Step 6 of the series: Bypass internet restrictions and protect your privacy on public Wi-Fi
In this part of the series, each step of the setup script from the previous article is explained in detail.
If you’re not interested in the technical background, you can skip this part.
The numbers refer to the headers in the script of the previous article.
1. No variables are needed here.
2. Enable forwarding in UFW
Open the file /etc/default/ufw and change the DEFAULT_FORWARD_POLICY to ACCEPT.
DEFAULT_FORWARD_POLICY="ACCEPT"
3. Enable postrouting for NAT
Edit /etc/ufw/before.rules and insert the following before the first *filter line:
*nat
:POSTROUTING ACCEPT [0:0]
# Tailscale NAT (Exit Node)
-A POSTROUTING -s 100.64.0.0/10 -o ens3 -j MASQUERADE
COMMIT
Here, ens3 is your external interface (check with ip a).
4. Adjust UFW rules
UFW does not need an explicit allow rule for Tailscale's own traffic as long as Tailscale itself is working, but to make sure clients are allowed to route through the exit node, add a route rule:
# Allow routed traffic from Tailscale to external interface
sudo ufw route allow in on tailscale0 out on ens3
5. Enable IP forwarding via sysctl
To configure the new Tailscale client as an exit node, IP forwarding must be enabled.
Create the file /etc/sysctl.d/90-tailscale.conf with the following content:
sudo nano /etc/sysctl.d/90-tailscale.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Then activate the kernel parameters:
sudo sysctl -p /etc/sysctl.d/90-tailscale.conf
6. Optimize performance using ethtool
More information about these performance settings can be found in the Tailscale Performance best practices.
By default, networkd-dispatcher is enabled on Ubuntu 24.04. You can verify this with:
sudo systemctl is-enabled networkd-dispatcher
enabled
Now create a script that runs every time the server starts and optimizes throughput for Tailscale as an exit node:
printf '#!/bin/sh\n\nethtool -K %s rx-udp-gro-forwarding on rx-gro-list off \n' "$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")" | sudo tee /etc/networkd-dispatcher/routable.d/50-tailscale
sudo chmod 755 /etc/networkd-dispatcher/routable.d/50-tailscale
The following commands run the script once now, applying the ethtool settings, and verify that it executes without error:
sudo /etc/networkd-dispatcher/routable.d/50-tailscale
test $? -eq 0 || echo 'An error occurred.'
7. Restart UFW
Reload UFW to apply all settings:
sudo ufw reload
8. Restart Tailscale with the --advertise-exit-node flag
Finally, stop Tailscale and start it again with the --advertise-exit-node option:
sudo tailscale down
sudo tailscale up --advertise-exit-node
This completes the configuration of kernel parameters and the firewall, and enables your machine to be used as a Tailscale exit node.
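As an added example that is not part of the article or of Tailscale's own tooling, here is a small POSIX sh audit that verifies the settings from steps 2, 3, 5 and 6 after the script has run. It assumes the file paths used in the article and detects the external interface the same way the step 6 script does; each check function reads its input on stdin so the same logic can be run against the live host or against constructed sample input.

```shell
#!/bin/sh
# Added verification helpers (not from the article). Each check_* function
# reads a file or command output on stdin and returns 0 when it matches the
# article's setting, 1 otherwise.

# Step 2: /etc/default/ufw must set DEFAULT_FORWARD_POLICY="ACCEPT".
check_forward_policy() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"[[:space:]]*$'
}

# Step 3: before.rules must hold the *nat table with the MASQUERADE rule for
# 100.64.0.0/10, and that rule must come before the first *filter line.
check_nat_before_filter() {
    awk '
        /^\*nat/ && !nat       { nat = NR }
        /^\*filter/ && !filter { filter = NR }
        /^-A POSTROUTING -s 100\.64\.0\.0\/10 .*-j MASQUERADE/ { masq = NR }
        END { exit (nat && masq && filter && masq < filter) ? 0 : 1 }
    '
}

# Step 5: accepts the sysctl.d fragment or the output of
# "sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding"; both must be 1.
check_sysctl_forwarding() {
    awk -F ' *= *' '
        /^ *#/ { next }
        $1 == "net.ipv4.ip_forward" && $2 == "1"          { v4 = 1 }
        $1 == "net.ipv6.conf.all.forwarding" && $2 == "1" { v6 = 1 }
        END { exit (v4 && v6) ? 0 : 1 }
    '
}

# Step 6: "ethtool -k IFACE" output must show both offload settings.
check_ethtool_offloads() {
    awk '
        $1 == "rx-udp-gro-forwarding:" && $2 == "on" { fwd = 1 }
        $1 == "rx-gro-list:" && $2 == "off"          { list = 1 }
        END { exit (fwd && list) ? 0 : 1 }
    '
}

# Run every check on the live host (run as root for ethtool); one line per step.
audit_exit_node() {
    iface=$(ip -o route get 8.8.8.8 | cut -f 5 -d ' ')
    verdict() { [ "$1" -eq 0 ] && echo "OK   $2" || echo "FAIL $2"; }
    check_forward_policy < /etc/default/ufw;         verdict $? "step 2: UFW forward policy"
    check_nat_before_filter < /etc/ufw/before.rules; verdict $? "step 3: NAT masquerade"
    sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding | check_sysctl_forwarding
    verdict $? "step 5: IP forwarding (running values)"
    ethtool -k "$iface" | check_ethtool_offloads;    verdict $? "step 6: offloads on $iface"
}
```

Source the file and call audit_exit_node after a reboot as well, since step 6 only takes effect through networkd-dispatcher when the interface becomes routable.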