A practical deep dive into Tailscale exit nodes: route changes, traceroute evidence, DERP fallback, trust boundaries, and why this model can be free.
I set up Tailscale years ago but only used it for “reach my own devices” use cases. This week I finally set up a proper home exit node: a tiny dedicated LXC on my Proxmox box (1 vCPU, 512 MB RAM, basically just Tailscale).
To verify it worked, I pinged my home servers and they worked. But I wanted to understand this deeper, so I turned to traceroute.
```text
traceroute github.com
traceroute to github.com (<destination-ip-redacted>), 64 hops max, 40 byte packets
 1  tailscale-gw (100.x.y.z)  ~7 ms
 2  192.168.x.1  ~7 ms
 3  10.x.x.1  ~9-177 ms
 4  * * *
 5  * * *
 6  * * *
 7  home-isp-edge.example (<home-public-ip>)  ~11-14 ms
```
The 7th hop is where the cogs in my brain began turning. That’s my home ISP. So this is like a VPN, right? Or is it different?
What is an exit node for?
Without an exit node, Tailscale sends traffic to my Tailscale devices, but normal web traffic goes out through my local network or ISP (exit nodes docs).
With an exit node enabled, my device changes its default internet path to a chosen device, which then sends traffic to the internet for me.
For internet traffic, an exit node behaves like a traditional VPN gateway, with a caveat: Tailscale isn’t always a VPN tunnel for all traffic, but the exit-node mode is.
Without an exit node, we only get reachability to the services we have exposed on Tailscale. With an exit node, our device is effectively in full-tunnel VPN mode for all internet traffic.
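As an added verification check (my own example, not part of the original post or Tailscale's tooling): a small Python script that reads traceroute output the way I read it above, treating a first hop in Tailscale's 100.64.0.0/10 CGNAT range plus a later appearance of the home public IP as evidence that the trace left via the exit node. The two sample traces and their IPs are constructed placeholders.

```python
import ipaddress
# Tailscale hands out node addresses from the CGNAT range 100.64.0.0/10,
# so a first hop in that range means the packet entered the tailnet first.
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
# Constructed sample traces (documentation-range IPs, not real hosts).
EXIT_NODE_TRACE = """\
traceroute to github.com (198.51.100.10), 64 hops max, 40 byte packets
 1  tailscale-gw (100.100.1.2)  7.1 ms
 2  192.168.1.1 (192.168.1.1)  7.4 ms
 3  10.0.0.1 (10.0.0.1)  9.2 ms
 4  * * *
 5  * * *
 6  * * *
 7  home-isp-edge.example (203.0.113.7)  11.3 ms
"""
DIRECT_TRACE = """\
traceroute to github.com (198.51.100.10), 64 hops max, 40 byte packets
 1  _gateway (192.168.1.1)  0.8 ms
 2  isp-edge.example (203.0.113.7)  4.0 ms
"""

def parse_hops(text):
    """Return [(hop_number, address_or_None)]; '* * *' rows give None."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # skip the 'traceroute to ...' header line
        addr = None
        for tok in parts[1:]:
            try:
                addr = ipaddress.ip_address(tok.strip("()"))
                break
            except ValueError:
                continue  # hostname, RTT value, 'ms' or '*'
        hops.append((int(parts[0]), addr))
    return hops

def classify_egress(text, home_public_ip):
    """'exit-node' when the first replying hop is a tailnet address and the
    trace later surfaces at the home public IP. Proves this one path only."""
    replied = [a for _, a in parse_hops(text) if a is not None]
    if not replied:
        return "no-replies"
    via_tailnet = replied[0] in TAILNET_V4
    exits_at_home = ipaddress.ip_address(home_public_ip) in replied
    if via_tailnet and exits_at_home:
        return "exit-node"
    return "tailnet-first-hop-only" if via_tailnet else "local-isp"
```

A trace that only shows a tailnet first hop tells you the route to that one destination went into the tailnet, not that every default-route packet did; check a second destination before trusting the exit node for all traffic.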