Limiting the routing

Hi - I have gotten so far with this, just need a little extra help.
I have a secure system I can only access via work, and need to also access at home (I own the company, it's fine). So I have Tailscale set up and running as an exit node on Windows in the company, and at home I run Ubuntu Linux, and Tailscale 1.22.2.

I want to be able to go to example-dot-com (ip: 93.184.216.34) on my browser at home, and only that traffic be routed via tailscale to work. I don’t want all my other internet browsing to be routed to work.

So currently I have (at home):
sudo tailscale up --advertise-routes "93.184.216.0/24" --advertise-exit-node --exit-node=100.100.100.9 --accept-routes

This works - I can now see example-dot-com at home and it works smoothly (and fast). Yeah. BUT all my browser traffic is also routed to work (which I test with wtfismyip on browser and curl). I have tried…
sudo tailscale down
sudo tailscale up --advertise-routes "93.184.216.0/24" --advertise-exit-node=false --exit-node=100.100.100.9 --accept-routes=false
… but still routing to work.
How do I set this up??

All traffic is being routed because that is what --exit-node=100.100.100.9 does. All traffic will be routed to the exit node.

The other arguments to the command are:

  • --advertise-exit-node which tells other nodes on your home tailnet that they are allowed to use the home node as an exit node.
  • I suspect that --advertise-routes "93.184.216.0/24" doesn’t actually do anything useful in this configuration, because that tells other nodes at home that they can use the home node to reach 93.184.216.0/24. I suspect it is that the exit node 100.100.100.9 at work is being used which results in getting to the example-dot-com website as desired.

I believe what would do what is asked is:

  • a device at your work which is joined to your home tailnet and started using tailscale up --advertise-routes=93.184.216.0/32
  • the device at home started with: tailscale up --accept-routes
1 Like

Ah, so I have this the wrong way around, I need to advertise the routes from the exit-node end. Trouble is that end is Windows, and (I think I am right in saying) the Windows client does not have that option… so think I will have to add exit node from a Linux VM at work…
(thanks!)

On Windows a tailscale.exe is installed in %PATH% which takes the same arguments as the Linux command does. There isn’t a GUI to advertise routes on Windows, but from a cmd.exe shell you can run tailscale up --advertise-routes=93.184.216.0/32 and have it work the same way as Linux would.

1 Like

Fantastic!

(for the benefit of others…)
So on the work Windows exit node I have run
c:\Program Files (x86)\Tailscale IPN>tailscale.exe up --reset --advertise-routes=93.184.216.0/24 --unattended
(and I then had to go into the web client, Edit route settings, and click enable on that route)

On the home Linux box I have:
sudo tailscale up --reset --accept-routes

It didn’t work at first, but this was my browser caching the old route presumably (as it worked in a different browser). And yes, if I do --exit-node=100.100…etc then all traffic is routed via the exit node.

Thanks so much for your help!

1 Like
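
Added example, not part of any post in this thread: a check for the home Linux node that classifies routing from `ip route get` output instead of from a browser, so a cached page cannot hide a leftover exit-node setting. It assumes the Tailscale interface is named tailscale0; the sample lines, the 100.100.100.8 source address and the 1.1.1.1 control destination are constructed for illustration.

```shell
#!/bin/sh
# Verify split routing: only the advertised subnet should leave via Tailscale.
TS_IF="tailscale0"   # assumption: default Tailscale interface name on Linux

# Print the egress interface named in one line of `ip route get` output.
egress_dev() {
  printf '%s\n' "$1" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# classify <route line for the target> <route line for a control destination>
#   split = only the target uses Tailscale (the setup the thread ends with)
#   full  = the control also uses Tailscale (an exit node is still selected)
#   none  = the target is not routed over Tailscale (route missing or not approved)
classify() {
  _target_dev=$(egress_dev "$1")
  _control_dev=$(egress_dev "$2")
  if [ "$_target_dev" != "$TS_IF" ]; then
    echo none
  elif [ "$_control_dev" = "$TS_IF" ]; then
    echo full
  else
    echo split
  fi
}

# Constructed sample lines in the format `ip route get` prints.
SAMPLE_TARGET='93.184.216.34 dev tailscale0 table 52 src 100.100.100.8 uid 1000'
SAMPLE_CONTROL_LAN='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.20 uid 1000'
SAMPLE_CONTROL_EXIT='1.1.1.1 dev tailscale0 table 52 src 100.100.100.8 uid 1000'

# Live use on the home node: sh check.sh live 93.184.216.34 1.1.1.1
if [ "${1:-}" = "live" ]; then
  classify "$(ip route get "$2" | head -n1)" "$(ip route get "$3" | head -n1)"
fi
```

A result of `full` means `--exit-node` is still in effect; `none` means the subnet route was not accepted on the home node or not yet enabled in the admin console.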