Docs / Admin

Exit Nodes (route all traffic)

Exit nodes capture all your network traffic, which is often not what you want. To configure Tailscale to only route certain subnets (the more common configuration), read about subnet routers instead.

The exit node feature lets you route all non-Tailscale internet traffic through a specific device on your network. The device routing your traffic is called an “exit node."

By default, Tailscale acts as an overlay network: it only routes traffic between devices running Tailscale, but doesn’t touch your public internet traffic, such as when you visit Google or Twitter. This is ideal for most people, who need secure communication between sensitive devices (company servers, home computers), but don’t need extra layers of encryption or latency for their public internet connection.

A diagram showing four devices in a Tailscale overlay network. A laptop is making a direct connection to google.com.

However, there may be times when you do want Tailscale to route your public internet traffic: in a cafe with untrusted Wi-Fi, or when traveling overseas and needing access to an online service (such as banking) only available in your home country.

A diagram showing four devices in a Tailscale overlay network where one is highlighted in blue and designated as an exit node. The laptop makes its connection to google.com through the Desktop device designated as an exit node.

By setting a device on your network as an exit node, you can use it to route all your public internet traffic as needed, like a consumer VPN.

If you’ve ever used default routes (0.0.0.0/0, ::/0) with other VPNs or native WireGuard®, exit nodes are Tailscale’s equivalent. Exit nodes use default routes under the hood.

Configuring an exit node

Let’s walk through how to configure an exit node for your network. For security purposes, every device must explicitly opt in to using the exit node:

  1. A device must advertise that it’s willing to be an exit node.
  2. Network admins must allow it to be an exit node for the network.
  3. And then other devices on your network can use that exit node as they’d like.

Prerequisites

Before you begin this guide, you’ll need a Tailscale network set up and configured with at least two devices. Read our getting started guide if you need help with this.

Ensure both the exit node and devices using the exit node are running Tailscale v1.6 or greater.

Ensure your exit node is a Linux device. Currently, only Linux devices may act as exit nodes. We plan to allow Windows and macOS devices to advertise as exit nodes in the future.

Step 1: Advertise a device as an exit node

From the device you’d like to use as an exit node, re-run tailscale up with the --advertise-exit-node flag, along with any other flags you normally use:

sudo tailscale up --advertise-exit-node
This feature requires IP forwarding to be enabled. If you get an error about IP forwarding, learn how to fix it.

Step 2: Allow the exit node from the admin console

An admin in your network must now allow this device to be used as an exit node.

Open the machines page in the admin console, and locate the exit node device. You can look for the “exit node” badge in the machines list, or use the is:exit-node filter in the search bar to see all devices claiming to be exit nodes.

The route settings panel in the admin console. Near the bottom is a section titled 'exit node' with a single toggle.

Look for the ‘exit node’ badge to see devices advertising as exit nodes.

Once you’ve found the machine, from the ellipsis icon menu, open the “Review route settings…” panel, and enable the “Use as exit node” option.

The route settings panel in the admin console. Near the bottom is a section titled 'exit node' with a single toggle.

Step 3: Use the exit node

You can now use the exit node from devices in your network. Each device must enable the exit node separately.

Instructions differ depending on the OS:

For Linux, re-run tailscale up with the --exit-node= flag, passing the Tailscale 100.x.y.z IP address of the exit node.

sudo tailscale up --exit-node=<exit-node-ip>

You can find the IP address for the device from the admin console, or by running tailscale status.

For macOS, you can use an exit node from the menu bar. Open the Tailscale menu and navigate to “Use exit node” From here you can select the exit node device you’d like to use by its machine name.

The Tailscale menu on macOS, opened to 'Use exit node'

For Windows, you can use an exit node from the system tray menu. Click on Tailscale icon and navigate to “Use exit node” From here you can select the exit node device you’d like to use by its machine name.

The Tailscale menu on Windows, opened to 'Use exit node'

For iOS and Android, you can use an exit node from the ellipsis icon menu in the top-right of the screen.

The Tailscale menu on iOS, opened to 'Use exit node'

From this menu, select “Use exit node” and then choose the exit node you’d like to use. You can also select “None” to disable use of an exit node.

If the “Use exit node” option is missing from the menu, you are either on a version older than v1.6, or there are no exit nodes on your network. Ensure you’re on the correct version, and that steps 1 and 2 were successful.

Step 4: Done!

You can verify that your traffic is routed by another device by checking your public IP address using online tools. You should see the exit node’s public IP rather than your local device’s IP.

You can disable routing through the exit node at any time by selecting “None” from the same menu used in step 3.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2021 Tailscale Inc.

Privacy & Terms