
Exit nodes (route all traffic)

Exit nodes capture all your network traffic. To configure Tailscale to only route specific subnets (the more common configuration), refer to subnet routers instead.

The exit node feature lets you route all non-Tailscale internet traffic through a specific device on your Tailscale network (known as a tailnet). The device routing your traffic is called an exit node.

Exit nodes are available for all plans.

By default, Tailscale acts as an overlay network: it only routes traffic between devices running Tailscale, but doesn't touch your public internet traffic, such as when you visit Google or Twitter. The overlay network configuration is ideal for most people who need secure communication between sensitive devices (such as company servers or home computers), but don't need extra layers of encryption or latency for their public internet connection.

A diagram showing four devices in a Tailscale overlay network. A laptop is making a direct connection to

However, there might be times when you want Tailscale to route your public internet traffic. For example, you might want to route all your public internet traffic if:

  • You're in a cafe with untrusted Wi-Fi.
  • You're traveling overseas and need access to an online service (such as banking) only available in your home country.

A diagram showing four devices in a Tailscale overlay network where one is highlighted in blue and designated as an exit node. The laptop makes its connection to through the Desktop device designated as an exit node.

You can route all your public internet traffic by setting a device on your network as an exit node. When you route all traffic through an exit node, you're effectively using default routes (0.0.0.0/0, ::/0), similar to how you would if you were using a typical VPN.

Configure an exit node

For security purposes, you must opt in to exit node functionality. For example:

  • Every device must explicitly opt in to using an exit node.
  • A device must advertise that it's willing to be an exit node.
  • An Owner, Admin, or Network admin must allow a device to be an exit node for the network.


Before you can configure an exit node, you must:

  • Set up a Tailscale network, called a tailnet.
  • Ensure both the exit node and devices using the exit node run Tailscale v1.20 or later.
  • Ensure the exit node is a Linux, macOS, Windows, or Android device.
  • Ensure you allow (intended) users to use the exit node.

If your tailnet is using the default ACL, users of your tailnet already have access to any exit nodes that you configure. If you have modified your ACL, ensure you create an access rule that grants exit node users access to autogroup:internet. They do not need access to the exit node itself to use the exit node.

The following example configuration, added to your ACL, allows all users access to the internet through an exit node:

// All users can use exit nodes
// If you are using the default ACL, this rule is not needed because the
// default ACL allows all users access to the internet through an exit node
{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"] },

Install the Tailscale client

This feature requires IP forwarding to be enabled.

Enable IP forwarding

If your Linux system has a /etc/sysctl.d directory, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Otherwise, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

If your Linux node uses firewalld, you might need to allow masquerading due to a known issue. As a workaround, you can allow masquerading with the following command:

firewall-cmd --permanent --add-masquerade

Other Linux distributions may require different steps.

When you enable IP forwarding, ensure your firewall denies traffic forwarding by default. Many Linux firewalls (like ufw and firewalld) use this configuration by default to prevent routing unintended traffic.
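
One way to check both conditions before advertising the node, as an added example that is not part of the Tailscale documentation: it reads sysctl-style text and `iptables -S FORWARD` output and returns a one-word verdict. The function names, verdict words and sample inputs are constructed for illustration, and it assumes the filter table is managed through iptables.

```shell
# Added example: audit a Linux host before advertising it as an exit node.
# Inputs are passed as text so the logic runs offline; on a real host pass
#   "$(cat /etc/sysctl.d/99-tailscale.conf)" and "$(sudo iptables -S FORWARD)".

# Print the effective value of a key in sysctl.conf-style text.
# Later lines override earlier ones, which matters because `tee -a` appends.
sysctl_value() {  # $1 = key, $2 = file contents
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        { n = index($0, "=")
          if (n == 0) next
          k = substr($0, 1, n - 1); v = substr($0, n + 1)
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }'
}

# Print the default policy of the FORWARD chain from `iptables -S FORWARD` output.
forward_policy() {  # $1 = rules text
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Combine both checks into one verdict word (hypothetical labels).
audit_exit_node() {  # $1 = sysctl text, $2 = iptables text
    v4=$(sysctl_value net.ipv4.ip_forward "$1")
    v6=$(sysctl_value net.ipv6.conf.all.forwarding "$1")
    pol=$(forward_policy "$2")
    if [ "$v4" != 1 ] || [ "$v6" != 1 ]; then
        echo "forwarding-disabled"
    elif [ "$pol" != DROP ]; then
        echo "forward-policy-open"   # not denied by default (or policy unknown)
    else
        echo "ok"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SYSCTL='# constructed sample
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'
SAMPLE_OPEN='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_CLOSED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

audit_exit_node "$SAMPLE_SYSCTL" "$SAMPLE_OPEN"
audit_exit_node "$SAMPLE_SYSCTL" "$SAMPLE_CLOSED"
```

A `forward-policy-open` verdict means the host would forward any traffic routed to it, not only tailnet traffic, once IP forwarding is on.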

From the device you plan to use as an exit node, re-run tailscale up with the --advertise-exit-node flag, along with any other flags you want to use:

sudo tailscale up --advertise-exit-node

If the device is authenticated by a user who can approve exit nodes in autoApprovers, the exit node will automatically be approved.

Allow the exit node from the admin console

This step is not required if using autoApprovers.

You must be an Admin to allow a device to be an exit node.

Open the Machines page of the admin console and locate the exit node device. You can identify the Exit Node badge in the machines list or use the property:exit-node filter to list all devices advertised as exit nodes.

From the ellipsis icon menu of the exit node, open the Edit route settings panel, and enable Use as exit node.

Use the exit node

Each device must enable the exit node separately. The instructions for enabling an exit node vary depending on the device's operating system.

Re-run tailscale up with the --exit-node= flag, passing the Tailscale 100.x.y.z IP address of the exit node.

sudo tailscale up --exit-node=<exit-node-ip>

You can find the IP address for the device from the admin console or by running tailscale status.

Alternatively, set --exit-node-allow-lan-access to true to allow direct access to your local network when routing traffic through an exit node.

sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true

To stop using an exit node, re-run tailscale up with the --exit-node= flag without passing in an IP address.

sudo tailscale up --exit-node=

The option to use an exit node only displays if there's an available exit node in your tailnet.

You can verify that your traffic is routed by another device by checking your public IP address using online tools. You should see the exit node's public IP rather than your local device's IP.

You can turn off routing through an exit node by selecting None from the Exit Node drop-down.