Exit nodes (route all traffic)
By default, Tailscale acts as an overlay network: it only routes traffic between devices running Tailscale, but doesn't touch your public internet traffic, such as when you visit Google or Twitter. The overlay network configuration is ideal for most people who need secure communication between sensitive devices (such as company servers or home computers), but don't need extra layers of encryption or latency for their public internet connection.
However, there might be times when you want Tailscale to route your public internet traffic. For example, you might want to route all your public internet traffic if:
- You're in a coffee shop with untrusted Wi-Fi.
- You're traveling overseas and need access to an online service (such as banking) only available in your home country.
You can route all your public internet traffic by setting a device on your network as an exit node. When you route all traffic through an exit node, you're effectively using default routes (0.0.0.0/0, ::/0), similar to how you would if you were using a typical VPN.
Benefits
- Secure all traffic—exit nodes secure all traffic, including traffic to internet sites and applications
- Scale globally—deploy exit nodes around the globe to meet your scale and geographical needs
- Increase visibility—destination logging provides increased visibility of traffic across the tailnet and forensic analysis during security incidents
Use cases
- Traveling workforce—ensure all internet traffic is secured for your traveling workforce regardless of the physical network they're using
- Testing from different geos—test your applications from different geographies by deploying and selecting exit nodes around the globe
- Meet compliance needs—if you have regulatory or compliance needs that require your workforce to use a VPN, exit nodes can help
How it works
The exit node feature lets you route all traffic through a specific device on your Tailscale network (known as a tailnet). The device routing your traffic is called an exit node. There are many ways to use exit nodes in a tailnet. For example, you can:
- Route all non-Tailscale traffic through an exit node.
- Use suggested exit nodes to automatically use the best exit node based on client information, such as location and latency.
- Force devices to use an exit node based on system policies, which you can deploy using mobile device management (MDM) solutions.
For security purposes, you must opt in to exit node functionality. For example:
- Every device must explicitly opt in to using an exit node.
- A device must advertise itself as an exit node.
- An Owner, Admin, or Network admin must allow a device to be an exit node for the tailnet.
By default, exit nodes capture all your network traffic. You can customize the type of traffic to pass through your exit nodes using subnet routers, app connectors, or app-based split tunneling on Android.
Local network access
By default, exit nodes don't have access to a connecting device's local network. If you want to allow direct access to your local network when routing traffic through an exit node, enable exit node local network access.
You can enable the Allow Local Network Access setting from the Exit Nodes section of your Tailscale client. You can also enable this setting by passing --exit-node-allow-lan-access to tailscale up or tailscale set.
Get started
See the Use exit nodes quick start guide for basic instructions on how to configure and use exit nodes.
To get started with exit nodes:
- Understand the prerequisites.
- Configure a device to act as an exit node.
- Allow the exit node from the admin console.
- Configure other devices to use the exit node.
Prerequisites
Before you can configure an exit node, you must:
- Set up a Tailscale network (known as a tailnet).
- Ensure both the exit node and devices using the exit node run Tailscale v1.20 or later.
- Ensure the exit node is a Linux, macOS, Windows, or Android device.
- Ensure you allow (intended) users to use the exit node. Check your tailnet's ACLs and grants.
If your tailnet is using the default ACL, users of your tailnet already have access to any exit nodes that you configure. If you have modified your ACL, ensure you create an access rule that grants exit node users access to autogroup:internet. They do not need access to the exit node itself to use the exit node.
The following example ACL allows all users access to the internet through an exit node:
// All users can use exit nodes
// If you are using the default ACL, this rule is not needed because the
// default ACL allows all users access to the internet through an exit node
{ "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"] },
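A small policy lint that checks the point above: whether anyone in the policy is granted autogroup:internet (or the default ACL's *:* wildcard, which covers it). This is an added example, not Tailscale's code. It assumes the policy is HuJSON (JSON plus // and /* */ comments and trailing commas), that ACL rules sit in "acls" with "action"/"src"/"dst", and that grants sit in "grants" with "src"/"dst"; SAMPLE_POLICY is constructed for illustration.

```python
"""Lint a Tailscale policy file for exit-node (autogroup:internet) access.

Added example, not Tailscale's code.  Assumptions: the policy is HuJSON
(JSON plus // and /* */ comments and trailing commas); ACL rules live in
"acls" with "action"/"src"/"dst", grants in "grants" with "src"/"dst".
SAMPLE_POLICY below is constructed for illustration.
"""
import json


def hujson_to_json(text: str) -> str:
    """Strip comments and trailing commas without touching string contents."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # copy the escaped character verbatim
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):  # line comment: drop up to (not including) the newline
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
            continue
        elif text.startswith("/*", i):  # block comment
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        elif c == ",":
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if j < n and text[j] in "}]":  # trailing comma before a closing bracket: drop it
                i += 1
                continue
            out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)


def covers_internet(dst: str) -> bool:
    """True for autogroup:internet (any port) or the default ACL's wildcard *:*."""
    return dst == "*:*" or dst == "autogroup:internet" or dst.startswith("autogroup:internet:")


def internet_sources(policy: dict) -> list:
    """Sources that may reach the internet through an exit node, via acls or grants."""
    srcs = set()
    for rule in policy.get("acls", []):
        if rule.get("action") == "accept" and any(covers_internet(d) for d in rule.get("dst", [])):
            srcs.update(rule.get("src", []))
    for rule in policy.get("grants", []):
        if any(covers_internet(d) for d in rule.get("dst", [])):
            srcs.update(rule.get("src", []))
    return sorted(srcs)


def lint_policy(text: str) -> dict:
    """Parse a HuJSON policy and report who can use exit nodes."""
    srcs = internet_sources(json.loads(hujson_to_json(text)))
    return {"internet_sources": srcs, "ok": bool(srcs)}


SAMPLE_POLICY = """{
  // Constructed sample policy, not a real tailnet's
  "acls": [
    // All users can use exit nodes
    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"] },
    { "action": "accept", "src": ["group:eng"], "dst": ["tag:prod:22"] },
  ],
}"""

if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY))
```

An "ok": false result means the policy was modified in a way that left nobody able to route through an exit node; the fix is a rule like the one shown above, not access to the exit node machine itself.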
Configure an exit node
Use the following steps to configure an exit node:
- Install the Tailscale client.
- Advertise the device as an exit node.
- Allow the exit node.
- Use the exit node.
You can also get a suggested exit node.
Install the Tailscale client
Download and install Tailscale onto the Linux device you plan to use as an exit node.
Advertise a device as an exit node
You must enable IP forwarding to advertise a Linux device as an exit node.
To enable IP forwarding on Linux:
If your Linux system has a /etc/sysctl.d directory, use:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
Otherwise, use:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
If your Linux node uses firewalld, you might need to allow masquerading as a workaround due to a known issue. You can allow masquerading with the following command:
firewall-cmd --permanent --add-masquerade
Other Linux distributions might require different steps.
When you enable IP forwarding, ensure your firewall denies traffic forwarding by default. Many Linux firewalls (like ufw and firewalld) use this configuration by default to prevent routing unintended traffic.
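A pre-flight check for the two conditions just described: both forwarding sysctls are 1, and the FORWARD chain's default policy is not ACCEPT. This is an added example, not part of Tailscale. It parses the text printed by sysctl (the same key = value form used in sysctl.d files) and by iptables -S FORWARD or nft list ruleset; the SAMPLE_* strings are constructed command outputs. Running the file directly checks the live host and assumes those commands are installed.

```python
"""Pre-flight check for a Linux exit node: IP forwarding on, FORWARD chain default-deny.

Added example, not part of Tailscale.  It parses the text printed by
`sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding` (same key = value
form as a sysctl.d file) and by `iptables -S FORWARD` or `nft list ruleset`.
The SAMPLE_* strings are constructed.  Running the file directly checks the
live host and assumes those commands exist (root is usually needed).
"""
import json
import re
import subprocess

FORWARD_KEYS = ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding")


def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines; a later assignment overrides an earlier one, as sysctl -p does."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def forwarding_enabled(sysctl_text: str) -> dict:
    """Map each forwarding sysctl to whether it is set to 1."""
    values = parse_sysctl(sysctl_text)
    return {key: values.get(key) == "1" for key in FORWARD_KEYS}


def forward_policy(firewall_text: str):
    """Default policy of the FORWARD chain from iptables -S or nft output, or None if not found."""
    m = re.search(r"^-P FORWARD (\S+)", firewall_text, re.MULTILINE)
    if m:
        return m.group(1).upper()
    m = re.search(r"hook forward[^;]*;\s*policy (\w+);", firewall_text)
    if m:
        return m.group(1).upper()
    return None


def preflight(sysctl_text: str, firewall_text: str) -> dict:
    """Collect everything to fix before running tailscale up --advertise-exit-node."""
    fwd = forwarding_enabled(sysctl_text)
    policy = forward_policy(firewall_text)
    problems = [f"{key} is not set to 1" for key, ok in fwd.items() if not ok]
    if policy is None:
        problems.append("could not determine the FORWARD chain's default policy")
    elif policy == "ACCEPT":
        problems.append("FORWARD default policy is ACCEPT; change it to DROP so only explicit rules forward")
    return {"forwarding": fwd, "forward_policy": policy, "problems": problems}


# Constructed sample command outputs.
SAMPLE_SYSCTL_BAD = "net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 0\n"
SAMPLE_SYSCTL_OK = "net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n"
SAMPLE_IPTABLES_OPEN = "-P FORWARD ACCEPT\n-A FORWARD -j ts-forward\n"
SAMPLE_NFT_DROP = (
    "table inet filter {\n\tchain forward {\n"
    "\t\ttype filter hook forward priority filter; policy drop;\n\t}\n}\n"
)

if __name__ == "__main__":
    sysctl_out = subprocess.run(["sysctl", *FORWARD_KEYS], capture_output=True, text=True).stdout
    ipt = subprocess.run(["iptables", "-S", "FORWARD"], capture_output=True, text=True)
    fw_out = ipt.stdout if ipt.returncode == 0 else subprocess.run(
        ["nft", "list", "ruleset"], capture_output=True, text=True).stdout
    print(json.dumps(preflight(sysctl_out, fw_out), indent=2))
```

An empty "problems" list is the state to reach before advertising the device; a DROP default policy does not block Tailscale, because the client installs its own forwarding rules for traffic arriving on its interface.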
From the device you plan to use as an exit node, use the --advertise-exit-node flag when you run tailscale set or tailscale up:
sudo tailscale up --advertise-exit-node
If you pass the --advertise-exit-node flag to the tailscale set command, you must run tailscale up afterward.
sudo tailscale set --advertise-exit-node
sudo tailscale up
Allow the exit node from the admin console
You must be an Admin to allow a device to be an exit node.
If the device is authenticated by a user who can approve exit nodes in autoApprovers, the exit node will automatically be approved.
- Open the Machines page of the admin console and locate the exit node.
- Locate the Exit Node badge in the machines list or use the property:exit-node filter to list all devices advertised as exit nodes.
- From the menu of the exit node, open the Edit route settings panel, and enable Use as exit node.
Use the exit node
Each device must enable the exit node separately. The instructions for enabling an exit node vary depending on the device's operating system.
Run tailscale set with the --exit-node= flag, passing the Tailscale IP address of the exit node.
sudo tailscale set --exit-node=<exit-node-ip>
You can find the IP address for the device from the admin console or by running tailscale status.
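A helper for finding that address without reading the table by eye: it lists the peers that this device may select as an exit node from tailscale status --json. This is an added example, not Tailscale's code. It relies on the per-peer fields ExitNodeOption (the peer is advertised and allowed as an exit node) and ExitNode (the peer is the one currently in use) as I understand the status JSON, so check them against your own output; SAMPLE_STATUS is constructed, with addresses from Tailscale's 100.64.0.0/10 range.

```python
"""List exit-node candidates from `tailscale status --json`.

Added example, not Tailscale's code.  It reads the per-peer fields
ExitNodeOption (peer is advertised and allowed as an exit node) and ExitNode
(peer is the one currently in use) as I understand the status JSON; check
them against your own output.  SAMPLE_STATUS is constructed, with addresses
from Tailscale's 100.64.0.0/10 range.
"""
import json
import subprocess


def exit_node_candidates(status: dict) -> list:
    """Peers that can be selected as exit nodes, with IPs, reachability and selection state."""
    nodes = []
    for peer in status.get("Peer", {}).values():
        if not peer.get("ExitNodeOption"):
            continue  # advertised-but-unapproved peers are not offered to this client
        nodes.append({
            "host": peer.get("HostName", ""),
            "ips": peer.get("TailscaleIPs", []),
            "online": bool(peer.get("Online")),
            "selected": bool(peer.get("ExitNode")),
        })
    return sorted(nodes, key=lambda node: node["host"])


def current_exit_node(status: dict):
    """The exit node this device is routing through, or None when none is selected."""
    return next((node for node in exit_node_candidates(status) if node["selected"]), None)


def load_status(text: str) -> dict:
    return json.loads(text)


SAMPLE_STATUS = load_status("""{
  "BackendState": "Running",
  "Peer": {
    "nodekey:aaaa": {"HostName": "exit-eu", "TailscaleIPs": ["100.101.102.103", "fd7a:115c:a1e0::1"],
                     "Online": true, "ExitNodeOption": true, "ExitNode": true},
    "nodekey:bbbb": {"HostName": "laptop", "TailscaleIPs": ["100.101.102.104"],
                     "Online": true, "ExitNodeOption": false, "ExitNode": false},
    "nodekey:cccc": {"HostName": "exit-us", "TailscaleIPs": ["100.101.102.105"],
                     "Online": false, "ExitNodeOption": true, "ExitNode": false}
  }
}""")

if __name__ == "__main__":
    live = load_status(subprocess.run(["tailscale", "status", "--json"],
                                      capture_output=True, text=True).stdout)
    for node in exit_node_candidates(live):
        mark = "*" if node["selected"] else " "
        state = "online" if node["online"] else "offline"
        print(f"{mark} {node['host']:20} {', '.join(node['ips'])}  {state}")
```

The starred row is the node currently in use; an offline candidate still appears in the list, which is the case to watch for when a device suddenly loses internet after its exit node goes down.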
Alternatively, set --exit-node-allow-lan-access to true to allow direct access to your local network when routing traffic through an exit node.
sudo tailscale set --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true
To stop using an exit node, run the --exit-node flag without passing in an IP address.
sudo tailscale up --exit-node=
The option to use an exit node only displays if there's an available exit node in your tailnet.
You can verify that your traffic is routed by another device by checking your public IP address using online tools. You should see the exit node's public address rather than your local device's IP address.
You can turn off routing through an exit node by selecting None from the Exit Node drop-down.
Destination logging in network flow logs
By default, destination logging is disabled for traffic flowing through an exit node across all tailnets, for privacy, abuse, and security purposes. Tailnets on the Enterprise plan can, however, enable destination logging across the tailnet for increased visibility of traffic across the tailnet and forensic analysis during security incidents. Destinations are logged in Network flow logs.
You must enable log streaming before using exit node destination logging.
To enable destination logging for exit nodes:
- Navigate to the Logs page in the admin console.
- Select Network flow logs.
- Select the Logging Actions menu, then select Enable exit node destination logging.
To disable destination logging for exit nodes:
- Navigate to the Logs page in the admin console.
- Select Network flow logs.
- Select the Logging Actions menu, then select Disable exit node destination logging.