Subnet Router questions

I’m a little confused by the subnet router option.
Does the subnet router require two interfaces?
Are devices behind the subnet router using it as their default gateway?
Can devices behind the subnet router initiate connections to other tailscale networks, or is it only inbound?


  1. No. The Tailscale VPN link is a second ‘interface’ itself.
  2. That’s up to you, if you want those devices to be able to talk to the nodes on the VPN then they will need (at least) a host route that goes through the subnet router, if not something broader. They would not use the subnet router as their default gateway unless that router is already their default gateway.
  3. Yes, they can, but bear in mind that the default configuration for subnet routing in Tailscale is designed for the other direction, and uses SNAT to ‘hide’ the remote nodes from the routed subnet, so that all of the other nodes on the subnet do not need to have a route back through the subnet router. That can be turned off, but that leads to the requirement in #2.

Essentially, if you want to use subnet routing for any purpose beyond ‘remote nodes access services on a LAN via the VPN’, you’ll have to decide how to setup the routing tables on all of the non-remote nodes.

Great, thanks for the detailed response.
Just to be clear, if I have devices (like cameras, thermostats, etc.) to which I cannot alter their routing table, I can just put a tailscale in subnet router mode on the same subnet, and I’ll be able to access those devices remotely?

Yes, because connections made from remote devices to those devices will appear to be coming from the subnet router, not from the remote devices.

Got it, thanks for the info!