Like anything there are a lot of different ways to set it up, and some ways WILL funnel 100% of traffic through a Tailscale exit node, for instance, which would be slower. Sometimes people want to use Exit Nodes for 100% of traffic at cafes, etc, where they don't want the host sniffing their DNS or other traffic.
But you can also set it up that only Tailscale addresses/traffic go through the Tailscale tunnel, and everything else just hits the normal DNS/workflow.
All depends on how you set it up.
EDIT: It is also a really slick way to expose external services to the internet without hosting a reverse proxy, IPS, etc. But that is another more advanced Tailscale topic, and I've already added too much OT info in this thread.
yes i know i have read all the articles but if look closely tailscale is a custom version of wireguard. so those machines that are funneling through tailscale if you choose not to do your whole network will be slowed down somewhat. but that is true with any vpn or hybrid vpn (which tailscale is) solution.
Just saying.
and unfortnatley the things i want to reach wont run tailscale like my apc network card or kasa switches etc. so i would have to redirect the entire network to reach some of my devices..
Sure if a direct connection between the nodes can not be made (common in CGNAT) then the data will flow through a Tailscale server which is slower. But in situations where a direct connection can't be made between the two nodes (again, common in CGNAT) then you have little choice but to broker the connection through something external.
If you have enough control over the network to get direct connections to work in the 1st place, then you likely can configure it to allow Tailscale direct connections, too, and wouldn't have slowdown.
For things that you can't install Tailscale on, you just setup a Tailscale Exit Node on your network. Then you can get to anything on your internal network whether it is directly running Tailscale or not. For example, I only have 1 node running Tailscale on my home network (my Exit Node), and can get to 100% of my assets remotely just fine (NAS, Proxmox, SSH to any device, etc.).
But I'm not here trying to sell Tailscale. There are a zillion ways to get remote access, all of which have pros and cons. No worries!
can you only speficy what devices use the exit not as i said i dont want everything going out that node as it slows stuff down..
from my reading this is the only solution i found.. a secondary router running tailscale and a separate vpned subnet with those devices on it.'
ie
from my reading no exit nodes like i said route everything out thus causing slowdowns.. i can already do that over my own openvpn conduit or wireguard i have both on my merlin router.. but choose not to..
I will look more into the subnet for tailscale but again i can probably do that my self bu setting up a second subnet and router put all wifi switches and apc card on it i want to reach and setup my own wireguard always up vpn and configure it to send all traffic on the subnet through the conduit.
I am new to Tailscale (thanks @jtp10181 for the suggestion).
It was the most trivial install ever.
I added subnet routing to one RPi running Tailscale and voila. No slowdowns whatsoever, existing traffic going through the usual route, only vpn traffic going through the RPi. No need for an exit node.
I made a mess of the conversation - sorry. You are right, while using a device configured to use an Exit Node all traffic is routed through the Exit Node. You can configure local lan traffic on the remote node to not go through the Exit Node, of course.
I turn on/off using the Exit Node when remote depending on whether I want to connect to all my home lan devices that do not have Tailscale installed or not, or if I want more internet privacy/dislike the internet filters on the network I'm on.
For the devices on my home lan that do not have Tailscale installed (NAS, servers, etc), their speed is unaffected by Tailscale at all - except the traffic that needs to talk to a remote Tailscale device as that would have to be relayed or go through the Exit Node [if the remote device is what initiated the communication].
Is it possible your router isn't capable of higher speeds when connected through a VPN? While I use a tailscale subnet on my server I don't funnel everything through it, I do funnel everything through proton VPN directly on router. My old router could only handle around 500mbps but the new one can do 950mbps out of my 1 gig service. It seems it takes a lot of processing power (relatively) to run wireguard at higher speeds.
I tried twingate but couldn't get it to work. By chance do you use Android phone? If so have you tried to run twingate at the same time as a commercial vpn for privacy? My dream is to be able to stay behind my vpn while still using an overlay network. It doesn't work with tailscale but twin gate markets itself as something different, though my assumption is it is still just a VPN being marketed as something else.
i got tailscale working on my glinet router at our cottage that is behind cgnat on starlink and was able to configure it as a subnet router (even though it is on the same subnet as my main router) and exit node.
i was then able to reach (when i brought tailscale up on my laptop) the other devices such as my main router and my ecowitt weatherstation (to update firmware).
and the main router does have my own full time up openvpn to my mich house.
if you want a different vpn up and tailscale i think you can do what i did.
have two routers.. a main router and a secondary router like my glinet .
i did have a little trouble getting tailscale to work on the glinet .. install went fine.. but it is running in access point mode so i only have one subnet.. so i had to use the tailscale command line on it to configure and bring up tailscale.. luckly glinets also have their own cloud connection (goodcloud) that when enabled allows remote access to the router via web or ssh window. so i got on the ssh window and configured tailsscale.
main router is 192.168.50.1
glinet is 192.168.50.3
I'm still playing with it. haven't gotten it working yet. I will say they give you a TON of infmoration on how to set it up, but its a mess that just sorta leads you from one rabbit hole to the next.
No i use an iPhone now. I have wire guard set up and it's working fine. It was much easier to set up and use than OpenVPN or Asus Instant guard. Trying to set up twingate is just sort of a side project to see if I can do it. I have a few of those happening currently. In general, I'm trying to learn more in regard to security and networking. so im picking up more and more of these little projects.
Blocks some of the view in its likely location, lol.
Hopefully the hub will be able to talk to the driveway gate Ecolink contact sensor from there.
There's also a probable floor drilling operation involved for the Envisilink cable.
I haven't plugged it in yet; that's for tomorrow.
So much for starlink. I will be dropping them as thay are lying ba*tards.
I have been in an undersubscribed and excess capacity area for going on two years so they were charging me a reduced $90 per month rate.
And in that time they launched many more satellites in my latitude ring and i have only seen or heard of one other subscriber in my rural area.
Suddenly overnight i am in a limited capacity area and they are rising my rate 33% or $30 to $120.
Their excuse:
Hello Laurence,
Each service area has a different capacity limit that our satellites can support and is not based on the population of the area. Though we do not have more detailed information to share, as we launch more satellites into orbit and improve our software, we will continuously re-evaluate our capacity. Starlink may adjust prices over time to reflect market conditions and changes to network capacity.
You can view the steps to cancel your account when you're ready here: [Help Center](h
