diff --git a/system/server.nix b/system/server.nix
index 1001014..bdb5894 100644
--- a/system/server.nix
+++ b/system/server.nix
@@ -5,4 +5,22 @@
 # use xserver without display manager
 services.xserver.displayManager.startx.enable = true;
+
+ # Allow web server to be accessible when running Tailscale with exit node
+ networking.nftables.enable = true;
+ networking.nftables.ruleset = ''
+ table inet allow-incoming-traffic {
+ chain allow-incoming {
+ type filter hook input priority -100; policy accept;
+ tcp dport {80, 443} meta mark set 0x80000;
+ udp dport {80, 443} meta mark set 0x80000;
+ }
+
+ chain allow-outgoing {
+ type route hook output priority -100; policy accept;
+ tcp sport {80, 443} meta mark set 0x80000;
+ udp sport {80, 443} meta mark set 0x80000;
+ }
+ }
+ '';
 }
diff --git a/system/vpn.nix b/system/vpn.nix
index 22c6928..7ed7e81 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -36,10 +36,11 @@ in {
 ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}
 ${cfg.package}/bin/tailscale cert ${tailnetHost}
+ chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}
 '';
 services.nginx.virtualHosts.${tailnetHost} = {
- sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.key";
- sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.crt";
+ sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.crt";
+ sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.key";
 };
 }
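Review bot: The ruleset only sets a packet mark and both chains have `policy accept`, so despite the table name `allow-incoming-traffic` and the comment above it, nothing here opens ports 80/443; reachability is still decided by the NixOS firewall, which `networking.nftables.enable = true` also switches to the nftables backend, so `networking.firewall.allowedTCPPorts = [ 80 443 ];` is still required if the web server is meant to be reachable. The comment should say what the mark actually does, e.g. `# 0x80000 is Tailscale's bypass mark: packets from 80/443 use the main routing table instead of the exit node`. The `udp` rules only matter if the server speaks HTTP/3; if it does not, dropping them limits the bypass to the ports actually served. Whether the input-chain mark is needed in addition to the output route hook is not visible from the hunk and is worth confirming before keeping both chains.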
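Review bot: The added `chown nginx:nginx` makes the nginx user the owner of the TLS private key, which is more than nginx needs and lets a compromised worker process replace it; keeping root ownership and granting group read, `chown root:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}` followed by `chmod 0640 /var/lib/tailscale/certs/${tailnetHost}.key`, gives nginx read access with less. The script containing this line starts before the hunk, so it is not visible whether it runs once or on every start; if `tailscale cert` rewrites the files on renewal, the ownership set here may be reset and the reload path should be checked. The `.{key,crt}` brace expansion requires bash rather than POSIX sh, which is presumably what this script runs under but is worth confirming.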