A self-hosted Linux gateway that tunnels device traffic through a remote residential exit node — because sometimes home is wherever your IP address is.
- Overview
- How It Works
- Prerequisites
- Hardware
- Software
- Installation
- Usage
- Troubleshooting
- Contributing
ghostroute is a self-hosted Linux gateway that tunnels device traffic through a remote residential exit node — because sometimes home is wherever your IP address is.
Built on a repurposed laptop running Ubuntu Server 24.04, ghostroute creates a dedicated WiFi access point that any device can connect to. Traffic from connected devices is routed through an encrypted Tailscale tunnel and exits the internet from a remote location — using that location's real residential IP address.
Most VPN solutions rely on datacenter IP addresses that are easily detected and blocked. ghostroute solves this by using a genuine residential connection as the exit point, making traffic indistinguishable from a normal home user.
- Zero port forwarding required — Tailscale handles NAT traversal automatically
- Residential exit node — traffic exits from a real home connection, not a datacenter
- Device agnostic — any WiFi device connects without VPN client software
- Fully self-hosted — no subscriptions, no third party services beyond Tailscale's free tier
- Survives reboots — all services start automatically on boot
- Low cost — runs on repurposed hardware with free software
ghostroute sits between your devices and the internet, silently redirecting traffic through a remote residential connection.
```
Your Device                     ghostroute (local)                Remote PC (exit node)
─────────────                   ──────────────────                ─────────────────────
Roku, Phone,    →  Connects  →  Linux device    →  Tailscale  →  Windows/Linux PC
Smart TV, etc.     via WiFi     access point       tunnel        at remote location
                                                                         │
                                                                         ↓
                                                                 Traffic exits here
                                                                 at residential IP
```
On your end:
- A repurposed laptop (or a raspberry pi) running Ubuntu Server 24.04
- A USB WiFi adapter capable of AP mode (MT7612U chipset recommended)
- The laptop broadcasts its own dedicated SSID
- Devices connect to that SSID like any normal WiFi network
The tunnel:
- Tailscale handles the encrypted connection between both locations
- No port forwarding required on either end
- Both sides connect outbound to Tailscale's coordination servers
At the remote location:
- Any always-on Windows or Linux PC
- Runs Tailscale and advertises itself as an exit node
- All traffic from your connected devices exits here
- The internet sees the remote location's residential IP address
Before getting started, make sure you have the following in place.
Your location:
- A Linux laptop/Raspberry Pi to act as the local gateway
- A USB WiFi adapter with AP mode support — the Panda PAU0D or any adapter using the MT7612U chipset is recommended and confirmed working
- An ethernet connection from the laptop/Raspberry Pi to your router
Remote location:
- An always-on Windows or Linux PC
- An active internet connection
- Ubuntu Server 24.04 LTS — confirmed working with kernel 6.8. Do not use Ubuntu 26.04 — kernel 7.0 has a known driver regression with the MT7612U chipset at the time of writing
- Tailscale — free for personal use, handles the encrypted tunnel and NAT traversal automatically
- hostapd — turns the USB WiFi adapter into an access point
- dnsmasq — handles DHCP and DNS for devices connected to the access point
- A Tailscale account — free tier supports up to 100 devices and is sufficient for this use case
- No port forwarding required on either end — Tailscale handles this automatically
- The remote PC must be always-on whenever you want the tunnel active
1. Download the ISO
Download Ubuntu Server 24.04 LTS from the official Ubuntu releases page:
https://releases.ubuntu.com/24.04/ubuntu-24.04.4-live-server-amd64.iso
Make sure to download 24.04 LTS specifically. As of May 2026, Ubuntu 26.04 ships with kernel 7.0 which has a known driver regression with the MT7612U chipset. This may be resolved in future kernel updates.
2. Flash the ISO
Flash the ISO to a USB drive using Rufus with these settings:
| Setting | Value |
|---|---|
| Partition scheme | GPT |
| Target system | UEFI (non CSM) |
| File system | FAT32 |
| Cluster size | Default |
When prompted, select ISO Image mode.
3. Install Ubuntu Server
Boot from the USB drive and work through the installer with these settings:
- Installation type: Ubuntu Server (not minimized)
- Storage: Use entire disk, set up as LVM group, do not encrypt
- OpenSSH: Install during setup
- Snaps: Skip all
4. Post-install housekeeping
Update the system:
```bash
sudo apt update && sudo apt upgrade -y
```
Enable automatic security updates:
```bash
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
```
Disable lid suspend so the laptop/Raspberry Pi keeps running with the lid closed:
```bash
sudo nano /etc/systemd/logind.conf
```
Find and change:
```
#HandleLidSwitch=suspend
```
to:
```
HandleLidSwitch=ignore
```
Then apply:
```bash
sudo systemctl restart systemd-logind
```
1. Install Tailscale
```bash
curl -fsSL https://tailscale.com/install.sh | sh
```
2. Authenticate
```bash
sudo tailscale up
```
Visit the URL provided and log in with your Tailscale account.
3. Set up the exit node at the remote location
On the remote Windows or Linux PC, install Tailscale from tailscale.com/download and log in with the same account.
Then advertise it as an exit node. On Windows, open a command prompt:
```
tailscale up --advertise-exit-node
```
On Linux:
```bash
sudo tailscale up --advertise-exit-node
```
Then approve the exit node in the Tailscale admin dashboard at login.tailscale.com.
4. Connect to the exit node
On your Linux laptop/Raspberry Pi, find your exit node's device name in the Tailscale dashboard, then run:
```bash
sudo tailscale up --exit-node=<remote-pc-name> --exit-node-allow-lan-access=true --accept-dns=false
```
Replace `<remote-pc-name>` with the device name shown in your Tailscale dashboard.
5. Fix LAN routing
Tailscale can interfere with local network traffic. First identify your local subnet by running:
```bash
ip route show
```
Look for a line like `192.168.x.0/24 dev <ethernet-interface>` — that is your local subnet. Then add a routing rule to keep LAN traffic direct:
```bash
sudo ip rule add from <your-local-subnet> lookup main priority 100
```
For example, if your subnet is 192.168.1.0/24:
```bash
sudo ip rule add from 192.168.1.0/24 lookup main priority 100
```
Make it permanent by creating a networkd-dispatcher script:
```bash
sudo nano /etc/networkd-dispatcher/routable.d/50-tailscale-lan
```
Add, substituting your actual subnet:
```bash
#!/bin/bash
ip rule add from <your-local-subnet> lookup main priority 100
```
Make it executable:
```bash
sudo chmod +x /etc/networkd-dispatcher/routable.d/50-tailscale-lan
```
1. Find your interface names
Before proceeding, identify your WiFi and ethernet interface names:
```bash
iw dev
```
Look for the WiFi adapter interface name — it will look something like `wlx9cefd5f7370c` or `wlan0`. Note this as `<wifi-interface>`.
```bash
ip link show
```
Look for your ethernet interface — it will look something like `eno1`, `eth0`, or `enp3s0`. Note this as `<ethernet-interface>`.
2. Install required packages
```bash
sudo apt install hostapd dnsmasq -y
```
3. Configure hostapd
```bash
sudo nano /etc/hostapd/hostapd.conf
```
Add, substituting your interface name, network name, and password:
```
interface=<wifi-interface>
driver=nl80211
ssid=YourNetworkName
hw_mode=g
channel=1
wmm_enabled=1
ieee80211n=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YourPasswordHere
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
```
If your network is not visible on some devices, try changing `channel=1` to `channel=6` or `channel=11`.
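The keys that decide how well this access point is protected are `wpa`, `rsn_pairwise` and `wpa_passphrase`; with `wpa=2`, the `wpa_pairwise=TKIP` line applies only to WPA (v1), and WPA2 clients get the `rsn_pairwise=CCMP` cipher. The audit below is an added example, not part of ghostroute: `conf_get` and `audit_hostapd` are hypothetical helper names and the weak configuration is constructed for comparison.

```bash
#!/usr/bin/env bash
# Added example (not ghostroute code): audit the security keys of a hostapd.conf.

# Print the value of the last "key=value" line for key $1 in config text $2.
conf_get() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1
}

# Read a hostapd.conf on stdin; print one finding per line, nothing if clean.
audit_hostapd() {
  local conf wpa rsn pair pass
  conf=$(cat)
  wpa=$(conf_get wpa "$conf")
  pair=$(conf_get wpa_pairwise "$conf")
  rsn=$(conf_get rsn_pairwise "$conf")
  pass=$(conf_get wpa_passphrase "$conf")
  # wpa is a bitfield: bit 0 = WPA (v1), bit 1 = WPA2 (RSN).
  case "$wpa" in
    2) ;;
    1|3) echo "wpa=$wpa enables legacy WPA (v1); use wpa=2" ;;
    *) echo "wpa is unset or 0: WPA is disabled" ;;
  esac
  # WPA2 clients get rsn_pairwise; hostapd falls back to wpa_pairwise if unset.
  case "${rsn:-$pair}" in
    *TKIP*) echo "TKIP would be negotiated as pairwise cipher; set rsn_pairwise=CCMP" ;;
  esac
  # A WPA-PSK passphrase is 8 to 63 characters.
  if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
    echo "wpa_passphrase must be 8 to 63 characters"
  elif [ "$pass" = "YourPasswordHere" ]; then
    echo "wpa_passphrase is still the guide's placeholder"
  fi
}

# Security keys from the guide's config, and a constructed weak variant.
GUIDE_CONF='wpa=2
wpa_passphrase=YourPasswordHere
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP'
WEAK_CONF='wpa=3
wpa_passphrase=short
wpa_pairwise=TKIP'

printf '%s\n' "$GUIDE_CONF" | audit_hostapd
echo "---"
printf '%s\n' "$WEAK_CONF" | audit_hostapd
```

On the gateway, feed it the real file with `sudo cat /etc/hostapd/hostapd.conf | audit_hostapd` after sourcing the functions.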
4. Configure hostapd defaults
```bash
sudo nano /etc/default/hostapd
```
Find and update:
```
DAEMON_CONF="/etc/hostapd/hostapd.conf"
```
5. Configure dnsmasq
The AP network uses 192.168.4.x by default. This can be changed to any subnet that does not conflict with your existing home network. Substitute <wifi-interface> with your actual interface name:
```bash
sudo nano /etc/dnsmasq.conf
```
Add to the bottom:
```
interface=<wifi-interface>
bind-interfaces
listen-address=192.168.4.1
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
dhcp-option=3,192.168.4.1
dhcp-option=6,1.1.1.1,8.8.8.8
```
1. Enable IP forwarding
```bash
sudo nano /etc/sysctl.conf
```
Uncomment:
```
net.ipv4.ip_forward=1
```
Apply:
```bash
sudo sysctl -p
```
2. Set up NAT rules
Substitute `<wifi-interface>` and `<ethernet-interface>` with your actual interface names:
```bash
sudo apt install iptables iptables-persistent -y
sudo iptables -I FORWARD 1 -i <wifi-interface> -o <ethernet-interface> -j ACCEPT
sudo iptables -I FORWARD 2 -i <ethernet-interface> -o <wifi-interface> -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o <ethernet-interface> -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE
```
Save the rules:
```bash
sudo netfilter-persistent save
```
1. Create a systemd service to assign the WiFi interface IP on boot
Substitute <wifi-interface> with your actual interface name:
```bash
sudo nano /etc/systemd/system/wifi-ap-setup.service
```
Add:
```
[Unit]
Description=WiFi AP Interface Setup
Before=hostapd.service dnsmasq.service
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c '/sbin/ip addr add 192.168.4.1/24 dev <wifi-interface> 2>/dev/null || true'
ExecStart=/sbin/ip link set <wifi-interface> up
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```
Enable it:
```bash
sudo systemctl enable wifi-ap-setup
sudo systemctl daemon-reload
```
2. Enable all services
```bash
sudo systemctl unmask hostapd
sudo systemctl enable hostapd
sudo systemctl enable dnsmasq
```
3. Reboot and verify
```bash
sudo reboot
```
After rebooting, confirm everything is working:
- The SSID is visible on your devices
- Connected devices receive an IP in the `192.168.4.x` range
- Visiting whatismyip.com shows the remote location's IP address
Any WiFi-capable device can connect to ghostroute without any special configuration or VPN client software.
- On the device, open WiFi settings and look for the SSID you configured in `hostapd.conf`
- Enter the password you set in `wpa_passphrase`
- The device will receive an IP address in the `192.168.4.x` range automatically
- All traffic from that device will now exit the internet from the remote location's IP address
To confirm traffic is exiting from the correct location, visit the following from a connected device:
https://whatismyip.com
The IP address shown should match the remote location's public IP, not your local ISP's IP.
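The FORWARD and MASQUERADE rules for `<ethernet-interface>` also let AP clients out through the local connection, so whenever the kernel's route for their traffic is not `tailscale0` they exit from your local ISP's IP instead. The check below is an added example, not part of ghostroute: the function names, the `--live` switch, the client address `192.168.4.2`, the probe address `1.1.1.1` and the sample outputs are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not ghostroute code): detect a fail-open gateway.
# Assumptions: AP_CLIENT is any address in the guide's 192.168.4.x DHCP range,
# PROBE is any public IP; both are only used to ask the kernel for a route.
AP_CLIENT=192.168.4.2
PROBE=1.1.1.1

# Print the interface that follows "dev" in `ip route get` output on stdin.
egress_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# $1 = `ip route get` output, $2 = `tailscale status` output.
gateway_verdict() {
  local dev
  dev=$(printf '%s\n' "$1" | egress_dev)
  if [ -z "$dev" ]; then
    echo "unknown: kernel returned no route for AP client traffic"
  elif [ "$dev" != "tailscale0" ]; then
    echo "leak: AP client traffic would leave via $dev"
  elif ! printf '%s\n' "$2" | grep -q 'active; exit node'; then
    echo "degraded: routed into tailscale0 but no peer is 'active; exit node'"
  else
    echo "ok"
  fi
}

# Constructed sample outputs (illustrative, not captured from a real gateway).
ROUTE_TUNNEL='1.1.1.1 from 192.168.4.2 dev tailscale0 table 52
    cache iif wlan0'
ROUTE_DIRECT='1.1.1.1 from 192.168.4.2 via 192.168.1.1 dev eno1
    cache iif wlan0'
TS_UP='100.64.0.2  remote-pc  user@  windows  active; exit node; direct 203.0.113.7:41641'
TS_DOWN='100.64.0.2  remote-pc  user@  windows  offline'

if [ "${1:-}" = "--live" ]; then
  # On the gateway: ./check.sh --live <wifi-interface>
  gateway_verdict "$(ip route get "$PROBE" from "$AP_CLIENT" iif "$2" 2>&1)" \
                  "$(tailscale status 2>&1)"
else
  gateway_verdict "$ROUTE_TUNNEL" "$TS_UP"     # ok
  gateway_verdict "$ROUTE_DIRECT" "$TS_UP"     # leak: ... via eno1
  gateway_verdict "$ROUTE_TUNNEL" "$TS_DOWN"   # degraded: ...
fi
```

Run in live mode from a timer or after each reboot, it catches the case the browser check only shows after the fact: the route decision is read from the kernel without sending client traffic.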
To verify all services are running correctly:
```bash
sudo systemctl status hostapd
sudo systemctl status dnsmasq
sudo systemctl status tailscale
```
All three should show `active (running)`.
To see which devices have been assigned IP addresses by dnsmasq:
```bash
cat /var/lib/misc/dnsmasq.leases
```
There is no additional configuration required to add more devices — simply connect them to the SSID. The DHCP range is set to 192.168.4.2 through 192.168.4.20, supporting up to 19 simultaneous devices. To expand this range, edit `/etc/dnsmasq.conf` and restart dnsmasq:
```bash
sudo systemctl restart dnsmasq
```
Check hostapd is running:
```bash
sudo systemctl status hostapd
```
Try a different channel. Some devices, particularly iPhones, can be picky about certain 2.4GHz channels. Edit `/etc/hostapd/hostapd.conf` and try `channel=1`, `channel=6`, or `channel=11`:
```bash
sudo nano /etc/hostapd/hostapd.conf
sudo systemctl restart hostapd
```
Verify the adapter supports AP mode:
```bash
iw list | grep -A 10 "Supported interface modes"
```
`AP` must appear in the list. If it does not, your adapter does not support AP mode and a different adapter is required.
Check dnsmasq is running:
```bash
sudo systemctl status dnsmasq
```
Check the interface has its IP assigned:
```bash
ip addr show <wifi-interface>
```
You should see `inet 192.168.4.1/24` in the output. If not, assign it manually and restart dnsmasq:
```bash
sudo ip addr add 192.168.4.1/24 dev <wifi-interface>
sudo systemctl restart dnsmasq
```
If this keeps happening after reboots, check that the wifi-ap-setup service is running:
```bash
sudo systemctl status wifi-ap-setup
```
Check IP forwarding is enabled:
```bash
cat /proc/sys/net/ipv4/ip_forward
```
Should return `1`. If not:
```bash
sudo sysctl -w net.ipv4.ip_forward=1
```
Check NAT rules are in place:
```bash
sudo iptables -t nat -L -n
```
You should see MASQUERADE rules for both your ethernet interface and tailscale0. If missing, re-add them:
```bash
sudo iptables -t nat -A POSTROUTING -o <ethernet-interface> -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE
sudo netfilter-persistent save
```
Check the Tailscale tunnel is active:
```bash
sudo tailscale status
```
The remote PC should show as `active; exit node`.
This is usually caused by Tailscale intercepting local network return traffic. Re-apply the LAN routing fix:
```bash
sudo ip rule add from <your-local-subnet> lookup main priority 100
```
If this keeps happening, verify the networkd-dispatcher script is in place and executable:
```bash
cat /etc/networkd-dispatcher/routable.d/50-tailscale-lan
ls -la /etc/networkd-dispatcher/routable.d/50-tailscale-lan
```
The file should be executable (`-rwxr-xr-x`). If not:
```bash
sudo chmod +x /etc/networkd-dispatcher/routable.d/50-tailscale-lan
```
Check Tailscale is connected to the exit node:
```bash
sudo tailscale status
```
The remote PC should show `active; exit node`. If not, reconnect:
```bash
sudo tailscale up --exit-node=<remote-pc-name> --exit-node-allow-lan-access=true --accept-dns=false
```
Check the remote PC is online. The exit node must be powered on and connected to the internet for traffic to route through it.
Check the adapter appears in the USB device list:
```bash
lsusb
```
If the adapter does not appear, try a different USB port. Avoid USB 3.0 ports (marked with SS) if possible — some adapters initialize more reliably on USB 2.0.
Check the driver is loaded:
```bash
lsmod | grep mt76
```
If no output, load the driver manually:
```bash
sudo modprobe mt76x2u
```
Check kernel version compatibility. The MT7612U chipset requires kernel 6.x. Verify your kernel version:
```bash
uname -r
```
If running kernel 7.0 (Ubuntu 26.04), downgrade to Ubuntu 24.04 LTS which ships with kernel 6.8.
Contributions are welcome. If you've tested ghostroute on different hardware, fixed a bug, or improved the setup process, feel free to open a pull request.
- Hardware compatibility reports — tested on a different adapter or SBC? Open an issue with your hardware details and kernel version
- Bug fixes — if something in the guide is wrong or outdated, submit a correction
- Improvements — cleaner approaches to any of the configuration steps are welcome
- Troubleshooting additions — ran into a problem not covered here? Document it and submit a PR
- Keep changes focused and minimal
- Test your changes before submitting
- Update relevant documentation alongside any configuration changes
- If adding hardware compatibility notes, include chipset, kernel version, and Ubuntu version