How to Turn Your Raspberry Pi into a VPN Exit Node with Tailscale

You want to access your home network securely from a coffee shop? Or perhaps you need to browse the internet from abroad as if you were sitting in your living room? In this guide, we will set up a Tailscale Exit Node on a Raspberry Pi. This routes your internet traffic through your home connection, providing privacy and access to local devices without the headache of port forwarding.

Prerequisites

• A Raspberry Pi (Pi 3 or newer recommended).
• A MicroSD card.
• An Ethernet cable (RJ45) connecting the Pi to your router.
• A Tailscale Account.

A foreword: Tailscale and Wireguard

Tailscale is built entirely on top of WireGuard, a modern, open-source VPN protocol widely praised for its simplicity and blazing-fast performance. Unlike legacy protocols such as OpenVPN or IPsec, which can be code-heavy and slower to negotiate connections, WireGuard operates with a remarkably lightweight codebase and uses state-of-the-art cryptography. Tailscale essentially functions as a control plane for WireGuard: it handles the complex key exchange, mesh networking, and NAT traversal automatically, allowing you to benefit from WireGuard’s raw speed and security without the headache of manual configuration files. However, if you’re still curious about Wireguard (and you should!), here is a blogpost on Securing external traffic on a budget with Wireguard.

Step 1: Prepare the Raspberry Pi (Headless Setup)

First, we need to install the Operating System. We will set this up “headless” (without a monitor), so we need to configure SSH access manually on the SD card.

1. Flash the OS

Install the Raspberry Pi Imager on your computer:

sudo apt install rpi-imager
sudo rpi-imager

In the Imager settings:

• Device: Select your model (e.g., Raspberry Pi 3).
• OS: Choose Raspberry Pi OS (Other) > Raspberry Pi OS Lite (64-bit).
• Storage: Select your SD card.
• Next: Click Next, go through the last questions and wait for it to finish.

2. Configure SSH & User Manually

Once the write is finished, re-insert the SD card into your computer so you can edit the files. Navigate to the bootfs partition (usually mounted at /media/<user>/bootfs, otherwise mount it).

• Enable SSH: Create an empty file named ssh (no extension) in the root of the drive.
• Create a User: Create a file named userconf in the root of the drive. It needs a single line containing username:encrypted-password.

To generate the encrypted password, run this in your terminal:

openssl passwd -5

Enter your desired password when prompted. Copy the output.

Inside the userconf file, format the text like this:

pi:your-encrypted-string-here

(Replace pi with your preferred username if desired).

3. Boot

Insert the SD card into the Raspberry Pi, connect the Ethernet cable, and power it on.

Step 2: Install and Configure Tailscale on the Server

SSH into your Raspberry Pi. Once logged in, perform the following steps.

1. Install Tailscale

Update your system and run the installation script.

sudo apt update && sudo apt upgrade -y
curl -fsSL https://tailscale.com/install.sh | sh

The script will generate a login link. Copy/paste it into your browser to authenticate the Raspberry Pi.

2. Enable Packet Forwarding

For the Pi to act as a router (Exit Node), it needs to forward IP packets (and make it persistent across reboots).

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.d/99-forwarding.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.d/99-forwarding.conf
sudo sysctl --system

3. Advertise the Exit Node

Start Tailscale again, this time telling it to advertise itself as an exit node.

sudo tailscale up --advertise-exit-node

4. Enable Persistence

Ensure Tailscale starts automatically if the Pi reboots.

sudo systemctl enable tailscaled

Step 3: Approve the Exit Node in the Admin Console

Even though the Pi is advertising itself, you must approve it in the Tailscale dashboard.

1. Go to the Tailscale Admin Console.
2. Find your Raspberry Pi in the list.
3. Click the … (menu) icon > Edit route settings.
4. Toggle on Use as exit node.
5. Click Save.

Step 4: Connect the Client

Now, switch to the computer (Client) you want to connect to the VPN.

1. Install Tailscale

Note: The command below uses the automatic script, which detects your specific Linux version (Ubuntu, Debian, Fedora, etc.) to avoid repository errors. Also, installation steps may vary depending on your OS (Linux, MacOS, Windows…)

curl -fsSL https://tailscale.com/install.sh | sh

2. Connect to the Exit Node

You need the Tailscale IP of your Raspberry Pi (this starts with 100.x.y.z, NOT 192.168.x.x). You can find this IP in the Admin Console next to the Pi.

Run the following command:

# Reset previous connections
sudo tailscale logout

# Connect using the specific exit node IP
sudo tailscale up --exit-node=<EXIT-NODE-IP> --exit-node-allow-lan-access

• --exit-node: Routes your internet traffic through the Pi.
• --exit-node-allow-lan-access: Ensures you can still access local printers/servers on your current network while connected to the VPN.

The script will also generate a login link. Copy/paste it into your browser to authenticate the Client.

3. Verify Connection

Check if your public IP address has changed to match your home network’s IP:

curl ifconfig.me

How to see all the connected devices (from either the Server or the Client)? By fetching the status:

tailscale status # Needs 'tailscale up' to be run beforehand

How do I disconnect? To stop using the VPN and return to normal networking:

sudo tailscale down

How do I remove a device permanently?

1. Navigate to the Admin Console.
2. Click … next to the machine > Remove.

Conclusion

Congratulations! Your Raspberry Pi is now a fully functional Tailscale Exit Node. Whether you are traveling or using untrusted public Wi-Fi, you can now browse the internet securely through your encrypted home connection.

This blog post is licensed under CC BY-SA 4.0