A Tailscale exit node built with tsnet that forwards all mobile device traffic through Burp Suite for penetration testing.
┌──────────┐ WireGuard ┌─────────────────────┐ HTTP CONNECT ┌────────────┐ ┌──────────┐
│ Mobile │ ───────────────── │ mobile-exit-proxy │ ────────────────── │ Burp Suite │ ────── │ Internet │
│ Device │ (Tailscale) │ (tsnet exit node) │ (127.0.0.1:8083) │ Proxy │ │ │
└──────────┘ └─────────────────────┘ └────────────┘ └──────────┘
│
Web Panel :8080
(status & control)
Traffic flow:
- Mobile device connects to Tailscale and selects this node as exit node
- All mobile internet traffic is routed through the WireGuard tunnel
- TCP traffic is intercepted and forwarded through Burp Suite:
- HTTP (port 80): Forwarded as HTTP forward proxy requests (plaintext)
- HTTPS/TLS (port 443+): Tunneled via HTTP CONNECT (Burp can MITM with its CA cert)
- DNS queries (UDP :53) are forwarded to configurable upstream servers
- JSONC config file — comments supported, easy to customize
- Multiple proxy backends — failover & health checking
- Buffer pooling —
sync.Poolfor reduced GC pressure on high-throughput - Web control panel — accessible via tailnet, shows live stats
- DNS forwarding — configurable upstream DNS servers
- No system Tailscale needed — runs entirely in userspace via tsnet
- Go 1.21+
- A Tailscale account
- Burp Suite with proxy listener on
127.0.0.1:8083 - Tailscale installed on your mobile device (Android/iOS)
go build -o mobile-exit-proxy .export TS_AUTHKEY="tskey-auth-xxxxx"
./mobile-exit-proxy -proxy 127.0.0.1:8083 -verbosecp config.example.jsonc config.jsonc
# Edit config.jsonc with your settings
./mobile-exit-proxy -config config.jsonc| Flag | Default | Description |
|---|---|---|
-config |
(none) | JSONC config file path |
-hostname |
mobile-exit-proxy |
Tailscale hostname (overrides config) |
-authkey |
$TS_AUTHKEY |
Tailscale auth key (overrides config) |
-proxy |
127.0.0.1:8083 |
Burp proxy address (overrides config) |
-verbose |
false |
Verbose logging (overrides config) |
See config.example.jsonc for all options:
Go to Tailscale Admin > Keys and generate a reusable auth key.
Ensure Burp's proxy listener is running on 127.0.0.1:8083 (or your configured address).
export TS_AUTHKEY="tskey-auth-xxxxx"
./mobile-exit-proxy -config config.jsonc- Go to Tailscale Admin > Machines
- Find
mobile-exit-proxy>...> Edit route settings - Enable "Use as exit node"
Android: Tailscale app > Exit node > Select mobile-exit-proxy
iOS: Tailscale app > Exit node selector (top) > Select mobile-exit-proxy
Android:
- Export Burp CA cert (Proxy > Options > Export CA certificate)
- Transfer
.derto device - Settings > Security > Install certificates > CA certificate
iOS:
- Export and transfer Burp CA cert
- Settings > General > Profile > Install
- Settings > General > About > Certificate Trust Settings > Enable full trust
Open http://mobile-exit-proxy:8080 from any device on your tailnet to see live connection stats and proxy backend health.
For apps with certificate pinning, use alongside:
- Android: Frida with ssl-pinning bypass scripts, or objection
- iOS: Frida/objection, or SSL Kill Switch 2 (jailbroken)
- Increase
buffer_sizeto65536(64KB) for high-throughput testing - Add multiple proxy backends for failover
- Health checks run every
health_intervalto detect proxy failures - Buffer pooling via
sync.Poolminimizes GC overhead
{ "hostname": "mobile-exit-proxy", "proxies": [ { "addr": "127.0.0.1:8083", "alias": "burpsuite", "health_check": true }, { "addr": "127.0.0.1:8084", "alias": "backup", "health_check": true } ], "dns": ["8.8.8.8:53", "1.1.1.1:53"], "buffer_size": 32768, "web_listen": ":8080", "verbose": false }