Subnet routes and relay nodes

The simplest way to install Tailscale is to run a copy on every client and server machine or VM in your organization. That way, traffic is end-to-end encrypted, and you can migrate machines between physical locations without changing their IP addresses or causing disruption.

However, in many cases, you’ll have a subnet full of machines that you don’t yet want to, or cannot, install Tailscale on directly. In those cases, you can set up a Tailscale “relay node” to advertise the entire subnet at once. The relay node routes all traffic from the Tailscale network onto your physical subnet. This allows for easier incremental deployment, or deployment onto legacy networks.

In particular, you can deploy to an AWS VPC to share the entire VPC with your team. You can then restrict access to particular users or devices by using Tailscale Access Control Lists (ACLs).

To activate a subnet relay node on a fresh Linux machine, follow these steps:

Step 1: Install the Tailscale client

Download and install Tailscale onto your relay node machine. We offer instructions for a variety of Linux distros.

Step 2: Connect to Tailscale as a relay node

Once installed, you can start (or restart) Tailscale as a relay node:

sudo tailscale up --advertise-routes=,


Replace the subnets in the example above with the right ones for your network. Default routes,, are not currently supported.

This feature requires IP forwarding to be enabled. If you get an error about /proc/sys/net/ipv4/ip_forward, you can enable IP forwarding by editing /etc/sysctl.conf:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

Step 3: Authorize the machine in the admin console

Visit the admin console, navigate to the machines page, locate your relay node and using the ellipsis icon icon at the end of the table, perform the following actions:

  1. Disable key expiry” for this machine so that you don’t need to reauthenticate the server periodically.
  2. “Enable subnet routes” on the machine, so that Tailscale distributes the subnet routes to the rest of the nodes on your Tailscale network.

Step 4: Verify your connection

Check that you can ping your new relay node’s Tailscale IP address from your personal Tailscale machine (Windows, macOS, etc). You can find the Tailscale IP in the admin console, or by running this command on the relay node.

sudo ip addr show tailscale0

Step 5: Use your subnet routes from other machines

For Windows, macOS, iOS, and Android, clients will automatically pick up your new subnet routes.

For Linux clients, only those using --accept-routes flag will discover the new routes, since the default is to use only the Tailscale 100.x addresses. Enable this by running:

sudo tailscale up --accept-routes

Optional: Route DNS lookups to an internal DNS server

You may add Tailscale IPs to public DNS records, since Tailscale IPs are only accessible to authenticated users of your network. However, if you’d prefer to use an internal DNS server on your subnet, you can do so by configuring nodes to use your DNS server on the tailscale0 interface.

For example, on newer versions of Ubuntu, you may use systemd-resolved to route example.private and dev.example.private DNS lookups to your DNS server at like so:

sudo resolvectl dns tailscale0
sudo resolvectl domain tailscale0 example.private dev.example.private
sudo resolvectl default-route tailscale0 no

These instructions will vary from distro to distro and platform to platform.

Last updated