I love Tailscale's exit nodes functionality. Makes it easy to tunnel out of a virtual machine in any country. The idea is very similar to commercial VPNs like Mullvad and NordVPN, but is self-hosted.
I share my Tailscale network with friends and family, mostly to allow their usage of my pi-hole nodes. I wanted to prevent them from using my exit nodes though.
Last week, I found that Tailscale engineers have new Access Control Lists (ACLs) functionality to enable or disable internet access on such nodes. Add autogroup:internet:443,22 to your devices' accept rule, and you are good to go.
No other device on your Tailscale network will be able to use the public internet when tunneling out of such nodes.
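Here is what such a policy file can look like, as an added example rather than my actual policy. It assumes friends and family are members of the tailnet; the group names, e-mail addresses and the pi-hole address are placeholders.

```json
{
  // Constructed sample policy (HuJSON, so comments and trailing commas are allowed).
  // Group names, e-mail addresses and the pi-hole IP are placeholders.
  "groups": {
    "group:owner":  ["me@example.com"],
    "group:guests": ["friend@example.com", "family@example.com"],
  },
  "hosts": {
    "pihole": "100.64.0.53",
  },
  "acls": [
    // Owner devices: DNS to the pi-hole, plus internet access through
    // exit nodes, limited to ports 443 and 22.
    {
      "action": "accept",
      "src":    ["group:owner"],
      "dst":    ["pihole:53", "autogroup:internet:443,22"],
    },
    // Guests: DNS to the pi-hole only. No rule with autogroup:internet
    // matches them, so their traffic through an exit node is not allowed.
    {
      "action": "accept",
      "src":    ["group:guests"],
      "dst":    ["pihole:53"],
    },
  ],
}
```

Tailscale ACLs deny anything that no accept rule matches, so the guests are kept off the exit nodes by being left out of every rule that lists autogroup:internet, not by an explicit deny.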