Use tailscale to provide public IP to node in tailnet


I have a VPS with multiple public IP addresses (e.g.,,
Then I have a laptop that’s connecting to the internet through whatever.
I want my laptop to be reachable through one of the public IP addresses of the VPS (e.g.,, to host random services.

Tailscale is installed on both the VPS and the laptop.
I did tailscale up --advertise-routes --snat-subnet-routes=false on the laptop,
and tailscale up --accept-routes on the VPS.
edit forwarding is enabled on both VPS and laptop, and there’s no firewall. edit

Now, from the VPS, I can ping the laptop at I do see the ICMP echo request/reply on the laptop, the source address is the tailnet IP.

Now I want the internet to access forwarded through tailnet, but pings don’t get through.
I do see the ICMP request on the VPS on tailnet0, but not on the laptop. I do see the tailnet wireguard encapsulated traffic arriving on the tailscale port on the laptop.
But still the echo request and/or reply get eaten somewhere.

Am I missing something? I’m aware that the laptop might choose a different route for its reply, but shouldn’t I at least see the echo request coming in on tailscale0?

(I did use plain wireguard for this, and it worked well. But of course in reality this will get more comlex, and Tailscale is awesome.)

Thanks for any suggestions!