---
title: Tailscale Exit Nodes
description: Guide to publishing and using Tailscale exit nodes for internet-bound traffic
tags:
  - networking
  - tailscale
  - vpn
category: networking
created: 2026-03-14
updated: 2026-03-14
---

# Tailscale Exit Nodes

## Introduction

An exit node is a Tailscale device that forwards a client's default route. When enabled, internet-bound traffic leaves through that node instead of the client's local network.

## Purpose

Exit nodes are commonly used for:

- Secure browsing on untrusted networks
- Reaching the internet through a trusted home or lab connection
- Testing geo-dependent behavior from another site
- Concentrating egress through a monitored network path

## Architecture Overview

With an exit node, the selected client sends default-route traffic through Tailscale to the exit node, which then forwards it to the public internet.

```text
Client -> Tailscale tunnel -> Exit node -> Internet
```

Important implications:

- The exit node becomes part of the trust boundary
- Bandwidth, DNS behavior, and logging depend on the exit node's network
- Local LAN access on the client may need explicit allowance

## Step-by-Step Guide

### 1. Prepare the exit node host

Choose a stable host with sufficient upstream bandwidth and a network path you trust. Typical choices are a home server, small VPS, or a utility VM.

### 2. Advertise the node as an exit node

On the node:

```bash
sudo tailscale up --advertise-exit-node
```

You can combine this with tags:

```bash
sudo tailscale up --advertise-exit-node --advertise-tags=tag:exit-node
```

### 3. Approve or review the role

Approve the exit node in the admin console if required by policy. Restrict who can use it with ACLs or grants.

### 4. Select the exit node on a client

From a client, choose the exit node in the Tailscale UI or configure it from the CLI:

```bash
# Replace the placeholder with the exit node's name or Tailscale IP.
# An empty value (--exit-node=) clears the exit node instead of selecting one.
sudo tailscale up --exit-node=<exit-node-name-or-ip>
```

If the client still needs to reach the local LAN directly, enable local LAN access in the client configuration or UI.

## Configuration Example

Example for a dedicated Linux exit node:

```bash
sudo tailscale up \
  --advertise-exit-node \
  --advertise-tags=tag:exit-node
```

Client-side example:

```bash
# Route default traffic through the exit node named home-gateway
sudo tailscale up --exit-node=home-gateway
# The reported public IP should now be the exit node's, not the client's
curl https://ifconfig.me
```

## Troubleshooting Tips

### Internet access stops after selecting the exit node

- Confirm the exit node is online in `tailscale status`
- Verify the exit node host itself has working internet access
- Check the exit node's local firewall and forwarding configuration

### Local printers or NAS become unreachable

- Enable local LAN access on the client if that behavior is required
- Split administrative traffic from internet egress if the use case is mixed

### Performance is poor

- Verify the client is using a nearby and healthy exit node
- Check the exit node's CPU, uplink bandwidth, and packet loss
- Avoid placing an exit node behind overloaded or unstable consumer hardware

## Best Practices

- Use exit nodes for specific trust and egress requirements, not as a default for every device
- Restrict usage to approved groups or devices
- Keep exit nodes patched because they handle broad traffic scopes
- Log and monitor egress hosts like any other shared network gateway
- Separate personal browsing, admin traffic, and production service egress when the risk model requires it

## References

- [Tailscale: Exit nodes](https://tailscale.com/kb/1103/exit-nodes)
- [Tailscale: What is Tailscale?](https://tailscale.com/kb/1151/what-is-tailscale)
- [Tailscale: Access controls](https://tailscale.com/kb/1018/acls)
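
The troubleshooting check "Confirm the exit node is online in `tailscale status`" can be scripted against the client's `tailscale status --json` output. The following is an added example, not part of the original guide or Tailscale's own tooling; the sample JSON is constructed, the state names are hypothetical, and it assumes the peer's `HostName` matches the name passed to `--exit-node`.

```python
import json
import sys

# Constructed sample of `tailscale status --json`, trimmed to the per-peer
# fields this check reads (HostName, Online, ExitNodeOption, ExitNode).
SAMPLE_STATUS = json.loads("""
{"Peer": {
  "nodekey:aaaa": {"HostName": "home-gateway", "Online": true,  "ExitNodeOption": true,  "ExitNode": true},
  "nodekey:bbbb": {"HostName": "lab-vps",      "Online": false, "ExitNodeOption": true,  "ExitNode": false},
  "nodekey:cccc": {"HostName": "nas",          "Online": true,  "ExitNodeOption": false, "ExitNode": false}
}}
""")


def _peers(status):
    """Peer entries as a list; "Peer" is null when the client sees no peers."""
    return list((status.get("Peer") or {}).values())


def diagnose_exit_node(status, hostname):
    """Classify `hostname` as an exit node from this client's point of view."""
    peer = next((p for p in _peers(status) if p.get("HostName") == hostname), None)
    if peer is None:
        return "unknown-peer"   # wrong name, or policy hides the node from this client
    if not peer.get("ExitNodeOption", False):
        return "not-offered"    # steps 2-3: not advertised or not approved
    if not peer.get("Online", False):
        return "offline"        # selecting it would leave the client without internet
    if not peer.get("ExitNode", False):
        return "not-selected"   # step 4: usable, but this client is not routing through it
    return "in-use"


def selected_exit_nodes(status):
    """Hostnames of peers this client is currently using as its exit node."""
    return sorted(p.get("HostName", "") for p in _peers(status) if p.get("ExitNode"))


if __name__ == "__main__":
    # Usage: tailscale status --json | python3 check_exit_node.py home-gateway
    live = len(sys.argv) > 1 and not sys.stdin.isatty()
    status = json.load(sys.stdin) if live else SAMPLE_STATUS
    name = sys.argv[1] if len(sys.argv) > 1 else "home-gateway"
    state = diagnose_exit_node(status, name)
    print(f"{name}: {state}")
    sys.exit(0 if state == "in-use" else 1)
```

The non-zero exit code for anything other than `in-use` lets the check run from a monitoring job on clients that are required to egress through a specific node.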