How can I exit node to a hotspot on Android?

Hi folks,
So I just recently learned about tail scale, we are a small not for profit company that support a larger nonprofit org that uses android handhelds used by survey takers across the country.

We have been looking at elegant solutions and I truly believe that tail scale could be our holy grail, but all tests have been unsuccessful.

Here is what we are trying to do. The test android devices can only connect to a wifi that can see services that are only visible to the org. The ip from the wifi should be one from the organization.

So currently since we are in another office we are trying to do the following:

  1. Install tailscale server on a local server, and enable exit node.
  2. Use an android device to connect to a WIFI and then connect to the tailscale server, and enable exit node. All is perfect.
  3. We try the IP and all is perfect we can see the same IP that is on the tailscale server.
  4. When we hotspot from that same device so that the org phones can connect, the IPs that the phones get are the IPs from the cellphone provider(Tmobile in our case). Thus the org production phones are inoperable.

We are testing geolocation services and have to be mobile and can’t be carrying around servers and are looking to basically bring two devices - one android to connect to the tailscale server, and then use that same device to broadcast that internet to a hotstop to another production org device. Sadly when we start the hotspot, the internet provided is that of the mobile tower. Test failed.
I have tried a number of things and configurations but nothing worked. Why isn’t there such an easy option to be included in tailscale is beyond me, this would be a very requested feature no? Why did they not think of a function like that?

Or perhaps I missed that? Anyone have any insights on how we can do that? If we can do that, we are definitely buying a larger plan with them. It just works, except that scenario.

In the Android app you need to select Use exit node and then select the host with your exit node.
Mind you though, this menu entry only appears when there actually is an exit node in the tailnet.
Just mentioning that in case you didn’t see that entry before setting up your exit node and thought that the Android app would automatically use an exit node.^^

Here are more details how to use it (the link should automatically switch to the Android tab):

Thanks bluefish that works but it does not route the ip when i start the hotspot on that device. This is what I am trying to do:

Server(Has tailscale server) → Phone 1(Has tailscale client) → Phone 2 (Cannot install any third party app but would need access to the Server)
Phone 1 has a hotspot on, that Phone 2 connects to. That part works. Phone 1 connects to the Server via Tmobile network and when checking the IP locally it shows the server IP, and Phone 1 can access all Server resources.
Maybe I should have mentioned that Phone 2 is locked, and only has three client applications installed on it. We cannot install any applications on it. Thus what we try to do here…

However Phone 2, shows connected to Tmobile network, and has a Tmobile ip and has no connection to any of the services. Its as if the tailscale client on Phone 1 ONLY works when working on that device but when trying to share that connection via hotspot to other devices, all that tailscale does is ignored…
So nothing installed on the phone works. So this is what I am trying to solve.

Oh, I totally misunderstood you then, my bad!
I thought you somehow started a hotspot from the server (there are WiFi sticks, so I didn’t think anything was off) and tried to connect a phone to it that also had tailscale installed.

But I see now that you meant connecting from a non-tailscale phone via hotspot to another phone that is actively using a tailscale exit-node.

Hmm, with this particular scenario I unfortunately can’t say for sure if it could work or how.
The way it works is that Android on phone 1 is connected to your tailnet via VPN.
Phone 2 is using the Wifi of phone 1, sure. But it isn’t using the VPN that phone 1 uses, so it’s requests go directly into the internet.

You could theoratically set up a VPN server on your premises that you could then add via phone 2’s native settings menu (or is even that locked?), but that kind of defeats the purpose of using tailscale, or course. :sweat_smile:

But I’m not as familiar with hotspots between phones, maybe it’s somehow possible to force phone 2 to use phone 1’s VPN. That’s outside of my scope of knowledge though. ¯_(ツ)_/¯

that’s the thing. Phone 2 is locked and no settings can be changed. We can only mess around with settings on Phone 1.
I saw that the phone has to be rooted which is not a problem, I just wish that tailscale had that functionality, as this is a real world application that could be very useful…

Oh well, I thought tailscale was our saving grace but I guess not, the search continues…