Exclude Routes
To keep a prefix off the exit node, add a throw route for it to Tailscale's routing table (table 52 on Linux): a throw route ends the lookup in that table and falls through to the next ip rule, so the prefix is routed by the main table instead of the exit node's default route. The command can run from an ExecStartPost= line in a systemd drop-in override. ip route add fails when the route already exists, so prefix the command with - to make systemd ignore its exit status.
[Unit]
After=network-online.target tailscaled.service
BindsTo=tailscaled.service
[Service]
ExecStartPost=-ip route add throw 10.42.0.0/16 table 52
Alternatively, add an ip rule that sends the prefix to the main table with a preference that sorts before Tailscale's own rule (lower preference numbers are evaluated first). Tailscale's fallback rule, from all lookup 52, sits at preference 5270, after its rules for fwmark-ed packets, so pick a preference between 5250 and 5270.
Reverse-Path Forwarding
To use an exit node on Linux, enable loose reverse-path filtering (rp_filter = 2) on the interface that carries the traffic to other Tailscale nodes, in particular the exit node. Otherwise, with strict RPF (rp_filter = 1), packets that arrive over an asymmetric path are dropped by the reverse-path check. The kernel applies the higher of conf/all/rp_filter and conf/<interface>/rp_filter, so setting the interface alone to 2 is enough even when conf/all is 1; put the setting in /etc/sysctl.d/ to keep it across reboots.
net.ipv4.conf.<public interface>.rp_filter = 2
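The following POSIX sh helper is an added example, not code from the page or from Tailscale. It covers both sections above: it adds the throw route to table 52 only when it is missing (so ExecStartPost= needs no - prefix), implements the ip rule alternative with a preference check against the 5250..5270 window, and reports the effective rp_filter mode of an interface using the kernel's max(all, interface) semantics. The function names, the DRY_RUN and SYSROOT variables and the 10.42.0.0/16 prefix in the comments are this example's own assumptions. Run it as root; set DRY_RUN=1 to only print the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the page or from Tailscale). Assumptions: table 52 is
# Tailscale's Linux routing table; DRY_RUN and SYSROOT are knobs of this script.

TS_TABLE=52                        # Tailscale's routing table on Linux
DRY_RUN="${DRY_RUN:-0}"            # 1: print commands instead of running them
SYSROOT="${SYSROOT:-/proc/sys}"    # overridable so the rp_filter logic can be tested offline

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# A rule preference must sort after Tailscale's 5250 "unreachable" rule for
# marked packets and before its 5270 "from all lookup 52" rule.
valid_pref() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 5250 ] && [ "$1" -lt 5270 ]
}

# Minimal a.b.c.d/len sanity check (does not validate octet ranges).
valid_cidr() {
    case "$1" in
        *[!0-9./]*|'') return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if table 52 already holds "throw <prefix>" (exact word match, not a regex).
has_throw_route() {
    ip -4 route show table "$TS_TABLE" 2>/dev/null |
        awk -v p="$1" '$1 == "throw" && $2 == p { found = 1 } END { exit !found }'
}

# Option 1: throw route in table 52; lookup falls through to the next ip rule,
# so the prefix is routed by the main table instead of the exit node.
exclude_via_throw() {
    valid_cidr "$1" || { echo "bad prefix: $1" >&2; return 2; }
    if has_throw_route "$1"; then
        echo "throw route for $1 already present in table $TS_TABLE"
        return 0
    fi
    run ip route add throw "$1" table "$TS_TABLE"
}

# Option 2: an ip rule that sends the prefix to the main table before
# Tailscale's own "lookup 52" rule at preference 5270 is consulted.
exclude_via_rule() {
    valid_cidr "$1" || { echo "bad prefix: $1" >&2; return 2; }
    valid_pref "$2" || { echo "pref $2 not in 5251..5269" >&2; return 2; }
    if ip -4 rule show 2>/dev/null | grep -q "^$2:"; then
        echo "rule with pref $2 already exists"
        return 0
    fi
    run ip rule add to "$1" lookup main pref "$2"
}

# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter): 0 = off,
# 1 = strict, 2 = loose. So iface=2 is loose even when all=1, while all=1
# with iface=0 is still strict.
rpf_effective() {
    rpf_all=$(cat "$SYSROOT/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    rpf_ifc=$(cat "$SYSROOT/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$rpf_all" -gt "$rpf_ifc" ]; then echo "$rpf_all"; else echo "$rpf_ifc"; fi
}

rpf_is_loose() {
    [ "$(rpf_effective "$1")" -eq 2 ]
}

# Example invocation (uncomment to use):
# exclude_via_throw 10.42.0.0/16
# exclude_via_rule 10.42.0.0/16 5260
# rpf_is_loose eth0 || echo "eth0 is not in loose RPF mode; exit-node replies may be dropped"
```

Because exclude_via_throw checks table 52 first, it can replace the -ip route add line in ExecStartPost= without masking real failures; the rp_filter check is worth running at the same point, since a strict conf/all value silently overrides a 0 on the interface but not a 2.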