this post was submitted on 26 Jun 2026
47 points (100.0% liked)

Selfhosted

Trying to find a way to connect to my home server as well as my VPN at the same time. Doesn't seem like tailscale can. I've started looking at pangolin, has anyone had any luck with this issue?

Thank you

top 24 comments
[–] InternetCitizen2@lemmy.world 1 points 22 hours ago* (last edited 22 hours ago)

What issue are you having?

I use tailscale just fine on my gos.

E: sorry I kinda misread here

[–] portnull@lemmy.dbzer0.com 6 points 1 day ago (2 children)

Yes. Run a tailscale exit node which connects to the internet via said VPN. Connect to tailscale on android and select the exit node.

Now you are routing android to tailscale and exiting via the vpn.

Not sure about pangolin on this front

[–] undefined@lemmy.hogru.ch 2 points 1 day ago

I do this more or less, while the VPS itself doesn’t route over a VPN I have traffic forwarded between Tailscale and a commercial VPN.

It’s actually much more complicated and involved than that, involving four double hop VPN tunnels, two that stay 100% in my country then two that bounce around other countries routed over the first two. This way my traffic exits the country without it appearing that way.

[–] philanthropicoctopus@thelemmy.club 1 points 1 day ago (3 children)

This seems like the way forward for me.

Just so I understand properly. I set up one of my home machines as an exit node and all my traffic from my android goes through that home machine?

How do I connect my VPN to tailscale on the home machine? It's not Mullvad unfortunately

[–] portnull@lemmy.dbzer0.com 2 points 23 hours ago* (last edited 23 hours ago)

Yep. I had it set up in a docker compose setup with tailscale and gluetun. There is actually decent documentation for this on gluetun docs I think.

Then your tailscale container exits via gluetun which connects to your VPN.

Edit: Found these

https://unix.stackexchange.com/questions/786512/how-to-enable-direct-connection-to-tailscales-exit-node-with-gluetun

https://lemmy.world/post/7281194

[–] giacomo@lemmy.dbzer0.com 3 points 1 day ago

that exit node will essentially need to work as a router, connected to both the tailnet and whatever other VPN peer you are working with. you could also use something like a gluetun container as I think it works with a wide variety of popular VPN providers.

[–] nfms@lemmy.ml 1 points 1 day ago

I'd say you install the VPN on the home machine, then when you turn on tailscale on your phone, the traffic should be Phone->home machine (exit node)->VPN

[–] frongt@lemmy.zip 9 points 1 day ago

VPN to home, then route outbound traffic over the other VPN.

[–] eager_eagle@lemmy.world 10 points 1 day ago

I was reading this yesterday

https://tailscale.com/docs/reference/faq/other-vpns

I probably won't do it myself, but maybe it works for you

[–] hexagonwin@lemmy.today 3 points 1 day ago

idk how it works on grapheneos. but on normal android i could use work profile for this. and singbox inside the work profile to open a local socks5 proxy, then connecting to it from outside the work profile.

[–] DenimFootpath@lemmy.dbzer0.com 7 points 1 day ago (1 children)

Tailscale will let you use mullvad vpn as exit nodes

[–] i_am_not_a_robot@discuss.tchncs.de 3 points 1 day ago (1 children)

This is sadly the only way to do it on Android. It's not supported by Headscale and it only supports Mullvad.

[–] DenimFootpath@lemmy.dbzer0.com 1 points 1 day ago* (last edited 1 day ago) (2 children)

It’s a shame you can’t force an exit node to be used by the whole tailnet

Edit: Does Headscale support exit nodes at all? You could for example run a VPN on a router and then use that device as an exit node. I suspect that would work if you can use normal exit nodes

You can use exit nodes, but at least in my case that would be really stupid of me to do. If you have a router connected to a VPN and you use that router as an exit node, all of your traffic is going from your mobile device to the VPN server to your router back to the VPN server to the destination host and any return traffic takes the same route in reverse, adding additional latency and limiting your bandwidth to the minimum of any link in either direction along the entire chain. You can potentially exclude the mobile to router Tailscale traffic from the VPN tunnel to skip a little bit of latency, but it probably doesn't help much unless your VPN server is in a third location that is not along the path between your current location and your router. My slow upload speed would become a slow download speed, and when I travel long distances my latency to services at my destination would become half a second.

What I do is I have a travel router that I deploy where I'm staying, and that router has a site-to-site VPN with my home network. That way traffic doesn't need to travel across continents to reach a server only 20ms away.

I also have a set of services that are exposed directly to the internet and I can reach those servers without Tailscale. I can live with being connected to a different VPN and not having the Tailscale-only services.

It may be possible to just use Wireguard. The main benefit of Tailscale instead of Wireguard is that two Tailscale nodes that are next to each other can connect directly without going through another server, and this is accomplished by continuously reconfiguring Wireguard. If you just want a private network VPN where you have a fixed route to your private network and a fixed route to a public internet VPN, you can do that without Tailscale. If you are traveling with a phone and a laptop, connections from the phone's VPN IP to the laptop's VPN IP will be slower as they route through your VPN server, but they will work.

[–] DarkSirrush@piefed.ca 2 points 1 day ago

Headscale does support exit nodes, I use it to get pihole filtering on my phone away from home.

Maybe run the public VPN at home with NAT enabled, and use it as the default gateway in the private VPN. Never done it but I think I've seen some guides on that concept.

[–] stratself@lemdro.id 3 points 1 day ago* (last edited 1 day ago)

I use my own "solution" to host a WireGuard node inside a tailnet: https://github.com/stratself/tswg

You can also try https://github.com/juhovh/tailguard

Gluetun + Tailscale also kind of worked, but quite slow

[–] dieTasse@feddit.org 1 points 1 day ago* (last edited 1 day ago)

You can use tailscale + gluetun docker containers to use your favorite commercial vpn as an exit node on the same machine. https://github.com/alexmaisa/tailscale-vpn-exitnode

Or you need to update iptables if you don't use docker and have e.g. wireguard out as an exit node. Or if you have vpn out on your router, and tailscale on the home network, you just use it as exit node.
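
The gluetun + Tailscale layout that several comments in this thread describe, sketched as a Compose file. This is an added example, not taken from any commenter or from the linked repositories; the provider name, keys, addresses and hostname are placeholders, and it assumes a WireGuard-capable provider that gluetun supports.

```yaml
# Added example: Tailscale exit node whose only path to the internet is gluetun.
# All values marked REPLACE/placeholder are assumptions, not from the thread.
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN                      # gluetun manages the tunnel and its firewall
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=REPLACE_WITH_PROVIDER   # placeholder
      - VPN_TYPE=wireguard
      # Secrets come from an .env file next to this file, never inline.
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY:?set in .env}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES:?set in .env}
    restart: unless-stopped

  tailscale:
    image: tailscale/tailscale
    # Share gluetun's network namespace: tailscaled has no interface of its
    # own, so exit-node traffic can only leave through the VPN tunnel, and
    # gluetun's firewall blocks it if the tunnel is down instead of letting
    # it fall back to the home ISP connection.
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY:?set in .env}
      - TS_HOSTNAME=vpn-exit           # placeholder node name
      - TS_STATE_DIR=/var/lib/tailscale
      # Userspace networking: no NET_ADMIN or /dev/net/tun needed in this
      # container, outbound connections use the shared namespace's routes.
      - TS_USERSPACE=true
      - TS_EXTRA_ARGS=--advertise-exit-node
    volumes:
      - ./tailscale-state:/var/lib/tailscale   # persist node identity
    restart: unless-stopped
```

The advertised exit node still has to be approved for the tailnet before the phone can select it. To confirm nothing leaks, select the exit node on the phone and check that the public IP it reports is the VPN provider's, not the home connection's.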

[–] jet@hackertalks.com 2 points 1 day ago

Have one VPN attached in a work profile and another in your private space

[–] tiptoes@sh.itjust.works 1 points 1 day ago

Depends on what threat you’re protecting against IMHO.

If you’re trying to be anonymous, connecting to your home IP first is a dead giveaway to who you are. Both your home ISP and whichever ISP you’re connected to will know.

Only easy way to maintain some anonymity right now would be to use Tailscale’s Mullvad integration… Tailscale to connect your servers, Mullvad for anonymize/country changing.

Other way might be to ONLY use Tailscale/Mullvad, and set up an alternative auth front door to your own network. Complicated and doesn’t work as nicely tho.

[–] Rivalarrival@lemmy.today 1 points 1 day ago (1 children)

I've got pangolin running on a VPS. It was dead simple.

[–] halcyoncmdr@piefed.social -1 points 1 day ago (1 children)

If only pangolin supported 0.0.0.0 routing. It's been requested for months but instead of doing that... They've been courting paid enterprise usage.

[–] Rivalarrival@lemmy.today 1 points 1 day ago

What are you trying to accomplish with that?

[–] ohshit604@sh.itjust.works 0 points 1 day ago

Might sound like a dumb question, but have you opened the port on your router?

My ASUS router handles my WireGuard setup, I can forward my home VPN server through one of Proton's VPN servers, essentially creating a multi-hop setup.