
FR: Automatically use an Exit Node on Untrusted/New Wifi Networks #3302

Open · jdgiddings opened this issue Nov 15, 2021 · 40 comments

Labels: exit-node (Exit node related), fr (Feature request), L3 (Some users; Likelihood), P1 (Nuisance; Priority level), T0 (New feature; Issue type)

Comments

@jdgiddings commented Nov 15, 2021

Tell us about your idea!

Automatically begin using an Exit Node on Untrusted/New Wifi Networks

What are you trying to do?

I would like Tailscale to (optionally) automatically start using a specified exit node when the device is connected to a new wifi network, and push a notification to the user that this happened, with the option to trust this wifi network.

How should we solve this?

For the user interface, a simple on/off toggle, however that is handled on the platform. Similar to "Allow local network access" on Windows, --exit-node-allow-lan-access on Linux. For mobile platforms, perhaps a toggle switch in the "Use exit node..." menu in the app

The actual implementation should be really simple. Store a list of trusted wifi networks (SSID is a poor identifier as it's not unique but is likely the best available option), and when the device connects to a wifi network check the SSID against the stored list and if not found, begin using an exit node

Some 'nice to haves':

  • Turn the setting on/off by default in the admin panel
  • Add/remove trusted networks globally via the admin panel

What is the impact of not solving this?

Currently I am asking users to manually select an exit node on public wifi networks. This requires users to:

  • care about security (not a given!)
  • remember to select an exit node
  • know what is and isn't public/untrustworthy wifi

Having Tailscale automatically secure traffic would make the whole networking and VPN experience that much smoother and more secure

Anything else?

No response

@jdgiddings jdgiddings added fr Feature request needs-triage labels Nov 15, 2021
@DentonGentry DentonGentry added exit-node Exit node related L3 Some users Likelihood P1 Nuisance Priority level T0 New feature Issue type and removed needs-triage labels Nov 20, 2021
@freezscholte

This would be a really nice and needed feature on our side. Besides names of Wifi networks or network IP ranges, I would also add an option to set a trusted network based on the MAC address of the gateway in that network. For Wifi you could keep it simple and do the check based on SSID. We tested Perimeter81 and they also included this option.
@DentonGentry any updates on this feature, and whether it's assigned to be developed yet?

@DentonGentry (Contributor)

I promise that we will update the bug if work begins in earnest. This is not currently at the top of the list to work on.

@mato commented May 5, 2022

To add my motivations for this from #4615

  • When roaming and thousands of miles away from the home network, the additional latency introduced by using an exit node is not always worth it, and security-wise I consider the cell operator's tunnel back to the home network "good enough".
  • In environments where battery use is a concern, it'd similarly be nice to minimise this when on a trusted network (cell or Wifi).

@cliss commented May 26, 2022

Just to throw in my $0.02:

I already run a WireGuard VPN on a Raspberry Pi thanks to PiVPN, but wanted to try out TailScale since everyone I know won't stop talking about how great it is. 😆

There is a lot to like about TailScale, but one of my favorite WireGuard features is on-demand activation. I have my WireGuard VPN set up such that any time I'm not on my home WiFi, it will automatically connect to my home VPN. Here's the macOS interface:

[screenshot: Screen_Shot_2022-05-25_at_8_57_09_PM]

The same is possible on iOS as well.

I know TailScale is more of a "network extender" than a "traditional" VPN, but exit nodes get me 98% of the way to feature parity with WireGuard. If I could only have automatic exit node activation, I could ditch WireGuard entirely.

@mihaip (Contributor) commented May 26, 2022

If Shortcuts support was available (#2504) this could be implemented in terms of a Wi-Fi trigger.

@Janov911 commented Jul 2, 2022

The WireGuard app on iOS has this feature, making it a very versatile implementation. It would be great if the Tailscale apps included something similar.

@doughnet commented Jul 7, 2022

Agree this is a very useful feature. It allows for set and forget ... without needing to manually go enable VPN when hopping onto an unknown Wi-Fi.

@ste7enm commented Sep 15, 2022

> There is a lot to like about TailScale, but one of my favorite WireGuard features is on-demand activation. I have my WireGuard VPN set up such that any time I'm not on my home WiFi, it will automatically connect to my home VPN. Here's the macOS interface:
>
> [screenshot: Screen_Shot_2022-05-25_at_8_57_09_PM]
>
> The same is possible on iOS as well.

Does this need to be a different FR as it's slightly different than what @jdgiddings was asking for originally? I'm also really missing this functionality of WireGuard myself, connecting automatically from my phone when I was no longer connected to my local WiFi network.

@ukanuk commented Jan 2, 2023

The WireGuard feature mentioned above looks about like what I would expect: a whitelist of Wi-Fi 2.4 GHz, Wi-Fi 5 GHz, and wired networks. Maybe some type of geofence for phones could work if that's easier.

Enabling exit node when I visit the coffee shop and disabling exit node when I'm at home is recommended use per https://tailscale.com/kb/1103/exit-nodes/. However because it's a manual process and Tailscale mostly runs silently in the background, I frequently forget to toggle the exit node connection on/off.

Subconsciously I know I have a VPN, so I'm safe checking my bank account and doing other things while on public Wi-Fi at the café. But I frequently forget to toggle the exit node connection on/off, which means I am already logged into my bank before I remember I have to manually toggle the exit node.

@ukanuk commented Jan 2, 2023

Note that for networks with a login page, the exit node would have to be temporarily disabled. Perhaps a button to "disable exit node until connected to internet" would make this process easier.
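One way to implement the trust check proposed in the opening post, extended with the gateway-MAC identifier from @freezscholte's comment and the captive-portal case raised just above, as an added example that is not part of this issue and not Tailscale's own code: a NetworkManager dispatcher script for a Linux laptop. NetworkManager runs such scripts as `<script> <interface> <action>` and passes connection details in the environment (CONNECTION_UUID, IP4_GATEWAY, and, for the connectivity-change action, CONNECTIVITY_STATE); `tailscale set --exit-node=<name>` selects an exit node and `tailscale set --exit-node=` clears it. The exit node name, the trusted-network entries and the install path are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from this issue or from Tailscale):
# /etc/NetworkManager/dispatcher.d/50-tailscale-exit-node (assumed path).
# Trusted Wi-Fi networks keep direct internet access; any other Wi-Fi network
# is routed through an exit node. Captive portals clear the exit node until
# connectivity is FULL, because the login page must be reached directly.
set -eu

# Assumptions: the exit node to use, and a constructed trust list.
# A network is keyed by SSID *and* gateway MAC, since an SSID alone is not
# unique. Both values are spoofable: this is a convenience heuristic, not a
# security boundary.
EXIT_NODE="${EXIT_NODE:-home-router}"
TRUSTED_NETWORKS='HomeWiFi|aa:bb:cc:dd:ee:ff
Office-Corp|00:11:22:33:44:55'

# normalize_mac MAC: lower-case hex so "AA:BB:.." and "aa:bb:.." compare equal.
normalize_mac() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# is_trusted SSID GATEWAY_MAC: exact whole-line match of "ssid|mac".
is_trusted() {
  local key
  key="$1|$(normalize_mac "$2")"
  printf '%s\n' "$TRUSTED_NETWORKS" | grep -qxF -- "$key"
}

# decide_action SSID GATEWAY_MAC CONNECTIVITY_STATE
# Prints "use" (route via the exit node) or "clear" (stop using it).
decide_action() {
  local ssid=$1 mac=$2 state
  state=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
  case "$state" in
    PORTAL|LIMITED|NONE) echo clear; return ;;   # no usable internet yet
  esac
  if is_trusted "$ssid" "$mac"; then echo clear; else echo use; fi
}

# apply_action ACTION: the only place that touches tailscale.
apply_action() {
  case "$1" in
    use)   tailscale set --exit-node="$EXIT_NODE" ;;
    clear) tailscale set --exit-node= ;;
  esac
}

# current_ssid: SSID of the active Wi-Fi connection, or nothing.
# Terse nmcli output escapes ':' inside values as '\:'; undo that.
current_ssid() {
  nmcli -t -f active,ssid dev wifi 2>/dev/null \
    | awk -F: '$1=="yes"{print substr($0, index($0, ":")+1)}' \
    | head -n1 | sed 's/\\:/:/g'
}

# default_gateway: IPv4 next hop of the default route.
default_gateway() {
  ip -4 route show default 2>/dev/null \
    | awk '{for(i=1;i<=NF;i++) if($i=="via") print $(i+1)}' | head -n1
}

# gateway_mac GATEWAY_IP: link-layer address from the neighbour table.
gateway_mac() {
  [ -n "$1" ] || return 0
  ping -c1 -W1 "$1" >/dev/null 2>&1 || true   # make sure the entry exists
  ip -o neigh show to "$1" 2>/dev/null \
    | awk '{for(i=1;i<=NF;i++) if($i=="lladdr") print $(i+1)}' | head -n1
}

# Dispatcher entry point: $1 = interface, $2 = action.
main() {
  local action=${2:-} ssid gw mac state
  case "$action" in up|connectivity-change) ;; *) return 0 ;; esac
  ssid=$(current_ssid)
  [ -n "$ssid" ] || return 0            # not on Wi-Fi: leave the exit node alone
  gw=${IP4_GATEWAY:-$(default_gateway)}
  mac=$(gateway_mac "$gw")
  state=${CONNECTIVITY_STATE:-$(nmcli -g CONNECTIVITY general status 2>/dev/null || echo UNKNOWN)}
  apply_action "$(decide_action "$ssid" "${mac:-unknown}" "$state")"
}

# Only act when NetworkManager invokes us with interface and action, so the
# decision functions can be sourced and tested without touching the network.
if [ $# -ge 2 ]; then main "$@"; fi
```

NetworkManager only runs dispatcher scripts that are owned by root, executable and not writable by group or other. The SSID-plus-gateway-MAC key only guards against accidental matches: anyone running a hostile access point can present both values, so a match should switch the exit node off only on networks where you would have done so by hand anyway, and the script defaults to using the exit node whenever the network is unknown or the gateway MAC cannot be determined.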

@doughnet commented Jan 2, 2023

Another hiccup I came across with the WireGuard app: when setting up IoT devices that need to connect to a Wi-Fi network, it complicates things.

@uxandy commented Jan 2, 2023

I came here looking for the same solution. I absolutely love Tailscale, but not having this feature means I may be forced to go to WireGuard until Tailscale is kind enough to give us something similar.

I am constantly having to activate tailscale every time I leave my house so I can get HA alerts. It's an absolute nuisance after the 500th time.

@Atemu commented Jan 3, 2023

> Subconsciously I know I have a VPN, so I'm safe checking my bank account and doing other things while on public Wi-Fi at the café.

You're safe checking your bank account or whatever from any network as long as you're using https. The network operator might know that you are accessing your bank website (depending on DNS setup and their hosting infrastructure, even that's not possible) but not what exactly it is you're doing there.

> I am constantly having to activate tailscale every time I leave my house so I can get HA alerts.

You shouldn't constantly toggle Tailscale. If anything, you should toggle the exit node usage.

With the exit node disabled, all internet traffic will go the normal way but you can still transparently reach all your devices at home. If you want to access them via their local IP addresses rather than their Tailscale addresses (requiring Tailscale on each of them), you will have to forward your home subnet as a route from one of your machines at home and then that'll also work.

@mihaip (Contributor) commented Jan 11, 2023

iOS Shortcuts support is now available in unstable builds (#2504 (comment)). Combined with Wi-Fi network and/or location automations, it should be possible to approximate the desired behavior.

@strayer commented Jan 19, 2023

> iOS Shortcuts support is now available in unstable builds (#2504 (comment)). Combined with Wi-Fi network and/or location automations, it should be possible to approximate the desired behavior.

I don't think this really helps in this situation. As far as I can see, all location-based automations (including Wi-Fi connection changes) will show a prompt and require manual confirmation.

This feature only makes sense if the exit node is automatically toggled on network changes.

Please do correct me if I‘m wrong though!

@vrijlaarsdam

It would also be awesome to have this feature inclusive of mobile networks, so that Tailscale will start at any time it's not on an allowlisted network.
That would allow access to enterprise apps while in office without needing Tailscale, but seamlessly providing access when out of office. The same would be true for home - for example, a user could use their local network DHCP to access PiHole at home, but Tailscale to their PiHole the moment they walk out the door.

[Re-posted after originally adding this comment with the wrong GH account, my bad]

@mikesellt

+1 for this feature. I use Tailscale a bit differently than some, I suppose. I have Adguard Home set up on my home network, and I have a Raspberry Pi acting as a Tailscale node that is sending my home network subnets to Tailscale. When my kids are at home, they're using my Adguard Home DNS for ad blocking as well as content filtering. When they're away from home, they have to connect to Tailscale to get that protection. I just tell them to leave it connected even when they're at home. There's an extra hop they have to take via the Raspberry Pi "VPN router", but whatever. The problem is that they will either manually disable Tailscale or reboot their phone or something, and it remains disconnected. It would be great if, at least, when they leave the home wifi I know the Tailscale VPN will be re-established automatically. I've looked into Tasker and other 3rd party apps to do this, and I haven't found anything that works. Thanks.

@dontcrash commented Apr 2, 2023

This needs to be implemented. Reluctant to switch until it is.

https://developer.apple.com/documentation/networkextension/neondemandruleconnect

@doughnet commented Apr 2, 2023

> This needs to be implemented. Reluctant to switch until it is.
>
> https://developer.apple.com/documentation/networkextension/neondemandruleconnect

yes that would be awesome!

@Mincka commented May 22, 2023

If on/off is enough, it is now possible to use intents with Tasker on Android's beta version:
tailscale/tailscale-android#87 (comment)

There's already another feature request for a Exit node intent:
#8143

@carlosonunez commented May 29, 2023

Hey, there!

On iOS, Tailscale recently added (or I recently noticed) support for iOS Shortcuts.

Specifically, they have:

  • Connect to Tailscale Network
  • Disconnect from Tailscale Network
  • Use exit node
  • Stop using exit node

With these, I was able to create Shortcuts that, when paired with the "When $DEVICE joins any Wi-Fi network" Automation, provide 98% of this functionality automatically. (You have to tap "Run" when the Automation triggers for this kind of Automation, hence why it's not 100%.)

I was also able to create a similar shortcut that triggers when Airplane Mode is Turned off (i.e. when you want to use Tailscale over cellular).

With these shortcuts, my workflow looks like this:

| Automation | Action | Result |
| --- | --- | --- |
| When I arrive at $HOME | Turn on Wifi | Triggers "When $DEVICE joins any Wi-Fi Network" Automation |
| When $DEVICE connects to $CAR | Turn off Airplane Mode | Triggers "When Airplane Mode is turned off" Automation |
| When Airplane Mode is turned off | Run "Turn on Tailscale - Cellular" shortcut | Tailscale is turned on if I get service within 15 seconds |
| When $DEVICE joins any Wi-Fi Network | Run "Turn on Tailscale - Wi-Fi" shortcut | Tailscale is turned on if Internet connection is good within 60 seconds |

It's a bit Rube Goldberg-ian, but it works really well for me. I actually prefer this over it being baked into the Tailscale app since it triggers at a system level (instead of hoping that a Tailscale daemon is running in the background and catches the event).

The iCloud links to these shortcuts are below. I've used these for the last day with great success. I hope y'all find them useful!

Enjoy!

@taclane commented May 30, 2023

> instead of hoping that a Tailscale daemon is running in the background and catches the event.

The system method noted above is what the Wireguard iOS app uses.

No additional daemons or background processes required. The phone itself is using the on-demand ruleset to determine when to start it up, even if the VPN app isn't already active.

It's true that the shortcut method mostly works, but it's not nearly as convenient as having the tunnel automatically start/stop as you transition from wifi to cellular (or the other way around).

@carlosonunez

Fair point! 100% agree that it would be much better to have Tailscale manage this!

@MadSpindel

Tailscale should open source their iOS app so others could contribute with functionality like this.

@mich2k commented Aug 31, 2023

> +1 for this feature. I use Tailscale a bit differently than some, I suppose. I have Adguard Home set up on my home network, and I have a Raspberry Pi acting as a Tailscale node that is sending my home network subnets to Tailscale. When my kids are at home, they're using my Adguard Home DNS for ad blocking as well as content filtering. When they're away from home, they have to connect to Tailscale to get that protection. I just tell them to leave it connected even when they're at home. There's an extra hop they have to take via the Raspberry Pi "VPN router", but whatever. The problem is that they will either manually disable Tailscale or reboot their phone or something, and it remains disconnected. It would be great if, at least, when they leave the home wifi I know the Tailscale VPN will be re-established automatically. I've looked into Tasker and other 3rd party apps to do this, and I haven't found anything that works. Thanks.

I have the same exact use case but what about android?

@JDongian

Enforcing exit node usage is really important for my corporate use case; otherwise I'm left to manually verify every user's compliance. This feature I think would greatly help, +1

@DentonGentry (Contributor)

@JDongian you'd want exit nodes to turn on for specific Wifi networks?
Or you want to force use of exit nodes across all devices, like using an MDM to force exit nodes on?

@JDongian

I got directed to this feature from #4186

We'd enforce exit nodes to turn on for all wifi networks, I think that would be simplest. We could make an exception for our corporate wifi. We would ideally be able to use MDM to force exit node configurations.

@washcycle

A customer use case: corporate users who may not know how to manage Tailscale beyond signing in. This feature would allow us to secure their outgoing internet traffic when at insecure locations like airports, conferences, Starbucks, etc.

@gabriel-vanca

Lack of this feature is what prevents me from using Tailscale.

@danield555

Writing it here because I suspect it could also be linked in code: have a "default starting setup" defined in MDM policy, for example a default exit node (or default to none).

@Averyy commented Feb 5, 2024

This works amazingly on the iOS app; it would be great to have it on the macOS app as well. Same idea: I want the exit node / VPN off when on my home network, but automatically turned on when I'm connected to any other network.

@sulzer commented Mar 12, 2024

Another corporate use case here: on untrusted WiFi networks it'd be amazing if Tailscale could automatically switch to an exit node. If there are multiple exit nodes, preferably the one with the lowest latency. This should be fully automated, as we can't rely on our users to manually connect to exit nodes depending on the WiFi. We utilize Tailscale on macOS and Windows.

@osdiab commented Apr 6, 2024

With the Mullvad VPN add-on, it would be amazing to a) auto-connect to it on untrusted networks, with the addition of b) auto-choose the lowest-latency region.
