
Subnet routers and traffic relay nodes

Tailscale works best when the client app is installed directly on every client, server, and VM in your organization. That way, traffic is end-to-end encrypted, and no configuration is needed to move machines between physical locations.

However, in some situations, you can't or don't want to install Tailscale on each device:

  • With embedded devices, like printers, which don't run external software
  • When connecting large quantities of devices, like an entire AWS VPC
  • When incrementally deploying Tailscale (e.g., on legacy networks)

In these cases, you can set up a "subnet router" (previously called a relay node or relaynode) to access these devices from Tailscale. Subnet routers act as a gateway, relaying traffic from your Tailscale network onto your physical subnet. Subnet routers respect features like access control policies, which make it easy to migrate a large network to Tailscale without installing the app on every device.

A diagram showing how subnet routers relay traffic between a subnet (eg. your local network) and Tailscale, connecting devices that can't install Tailscale.

Devices behind a subnet router do not count toward your pricing plan's device limit. However, we encourage you to install Tailscale directly on devices wherever possible, for better performance, security, and a zero-configuration setup.

Subnet routers are available for all plans.

Setting up a subnet router

To activate a subnet router on a Linux, macOS, tvOS, or Windows machine, follow these steps:

Step 1: Install the Tailscale client

Download and install Tailscale onto your subnet router machine. We offer instructions for a variety of Linux distros.

Step 2: Connect to Tailscale as a subnet router

Once installed, you can start (or restart) Tailscale as a subnet router:

This feature requires IP forwarding to be enabled.

Enable IP forwarding

If your Linux system has a /etc/sysctl.d directory, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Otherwise, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

If your Linux node uses firewalld, you may need to also allow masquerading due to a known issue. As a workaround, you can allow masquerading with this command:

firewall-cmd --permanent --add-masquerade

Other distros may require different steps.

When enabling IP forwarding, ensure your firewall is set up to deny traffic forwarding by default. This is a default setting for common firewalls like ufw and firewalld, and ensures your device doesn't route traffic you don't intend.
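One way to check both preconditions above before advertising routes (an added example, not part of the Tailscale documentation): the script reads a persisted sysctl file and a ufw defaults file, then reports whether forwarding is on and whether the default forward policy is DROP or REJECT. The function names and sample files are constructed for illustration, and it covers ufw only, not firewalld.

```shell
#!/bin/sh
# Added example: audit a subnet router's persisted forwarding and firewall settings.

# sysctl_value FILE KEY: print the last value assigned to KEY (later lines win).
sysctl_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) last = v
        }
        END { print last }' "$1"
}

# forwarding_enabled FILE: succeed only if IPv4 and IPv6 forwarding are both 1.
forwarding_enabled() {
    [ "$(sysctl_value "$1" net.ipv4.ip_forward)" = "1" ] &&
        [ "$(sysctl_value "$1" net.ipv6.conf.all.forwarding)" = "1" ]
}

# ufw_forward_policy FILE: print DEFAULT_FORWARD_POLICY from an /etc/default/ufw style file.
ufw_forward_policy() {
    grep -E '^[[:space:]]*DEFAULT_FORWARD_POLICY=' "$1" | tail -n 1 |
        cut -d= -f2 | tr -d "\"' \t" | tr '[:lower:]' '[:upper:]'
}

# audit_router SYSCTL_FILE UFW_FILE: print a verdict; non-zero status on any finding.
audit_router() {
    forwarding_enabled "$1" || { echo "forwarding-off"; return 1; }
    case "$(ufw_forward_policy "$2")" in
        DROP|REJECT) echo "ok" ;;
        *) echo "forward-policy-open"; return 2 ;;
    esac
}

# Constructed sample files (not from a real host): forwarding on, firewall forwards by default.
demo=$(mktemp -d)
printf '%s\n' '# tailscale' 'net.ipv4.ip_forward = 1' \
    'net.ipv6.conf.all.forwarding = 1' > "$demo/sysctl.conf"
printf '%s\n' 'DEFAULT_FORWARD_POLICY="ACCEPT"' > "$demo/ufw"
audit_router "$demo/sysctl.conf" "$demo/ufw" || echo "review before advertising routes"
rm -rf "$demo"
```

On the router, point audit_router at /etc/sysctl.d/99-tailscale.conf (or /etc/sysctl.conf) and /etc/default/ufw. These files show persisted settings only, so a value changed at runtime without being written to disk will not appear.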

sudo tailscale up --advertise-routes=<subnet-1>,<subnet-2>

Replace the subnets in the example above with the right ones for your network. Both IPv4 and IPv6 subnets are supported.

If the device is authenticated by a user who can advertise the specified route in autoApprovers, then the subnet router's routes will automatically be approved. You can also advertise any subset of the routes allowed by autoApprovers in the tailnet policy file.

If you'd like to expose default routes (0.0.0.0/0 and ::/0), consider using exit nodes instead.

Step 3: Enable subnet routes from the admin console

This step is not required if using autoApprovers.

Open the Machines page of the admin console, and locate the device that advertised subnet routes. You can look for the Subnets badge in the machines list, or use the property:subnet filter to see all devices advertising subnet routes. Using the ellipsis icon menu at the end of the table, select Edit route settings. This will open up the Edit route settings panel.

Click Approve all on your routes so that Tailscale distributes the subnet routes to the rest of the nodes on your Tailscale network. Alternatively, you can approve each route individually by clicking the toggle to the left of the route.

The subnet settings modal

You may prefer to disable key expiry on your server to avoid having to periodically reauthenticate. See key expiry for more information about machine keys and how to disable their expiry. If you are using ACL tags, key expiry is disabled by default.

Step 4: Add access rules for the advertised subnet routes

This step is not required if you already have rules that allow access to your advertised subnet routes.

Open the Access Controls page of the admin console to update your tailnet policy file, and create an access rule that allows access to the advertised subnet.

What this access rule does:

  • Members of the development team group:dev can access devices in the subnets and
  • The subnet can access the subnet and vice versa, if subnet route masquerading is disabled.

{
  "groups": {
    "group:dev": ["<user-1>", "<user-2>"]
  },
  "acls": [
    // Users in group:dev and devices in subnets <subnet-1> and <subnet-2>
    // can access devices in subnets <subnet-1> and <subnet-2>
    { "action": "accept",
      "src": ["group:dev", "<subnet-1>", "<subnet-2>"],
      "dst": ["<subnet-1>:*", "<subnet-2>:*"]
    }
  ]
}
Click Save on your tailnet policy file so the Tailscale coordination server distributes the updated policy to the nodes in your tailnet.

Step 5: Verify your connection

Check that you can ping your new subnet router's Tailscale IP address from your personal Tailscale machine (for example, one running Linux, macOS, or Windows). You can find the Tailscale IP in the admin console, or by running this command on the subnet router:

tailscale ip -4

Step 6: Use your subnet routes from other machines

Clients on Android, iOS, macOS, tvOS, and Windows will automatically pick up your new subnet routes.

For Linux clients, only those using the --accept-routes flag will discover the new routes, since the default is to use only the Tailscale 100.x addresses. Enable this by running:

sudo tailscale up --accept-routes

Updating subnet routes

To later update subnet routes, follow steps 2 to 5 with the new routes.

During step 3 from the admin console, previously enabled routes that you no longer included in step 2 will no longer appear as advertised, noted by the icon to the right of the route. You can choose to remove the routes completely, or keep them enabled if you plan to re-advertise them in the future.


Optional: Route DNS lookups to an internal DNS server

You may add Tailscale IPs to public DNS records, since Tailscale IPs are only accessible to authenticated users of your network. However, if you'd prefer to use an internal DNS server on your subnet, you can do so by configuring split DNS in the DNS page of the admin console.

Optional: Set up high availability

You can set up high availability to ensure your network is connectable even if one subnet router goes offline. For more information, see our article on high availability failover.