I Traced My Traffic Through a Home Tailscale Exit Node
6 hours ago
- #exit-node
- #tailscale
- #vpn
- Tailscale exit nodes turn an ordinary peer into a full-tunnel VPN egress: the client sends all internet-bound traffic through its WireGuard tunnel to the chosen node, which forwards it onto the internet from its own public IP, so destinations (and the local network or ISP in between) see the node's address rather than the client's.
- Tailscale operates as a mesh network with a control plane on top of WireGuard, facilitating peer discovery, NAT traversal, and encrypted connections, reducing the need for manual port forwarding or dynamic DNS.
- Compared to commercial VPNs or self-hosted OpenVPN, Tailscale exit nodes offer control without infrastructure costs (using your own ISP bandwidth) and simplify setup by handling authentication, certificates, and NAT traversal automatically.
- Traffic normally flows peer-to-peer directly between client and exit node; when NAT traversal fails on a restrictive network, packets fall back to a Tailscale-operated DERP relay, which only ever sees WireGuard ciphertext. Because the relay carries little traffic in practice, Tailscale's bandwidth costs stay low enough to support a free tier.
- On the node, IP forwarding must be enabled in the kernel (tailscaled does not turn it on for you) and forwarded traffic is masqueraded so replies return to the node. On the client, a policy-routing rule sends ordinary traffic to a dedicated routing table whose default route points at the Tailscale interface, while tailscaled's own WireGuard packets carry a firewall mark that exempts them from that table; the mark is what keeps the tunnel from trying to route itself through itself.
- Trust shifts from the local network to whoever runs the exit node: that operator sees destination IPs and ports, TLS SNI, and any plaintext protocols, and the node's public IP is what gets attributed to your browsing. TLS-protected content stays opaque to it, but the node should still be a machine you control, kept minimal and patched, with tailnet ACLs limiting which devices may use it as an exit.
- DNS is configured independently of the exit node: split DNS in the tailnet's DNS settings sends queries for internal domains to a home resolver such as AdGuard (ad-blocking and local service names), even while internet traffic exits elsewhere. Confirm it with a query for an internal name and a matching entry in the home resolver's query log, since a client that silently falls back to its system resolver will still appear to work.
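The node-side forwarding/NAT setup and the client-side policy-routing check described above, as an added example that is not code from the original post or from Tailscale. It assumes a Linux node and client with the tailscale CLI, sysctl, iptables or nft, and sudo; the NAT chain name prefix ts- and the client routing details (fwmark 0x80000, table 52, interface tailscale0) are what I expect from a current Linux tailscaled and should be confirmed on your own machines. The three helpers that read text from stdin are pure so the checks can be exercised offline on constructed output.

```shell
#!/bin/sh
# Set up / verify a Linux Tailscale exit node and verify a Linux client routes
# through it. Added example; assumptions are flagged in the comments below.
set -eu

SYSCTL_FILE=/etc/sysctl.d/99-tailscale.conf

# --- pure helpers: take command output on stdin so they can be checked offline ---

# Both forwarding knobs must be 1. Accepts "key = 1" or "key=1".
forwarding_enabled() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -Eq '^net\.ipv4\.ip_forward *= *1' &&
    printf '%s\n' "$conf" | grep -Eq '^net\.ipv6\.conf\.all\.forwarding *= *1'
}

# Client policy rules (from `ip rule show`): unmarked traffic goes to table 52,
# packets carrying tailscaled's mark (the WireGuard tunnel itself) go to main.
# That exemption is the loop avoidance. fwmark 0x80000 / table 52 are assumed.
policy_rules_ok() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -Eq '^[0-9]+:[[:space:]]+not from all fwmark 0x80000(/0x[0-9a-f]+)? lookup 52' &&
    printf '%s\n' "$rules" | grep -Eq '^[0-9]+:[[:space:]]+from all fwmark 0x80000(/0x[0-9a-f]+)? lookup main'
}

# Table 52 (from `ip route show table 52`) only carries a default route over
# tailscale0 while an exit node is selected.
exit_route_ok() {
    grep -Eq '^default dev tailscale0'
}

# --- exit node side ---

setup_node() {
    # Forwarding is a kernel knob; tailscaled will not enable it for you.
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' |
        sudo tee "$SYSCTL_FILE" >/dev/null
    sudo sysctl -p "$SYSCTL_FILE"
    # Advertise this machine. It must still be approved in the admin console.
    # If tailscale is already up with other flags, re-specify them here
    # (or use `tailscale set --advertise-exit-node` on newer releases).
    sudo tailscale up --advertise-exit-node
}

verify_node() {
    cat "$SYSCTL_FILE" | forwarding_enabled || { echo "forwarding not persisted in $SYSCTL_FILE"; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "ipv4 forwarding is off"; return 1; }
    [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding)" = 1 ] ||
        echo "warning: ipv6 forwarding off; v6 clients will not egress"
    # tailscaled installs its own masquerade rules (chain prefix ts- assumed);
    # show them so you can see what happens to packets before they hit the WAN.
    sudo iptables -t nat -S 2>/dev/null | grep -i 'ts-' ||
        sudo nft list ruleset 2>/dev/null | grep -i 'ts-' ||
        echo "no ts- NAT rules found: is the exit node approved and tailscaled running?"
    tailscale status
}

# --- client side ---

use_exit_node() {
    # Keep LAN access so local devices still work; drop the flag if you want
    # RFC1918 traffic to go through the exit node too.
    sudo tailscale up --exit-node="$1" --exit-node-allow-lan-access
}

verify_client() {
    ip rule show | policy_rules_ok || { echo "tailscale policy rules missing"; return 1; }
    ip route show table 52 | exit_route_ok || { echo "no default route in table 52: no exit node active"; return 1; }
    # The public address should now be the exit node's ISP address.
    # (ifconfig.me is an assumption; any what-is-my-IP endpoint will do.)
    echo "public IPv4 via exit node: $(curl -4 -s https://ifconfig.me)"
}

main() {
    case "${1:-}" in
        node)          setup_node ;;
        verify-node)   verify_node ;;
        client)        use_exit_node "${2:?exit node name or 100.x address}" ;;
        verify-client) verify_client ;;
        *) echo "usage: $0 node | verify-node | client <exit-node> | verify-client" >&2 ;;
    esac
}

main "$@"
```

Run `node` then `verify-node` on the exit node, and `client <name>` then `verify-client` on the client; `verify-client` fails loudly if the policy rules or the table-52 default route are absent, which is the usual symptom of an exit node that was selected but never approved.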