Exit Node
Overview
An exit node is any device in your Tailscale/Headscale network that routes internet traffic for other devices. When you connect through an exit node, your internet traffic appears to come from that device’s location.
        ┌─────────────────┐
        │    Headscale    │  (Coordination server only)
        │ Control Server  │  (Does NOT route traffic)
        └─────────────────┘
                 │
                 │ (coordinates)
                 │
            ┌────┴────┐
            │         │
            ▼         ▼
     ┌─────────┐   ┌─────────────┐
     │ Laptop  │   │     VPS     │
     │         │   │ (Exit Node) │
     └─────────┘   └──────┬──────┘
          │               │
          │               ▼
          └──► routes ──► Internet
               traffic    (appears from VPS IP)
Key concepts:
- Headscale server: Coordinates the network, doesn’t route traffic
- Exit node: Any device in your network configured to route traffic
- Client device: Any device using the exit node for internet access
Exit nodes can run on:
- Your VPS (common setup for stable IP)
- Home server (useful for accessing local network)
- Any other machine in your Tailscale network
Prerequisites
- Headscale setup completed (see Headscale Setup)
- Tailscale client installed on exit node machine (see Tailscale Client)
- A machine that you want to configure as an exit node
Enable IP Forwarding
The machine must forward packets between its network interface and the Tailscale interface:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
This tells the kernel to route traffic between interfaces instead of dropping it.
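A preflight check for this step, as an added example that is not part of the original page: it compares the live kernel value of each forwarding key with the value persisted in /etc/sysctl.conf, so a setting that was written but never applied, or applied but never written, is caught before the node is advertised. The function names and the PROC_ROOT and SYSCTL_CONF overrides are hypothetical, and only /etc/sysctl.conf is read (not /etc/sysctl.d), matching the commands above.

```sh
#!/bin/sh
# Added example: compare live forwarding state with what sysctl.conf persists.
# PROC_ROOT / SYSCTL_CONF are overridable (hypothetical names) for testing.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Effective persisted value of a key: the file is applied top to bottom, so
# the last assignment wins. Prints nothing if the key is never set.
persisted_value() {
    [ -r "$SYSCTL_CONF" ] || return 0
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { last = v }
        END { if (last != "") print last }' "$SYSCTL_CONF"
}

# Live value of a key, read from its file under /proc/sys.
runtime_value() {
    path="$PROC_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# One status word per key: ok | runtime-only | persisted-only | off
check_key() {
    live=$(runtime_value "$1")
    saved=$(persisted_value "$1")
    if [ "$live" = 1 ] && [ "$saved" = 1 ]; then echo ok
    elif [ "$live" = 1 ]; then echo runtime-only      # lost at next reboot
    elif [ "$saved" = 1 ]; then echo persisted-only   # sysctl -p not applied
    else echo off
    fi
}

# Returns 0 only when both keys set above are on now and will be after reboot.
exit_node_forwarding_ready() {
    rc=0
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        state=$(check_key "$key")
        echo "$key: $state"
        [ "$state" = ok ] || rc=1
    done
    return "$rc"
}
```

Source the file and call exit_node_forwarding_ready on the exit node. Because the commands above append with tee -a, running them more than once leaves duplicate lines, which the last-assignment-wins rule handles.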
Configure Firewall
Allow traffic on the Tailscale interface.
If using UFW (see UFW Setup):
sudo ufw allow in on tailscale0
sudo ufw route allow in on tailscale0
The first rule allows incoming connections on the Tailscale interface. The second allows routing/forwarding traffic through it.
Connect to Headscale as Exit Node
Generate a pre-authentication key on your Headscale server:
headscale preauthkeys create --user <username> --expiration 1h
On the exit node machine, connect to Headscale with the --advertise-exit-node flag:
sudo tailscale up --login-server https://<headscale-domain> --advertise-exit-node --authkey <key>
This registers the machine with Headscale and advertises it as an exit node.
Verify the node is connected:
headscale nodes list
You should see your exit node listed with its Tailscale IP address.
Use the Exit Node from Client Devices
On any other device in your Headscale network, route traffic through the exit node:
tailscale up --exit-node=<exit-node-tailscale-ip>
Find the exit node’s Tailscale IP with headscale nodes list on the Headscale server.
All internet traffic from that device now goes through the exit node.
Verify Exit Node is Working
Check your public IP from the client device:
curl ifconfig.me
This should show the exit node’s public IP address, not the client’s original IP.
Stop Using Exit Node
To stop routing through the exit node:
tailscale up --exit-node=
The device will resume using its own internet connection.
Notes
- Headscale vs Exit Node: Headscale coordinates the network but doesn’t route traffic. Exit nodes do the actual traffic routing.
- Multiple exit nodes: You can have multiple exit nodes in your network. Choose which one to use on a per-device basis.
- Performance: Traffic goes directly from client → exit node → internet (not through Headscale server).
- Location flexibility: Exit nodes can be anywhere - your VPS for a stable IP, home server for LAN access, etc.