diff --git a/hosts/modules/roles/work/tailscale.nix b/hosts/modules/roles/work/tailscale.nix
index 202a36d24..958074bd2 100644
--- a/hosts/modules/roles/work/tailscale.nix
+++ b/hosts/modules/roles/work/tailscale.nix
@@ -32,6 +32,34 @@ let
 # - provide `--accept-routes`
 # - override the `ip` tool such that tailscale doesn't actually modify the routing table.
 # - explicitly configure the range of routes i actually want.
+ routableSubnets = [
+ # linux routing is "most specific wins".
+ # but overlapping routes are still problematic,
+ # because during interface bringup a packet might temporarily be routed to a place it wouldn't during nominal operations
+ #
+ # tailscale networks seem to mostly use these IPv4 reserved address ranges:
+ # 0.0.0.0/8
+ # 10.0.0.0/8
+ # 100.64.0.0/10
+ #
+ # "10.0.0.0/8"
+ # "10.1.0.0/16" # - 10.1.255.255
+ "10.2.0.0/15" # - 10.3.255.255
+ "10.4.0.0/14" # - 10.7.255.255
+ "10.8.0.0/13" # - 10.15.255.255
+ "10.16.0.0/12" # - 10.31.255.255
+ "10.32.0.0/11" # - 10.63.255.255
+ "10.64.0.0/13" # - 10.71.255.255
+ "10.72.0.0/14" # - 10.75.255.255
+ "10.76.0.0/15" # - 10.77.255.255
+ # XXX: 10.78.0.0 - 10.78.255.255 gap for my home network
+ # "10.79.0.0/16" # - 10.79.255.255
+ "10.80.0.0/13" # - 10.87.255.255
+ "10.88.0.0/13" # - 10.95.255.255
+ "10.96.0.0/11" # - 10.127.255.255
+ "10.128.0.0/9" # - 10.255.255.255
+ "100.64.0.0/10"
+ ];
 tailscale = let
 iproute2' = pkgs.callPackage ./tailscale-iproute2 { };
 # tailscale package wraps binaries with `--prefix PATH ${iproute2}/bin`.
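Review bot: The comments inside `routableSubnets` record only the 10.78.0.0/16 carve-out, but 10.0.0.0/16, 10.1.0.0/16 and 10.79.0.0/16 are also excluded (two as commented-out entries, one never listed), and the header names 0.0.0.0/8 as a range tailscale uses without it appearing in the list. Since this list is exactly what decides which destinations are pulled onto tailscale0 instead of the local default route, every omission is a policy decision worth recording next to the entry, e.g. `# 10.0/16, 10.1/16 and 10.79/16 deliberately stay off tailscale0: <reason>` and `# 0.0.0.0/8 intentionally not routed: <reason>`. The end-of-range annotations (each prefix ending where the next begins, 10.2/15 through 10.128/9) check out against the prefix lengths. The `let` block this binding sits in begins outside the hunk.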
@@ -94,13 +122,15 @@ in
 echo "tailscale not ready"
 sleep 2
 done
- ${ip} route add table main 10.0.0.0/8 dev tailscale0 scope global
- ${ip} route add table main 100.64.0.0/10 dev tailscale0 scope global
+ for addr in ${lib.concatStringsSep " " routableSubnets}; do
+ ${ip} route add table main "$addr" dev tailscale0 scope global
+ done
 '')
 ];
 systemd.services.tailscaled.preStop = ''
- ${ip} route del table main 10.0.0.0/8 dev tailscale0 scope global || true
- ${ip} route del table main 100.64.0.0/10 dev tailscale0 scope global || true
+ for addr in ${lib.concatStringsSep " " routableSubnets}; do
+ ${ip} route del table main "$addr" dev tailscale0 scope global || true
+ done
 '';
 # systemd.network.networks."50-tailscale" = {
 # # see: `man 5 systemd.network`
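Review bot: The add loop at the top of the hunk runs each `ip route add` with no error handling, while the del loop below deliberately tolerates failure with `|| true`; whether a rejected add aborts the remaining iterations depends on the script's shell options (`set -e` or not), which lie outside the hunk. Without that, one failing entry silently leaves its subnet following the default route off-tailnet rather than tailscale0, and nothing in the log says so. Making the intent explicit on the add side, e.g. `${ip} route add table main "$addr" dev tailscale0 scope global || { echo "failed to add route for $addr" >&2; exit 1; }`, would turn a partial route table into a visible start failure; if re-running over an already-populated table is expected, `ip route replace` is the idempotent alternative. The enclosing script that contains the `while ... done` retry starts outside the hunk.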