Fly.io as a Tailscale Exit Node
By Mahyar Mirrashed • 3 minutes read
In a hurry? Skip to the setup instructions.
Most people know VPNs as a way to keep prying eyes, like your ISP or your office IT, out of your personal browsing online. VPNs do this by encrypting your connection, routing it through another machine somewhere else in the world, hiding your activity and your true location.
But beyond the privacy marketing (and fear mongering), there’s a catch: most commercial VPNs are either questionably private (many log and resell your data), slow, or expensive, especially if you only need them very occasionally. You might pay for round-the-clock service, but only actually use a VPN for the occasional hotspot session. Even the reputable providers cannot guarantee total privacy if you do not trust how they run their servers.
This leads us to running our own VPN.
Why Run Your Own VPN?
There are two (relatively simple) tools to roll your own VPN: Tailscale and Fly.io.
- Tailscale: Instead of relying on a central VPN server company, Tailscale lets you create your own mesh VPN using the open-source WireGuard protocol. This means you control where your data goes, with direct device-to-device encryption, no central choke point, and no snooping by your VPN provider. Effectively, you’re limited almost entirely by your raw uplink and downlink speeds.
- Fly.io: An extremely simple method of spinning up global servers running Docker containers in seconds, without wrestling with manual cloud VPS setup or server images. One simple deployment gets you a secure, reliable node anywhere you need it.
By putting Tailscale on Fly.io, you get a private VPN exit node with total control and full encryption, ready whenever you want it.
Five-Minute Setup: Tailscale Exit Node on Fly.io
Here’s how to get your own encrypted, on-demand VPN node running, with minimal fuss.
1. Register Accounts
- Sign up at https://fly.io/ and https://tailscale.com/.
2. Create an Auth Key in Tailscale
- Go to Tailscale’s Keys page.
- Generate a new key (choose the Reusable and Ephemeral options).
3. Install and Authenticate the Fly.io CLI
4. Launch Your App With Docker
Set up a new Fly.io app using the following fly.toml:
= "fly-router"
[]
="/usr/local/bin"
="--hostname=fly --advertise-exit-node"
[]
= "tailscale/tailscale:stable"
[]
="immediate"
[]
="ts_data"
="/var/lib/tailscale"
5. Store Your Tailscale Auth Key
6. (Optional, but Recommended) Persist Tailscale State
Create a volume so your node’s identity is retained between launches:
7. (Re-)Deploy
You now have an encrypted exit node, controlled entirely by you, that you can route traffic through using Tailscale from any of your devices. No untrusted middlemen, no slowdowns, and you only run it when you want.
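A pre-deploy check for the setup above, as an added example that is not from the original post or the Gist it credits: it flags a fly.toml that contains auth key material, omits `--advertise-exit-node`, or has no mount at `/var/lib/tailscale`. Assumptions: the auth key is supplied as a Fly.io secret named `TS_AUTHKEY` rather than written into the file, and the key names `TS_EXTRA_ARGS`, `source` and `destination` are assumed because the listing above does not show them; both sample configs are constructed.

```bash
#!/usr/bin/env bash
# Added example: pre-deploy lint for fly.toml. Prints findings; returns 0 only when clean.
lint_fly_toml() {
    local file="$1" findings=0 body
    # Ignore comment-only lines so commented-out settings do not count.
    body="$(grep -Ev '^[[:space:]]*#' "$file" || true)"
    # 1. The auth key belongs in a Fly secret, never in a file that gets committed.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*TS_AUTHKEY[[:space:]]*=|tskey-'; then
        echo "FAIL: auth key material in fly.toml; store it as a Fly secret instead"
        findings=$((findings + 1))
    fi
    # 2. Without this flag the machine joins the tailnet but is not offered as an exit node.
    if ! printf '%s\n' "$body" | grep -q -- '--advertise-exit-node'; then
        echo "FAIL: --advertise-exit-node is not passed to Tailscale"
        findings=$((findings + 1))
    fi
    # 3. No volume at the state directory means a new node identity on every deploy.
    if ! printf '%s\n' "$body" | grep -Eq 'destination[[:space:]]*=[[:space:]]*"/var/lib/tailscale"'; then
        echo "WARN: no mount at /var/lib/tailscale; node identity will not persist"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configs; the key names are assumptions (see lead-in).
write_sample() {   # $1 = good | bad; prints the path of a temp file
    local f; f="$(mktemp)"
    if [ "$1" = good ]; then
        cat >"$f" <<'EOF'
app = "fly-router"
[env]
TS_EXTRA_ARGS = "--hostname=fly --advertise-exit-node"
[mounts]
source = "ts_data"
destination = "/var/lib/tailscale"
EOF
    else
        cat >"$f" <<'EOF'
app = "fly-router"
[env]
TS_AUTHKEY = "tskey-auth-CONSTRUCTED-NOT-A-REAL-KEY"
TS_EXTRA_ARGS = "--hostname=fly"
EOF
    fi
    echo "$f"
}

lint_fly_toml "$(write_sample good)" && echo "good sample: clean"
lint_fly_toml "$(write_sample bad)" || echo "bad sample: rejected"
```

Run it against the real file with `lint_fly_toml fly.toml` before deploying; a non-zero return means at least one finding was printed.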
Credits
Inspired by and adapted from the original Gist available on GitHub. Please consider starring it if you found this guide helpful.