Subnet routes and relay nodes
The simplest way to install Tailscale is to run a copy on every client and server machine or VM in your organization. That way, traffic is end-to-end encrypted, and you can migrate machines between physical locations without changing their IP addresses or causing disruption.
However, in many cases, you’ll have a subnet full of machines that you don’t yet want to, or cannot, install Tailscale on directly. In those cases, you can set up a Tailscale “relay node” to advertise the entire subnet at once. The relay node routes all traffic from the Tailscale network onto your physical subnet. This allows for easier incremental deployment, or deployment onto legacy networks.
To activate a subnet relay node on a fresh Linux machine, follow these steps:
Step 1: Install the Tailscale client
Download and install Tailscale onto your relay node machine. We offer instructions for a variety of Linux distros.
Step 2: Connect to Tailscale as a relay node
Once installed, you can start (or restart) Tailscale as a relay node with a command like:
sudo tailscale up --advertise-routes=10.0.0.0/24,10.0.1.0/24
You’ll want to replace the subnets with the right ones for your use case. Default routes, 0.0.0.0/0, are not currently supported.
Step 3: Authorize the machine in the admin console
Visit the admin console, navigate to the machines page, locate your relay node, and, using the icon at the end of its table row, perform the following actions:
- “Disable key expiry” for this machine so that you don’t need to reauthenticate the server periodically.
- “Enable subnet routes” on the machine, so that Tailscale distributes the subnet routes to the rest of the nodes on your Tailscale network.
Step 4: Verify your connection
Check that you can ping your new relay node’s Tailscale IP address from your personal Tailscale machine (Windows, macOS, etc.). You can find the Tailscale IP in the admin console, or by running this command on the relay node:
sudo ip addr show tailscale0
Step 5: Enable packet forwarding
On the relay node, run this command to enable packet forwarding to other machines:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Depending on your Linux distribution, you can make this change permanent by adding a file to /etc/sysctl.d. For example, create
Depending on your Linux distribution, you may also need to disable reverse path filtering for the tailscale0 interface by running:
echo 0 | sudo tee /proc/sys/net/ipv4/conf/tailscale0/rp_filter
Step 6: Enable packet masquerading
Packet forwarding alone will allow packets through to your subnet, but the packets will appear to come from Tailscale’s 100.x.y.z addresses, and your subnet machines will not know how to answer them. To solve this problem, we can set up IP masquerading on the relay node. This makes all the Tailscale sessions appear to originate from the relay’s address on the local subnet.
To activate IP masquerading, use a command like this:
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
Now that this is done, try pinging or accessing one of the machines on the subnet from one of your other nodes. As soon as the subnet routes are advertised, your other nodes (Windows, macOS, iOS) should be able to reach the new subnet right away.
If you’re using a Linux client machine, you need to run
sudo tailscale up --accept-routes
to tell it to accept subnet routes. The default on Linux is to use only the Tailscale 100.x addresses.
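Before running the Step 2 command, it helps to check the subnet list you are about to advertise. The following script is an added example, not part of Tailscale’s documentation or tooling: it rejects malformed IPv4 CIDRs, the default route 0.0.0.0/0 (unsupported, as noted above) and any subnet inside 100.64.0.0/10, the range from which Tailscale assigns its own 100.x.y.z node addresses, then prints the tailscale up command to run. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Tailscale's own code): sanity-check the subnet list for
# `tailscale up --advertise-routes=...` before running it on the relay node.

# Return 0 if $1 is a decimal integer in the range $2..$3.
in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Return 0 if $1 is a syntactically valid IPv4 CIDR such as 10.0.0.0/24.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; prefix="${1#*/}"
  in_range "$prefix" 0 32 || return 1
  # Split the address on dots: exactly four octets, each 0..255.
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do in_range "$o" 0 255 || return 1; done
}

# Return 0 if the network address of $1 lies inside 100.64.0.0/10
# (100.64.0.0 - 100.127.255.255), the range Tailscale uses for node addresses.
in_cgnat() {
  ip="${1%/*}"
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Validate a comma-separated route list. Prints the first problem and returns 1,
# or prints the tailscale command to run and returns 0.
check_routes() {
  list="$1"
  oldifs="$IFS"; IFS=,; set -- $list; IFS="$oldifs"
  [ "$#" -ge 1 ] || { echo "no routes given"; return 1; }
  for r in "$@"; do
    if [ "$r" = "0.0.0.0/0" ]; then echo "default route not supported: $r"; return 1; fi
    if ! valid_cidr "$r"; then echo "invalid CIDR: $r"; return 1; fi
    if in_cgnat "$r"; then echo "overlaps Tailscale's 100.64.0.0/10: $r"; return 1; fi
  done
  echo "sudo tailscale up --advertise-routes=$list"
}

# Usage: ./check_routes.sh 10.0.0.0/24,10.0.1.0/24
if [ "$#" -gt 0 ]; then check_routes "$1"; fi
```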
Optional: Route DNS lookups to an internal DNS server
You may add Tailscale IPs to public DNS records, since Tailscale IPs are only accessible to authenticated users of your network. However, if you’d prefer to use an internal DNS server on your subnet, you can do so by configuring nodes to use your DNS server on the
For example, on newer versions of Ubuntu, you may use systemd-resolved to route dev.example.private DNS lookups to your DNS server at 10.1.1.1 like so:
sudo resolvectl dns tailscale0 10.1.1.1
sudo resolvectl domain tailscale0 example.private dev.example.private
sudo resolvectl default-route tailscale0 no
These instructions will vary from distro to distro and platform to platform.