
A Tailscale exit node and a Tailscale subnet router solve different routing problems. An exit node sends a client’s general internet traffic through another device; a subnet router lets tailnet clients reach a specific private subnet such as an office LAN, home lab, or cloud VPC.
Mixing these up leads to bad access design. If you want “my laptop reaches the office NAS,” think subnet router. If you want “my laptop’s web traffic leaves through my home server,” think exit node.
What is a Tailscale exit node?
An exit node is a device in your tailnet that can route other devices’ public internet traffic. Tailscale describes this as routing traffic through default routes, similar to a traditional VPN path.
Use an exit node when the client’s internet egress location matters. Common examples include working on untrusted Wi-Fi, testing how a service looks from another location, or sending traffic through a known network.
An exit node is not primarily a way to expose an office subnet. It changes where the client’s outbound internet traffic goes.
What is a Tailscale subnet router?
A subnet router is a Tailscale device that advertises routes to non-Tailscale devices on a private subnet. Tailscale’s docs describe it as a gateway between your tailnet and devices that cannot or do not run the Tailscale client.
Use a subnet router when you need tailnet users to reach private IPs behind a router:
- printers or cameras that cannot run Tailscale;
- a NAS on a home or office LAN;
- a cloud VPC subnet;
- a legacy app server with no client installed.
Subnet routers extend access. That makes route scope and access-control policy important.
The simple decision rule
Choose based on the destination, not the feature name.
| Need | Better fit | Why |
|---|---|---|
| Route a laptop’s internet traffic through another device | Exit node | It handles default-route style egress |
| Reach a private LAN from Tailscale devices | Subnet router | It advertises private subnet routes |
| Give users SSH to a Linux server running Tailscale | Direct Tailscale node access | No subnet routing needed if the server runs Tailscale |
| Reach a printer that cannot run Tailscale | Subnet router | The router bridges the tailnet to the LAN |
| Make a public web app available | Usually not either by itself | Consider Cloudflare Tunnel, reverse proxy, or public hosting policy |
This also explains why subnet routers are powerful. They can make many non-Tailscale devices reachable through one approved node.
What are the security mistakes?
The biggest mistake is advertising too much network. “Whole LAN” routing is convenient, but it can grant access to devices that were never meant to be part of the remote-access plan.
Better defaults:
- advertise the smallest useful subnet;
- use Tailscale access controls instead of relying on trust by presence;
- keep connector device keys from expiring unexpectedly if the router is production-critical;
- monitor whether routes are reachable;
- avoid combining routing roles casually.
Tailscale notes that subnet routers use source NAT by default, and that disabling it on Linux changes return-routing requirements. That is an advanced design choice, not a first-day checkbox.
Where does this fit with SSH and small teams?
If your target is a Linux server that can run Tailscale, do not overbuild. Install Tailscale on the server and let authorized tailnet users reach that node directly.
A subnet router is for the devices behind the server or gateway. An exit node is for routing client internet traffic. Tailscale SSH is a separate access model for SSH authorization and policy.
For a small-team access model, compare this page with Tailscale for Linux servers, Tailscale SSH vs SSH keys, and the secure remote access decision hub.
FAQ
Can one device be both an exit node and a subnet router?
Technically, designs can overlap, but do not combine roles unless you understand the routing and policy consequences. Keep the first design simple.
Does a subnet router expose my LAN to the public internet?
Not by itself. It makes the subnet reachable to permitted tailnet clients according to your Tailscale configuration and access controls.
Should I install Tailscale on every device instead?
When possible, direct Tailscale installation is usually simpler and more precise. Subnet routers are for devices or networks where direct installation is not practical.
Sources
- Tailscale Docs: Subnet routers
- Tailscale Docs: Exit nodes
- Tailscale Docs: Access control and key expiry concepts