I am toying with the idea of using one of my Tailscale instances as traditional VPN, using the exit node features. I think I have that part down to a note as far as what has to be done in order for this to happen.
My question is if there are any security risks or security provisions that need to be made to keep the envelope secure. I am the only user of my Tailscale network, so I don’t have to worry about another user jacking things up. However, I am concerned about the implications of the visibility of the exit node I would be connecting to.


I loved Tailscale for about a year but am moving away from it because having multiple exit nodes with each redirecting traffic via commercial VPNs with DNS-based ad blocking and App Connectors grew way too complex.
I’m not saying you’re doing all this, but if you do get to a point where you’re directing traffic to multiple countries, Tailscale turns into a nightmare to manage.
What are you moving away to? I’m assuming you’re still keeping your VPNs and DNS ad-blockers etc?
I’m just using WireGuard on a VPS with multiple interfaces. I’m still doing heavy ad/tracking blocking via DNS too.
As for App Connectors I’m working on a script (compiled program hopefully down the road) that can query a specific hostname using a specific interface (say, a US-only website using DNS over a US-based VPN) then create a virtual IP address that directs to that same IP using the correct tunnel.
My reasoning for the virtual IP address is that I don’t want to redirect every website on the host to the other tunnel—lots of servers have an array of websites on them.
What I found disappointing about Tailscale is I had to do a lot of “hacks” to make things work—DNS on each exit node had to match perfectly (despite using different exit tunnels)—then the shit would only work like 20% of the time. One day traffic for the US tunnel worked, the next day it was going out of the exit node. I also never got it working correctly in Docker so I was running multiple VPS servers.
If I remember correctly with App Connectors your client would query the App Connector for the domain, then it would return an IP address. The IP address would be set up to always go through the defined exit node. So if your DNS was off or you were accessing another website on the same server you were screwed. On top of that, it just didn’t work.
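As an added example (not code from the thread or from Tailscale), here is a sketch of the approach the reply above describes: resolve a hostname with a DNS query sent from a tunnel's own local address, so the lookup leaves over that tunnel, then generate the commands that send only a chosen virtual IP (not the real server IP) through the tunnel. It assumes a source-address `ip rule` already routes the tunnel's address via its table, that the tunnel is a WireGuard interface named `wg-us` with routing table 100, and that the local resolver answers the hostname with the virtual IP; all of those names and the 192.0.2.x addresses are assumptions.

```python
import random, socket, struct

def build_a_query(hostname, txid):
    """Minimal DNS A query: header with RD set, QNAME labels, QTYPE=A, QCLASS=IN."""
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) DNS name and return the new offset."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer (2 bytes) ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_answers(msg, txid):
    """IPv4 strings from the answer section; reject txid mismatch, non-responses, RCODE != 0."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("rejected DNS message")
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve_via(hostname, resolver, bind_addr):
    """Send the query from bind_addr (the tunnel's local address) so it leaves via that tunnel."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, 0)); s.settimeout(3)
        s.sendto(build_a_query(hostname, txid), (resolver, 53))
        return parse_a_answers(s.recv(512), txid)

def virtual_ip_cmds(virtual_ip, real_ip, tunnel="wg-us", table=100):
    """Assumed iptables/ip-rule layout (names are hypothetical): only traffic to the virtual IP
    is marked, DNATed to real_ip and rerouted via the tunnel's table; real_ip itself keeps its
    normal route, so other sites hosted on that server are unaffected."""
    return [f"ip route add default dev {tunnel} table {table}",
            f"ip rule add fwmark {table} table {table}",
            f"iptables -t mangle -A OUTPUT -d {virtual_ip} -j MARK --set-mark {table}",
            f"iptables -t nat -A OUTPUT -d {virtual_ip} -j DNAT --to-destination {real_ip}"]
```

The transaction-id and RCODE checks in `parse_a_answers` are what keep a stray or spoofed reply from being turned into a route.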