Verified Commands

From Mac:

ssh -o BatchMode=yes root@100.119.202.114 'echo rg-tail-ok'

From Pi:

ssh mehdifarah@100.120.38.37 \
  "ssh -o BatchMode=yes root@100.119.202.114 'echo rg-tail-ok'"

Pi-to-RG deploy primitives:

ssh mehdifarah@100.120.38.37 \
  "scp -o BatchMode=yes /etc/hostname root@100.119.202.114:/tmp/pi-to-rg-scp-test"

Repair Commands

If browser-gated SSH returns, first replace any check rule covering the RG with a narrow accept rule. If that is not immediately possible, use a temporary known-good access path to the RG and run:

tailscale set --ssh=false

Then clear stale host keys on deploy hosts:

ssh-keygen -f ~/.ssh/known_hosts -R 100.119.202.114
ssh-keygen -f ~/.ssh/known_hosts -R knulli-1.tail347b6c.ts.net

Finally rerun:

scripts/check_rg_tailnet_access.sh