Exit Nodes (route all traffic)

Exit nodes capture all your network traffic, which is often not what you want. To configure Tailscale to only route certain subnets (the more common configuration), read about subnet routers instead.

The exit node feature lets you route all non-Tailscale internet traffic through a specific device on your Tailscale network (known as a tailnet). The device routing your traffic is called an “exit node.”

Exit nodes are available for all plans.

By default, Tailscale acts as an overlay network: it only routes traffic between devices running Tailscale, but doesn’t touch your public internet traffic, such as when you visit Google or Twitter. This is ideal for most people, who need secure communication between sensitive devices (company servers, home computers), but don’t need extra layers of encryption or latency for their public internet connection.

A diagram showing four devices in a Tailscale overlay network. A laptop is making a direct connection to google.com.

However, there may be times when you do want Tailscale to route your public internet traffic: in a cafe with untrusted Wi-Fi, or when traveling overseas and needing access to an online service (such as banking) only available in your home country.

A diagram showing four devices in a Tailscale overlay network where one is highlighted in blue and designated as an exit node. The laptop makes its connection to google.com through the Desktop device designated as an exit node.

By setting a device on your network as an exit node, you can use it to route all your public internet traffic as needed, like a consumer VPN.

If you’ve ever used default routes (0.0.0.0/0, ::/0) with other VPNs or native WireGuard®, exit nodes are Tailscale’s equivalent. Exit nodes use default routes under the hood.

Configuring an exit node

Let’s walk through how to configure an exit node for your network. For security purposes, every device must explicitly opt in to using the exit node:

  • A device must advertise that it’s willing to be an exit node.
  • An Owner, Admin, or Network admin must allow it to be an exit node for the network.
  • And then other devices on your network can use that exit node as they’d like.

Prerequisites

  1. Before you begin this guide, you’ll need a Tailscale network, called a tailnet, set up. Read our getting started guide if you need help with this.

  2. Ensure both the exit node and devices using the exit node will run Tailscale v1.20 or later.

  3. Ensure your exit node is a Linux, macOS, Windows, or Android device.

  4. If your tailnet is using the default ACL, users of your tailnet already have access to any exit nodes that you configure. If you have modified your ACL, ensure you have created an access rule that grants access to autogroup:internet to users who you wish to use exit nodes. They do not need access to the exit node itself in order to use the exit node. Here’s an example line to add to your ACL that allows all users access to the internet through an exit node:

    // All users can use exit nodes
    // If you are using the default ACL, this rule is not needed because the
    // default ACL allows all users access to the internet through an exit node
    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"] },
    

Step 1: Install the Tailscale client

Android

Download and install Tailscale onto your exit node machine.

Linux

Download and install Tailscale onto your exit node machine. We offer instructions for a variety of Linux distros.

macOS

Download and install Tailscale onto your exit node machine. Each of the three macOS variants is supported for running an exit node.

tvOS

Download and install Tailscale onto your Apple TV.

Windows

Download and install Tailscale onto your exit node machine.

Step 2: Advertise a device as an exit node

Android

From the device you’d like to use as an exit node, in the Tailscale client, select the Run exit node menu item.

Linux
This feature requires IP forwarding to be enabled.
Enable IP forwarding

If your Linux system has a /etc/sysctl.d directory, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Otherwise, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

If your Linux node uses firewalld, you may need to also allow masquerading due to a known issue. As a workaround, you can allow masquerading with this command:

firewall-cmd --permanent --add-masquerade

Other distros may require different steps.

When enabling IP forwarding, ensure your firewall is set up to deny traffic forwarding by default. This is a default setting for common firewalls like ufw and firewalld, and ensures your device doesn’t route traffic you don’t intend.

From the device you’d like to use as an exit node, re-run tailscale up with the --advertise-exit-node flag, along with any other flags you normally use:

sudo tailscale up --advertise-exit-node
macOS
There are three ways to run Tailscale on macOS. This document only applies to the macOS App Store and Standalone (GUI) versions. If you use tailscaled on macOS, the instructions are the same as Linux.

From the device you’d like to use as an exit node, in the Tailscale client, select the Run Exit Node menu item under the Exit Node submenu.

tvOS

To use your Apple TV as an exit node in your tailnet, see Install Tailscale on an Apple TV.

Windows

From the device you’d like to use as an exit node, in the Tailscale client, select the Run exit node menu item under the Exit node submenu.

If the device is authenticated by a user who can approve exit nodes in autoApprovers, then the exit node will automatically be approved.

Step 3: Allow the exit node from the admin console

This step is not required if using autoApprovers.

An admin in your network must now allow this device to be used as an exit node.

Open the Machines page of the admin console, and locate the exit node device. You can look for the Exit Node badge in the machines list, or use the property:exit-node filter to see all devices claiming to be exit nodes.

The route settings panel in the admin console. Near the bottom is a section titled 'exit node' with a single toggle.

Look for the ’exit node’ badge to see devices advertising as exit nodes.

Once you’ve found the machine, from the ellipsis icon menu, open the Edit route settings panel, and enable the Use as exit node option.

The route settings panel in the admin console. Near the bottom is a section titled 'exit node' with a single toggle.

Step 4: Use the exit node

You can now use the exit node from devices in your network. Each device must enable the exit node separately.

Instructions differ depending on the OS:

Android

You can use an exit node from the ellipsis icon menu in the top-right of the screen.

The Tailscale menu on Android, with focus on 'Use exit node'

From this menu, select Use exit node and then choose the exit node you’d like to use. If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow LAN access. You can also select None to disable use of an exit node.

iOS

You can use an exit node from top of the screen.

The Tailscale menu on iOS, with focus on 'Use exit node'

Select the exit node that you want to use. To stop using an exit node, disable the one you are currently using or select None from the Exit Node drop-down list.

Linux

Re-run tailscale up with the --exit-node= flag, passing the Tailscale 100.x.y.z IP address of the exit node.

sudo tailscale up --exit-node=<exit-node-ip>

You can find the IP address for the device from the admin console, or by running tailscale status.

Alternatively, set --exit-node-allow-lan-access to true to allow direct access to your local network when traffic is routed via an exit node.

sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true
macOS

You can use an exit node from the menu bar. Open the Tailscale menu and select Exit Nodes. (If you are running a Tailscale client version earlier than v1.60.0, the menu string to select is Use exit node.) From here you can select the exit node device you’d like to use by its machine name.

If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow Local Network Access.

tvOS

To allow your Apple TV to use another device in your tailnet as an exit node, see Install Tailscale on an Apple TV.

Windows

You can use an exit node from the system tray menu. Click on Tailscale icon and navigate to Use exit node. From here you can select the exit node device you’d like to use by its machine name.

The Tailscale menu on Windows, opened to 'Use exit node'

If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow local network access.

The option to use an exit node will only display if there is an available exit node in your tailnet.

Step 5: Done!

You can verify that your traffic is routed by another device by checking your public IP address using online tools. You should see the exit node’s public IP rather than your local device’s IP.

You can disable routing through the exit node at any time by selecting None from the same menu used in step 4.

Caveats

Android

Tailscale support for running exit nodes on Android is new and still being optimized. The device should be plugged in if it will be used as an exit node for an extended period of time. Android exit nodes are limited to userspace routing.

Running an exit node on an Android device is not performant—it may be too slow for most cases.

Userspace

On Android, the exit node is implemented in userspace, which differs from the default Linux exit node implementation and is not as mature or fully optimized. For details, see Kernel vs. netstack subnet routing & exit nodes.

macOS

Tailscale support for running exit nodes on macOS is new and still being optimized. macOS exit nodes are limited to userspace routing and require you to prevent your device from sleeping to maintain a connection.

Userspace

On macOS, the exit node is implemented in userspace, which differs from the default Linux exit node implementation and is not as mature or fully optimized. For details, see Kernel vs. netstack subnet routing & exit nodes.

Sleeping

When running an exit node, you currently need to prevent the computer from going to sleep if you want the exit node to remain available.

In macOS System Preferences, under Energy Saver, select Prevent computer from sleeping automatically when the display is off.

tvOS

Sleeping

The most common reason your Apple TV cannot be accessed when asleep is that it’s not configured as a home hub. Typically, during the initial setup of an Apple TV, it is automatically set as a home hub. However, this feature can become disabled if you move your Apple TV to a different physical location or make significant configuration changes to your network. For more details, see Install Tailscale on an Apple TV.

Windows

Tailscale support for running exit nodes on Windows is new and still being optimized. Windows exit nodes are limited to userspace routing, require DNS in a system thread, and require you to prevent your device from sleeping to maintain a connection.

Userspace

On Windows, the exit node is implemented in userspace, which differs from the default Linux exit node implementation and is not as mature or fully optimized. For details, see Kernel vs. netstack subnet routing & exit nodes.

DNS

When Tailscale is operating as an exit node, it also runs a DNS server for peers behind the exit node to use as their DNS server.

Tailscale’s DNS server implementation on Windows currently occupies a system thread (and thus system memory) for each ongoing DNS query. For low numbers of concurrent queries, this is fine, but it might be problematic for heavily used exit nodes.

Sleeping

When running an exit node, you’ll probably want to check “Run Unattended”, so Tailscale continues to run even after you log out (or the machine reboots, such as for Windows updates).

You also currently need to prevent the computer from going to sleep if you want the exit node to remain available.