Exclude Routes

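To exclude routes from the exit node, add a throw route to Tailscale's routing table (table 52) with the following command. A throw route ends the lookup in that table as if no route had matched, so the kernel moves on to the next routing rule instead of sending the traffic to the exit node.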

ip route add throw 10.42.0.0/16 table 52

This can be added as an ExecStartPost override in a systemd unit file. ip route add fails if the route already exists, so prefix the command with - to make systemd ignore the error.

[Unit]
After=network-online.target tailscaled.service
BindsTo=tailscaled.service

[Service]
ExecStartPost=-ip route add throw 10.42.0.0/16 table 52

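Alternatively, add a policy routing rule that sends the destination to the main table and is evaluated before Tailscale's own lookup (a lower pref number is evaluated first). Tailscale uses 5270 for its fallback lookup, after its rules for marked packets, so pick a number between 5250 and 5270.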

ip rule add to 10.42.0.0/16 pref 5251 lookup main
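
An idempotent way to install this rule, as an added example that is not part of the original page: it picks the lowest unused preference between 5250 and 5270 and skips the add when a matching rule already exists. The function names and the sample ip rule show listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): install the bypass rule once.
# The two parsing functions read `ip rule show` text on stdin.

# Constructed sample of `ip rule show` on a host running Tailscale.
SAMPLE_RULES='0: from all lookup local
5210: from all fwmark 0x80000/0xff0000 lookup main
5230: from all fwmark 0x80000/0xff0000 lookup default
5250: from all fwmark 0x80000/0xff0000 unreachable
5270: from all lookup 52
32766: from all lookup main
32767: from all lookup default'

# rule_pref CIDR: print the preference of an existing "to CIDR lookup main"
# rule placed between 5250 and 5270; print nothing if there is none.
rule_pref() {
    awk -v cidr="$1" '
        { p = $1; sub(/:$/, "", p) }
        p+0 > 5250 && p+0 < 5270 && index($0, " to " cidr " lookup main") { print p; exit }'
}

# free_pref: print the lowest unused preference in 5251..5269, or fail.
free_pref() {
    awk '
        { p = $1; sub(/:$/, "", p); used[p+0] = 1 }
        END { for (n = 5251; n < 5270; n++) if (!(n in used)) { print n; exit }
              exit 1 }'
}

# ensure_rule CIDR: add the rule only when it is missing (needs root).
ensure_rule() {
    rules=$(ip rule show) || return 1
    pref=$(printf '%s\n' "$rules" | rule_pref "$1")
    if [ -n "$pref" ]; then
        echo "rule for $1 already present at pref $pref"
        return 0
    fi
    pref=$(printf '%s\n' "$rules" | free_pref) || { echo "no free pref" >&2; return 1; }
    ip rule add to "$1" pref "$pref" lookup main
}

# Only touch the system when asked to: sh exclude.sh apply 10.42.0.0/16
if [ "${1:-}" = apply ]; then ensure_rule "${2:?CIDR required}"; fi
```

Running it with apply from ExecStartPost needs no - prefix, because a rule that is already present is reported as success.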

Reverse-Path Forwarding

To use an exit node on Linux, use loose RPF on the interface used to connect to other Tailscale nodes, especially the exit node. Otherwise, packets that arrive over an asymmetric path will be filtered.

net.ipv4.conf.<public interface>.rp_filter = 2

References