How to Configure GL.iNet Router to host Tailscale Exit Node

Background

Many GL.iNet routers come with a built-in Tailscale application, bringing the power of this P2P mesh VPN to your fingertips. However, the current official implementation is in the preliminary stages and does not yet expose a UI option to toggle "Exit Node" functionality.

Many users want their router to act as an Exit Node (routing all internet traffic from their phone or laptop through their home router). This tutorial demonstrates how to enable this function via SSH, how to preserve the setting during firmware upgrades, and how to revert the changes.


Important Note / Disclaimer:
The configuration outlined in this tutorial involves manual modification of system files via SSH and utilizes features that are currently in a preliminary stage of development.

  • No Official Support: This functionality is not officially supported by GL.iNet at this time. Our customer service and technical support teams are unable to assist with troubleshooting issues related to these specific modifications.
  • Advanced Users Only: This guide is intended for users familiar with command-line interfaces (CLI) and SSH. Incorrect changes to system files may cause network instability or require a firmware reset.
  • Future Updates: As this is an experimental implementation, future firmware upgrades may overwrite these settings or change how Tailscale functions.

Verified Devices & Firmware Compatibility

This method has been specifically tested and verified on the devices listed below. However, generally speaking, any GL.iNet router running firmware version 4.8.x should be compatible with this method.

  • Flint 3 (GL-BE9300): v4.8.3
  • Flint 2 (GL-MT6000): v4.8.3
  • Slate 7 (GL-BE3600): v4.8.1
  • Beryl AX (GL-MT3000): v4.8.1

Prerequisites

Before proceeding, please ensure you meet the following requirements:

  1. SSH Access: You know how to SSH into your router (using PuTTY, Terminal, or PowerShell).
  2. CLI Familiarity: You are comfortable with basic command-line operations and text editors in a UNIX-like environment.
  3. Tailscale Account: You have an active Tailscale account and at least one other device connected to your Tailscale network.

Part 1: Setting up the Exit Node

Step 1: Modify the Router Configuration via SSH

  1. SSH into your GL.iNet router.
  2. Run the following command. This modifies the startup script to enable Tailscale to advertise itself as an Exit Node whenever it starts.
sed -i 's/tailscale up/tailscale up --advertise-exit-node/' /usr/bin/gl_tailscale

Step 2: Enable Tailscale in the Admin Panel

  1. Open your web browser and go to the GL.iNet Admin Panel.
  2. Navigate to Applications -> Tailscale.
  3. Enable Tailscale and bind/login your Tailscale account if you haven't already.
  4. Crucial Step: Ensure that "Allow Remote Access WAN" is enabled.
    • Why? This ensures the firewall zone automatically allows traffic to flow from the Tailscale Zone to the WAN Zone. Without this, the internet on your other devices will not work when connected to the exit node.
    • This will also advertise the WAN subnet as a route, but if you don't need it, you can simply not approve it in the Tailscale Admin Console.


Reference Steps: Screenshot from Flint 3 (BE9300) v4.8.3

Step 3: Approve the Exit Node in Tailscale Console

  1. Go to the Tailscale Admin Console on your computer.
  2. Find your GL.iNet Router in the machines list.
  3. Click the menu icon (three dots) on the right side of the router's entry.
  4. Select Edit route settings.
  5. Check the box labeled "Use as exit node".

Step 4: Connect from Client Devices

On your client device (phone, laptop, etc.):

  1. Open the Tailscale app.
  2. Locate the "Exit Node" option.
  3. Select your GL.iNet router from the list. Your traffic is now securely routed through your router!

Part 2: Persisting Changes (Firmware Upgrades)

By default, the /usr/bin/ directory is overwritten during a firmware upgrade. To ensure your Exit Node modification survives an upgrade, you can add the file to the system upgrade backup list.

Run the following command via SSH:

echo "/usr/bin/gl_tailscale" >> /etc/sysupgrade.conf

To remove this persistence setting later:

sed -i '/\/usr\/bin\/gl_tailscale/d' /etc/sysupgrade.conf

Part 3: How to Revert Changes

If you want to stop using the router as an exit node or return the router to its default state, use one of the options below.

Option 1: Reverse the modification

SSH into the router and run:

sed -i 's/--advertise-exit-node//' /usr/bin/gl_tailscale

Option 2: Restore from ROM (Recommended if Option 1 fails)

If the file is corrupted or Option 1 doesn't work, you can copy the original file back from the read-only memory (ROM):

cp -p /rom/usr/bin/gl_tailscale /usr/bin/gl_tailscale

Reference Documentation

For further research and official guidance, please refer to the following resources:


Cool, thank you.

can this be configured to be used in parallel with a wireguard vpn so my devices use the vpn while connected to the tailscale exit node?

You may refer to this tutorial for configuration, but note that this is an advanced usage. Since it is not yet officially supported, it may be unstable or require frequent maintenance.

I really hope this hack is officially supported by GUI… (at least as hidden advanced option) also running tailscale in AP mode…

GL.iNet Router to host Tailscale Exit Node?
I think this feature may not be far off—it’s already on the roadmap.

Tailscale support in AP mode may not be possible. In this mode, the device should not handle routed traffic, all traffic is forwarded to the main router for processing.


native exit node: glad to hear that!

running in AP mode: i think it’s possible working as an edge device or subnet router.. and i’m already forcing running it on flint2 AP mode :zany_face:

root@flint2:~# cat /usr/bin/gl_tailscale | grep router
sys_mode="router" # $(uci -q get glconfig.general.mode)
if [ "$sys_mode" != "router" ]; then

(ref: Tailscale App no longer running in AP mode - #4 by ikun)

Yes, but as far as I understand, this would require configuring static routes on other devices to forward Tailnet traffic to the flint2 AP. It’s likely a technique intended for more advanced users. :face_with_monocle:

If we place a button there, regular users might misunderstand and assume that this feature works in AP mode without any additional configuration.


I hope chiming in here is OK.

I got GL-MT5000 and went through the basic setup to put it in front of an eero mesh, which I switched to bridge mode - so far everything worked, and the “stuff” that happened behind the eero paywall is visible on the Brume 3.

Next step was to make it a tailscale exit node. That’s where I found this post and followed some of the steps:
as it was already bound to my tailscale but the laptop wasn’t seeing it as an exit node I did ssh and ran
sed -i 's/tailscale up/tailscale up --advertise-exit-node/' /usr/bin/gl_tailscale
then enabled the WAN zone
allowed it in the tailscale admin console to be “Use as exit node” (Note: it complained that Brume 3 is behind on “tailscale 1.80.3-1 (OpenWrt)” and I’ve not searched if I should and how to upgrade it manually)
figured out I might as well make it persistent and ran
echo "/usr/bin/gl_tailscale" >> /etc/sysupgrade.conf

I thought I’d reboot the Brume 3 first before I test if my laptop would see the new exit node and route traffic through it.

Upon reboot, the eero mesh got lost and so did my laptop (don’t beat me up but it’s Easter, I’m remote and I was doing all that via chrome remote desktop, lol). I can’t see any of my home devices so I guess the eero isn’t getting something from the brume but I can’t say what at this point.

Fortunately, now that the brume 3 is reachable via WAN I could ssh into it.

Only that I’m puzzled what the SED cli or the Allow Remote Access WAN could have done to kill the home side of the network and what’s the safest way to fix or revert this today while I’m still remote.

If nothing is obvious, happy to do troubleshooting, and hopefully add Brume 3 to the list above of “compatible but not supported” devices.

Have you seen this beauty from @rthco for the exit node:

https://remotetohome.io/blog/gl-tailscale-fix/

And this one from @admon for the update:


Thanks. @Lastimosa.

@Marv The plugin above actually includes the option for @admon TS tiny binary, the firewall rules setup and persistence across firmware updates for you.


Thanks @Lastimosa @rthco and @admon

All done quickly and nicely.

My laptop has TS and I can select the Brume 3 as an exit node, it seems to work.

Now, the question is… what broke the eero’s bridge mode. My Flint 3, in AP mode, hardwired next to the Brume 3, is also showing offline on goodcloud so it’s not the eero but something else that broke on the Brume 3, maybe before I did any of the TS Exit Node work but I see the issue now as this is when I rebooted (those uptime metrics looked soo good since last century’s early linux boxes lol)


OK, something’s gone wrong with TS… lots of those upon reboot…

Sat Apr 4 17:17:24 2026 daemon.crit dnsmasq[31416]: cannot read /tmp/dnsmasq.d/gl_dpi.confserver=/stork-basking.ts.net/100.100.100.100: No such file or directory
Sat Apr 4 17:17:24 2026 daemon.crit dnsmasq[31416]: FAILED to start up

Any known issues with concurrently using DPI, Tailscale, WireGuard Client and/or AdGuard Home that would bug dnsmasq?

@rthco not sure if you have seen this, but something added at the bottom of /etc/dnsmasq.conf this line

conf-file=/tmp/dnsmasq.d/gl_dpi.confserver=/stork-basking.ts.net/100.100.100.100

and I’m puzzled as it’s a mix of TS and DPI in a single entry

Something new as DPI seems to be officially announced on the Brume 3 (or I can’t find it in any other GL-iNet products’ docs)

@Marv There’s nothing in our plugin that touches /etc/dnsmasq.conf.

That's the GL DPI module writing a TS DNS entry for your TS MagicDNS domain pointing at the TS DNS resolver (100.100.100.100).

Two things jammed into one malformed line. Likely a GL firmware bug where the DPI config generator didn't add a newline between the conf-file directive and the server directive.

You should report to GL. It's most likely their new DPI module writing broken dnsmasq configs.


Thank you for your report.

We have reproduced the issue locally and identified the cause, and it will be fixed in a future release.

For now, please manually edit /etc/dnsmasq.conf to add the line break and then restart dnsmasq to resolve the issue.

vi /etc/dnsmasq.conf

/etc/init.d/dnsmasq restart
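The manual line-break fix described above, scripted as an added example that is not GL.iNet code or part of any post: it finds a `conf-file=` line with a `server=` directive glued onto it and splits it in two, keeping a backup. The function names are hypothetical and the file in `demo` is a constructed sample built around the malformed entry quoted in the thread.

```shell
#!/bin/sh
# Added example (not GL.iNet code): find and split a conf-file= line that has
# a server= directive glued onto it, as in the entry quoted in the thread.

# Print the line numbers of fused lines (empty output means the file is clean).
find_fused() {
    awk '/^conf-file=/ && index($0, ".confserver=/") { print NR }' "$1"
}

# Rewrite the file with each fused line split in two; keep a .bak copy.
fix_fused() {
    cp -p "$1" "$1.bak" || return 1
    awk '{
        i = index($0, ".confserver=/")
        if ($0 ~ /^conf-file=/ && i > 0) {
            print substr($0, 1, i + 4)   # through ".conf"
            print substr($0, i + 5)      # "server=/..." on its own line
        } else {
            print
        }
    }' "$1.bak" > "$1"
}

# Demo on a constructed sample; the last line is the malformed entry.
demo() {
    f=$(mktemp)
    printf '%s\n' 'domain-needed' \
        'conf-file=/tmp/dnsmasq.d/gl_dpi.confserver=/stork-basking.ts.net/100.100.100.100' > "$f"
    echo "fused at line: $(find_fused "$f")"
    fix_fused "$f"
    cat "$f"
    rm -f "$f" "$f.bak"
}
demo
```

On the router, run `fix_fused /etc/dnsmasq.conf` in place of `demo`, then restart dnsmasq as described above.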

Thanks for taking a note of my report and fixing it @will.qiu

A side note on the use of sed that might be something I carry from my past. While troubleshooting I’d normally comment out the suspected line, duplicate it and try the steps in these notes. In this case running “sed -i 's/--advertise-exit-node//' /usr/bin/gl_tailscale” doesn’t account for the commented out line and “fixes” both.

Adding a check for lines starting with # would add to the perfection of the product, if not too much work.
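The enable and revert one-liners from the tutorial, reworked so that they skip lines starting with `#` (the point raised in the post above) and can be run more than once without stacking the flag. This is an added example, not GL.iNet code or part of any post; the function names are hypothetical, the file in `demo` is a constructed stand-in for /usr/bin/gl_tailscale, and it assumes the router's sed and grep accept the same options as the GNU tools.

```shell
#!/bin/sh
# Added example (not GL.iNet code): comment-aware, repeatable enable/revert.
FLAG='--advertise-exit-node'

# Add FLAG to active "tailscale up" lines. Comment lines and lines that
# already carry FLAG are skipped, so repeated runs do not stack the flag.
enable_exit_node() {
    sed -i -e '/^[[:space:]]*#/b' -e "/$FLAG/b" \
        -e "s/tailscale up/tailscale up $FLAG/" "$1"
}

# Remove FLAG from active lines only; commented-out copies stay as written.
disable_exit_node() {
    sed -i -e '/^[[:space:]]*#/b' -e "s/ $FLAG//" "$1"
}

# Count active (non-comment) lines that carry FLAG.
active_flag_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -e "$FLAG" || true
}

# Demo on a constructed stand-in for /usr/bin/gl_tailscale.
demo() {
    f=$(mktemp)
    printf '%s\n' '#!/bin/sh' \
        '# tailscale up --advertise-exit-node   (troubleshooting copy)' \
        'tailscale up --accept-routes' > "$f"
    enable_exit_node "$f"
    enable_exit_node "$f"          # second run is a no-op
    echo "active lines with flag after enable: $(active_flag_count "$f")"
    disable_exit_node "$f"
    echo "active lines with flag after revert: $(active_flag_count "$f")"
    cat "$f"                       # the commented-out copy is unchanged
    rm -f "$f"
}
demo
```

On the router, call `enable_exit_node /usr/bin/gl_tailscale` or `disable_exit_node /usr/bin/gl_tailscale` in place of `demo`.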

Thank you for your suggestion.

However, we have already planned to integrate this feature into the v4.9 firmware, so this document will likely no longer be updated.
