A hands-on walkthrough of setting up a Tailscale exit node on a minimal Proxmox LXC container and verifying it with traceroute. Covers how Tailscale's control plane sits atop WireGuard, how routing changes on the client when an exit node is enabled, NAT hole-punching and DERP relay fallback, why Tailscale can offer a free tier (traffic bypasses their servers), trust boundaries at the cafe router vs exit node, split DNS with AdGuard for internal domains, and the difference between exit nodes and subnet routers. Includes Proxmox-specific LXC config for /dev/net/tun access and IP forwarding setup.
Table of contents
What is an exit node for?
Under the hood
Why Your Traffic Doesn’t Hit Tailscale (And Why This Can Be Free)
Packet Walk: One Request End to End
How I Verified It on My Setup
Exit Node Internals: Forwarding, NAT, and Return Path
Trust Boundaries
Side Effect I Actually Like: AdGuard Visibility
DNS Behavior with Exit Nodes
Exit Node vs Subnet Route
Conclusion
References