1
00:00:00,001 --> 00:00:04,000
Welcome in to another episode of Tailscale Explained, I'm Alex.

2
00:00:04,000 --> 00:00:08,000
This is the playlist where we tell you everything you ever wanted to know about Tailscale.

3
00:00:08,000 --> 00:00:12,000
Things like subnet routers, Tailscale SSH and ACLs.

4
00:00:12,000 --> 00:00:16,000
In today's video we're going to cover exit nodes.

5
00:00:16,000 --> 00:00:22,000
Now what is an exit node? Well, simply put, it's a way for you to route all of the traffic from your client device,

6
00:00:22,000 --> 00:00:29,000
that could be something like a phone or a laptop, and have it exit onto the public internet via Tailscale

7
00:00:29,000 --> 00:00:33,000
at a specific geographic point on the internet.

8
00:00:33,000 --> 00:00:37,000
So let's say you want to do some online banking whilst you're on holiday.

9
00:00:37,000 --> 00:00:42,000
This happened to me this summer actually, I wanted to access my US bank account whilst I was in England.

10
00:00:42,000 --> 00:00:49,000
However, my bank decided that accessing their banking app from another country was a huge security risk.

11
00:00:49,000 --> 00:00:56,000
So what I did was I flipped on the exit node functionality so that my phone sent all of its traffic over Tailscale

12
00:00:56,000 --> 00:01:00,000
as an exit node to this house here in North Carolina.

13
00:01:00,000 --> 00:01:06,000
Suddenly my bank had no idea that my traffic was any different than if I was physically in this building.

14
00:01:06,000 --> 00:01:10,000
You might be familiar with this concept from the more traditional privacy VPNs such as Mullvad,

15
00:01:10,000 --> 00:01:13,000
who we have a partnership with by the way.

16
00:01:13,000 --> 00:01:19,000
These privacy VPNs are very good at making you appear as if you're in a different physical geographic location

17
00:01:19,000 --> 00:01:24,000
for all sorts of interesting reasons. But Tailscale is about so much more than that.

18
00:01:24,000 --> 00:01:28,000
Yes, you can do that too and emulate that functionality with exit nodes,

19
00:01:28,000 --> 00:01:32,000
but Tailscale is great for companies and self-hosters alike.

20
00:01:32,000 --> 00:01:34,000
So let's dig into exit nodes.

21
00:01:34,000 --> 00:01:38,000
By default, Tailscale acts as an overlay network.

22
00:01:38,000 --> 00:01:44,000
It only routes traffic between devices running Tailscale and doesn't touch your public internet traffic,

23
00:01:44,000 --> 00:01:48,000
such as when you visit Google or Hacker News for example.

24
00:01:48,000 --> 00:01:55,000
The overlay network configuration is ideal for most people who need secure communication between sensitive devices,

25
00:01:55,000 --> 00:02:01,000
such as company servers or home computers, but don't need or want the extra layers of encryption

26
00:02:01,000 --> 00:02:04,000
or latency for their public internet connection.

27
00:02:04,000 --> 00:02:10,000
But what about if you're on an untrusted Wi-Fi network such as a coffee shop or perhaps something at an airport?

28
00:02:10,000 --> 00:02:14,000
Or maybe you want to have a way to quickly test a different network's view of the world

29
00:02:14,000 --> 00:02:18,000
to see if it's your local DNS implementation playing up perhaps.

30
00:02:18,000 --> 00:02:21,000
That's where an exit node really comes in handy.

31
00:02:21,000 --> 00:02:23,000
Setting one up is straightforward.

32
00:02:23,000 --> 00:02:30,000
Many devices can be used as exit nodes, ranging from a Linux system to a Windows or Mac computer to an Apple TV.

33
00:02:30,000 --> 00:02:33,000
Yes, really, an Apple TV.

34
00:02:33,000 --> 00:02:38,000
If you're running a DIY firewall like OPNsense, you can even install Tailscale directly there

35
00:02:38,000 --> 00:02:43,000
and use that single device that's presumably already on all the time in your network

36
00:02:43,000 --> 00:02:46,000
as an exit node and subnet router as well.

37
00:02:46,000 --> 00:02:49,000
Here's a card to the Tailscale Explained subnet router video for you.

38
00:02:49,000 --> 00:02:54,000
The type of device you pick as an exit node doesn't really matter too much.

39
00:02:54,000 --> 00:03:00,000
They're all likely going to be fast enough and bottlenecked by your internet speed at the location of the exit node itself.

40
00:03:00,000 --> 00:03:06,000
But my personal pick for an always-on low-power device that you could ask a friend or a relative to host for you

41
00:03:06,000 --> 00:03:10,000
with little to no fuss might be something like an Apple TV,

42
00:03:10,000 --> 00:03:13,000
which consumes less than 1W in standby mode,

43
00:03:13,000 --> 00:03:20,000
and yes, exit node and subnet routing functionality still works in this low-power sleep state,

44
00:03:20,000 --> 00:03:23,000
or the humble Raspberry Pi.

45
00:03:23,000 --> 00:03:28,000
You might also consider running Tailscale on a cloud VPS somewhere like Hetzner or Linode.

46
00:03:28,000 --> 00:03:34,000
You can do this to use it as an easy way to pick a different geographic location for your traffic.

47
00:03:34,000 --> 00:03:37,000
However, it comes with a potential downside.

48
00:03:37,000 --> 00:03:42,000
Routing consumer-level traffic, like browsing, via a data center IP block,

49
00:03:42,000 --> 00:03:46,000
because remember you will now appear as if you're sat inside that data center,

50
00:03:46,000 --> 00:03:51,000
is that CAPTCHAs and things that aren't used to seeing that type of traffic from a commercial IP block

51
00:03:51,000 --> 00:03:53,000
will get a bit upset with you,

52
00:03:53,000 --> 00:03:58,000
so you're much more likely to get those annoying puzzles if you do this long-term.

53
00:03:58,000 --> 00:04:07,000
On Linux, enabling exit node functionality is as simple as a tailscale set --advertise-exit-node command on the CLI.

54
00:04:07,000 --> 00:04:14,000
On Mac and Windows, you can simply select to allow this node to act as an exit node from the client settings.

55
00:04:14,000 --> 00:04:21,000
Now, you will need to manually approve each node that requests this functionality in your Tailscale admin console.

56
00:04:21,000 --> 00:04:24,000
This only takes a couple of clicks, but if you'd like,

57
00:04:24,000 --> 00:04:33,000
we can set up an ACL rule to automatically approve exit node requests using the autoApprovers feature in your ACLs.

58
00:04:33,000 --> 00:04:35,000
I'll put a snippet up on screen right now,

59
00:04:35,000 --> 00:04:40,000
and as you can see, it's just a couple of lines of code that you paste into your admin console.

60
00:04:40,000 --> 00:04:46,000
The auto-approver of a route or exit node can be a user's full login email address,

61
00:04:46,000 --> 00:04:50,000
a group name, an autogroup, or a tag owner.

62
00:04:50,000 --> 00:04:53,000
Once configured, anytime you turn on exit node functionality,

63
00:04:53,000 --> 00:04:57,000
it will automatically approve itself onto your tailnet.

64
00:04:57,000 --> 00:05:03,000
One final configuration setting I'd like to touch on is the allow LAN access setting.

65
00:05:03,000 --> 00:05:09,000
Enabling this will allow direct access to your local network when routing traffic through an exit node.

66
00:05:09,000 --> 00:05:18,000
In other words, the network the exit node is physically connected to will not be reachable by clients using this exit node unless you enable this feature.

67
00:05:18,000 --> 00:05:23,000
It's very much the same idea as a subnet router, only with a little less fine-grained control.

68
00:05:23,000 --> 00:05:28,000
If you'd like to be explicit about what is, or is not, allowed,

69
00:05:28,000 --> 00:05:33,000
then you should turn on subnet routing for the specific subnet ranges you're interested in instead.

70
00:05:33,000 --> 00:05:36,000
Before we get out of here, a couple of caveats.

71
00:05:36,000 --> 00:05:44,000
On Android, macOS, and Windows, the exit node feature is still undergoing performance optimisation as it runs in user space.

72
00:05:44,000 --> 00:05:49,000
If you'd like the absolute best experience, we recommend that you use Linux.

73
00:05:49,000 --> 00:05:57,000
It can be as a VM, or on top of that Raspberry Pi sat in one of your drawers that you swore one day you'd find a perfectly good use case for it.

74
00:05:57,000 --> 00:05:59,000
Well, this may well be it.

75
00:05:59,000 --> 00:06:02,000
So I think that about covers exit nodes.

76
00:06:02,000 --> 00:06:08,000
Don't forget to check out the links in the description down below to all of our live streams and all of the other Tailscale Explained playlists.

77
00:06:08,000 --> 00:06:13,000
As always, thank you so much for watching, and until next time, I've been Alex from Tailscale.

78
00:06:14,000 --> 00:06:15,000
Bye!