diff --git a/netlab/install.sh b/netlab/install.sh
index 7605a29..9573ee9 100644
--- a/netlab/install.sh
+++ b/netlab/install.sh
@@ -49,7 +49,7 @@ main() {
 log_info "Installing base packages..."
 sudo apt update -qq
- sudo apt install -y -qq vim ca-certificates curl gnupg lsb-release fail2ban unattended-upgrades > /dev/null
+ sudo apt install -y -qq vim ca-certificates curl gnupg lsb-release fail2ban unattended-upgrades at > /dev/null
 log_info "Installing Tailscale..."
 curl -fsSL https://tailscale.com/install.sh | sh
@@ -95,8 +95,18 @@ EOF
 sudo ufw allow ${SSH_PORT}/tcp > /dev/null
 # Allow all traffic on Tailscale interface
 sudo ufw allow in on tailscale0 > /dev/null
+ # Temporarily allow SSH port 22 during setup (safety net)
+ sudo ufw allow 22/tcp > /dev/null
 sudo ufw --force enable > /dev/null
+ # Schedule SSH port 22 rule removal in 5 minutes
+ log_warn "SSH port 22 temporarily open for 5 minutes (safety net)."
+ log_warn "Verify Tailscale SSH or custom port ${SSH_PORT} works, then wait or run: sudo ufw delete allow 22/tcp"
+ echo "sudo ufw delete allow 22/tcp && logger 'UFW: SSH port 22 closed by scheduled task'" | sudo at now + 5 minutes 2>/dev/null || {
+ log_warn "Could not schedule automatic SSH cleanup. Run manually after verification:"
+ log_warn " sudo ufw delete allow 22/tcp"
+ }
+
 # Get Tailscale IP for final message
 TS_IP=$(tailscale ip -4)
@@ -116,6 +126,9 @@ EOF
 echo ""
 echo "Note: Log out and back in (or run 'newgrp docker') to use docker without sudo"
 echo ""
+ log_warn "SSH port 22 will be closed in 5 minutes."
+ log_warn "To cancel: sudo atq (list jobs) then sudo atrm "
+ echo ""
 }
 main "$@"
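Review bot: The scheduled `ufw delete allow 22/tcp` removes the only SSH rule when `SSH_PORT` is itself 22, because `sudo ufw allow 22/tcp` then duplicates the `${SSH_PORT}/tcp` rule added three lines earlier and the delete takes it away; wrap the temporary rule and the `at` submission in `if [[ "${SSH_PORT}" != "22" ]]; then … fi`. The `2>/dev/null` on the `at` call also discards the `job N at …` line, which is the job id the closing instructions later ask the user to look up, and a queued job only executes if atd is active, so the `||` fallback does not cover a stopped daemon — consider `systemctl is-active --quiet atd || log_warn "atd not running; remove the 22/tcp rule manually"` before relying on the schedule. The five-minute rule is open on every interface rather than only to the operator's own address; when the script is run over SSH, `sudo ufw allow from "${SSH_CLIENT%% *}" to any port 22 proto tcp` keeps the safety net while narrowing the exposure window. The enclosing main() continues outside the hunk.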
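Review bot: The closing `log_warn "SSH port 22 will be closed in 5 minutes."` is printed unconditionally, including when the earlier `at` submission failed and fell into its `|| { … }` branch, so the operator can be told a cleanup is scheduled that never was; set a flag in the success path (e.g. `at_scheduled=1` after the `at` pipeline) and guard this block with `if (( at_scheduled )); then … fi`. The second message ends at `sudo atrm ` with no job-id placeholder, which looks like an angle-bracketed token stripped in rendering; spell it out as `sudo atrm JOB_ID` so the string survives any renderer. The enclosing main() starts outside the hunk.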