feat(issue-17): add Tailscale VPN setup script and documentation

- Add tailscale-setup.sh:
  - Multi-distro support (Debian/Ubuntu, Fedora)
  - Automatic OS detection
  - Systemd integration for tailscaled daemon
  - User choice: AUTHKEY or headless browser login
  - Configurable device name (defaults to hostname)
  - Verification steps after setup

- Update SKILL.md:
  - Add Tailscale VPN section under Remote Access
  - Document benefits and setup commands
  - Link to full documentation

- Update docs/kugetsu-setup.md:
  - Add Tailscale section before Security Notes
  - Compare Tailscale vs port forwarding
  - Document authentication methods
  - Add post-setup usage examples
  - Include uninstall instructions

skills/kugetsu/SKILL.md

@@ -235,6 +235,35 @@ kugetsu continue github.com/shoko/kugetsu#14
 
 See [docs/kugetsu-setup.md](../../docs/kugetsu-setup.md) for full remote access setup including host-side port forwarding and firewall configuration.
 
+### Tailscale VPN (Alternative)
+
+If your host does not have a public IP or you need access across different networks, Tailscale provides a VPN solution.
+
+**Benefits:**
+- No public IP required
+- Each container gets its own unique Tailscale IP
+- Access from anywhere via Tailscale network
+- Normal internet access still works
+
+**Setup:**
+
+```bash
+chmod +x skills/kugetsu/scripts/tailscale-setup.sh
+bash skills/kugetsu/scripts/tailscale-setup.sh <username> <device-name>
+```
+
+The script will:
+1. Install Tailscale (supports Debian/Ubuntu, Fedora)
+2. Start the tailscaled daemon
+3. Prompt for AUTHKEY or browser-based login
+4. Configure device name (defaults to current hostname)
+
+**After Setup:**
+- From any Tailscale device: `ssh <username>@<device-name>`
+- Works across different networks without port forwarding
+
+See [docs/kugetsu-setup.md](../../docs/kugetsu-setup.md) for full Tailscale setup documentation.
+
 ## Without kugetsu
 
 If kugetsu is not available, use opencode directly: