Hiddenden/Knowledge-Base
2
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
27965301ad12e169b21ae8ab4c4d013705ce0704
Knowledge-Base/40 - Guides/networking/tailscale-exit-nodes.md

125 lines
3.6 KiB
Markdown
Raw Blame History

---
title: Tailscale Exit Nodes
description: Guide to publishing and using Tailscale exit nodes for internet-bound traffic
tags:
- networking
- tailscale
- vpn
category: networking
created: 2026-03-14
updated: 2026-03-14
---
# Tailscale Exit Nodes
## Introduction
An exit node is a Tailscale device that forwards a client's default route. When enabled, internet-bound traffic leaves through that node instead of the client's local network.
## Purpose
Exit nodes are commonly used for:
- Secure browsing on untrusted networks
- Reaching the internet through a trusted home or lab connection
- Testing geo-dependent behavior from another site
- Concentrating egress through a monitored network path
## Architecture Overview
With an exit node, the selected client sends default-route traffic through Tailscale to the exit node, which then forwards it to the public internet.
```text
Client -> Tailscale tunnel -> Exit node -> Internet
```
Important implications:
- The exit node becomes part of the trust boundary
- Bandwidth, DNS behavior, and logging depend on the exit node's network
- Local LAN access on the client may need explicit allowance
## Step-by-Step Guide
### 1. Prepare the exit node host
Choose a stable host with sufficient upstream bandwidth and a network path you trust. Typical choices are a home server, small VPS, or a utility VM.
### 2. Advertise the node as an exit node
On the node:
```bash
sudo tailscale up --advertise-exit-node
```
You can combine this with tags:
```bash
sudo tailscale up --advertise-exit-node --advertise-tags=tag:exit-node
```
### 3. Approve or review the role
Approve the exit node in the admin console if required by policy. Restrict who can use it with ACLs or grants.
### 4. Select the exit node on a client
From a client, choose the exit node in the Tailscale UI or configure it from the CLI:
```bash
sudo tailscale up --exit-node=<exit-node-name-or-ip>
```
If the client still needs to reach the local LAN directly, enable local LAN access in the client configuration or UI.
## Configuration Example
Example for a dedicated Linux exit node:
```bash
sudo tailscale up \
--advertise-exit-node \
--advertise-tags=tag:exit-node
```
Client-side example:
```bash
sudo tailscale up --exit-node=home-gateway
curl https://ifconfig.me
```
## Troubleshooting Tips
### Internet access stops after selecting the exit node
- Confirm the exit node is online in `tailscale status`
- Verify the exit node host itself has working internet access
- Check the exit node's local firewall and forwarding configuration
### Local printers or NAS become unreachable
- Enable local LAN access on the client if that behavior is required
- Split administrative traffic from internet egress if the use case is mixed
### Performance is poor
- Verify the client is using a nearby and healthy exit node
- Check the exit node's CPU, uplink bandwidth, and packet loss
- Avoid placing an exit node behind overloaded or unstable consumer hardware
## Best Practices
- Use exit nodes for specific trust and egress requirements, not as a default for every device
- Restrict usage to approved groups or devices
- Keep exit nodes patched because they handle broad traffic scopes
- Log and monitor egress hosts like any other shared network gateway
- Separate personal browsing, admin traffic, and production service egress when the risk model requires it
## References
- [Tailscale: Exit nodes](https://tailscale.com/kb/1103/exit-nodes)
- [Tailscale: What is Tailscale?](https://tailscale.com/kb/1151/what-is-tailscale)
- [Tailscale: Access controls](https://tailscale.com/kb/1018/acls)
Reference in New Issue View Git Blame Copy Permalink