Subnet routes and relay nodes
The simplest way to install Tailscale is to run a copy on every client and server machine or VM in your organization. That way, traffic is end-to-end encrypted, and you can migrate machines between physical locations without changing their IP addresses or causing disruption.
However, in many cases, you'll have a subnet full of machines that you don't yet want to, or cannot, install Tailscale on directly. In those cases, you can set up a Tailscale "relay node" to advertise the entire subnet at once. The relay node routes all traffic from the Tailscale network onto your physical subnet. This allows for easier incremental deployment, or deployment onto legacy networks.
To activate a subnet relay node on a fresh Linux machine, follow these steps:
Use one of the supported Linux distros.
ssh into the Linux machine and install Tailscale by following the instructions for your distro on pkgs.tailscale.com.
Use systemctl to enable and start the service:
sudo systemctl enable --now tailscaled
Run a command like sudo tailscale up -advertise-routes=10.0.0.0/24,10.0.1.0/24 to authenticate and connect your relay machine to your Tailscale network. (You will want to replace the subnets with the right ones for your use case. Note that default routes, 0.0.0.0/0, are not currently supported.)
Visit the admin console and perform the following actions:
- Disable key expiry for this machine so that you don't need to reauthenticate the server periodically.
- Authorize subnet routes on the machine, so that Tailscale distributes the subnet routes to the rest of the nodes on your Tailscale network.
Check that you can ping your new relay node's Tailscale IP address from your personal Tailscale machine (Windows, macOS, etc.). You can find the Tailscale IP in the admin console, or by running sudo ip addr show tailscale0 on the relay node.
On the relay node, run echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward to enable it to forward packets to other machines.
- Depending on your Linux distribution, you can make this change permanent by adding a file to /etc/sysctl.d. For example, create
Depending on your Linux distribution, you might need to disable reverse path filtering, by running:
echo 0 | sudo tee /proc/sys/net/ipv4/conf/*/rp_filter
This will allow packets through to your subnet, but the packets will appear to come from Tailscale 100.x.x.x addresses, and your subnet machines will not know how to answer them. To solve this problem, we can set up IP masquerading on the relay node. This makes all the Tailscale sessions appear to originate from the relay's address on the local subnet. To activate IP masquerading, use a command like this:
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
Now that this is done, try pinging or accessing one of the machines on the subnet, from one of your other nodes.
As soon as the subnet routes are advertised, your other nodes (Windows, macOS, iOS) should be able to reach the new subnet right away.
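As an added example (not from the Tailscale docs), a small POSIX shell helper that ties the steps above together: it validates the route list (rejecting the unsupported 0.0.0.0/0 default route), prints the matching tailscale up command, and verifies the ip_forward, rp_filter and MASQUERADE settings on the relay node. The sysctl root argument is an assumption added so the checks can also run against a fixture directory.

```shell
#!/bin/sh
# Added example (not from the Tailscale docs): sanity checks for a subnet relay
# node built from the steps above. The sysctl root argument is an assumption so
# the checks can run against a fixture directory as well as the live /proc/sys.

# Accept a comma-separated IPv4 CIDR list; reject bad syntax, octets > 255 and
# the default route 0.0.0.0/0, which the page notes is not supported.
validate_routes() {
    [ -n "$1" ] || { echo "no routes given" >&2; return 1; }
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$r" != "0.0.0.0/0" ] || { echo "default route not supported" >&2; return 1; }
        printf '%s\n' "$r" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
            || { echo "invalid CIDR: $r" >&2; return 1; }
        for o in $(printf '%s' "${r%/*}" | tr '.' ' '); do
            [ "$o" -le 255 ] || { echo "invalid octet in $r" >&2; return 1; }
        done
    done
    return 0
}

# Print (do not run) the tailscale up command for a validated route list.
relay_up_cmd() {
    validate_routes "$1" || return 1
    printf 'sudo tailscale up -advertise-routes=%s\n' "$1"
}

# True if the sysctl file at $1 holds exactly the value $2.
sysctl_is() {
    [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]
}

# Verify the kernel settings from the steps: ip_forward=1 and rp_filter=0 on
# every interface. $1 is the sysctl root (default /proc/sys).
check_relay_sysctls() {
    root="${1:-/proc/sys}"; rc=0
    sysctl_is "$root/net/ipv4/ip_forward" 1 || { echo "ip_forward is not 1" >&2; rc=1; }
    for f in "$root"/net/ipv4/conf/*/rp_filter; do
        [ -e "$f" ] || continue
        sysctl_is "$f" 0 || { echo "$f is not 0" >&2; rc=1; }
    done
    return $rc
}

# True if a MASQUERADE rule is present in the nat POSTROUTING chain (needs root).
check_masquerade() {
    iptables -t nat -S POSTROUTING 2>/dev/null | grep -q -- '-j MASQUERADE'
}

# Example: check_relay_sysctls && check_masquerade && relay_up_cmd "10.0.0.0/24"
```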
Note: If you're using a Linux client machine, you need to run sudo tailscale up -accept-routes to tell it to accept subnet routes. The default on Linux is to use only the Tailscale 100.x addresses.