A sequel nobody asked for (but everyone needed)

JUST. Fucking. Make. An Exit Node.

You already installed Tailscale. Now buy a Raspberry Pi 5, plug it in at home, and route your traffic through it. It takes 10 minutes.

You're Paying For a VPN. Why?

Let's be honest about what you actually want:

And your solution is to pay £10/month to route all your traffic through some company's server in a data centre you've never seen, operated by people you've never met, who pinky promise they don't log anything?

You already have a home internet connection. You already have Tailscale. Just route your traffic through your own house. It's your exit node. You control it. Done.

What Even Is an Exit Node?

Normally, Tailscale connects your devices in a private mesh. Traffic between them is encrypted and direct. Beautiful.

An exit node takes it further: you pick one device on your tailnet and say "route ALL my internet traffic through this thing."

So when you're sat in a Caffè Nero on dodgy Wi-Fi, your laptop sends everything through an encrypted tunnel back to your Pi at home, and out through your home broadband.

To the internet, you're at home. To the coffee shop, you're just sending encrypted gibberish. To hackers on the network: good luck.

What You Need (The Shopping List)

This is not a 47-part homelab build. It's four things.

Raspberry Pi 5 (4GB or 8GB)
The brain. 4GB is plenty for this.
~£55–80
USB-C Power Supply (27W)
Official RPi 5 PSU. Don't cheap out.
~£12
MicroSD Card (32GB+)
Any decent brand. Samsung, SanDisk, whatever.
~£8
Ethernet Cable
Plug it into your router. Wi-Fi works but don't.
~£3

Total: roughly £80–100 one time. That's 8–10 months of NordVPN. After that, it's free. Forever. Because it's yours.

The Actual Setup (Yes, All Of It)

If you can follow a recipe, you can do this. It's literally copy-paste into a terminal.

Flash Raspberry Pi OS

Download Raspberry Pi Imager, pick Raspberry Pi OS Lite (64-bit), flash it to your SD card. In the settings, enable SSH and set a username/password. No desktop needed. This is a headless box.

Plug It In

SD card in. Ethernet cable in. Power in. Wait 60 seconds. Find its IP from your router's admin page, or just try:

ssh your-username@raspberrypi.local

Update Everything

sudo apt update && sudo apt upgrade -y

This takes a couple of minutes. Go make a brew.

Install Tailscale

curl -fsSL https://tailscale.com/install.sh | sh

One line. That's the whole install.

Enable IP Forwarding

This lets your Pi forward traffic. Without it, exit node won't work.

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Start Tailscale as an Exit Node

sudo tailscale up --advertise-exit-node

It'll give you a URL. Open it. Authenticate. Done.

Approve It in the Admin Console

Go to login.tailscale.com/admin/machines, find your Pi, click the ... menu, and approve the exit node. Tailscale doesn't auto-approve for security reasons.

Use It

On your laptop/phone, open Tailscale, go to Exit Nodes, pick your Pi. All your traffic now goes through your home broadband.

Check it: whatismyipaddress.com — it should show your home IP.

That's it. Eight steps. Ten minutes.
You now own your own VPN.

Why This Is Better Than a Commercial VPN

Bonus: Make It Survive Reboots & Power Cuts

Tailscale auto-starts on boot by default. But let's make sure everything's solid.

# Confirm tailscaled starts on boot
sudo systemctl enable tailscaled

# Optional: set a static hostname so it's easy to find
sudo hostnamectl set-hostname exit-node

Now tuck it behind your router, forget about it, and enjoy your own personal VPN for the rest of time.

Optional Extras (Since You're Here)

Run Pi-hole on the Same Box

Block ads and trackers at the DNS level for your entire tailnet. Your exit node is already forwarding traffic — might as well clean it on the way out.

Subnet Router

Advertise your home LAN through the Pi so you can access printers, NAS, smart home stuff — all over Tailscale, without installing Tailscale on each device.

Auto-Updates

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Security patches apply themselves. You sleep soundly.

FAQ (You're Going To Ask Anyway)

Won't this be slower than a proper VPN?

Depends on your home broadband. If you've got decent fibre, it'll be faster than most VPN providers because there's no congested shared server in the middle. Your traffic goes through your own pipe.

Can I use this to appear in another country?

No. Your exit node is at your house. You'll appear to be at home. That's the whole point. If you want to pretend to be in Japan, this isn't that. But if you want to appear to be at home while you're abroad — this is exactly that.

Does Tailscale see my traffic?

No. The connection is end-to-end encrypted using WireGuard. Tailscale's coordination server handles key exchange and device discovery, not your actual traffic. They literally can't see it.

What if my home internet goes down?

Then your exit node goes down. Same as if your VPN provider has an outage — except this time you can walk over and unplug and replug your router. Which is more than you can do with NordVPN's data centre in Panama.

Does the Pi 5 use much power?

About 3–5 watts idle. That's roughly £10–15 a year in electricity. Less than one month of most VPN subscriptions.

Do I need a static IP at home?

Nope. Tailscale handles NAT traversal. Your Pi connects outward to Tailscale's coordination server, so it works behind CGNAT, dynamic IPs, double NAT, whatever. That's the whole point of Tailscale.

Can I use a Pi 4 instead?

Yes. It'll work fine. The Pi 5 is just faster and has better thermals. A Pi 4 (2GB+) will handle exit node duties without breaking a sweat.

Stop paying strangers to route your traffic.
Buy a Pi. Install Tailscale.
Make it your exit node.