diff --git a/install.sh b/install.sh
new file mode 100644
index 0000000..59a297a
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -e
+
+# Simple Tailscale LXC bootstrap for Debian/Ubuntu
+# - Updates packages
+# - Enables IPv4/IPv6 forwarding
+# - Installs Tailscale via official installer
+# - Starts tailscaled
+# - Runs 'tailscale up' with optional subnet routing
+
+SUBNET_CIDR="${SUBNET_CIDR:-192.168.1.0/24}"
+EXTRA_TS_FLAGS="${EXTRA_TS_FLAGS:-}"
+
+echo "[*] Updating packages..."
+apt-get update -y && apt-get upgrade -y
+
+echo "[*] Installing curl if missing..."
+apt-get install -y curl
+
+echo "[*] Enabling IP forwarding..."
+grep -q 'net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
+grep -q 'net.ipv6.conf.all.forwarding' /etc/sysctl.conf || echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
+
+echo "[*] Installing Tailscale..."
+curl -fsSL https://tailscale.com/install.sh | sh
+
+echo "[*] Enabling and starting tailscaled..."
+systemctl enable --now tailscaled
+
+echo "[*] Running 'tailscale up'..."
+tailscale up --advertise-routes="${SUBNET_CIDR}" ${EXTRA_TS_FLAGS}
+
+echo
+echo "[*] Done. Follow the URL above to authenticate this node."
+echo "    After that, approve subnet routes in the Tailscale admin console if you used --advertise-routes."