Subnet routers and traffic relay nodes
Tailscale works best when the client app is installed directly on every client, server, and VM in your organization. That way, traffic is end-to-end encrypted, and no configuration is needed to move machines between physical locations.
However, in some situations, you can’t or don’t want to install Tailscale on each device:
- With embedded devices, like printers, which don’t run external software
- When connecting large quantities of devices, like an entire AWS VPC
- When incrementally deploying Tailscale (eg. on legacy networks)
In these cases, you can set up a “subnet router” (previously called a relay node or relaynode) to access these devices from Tailscale. Subnet routers act as a gateway, relaying traffic from your Tailscale network onto your physical subnet. Subnet routers respect features like access control policies, which make it easy to migrate a large network to Tailscale without installing the app on every device.
Devices behind a subnet router do not count toward your pricing plan’s device limit. However, we encourage you to install Tailscale directly on devices wherever possible, for better performance, security, and a zero-configuration setup.
Setting up a subnet router
To activate a subnet router on a fresh Linux machine, follow these steps:
Step 1: Install the Tailscale client
Download and install Tailscale onto your subnet router machine. We offer instructions for a variety of Linux distros.
Step 2: Connect to Tailscale as a subnet router
Once installed, you can start (or restart) Tailscale as a subnet router:
sudo tailscale up --advertise-routes=10.0.0.0/24,10.0.1.0/24
Replace the subnets in the example above with the right ones for your network. Both IPv4 and IPv6 subnets are supported.
If you’d like to expose default routes (0.0.0.0/0 and ::/0), consider using exit nodes instead.
Step 3: Enable subnet routes from the admin console
Visit the admin console, navigate to the machines page, locate your subnet router and using the icon at the end of the table, select “Review subnet routes…” This will open up the Subnet settings.
Click “Enable” on your routes so that Tailscale distributes the subnet routes to the rest of the nodes on your Tailscale network.
Step 4: Verify your connection
Check that you can ping your new subnet routers’s Tailscale IP address from your personal Tailscale machine (Windows, macOS, etc). You can find the Tailscale IP in the admin console, or by running this command on the subnet router.
tailscale ip -4
Step 5: Use your subnet routes from other machines
Clients on Windows, macOS, iOS, and Android will automatically pick up your new subnet routes.
For Linux clients, only those using
--accept-routes flag will discover the
new routes, since the default is to use only the Tailscale 100.x addresses.
Enable this by running:
sudo tailscale up --accept-routes
Updating subnet routes
To later update subnet routes, follow steps 2 to 5 with the new routes.
During step 3 from the admin console, previously enabled routes that you
no longer included in step 2 will now show up with a
Not advertised status. You
can choose to remove the routes completely, or keep them enabled if you plan to
re-advertise them in the future.
Optional: Route DNS lookups to an internal DNS server
You may add Tailscale IPs to public DNS records, since Tailscale IPs are
only accessible to authenticated users of your network. However, if you’d prefer
to use an internal DNS server on your subnet, you can do so by configuring nodes
to use your DNS server on the
For example, on newer versions of Ubuntu, you may use systemd-resolved to route
dev.example.private DNS lookups to your DNS server at
10.1.1.1 like so:
sudo resolvectl dns tailscale0 10.1.1.1 sudo resolvectl domain tailscale0 example.private dev.example.private sudo resolvectl default-route tailscale0 no
These instructions will vary from distro to distro and platform to platform.
Optional: Set up subnet router failover
On some pricing plans, you may be eligible to set up subnet router failover (also called high-availability subnet routers), to ensure your network is connectable even if one router goes offline. For more information, see our article on subnet router failover.