Hi - I have gotten so far with this, just need a little extra help.
I have a secure system I can only access via work, and need to also access at home (I own the company, it's fine). So I have tailscale set up and running as an exit node on Windows in the company, and at home I run Ubuntu Linux, and tailscale 1.22.2.
I want to be able to go to example-dot-com (ip: 22.214.171.124) on my browser at home, and only that traffic be routed via tailscale to work. I don’t want all my other internet browsing to be routed to work.
So currently I have (at home):
sudo tailscale up --advertise-routes "126.96.36.199/24" --advertise-exit-node --exit-node=100.100.100.9 --accept-routes
This works - I can now see example-dot-com at home and it works smoothly (and fast). Yeah. BUT all my browser traffic is also routed to work (which I test with wtfismyip on browser and curl). I have tried…
sudo tailscale down
sudo tailscale up --advertise-routes "188.8.131.52/24" --advertise-exit-node=false --exit-node=100.100.100.9 --accept-routes=false
… but still routing to work.
How do I set this up??
All traffic is being routed because that is what --exit-node=100.100.100.9 does. All traffic will be routed to the exit node.
The other arguments to the command are:
- --advertise-exit-node which tells other nodes on your home tailnet that they are allowed to use the home node as an exit node.
- I suspect that --advertise-routes "184.108.40.206/24" doesn’t actually do anything useful in this configuration, because that tells other nodes at home that they can use the home node to reach 220.127.116.11/24. I suspect it is that the exit node 100.100.100.9 at work is being used which results in getting to the example-dot-com website as desired.
I believe what would do what is asked is:
- a device at your work which is joined to your home tailnet and started using
tailscale up --advertise-routes=18.104.22.168/32
- the device at home started with:
tailscale up --accept-routes
Ah, so I have this the wrong way around, I need to advertise the routes from the exit-node end. Trouble is that end is Windows, and (I think I am right in saying) the Windows client does not have that option… so I think I will have to add exit node from a Linux VM at work…
On Windows a tailscale.exe is installed in %PATH% which takes the same arguments as the Linux command does. There isn’t a GUI to advertise routes on Windows, but from a cmd.exe shell you can run tailscale up --advertise-routes=22.214.171.124/32 and have it work the same way as Linux would.
(for the benefit of others…)
So on the work Windows exit node I have run
c:\Program Files (x86)\Tailscale IPN>tailscale.exe up --reset --advertise-routes=126.96.36.199/24 --unattended
(and I then had to go into the web client, Edit route settings, and click enable on that route)
On the home Linux box I have:
sudo tailscale up --reset --accept-routes
It didn’t work at first, but this was my browser caching the old route presumably (as it worked in a different browser). And yes, if I do --exit-node=100.100…etc then all traffic is routed via the exit node.
Thanks so much for your help!
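A way to confirm the result from the home Linux box without depending on a browser, as an added example that is not part of the original thread: it compares the kernel's route for the work-only address with the route for an ordinary internet address. The two addresses are documentation-range placeholders, and tailscale0 is assumed to be the interface name (the Linux client's default).

```shell
#!/bin/sh
# Added example: verify that only the advertised subnet route uses Tailscale.
# TARGET and CONTROL are placeholders (documentation ranges), not thread values.
TARGET="${TARGET:-203.0.113.10}"   # stand-in for the work-only site's IP
CONTROL="${CONTROL:-192.0.2.1}"    # stand-in for any ordinary internet address
TS_IF="${TS_IF:-tailscale0}"       # assumed: default Tailscale interface on Linux

# Print the interface that follows "dev" in `ip route get` output.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# classify <route-to-target> <route-to-control>
# Prints one of: split | exit-node | no-route
classify() {
    t=$(route_dev "$1")
    c=$(route_dev "$2")
    if [ "$t" != "$TS_IF" ]; then
        # Route not accepted (--accept-routes missing) or not yet enabled
        # in the admin console's route settings.
        echo "no-route"
    elif [ "$c" = "$TS_IF" ]; then
        # An --exit-node setting is still in effect: everything goes to work.
        echo "exit-node"
    else
        # Only the advertised route goes through Tailscale.
        echo "split"
    fi
}

# Live check against the running system's routing tables.
check_live() {
    classify "$(ip route get "$TARGET")" "$(ip route get "$CONTROL")"
}

# Run the live check only when asked, e.g. `sh check.sh --live`.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

A result of exit-node after removing the flag usually means the old preference is still stored, which is what --reset clears.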