Using exit nodes but ignore certain routes

I want to accept default routes from an exit node, except for a subnet 10.8.0.0/16 that I route via OpenVPN. This works fine with TS off; however, when I turn TS on, it seems to take priority over the OpenVPN route that is only used for that /16.

How can I configure TS to use an exit node for everything except 10.8.0.0/16?

Currently, we do not have a feature that lets you mark an exception for a specific network when using an exit node. Please feel free to create a feature request (Issues · tailscale/tailscale · GitHub) for this.

Hi @darshinimashar

Done: Using exit nodes but ignore certain routes (Issue #1916 · tailscale/tailscale · GitHub)

How does Tailscale currently grab all traffic on the client? Perhaps there are some iptables rules I can temporarily run to work around this after running tailscale up?

Thanks

Hi, are you sure you want exit nodes for this? You could instead advertise only the routes you want using tailscale’s --advertise-routes feature.

Pretty sure. This is definitely personal/hobby rather than commercial, though, but I guess this is what leads people to push Tailscale in the enterprise.

I want most of my traffic to go via an exit node, as I find in many countries the ISP's transit is crap or oversubscribed (SE Asia especially), whereas their capacity to regional peering fabrics usually seems fine. So if I spin up a nearby Linode/DigitalOcean/Vultr/Lightsail that has connectivity to one of the peering fabrics the ISP is connected to, I get a much more pleasant internet experience.

If I'm downloading a movie though I'll use the Mullvad SOCKS5 proxy or go direct... :wink: just in case I haven't completely understood the licensing rights of said material and potentially risk my infra due to DMCA.

Oh, that's interesting. I've seen these sorts of peering problems before. For example, when I was living in NYC, one of my ISPs decided to have a dispute with Netflix, and I had mysteriously bad problems viewing Netflix content, but if I VPNed into a nearby datacenter, the problems went away.

One thing you could try would be to set up a tailscale node that advertises 10.8.0.0/16 (with --accept-routes=false) and routes to that subnet via openvpn.

Or, as you suggested, you can try to play tricks with 'ip rule'. If you can get OpenVPN to tag its packets with the special fwmark that Tailscale uses, you can make it not send its traffic over Tailscale. Or you should be able to add an extra 'ip rule' table above Tailscale's table that lets you do whatever you want. I'm not 100% sure, but I don't think iptables will be the problem so much as the routes.

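The "extra 'ip rule' table above Tailscale's" approach from the last reply, worked through as an added example (this script is not from the thread or from the Tailscale project). It assumes the OpenVPN interface is tun0 and that routing table 100 and rule preference 1000 are unused on the host. It also assumes Tailscale's own Linux rules carry fwmark 0x80000 and look up table 52 at preferences 5210-5270, as in current releases; rather than hard-coding that, it reads `ip rule show` and refuses to proceed unless the chosen preference sorts above whatever Tailscale installed. The embedded `SAMPLE_RULES` text is a constructed example of that output so the logic can be exercised with DRY_RUN=1 and without root.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Tailscale project.
# Pin 10.8.0.0/16 to the OpenVPN tunnel with a policy-routing rule that the
# kernel consults before Tailscale's rules (lower preference = checked first).
# Assumptions: OpenVPN device is tun0; table 100 and pref 1000 are free;
# Tailscale's rules use fwmark 0x80000 / table 52 (verify with `ip rule show`).

SUBNET="${SUBNET:-10.8.0.0/16}"
VPN_DEV="${VPN_DEV:-tun0}"
TABLE="${TABLE:-100}"
PREF="${PREF:-1000}"

# Constructed sample of `ip rule show` on a host running tailscale (assumed
# layout, see above); used instead of the real command when DRY_RUN=1.
SAMPLE_RULES='0:	from all lookup local
5210:	from all fwmark 0x80000/0xff0000 lookup main
5230:	from all fwmark 0x80000/0xff0000 lookup default
5250:	from all fwmark 0x80000/0xff0000 unreachable
5270:	from all lookup 52
32766:	from all lookup main
32767:	from all lookup default'

# Read rule text on stdin; print the lowest preference among rules that look
# like Tailscale's (its fwmark, or a lookup of table 52), or "none".
tailscale_min_pref() {
    awk -F: '/fwmark 0x80000|lookup 52([^0-9]|$)/ {
                 p = $1 + 0; if (min == "" || p < min) min = p }
             END { print (min == "" ? "none" : min) }'
}

# Succeed if preference $1 sorts above the first Tailscale rule read on stdin.
pref_is_above() {
    min=$(tailscale_min_pref)
    [ "$min" = "none" ] && return 0
    [ "$1" -lt "$min" ]
}

# The two commands: a dedicated table that sends the subnet out the VPN
# device, and a rule that consults that table for any packet *to* the subnet.
cmd_route() { printf 'ip route replace %s dev %s table %s' "$SUBNET" "$VPN_DEV" "$TABLE"; }
cmd_rule()  { printf 'ip rule add to %s lookup %s pref %s' "$SUBNET" "$TABLE" "$PREF"; }

apply() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        rules="$SAMPLE_RULES"
    else
        rules=$(ip rule show)
    fi
    if ! printf '%s\n' "$rules" | pref_is_above "$PREF"; then
        echo "pref $PREF does not sort above tailscale's rules; pick a lower one" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        cmd_route; echo
        cmd_rule;  echo
        echo "ip route get ${SUBNET%/*}   # verify: output should say 'dev $VPN_DEV'"
    else
        eval "$(cmd_route)" && eval "$(cmd_rule)"
        # Check the result: the kernel should now resolve the subnet via the VPN.
        ip route get "${SUBNET%/*}"
    fi
}

# Run with DRY_RUN=1 to print the commands; run as root without it to apply them.
if [ "${DRY_RUN:-0}" = "1" ]; then apply; fi
```

Because the rule matches on destination only, everything else still falls through to Tailscale's rules and on to the exit node, which is the behaviour the original question asks for. The `ip route get` check at the end is worth keeping: if it reports a Tailscale interface instead of tun0, the rule was inserted with a preference that does not sort above Tailscale's, and the subnet is still being hijacked by the exit node.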