Home
Company News
Linux Tutorials
Product News
Tutorials
Windows Tutorials
Using Tailscale/Headscale as a traditional VPN

In this guide, we will teach you how you can use Tailscale or Headscale(self-hosted Tailscale control server) as a traditional VPN.

How that works is instead of connecting through tunnels you can set a tailnet device as an Exit Node which will make it so all your traffic will be routed through that tailnet device.
We will use a dedicated tailnet device on a VPS for this tutorial

If you want more information on what Tailscale/Headscale is you can check our other guides here -
Hosting Headscale In a Container With Docker

Prerequisites

  • If using Headscale you need Docker to be installed if you intend to host the control server on the same VPS as the exit node
  • A VPS
You can take a look at our special VPN server plans starting from €2.49 here

Setup

First, we have to make sure that all the devices are connected to the tailnet which can be done by running this command:

tailscale status

If this returns Logged out. You will need to log in.
To do this run:

### If using headscale
sudo tailscale up --login-server https://headscale.example.com --authkey <key>
### Or if you don't have auth key
sudo tailscale up --login-server https://headscale.example.com

### If using tailscale
sudo tailscale up

After that, we have to enable IP forwarding which is required to use a Linux device as a subnet router. The process for enabling IP forwarding varies between Linux distributions. However, the following instructions work in most cases.

If your Linux system has a /etc/sysctl.d directory, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Otherwise, use:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

After that is done you can proceed with the Exit Node setup

Exit Node setup

Headscale

Node side:

Register the node and make it advertise itself as an exit node:

sudo tailscale up --login-server https://headscale.example.com --advertise-exit-node

If the node is already registered, it can advertise exit capabilities like this:

sudo tailscale set --advertise-exit-node

Allowing the exit node from the control server:

$ # list nodes
$ headscale routes list
ID | Node   | Prefix    | Advertised | Enabled | Primary
1  | server | 0.0.0.0/0 | true       | false   | -
2  | server | ::/0      | true       | false   | -
3  |        | 0.0.0.0/0 | false      | false   | -
4  |        | ::/0      | false      | false   | -

$ # enable routes for server
$ headscale routes enable -r 1
$ headscale routes enable -r 2

$ # Check node list again. The routes are now enabled.
$ headscale routes list
ID | Node   | Prefix    | Advertised | Enabled | Primary
1  | server | 0.0.0.0/0 | true       | true    | -
2  | server | ::/0      | true       | true    | -
3  |        | 0.0.0.0/0 | false      | false   | -
4  |        | ::/0      | false      | false   | -

Client side:

The exit node can now be used on Linux by running:

Run tailscale set with the --exit-node= flag, passing the name of the exit node.

sudo tailscale set --exit-node=server

Alternatively, set --exit-node-allow-lan-access to true to allow direct access to your local network when routing traffic through an exit node.

sudo tailscale set --exit-node=server --exit-node-allow-lan-access=true

To stop using an exit node, run the --exit-node flag without passing in a name.

sudo tailscale up --exit-node=

To use it on Android you have to do the following:

  1. Open the Tailscale app on the Android device and go to the Exit Node section.
  2. Select the exit node that you want to use. If you want to allow direct access to your local network when routing traffic through an exit node, toggle Allow LAN access on.
  3. On the app home screen, confirm that the selected device displays in the Exit Node section. When an exit node is being used for the device, the section will turn blue.

To stop a device from using an exit node, go to the Exit Node section and select None.

To use it on Windows you can run the Linux command through Powershell or do the following:

Select the Tailscale icon and navigate to Use exit node. Then, select the machine name of the exit node to use.

If you want to allow direct access to your local network when routing traffic through an exit node, select Allow local network access.

Tailscale

Node side:

Register the node and make it advertise itself as an exit node:

sudo tailscale up --advertise-exit-node

If the node is already registered, it can advertise exit capabilities like this:

sudo tailscale set --advertise-exit-node

Allowing the exit node from the admin console:

You must be an Admin to allow a device to be an exit node.

If the device is authenticated by a user who can approve exit nodes in autoApprovers, the exit node will automatically be approved.

  1. Open the Machines page of the admin console and locate the exit node.
  2. Locate the Exit Node badge in the machines list or use the property:exit-node filter to list all devices advertised as exit nodes.

From the three-dot menu of the exit node, open the Edit route settings panel, and enable Use as an exit node.

Client side:

The exit node can now be used on Linux by running:

Run tailscale set with the --exit-node= flag, passing the name of the exit node.

sudo tailscale set --exit-node=server

Alternatively, set --exit-node-allow-lan-access to true to allow direct access to your local network when routing traffic through an exit node.

sudo tailscale set --exit-node=server --exit-node-allow-lan-access=true

To stop using an exit node, run the --exit-node flag without passing in an IP address.

sudo tailscale up --exit-node=

To use it on Android you have to do the following:

  1. Open the Tailscale app on the Android device and go to the Exit Node section.
  2. Select the exit node that you want to use. If you want to allow direct access to your local network when routing traffic through an exit node, toggle Allow LAN access on.
  3. On the app home screen, confirm that the selected device displays in the Exit Node section. When an exit node is being used for the device, the section will turn blue.

To stop a device from using an exit node, go to the Exit Node section and select None.

To use it on Windows you can run the Linux command through Powershell or do the following:

Select the Tailscale icon and navigate to Use exit node. Then, select the machine name of the exit node to use.

If you want to allow direct access to your local network when routing traffic through an exit node, select Allow local network access.

Conclusion

And that should be it!
Now you have a fully working Exit Node which you can use as a traditional VPN.

Asen Velchov

5 min read