Assumption: Both machines already have Tailscale set up and logged in.
On Ubuntu, install the SSH server if it is not already installed:

```bash
sudo systemctl status ssh          # check whether sshd is present and running
sudo apt install openssh-server    # install if missing
sudo systemctl enable --now ssh
sudo ss -tlnp | grep :22           # confirm it's listening
```
Then from the client:

```bash
tailscale status             # confirm peer is online, get its tailscale IP/MagicDNS name
ssh user@<machine-name>      # or use the 100.x.y.z IP
```
Tailscale creates a new interface called tailscale0. It is better to allow incoming connections only on the tailscale0 interface than to use a custom SSH port and open it to the world. Every Tailscale connection is encrypted by default.

Set up ufw as the firewall: block all incoming traffic so that no one can connect, allow all outgoing traffic so that you can still use the internet, and allow incoming connections only on tailscale0:
```bash
sudo ufw default deny incoming     # deny all incoming
sudo ufw default allow outgoing    # allow all outgoing
sudo ufw allow in on tailscale0    # allow incoming only on tailscale0
sudo ufw enable
sudo ufw status verbose
```
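To check the result rather than read it by eye, the following added example (not part of the original page) audits `ufw status verbose` output against the policy above. The function names `audit_ufw`, `sample_good` and `sample_bad` are hypothetical, the sample outputs are constructed, and the parsing assumes the standard `ufw status verbose` column layout.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit `ufw status verbose`
# output against the tailscale0-only policy described above.
# On a real host: sudo ufw status verbose | audit_ufw

audit_ufw() {
  # Reads the status text on stdin, prints one finding per line,
  # returns 0 when the policy holds and 1 otherwise.
  awk '
    /^Status: active/ { active = 1 }
    /^Default:/ && /(deny|reject) \(incoming\)/ { deny_in = 1 }
    / (ALLOW|LIMIT) IN / {
      # Everything left of the action column is the "To" field,
      # which carries "on <interface>" for interface-scoped rules.
      to = $0
      sub(/ +(ALLOW|LIMIT) IN .*/, "", to)
      if (to ~ / on tailscale0$/) ts_rule = 1
      else { print "OUTSIDE tailscale0: " to; bad = 1 }
    }
    END {
      if (!active)  { print "FAIL: ufw is not active"; bad = 1 }
      if (!deny_in) { print "FAIL: default incoming policy is not deny"; bad = 1 }
      if (!ts_rule) { print "FAIL: no allow rule on tailscale0"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample: the state the commands above should produce.
sample_good() { cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tailscale0     ALLOW IN    Anywhere
Anywhere (v6) on tailscale0 ALLOW IN    Anywhere (v6)
EOF
}

# Constructed sample: a custom SSH port also left open on every interface.
sample_bad() { sample_good; echo "2222/tcp                   ALLOW IN    Anywhere"; }

sample_good | audit_ufw && echo "good sample: policy holds"
sample_bad  | audit_ufw || echo "bad sample: findings listed above"
```

A non-zero exit status makes the function usable in a provisioning script or a periodic check that alerts when a rule outside tailscale0 is added later.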