Tailscale Exit Nodes

Guide to publishing and using Tailscale exit nodes for internet-bound traffic

created: Sat Mar 14 2026 00:00:00 GMT+0000 (Coordinated Universal Time)
updated: Sat Mar 14 2026 00:00:00 GMT+0000 (Coordinated Universal Time)
tags: #networking #tailscale #vpn

Introduction

An exit node is a Tailscale device that carries a client's default route. When a client selects it, the client's internet-bound traffic leaves through that node instead of through the client's local network.

Purpose

Exit nodes are commonly used for:

  • Secure browsing on untrusted networks
  • Reaching the internet through a trusted home or lab connection
  • Testing geo-dependent behavior from another site
  • Concentrating egress through a monitored network path

Architecture Overview

When a client selects an exit node, it sends its default-route traffic through the Tailscale tunnel to the exit node, which then forwards it to the public internet.

Client -> Tailscale tunnel -> Exit node -> Internet

Important implications:

  • The exit node becomes part of the trust boundary: it and its upstream network can observe the client's internet-bound traffic
  • Bandwidth, DNS behavior, and logging depend on the exit node's network
  • Local LAN access on the client may need explicit allowance

Step-by-Step Guide

1. Prepare the exit node host

Choose a stable host with sufficient upstream bandwidth and a network path you trust. Typical choices are a home server, small VPS, or a utility VM.

2. Advertise the node as an exit node

On the node:

sudo tailscale up --advertise-exit-node

You can combine this with tags:

sudo tailscale up --advertise-exit-node --advertise-tags=tag:exit-node

3. Approve or review the role

Approve the exit node in the admin console if required by policy. Restrict who can use it with ACLs or grants.

4. Select the exit node on a client

From a client, choose the exit node in the Tailscale UI or configure it from the CLI:

sudo tailscale up --exit-node=<exit-node-name-or-ip>

If the client still needs to reach the local LAN directly, enable local LAN access in the client configuration or UI.

Configuration Example

Example for a dedicated Linux exit node:

sudo tailscale up \
  --advertise-exit-node \
  --advertise-tags=tag:exit-node

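Client-side example (the curl call prints the public IP the client now egresses from, which should be the exit node's address):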

sudo tailscale up --exit-node=home-gateway
curl https://ifconfig.me

Troubleshooting Tips

Internet access stops after selecting the exit node

  • Confirm the exit node is online in the output of tailscale status
  • Verify the exit node host itself has working internet access
  • Check the exit node's local firewall and forwarding configuration

Local printers or NAS become unreachable

  • Enable local LAN access on the client if that behavior is required
  • Split administrative traffic from internet egress if the use case is mixed

Performance is poor

  • Verify the client is using a nearby and healthy exit node
  • Check the exit node's CPU, uplink bandwidth, and packet loss
  • Avoid placing an exit node behind overloaded or unstable consumer hardware

Best Practices

  • Use exit nodes for specific trust and egress requirements, not as a default for every device
  • Restrict usage to approved groups or devices
  • Keep exit nodes patched because they handle broad traffic scopes
  • Log and monitor egress hosts like any other shared network gateway
  • Separate personal browsing, admin traffic, and production service egress when the risk model requires it
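
For step 3 and the "Restrict usage" practice above, an added example (not part of the original guide and not Tailscale tooling): a Python check over a parsed policy file that flags rules opening exit-node use or exit-node approval too widely. The group names and sample policies are constructed; treating a wildcard destination as covering exit-node use and accepting only tags as auto-approvers are this example's assumptions.

```python
# Added example: lint a Tailscale policy (already parsed into a dict) for rules
# that open exit-node use or exit-node approval too widely.
# Assumptions: a wildcard destination host is treated as covering exit-node
# use, and only tags should auto-approve exit nodes. Both are this example's
# rules, not Tailscale's.

BROAD_SOURCES = {"*", "autogroup:member"}


def grants_exit_node_use(dst):
    """True if an ACL destination ("host:ports") covers egress via exit nodes."""
    host = dst.rsplit(":", 1)[0]
    return host in ("autogroup:internet", "*")


def exit_node_findings(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        if not any(grants_exit_node_use(d) for d in rule.get("dst", [])):
            continue
        broad = sorted(BROAD_SOURCES.intersection(rule.get("src", [])))
        if broad:
            findings.append(f"acls[{i}]: exit-node use open to {', '.join(broad)}")
    for who in policy.get("autoApprovers", {}).get("exitNode", []):
        if not who.startswith("tag:"):
            findings.append(f"autoApprovers.exitNode: {who} is not a tag")
    return findings


# Constructed sample policies (group names are hypothetical).
WEAK_POLICY = {
    "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
    "autoApprovers": {"exitNode": ["group:staff"]},
}
RESTRICTED_POLICY = {
    "groups": {"group:exit-users": ["alice@example.com"]},
    "tagOwners": {"tag:exit-node": ["autogroup:admin"]},
    "autoApprovers": {"exitNode": ["tag:exit-node"]},
    "acls": [{"action": "accept", "src": ["group:exit-users"],
              "dst": ["autogroup:internet:*"]}],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, exit_node_findings(pol) or "no findings")
```

A real policy file is HuJSON, so strip comments and trailing commas before loading it into a dict for this check.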
