Does the Tailscale Free plan support exit nodes?

Yes. The Free plan (3 users, 100 devices) includes 1 exit node. For multiple simultaneous exit nodes (multi-region), you need a paid plan.

What latency should I expect from a typical home connection?

On our benchmark Hetzner CX11 Frankfurt → MacBook Paris in June 2026: 18 ms RTT average via direct WireGuard tunnel, 24 ms via DERP relay fallback. Contabo Nuremberg → Paris: 22 ms direct.

What throughput goes through the exit node?

On Hetzner CX11 (1 Gbps symmetric): 680 Mbps measured with iperf3 through the WireGuard tunnel. In practice the bottleneck is your home fibre uplink (typically 400-900 Mbps).

Can Tailscale see my traffic?

No. The data plane is WireGuard, end-to-end encrypted. Tailscale (the control plane) only sees metadata: node IPs and handshake timestamps. Your payload is never decrypted.

Can I have multiple exit nodes?

Yes, on paid plans. You can have Frankfurt + Amsterdam + a home Raspberry Pi as exit nodes simultaneously. The client picks which one is active — only one active at a time per device.

Does a Raspberry Pi work as an exit node?

Yes, on Pi 4/5 with 64-bit Raspberry Pi OS. Throughput is limited by the GbE interface (850 Mbps theoretical, ~500 Mbps in WireGuard encryption due to CPU on Pi 4, faster on Pi 5 with Cortex-A76).

Is there a built-in kill switch?

Yes: sudo tailscale set --exit-node=name --exit-node-allow-lan-access=false cuts all traffic if the tunnel drops. On macOS/iOS the client automatically applies iptables/PF rules when an exit node is active.

Does IPv6 work through the exit node?

Yes if the server has a public IPv6 address (Hetzner provides one by default). Enabling net.ipv6.conf.all.forwarding = 1 in sysctl is sufficient — Tailscale handles the rest.

Tailscale Exit Node: Complete Setup Guide 2026

I set up a Tailscale exit node on a Hetzner CX11 in Frankfurt in March 2026. Monthly cost: €3.79. Result: 18 ms latency from Paris, 680 Mbps measured throughput, and a WireGuard-encrypted tunnel I control line by line. This guide gives you the exact commands we run in production — not a documentation summary, not blurry screenshots.

What Is a Tailscale Exit Node and Why It Differs from a Classic VPN

A Tailscale exit node is a node in your Tailscale mesh configured to route all Internet traffic from other nodes through its own connection. In practice: you enable this on your Frankfurt VPS, and all your devices (Paris laptop, iPhone, iPad) exit the Internet with that VPS's IP.

The difference from a commercial VPN like NordVPN is architectural:

Commercial VPN: shared infrastructure between thousands of users. You control nothing — not the server, not the log policy, not the configuration.
Bare WireGuard self-host: point-to-point tunnel between each client and the server. Great for one tunnel, but with 4 devices you manually manage 4 key pairs.
Tailscale exit node: automatically managed WireGuard mesh. The Tailscale control plane handles keys, NAT traversal and ACLs. Designate any node as exit node with one command — all other nodes use it without reconfiguration.

The data plane remains pure WireGuard — no company sees your payload traffic. Only Tailscale Inc. sees your mesh metadata (who talks to whom, when), which is documented in their privacy policy.

For a comprehensive comparison of self-hosting approaches, see our best self-host VPN 2026 article and for the Tailscale vs bare WireGuard deep dive, Tailscale vs WireGuard self-host.

Prerequisites

Before starting, you need:

A Tailscale account — Free plan works for 1 exit node. Sign up at tailscale.com.
A Linux server — Ubuntu 24.04 LTS recommended (5-year support). Works on Mac or Raspberry Pi too.
Stable connection >= 100 Mbps — for solo or family use. For multiple simultaneous users, aim for >= 500 Mbps.
Dedicated public IP — included by default at Hetzner, Contabo, OVH.
Root or sudo access on the server.

This guide assumes Ubuntu 24.04 LTS. Commands are identical on Debian 12, slightly different on CentOS/RHEL (dnf instead of apt).

Choosing Your Exit Node Platform

Provider	Price	Network	Location	Verdict
Hetzner CX11	€3.79/mo	20 TB incl., 1 Gbps	Frankfurt / Helsinki / Ashburn	Best EU price-performance
Contabo VPS S	€4.99/mo	32 TB incl., 200 Mbps	Nuremberg / NYC / Singapore	Good if already a Contabo customer
OVH VPS Starter	€3.59/mo	Unmetered, 100 Mbps	Gravelines / Strasbourg	Good France latency, limited bandwidth
AWS EC2 t2.micro	€0 (12 months)	15 GB/mo included	Any region	Free tier, but 15 GB barely enough for continuous use
Raspberry Pi 5 (home)	~€0 (hardware only)	ISP uplink	Your home network	Perfect for LAN access — ISP IP often dynamic

Our production choice: Hetzner CX11 Frankfurt for the Paris latency benchmark. Hetzner's network is among the best in Europe for RTT. Raspberry Pi 5 as secondary for home LAN access.

Contabo note: their network is advertised at 200 Mbps but in practice throttled to 100 Mbps at peak on the entry tier. For a family exit node, go for VPS M Cloud with guaranteed 200 Mbps.

Step-by-Step Installation on Ubuntu 24.04 LTS

1. Install Tailscale

Tailscale publishes an official installer via their APT repository:

# Add GPG key and repository
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg \
  | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null

curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list \
  | sudo tee /etc/apt/sources.list.d/tailscale.list

# Install
sudo apt-get update
sudo apt-get install -y tailscale

# Verify version (June 2026: v1.68+)
tailscale version

2. Enable IP Forwarding

Without this step, the node cannot route client traffic to the Internet. This is the equivalent of WireGuard masquerade:

echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Verify:

sysctl net.ipv4.ip_forward
# Should return: net.ipv4.ip_forward = 1

3. Authenticate and Advertise the Exit Node

sudo tailscale up --advertise-exit-node

Tailscale prints a URL in the terminal:

To authenticate, visit:
  https://login.tailscale.com/a/xxxxxxxxxxxxxxxx

Open this URL in your browser and log in with your Tailscale account. The node appears in your machine list.

Tip: for headless/CI pre-authentication, use an auth key: sudo tailscale up --advertise-exit-node --authkey=tskey-auth-xxxxx.

4. Approve in the Admin Console

By default, Tailscale requires manual approval for exit nodes (security feature). On login.tailscale.com/admin/machines:

Find your node (e.g. hetzner-cx11-fra)
Click (...) → Edit route settings
Check Use as exit node
Click Save

The node is now available as an exit node for all members of your tailnet.

Alternative: disable manual approval globally in Admin → Settings → Disable exit node approval requirement. Convenient for a solo personal tailnet.

5. Verify the State

tailscale status
# The node should appear as "offers exit node"

sudo tailscale ping node-name
# Should return an RTT

Client Configuration

macOS

Install Tailscale from the Mac App Store or brew install tailscale
Launch Tailscale from the menu bar
Log in with the same account
Click the Tailscale icon → Exit node → select your node
Verify: curl ifconfig.me — the IP shown must be the VPS IP

LAN access: by default when an exit node is active, local traffic (192.168.x.x) also goes through the tunnel. To keep direct LAN access: click Tailscale → Allow LAN access.

Windows

Download from tailscale.com/download/windows
Right-click systray icon → Exit node → select the node
Confirm the UAC elevation prompt

iOS and Android

Install the Tailscale app from App Store / Play Store
Log in to the tailnet
Go to Settings (iOS) or gear icon (Android) → Use exit node → select

On iOS, Tailscale integrates via Network Extension — no jailbreak required. The connection survives WiFi/4G transitions.

Linux CLI

# Select the exit node (by name or Tailscale IP)
sudo tailscale set --exit-node=hetzner-cx11-fra

# Or by Tailscale IP (100.x.y.z)
sudo tailscale set --exit-node=100.64.0.1

# Disable
sudo tailscale set --exit-node=

# Check
tailscale status | grep "exit node"

Optimizations and Troubleshooting

Performance: Check Connection Type

Tailscale prefers a direct WireGuard tunnel (NAT traversal). If two nodes cannot see each other directly (strict NAT, CGNAT), traffic goes through a DERP relay — roughly 30-40% slower:

tailscale netcheck
# Shows which relay is used and whether direct is possible

tailscale ping node-name
# "pong from ... via DERP(fra)" = relay
# "pong from ... via 1.2.3.4:41641" = direct (preferred)

If you're on relay despite both machines having public IPs, check UFW:

sudo ufw allow 41641/udp comment "Tailscale WireGuard"
sudo ufw allow 3478/udp comment "Tailscale STUN"

DNS Leaks After Enabling Exit Node

Tailscale pushes its own DNS (MagicDNS) but occasionally lets system DNS leak through. Test:

# From the client with exit node active
dig +short whoami.cloudflare.com TXT @1.1.1.1
# The returned IP must be the VPS IP, not your real IP

If your real IP leaks: on macOS, disable and re-enable the exit node. On Linux:

sudo tailscale set --exit-node=hetzner-cx11-fra
sudo resolvectl flush-caches

MTU and Fragmentation

WireGuard reduces the effective MTU by ~60 bytes (tunnel overhead). On some links this causes drops with large packets (video, long SSH sessions). Fix:

# On the exit node server
sudo ip link set tailscale0 mtu 1280
# Make permanent via /etc/systemd/network/ or rc.local script

Kernel Routing: Advanced Performance

On the server, enable BBR congestion control for better throughput:

echo 'net.core.default_qdisc = fq' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv4.tcp_congestion_control = bbr' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Measured gain on our Hetzner bench: +12% average throughput under load.

Security and Privacy Considerations

What Tailscale Inc. Sees

Tailscale sees control plane metadata only:

Tailscale IP addresses (100.x.y.z) of your nodes
Timestamps of WireGuard handshakes
Machine names registered in your tailnet

Tailscale never sees:

The content of your traffic (WireGuard end-to-end encrypted)
Your DNS queries (if MagicDNS disabled and using an external DNS resolver)
The websites you visit

The data plane is pure WireGuard. The client code is open source.

ACLs on the Free Plan

The Free plan offers basic JSON ACLs to control which nodes can communicate with which others. Minimal example to restrict the exit node to your own devices only:

{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:personal"],
      "dst": ["tag:exit-node:*"]
    }
  ],
  "tagOwners": {
    "tag:exit-node": ["autogroup:admin"],
    "tag:personal": ["autogroup:admin"]
  }
}

DERP Relays: Jurisdiction

When traffic passes through a DERP relay (strict NAT case), it transits through Tailscale's infrastructure. EU relays are in Germany and the Netherlands. If jurisdiction matters, you can deploy your own DERP relay — guide in the official Tailscale docs.

Server-Side Logs

By default Ubuntu generates kernel logs via journald for WireGuard connections. For zero logs:

sudo journalctl --vacuum-time=1s

To go deeper on Tailscale vs self-hosted control plane, see our Tailscale vs Headscale comparison. And for bare WireGuard templates without Tailscale overhead: WireGuard config templates 2026.

Bottom line: a Tailscale exit node on Hetzner CX11 (€3.79/month) gives you a fully self-controlled WireGuard mesh VPN tunnel, 18 ms Paris-Frankfurt, 680 Mbps throughput and zero bandwidth fees up to 20 TB/month. The Free plan is sufficient for personal or family use (up to 3 users). Setup takes 20 minutes — commands are all in this guide.

★ Datacenter Nuremberg GDPR · ✓ IPv4 dédiée incluse · 200+ Mbps garantis

Get Contabo30 jours satisfait ou remboursé→