wikis / Tailscale / wiki / concepts / exit-nodes.md view as markdown report a mistake
Exit nodes
Definition
An exit node is a device on your tailnet that routes all of another device's public internet traffic, effectively functioning as a VPN server. By default Tailscale is an overlay network: it only routes traffic between Tailscale devices and doesn't touch your public internet traffic. An exit node changes that -- when you route all traffic through it, you use default routes (0.0.0.0/0, ::/0), so your internet traffic appears to come from the exit node's location. This is useful on untrusted Wi-Fi, for reaching services only available in your home country, or to meet compliance needs. Exit nodes are available for all plans. Both the exit node and the devices using it must run Tailscale v1.20 or later.
How It Works
For security, exit node functionality is opt-in at every step: a device must advertise itself as an exit node; an Owner, Admin, or Network admin must allow it for the tailnet; and every device must explicitly opt in to using it. By default, exit nodes capture all network traffic that isn't already directed to a subnet router or app connector. You can still route specific traffic through subnet routers or app connectors.
Setup on Linux requires IP forwarding (same net.ipv4.ip_forward / net.ipv6.conf.all.forwarding sysctl steps as subnet routers), then advertising the device:
sudo tailscale set --advertise-exit-node
In the admin console, open the Machines page, find the device by the Exit Node badge or property:exit-node filter, open Edit route settings, and check Use as exit node. If the authenticating user can approve exit nodes in autoApprovers, approval is automatic.
Each client enables the exit node separately (per operating system). You can verify your traffic is routed by checking your public IP -- the exit node's address should display. Turn it off by selecting None in the Exit Node section.
Key Parameters / Flags
--advertise-exit-node-- advertises the device as an exit node. Run assudo tailscale set --advertise-exit-node.--exit-node=<ID>-- selects a specific exit node to route through. Run astailscale set --exit-node=<ID>.--exit-node-allow-lan-access-- lets the connecting device still reach its local network while routing through the exit node. Pass totailscale uportailscale set. (By default a device connecting to an exit node loses access to its local network; you can also enableAllow Local Network Accessin the client's Exit Nodes section.)
Grant access to use an exit node
By default, any user in your tailnet can use a configured exit node -- no grants or ACLs needed. This changes once you customize the access control policy. To permit exit node use, add a grant or ACL whose dst is autogroup:internet. This grants permission to route internet traffic through any configured exit node -- it is NOT the same as adding the exit node device itself as the destination, which only permits connecting to the device (such as SSH), not using it as an internet gateway. If a policy never grants access to autogroup:internet, Tailscale has no permission to route internet traffic through the exit node.
Recommended (suggested) exit nodes
A recommended exit node (also called a suggested exit node) is an exit node or Mullvad exit node that Tailscale selects automatically based on client information such as location and latency. Available for Standard, Premium, and Enterprise plans, or customers with the Mullvad add-on. Tailscale prefers non-Mullvad exit nodes: if any standard exit nodes are available it recommends them first, using latency and performance data; for Mullvad exit nodes (no performance data) it selects based on location.
From the CLI, view the suggestion and then apply it:
tailscale exit-node suggest
The command returns the suggested exit node's ID. Accept it with:
tailscale set --exit-node=<ID>
Mandatory exit nodes
Mandatory exit nodes let you require an always-on exit node via mobile device management (MDM) system policies. Available for Premium and Enterprise plans, or customers with the Mullvad add-on. Requires Tailscale client v1.69.3 or later. Useful in hybrid/remote environments where employees must route traffic through corporate or branch offices.
- To require a single always-on exit node, configure the
ExitNodeIDpolicy to that node's ID. - To require a fleet of regionally-routed exit nodes, set
ExitNodeIDtoauto:anyand optionally list permitted nodes in theAllowedSuggestedExitNodespolicy. IfAllowedSuggestedExitNodesis unset, all exit nodes are allowed; if set but empty, no exit nodes are allowed.
Risks & Pitfalls
- A common point of confusion is adding the exit node device as the grant
dst-- that permits connecting to the device, not using it as an internet gateway. Useautogroup:internet. - Mandating always-on exit nodes can cause service disruptions when exit nodes lose connectivity or during captive portal workflows; use caution combining with a policy that prevents disconnecting the client.
- Running an exit node on Android is not performant (userspace routing only) and may be too slow for most cases; keep the device powered.
- Expired connector keys keep advertised routes configured but unreachable ("fail close"); disable key expiry or configure high availability.
- Destination logging is disabled by default for privacy; Enterprise tailnets can enable it (requires log streaming) for visibility in Network flow logs.
Related Concepts
- Subnet routers -- route to specific private subnets instead of all internet traffic
- App connectors -- route to applications by domain
- MagicDNS and DNS -- by default a device using an exit node also uses it as a DNS resolver
- Tailscale vs VPN
- Routing mechanisms compared
Sources
Based on Tailscale's official documentation for using exit nodes, exit nodes (route all traffic), recommended exit nodes, and mandatory exit nodes.
