Get started
© 2024

Access your VPC

This topic provides details for setting up a Linux subnet router to access your virtual private cloud (VPC). You can also set up a subnet router on Windows or macOS.


Create a Tailscale subnet router

  1. Start by jotting down the IP address of the private resources you want to access and determine the Classless Inter-Domain Routing (CIDR) notation that represents the subnet boundaries for those resources. For example, if you have a VM at and another at, you might consider using CIDR notations and to represent these subnets

    Cloud providers may also provide CIDR address spaces for your VPCs which you can just use out of the box. For example, here is a screenshot for AWS:

    A screenshot of the AWS VPC page showing a CIDR range.

    This is a screenshot for Azure:

    A screenshot of the Azure virtual network page showing a CIDR range.
  2. Start by accessing your VM to start configuring your subnet router.

    This will most likely be the cloud-provided SSH mechanism and may require you to temporarily open up port 22 on that VM to your corporate network or the internet.

  3. In a terminal window, run the following command to see if you have sysctl.d on your system:

    ls /etc | grep sysctl.d
  4. If the command returns an output, it means sysctl.d is on your system, so you can run the following commands to set up IP forwarding on your router:

    echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

    Otherwise, run these commands to set up IP forwarding on your router:

    echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
    echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p /etc/sysctl.conf
  5. If you have firewalld installed on your VM instance, you should also allow masquerading for your subnet router to work:

    firewall-cmd --permanent --add-masquerade

    If this command return an error that means you do not have firewalld installed and can skip to the next step.

  6. Finally, run the tailscale set command to start advertising routes to your subnet (the routes your recorded in step 1):

    sudo tailscale set --advertise-routes=<subnet range 1>,<subnet range 2>,...

    Running this step will cause the VM to authenticate with Tailscale. You will be asked to login with your credentials and add the device to your tailnet. Here’s an example of running the command with the subnet ranges we used in step 1:

    sudo tailscale set --advertise-routes=,
  7. Open the Access Controls page of the Tailscale admin console and add the following lines to your tailnet policy file to allow connectivity via your subnet:

    "acls": [
               { "action": "accept",
                 "src": ["your-tailscale-username"],
                 "dst": ["<subnet-range-1>/24:*","<subnet-range-2>/24:*"]

    This will allow the designated subnets to be reachable by you and to the ports that you designate in the rule. Here’s an example of a rule based on subnets in step 1 which allows access to all ports in the subnet range to the user

    "acls": [
            { "action": "accept",
              "src": [""],
              "dst": ["*","*"]
  8. If you are using a Linux-based local machine (not your subnet router) to connect, you need to run the tailscale set command to accept the advertised routes. If you are not using a Linux-based local machine, you can skip this step.

    sudo tailscale set --accept-routes

Use the subnet router

  1. From step 1 in Create a Tailscale subnet router, find the private IP addresses for the resources or machine that you are trying to reach.

  2. On your local machine, in a terminal window, ping those private IPs.

    ping <your private vm ip address>

    You should see responses from them which indicate that your subnet router is working as expected.

    For example, using private IPs in step 1:

    ping -t 4

    If successful, you should see a response from these private IP addresses similar to:

    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=0.112 ms
    64 bytes from icmp_seq=1 ttl=64 time=0.088 ms
    64 bytes from icmp_seq=2 ttl=64 time=0.175 ms
    64 bytes from icmp_seq=3 ttl=64 time=0.145 ms

Want to see this working in action?

Try now!