Exit Nodes (route all traffic)
The exit node feature lets you route all non-Tailscale internet traffic through a specific device on your network. The device routing your traffic is called an “exit node.”
By default, Tailscale acts as an overlay network: it only routes traffic between devices running Tailscale, but doesn’t touch your public internet traffic, such as when you visit Google or Twitter. This is ideal for most people, who need secure communication between sensitive devices (company servers, home computers), but don’t need extra layers of encryption or latency for their public internet connection.
However, there may be times when you do want Tailscale to route your public internet traffic: in a cafe with untrusted Wi-Fi, or when traveling overseas and needing access to an online service (such as banking) only available in your home country.
By setting a device on your network as an exit node, you can use it to route all your public internet traffic as needed, like a consumer VPN.
If you’ve ever used default routes (0.0.0.0/0, ::/0) with other VPNs or native WireGuard®, exit nodes are Tailscale’s equivalent. Exit nodes use default routes under the hood.
Configuring an exit node
Let’s walk through how to configure an exit node for your network. For security purposes, every device must explicitly opt in to using the exit node:
- A device must advertise that it’s willing to be an exit node.
- Network admins must allow it to be an exit node for the network.
- And then other devices on your network can use that exit node as they’d like.
Before you begin this guide, you’ll need a Tailscale network set up and configured with at least two devices. Read our getting started guide if you need help with this.
Ensure both the exit node and devices using the exit node are running Tailscale v1.6 or greater.
Step 1: Advertise a device as an exit node
From the device you’d like to use as an exit node, re-run tailscale up with the --advertise-exit-node flag, along with any other flags you normally use:
sudo tailscale up --advertise-exit-node
Step 2: Allow the exit node from the admin console
An admin in your network must now allow this device to be used as an exit node.
Open the machines page in the admin console, and locate the exit node device. You can look for the “exit node” badge in the machines list, or use the is:exit-node filter in the search bar to see all devices claiming to be exit nodes.
Once you’ve found the machine, from the menu, open the “Review route settings…” panel, and enable the “Use as exit node” option.
Step 3: Use the exit node
You can now use the exit node from devices in your network. Each device must enable the exit node separately.
Instructions differ depending on the OS:
For Linux, re-run tailscale up with the --exit-node= flag, passing the Tailscale 100.x.y.z IP address of the exit node.
sudo tailscale up --exit-node=<exit-node-ip>
You can find the IP address for the device from the admin console, or by running
For macOS, you can use an exit node from the menu bar. Open the Tailscale menu and navigate to “Use exit node.” From here you can select the exit node device you’d like to use by its machine name.
For Windows, you can use an exit node from the system tray menu. Click on the Tailscale icon and navigate to “Use exit node.” From here you can select the exit node device you’d like to use by its machine name.
For iOS and Android, you can use an exit node from the menu in the top-right of the screen.
From this menu, select “Use exit node” and then choose the exit node you’d like to use. You can also select “None” to disable use of an exit node.
Step 4: Done!
You can verify that your traffic is routed by another device by checking your public IP address using online tools. You should see the exit node’s public IP rather than your local device’s IP.
You can disable routing through the exit node at any time by selecting “None” from the same menu used in step 3.
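Because exit nodes are default routes under the hood, an admin can audit the state left by steps 1 and 2 by comparing each device's advertised routes with the routes enabled for it. The sketch below is an added example, not Tailscale's own code; the record shape (advertisedRoutes / enabledRoutes) is an assumption modelled on the Tailscale API's per-device routes data, and the device names and state labels are constructed.

```python
import ipaddress

# The two default routes this page names as the basis of an exit node.
DEFAULT_ROUTES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def _defaults(routes):
    """Return the default routes present in a list of CIDR strings."""
    found = set()
    for cidr in routes or []:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # skip malformed entries rather than guessing
        if net in DEFAULT_ROUTES:
            found.add(net)
    return found


def exit_node_state(record):
    """Classify one device from its advertised and admin-enabled routes."""
    advertised = _defaults(record.get("advertisedRoutes"))
    enabled = _defaults(record.get("enabledRoutes"))
    if not advertised and not enabled:
        return "not-exit-node"           # subnet routes alone do not count
    if enabled - advertised:
        return "enabled-not-advertised"  # approval remains, device stopped advertising
    if not enabled:
        return "pending-approval"        # step 1 done, step 2 not done
    if enabled != DEFAULT_ROUTES:
        return "partial"                 # only one address family enabled
    return "approved"


def audit(devices):
    """Map each device name to its exit-node state."""
    return {name: exit_node_state(rec) for name, rec in devices.items()}


# Constructed sample records (hypothetical device names).
BOTH = ["0.0.0.0/0", "::/0"]
SAMPLE = {
    "home-server": {"advertisedRoutes": BOTH, "enabledRoutes": BOTH},
    "new-laptop": {"advertisedRoutes": BOTH, "enabledRoutes": []},
    "subnet-router": {"advertisedRoutes": ["10.0.0.0/24"], "enabledRoutes": ["10.0.0.0/24"]},
    "old-vps": {"advertisedRoutes": [], "enabledRoutes": BOTH},
}

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```

Devices reported as pending-approval or enabled-not-advertised are the ones worth reviewing in the admin console, since they are either waiting on step 2 or hold an approval that no longer matches what the device offers.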