Tailscale Exit Node Deep Dive

Hacker News

A developer set up a home Tailscale exit node using a lightweight LXC container on Proxmox. Testing with traceroute revealed traffic routing through their home ISP after passing through the encrypted Tailscale mesh. Unlike standard Tailscale setups that only expose devices, an exit node creates a full-tunnel VPN experience by routing internet traffic through chosen devices.

Tailscale combines WireGuard for encrypted data transmission with a proprietary control plane handling device discovery, authentication, and NAT traversal. The system uses hole-punching techniques to establish direct connections between devices, with DERP relays as fallback on restricted networks. This architecture enables secure connections even when devices are behind different routers.

Compared to traditional VPNs like OpenVPN, Tailscale uses policy routing rather than rewriting the main routing table. This approach allows for more granular control and prevents tunnel loops. This model explains why Tailscale can offer free service—user traffic primarily flows through users' own ISPs and exit nodes, not Tailscale infrastructure, potentially saving $200,000-$500,000 monthly compared with a provider that relays all traffic directly.
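
To make the policy-routing point concrete, here is an added example (not code from the article or from Tailscale) that models a Linux-style rule lookup and shows why a mark-based exemption keeps the tunnel's own encrypted packets from re-entering the tunnel. The mark value, table names, interface names and addresses are constructed assumptions, and mark matching is simplified to equality.

```python
import ipaddress

# Constructed sample state (assumption, not taken from the article):
# the mark value, table names, devices and addresses are illustrative only.
TUNNEL_MARK = 0x80000
TABLES = {
    # The main table is left exactly as the OS configured it.
    "main":   [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0")],
    # A separate table carries the full-tunnel default route.
    "tunnel": [("0.0.0.0/0", "tun0"), ("100.64.0.0/10", "tun0")],
}
# (priority, required packet mark or None for "any packet", table to consult)
RULES = [
    (5210, TUNNEL_MARK, "main"),   # tunnel's own encrypted packets: bypass
    (5270, None, "tunnel"),        # everything else: try the tunnel table
    (32766, None, "main"),         # fall back to the untouched main table
]

def lookup(dst, mark=0, rules=RULES, tables=TABLES):
    """Return the egress device policy routing picks for one packet."""
    addr = ipaddress.ip_address(dst)
    for _prio, want_mark, table in sorted(rules, key=lambda r: r[0]):
        if want_mark is not None and mark != want_mark:
            continue  # rule selector does not match this packet
        matches = [(ipaddress.ip_network(p), dev) for p, dev in tables[table]
                   if addr in ipaddress.ip_network(p)]
        if matches:
            # Longest-prefix match inside the selected table.
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        # No route in this table: continue with the next rule.
    return None

def has_tunnel_loop(peer_endpoint, rules=RULES):
    """True if encrypted packets to the peer would be sent into the tunnel."""
    return lookup(peer_endpoint, mark=TUNNEL_MARK, rules=rules) == "tun0"

if __name__ == "__main__":
    print("app traffic     ->", lookup("203.0.113.10"))
    print("tunnel packets  ->", lookup("198.51.100.7", mark=TUNNEL_MARK))
    print("loop with exemption:   ", has_tunnel_loop("198.51.100.7"))
    print("loop without exemption:", has_tunnel_loop("198.51.100.7", RULES[1:]))
```

On a real Linux host, `ip rule show` and `ip route show table <name>` print the rules and per-table routes this model stands in for.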