Using exit nodes but ignore certain routes

I want to accept default routes from an exit node, except for a subnet 10.8.0.0/16 that I route via OpenVPN. This works fine with TS off; however, when I turn TS on it seems to take priority over the OpenVPN tunnel that is only used for that /16.

How can I configure TS to use an exit node for everything except 10.8.0.0/16?

Currently, we do not have a feature that lets you mark an exception for a specific network when using an exit node. Please feel free to create a feature request (Issues · tailscale/tailscale · GitHub) for the same.

Hi @darshinimashar

Done. Using exit nodes but ignore certain routes · Issue #1916 · tailscale/tailscale · GitHub

How does Tailscale currently grab all traffic on the client? Perhaps there are some iptables rules I can temporarily run to work around this after running tailscale up?

Thanks

Hi, are you sure you want exit nodes for this? You could instead advertise only the routes you want using tailscale’s --advertise-routes feature.

Pretty sure. This is definitely personal/hobby rather than commercial, though, but I guess this is what leads people to push Tailscale in the enterprise.

I want most of my traffic to go via an exit node, as I find in many countries the ISPs' transit is crap or oversubscribed (SE Asia especially), whereas their capacity to regional peering fabrics usually seems fine, so if I spin up a nearby Linode/DigitalOcean/Vultr/Lightsail that has connectivity to one of the peering fabrics the ISP is connected to, I get a much more pleasant internet experience.

If I'm downloading a movie, though, I'll use the Mullvad SOCKS5 proxy or go direct… :wink: just in case I haven't completely understood the licensing rights of said material and potentially risk my infra due to DMCA.

Oh, that’s interesting. I’ve seen these sorts of peering problems before. For example, when I was living in NYC, one of my ISPs decided to have a dispute with Netflix and had mysteriously bad problems viewing Netflix content, but if I VPNed into a nearby datacenter, the problems went away.

One thing you could try would be to set up a tailscale node that advertises 10.8.0.0/16 (with --accept-routes=false) and routes to that subnet via openvpn.

Or, as you suggested, you can try to play tricks with ‘ip rule’. If you can get openvpn to tag its packets with the special fwmark that tailscale uses, you can make it not send its traffic over tailscale. Or you should be able to add an extra ‘ip rule’ table above tailscale’s table that lets you do whatever you want. I’m not 100% sure, but I don’t think iptables will be the problem so much as the routes.


Super cool to see you replying here @apenwarr
I had this same need - I had an exit node that I wanted to tunnel all my traffic through, and tailscale ended up sending all the traffic through the tunnel, including local subnet traffic. My guess is I could have solved this by advertising 0.0.0.0/0 from the exit node, for example, so that the subnet routes, which were more specific, would have kicked in. I went the ip rule way (don't ask me why) and did this:

Add this line to /etc/iproute2/rt_tables:

    200 avoid_ts

Then:

    sudo ip r add 192.168.0.0/24 dev wlp4s0 table avoid_ts

and:

    sudo ip rule add from 192.168.0.0/24 lookup avoid_ts

This worked for me. The rule won’t survive a reboot though, so you will want to take care of that.
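The same ip rule approach applied to the original poster's 10.8.0.0/16 case, as an added example that is not from this thread. It assumes the OpenVPN interface is tun0 and that rule preference 5000 sorts before Tailscale's own policy rules (which sit in the 52xx range on current Linux clients); it matches on the destination rather than the source so that traffic *to* the subnet leaves the exit node, and it prints its plan before touching anything.

```shell
#!/bin/sh
# Added example (not the thread's or Tailscale's own code): carve 10.8.0.0/16
# out of the exit-node default route with a policy-routing table that is
# consulted before Tailscale's. Assumptions: OpenVPN interface tun0, rule
# preference 5000 (lower than Tailscale's 52xx rules), table id 200.
EXEMPT_SUBNET="${EXEMPT_SUBNET:-10.8.0.0/16}"
VPN_DEV="${VPN_DEV:-tun0}"
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-avoid_ts}"
RULE_PREF="${RULE_PREF:-5000}"

# Emit the commands that build the exemption, one per line. Kept as a pure
# function so the plan can be reviewed (or tested) before it touches the
# live routing state; every step is idempotent, so re-running is safe.
exempt_plan() {
  subnet="$1"; dev="$2"; tid="$3"; tname="$4"; pref="$5"
  # Register the table name once; ip(8) accepts the numeric id either way.
  printf 'grep -qs "^%s %s$" /etc/iproute2/rt_tables || echo "%s %s" >> /etc/iproute2/rt_tables\n' \
    "$tid" "$tname" "$tid" "$tname"
  # Only the exempt subnet lives in the private table; for a tun (point-to-
  # point) device no gateway is needed, a tap device would want "via".
  printf 'ip route replace %s dev %s table %s\n' "$subnet" "$dev" "$tid"
  # Destination match: a "from" rule (as in the post above) would only catch
  # traffic sourced from the subnet, not traffic heading to it.
  printf 'ip rule show | grep -q "^%s:" || ip rule add pref %s to %s lookup %s\n' \
    "$pref" "$pref" "$subnet" "$tid"
}

# Ask the kernel which device a probe address in the subnet would leave on;
# returns 0 when it is the VPN device, i.e. the exit node is bypassed.
check_route() {
  ip route get "$1" 2>/dev/null | grep -q "dev $2"
}

main() {
  echo "Plan:"; exempt_plan "$EXEMPT_SUBNET" "$VPN_DEV" "$TABLE_ID" "$TABLE_NAME" "$RULE_PREF"
  exempt_plan "$EXEMPT_SUBNET" "$VPN_DEV" "$TABLE_ID" "$TABLE_NAME" "$RULE_PREF" | sh -e
  if check_route 10.8.0.1 "$VPN_DEV"; then
    echo "ok: 10.8.0.0/16 bypasses the exit node via $VPN_DEV"
  else
    echo "warning: 10.8.0.1 still routes elsewhere; check 'ip rule' ordering" >&2
  fi
}

# Only act when explicitly asked (run as root); otherwise the script is inert.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Like the rules in the post above, these do not survive a reboot; run the script with --apply from whatever brings OpenVPN up.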

There is a --exit-node-allow-lan-access argument which might help with this now:

tailscale up --exit-node=w.x.y.z --exit-node-allow-lan-access
