Tailscale Exit Node on Debian 13 – VPN without port forwarding


Tailscale VPN

Tailscale Exit Node is a simple way to run your own VPN without complex router setup or a public IP address. It uses WireGuard encryption and lets you browse securely from anywhere as if you were at home, or even from another country.

What you’ll need and how it works

You don’t need expensive hardware or deep networking knowledge to run a Tailscale Exit Node. You only need:

  • Laptop, desktop PC, or mini‑PC; even an older machine you no longer use day‑to‑day will do.
  • Debian 13 (trixie) installed on that machine (it can run headless without a monitor).
  • Internet connection — either via Ethernet port or a Wi‑Fi adapter.
    • If you only want the device to provide internet egress, a single network adapter (Wi‑Fi or Ethernet) is enough.
    • If you want the machine to receive internet from one network and forward it to another, you’ll need two network adapters (e.g., Ethernet + Wi‑Fi).
  • Tailscale account — free at tailscale.com (you can sign in with Google, Microsoft, GitHub, etc.).

How it works:

  1. The Debian machine running Tailscale becomes an Exit Node — a gateway to the internet.
  2. When another device (laptop, phone) connects to it through Tailscale and selects it as the Exit Node, all your traffic flows through that machine.
  3. On public Wi‑Fi (e.g., a hotel), you will appear to be connecting from the Exit Node’s location (e.g., your home or a VPS in another country).
  4. Tailscale connections are encrypted with WireGuard, so even the hotel’s network operator can’t see your traffic contents.

Goal: set up a Tailscale Exit Node on Debian 13 (trixie). When travelling, connect to any trusted Wi‑Fi and route all your traffic through your own machine — no access to the foreign router and no port forwarding needed. Data is encrypted via WireGuard; Tailscale simply helps peers find each other.

What you need

  • Debian 13 (trixie) on the machine that will be the Exit Node (home PC/mini‑PC/RPi/laptop).
  • A Tailscale account (sign in via Google/Microsoft/GitHub, etc.).
  • Tailscale installed on your client device (laptop/phone) as well.
  • No router access and no public IP required.

What is an Exit Node? A device that offers “internet egress” to your whole tailnet. When a client selects it, all of that client’s traffic goes through the node, so the client obtains the node’s public IP (full‑tunnel).

STEP 1 – Install Tailscale (Debian 13)

The easiest way is the official repository for trixie:


sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list >/dev/null
sudo apt update
sudo apt install tailscale

Alternative (quick script):

curl -fsSL https://tailscale.com/install.sh | sh

STEP 2 – Enable the service


sudo systemctl enable --now tailscaled

# Check status
systemctl status tailscaled --no-pager

STEP 3 – Sign in / activate

The first run prompts you to sign in to Tailscale (it prints a URL):

# Opens a sign‑in URL. Open it in the browser and approve the device.
sudo tailscale up

STEP 4 – Enable IP forwarding (required for Exit Node)

To route client traffic to the internet, enable IPv4 (and optionally IPv6) forwarding:

echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-tailscale-exit.conf
echo 'net.ipv6.conf.all.forwarding=1' | sudo tee -a /etc/sysctl.d/99-tailscale-exit.conf
sudo sysctl --system

STEP 5 – Advertise this machine as an Exit Node

This command lets other devices use this machine for internet egress:

# Offer this machine as an Exit Node
sudo tailscale up --advertise-exit-node

Optional: if you also want Tailscale SSH to this machine, add --ssh:
sudo tailscale up --advertise-exit-node --ssh

STEP 6 – Approve the Exit Node in Tailscale

In the Tailscale admin console, enable “Use as exit node” / “Exit node” for this device and approve it. Without approval, it won’t be offered to clients.

STEP 7 – Connect a client

7.1 Linux (CLI)

# On the client, install tailscale (per your distro) and start the service.
# Sign in:
sudo tailscale up

# Select the exit node (machine name or its Tailscale IP, e.g. 100.x.y.z)
sudo tailscale up --exit-node=<name-or-ip> --exit-node-allow-lan-access=true

Allow LAN access lets the client still see its local network (e.g., a hotel printer) while using the exit node. For a strict full‑tunnel, omit that switch.

7.2 Windows

  1. Install the Tailscale app and sign in.
  2. In the app, open Settings → Exit Node and choose your exit node.
  3. Optional: toggle “Allow LAN access” if you want to keep access to the local network.

7.3 Android / iOS

  1. Install the Tailscale app from Google Play / App Store and sign in.
  2. Open the Exit Node section and select your exit node.
  3. Optional: enable “Allow LAN access”.

Test: public IP change

  1. On the client, check your public IP before enabling the exit node (e.g., search “what is my IP”).
  2. Enable the exit node per Step 7.
  3. Check the public IP again — it should now be your exit node’s IP (e.g., your home connection).

# Quick test in a terminal
curl https://ifconfig.io

Common issues

  • Client won’t use the exit node: It hasn’t been approved in the admin console; on the server, run sudo tailscale up --advertise-exit-node again if needed.
  • No internet via exit node: Forwarding is missing (Step 4); verify sudo sysctl net.ipv4.ip_forward (should be 1).
  • I want to see the client’s local LAN too: Use --exit-node-allow-lan-access=true or the “Allow LAN access” toggle in the app.
  • Diagnostics: tailscale status, tailscale ping <name>, sudo tailscale up --reset.
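
A check for the “No internet via exit node” case, as an added example that is not part of the original page: sysctl fragments are applied in lexical order and the last assignment wins, so a later file can undo Step 4. The function names and the file 99-zz-hardening.conf are hypothetical, and only one directory is audited.

```shell
#!/bin/sh
# Added example (not from the original page): audit sysctl.d fragments for Step 4.

# Print the last value assigned to KEY across FILES, read in the order given.
configured_sysctl() {
    key=$1; shift
    [ $# -gt 0 ] || return 0
    awk -v k="$key" '
        { sub(/^[ \t]*-?/, "") }      # drop indentation and the optional "-" prefix
        /^[#;]/ || !/=/ { next }      # skip comments and non-assignments
        {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", name); gsub(/\//, ".", name)   # a/b/c equals a.b.c
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) last = val
        }
        END { print last }
    ' "$@"
}

# Audit one sysctl.d-style directory: fragments apply in lexical order, last wins.
# Simplification: sysctl --system also reads other directories; only DIR is checked.
# Returns 0 only if IPv4 forwarding ends up 1 (the page treats IPv6 as optional).
audit_forwarding() {
    dir=$1
    set -- "$dir"/*.conf
    [ -e "$1" ] || { echo "no fragments in $dir"; return 2; }
    v4=$(configured_sysctl net.ipv4.ip_forward "$@")
    v6=$(configured_sysctl net.ipv6.conf.all.forwarding "$@")
    echo "net.ipv4.ip_forward=${v4:-unset}"
    echo "net.ipv6.conf.all.forwarding=${v6:-unset}"
    [ "$v4" = 1 ]
}

# Constructed demo: the Step 4 file, then a hypothetical later fragment that resets it.
demo() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' \
        > "$d/99-tailscale-exit.conf"
    echo "step 4 only:   $(audit_forwarding "$d" | head -n 1)"
    printf '# constructed\nnet.ipv4.ip_forward = 0\n' > "$d/99-zz-hardening.conf"
    echo "with override: $(audit_forwarding "$d" | head -n 1)"
    rm -rf "$d"
}
demo
```

On the exit node itself, call audit_forwarding /etc/sysctl.d and compare the result with the live value from sysctl net.ipv4.ip_forward.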

Tips: LAN access, foreign VPS, Headscale

  • LAN access while using exit node: Turn on “Allow LAN access”, otherwise the local network may be hidden.
  • IP from another country: Run your exit node on an inexpensive VPS (e.g., in Germany) to obtain a foreign IP without touching your home router.
  • Fully self‑hosted control plane: If you want to avoid any third‑party control, consider Headscale (self‑hosted alternative). For beginners, official Tailscale is simpler and very stable.

Quick checklist

  1. Install Tailscale (trixie repo) and enable the service.
  2. sudo tailscale up → sign in.
  3. Forwarding: create /etc/sysctl.d/99-tailscale-exit.conf → sudo sysctl --system.
  4. sudo tailscale up --advertise-exit-node on the server.
  5. Approve the Exit Node in the admin console.
  6. Client: select the exit node (or --exit-node=<name/IP>) and optionally --exit-node-allow-lan-access=true.
  7. Verify public IP change (curl https://ifconfig.io).

 
