First of all, congrats for making Tailscale so easy to use. Setting it up has been painless, the issue I’m having is quite minor and I imagine it’s a corner case.
I’m having some trouble setting up Tailscale on a few of my devices. Here’s what I have and what I’m trying to achieve.
I have Tailscale installed on my Macbook and on my iPhone → no problems here
I installed Tailscale on a remove VM and started it as an exit node. → all ok
If I configure Tailscale on my Macbook or iPhone to use the VM as an exit node, all is ok. I can see the VMs IP as my external IP. I had to define 1.1.1.1 as DNS server, though.
My domain name is associated with the VM, which is also serving a website with nginx. Here is where I’m having problems. I’m not able to access the domain from either the Macbook nor the iPhone when they are configured to use the VM as exit node. I can’t ping the machine neither through its domain name nor its IP. The site is accessible from devices outside the Tailscale VPN.
This is running into a design decision around exit nodes: Tailscale clients are supposed to behave as though they teleport to the location of the exit node and use its Internet connection. This means they don’t get access to the LAN of the exit node, and they don’t get access to the local IP addresses on the exit node. They can only reach the Internet.
This should be fixable by advertising a route on the exit node. For example if its WAN IP address is 1.2.3.4, it would be: tailscale up --exit-node --advertise-routes=1.2.3.4/32
You’ll need to approve those routes in https://login.tailscale.com/
For any Linux clients, make sure to use tailscale up --accept-routes
MacOS / Windows / iOS / etc clients accept routes by default.