Deploy and Host Tailscale Exit Node on Railway

Tailscale Exit Node is a feature of Tailscale's WireGuard-based VPN that routes all your device's internet traffic through a designated node in your tailnet. It acts as a secure, private gateway, giving you full control over your egress IP without relying on third-party VPN providers.

About Hosting Tailscale Exit Node

Hosting a Tailscale Exit Node on Railway involves running a lightweight container that joins your Tailscale network and advertises itself as an exit node. The service authenticates via an auth key, enables IP forwarding, and handles traffic routing through Railway's infrastructure. Railway's persistent networking and always-on deployment model make it a reliable host for an exit node that your devices can connect to at any time. Configuration is minimal, typically just a Tailscale auth key and a few environment variables and Railway handles the underlying compute and uptime.

Common Use Cases

• Secure remote access: Route traffic from personal devices through a trusted exit node when on untrusted public Wi-Fi networks
• Fixed egress IP: Give services or scripts a stable, predictable IP address for API allowlisting or geo-restricted access
• Team VPN replacement: Provide a shared, self-hosted exit node for a small team without paying for a commercial VPN service

Dependencies for Tailscale Exit Node Hosting

• Tailscale account: A free or paid Tailscale account to generate an auth key and manage your tailnet
• Railway account: A Railway account with a project to deploy and host the exit node container

Deployment Dependencies

• https://tailscale.com: The VPN platform powering the exit node
• https://login.tailscale.com/admin/settings/keys: Generate a reusable or ephemeral auth key to authenticate the node
• https://railway.com: The hosting platform for the exit node service
• https://hub.docker.com/r/tailscale/tailscale: The official container image used for deployment

Implementation Details

Set the following environment variables in your Railway service:

TS_AUTHKEY=tskey-auth-your-key-here

Once your End-Point is deployed and connecting to Tailscale and you see the deployment in your Machines list in Tailscale and click the three dots on the right hand side of your listed deployment and select 'Edit route settings...' and in the modal select 'Use as exit node' and click 'Save'.

Why Deploy Tailscale Exit Node on Railway?

• Always-on uptime: Railway's persistent deployment model keeps your exit node available around the clock without manual restarts or self-managed servers
• Simple configuration: Deploy with just a Docker image and a handful of environment variables; no complex networking or firewall rules to manage
• Global infrastructure: Railway offers multiple deployment regions, letting you place your exit node closer to where you need the egress traffic to originate
• Cost-effective: Railway's usage-based pricing makes it cheaper than running a dedicated VPS solely for a VPN exit node
• No maintenance overhead: Railway handles the underlying compute, scaling, and infrastructure so you can focus on using Tailscale rather than managing servers

Railway is a singular platform to deploy your infrastructure stack. Railway will host your infrastructure so you don't have to deal with configuration, while allowing you to vertically and horizontally scale it.

By deploying Tailscale Exit Node on Railway, you are one step closer to supporting a complete full-stack application with minimal burden. Host your servers, databases, AI agents, and more on Railway.