This is the noob-friendly manual path if you do not want to use the wizard.
- Download the Linux package from 9proxy.
- Install it for your distro.
- Confirm the CLI works:
9proxy -hDebian/Ubuntu:
curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
sudo tailscale upArch/Manjaro:
sudo pacman -S tailscale
sudo systemctl enable --now tailscaled
sudo tailscale upGet your tailnet IP:
tailscale ip -4Open the login UI:
9proxy auth -sCheck login:
9proxy setting --display
# Look for: User Logged: true9proxy setting --ip <tailscale-ip>Bind a port and country (example US on 60000):
9proxy proxy -c US -p 60000
9proxy port --status- In Tailscale admin console, share your device to your friend.
- Friend logs in to Tailscale and accepts.
- Friend uses:
- Host:
- Port: 60000
- Type: SOCKS5 (or HTTP)
This makes your phone work without per-app proxy settings.
- Advertise exit node:
sudo tailscale up --advertise-exit-nodeThen approve it in the admin console.
- Enable forwarding:
cat <<'EOF' | sudo tee /etc/sysctl.d/99-tailscale-exit-node.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
sudo sysctl --system- Install redsocks:
- Debian/Ubuntu:
sudo apt install redsocks - Arch/Manjaro:
pamac build redsocks2
- Configure redsocks (example):
- Debian/Ubuntu:
/etc/redsocks.conf - Arch/Manjaro:
/etc/redsocks2.conf
base {
log_debug = off;
log_info = on;
log = "syslog:daemon";
daemon = on;
user = redsocks;
group = redsocks;
redirector = iptables;
}
redsocks {
bind = "0.0.0.0:12345";
relay = "<tailscale-ip>:60000";
type = socks5;
autoproxy = 0;
}Start:
- Debian/Ubuntu:
sudo systemctl enable --now redsocks - Arch/Manjaro:
sudo systemctl enable --now redsocks2
- Add iptables redirect:
Create
/usr/local/sbin/ts-9proxy-redirect.shand systemd unit as shown indocs/SECURITY.md.
UDP TPROXY is required for DNS queries to go through the SOCKS5 proxy. Without this, dnsleaktest.com will show wrong DNS servers.
Add redudp to your redsocks config:
redudp {
bind = "0.0.0.0:12346";
relay = "<tailscale-ip>:60000";
type = socks5;
udp_timeout = 30;
udp_timeout_stream = 180;
}Then set up the TPROXY iptables rules. The wizard does this automatically:
tailscale-proxy enable-redirect # includes UDP by defaultOr to fix DNS leak on existing setup:
tailscale-proxy fix-dns-leakThis is a "killswitch" that blocks any forwarding from tailscale0.
It prevents leaks if the proxy goes offline, but it also blocks LAN access.
Use the script and systemd unit in docs/SECURITY.md, then enable it:
sudo systemctl enable --now ts-no-leak.serviceRun a local SOCKS5 proxy that forwards to your tailnet proxy:
tailscale-proxy local-socks --listen 127.0.0.1:1080 --upstream <tailscale-ip>:60000Run it in the background:
tailscale-proxy local-socks-on --listen 127.0.0.1:1080 --upstream <tailscale-ip>:60000TCP forward example:
tailscale-proxy forward --tcp "0.0.0.0:8080=127.0.0.1:8080"UDP forward example:
tailscale-proxy forward --udp "0.0.0.0:5353=<tailscale-ip>:5353"tailscale-proxy http-proxy --listen 127.0.0.1:8080 --upstream <tailscale-ip>:60000
tailscale-proxy pac --listen 127.0.0.1:8080Restrict access to specific tailnet IPs:
tailscale-proxy allowlist-on --port 60000 --ip <tailnet-ip-1> --ip <tailnet-ip-2>tailscale-proxy share --port 60000tailscale-proxy profile-list
tailscale-proxy profile-apply phone_stable
tailscale-proxy self-testDisable the redirect services, remove the scripts, and stop redsocks. The wizard can do this for you.