In today’s interconnected world, secure remote access to networks and the ability to route traffic through specific geographic locations have become essential for businesses and developers alike. Tailscale provides an elegant solution by creating a secure mesh VPN that simplifies network connectivity across devices and locations.
Setting up a Tailscale exit node allows you to route your internet traffic through a specific server, providing benefits like accessing geo-restricted content, enhanced privacy, and consistent IP addresses. Meanwhile, a subnet router enables you to access resources on a remote network through your Tailscale connection. This tutorial will guide you through configuring both features on an Ubuntu 24.04 LTS VPS.
Prerequisites
Before we begin, ensure you have the following:
- An Ubuntu 24.04 LTS VPS with at least 1GB RAM and 1 CPU core
- Root or sudo access to the server
- A Tailscale account (free tier available)
- Basic familiarity with Linux command line
- SSH access to your VPS
For this tutorial, we’ll assume you’re using a fresh Ubuntu 24.04 LTS installation. The commands provided work for both root and non-root users with sudo privileges.
Step-by-Step Tutorial
Step 1: Update System Packages
First, ensure your system is up to date:
sudo apt update && sudo apt upgrade -y
Step 2: Install Tailscale
Install Tailscale using the official installation script:
curl -fsSL https://tailscale.com/install.sh | sh
This script automatically detects your distribution and installs the appropriate Tailscale package. For Ubuntu 24.04, it will install the latest stable version from Tailscale’s APT repository.
Step 3: Authenticate Tailscale
Start Tailscale and authenticate your device:
sudo tailscale up
This command will generate an authentication URL. Copy and paste it into your browser to authenticate with your Tailscale account. Once authenticated, your VPS will appear in your Tailscale admin console.
Step 4: Enable IP Forwarding
For both exit node and subnet routing functionality, enable IP forwarding:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Verify the settings are applied:
sudo sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding
Step 5: Configure Exit Node
Enable your VPS as an exit node by running:
sudo tailscale up --advertise-exit-node
This command configures your VPS to advertise itself as an exit node to other devices in your tailnet (Tailscale network).
Step 6: Configure Subnet Router (Optional)
If you want to route traffic to specific subnets through your VPS, configure subnet routing. First, identify the subnets you want to advertise:
ip route | grep -E "(eth0|ens|enp)"
ip -6 route | grep -E "(eth0|ens|enp)"
Then advertise the subnets (replace with your actual subnet ranges):
sudo tailscale up --advertise-exit-node --advertise-routes=192.168.1.0/24,10.0.0.0/24
Step 7: Approve Routes in Admin Console
Navigate to your Tailscale Admin Console and:
- Locate your VPS in the machines list
- Click the three dots menu next to your VPS
- Select “Edit route settings”
- Approve the exit node and/or subnet routes
- Optionally, disable key expiry for unattended operation
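Every route approved in Step 7 becomes reachable from the tailnet, so it is worth checking the list given to --advertise-routes in Step 6 before it is advertised or approved. The following is an added example, not part of the original tutorial: the function names are hypothetical, it covers IPv4 only, and the "RFC 1918 private ranges only" policy is an assumption to adapt to your network.

```sh
#!/bin/sh
# Added example (not from the tutorial): lint an IPv4 --advertise-routes value.
# The "RFC 1918 only" policy is an assumption; adjust it to your environment.

# Print a dotted-quad address as a 32-bit integer; fail if it is malformed.
ip_to_int() {
  case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
  ifs_saved=$IFS; IFS=.; set -- $1; IFS=$ifs_saved
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
    [ "$octet" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if network $1/$2 lies wholly inside the block with base $3 and length $4.
in_block() {
  [ "$2" -ge "$4" ] && [ $(( $1 >> (32 - $4) )) -eq $(( $3 >> (32 - $4) )) ]
}

# Check one CIDR; print a finding and return 1 if it needs review.
lint_route() {
  case $1 in
    *:*) echo "$1: IPv6 route, not checked here"; return 1 ;;
    */*) ;;
    *) echo "$1: not CIDR notation"; return 1 ;;
  esac
  addr=${1%/*}; len=${1#*/}
  case $len in ''|*[!0-9]*|0?*|???*) echo "$1: bad prefix length"; return 1 ;; esac
  [ "$len" -le 32 ] || { echo "$1: bad prefix length"; return 1; }
  n=$(ip_to_int "$addr") || { echo "$1: bad IPv4 address"; return 1; }
  [ "$len" -gt 0 ] || { echo "$1: default route, not a subnet"; return 1; }
  mask=$(( (4294967295 << (32 - $len)) & 4294967295 ))
  [ $(( $n & $mask )) -eq "$n" ] || { echo "$1: host bits set"; return 1; }
  in_block "$n" "$len" 167772160 8 && return 0     # 10.0.0.0/8
  in_block "$n" "$len" 2886729728 12 && return 0   # 172.16.0.0/12
  in_block "$n" "$len" 3232235520 16 && return 0   # 192.168.0.0/16
  echo "$1: outside RFC 1918 private space"; return 1
}

# Check a comma-separated list exactly as passed to --advertise-routes.
lint_routes() {
  rc=0; ifs_outer=$IFS; IFS=,; set -f; set -- $1; set +f; IFS=$ifs_outer
  for route in "$@"; do lint_route "$route" || rc=1; done
  return $rc
}

lint_routes "192.168.1.0/24,10.0.0.0/24" && echo "routes OK"
```

A non-zero return means at least one entry needs review before approval, for example a prefix wider than the private block it sits in or an address with host bits set.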
Step 8: Configure Firewall
If using UFW (Ubuntu’s default firewall), configure it to allow Tailscale traffic:
sudo ufw allow in on tailscale0
sudo ufw allow 41641/udp
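For iptables users, ensure forwarding rules are properly configured. Rules added with -A are appended after any existing rules in the FORWARD chain, so an earlier DROP or REJECT rule still takes precedence, and they are not saved across reboots: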
sudo iptables -A FORWARD -i tailscale0 -j ACCEPT
sudo iptables -A FORWARD -o tailscale0 -j ACCEPT
Step 9: Test Configuration
From another device in your tailnet, test the exit node functionality:
# Check your current IP
curl ifconfig.me
# Enable exit node on client device
tailscale up --exit-node=YOUR_VPS_TAILSCALE_IP
# Verify IP has changed
curl ifconfig.me
For subnet routing, test connectivity to resources within the advertised subnets using their private IP addresses.
Best Practices
Security Considerations
Warning: Running an exit node means other devices can route their traffic through your VPS. Only enable this for trusted users within your organization.
- Regularly update your VPS and Tailscale client
- Use access control lists (ACLs) in Tailscale to restrict which devices can use exit nodes
- Monitor bandwidth usage and set up alerts for unusual traffic patterns
- Keep logs of exit node usage for security auditing
Performance Optimization
- For high-traffic scenarios, consider VPS instances with more CPU cores and bandwidth
- Enable BBR congestion control for improved network performance:
echo 'net.core.default_qdisc=fq' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.tcp_congestion_control=bbr' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Monitoring and Maintenance
- Set up monitoring for Tailscale service status
- Regularly check Tailscale logs:
sudo journalctl -u tailscaled
- Implement automated updates for security patches
- Configure log rotation to prevent disk space issues
Conclusion
You’ve successfully configured a Tailscale exit node and subnet router on Ubuntu 24.04 LTS. This setup provides secure, encrypted access to your remote networks and enables routing internet traffic through your VPS location. The combination of WireGuard-based encryption, easy device management, and flexible routing policies makes Tailscale an excellent choice for modern networking needs.
Whether you’re accessing geo-restricted content, securing connections on public Wi-Fi, or providing remote access to internal resources, this configuration offers the flexibility and security needed for professional deployments. For optimal performance and reliability in production environments, consider using high-performance VPS instances with robust networking capabilities to ensure smooth operation of your Tailscale infrastructure.