Subnet routers and traffic relay nodes

Tailscale works best when you install Tailscale on every client, server, or VM in your organization. That way, traffic is end-to-end encrypted, and no configuration is needed to move machines between physical locations.

However, you may have machines you don’t want to, or cannot, install Tailscale on directly. In those cases, you can set up a Tailscale “subnet router” (previously called a relay node or relaynode) to advertise whole subnets at once. Subnet routers relay all traffic from the Tailscale network onto your physical subnet. This makes it easy to incrementally deploy Tailscale, even on legacy networks, without installing Tailscale on every individual device.

Figure: A diagram showing how subnet routers relay traffic between a subnet (e.g. your local network) and Tailscale, connecting devices that can't install Tailscale.

For example, you can set up a subnet router to share an entire AWS VPC with your team, including uncontrolled devices, like RDS servers. You can then set access controls for the VPC by using Access Control Lists (ACLs).

Currently, we only support Linux devices as subnet routers. We plan to support this feature on Windows and macOS in the future.

To activate a subnet router on a fresh Linux machine, follow these steps:

Step 1: Install the Tailscale client

Download and install Tailscale onto your subnet router machine. We offer instructions for a variety of Linux distros.

Step 2: Connect to Tailscale as a subnet router

Once installed, you can start (or restart) Tailscale as a subnet router:

sudo tailscale up --advertise-routes=10.0.0.0/24,10.0.1.0/24

Replace the subnets in the example above with the right ones for your network. Both IPv4 and IPv6 subnets are supported.

If you’d like to expose default routes (0.0.0.0/0 and ::/0), consider using exit nodes instead.

This feature requires IP forwarding to be enabled. If you get an error about IP forwarding, learn how to fix it.

Step 3: Enable subnet routes from the admin panel

Visit the admin panel, navigate to the machines page, locate your subnet router and, using the ellipsis icon at the end of its table row, select “Review subnet routes…”. This opens the Subnet settings.

Click “Enable” on your routes so that Tailscale distributes the subnet routes to the rest of the nodes on your Tailscale network.

Figure: The subnet settings modal

You may prefer to disable key expiry on your server to avoid having to periodically reauthenticate. See key expiry for more information about machine keys and how to disable their expiry.

Step 4: Verify your connection

Check that you can ping your new subnet router’s Tailscale IP address from your personal Tailscale machine (Windows, macOS, etc.). You can find the Tailscale IP in the admin panel, or by running this command on the subnet router:

sudo ip addr show tailscale0

Step 5: Use your subnet routes from other machines

Clients on Windows, macOS, iOS, and Android will automatically pick up your new subnet routes.

For Linux clients, only those started with the --accept-routes flag will pick up the new routes, since the default is to use only the Tailscale 100.x addresses. Enable this by running:

sudo tailscale up --accept-routes
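As an added example (not Tailscale's own tooling or documentation), the following POSIX shell script runs the pre-flight checks a subnet router operator would want before step 2: it validates the route list (CIDRs only, and no default routes, which belong on an exit node), then confirms the kernel forwarding sysctls the router needs are on. The sysctl paths used are the standard Linux ones (net.ipv4.ip_forward and net.ipv6.conf.all.forwarding); the script name preflight.sh is an assumption.

```shell
#!/bin/sh
# Added example, not Tailscale's own tooling: pre-flight checks for a Linux
# subnet router before `sudo tailscale up --advertise-routes=<ROUTES>`.
# Assumes forwarding state is readable under /proc/sys (overridable for tests).

# validate_routes ROUTES: comma-separated CIDR list. Prints the families the
# routes need ("ipv4", "ipv6" or "ipv4 ipv6"). Returns 1 for a malformed or
# empty list, 2 for a default route (0.0.0.0/0, ::/0), which belongs on an exit node.
validate_routes() {
  v4=""; v6=""
  for r in $(printf '%s' "$1" | tr ',' ' '); do
    case "$r" in 0.0.0.0/0|::/0) return 2 ;; */*) ;; *) return 1 ;; esac
    addr=${r%/*}; plen=${r#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    case "$addr" in
      *:*) [ "$plen" -le 128 ] || return 1; v6=1 ;;   # IPv6: bound prefix only
      *..*|.*|*.) return 1 ;;                           # empty IPv4 octet
      *) [ "$plen" -le 32 ] || return 1; n=0           # IPv4: 4 octets, 0..255
         for o in $(printf '%s' "$addr" | tr '.' ' '); do
           case "$o" in ''|*[!0-9]*) return 1 ;; esac
           [ "$o" -le 255 ] || return 1; n=$((n + 1))
         done
         [ "$n" -eq 4 ] || return 1; v4=1 ;;
    esac
  done
  [ -n "$v4$v6" ] || return 1; out="${v4:+ipv4}"; [ -n "$v6" ] && out="${out:+$out }ipv6"
  printf '%s\n' "$out"
}

# forwarding_enabled FAMILY [FILE]: the sysctl a subnet router needs for that
# family (net.ipv4.ip_forward, net.ipv6.conf.all.forwarding) must read 1.
forwarding_enabled() {
  case "$1" in
    ipv4) f=${2:-/proc/sys/net/ipv4/ip_forward} ;;
    ipv6) f=${2:-/proc/sys/net/ipv6/conf/all/forwarding} ;;
    *) return 1 ;;
  esac
  if [ "$(cat "$f" 2>/dev/null)" = "1" ]; then return 0; else return 1; fi
}

# preflight ROUTES: run both checks, then print the command to run.
preflight() {
  fams=$(validate_routes "$1") || { rc=$?; echo "route check failed (rc=$rc; 2 = default route, use an exit node)" >&2; return 1; }
  for fam in $fams; do
    forwarding_enabled "$fam" || { echo "$fam forwarding is off; enable it before advertising" >&2; return 1; }
  done
  echo "sudo tailscale up --advertise-routes=$1"
}
[ -n "${1:-}" ] && preflight "$1"   # usage: sh preflight.sh 10.0.0.0/24,10.0.1.0/24
```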

Updating subnet routes

To later update subnet routes, follow steps 2 to 5 with the new routes.

During step 3 from the admin panel, previously enabled routes that you no longer included in step 2 will now show up with a Not advertised status. You can choose to remove the routes completely, or keep them enabled if you plan to re-advertise them in the future.

Figure: The subnet settings modal, showing a route with Not advertised status

Optional: Route DNS lookups to an internal DNS server

You may add Tailscale IPs to public DNS records, since Tailscale IPs are only accessible to authenticated users of your network. However, if you’d prefer to use an internal DNS server on your subnet, you can do so by configuring nodes to use your DNS server on the tailscale0 interface.

For example, on newer versions of Ubuntu, you may use systemd-resolved to route example.private and dev.example.private DNS lookups to your DNS server at 10.1.1.1 like so:

sudo resolvectl dns tailscale0 10.1.1.1
sudo resolvectl domain tailscale0 example.private dev.example.private
sudo resolvectl default-route tailscale0 no

These instructions will vary from distro to distro and platform to platform.

Optional: Set up subnet router failover

On some pricing plans, you may be eligible to set up subnet router failover (also called high-availability subnet routers), to ensure your network is connectable even if one router goes offline. For more information, see our article on subnet router failover.