Step 6 of the series: Bypass internet restrictions and protect your privacy on public Wi-Fi
In this part of the series, each step of the setup script from the previous article is explained in detail.
If you’re not interested in the technical background, you can skip this part.
The numbering of the individual points refers to the section in the script.
1. No variables are needed here.
2. Enable forwarding in UFW
Open the file /etc/default/ufw and change DEFAULT_FORWARD_POLICY to ACCEPT:
DEFAULT_FORWARD_POLICY="ACCEPT"
3. Enable postrouting for NAT
Edit /etc/ufw/before.rules and insert the following before the first *filter line:
*nat
:POSTROUTING ACCEPT [0:0]
# Tailscale NAT (Exit Node)
-A POSTROUTING -s 100.64.0.0/10 -o ens3 -j MASQUERADE
COMMIT
Here, ens3 is your external interface (check with ip a). The source range 100.64.0.0/10 is the CGNAT block Tailscale assigns to tailnet peers, so only traffic arriving from the tailnet is masqueraded.
4. Adjust UFW rules
UFW does not need to explicitly allow Tailscale traffic as long as Tailscale itself is functioning, but to ensure clients are allowed to route through:
# Allow routed traffic from Tailscale to external interface
sudo ufw route allow in on tailscale0 out on ens3
5. Allow IP forwarding via sysctl
To use the new Tailscale client as an exit node, IP forwarding must be enabled. Create the file /etc/sysctl.d/90-tailscale.conf:
sudo nano /etc/sysctl.d/90-tailscale.conf
with the following contents:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Then activate the kernel parameters:
sudo sysctl -p /etc/sysctl.d/90-tailscale.conf
6. Optimize performance using ethtool
More information about these performance settings can be found in the Tailscale Performance best practices.
By default, networkd-dispatcher is enabled on Ubuntu 24.04. You can verify this with:
sudo systemctl is-enabled networkd-dispatcher
Output
enabled
Now create a script that runs every time the server starts and optimizes throughput for Tailscale as an exit node:
printf '#!/bin/sh\n\nethtool -K %s rx-udp-gro-forwarding on rx-gro-list off \n' "$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")" | sudo tee /etc/networkd-dispatcher/routable.d/50-tailscale
sudo chmod 755 /etc/networkd-dispatcher/routable.d/50-tailscale
The following commands apply the ethtool settings immediately and verify that the script executes without error:
sudo /etc/networkd-dispatcher/routable.d/50-tailscale
test $? -eq 0 || echo 'An error occurred.'
7. Restart UFW
Reload UFW to apply all settings:
sudo ufw reload
8. Restart Tailscale with the --advertise-exit-node flag
Finally, stop Tailscale and start it again with the --advertise-exit-node option:
sudo tailscale down
sudo tailscale up --advertise-exit-node
This completes the configuration of kernel parameters and the firewall, and enables your machine to be used as a Tailscale exit node. Note that advertising the exit node is not enough on its own: an administrator still has to approve it in the Tailscale admin console before other devices can select it.
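As an added example (not the series' own setup script), the steps above can be packaged as a set of idempotent shell functions. Each function takes the file it edits as an argument, so the logic can be dry-run on temporary copies without root; apply_exit_node wires them to the real paths named in the article. Two details go beyond the text: the NAT block is inserted only once even if the function runs again, and the interface name is taken from the token after "dev" in the ip route output rather than from a fixed field position, because the "via <gateway>" part is absent for directly connected destinations and shifts the field numbering. The function names and the 'apply' argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent helpers for the Tailscale exit-node steps.
# Paths used by apply_exit_node are the ones from the article; function
# names are this example's own.

# Step 6 helper: interface from one line of "ip -o route get <addr>" output.
# Reads the token after "dev" instead of assuming it is field 5.
iface_from_route() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Step 2: set DEFAULT_FORWARD_POLICY to ACCEPT in the given ufw defaults file.
set_forward_policy() {
    sed 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Step 3: insert the *nat table before the first *filter line, exactly once.
# $1: path to before.rules, $2: external interface
insert_nat_block() {
    grep -q 'Tailscale NAT (Exit Node)' "$1" && return 0
    awk -v iface="$2" '
        !done && /^\*filter/ {
            print "*nat"
            print ":POSTROUTING ACCEPT [0:0]"
            print "# Tailscale NAT (Exit Node)"
            print "-A POSTROUTING -s 100.64.0.0/10 -o " iface " -j MASQUERADE"
            print "COMMIT"
            print ""
            done = 1
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of *nat tables in a rules file; a second table would break ufw reload.
nat_table_count() {
    grep -c '^\*nat' "$1"
}

# Step 5: write the sysctl drop-in enabling IPv4 and IPv6 forwarding.
write_sysctl_conf() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' > "$1"
}

# Step 6: generate the networkd-dispatcher hook for the given interface.
# $1: hook path, $2: interface
write_dispatcher_hook() {
    printf '#!/bin/sh\n\nethtool -K %s rx-udp-gro-forwarding on rx-gro-list off\n' "$2" > "$1"
    chmod 755 "$1"
}

# Steps 2 to 8 against the live system; requires root.
apply_exit_node() {
    [ "$(id -u)" -eq 0 ] || { echo 'apply_exit_node must run as root' >&2; return 1; }
    iface=$(iface_from_route "$(ip -o route get 8.8.8.8)")
    [ -n "$iface" ] || { echo 'could not determine external interface' >&2; return 1; }
    set_forward_policy /etc/default/ufw
    insert_nat_block /etc/ufw/before.rules "$iface"
    ufw route allow in on tailscale0 out on "$iface"
    write_sysctl_conf /etc/sysctl.d/90-tailscale.conf
    sysctl -p /etc/sysctl.d/90-tailscale.conf
    write_dispatcher_hook /etc/networkd-dispatcher/routable.d/50-tailscale "$iface"
    /etc/networkd-dispatcher/routable.d/50-tailscale
    ufw reload
    tailscale down
    tailscale up --advertise-exit-node
}

# Run the live configuration only when explicitly asked: sh exit-node.sh apply
case "${1:-}" in
    apply) apply_exit_node ;;
esac
```

Run it as `sudo sh exit-node.sh apply`; sourcing the file without the argument only defines the functions, which is what makes them testable on copies of the config files first.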