{"slug":"subnet-routers","title":"Subnet routers","tags":["tailscale","routing"],"agent_summary":"Last validated: Jan 12, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Subnet routers\r\n\r\nLast validated: Jan 12, 2026\r\n\r\nSubnet routersare available for [all plans](https://tailscale.com/pricing).\r\n\r\nSubnet routers let you extend your Tailscale network (known as a tailnet) to include devices that don't or can't run the Tailscale client. They act as gateways between your tailnet and physical subnets, enabling secure access to legacy devices, entire networks, or services without installing Tailscale everywhere. This capability maintains Tailscale's security model while providing flexibility for complex network environments.\r\n\r\n## [Why it matters](https://tailscale.com/docs/features/subnet-routers\\#why-it-matters)\r\n\r\nWhen designing a secure network, installing the Tailscale client directly on each device provides the best security and performance through end-to-end [encryption](https://tailscale.com/docs/concepts/tailscale-encryption). However, network administrators frequently encounter situations where direct installation isn't feasible. Devices like printers often lack the capability to run Tailscale, and in large environments such as [AWS VPCs](https://tailscale.com/docs/install/cloud/aws) or legacy networks undergoing gradual modernization, installing clients on every endpoint becomes impractical.\r\n\r\nSubnet routers bridge this gap by functioning as gateways that relay traffic between your tailnet and conventional subnet-based networks. They maintain Tailscale's security model by respecting [access control policies](https://tailscale.com/docs/features/access-control) while extending connectivity to non-Tailscale devices. This approach offers a practical balance between security and connectivity requirements.\r\n\r\nAn important consideration for organizations is that devices behind subnet routers don't count toward your [pricing plan's device limit](https://tailscale.com/pricing). Nevertheless, when possible, installing Tailscale directly on devices remains preferable for optimal performance, security, and configuration simplicity.\r\n\r\n## [Benefits](https://tailscale.com/docs/features/subnet-routers\\#benefits)\r\n\r\nThe subnet router approach provides several important advantages for network administrators and organizations. Each benefit addresses specific challenges in modern network environments.\r\n\r\n- **Connect legacy devices**—include devices that can't run the Tailscale client in your Tailscale network.\r\n- **Integrate entire networks**—connect large networks, such as AWS VPCs, without installing Tailscale on each device.\r\n- **Gradual deployment**—phase in Tailscale adoption by connecting existing network segments through subnet routers.\r\n- **Maintain access control**—subnet routers respect Tailscale's access control policies, maintaining security across your network.\r\n\r\n## [Use cases](https://tailscale.com/docs/features/subnet-routers\\#use-cases)\r\n\r\nSubnet routers solve practical problems in various network environments by extending Tailscale's secure connectivity model. These use cases represent common deployment scenarios where subnet routers provide substantial value.\r\n\r\n- **Managed service access**—securely connect to cloud-managed services like Amazon RDS or Google Cloud SQL without exposing them to the public internet.\r\n- **Cloud network integration**—seamlessly connect cloud VPCs or other cloud network segments to your Tailscale network.\r\n- **Device connectivity**—make devices like printers or cameras accessible to remote Tailscale users without needing to install the Tailscale client.\r\n\r\n## [How subnet routers work](https://tailscale.com/docs/features/subnet-routers\\#how-subnet-routers-work)\r\n\r\nSubnet routers function as networking bridges that connect separate network environments under a unified access model. They operate at the network layer to facilitate communication between your Tailscale network and traditional subnet-based networks.\r\n\r\nA subnet router connects subnets, which are parts of a larger network. In Tailscale, a subnet router is a device in your tailnet that you use as a gateway to advertise routes to other devices. This lets devices connect to your tailnet without installing the Tailscale client.\r\n\r\nAny device that uses the subnet router as a gateway is considered _behind_ the subnet router. Subnet routers use Source Network Address Translation (SNAT) by default. When SNAT is enabled, traffic from a device behind a subnet router appears to come from the router itself, not the original device. If preserving the original source IP address is important for your use case, you can [disable SNAT](https://tailscale.com/docs/features/subnet-routers#disable-snat) to maintain the original device's IP address in the traffic packets.\r\n\r\nSubnet Routers \\| Tailscale Explained - YouTube\r\n\r\nTap to unmute\r\n\r\n[Subnet Routers \\| Tailscale Explained](https://www.youtube.com/watch?v=UmVMaymH1-s) [Tailscale](https://www.youtube.com/channel/UCcdv38QxPjSMqbt5ffLhJLA)\r\n\r\n![thumbnail-image](https://yt3.ggpht.com/K3B5Hdi7j4zy2y53nlQCQb9J0qHNuSXhD2hWysrwaiDvv19tPr5RY04QuQfFOvb9rDq9cugGjZU=s68-c-k-c0x00ffffff-no-rj)\r\n\r\nTailscale68.5K subscribers\r\n\r\n### [Subnet routers and exit nodes](https://tailscale.com/docs/features/subnet-routers\\#subnet-routers-and-exit-nodes)\r\n\r\nSubnet routers and exit nodes serve different purposes in the Tailscale ecosystem, though they both involve routing traffic. Understanding the distinction helps you deploy the right solution for your networking needs.\r\n\r\nExit nodes route outbound internet traffic from your tailnet devices, effectively functioning as VPN servers. When you connect to an exit node, your internet traffic appears to come from the exit node's location. This is useful for accessing geo-restricted content or improving privacy. In contrast, subnet routers provide access to specific private subnets. They enable tailnet devices to reach non-Tailscale devices within those subnets, but don't affect internet traffic routing. If you need to access private networks like office LANs or cloud VPCs, subnet routers are the appropriate solution.\r\n\r\n## [Set up a subnet router](https://tailscale.com/docs/features/subnet-routers\\#set-up-a-subnet-router)\r\n\r\nSetting up a subnet router involves installing Tailscale on a device that will act as the gateway, configuring it to advertise routes, and ensuring proper access controls. This process requires administrative access to both the subnet router device and your Tailscale network.\r\n\r\nYou can use almost any device that runs the Tailscale client as a subnet router. To configure a device to run as a subnet router, use the instructions below or refer to the [quickstart guide](https://tailscale.com/docs/features/subnet-routers/how-to/setup).\r\n\r\n1. [Install the Tailscale client](https://tailscale.com/docs/features/subnet-routers#install-the-tailscale-client).\r\n2. [Connect to Tailscale as a subnet router](https://tailscale.com/docs/features/subnet-routers#connect-to-tailscale-as-a-subnet-router).\r\n3. [Enable subnet routes from the admin console](https://tailscale.com/docs/features/subnet-routers#enable-subnet-routes-from-the-admin-console).\r\n4. [Add access rules for advertised subnet routes](https://tailscale.com/docs/features/subnet-routers#add-access-rules-for-the-advertised-subnet-routes).\r\n5. [Verify your connection](https://tailscale.com/docs/features/subnet-routers#verify-your-connection).\r\n6. [Use your subnet routes from other devices](https://tailscale.com/docs/features/subnet-routers#use-your-subnet-routes-from-other-devices).\r\n\r\n### [Install the Tailscale client](https://tailscale.com/docs/features/subnet-routers\\#install-the-tailscale-client)\r\n\r\nThe first step in creating a subnet router is installing the Tailscale client on the device that will serve as your gateway. Installation procedures vary by platform, but the process is straightforward across supported operating systems.\r\n\r\n[Linux](https://tailscale.com/docs/features/subnet-routers?tab=linux) [macOS](https://tailscale.com/docs/features/subnet-routers?tab=macos) [tvOS](https://tailscale.com/docs/features/subnet-routers?tab=tvos) [Windows](https://tailscale.com/docs/features/subnet-routers?tab=windows) [Android](https://tailscale.com/docs/features/subnet-routers?tab=android)\r\n\r\n[Download and install Tailscale](https://tailscale.com/download/linux) onto the device you plan to use as a subnet router.\r\n\r\n### [Connect to Tailscale as a subnet router](https://tailscale.com/docs/features/subnet-routers\\#connect-to-tailscale-as-a-subnet-router)\r\n\r\nAfter installing Tailscale, you need to configure the device to function as a subnet router by enabling IP forwarding and advertising the subnet routes you want to make available. These steps transform a standard Tailscale node into a gateway for other networks.\r\n\r\n[Linux](https://tailscale.com/docs/features/subnet-routers?tab=linux) [macOS](https://tailscale.com/docs/features/subnet-routers?tab=macos) [tvOS](https://tailscale.com/docs/features/subnet-routers?tab=tvos) [Windows](https://tailscale.com/docs/features/subnet-routers?tab=windows) [Android](https://tailscale.com/docs/features/subnet-routers?tab=android)\r\n\r\nTo use a Linux device as a subnet router, you need to complete two essential configurations: enabling IP forwarding and advertising subnet routes. Linux devices make particularly good subnet routers due to their stability and networking capabilities.\r\n\r\n1. Enable IP forwarding.\r\n2. Advertise subnet routes.\r\n\r\n#### [Enable IP forwarding](https://tailscale.com/docs/features/subnet-routers\\#enable-ip-forwarding)\r\n\r\nWhen enabling IP forwarding, ensure your firewall denies traffic forwarding by default. This is the default setting for standard firewalls like `ufw` and `firewalld`. Blocking traffic forwarding by default prevents unintended routing of traffic.\r\n\r\nIP forwarding is required to use a Linux device as a subnet router. This kernel setting lets the system forward network packets between interfaces, essentially functioning as a router. The process for enabling IP forwarding varies between Linux distributions. However, the following instructions work in most cases.\r\n\r\nIf your Linux system has a `/etc/sysctl.d` directory, use:\r\n\r\n```shell\r\necho 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf\r\necho 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf\r\nsudo sysctl -p /etc/sysctl.d/99-tailscale.conf\r\n```\r\n\r\nOtherwise, use:\r\n\r\n```shell\r\necho 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf\r\necho 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf\r\nsudo sysctl -p /etc/sysctl.conf\r\n```\r\n\r\nIf your Linux node uses `firewalld`, you might need to allow masquerading due to a [known issue](https://github.com/tailscale/tailscale/issues/3416). As a workaround, you can allow masquerading with this command:\r\n\r\n```shell\r\nfirewall-cmd --permanent --add-masquerade\r\n```\r\n\r\n#### [Advertise subnet routes](https://tailscale.com/docs/features/subnet-routers\\#advertise-subnet-routes)\r\n\r\nAfter you enable IP forwarding, run `tailscale set` with the `--advertise-routes` flag. It accepts a comma-separated list of subnet routes.\r\n\r\n```shell\r\nsudo tailscale set --advertise-routes=192.0.2.0/24,198.51.100.0/24\r\n```\r\n\r\nMake sure to replace the subnets in the example above with the correct ones for your network. All platforms except Apple TV support both IPv4 and IPv6 subnets. Apple TV only supports IPv4 subnets.\r\n\r\nIf the device is authenticated by a user who can advertise the specified route in [`autoApprovers`](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers), the subnet router's routes will automatically be approved. You can also advertise any subset of the routes allowed by `autoApprovers` in the tailnet policy file. If you'd like to expose default routes (`0.0.0.0/0` and `::/0`), consider using [exit nodes](https://tailscale.com/docs/features/exit-nodes) instead.\r\n\r\n### [Enable subnet routes from the admin console](https://tailscale.com/docs/features/subnet-routers\\#enable-subnet-routes-from-the-admin-console)\r\n\r\nThe admin console provides a centralized interface for approving and managing subnet routes advertised by your devices. This step ensures that the routes you've configured on your subnet router become active in your tailnet.\r\n\r\nYou can skip this step if you use [`autoApprovers`](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers).\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the admin console.\r\n2. Locate the **Subnets** badge in the devices list or use the [`property:subnet`](https://login.tailscale.com/admin/machines?q=property%3Asubnet) filter to list all devices advertising subnet routes.\r\n3. Select a device with the `subnet` property, then go to the **Subnets** section.\r\n4. Select **Edit**. This opens the **Edit route settings**.\r\n5. Under **Subnet routes**, select the routes to approve, then select **Save**.\r\n\r\nYou can disable [key expiry](https://tailscale.com/docs/features/access-control/key-expiry) on your server to avoid having to periodically reauthenticate. If you use [tags](https://tailscale.com/docs/features/tags), [key expiry is disabled by default](https://tailscale.com/docs/features/tags#key-expiry).\r\n\r\n### [Add access rules for the advertised subnet routes](https://tailscale.com/docs/features/subnet-routers\\#add-access-rules-for-the-advertised-subnet-routes)\r\n\r\nAccess controls determine which devices and users can access resources through your subnet router. Properly configured access rules are essential for maintaining security while enabling the connectivity you need.\r\n\r\nAccess rules control which traffic is permitted, while route approval controls which routes are injected into client routing tables. These are separate mechanisms. For a complete explanation, refer to the [route injection reference](https://tailscale.com/docs/reference/route-injection).\r\n\r\nYou can skip this step if you already have rules that allow access to your advertised subnet routes.\r\n\r\n1. Open the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console to update your [tailnet policy file](https://tailscale.com/docs/features/access-control/acls).\r\n2. Create an [access rule](https://tailscale.com/docs/reference/syntax/policy-file#acls) that lets access to the advertised subnet.\r\n\r\nThe following example tailnet policy configuration ensures members of `group:dev` can access devices in the subnets `192.0.2.0/24`, `198.51.100.0/24` and `2001:db8::/32`, and ensures the subnet `192.0.2.0/24` can access the subnet `198.51.100.0/24` and vice versa, _if [subnet route masquerading](https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading) is disabled_.\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:dev\": [\"alice@example.com\", \"bob@example.com\"]\r\n  },\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:dev\",\"192.0.2.0/24\", \"198.51.100.0/24\"],\\\r\n      \"dst\": [\"192.0.2.0/24\", \"198.51.100.0/24\", \"2001:db8::/32\"],\\\r\n      \"ip\": [\"*:*\"]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n### [Verify your connection](https://tailscale.com/docs/features/subnet-routers\\#verify-your-connection)\r\n\r\nVerification ensures that your subnet router is properly configured and functioning as expected. This step confirms that your tailnet devices can communicate with the subnet router before attempting to access resources behind it.\r\n\r\nCheck that you can ping the Tailscale IP address of your new subnet routers from a tailnet device (such as a Linux, macOS, or Windows device). You can find the Tailscale IP in the [admin console](https://login.tailscale.com/admin) or by running the following command on the subnet router.\r\n\r\n```shell\r\ntailscale ip -4\r\n```\r\n\r\n### [Use your subnet routes from other devices](https://tailscale.com/docs/features/subnet-routers\\#use-your-subnet-routes-from-other-devices)\r\n\r\nOnce your subnet router is configured and verified, you need to ensure that other devices in your tailnet can discover and use the new routes. This process varies slightly by operating system.\r\n\r\nAndroid, iOS, macOS, tvOS, and Windows automatically pick up your new subnet routes.\r\n\r\nBy default, Linux devices only discover [Tailscale IP addresses](https://tailscale.com/docs/concepts/tailscale-ip-addresses). To enable automatic discovery of new subnet routes on Linux devices, use the `--accept-routes` flag:\r\n\r\n```shell\r\nsudo tailscale set --accept-routes\r\n```\r\n\r\n## [Update subnet routes](https://tailscale.com/docs/features/subnet-routers\\#update-subnet-routes)\r\n\r\nNetwork requirements evolve over time, and you may need to modify the subnet routes advertised by your subnet router. This process involves updating the route advertisements and ensuring that the changes are properly approved and accessible.\r\n\r\nTo update subnet routes:\r\n\r\n1. [Connect to Tailscale as a subnet router](https://tailscale.com/docs/features/subnet-routers#connect-to-tailscale-as-a-subnet-router).\r\n2. [Enable subnet routes from the admin console](https://tailscale.com/docs/features/subnet-routers#enable-subnet-routes-from-the-admin-console).\r\n3. [Add access rules for advertised subnet routes](https://tailscale.com/docs/features/subnet-routers#add-access-rules-for-the-advertised-subnet-routes).\r\n4. [Verify your connection](https://tailscale.com/docs/features/subnet-routers#verify-your-connection).\r\n5. [Use your subnet routes from other devices](https://tailscale.com/docs/features/subnet-routers#use-your-subnet-routes-from-other-devices).\r\n\r\nYou can exclude any routes to prevent the subnet router from advertising them.\r\n\r\n## [Use advanced subnet routing](https://tailscale.com/docs/features/subnet-routers\\#use-advanced-subnet-routing)\r\n\r\nAfter you set up a subnet router, you might consider:\r\n\r\n- [Route DNS lookups to an internal DNS server](https://tailscale.com/docs/features/subnet-routers#route-dns-lookups-to-an-internal-dns-server).\r\n- [Set up high availability for subnet routers](https://tailscale.com/docs/features/subnet-routers#set-up-high-availability).\r\n- [Use overlapping routes with different prefix lengths](https://tailscale.com/docs/features/subnet-routers#use-overlapping-routes-with-different-prefix-lengths) for granular routing control.\r\n- Connect two or more subnets using [site-to-site](https://tailscale.com/docs/features/site-to-site) networking.\r\n- [Disable source NAT (SNAT)](https://tailscale.com/docs/features/subnet-routers#disable-snat).\r\n\r\n### [Route DNS lookups to an internal DNS server](https://tailscale.com/docs/features/subnet-routers\\#route-dns-lookups-to-an-internal-dns-server)\r\n\r\nDNS configuration lets your tailnet resolve names both for Tailscale devices and for resources on the advertised subnets. This capability enables seamless name resolution across your hybrid network environment.\r\n\r\nYou can add [Tailscale IP addresses to public DNS records](https://tailscale.com/docs/reference/dns-in-tailscale) because Tailscale IP addresses are only accessible to authenticated users of your network. You can use an internal DNS server on your subnet by configuring split DNS in the [DNS](https://login.tailscale.com/admin/dns) page of the admin console.\r\n\r\n### [Set up high availability](https://tailscale.com/docs/features/subnet-routers\\#set-up-high-availability)\r\n\r\nFor critical environments, redundant subnet routers provide reliability by ensuring continued connectivity even if individual subnet router devices fail. This approach is essential for production networks where continuous availability is required.\r\n\r\nYou can set up high availability to ensure your network is connectable even if one subnet router goes offline. For more information, refer to our topic on [high availability failover](https://tailscale.com/docs/how-to/set-up-high-availability).\r\n\r\nWhen setting up subnet routers for high availability (HA), be careful with the `--accept-routes` flag. If you turn on `--accept-routes` for subnet routers that share the same routes in the same region, the standby router will accept its own advertised routes from the primary router.\r\n\r\nThis leads to an inefficient routing path. The standby router will send traffic for its directly connected subnet through the primary router instead. For example, if both subnet routers advertise and accept the same route, such as `192.168.1.0/24`, the standby router will send all `192.168.1.0/24` traffic through the primary router, even though it is directly connected to that network.\r\n\r\nFor most HA subnet router setups, use the `--advertise-routes` flag alone. Avoid using `--accept-routes` unless you specifically need that routing behavior.\r\n\r\n### [Use overlapping routes with different prefix lengths](https://tailscale.com/docs/features/subnet-routers\\#use-overlapping-routes-with-different-prefix-lengths)\r\n\r\nTailscale supports advertising overlapping subnet routes with different prefix lengths from multiple subnet routers. When traffic is sent to a destination IP address, Tailscale uses longest prefix matching (LPM) to select the most specific route available.\r\n\r\nFor example, if you configure:\r\n\r\n- Subnet router A advertising `10.0.0.0/16`\r\n- Subnet router B advertising `10.0.0.0/24`\r\n\r\nTraffic is routed based on the most specific match:\r\n\r\n- `10.0.0.1` routes through subnet router B (matched by the more specific `/24` route)\r\n- `10.0.1.1` routes through subnet router A (only matched by the `/16` route)\r\n\r\nThis capability is useful for scenarios where you need granular control over routing within a larger address space, such as:\r\n\r\n- Directing specific subnets through dedicated routers for performance\r\n- Applying different security policies to specific subnets\r\n- Gradually migrating subnets to new infrastructure\r\n\r\nTailscale does not fall back to a less-specific route when the subnet router for a more-specific route goes offline. In the example above, if subnet router B (advertising `10.0.0.0/24`) becomes unavailable, Tailscale drops traffic to `10.0.0.1` rather than falling back to subnet router A's `10.0.0.0/16` route.\r\n\r\nTailscale treats each advertised prefix independently using static route selection, not dynamic routing. An offline router cannot withdraw its route advertisement, so clients continue to prefer the more-specific prefix even when no healthy router serves it.\r\n\r\nTo avoid this, configure all subnet routers that advertise a broader prefix to also advertise the more-specific prefix. For example, have subnet router A advertise both `10.0.0.0/16` and `10.0.0.0/24`. This ensures the more-specific prefix has multiple candidate routers and can fail over if one goes offline.\r\n\r\nFor more information about this behavior and additional workarounds, refer to [overlapping subnet route failover](https://tailscale.com/docs/reference/troubleshooting/network-configuration/overlapping-subnet-route-failover).\r\n\r\n### [Disable SNAT](https://tailscale.com/docs/features/subnet-routers\\#disable-snat)\r\n\r\nSource Network Address Translation (SNAT) affects how source IP addresses appear to devices in different parts of your network. By default, Tailscale performs SNAT on traffic passing through subnet routers, but this behavior can be modified when necessary.\r\n\r\nBy default, when you advertise subnet routes, Tailscale uses source network address translation (SNAT) (also called masquerading). You can disable SNAT by using the `--snat-subnet-routes=false` flag (Linux only) with the [`tailscale up`](https://tailscale.com/docs/reference/tailscale-cli/up) command. Disabling SNAT preserves the source IP addresses of the hosts behind the subnet router.\r\n\r\n```shell\r\ntailscale up --snat-subnet-routes=false\r\n```\r\n\r\nThe `--snat-subnet-routes` flag only works with Linux subnet routers.\r\n\r\nWhen you disable source NAT on a subnet router, devices behind it can access the Tailscale IP addresses of devices they connect to but don't automatically know how to route traffic back to those Tailscale IP addresses. To fix this, you must add a return route that tells the devices to send all Tailscale traffic through your subnet router. You can configure this route in one of three places:\r\n\r\n- On the device's operating system\r\n- In your VPC settings\r\n- Through your DHCP server\r\n\r\nThe route should include:\r\n\r\n- Network: `100.64.0.0/10` (the Tailscale IP address range, which includes [reserved IP addresses](https://tailscale.com/docs/reference/reserved-ip-addresses))\r\n- Next hop or gateway: The LAN IP address of your subnet router\r\n\r\n[Currently](https://github.com/tailscale/tailscale/issues/18725) setting `--snat-subnet-routes=false` on a node that's acting as both a subnet router and exit node can result in upstream drops. The recommended workaround for this is to sepearate the role of the subnet router and the exit node between two nodes if the subnet router must have SNAT disabled.\r\n\r\n## [Caveats](https://tailscale.com/docs/features/subnet-routers\\#caveats)\r\n\r\n### [Expired device keys](https://tailscale.com/docs/features/subnet-routers\\#expired-device-keys)\r\n\r\nWhen a connector's (such as, app connector, subnet router, exit node) key expires, the connector's advertised routes remain configured on other devices but become unreachable (known as \"fail close\" policy). Tailscale keeps these routes in place intentionally because removing them could leak traffic to untrusted networks.\r\n\r\nTo prevent disruption from this behavior, [disable key expiry](https://tailscale.com/docs/features/access-control/key-expiry#disabling-key-expiry) on the connector or configure [high availability](https://tailscale.com/docs/how-to/set-up-high-availability). If you prefer to withdraw routes when a key expires, you can use the admin console or [API](https://tailscale.com/docs/reference/tailscale-api) to enable and disable advertised routes when certain conditions are met.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Subnet routers</h1>\n<p>Last validated: Jan 12, 2026</p>\n<p>Subnet routersare available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<p>Subnet routers let you extend your Tailscale network (known as a tailnet) to include devices that don't or can't run the Tailscale client. They act as gateways between your tailnet and physical subnets, enabling secure access to legacy devices, entire networks, or services without installing Tailscale everywhere. This capability maintains Tailscale's security model while providing flexibility for complex network environments.</p>\n<h2><a href=\"https://tailscale.com/docs/features/subnet-routers#why-it-matters\">Why it matters</a></h2>\n<p>When designing a secure network, installing the Tailscale client directly on each device provides the best security and performance through end-to-end <a href=\"https://tailscale.com/docs/concepts/tailscale-encryption\">encryption</a>. However, network administrators frequently encounter situations where direct installation isn't feasible. Devices like printers often lack the capability to run Tailscale, and in large environments such as <a href=\"https://tailscale.com/docs/install/cloud/aws\">AWS VPCs</a> or legacy networks undergoing gradual modernization, installing clients on every endpoint becomes impractical.</p>\n<p>Subnet routers bridge this gap by functioning as gateways that relay traffic between your tailnet and conventional subnet-based networks. They maintain Tailscale's security model by respecting <a href=\"https://tailscale.com/docs/features/access-control\">access control policies</a> while extending connectivity to non-Tailscale devices. This approach offers a practical balance between security and connectivity requirements.</p>\n<p>An important consideration for organizations is that devices behind subnet routers don't count toward your <a href=\"https://tailscale.com/pricing\">pricing plan's device limit</a>. Nevertheless, when possible, installing Tailscale directly on devices remains preferable for optimal performance, security, and configuration simplicity.</p>\n<h2><a href=\"https://tailscale.com/docs/features/subnet-routers#benefits\">Benefits</a></h2>\n<p>The subnet router approach provides several important advantages for network administrators and organizations. Each benefit addresses specific challenges in modern network environments.</p>\n<ul>\n<li><strong>Connect legacy devices</strong>—include devices that can't run the Tailscale client in your Tailscale network.</li>\n<li><strong>Integrate entire networks</strong>—connect large networks, such as AWS VPCs, without installing Tailscale on each device.</li>\n<li><strong>Gradual deployment</strong>—phase in Tailscale adoption by connecting existing network segments through subnet routers.</li>\n<li><strong>Maintain access control</strong>—subnet routers respect Tailscale's access control policies, maintaining security across your network.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/subnet-routers#use-cases\">Use cases</a></h2>\n<p>Subnet routers solve practical problems in various network environments by extending Tailscale's secure connectivity model. These use cases represent common deployment scenarios where subnet routers provide substantial value.</p>\n<ul>\n<li><strong>Managed service access</strong>—securely connect to cloud-managed services like Amazon RDS or Google Cloud SQL without exposing them to the public internet.</li>\n<li><strong>Cloud network integration</strong>—seamlessly connect cloud VPCs or other cloud network segments to your Tailscale network.</li>\n<li><strong>Device connectivity</strong>—make devices like printers or cameras accessible to remote Tailscale users without needing to install the Tailscale client.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/subnet-routers#how-subnet-routers-work\">How subnet routers work</a></h2>\n<p>Subnet routers function as networking bridges that connect separate network environments under a unified access model. They operate at the network layer to facilitate communication between your Tailscale network and traditional subnet-based networks.</p>\n<p>A subnet router connects subnets, which are parts of a larger network. In Tailscale, a subnet router is a device in your tailnet that you use as a gateway to advertise routes to other devices. This lets devices connect to your tailnet without installing the Tailscale client.</p>\n<p>Any device that uses the subnet router as a gateway is considered <em>behind</em> the subnet router. Subnet routers use Source Network Address Translation (SNAT) by default. When SNAT is enabled, traffic from a device behind a subnet router appears to come from the router itself, not the original device. If preserving the original source IP address is important for your use case, you can <a href=\"https://tailscale.com/docs/features/subnet-routers#disable-snat\">disable SNAT</a> to maintain the original device's IP address in the traffic packets.</p>\n<p>Subnet Routers | Tailscale Explained - YouTube</p>\n<p>Tap to unmute</p>\n<p><a href=\"https://www.youtube.com/watch?v=UmVMaymH1-s\">Subnet Routers | Tailscale Explained</a> <a href=\"https://www.youtube.com/channel/UCcdv38QxPjSMqbt5ffLhJLA\">Tailscale</a></p>\n<p><img src=\"https://yt3.ggpht.com/K3B5Hdi7j4zy2y53nlQCQb9J0qHNuSXhD2hWysrwaiDvv19tPr5RY04QuQfFOvb9rDq9cugGjZU=s68-c-k-c0x00ffffff-no-rj\" alt=\"thumbnail-image\"></p>\n<p>Tailscale68.5K subscribers</p>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#subnet-routers-and-exit-nodes\">Subnet routers and exit nodes</a></h3>\n<p>Subnet routers and exit nodes serve different purposes in the Tailscale ecosystem, though they both involve routing traffic. Understanding the distinction helps you deploy the right solution for your networking needs.</p>\n<p>Exit nodes route outbound internet traffic from your tailnet devices, effectively functioning as VPN servers. When you connect to an exit node, your internet traffic appears to come from the exit node's location. This is useful for accessing geo-restricted content or improving privacy. In contrast, subnet routers provide access to specific private subnets. They enable tailnet devices to reach non-Tailscale devices within those subnets, but don't affect internet traffic routing. If you need to access private networks like office LANs or cloud VPCs, subnet routers are the appropriate solution.</p>\n<h2><a href=\"https://tailscale.com/docs/features/subnet-routers#set-up-a-subnet-router\">Set up a subnet router</a></h2>\n<p>Setting up a subnet router involves installing Tailscale on a device that will act as the gateway, configuring it to advertise routes, and ensuring proper access controls. This process requires administrative access to both the subnet router device and your Tailscale network.</p>\n<p>You can use almost any device that runs the Tailscale client as a subnet router. To configure a device to run as a subnet router, use the instructions below or refer to the <a href=\"https://tailscale.com/docs/features/subnet-routers/how-to/setup\">quickstart guide</a>.</p>\n<ol>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#install-the-tailscale-client\">Install the Tailscale client</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#connect-to-tailscale-as-a-subnet-router\">Connect to Tailscale as a subnet router</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#enable-subnet-routes-from-the-admin-console\">Enable subnet routes from the admin console</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#add-access-rules-for-the-advertised-subnet-routes\">Add access rules for advertised subnet routes</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#verify-your-connection\">Verify your connection</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#use-your-subnet-routes-from-other-devices\">Use your subnet routes from other devices</a>.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#install-the-tailscale-client\">Install the Tailscale client</a></h3>\n<p>The first step in creating a subnet router is installing the Tailscale client on the device that will serve as your gateway. Installation procedures vary by platform, but the process is straightforward across supported operating systems.</p>\n<p><a href=\"https://tailscale.com/docs/features/subnet-routers?tab=linux\">Linux</a> <a href=\"https://tailscale.com/docs/features/subnet-routers?tab=macos\">macOS</a> <a href=\"https://tailscale.com/docs/features/subnet-routers?tab=tvos\">tvOS</a> <a href=\"https://tailscale.com/docs/features/subnet-routers?tab=windows\">Windows</a> <a href=\"https://tailscale.com/docs/features/subnet-routers?tab=android\">Android</a></p>\n<p><a href=\"https://tailscale.com/download/linux\">Download and install Tailscale</a> onto the device you plan to use as a subnet router.</p>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#connect-to-tailscale-as-a-subnet-router\">Connect to Tailscale as a subnet router</a></h3>\n<p>After installing Tailscale, you need to configure the device to function as a subnet router by enabling IP forwarding and advertising the subnet routes you want to make available. These steps transform a standard Tailscale node into a gateway for other networks.</p>\n<p><a href=\"https://tailscale.com/docs/features/subnet-routers?tab=linux\">Linux</a> <a href=\"https://tailscale.com/docs/features/subnet-routers?tab=macos\">macOS</a> <a href=\"https://tailscale.com/docs/features/subnet-routers?tab=tvos\">tvOS</a> <a href=\"https://tailscale.com/docs/features/subnet-routers?tab=windows\">Windows</a> <a href=\"https://tailscale.com/docs/features/subnet-routers?tab=android\">Android</a></p>\n<p>To use a Linux device as a subnet router, you need to complete two essential configurations: enabling IP forwarding and advertising subnet routes. Linux devices make particularly good subnet routers due to their stability and networking capabilities.</p>\n<ol>\n<li>Enable IP forwarding.</li>\n<li>Advertise subnet routes.</li>\n</ol>\n<h4><a href=\"https://tailscale.com/docs/features/subnet-routers#enable-ip-forwarding\">Enable IP forwarding</a></h4>\n<p>When enabling IP forwarding, ensure your firewall denies traffic forwarding by default. This is the default setting for standard firewalls like <code>ufw</code> and <code>firewalld</code>. Blocking traffic forwarding by default prevents unintended routing of traffic.</p>\n<p>IP forwarding is required to use a Linux device as a subnet router. This kernel setting lets the system forward network packets between interfaces, essentially functioning as a router. The process for enabling IP forwarding varies between Linux distributions. However, the following instructions work in most cases.</p>\n<p>If your Linux system has a <code>/etc/sysctl.d</code> directory, use:</p>\n<pre><code class=\"language-shell\">echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf\r\necho 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf\r\nsudo sysctl -p /etc/sysctl.d/99-tailscale.conf\n</code></pre>\n<p>Otherwise, use:</p>\n<pre><code class=\"language-shell\">echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf\r\necho 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf\r\nsudo sysctl -p /etc/sysctl.conf\n</code></pre>\n<p>If your Linux node uses <code>firewalld</code>, you might need to allow masquerading due to a <a href=\"https://github.com/tailscale/tailscale/issues/3416\">known issue</a>. As a workaround, you can allow masquerading with this command:</p>\n<pre><code class=\"language-shell\">firewall-cmd --permanent --add-masquerade\n</code></pre>\n<h4><a href=\"https://tailscale.com/docs/features/subnet-routers#advertise-subnet-routes\">Advertise subnet routes</a></h4>\n<p>After you enable IP forwarding, run <code>tailscale set</code> with the <code>--advertise-routes</code> flag. It accepts a comma-separated list of subnet routes.</p>\n<pre><code class=\"language-shell\">sudo tailscale set --advertise-routes=192.0.2.0/24,198.51.100.0/24\n</code></pre>\n<p>Make sure to replace the subnets in the example above with the correct ones for your network. All platforms except Apple TV support both IPv4 and IPv6 subnets. Apple TV only supports IPv4 subnets.</p>\n<p>If the device is authenticated by a user who can advertise the specified route in <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\"><code>autoApprovers</code></a>, the subnet router's routes will automatically be approved. You can also advertise any subset of the routes allowed by <code>autoApprovers</code> in the tailnet policy file. If you'd like to expose default routes (<code>0.0.0.0/0</code> and <code>::/0</code>), consider using <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit nodes</a> instead.</p>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#enable-subnet-routes-from-the-admin-console\">Enable subnet routes from the admin console</a></h3>\n<p>The admin console provides a centralized interface for approving and managing subnet routes advertised by your devices. This step ensures that the routes you've configured on your subnet router become active in your tailnet.</p>\n<p>You can skip this step if you use <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\"><code>autoApprovers</code></a>.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console.</li>\n<li>Locate the <strong>Subnets</strong> badge in the devices list or use the <a href=\"https://login.tailscale.com/admin/machines?q=property%3Asubnet\"><code>property:subnet</code></a> filter to list all devices advertising subnet routes.</li>\n<li>Select a device with the <code>subnet</code> property, then go to the <strong>Subnets</strong> section.</li>\n<li>Select <strong>Edit</strong>. This opens the <strong>Edit route settings</strong>.</li>\n<li>Under <strong>Subnet routes</strong>, select the routes to approve, then select <strong>Save</strong>.</li>\n</ol>\n<p>You can disable <a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">key expiry</a> on your server to avoid having to periodically reauthenticate. If you use <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/features/tags#key-expiry\">key expiry is disabled by default</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#add-access-rules-for-the-advertised-subnet-routes\">Add access rules for the advertised subnet routes</a></h3>\n<p>Access controls determine which devices and users can access resources through your subnet router. Properly configured access rules are essential for maintaining security while enabling the connectivity you need.</p>\n<p>Access rules control which traffic is permitted, while route approval controls which routes are injected into client routing tables. These are separate mechanisms. For a complete explanation, refer to the <a href=\"https://tailscale.com/docs/reference/route-injection\">route injection reference</a>.</p>\n<p>You can skip this step if you already have rules that allow access to your advertised subnet routes.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console to update your <a href=\"https://tailscale.com/docs/features/access-control/acls\">tailnet policy file</a>.</li>\n<li>Create an <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#acls\">access rule</a> that lets access to the advertised subnet.</li>\n</ol>\n<p>The following example tailnet policy configuration ensures members of <code>group:dev</code> can access devices in the subnets <code>192.0.2.0/24</code>, <code>198.51.100.0/24</code> and <code>2001:db8::/32</code>, and ensures the subnet <code>192.0.2.0/24</code> can access the subnet <code>198.51.100.0/24</code> and vice versa, <em>if <a href=\"https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading\">subnet route masquerading</a> is disabled</em>.</p>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:dev\": [\"alice@example.com\", \"bob@example.com\"]\r\n  },\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"group:dev\",\"192.0.2.0/24\", \"198.51.100.0/24\"],\\\r\n      \"dst\": [\"192.0.2.0/24\", \"198.51.100.0/24\", \"2001:db8::/32\"],\\\r\n      \"ip\": [\"*:*\"]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#verify-your-connection\">Verify your connection</a></h3>\n<p>Verification ensures that your subnet router is properly configured and functioning as expected. This step confirms that your tailnet devices can communicate with the subnet router before attempting to access resources behind it.</p>\n<p>Check that you can ping the Tailscale IP address of your new subnet routers from a tailnet device (such as a Linux, macOS, or Windows device). You can find the Tailscale IP in the <a href=\"https://login.tailscale.com/admin\">admin console</a> or by running the following command on the subnet router.</p>\n<pre><code class=\"language-shell\">tailscale ip -4\n</code></pre>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#use-your-subnet-routes-from-other-devices\">Use your subnet routes from other devices</a></h3>\n<p>Once your subnet router is configured and verified, you need to ensure that other devices in your tailnet can discover and use the new routes. This process varies slightly by operating system.</p>\n<p>Android, iOS, macOS, tvOS, and Windows automatically pick up your new subnet routes.</p>\n<p>By default, Linux devices only discover <a href=\"https://tailscale.com/docs/concepts/tailscale-ip-addresses\">Tailscale IP addresses</a>. To enable automatic discovery of new subnet routes on Linux devices, use the <code>--accept-routes</code> flag:</p>\n<pre><code class=\"language-shell\">sudo tailscale set --accept-routes\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/features/subnet-routers#update-subnet-routes\">Update subnet routes</a></h2>\n<p>Network requirements evolve over time, and you may need to modify the subnet routes advertised by your subnet router. This process involves updating the route advertisements and ensuring that the changes are properly approved and accessible.</p>\n<p>To update subnet routes:</p>\n<ol>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#connect-to-tailscale-as-a-subnet-router\">Connect to Tailscale as a subnet router</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#enable-subnet-routes-from-the-admin-console\">Enable subnet routes from the admin console</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#add-access-rules-for-the-advertised-subnet-routes\">Add access rules for advertised subnet routes</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#verify-your-connection\">Verify your connection</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#use-your-subnet-routes-from-other-devices\">Use your subnet routes from other devices</a>.</li>\n</ol>\n<p>You can exclude any routes to prevent the subnet router from advertising them.</p>\n<h2><a href=\"https://tailscale.com/docs/features/subnet-routers#use-advanced-subnet-routing\">Use advanced subnet routing</a></h2>\n<p>After you set up a subnet router, you might consider:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#route-dns-lookups-to-an-internal-dns-server\">Route DNS lookups to an internal DNS server</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#set-up-high-availability\">Set up high availability for subnet routers</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#use-overlapping-routes-with-different-prefix-lengths\">Use overlapping routes with different prefix lengths</a> for granular routing control.</li>\n<li>Connect two or more subnets using <a href=\"https://tailscale.com/docs/features/site-to-site\">site-to-site</a> networking.</li>\n<li><a href=\"https://tailscale.com/docs/features/subnet-routers#disable-snat\">Disable source NAT (SNAT)</a>.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#route-dns-lookups-to-an-internal-dns-server\">Route DNS lookups to an internal DNS server</a></h3>\n<p>DNS configuration lets your tailnet resolve names both for Tailscale devices and for resources on the advertised subnets. This capability enables seamless name resolution across your hybrid network environment.</p>\n<p>You can add <a href=\"https://tailscale.com/docs/reference/dns-in-tailscale\">Tailscale IP addresses to public DNS records</a> because Tailscale IP addresses are only accessible to authenticated users of your network. You can use an internal DNS server on your subnet by configuring split DNS in the <a href=\"https://login.tailscale.com/admin/dns\">DNS</a> page of the admin console.</p>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#set-up-high-availability\">Set up high availability</a></h3>\n<p>For critical environments, redundant subnet routers provide reliability by ensuring continued connectivity even if individual subnet router devices fail. This approach is essential for production networks where continuous availability is required.</p>\n<p>You can set up high availability to ensure your network is connectable even if one subnet router goes offline. For more information, refer to our topic on <a href=\"https://tailscale.com/docs/how-to/set-up-high-availability\">high availability failover</a>.</p>\n<p>When setting up subnet routers for high availability (HA), be careful with the <code>--accept-routes</code> flag. If you turn on <code>--accept-routes</code> for subnet routers that share the same routes in the same region, the standby router will accept its own advertised routes from the primary router.</p>\n<p>This leads to an inefficient routing path. The standby router will send traffic for its directly connected subnet through the primary router instead. For example, if both subnet routers advertise and accept the same route, such as <code>192.168.1.0/24</code>, the standby router will send all <code>192.168.1.0/24</code> traffic through the primary router, even though it is directly connected to that network.</p>\n<p>For most HA subnet router setups, use the <code>--advertise-routes</code> flag alone. Avoid using <code>--accept-routes</code> unless you specifically need that routing behavior.</p>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#use-overlapping-routes-with-different-prefix-lengths\">Use overlapping routes with different prefix lengths</a></h3>\n<p>Tailscale supports advertising overlapping subnet routes with different prefix lengths from multiple subnet routers. When traffic is sent to a destination IP address, Tailscale uses longest prefix matching (LPM) to select the most specific route available.</p>\n<p>For example, if you configure:</p>\n<ul>\n<li>Subnet router A advertising <code>10.0.0.0/16</code></li>\n<li>Subnet router B advertising <code>10.0.0.0/24</code></li>\n</ul>\n<p>Traffic is routed based on the most specific match:</p>\n<ul>\n<li><code>10.0.0.1</code> routes through subnet router B (matched by the more specific <code>/24</code> route)</li>\n<li><code>10.0.1.1</code> routes through subnet router A (only matched by the <code>/16</code> route)</li>\n</ul>\n<p>This capability is useful for scenarios where you need granular control over routing within a larger address space, such as:</p>\n<ul>\n<li>Directing specific subnets through dedicated routers for performance</li>\n<li>Applying different security policies to specific subnets</li>\n<li>Gradually migrating subnets to new infrastructure</li>\n</ul>\n<p>Tailscale does not fall back to a less-specific route when the subnet router for a more-specific route goes offline. In the example above, if subnet router B (advertising <code>10.0.0.0/24</code>) becomes unavailable, Tailscale drops traffic to <code>10.0.0.1</code> rather than falling back to subnet router A's <code>10.0.0.0/16</code> route.</p>\n<p>Tailscale treats each advertised prefix independently using static route selection, not dynamic routing. An offline router cannot withdraw its route advertisement, so clients continue to prefer the more-specific prefix even when no healthy router serves it.</p>\n<p>To avoid this, configure all subnet routers that advertise a broader prefix to also advertise the more-specific prefix. For example, have subnet router A advertise both <code>10.0.0.0/16</code> and <code>10.0.0.0/24</code>. This ensures the more-specific prefix has multiple candidate routers and can fail over if one goes offline.</p>\n<p>For more information about this behavior and additional workarounds, refer to <a href=\"https://tailscale.com/docs/reference/troubleshooting/network-configuration/overlapping-subnet-route-failover\">overlapping subnet route failover</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#disable-snat\">Disable SNAT</a></h3>\n<p>Source Network Address Translation (SNAT) affects how source IP addresses appear to devices in different parts of your network. By default, Tailscale performs SNAT on traffic passing through subnet routers, but this behavior can be modified when necessary.</p>\n<p>By default, when you advertise subnet routes, Tailscale uses source network address translation (SNAT) (also called masquerading). You can disable SNAT by using the <code>--snat-subnet-routes=false</code> flag (Linux only) with the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/up\"><code>tailscale up</code></a> command. Disabling SNAT preserves the source IP addresses of the hosts behind the subnet router.</p>\n<pre><code class=\"language-shell\">tailscale up --snat-subnet-routes=false\n</code></pre>\n<p>The <code>--snat-subnet-routes</code> flag only works with Linux subnet routers.</p>\n<p>When you disable source NAT on a subnet router, devices behind it can access the Tailscale IP addresses of devices they connect to but don't automatically know how to route traffic back to those Tailscale IP addresses. To fix this, you must add a return route that tells the devices to send all Tailscale traffic through your subnet router. You can configure this route in one of three places:</p>\n<ul>\n<li>On the device's operating system</li>\n<li>In your VPC settings</li>\n<li>Through your DHCP server</li>\n</ul>\n<p>The route should include:</p>\n<ul>\n<li>Network: <code>100.64.0.0/10</code> (the Tailscale IP address range, which includes <a href=\"https://tailscale.com/docs/reference/reserved-ip-addresses\">reserved IP addresses</a>)</li>\n<li>Next hop or gateway: The LAN IP address of your subnet router</li>\n</ul>\n<p><a href=\"https://github.com/tailscale/tailscale/issues/18725\">Currently</a> setting <code>--snat-subnet-routes=false</code> on a node that's acting as both a subnet router and exit node can result in upstream drops. The recommended workaround for this is to sepearate the role of the subnet router and the exit node between two nodes if the subnet router must have SNAT disabled.</p>\n<h2><a href=\"https://tailscale.com/docs/features/subnet-routers#caveats\">Caveats</a></h2>\n<h3><a href=\"https://tailscale.com/docs/features/subnet-routers#expired-device-keys\">Expired device keys</a></h3>\n<p>When a connector's (such as, app connector, subnet router, exit node) key expires, the connector's advertised routes remain configured on other devices but become unreachable (known as \"fail close\" policy). Tailscale keeps these routes in place intentionally because removing them could leak traffic to untrusted networks.</p>\n<p>To prevent disruption from this behavior, <a href=\"https://tailscale.com/docs/features/access-control/key-expiry#disabling-key-expiry\">disable key expiry</a> on the connector or configure <a href=\"https://tailscale.com/docs/how-to/set-up-high-availability\">high availability</a>. If you prefer to withdraw routes when a key expires, you can use the admin console or <a href=\"https://tailscale.com/docs/reference/tailscale-api\">API</a> to enable and disable advertised routes when certain conditions are met.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}