini
+/Applications/Tailscale.app/Contents/MacOS/Tailscale status
+
+# From router
+expect -c 'spawn ssh root@10.10.10.1 "tailscale status"; expect "Password:"; send "GrilledCh33s3#\r"; expect eof'
+```
+
 ## Common Commands
 ```bash
 # Check VM status