Disclaimer: This project demonstrates a technical approach for routing traffic through Tailscale. It does not provide any proxy tools or services.
Run a Tailscale exit node in a Docker container, transparently forwarding Tailnet traffic to the host SOCKS5 proxy via redsocks + iptables.
```
Client → Tailscale tunnel → tailscale0 (container)
       → iptables NAT REDIRECT → redsocks (port 12345)
       → SOCKS5 → host proxy (host.docker.internal:7890) → Target
```
Private address ranges bypass the proxy (RETURN):
0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16,
224.0.0.0/4, 240.0.0.0/4
UDP port 443 (QUIC/HTTP3) is REJECTED in the FORWARD chain to force TCP fallback.
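
A dry-run sketch of the rule set described above, added here as an example; it is not the project's `entrypoint.sh`. The chain name `REDSOCKS` and the `--apply` switch are assumptions made for this sketch; the interface, port and bypass ranges are the ones listed above.

```shell
#!/bin/sh
# Added example: NOT the project's entrypoint.sh. Prints the iptables commands
# for the rule set described above; pass --apply (as root, inside the
# container) to execute them instead of printing.

TS_IF="tailscale0"        # interface named on this page
REDSOCKS_PORT=12345       # redsocks listener named on this page
CHAIN="REDSOCKS"          # assumption: custom chain name chosen for this sketch

# Destinations that must never be sent to the proxy (list from this page).
BYPASS_NETS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8
169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

emit_rules() {
    echo "iptables -t nat -N $CHAIN"
    # RETURN rules go first: the first matching terminating rule wins, so a
    # bypass range placed after the REDIRECT would never be reached.
    for net in $BYPASS_NETS; do
        echo "iptables -t nat -A $CHAIN -d $net -j RETURN"
    done
    # All remaining TCP destinations are handed to the local redsocks port.
    echo "iptables -t nat -A $CHAIN -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT"
    # Only traffic arriving from the tailnet is sent through the chain.
    echo "iptables -t nat -A PREROUTING -i $TS_IF -p tcp -j $CHAIN"
    # The REDIRECT above is TCP-only; rejecting UDP 443 in the filter table
    # makes QUIC clients fall back to TCP instead of leaving unproxied.
    echo "iptables -A FORWARD -i $TS_IF -p udp --dport 443 -j REJECT"
}

if [ "${1:-}" = "--apply" ]; then
    emit_rules | sh -e
else
    emit_rules
fi
```

After applying, `iptables -t nat -S REDSOCKS` should list the nine RETURN rules ahead of the REDIRECT.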
- A SOCKS5 proxy running on the host, listening on `0.0.0.0:7890` (or modify the port in `redsocks.conf`)
- Docker
- Tailscale Auth Key
```
cp .env.example .env
# Edit .env, set TS_AUTHKEY
docker compose up -d
```

The container advertises itself as an exit node via `TS_EXTRA_ARGS=--advertise-exit-node`.
- Open the Tailscale Admin Console
- Find `macmini-docker-exit`, click `...` → Edit route settings
- Approve the `0.0.0.0/0` route (full traffic exit)
- Click Use as exit node to make it available as an exit option
| Platform | Steps |
|---|---|
| macOS | Menu bar Tailscale icon → Exit Node → select macmini-docker-exit |
| iOS / Android | In-app Exit Node menu → select macmini-docker-exit |
| Windows | System tray Tailscale icon → Exit Node → select macmini-docker-exit |
| Linux | tailscale set --exit-node=macmini-docker-exit |
Once selected, all outbound traffic from that device flows through the Tailscale tunnel to the container, then via iptables → redsocks → host proxy to the target.
| File | Purpose |
|---|---|
| `redsocks.conf` | Set `port` to the host proxy port; `type` supports `socks5`/`http-connect`/`http-relay` |
| `docker-compose.yaml` | `hostname` sets the Tailnet display name; `TS_EXTRA_ARGS` for additional tailscale flags |
| `entrypoint.sh` | iptables rules — modify to whitelist additional subnets |