
Subnet routers

Subnet routers are available for all plans.

Tailscale works best when you install the Tailscale client on every device in your organization. This enforces end-to-end traffic encryption without additional configuration.

However, there are situations where you can't or don't want to install the Tailscale client on each device. For example, some devices, like printers, might not allow installing the Tailscale client. Additionally, installing the Tailscale client on every device might not make sense. This is true when connecting many devices, like an entire AWS VPC, or gradually deploying Tailscale to a legacy network.

In these cases, you can set up a subnet router (previously called a relay node) to access these devices from your Tailscale network (known as a tailnet). Subnet routers act as a gateway, relaying traffic from your tailnet to a physical subnet. They also respect features like access control policies.

Devices behind a subnet router do not count toward your pricing plan's device limit. However, where possible, installing Tailscale directly on a device is preferable: it offers better performance, better security, and a zero-configuration setup.

How subnet routers work

A subnet router connects subnets, which are parts of a larger network. In Tailscale, a subnet router is a device in your tailnet that you use as a gateway to advertise routes to other devices. This allows devices to connect to your tailnet without installing the Tailscale client.

Any device that uses the subnet router as a gateway is considered behind the subnet router. Subnet routers use SNAT by default. So, traffic from a device behind a subnet router appears to come from the router, not the device. You can preserve the original device’s IP address in the traffic packets by disabling SNAT.

Set up a subnet router

You can use almost any device that runs the Tailscale client as a subnet router. To configure a device to run as a subnet router, use the instructions below or refer to the quick start guide.

  1. Install the Tailscale client.
  2. Connect to Tailscale as a subnet router.
  3. Enable subnet routes from the admin console.
  4. Add access rules for advertised subnet routes.
  5. Verify your connection.
  6. Use your subnet routes from other devices.

Install the Tailscale client

Download and install Tailscale onto the device you plan to use as a subnet router.

Connect to Tailscale as a subnet router

After the installation completes, start (or restart) Tailscale as a subnet router:

To use a Linux device as a subnet router:

  1. Enable IP forwarding.
  2. Advertise subnet routes.

Enable IP forwarding

When enabling IP forwarding, ensure your firewall denies traffic forwarding by default. This is the default setting for standard firewalls like ufw and firewalld. Blocking traffic forwarding by default prevents unintended routing of traffic.

IP forwarding is required to use a Linux device as a subnet router. The process for enabling IP forwarding varies between Linux distributions. However, the following instructions work in most cases.

If your Linux system has a /etc/sysctl.d directory, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Otherwise, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

If your Linux node uses firewalld, you might need to allow masquerading due to a known issue. As a workaround, you can allow masquerading with this command:

firewall-cmd --permanent --add-masquerade

Advertise subnet routes

After you enable IP forwarding, run tailscale up with the --advertise-routes flag. It accepts a comma-separated list of subnet routes.

sudo tailscale up --advertise-routes=192.0.2.0/24,198.51.100.0/24

Replace the subnets in the example above with the ones for your network. All platforms support both IPv4 and IPv6 subnet routes except Apple TV, which supports only IPv4 subnets.

If the device is authenticated by a user who can advertise the specified route in autoApprovers, the subnet router's routes will automatically be approved. You can also advertise any subset of the routes allowed by autoApprovers in the tailnet policy file. If you'd like to expose default routes (0.0.0.0/0 and ::/0), consider using exit nodes instead.
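The two Linux steps above (enable IP forwarding, then advertise routes) each have a failure mode that is easy to miss until traffic silently goes nowhere or goes where it should not: a malformed or default route in --advertise-routes, forwarding still off, or a firewall whose FORWARD chain accepts everything. The following pre-flight script is an added example, not part of Tailscale's documentation or tooling. It validates the route list (rejecting 0.0.0.0/0 and ::/0, which belong to exit nodes instead), checks the ip_forward sysctl, and checks that the iptables FORWARD policy is DROP. The function names, the sample routes from this page, and the optional file argument to forwarding_enabled (so the check can be exercised on a sample file) are all assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks before `tailscale up --advertise-routes=...` on a Linux
# subnet router. Added example; not Tailscale's own code.

# is_ipv4_cidr A.B.C.D/N -> exit 0 when well-formed (octets 0-255, N 0-32).
is_ipv4_cidr() {
  addr=${1%/*}
  plen=${1#*/}
  [ "$addr" != "$1" ] || return 1                    # no prefix length given
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac      # prefix must be numeric
  [ "$plen" -le 32 ] || return 1
  case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac  # bad chars / empty octet
  old_ifs=$IFS; IFS=.
  set -- $addr                                       # split into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# is_ipv6_cidr ADDR/N -> exit 0 when hex/colon syntax looks sane and N 0-128.
is_ipv6_cidr() {
  addr=${1%/*}
  plen=${1#*/}
  [ "$addr" != "$1" ] || return 1
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 128 ] || return 1
  case "$addr" in
    *[!0-9A-Fa-f:]*) return 1 ;;   # only hex digits and colons allowed
    *:*:*) return 0 ;;             # at least two colons (loose syntax check)
    *) return 1 ;;
  esac
}

# validate_routes "R1,R2,..." -> 0 only if every route is a valid, non-default CIDR.
validate_routes() {
  old_ifs=$IFS; IFS=,
  set -- $1
  IFS=$old_ifs
  [ $# -gt 0 ] || { echo "no routes given" >&2; return 1; }
  rc=0
  for r in "$@"; do
    case "$r" in
      0.0.0.0/0|::/0)
        echo "refusing default route $r: use an exit node instead" >&2; rc=1 ;;
      *)
        if ! is_ipv4_cidr "$r" && ! is_ipv6_cidr "$r"; then
          echo "invalid route: $r" >&2; rc=1
        fi ;;
    esac
  done
  return $rc
}

# forwarding_enabled [FILE] -> 0 when the sysctl file contains "1".
# FILE defaults to the live kernel setting; a path is accepted for testing.
forwarding_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# forward_policy_is_drop: reads `iptables -S FORWARD` output on stdin and
# exits 0 only if the chain's default policy is DROP (deny by default).
forward_policy_is_drop() {
  grep -q '^-P FORWARD DROP$'
}

# preflight "ROUTES" -> 0 when it is safe to advertise the routes.
preflight() {
  ok=0
  validate_routes "$1" || ok=1
  if ! forwarding_enabled; then
    echo "IP forwarding is off; enable it with sysctl first" >&2; ok=1
  fi
  if ! iptables -S FORWARD 2>/dev/null | forward_policy_is_drop; then
    echo "FORWARD chain does not drop by default (or iptables unavailable)" >&2; ok=1
  fi
  return $ok
}

# Usage: sh preflight.sh 192.0.2.0/24,198.51.100.0/24 && \
#        sudo tailscale up --advertise-routes=192.0.2.0/24,198.51.100.0/24
if [ $# -gt 0 ]; then
  preflight "$1"
fi
```

Run it with the same comma-separated list you intend to pass to --advertise-routes; a non-zero exit means one of the three preconditions is not met and the reason has been printed to stderr. The firewall check only understands iptables output; on a firewalld or nftables-only host, inspect the forward policy with that tool instead.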

Enable subnet routes from the admin console

You can skip this step if you use autoApprovers.

  1. Open the Machines page of the admin console.
  2. Locate the Subnets badge in the devices list or use the property:subnet filter to list all devices advertising subnet routes.
  3. Select a device with the subnet property, then navigate to the Routing Settings section.
  4. Select Edit. This opens the Edit route settings.
  5. Under Subnet routes, select the routes to approve, then select Save.

You can disable key expiry on your server to avoid having to periodically reauthenticate. If you use tags, key expiry is disabled by default.

Add access rules for the advertised subnet routes

You can skip this step if you already have rules that allow access to your advertised subnet routes.

  1. Open the Access Controls page of the admin console to update your tailnet policy file.
  2. Create an access rule that allows access to the advertised subnet.

The following example tailnet policy ensures that members of group:dev can access devices in the subnets 192.0.2.0/24 and 198.51.100.0/24, and, if subnet route masquerading (SNAT) is disabled, that the two subnets can access each other.

{
  "groups": {
    "group:dev": ["alice@example.com", "bob@example.com"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:dev","192.0.2.0/24", "198.51.100.0/24"],
      "dst": ["192.0.2.0/24:*", "198.51.100.0/24:*"]
    }
  ]
}

Verify your connection

Check that you can ping the Tailscale IP address of your new subnet router from a tailnet device (such as a Linux, macOS, or Windows device). You can find the Tailscale IP in the admin console or by running the following command on the subnet router.

tailscale ip -4

Use your subnet routes from other devices

Android, iOS, macOS, tvOS, and Windows automatically pick up your new subnet routes.

By default, Linux devices only discover Tailscale IP addresses. To enable automatic discovery of new subnet routes on Linux devices, use the --accept-routes flag when you start Tailscale:

sudo tailscale up --accept-routes

Update subnet routes

To update subnet routes:

  1. Connect to Tailscale as a subnet router.
  2. Enable subnet routes from the admin console.
  3. Add access rules for advertised subnet routes.
  4. Verify your connection.
  5. Use your subnet routes from other devices.

You can exclude any routes to prevent the subnet router from advertising them.

Use advanced subnet routing

After you set up a subnet router, you might consider:

Route DNS lookups to an internal DNS server

You can add Tailscale IP addresses to public DNS records because Tailscale IP addresses are only accessible to authenticated users of your network. You can use an internal DNS server on your subnet by configuring split DNS in the DNS page of the admin console.

Set up high availability

You can set up high availability to ensure your network is connectable even if one subnet router goes offline. For more information, refer to our article on high availability failover.

Disable SNAT

By default, when you advertise subnet routes, Tailscale uses source network address translation (SNAT) (also called masquerading). You can disable SNAT by using the --snat-subnet-routes=false flag with the tailscale up command. Disabling SNAT preserves the source IP addresses of the hosts behind the subnet router.

tailscale up --snat-subnet-routes=false

The --snat-subnet-routes flag only works with Linux subnet routers.

Last updated Nov 4, 2024