Fly.io as a Tailscale Exit Node

By Mahyar Mirrashed · 3 minutes read

Most people know VPNs as a way to keep prying eyes, like your ISP or your office IT, out of your personal browsing online. VPNs do this by encrypting your connection, routing it through another machine somewhere else in the world, hiding your activity and your true location.

But beyond the privacy marketing (and fear mongering), there’s a catch: most commercial VPNs are either questionably private (many log and resell your data), slow, or expensive, especially if you only need them very occasionally. You might pay for round-the-clock service, but only actually use a VPN for the occasional hotspot session. Even the reputable providers cannot guarantee total privacy if you do not trust how they run their servers.

This leads us to running our own VPN.

Why Run Your Own VPN?

There are two (relatively simple) tools to roll your own VPN: Tailscale and Fly.io.

By putting Tailscale on Fly.io, you get a private VPN exit node with total control and full encryption, ready whenever you want it.

Five-Minute Setup: Tailscale Exit Node on Fly.io

Here’s how to get your own encrypted, on-demand VPN node running, with minimal fuss.

1. Register Accounts

2. Create an Auth Key in Tailscale

3. Install and Authenticate the Fly.io CLI

brew install flyctl # Or, use your platform's method
fly auth login

4. Launch Your App With Docker

Set up a new Fly.io app from the fly.toml shown below:

flyctl launch --copy-config

Copy this configuration into fly.toml:

app = "fly-router"

[env]
  PATH="/usr/local/bin"
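  TS_EXTRA_ARGS="--hostname=fly --advertise-exit-node"
  # Keep tailscaled state on the mounted volume (same path as the [mounts] destination)
  TS_STATE_DIR="/var/lib/tailscale"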

[build]
  image = "tailscale/tailscale:stable"

[deploy]
  strategy="immediate"

[mounts]
  source="ts_data"
  destination="/var/lib/tailscale"

5. Store Your Tailscale Auth Key

flyctl secrets set TS_AUTH_KEY=tskey-xxxxx

6. Create a Volume

Create a volume so your node’s identity is retained between launches:

flyctl volumes create ts_data --region yyz --size 1 # Use your selected region as appropriate

7. (Re-)Deploy

flyctl deploy

You now have an encrypted exit node, controlled entirely by you, that you can route traffic through using Tailscale from any of your devices. No untrusted middlemen, no slowdowns, and you only run it when you want.
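
A pre-deploy check for the fly.toml from step 4, as an added example that is not part of the original guide or the Gist it credits. The function names are hypothetical, the parser only handles one-line KEY = "value" entries, and it assumes the Tailscale container keeps node state in the directory named by TS_STATE_DIR.

```shell
#!/bin/sh
# Added example: pre-deploy lint for the fly.toml from this guide.
# toml_get FILE SECTION KEY -> value of a one-line KEY = "value" entry in [SECTION]
toml_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = $0; next }
        section == want {
            line = $0
            sub(/^[ \t]*/, "", line)
            if (line ~ ("^" key "[ \t]*=") && match(line, /"[^"]*"/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                exit
            }
        }' "$1"
}

# check_fly_toml FILE -> prints one line per finding, returns the number of findings
check_fly_toml() {
    findings=0

    # The auth key belongs in `flyctl secrets set`, not in a file that may be committed.
    if grep -Eq 'tskey-|^[[:space:]]*TS_AUTH_?KEY[[:space:]]*=' "$1"; then
        echo "FAIL: auth key material in $1; store it with flyctl secrets set"
        findings=$((findings + 1))
    fi

    # Without this flag the machine joins the tailnet but is not offered as an exit node.
    case $(toml_get "$1" env TS_EXTRA_ARGS) in
        *--advertise-exit-node*) ;;
        *) echo "FAIL: TS_EXTRA_ARGS lacks --advertise-exit-node"
           findings=$((findings + 1)) ;;
    esac

    # Assumption: node state lives in TS_STATE_DIR, so it must point at the
    # mounted volume for the node identity to survive restarts.
    state_dir=$(toml_get "$1" env TS_STATE_DIR)
    mount_dest=$(toml_get "$1" mounts destination)
    if [ -z "$mount_dest" ] || [ "$state_dir" != "$mount_dest" ]; then
        echo "FAIL: TS_STATE_DIR='$state_dir' does not match mount '$mount_dest'"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Optional command-line use: sh check.sh fly.toml
[ "$#" -eq 0 ] || check_fly_toml "$1"
```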

Credits

Inspired by and adapted from the original Gist available on GitHub. Please consider starring it if you found this guide helpful.