I Traced My Traffic Through a Home Tailscale Exit Node

An in-depth look at setting up a Tailscale exit node on a home server, exploring routing mechanics, NAT traversal, and why Tailscale's mesh architecture differs from traditional VPNs.
I set up Tailscale years ago but only used it for “reach my own devices” use cases. This week I finally set up a proper home exit node: a tiny dedicated LXC on my Proxmox box (1 vCPU, 512 MB RAM, basically just Tailscale).
To verify it worked, I pinged my home servers and they responded. But I wanted to understand this more deeply, so I turned to traceroute.
The 7th hop is where the cogs in my brain began turning. That’s my home ISP. So this is like a VPN, right? Or is it different?
What is an exit node for?
Without an exit node, Tailscale sends traffic to my Tailscale devices, but normal web traffic goes out through my local network or ISP. With an exit node enabled, my device changes its default internet path to a chosen device, which then sends traffic to the internet for me.
For internet traffic, an exit node behaves like a traditional VPN gateway, with one caveat: Tailscale isn’t always a tunnel for all of a device’s traffic, but exit-node mode is. Without an exit node, we only get reachability for the services we have exposed on Tailscale. With an exit node, our device is effectively in full-tunnel VPN mode for internet traffic.
The traffic to the exit node is encrypted, and websites we access see the exit node’s public IP, not the IP of the ISP we are currently connected to on our device.
Under the hood
Before getting into routing, I want to cover how Tailscale connects devices in the first place. I’ve been comparing it to a VPN, but Tailscale is really a mesh network with a control plane on top of WireGuard. WireGuard by itself is mostly the data plane. Tailscale adds the control plane on top: identity/SSO, peer discovery, NAT traversal coordination, ACL distribution, route distribution, MagicDNS, and fast device revocation.
When two devices connect, the flow looks like this:
- Both devices (client + exit node) authenticate to Tailscale’s control plane.
- Control plane shares each peer’s reachable endpoints and keys.
- Both peers send UDP packets to each other to do NAT hole-punching.
- If punch-through succeeds, they establish a direct WireGuard-encrypted path.
- If direct fails, they fall back to DERP relay (still end-to-end encrypted).
Imagine your phone in a cafe and your home server are both behind routers. NAT is like a front desk that tracks who went out, but does not let random outsiders walk in directly. Hole-punching tries to make both sides “step out” at the same time so their routers allow a path back in. If that timing or mapping fails, DERP acts as a neutral meeting point.
How routing changes on your device
At a route level, enabling an exit node usually does the following:
- Tailscale accepts the exit node’s advertised default routes (0.0.0.0/0 and ::/0).
- It installs policy routes so internet-bound traffic goes to the Tailscale tunnel interface (tailscale0, utun, or Wintun).
- It adds an “escape hatch” route for the exit node’s own public IP via your normal gateway, so the tunnel transport itself doesn’t loop.
On Linux, Tailscale uses kernel policy routing (ip rule + a separate route table) to steer default traffic, while exempting tunnel transport to avoid loops. This differs from OpenVPN, which often rewrites the main routing table using specific subnet masks.
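To make the Linux side of this concrete, here is a small check script I added (my own example, not code from the original post or from Tailscale). It assumes the layout tailscaled installs on a typical Linux client: a dedicated route table 52 for Tailscale routes, and fwmark 0x80000 bypass rules that send tailscaled’s own transport packets to the main table before the table-52 lookup, which is how the tunnel avoids routing its own UDP back into itself. The two `ip` outputs below are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that an exit-node client's
# Linux policy-routing state matches the description above: a default route in
# Tailscale's own table (table 52) and fwmark bypass rules ahead of it, so the
# encrypted transport to the exit node is never looped back into the tunnel.
# Both samples are constructed, not captured from a live machine.

SAMPLE_RULES='0: from all lookup local
5210: from all fwmark 0x80000/0xff0000 lookup main
5230: from all fwmark 0x80000/0xff0000 lookup default
5250: from all fwmark 0x80000/0xff0000 unreachable
5270: from all lookup 52
32766: from all lookup main
32767: from all lookup default'

SAMPLE_TABLE52='default dev tailscale0
100.64.0.0/10 dev tailscale0
100.100.100.100 dev tailscale0'

# Priority of the first rule in listing $1 whose text contains $2 (empty if none).
rule_prio() {
    printf '%s\n' "$1" | awk -v pat="$2" 'index($0, pat) { sub(":", "", $1); print $1; exit }'
}

# Exit-node mode on: table 52 carries a default route over the tunnel interface.
tunnel_has_default() {
    printf '%s\n' "$1" | grep -q '^default dev tailscale0'
}

# Loop protection: the marked-packet bypass to the main table must have a lower
# (earlier) priority number than the catch-all lookup of table 52.
bypass_precedes_tunnel() {
    bypass=$(rule_prio "$1" 'fwmark 0x80000/0xff0000 lookup main')
    tunnel=$(rule_prio "$1" 'lookup 52')
    [ -n "$bypass" ] && [ -n "$tunnel" ] && [ "$bypass" -lt "$tunnel" ]
}

# Overall verdict: prints one line per check and returns 0 only when both hold.
check_exit_node_routing() {
    rules=$1; table=$2; ok=0
    if tunnel_has_default "$table"; then echo "ok: default route via tailscale0 in table 52"
    else echo "missing: no default route in table 52 (exit node not active?)"; ok=1; fi
    if bypass_precedes_tunnel "$rules"; then echo "ok: fwmark bypass rules precede the table 52 lookup"
    else echo "missing: transport bypass rule; tunnel traffic could loop"; ok=1; fi
    return $ok
}

# On a live client, feed it real output: "$(ip rule show)" and "$(ip route show table 52)".
check_exit_node_routing "$SAMPLE_RULES" "$SAMPLE_TABLE52"
```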
Why Your Traffic Doesn’t Hit Tailscale (And Why This Can Be Free)
Tailscale’s coordination service is primarily control plane, not packet-hauling data plane. It helps devices find each other, but your actual traffic goes directly peer-to-peer whenever possible. For exit nodes, the normal path is: client -> exit node -> internet.
This is why Tailscale can offer a free tier while traditional VPN providers charge for bandwidth. A traditional VPN provider pays for all the bandwidth you use because your traffic routes through their servers. In Tailscale’s model, my home ISP and exit-node machine carry the egress traffic, not Tailscale’s infrastructure.
Compared to commercial VPNs like Nord or Mullvad, you are paying for global exit locations and zero setup. With a Tailscale exit node at home, the bandwidth cost is zero beyond what you already pay your ISP, but you only exit from one location.
Source: Hacker News