Tailscale has grown from a relatively simple overlay network to a Swiss Army Knife of tools that can handle far more situations than you might think. The bulk of the features work whether you're using the company's orchestration servers or self-hosting Headscale, and it's one of the easiest ways I've used to deal with complex networking situations spread over multiple sites.
One of the more recent features is exit nodes, which make Tailscale behave more like a traditional VPN when you route your traffic through one of those nodes. See, normally, Tailscale only handles tailnet traffic, and normal browsing traffic goes straight out over whatever network you're on, outside the encrypted tunnel. By using an exit node, all of your traffic is encrypted until it leaves that node, so the public Wi-Fi you're sitting on sees only the tunnel, making working from it just as safe as if you were at home. And by using a VPS, you can roll your own VPN alternative while saving cash.
The VPN industry has a problem
Consolidation has left you with few actual choices
Traditional VPNs have several glaring issues, but one of the biggest is that most major players are owned by the same company, with upper management ties to intelligence services. Now, I'm not sure about you, but I don't want my encrypted data going anywhere near known spooks, and that's getting harder and harder to do.
But there are other big issues, from government pressure to block certain services or IP addresses from being accessed, to how VPN services might securely connect to a specific network but don't protect your device from other threats while on that network.
The software-defined networking industry is moving away from that model and towards Zero Trust, where every device is treated as untrustworthy and given only the permissions it needs for the services and routes it is allowed. That's a much better model, both for enterprise use and at home.
Tailscale helps you make your own VPN endpoints
By using a device on your tailnet as an exit node, you essentially set your own VPN service up, but it's more than that. You can connect to your home network just as easily, or that of a family member to help with their tech issues. You can treat containerized services as individual nodes on your tailnet, and set up ACLs so they can access only the parts of the network they need to work, and more.
With a VPS, you can make your own VPN endpoint wherever your server is
Tailscale is for much, much more than connecting your devices together
I've had a VPS from various providers for years now, whether it was running an IRC bouncer to keep my messaging app online when I wasn't, reverse proxies into my self-hosted stack, or other things that I wanted to run without the specter of CGNAT ruining my fun.
Currently, I'm using Racknerd, which is $30 or so for a full year, with a modest VPS on shared hosting. I could pay more for a dedicated server, but I have that at home. The VPS is just for connectivity when I need it and can't connect any other way, and I see no point in paying more for functionality I won't use. The only reason I might upgrade to bare-metal cloud hosting is to run Proxmox or other hypervisors in the cloud, since I can't do that currently.
Tailscale makes setting up an exit node as simple as toggling a few switches and pasting the resulting script into the terminal on your VPS. From the Machines page, you add a Linux server, and the only setting you need to toggle is Use as exit node. I like setting a tag for any exit nodes, because then it stops key expiry for that device, making my exit node as permanent as I can.
That's it: hit the generate install script button, then copy and paste the resulting script into the terminal on your VPS. The new node will appear on your Tailscale management pages in seconds, and clicking it will show that Exit Node is Allowed under the routing settings. From then on, whenever you are connected to your tailnet, you can select the exit node from the running applet, and all your traffic will route through it.
It's still in the optimization phases for any operating system other than Linux, but it works well enough in my testing and outperforms some of the paid VPN subscriptions I've had in the past.
Now to check everything is working
It's really simple to verify that the remote VPS functioning as a tailnet node is working properly. Grab the IP address of the Tailscale node with the following command from the SSH session:
tailscale ip -4
Then it's a matter of running ping [tailscale IP] from any terminal window on your tailnet. If everything is working correctly, you'll see replies from the IP address, and you shouldn't get any lost packets.
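The ping confirms the VPS is reachable over the tailnet, but not that internet traffic actually leaves through it. The shell script below is an added example, not from the article: it reports which peer is the active exit node and compares the public IP the internet sees against the VPS address. The "exit node" marker in `tailscale status` text output and the api.ipify.org echo service are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Assumptions: the "exit node" marker in
# `tailscale status` text output, and api.ipify.org as the IP echo service.
# Constructed sample of the status lines this parses:
#   100.64.0.7  vps-exit  tagged-devices  linux  active; exit node; direct ...
#   100.64.0.9  home-pi   alice@          linux  idle; offers exit node

# Print the tailnet IP of the peer currently used as exit node (empty if none).
# Reads `tailscale status` text on stdin; peers that only advertise the
# capability show "offers exit node" and must not match.
active_exit_node() {
    awk '/exit node/ && !/offers exit node/ { print $1; exit }'
}

# Classify an egress check.
#   $1 = public IP seen with the exit node off (baseline)
#   $2 = public IP seen with the exit node on
#   $3 = public IP of the VPS
egress_verdict() {
    if [ -z "$2" ]; then
        echo "no-connectivity"     # exit node selected but nothing gets out
    elif [ "$2" = "$3" ]; then
        echo "ok"                  # the internet sees the VPS address
    elif [ "$2" = "$1" ]; then
        echo "bypass"              # traffic still leaves via the local network
    else
        echo "unexpected-egress"   # another exit node, proxy or NAT address
    fi
}

public_ip() {
    curl -4 -fsS --max-time 10 "${IP_ECHO_URL:-https://api.ipify.org}"
}

# Live run: sh check-exit.sh <exit-node-name-or-tailnet-ip> <vps-public-ip>
if [ "$#" -eq 2 ]; then
    tailscale set --exit-node=            # start with no exit node selected
    base=$(public_ip) || base=""
    tailscale set --exit-node="$1"
    node=$(tailscale status | active_exit_node)
    seen=$(public_ip) || seen=""
    echo "exit node in use: ${node:-none}"
    egress_verdict "$base" "$seen" "$2"
fi
```

A verdict of `bypass` means the exit node is selected on paper but browsing traffic is still leaving through the local network, which is the case the ping test cannot catch.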
It's worth remembering the limitations of this exit node
My ISP connection is rarely slow, because I've got symmetrical gigabit fiber. I'm not-so-patiently waiting for 2 gigabit connections to roll out in my area, but I don't always want my internet traffic to originate from my zipcode. Whether it's to get around broadcast blackout restrictions, other needs, or just to test whether my connection is at fault when I have connectivity issues, I like having a VPS with Tailscale set up as an exit node.
It's not a perfect solution, though. My VPS limits bandwidth to a degree, and I get a certain amount per month before I get cut off (or worse, charged more), and speeds are closer to 75 Mbps than the gigabit I'm used to. That's okay, though. Sometimes that's all you need, and it's a good privacy hedge compared to using a commercial VPN that might be keeping records. Sure, Tailscale knows about me, as does my VPS, but neither the VPS nor Tailscale knows what my traffic contains.
Using a VPS as an exit node with Tailscale keeps you more secure
Tailscale is one of the most wonderful software packages I've ever used. Why? Because it does exactly what it says, has tons of features I've only scratched the surface of, and is easy to set up. I went with the cheapest VPS I could find because that's all I need, but plenty of providers let you change your datacenter location and have worldwide options, so you can make a much closer approximation of a commercial VPN, but one that you control.
