diff --git a/ansible/roles/private-access/tasks/main.yml b/ansible/roles/private-access/tasks/main.yml
index 2160eb0..1891c61 100644
--- a/ansible/roles/private-access/tasks/main.yml
+++ b/ansible/roles/private-access/tasks/main.yml
@@ -35,6 +35,18 @@ unit_local_port: 19001 unit_remote_port: 9001 +- name: Create systemd unit for Rancher private access + template: + src: kubectl-port-forward.service.j2 + dest: /etc/systemd/system/k8s-portforward-rancher.service + mode: "0644" + vars: + unit_description: Port-forward Rancher for Tailscale access + unit_namespace: cattle-system + unit_target: svc/rancher + unit_local_port: 19442 + unit_remote_port: 80 + - name: Reload systemd systemd: daemon_reload: true
@@ -48,11 +60,13 @@ - k8s-portforward-grafana.service - k8s-portforward-prometheus.service - k8s-portforward-flux-ui.service + - k8s-portforward-rancher.service - name: Configure Tailscale Serve for private access endpoints shell: >- tailscale serve reset && tailscale serve --bg --tcp={{ private_access_grafana_port }} tcp://127.0.0.1:13080 && tailscale serve --bg --tcp={{ private_access_prometheus_port }} tcp://127.0.0.1:19090 && - tailscale serve --bg --tcp={{ private_access_flux_port }} tcp://127.0.0.1:19001 + tailscale serve --bg --tcp={{ private_access_flux_port }} tcp://127.0.0.1:19001 && + tailscale serve --bg --tcp={{ private_access_rancher_port }} tcp://127.0.0.1:19442 changed_when: true
diff --git a/ansible/site.yml b/ansible/site.yml
index 6d88b7f..34ee49c 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -116,6 +116,7 @@ private_access_grafana_port: 30080 private_access_prometheus_port: 30990 private_access_flux_port: 30901 + private_access_rancher_port: 9442 roles: - private-access
diff --git a/infrastructure/addons/rancher/ingress-rancher.yaml b/infrastructure/addons/rancher/ingress-rancher.yaml
deleted file mode 100644
index 96833c2..0000000
--- a/infrastructure/addons/rancher/ingress-rancher.yaml
+++ /dev/null
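Review bot: `unit_remote_port: 80` points the new port-forward at Rancher's plain-HTTP service port, where the removed ingress-rancher.yaml had Traefik terminating TLS in front of it; the `tailscale serve --tcp` line in the next hunk and the new service-rancher-tailscale.yaml both pass that port 80 through unchanged, so they share this concern. In the default chart configuration Rancher's port-80 listener answers with a redirect to HTTPS on its configured hostname, as far as I recall, unless the HelmRelease sets the chart's `tls=external` value; if that value is not set, the forwarded port would only hand tailnet clients a redirect that nothing on this path serves, so it is worth confirming against helmrelease-rancher.yaml. A comment on the vars block such as `# plain HTTP: relies on the Rancher chart running with tls=external` would record the dependency. The surrounding task list continues outside the hunk.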
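Review bot: The serve chain now has five commands but still opens with `tailscale serve reset`, so if any `--bg` registration after the reset fails (for example the new `--tcp={{ private_access_rancher_port }}` line), the node is left publishing only the endpoints registered before the failure until the playbook runs again, and `changed_when: true` reports a change on every run whether or not anything differed. That failure mode predates the commit, but each endpoint appended to the chain widens it. At minimum a comment above the task, `# reset drops every serve entry first; a failure later in the chain leaves the node with a partial set of endpoints`, should state it; registering the endpoints from a looped task after a single reset would keep one bad entry from masking the others. The task's enclosing play continues outside the hunk.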
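Review bot: `private_access_rancher_port: 9442` sits next to three values in the 30xxx range and reuses the port number the deleted service-traefik-tailscale.yaml published under the name `rancher`, with nothing saying why the scheme differs. These vars become the `--tcp=` listener ports of the role's `tailscale serve` command, so a one-line comment above the group, `# tailnet-facing listener ports used by roles/private-access (tailscale serve --tcp); 9442 kept from the former Traefik-published port`, would help whoever adds the next endpoint. That 9442 was kept deliberately for continuity is an inference from the two hunks, not something the diff states; the vars block continues outside the hunk.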
@@ -1,26 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: rancher
- namespace: cattle-system
- annotations:
- traefik.ingress.kubernetes.io/router.entrypoints: rancher
- traefik.ingress.kubernetes.io/router.tls: "true"
- cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
-spec:
- ingressClassName: traefik
- rules:
- - host: k8s-cluster-cp-1.silverside-gopher.ts.net
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: rancher
- port:
- number: 80
- tls:
- - hosts:
- - k8s-cluster-cp-1.silverside-gopher.ts.net
- secretName: rancher-tls
diff --git a/infrastructure/addons/rancher/kustomization.yaml b/infrastructure/addons/rancher/kustomization.yaml
index b31cb0f..7f586fe 100644
--- a/infrastructure/addons/rancher/kustomization.yaml
+++ b/infrastructure/addons/rancher/kustomization.yaml
@@ -4,5 +4,5 @@ resources: - namespace.yaml - helmrepository-rancher.yaml - helmrelease-rancher.yaml - - ingress-rancher.yaml + - service-rancher-tailscale.yaml - rancher-bootstrap-password-externalsecret.yaml
diff --git a/infrastructure/addons/rancher/service-rancher-tailscale.yaml b/infrastructure/addons/rancher/service-rancher-tailscale.yaml
new file mode 100644
index 0000000..cea5787
--- /dev/null
+++ b/infrastructure/addons/rancher/service-rancher-tailscale.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: rancher-tailscale
+ namespace: cattle-system
+ annotations:
+ tailscale.com/hostname: k8s-cluster-cp-1-rancher
+ tailscale.com/proxy-class: infra-stable
+spec:
+ type: LoadBalancer
+ loadBalancerClass: tailscale
+ selector:
+ app: rancher
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
diff --git a/infrastructure/addons/traefik-config/kustomization.yaml b/infrastructure/addons/traefik-config/kustomization.yaml
index b4e26c3..92aabda 100644
--- a/infrastructure/addons/traefik-config/kustomization.yaml
+++ b/infrastructure/addons/traefik-config/kustomization.yaml
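Review bot: The new Service makes Rancher, the cluster's admin console, a tailnet device of its own, but the manifest carries neither a `tailscale.com/tags` annotation nor a comment stating which ACL grants are expected to govern it; as far as I can tell the proxy's identity and tags come entirely from the `infra-stable` ProxyClass, which is not in this diff. The same console is also reachable through the node-level `tailscale serve` on port 9442 added in ansible/roles/private-access/tasks/main.yml, so there are now two tailnet entry points with no note on which is canonical. A header comment such as `# Rancher UI on the tailnet via the operator proxy; access is governed by tailnet ACLs for the tags set in ProxyClass infra-stable` would capture both points. The selector `app: rancher` presumably matches the labels the Rancher chart puts on its pods — worth confirming against the deployed Deployment.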
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - helmchartconfig-traefik.yaml - - service-traefik-tailscale.yaml
diff --git a/infrastructure/addons/traefik-config/service-traefik-tailscale.yaml b/infrastructure/addons/traefik-config/service-traefik-tailscale.yaml
deleted file mode 100644
index 71d248a..0000000
--- a/infrastructure/addons/traefik-config/service-traefik-tailscale.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: traefik-tailscale
- namespace: kube-system
- annotations:
- tailscale.com/hostname: k8s-cluster-cp-1
- tailscale.com/proxy-class: infra-stable
-spec:
- type: LoadBalancer
- loadBalancerClass: tailscale
- selector:
- app.kubernetes.io/instance: traefik-kube-system
- app.kubernetes.io/name: traefik
- ports:
- - name: web
- port: 80
- protocol: TCP
- targetPort: web
- - name: websecure
- port: 443
- protocol: TCP
- targetPort: websecure
- - name: flux
- port: 9001
- protocol: TCP
- targetPort: 9001
- - name: rancher
- port: 9442
- protocol: TCP
- targetPort: 9442